Thunderstone Software Document Search, Retrieval, and Management
Texis Manual
 

Httpd conf/texis.ini Section

 

The [Httpd] section of conf/texis.ini controls the Texis Monitor Web Server. This is a minimal web server primarily intended for certain standalone Windows applications. Most environments (e.g. Unix) should use the vhttpd web server instead.

Run Level
Whether to run the Texis Monitor Web Server or not. Set to 1 to run, 0 (default) not to run. Added in version 4.02.1036450486 Nov 4 2002.

Port
The TCP port to listen to. Default 80. If SSL Engine is set to on, the default is 443 instead, since the server will be listening for HTTPS not HTTP requests. Added in version 4.02.1036450486 Nov 4 2002.

Document Root
The document root directory to serve documents from. Default is htdocs in the Texis install dir. Must be an absolute path. Added in version 4.02.1036450486 Nov 4 2002.

Transfer Log
Path to log file for transfers. Default is logs/transfer.log in the Texis install dir. Must be absolute. Added in version 4.02.1036450486 Nov 4 2002.

Types Config
Extension-to-Content-Type config file. Relative to install dir if not absolute path. Default is %INSTALLDIR%/conf/mime.types. Added in version 5.01.1251952000 20090903.

Encodings Config
Extension-to-Content-Encoding config file. Relative to install dir if not absolute path. Default is %INSTALLDIR%/conf/mime.encodings. Added in version 5.01.1251952000 20090903.

Max Backlog
The maximum backlog of pending connections to let the OS keep pending. Default is OS dependent. Added in version 4.02.1036450486 Nov 4 2002.

Timeout
The network timeout in seconds. Note that per-script Vortex timeout applies when Vortex scripts are running. Default is 30 seconds. Added in version 4.02.1036450486 Nov 4 2002.

Bind Address
The local IP address to bind to. Default is any, i.e. allow incoming connections from anywhere. Added in version 4.02.1036450486 Nov 4 2002.

User
Windows only: local user to run CGI texis as. Default is same user as the running monitor server process. See discussion of the Vortex <exec> option USER for caveats and permission requirements. Added in version 4.04.1071892000 20031219.

Pass
Windows only: password to login User. Required if User is set. Note: password is in plain text; use EncPass setting instead. Overrides EncPass. Added in version 4.04.1071892000 20031219.

EncPass
Windows only: encrypted password to login User. Create by running monitor -E from the command-line. Added in version 4.04.1071892000 20031219.

Fast Logon
Windows only: use fast logon method for User. Not recommended; see discussion of the Vortex <exec> flag FASTLOGON for caveats and permission requirements. Added in version 4.04.1071892000 20031219.

Max Clients
The maximum number of simultaneous connections (clients) allowed. Default is 32. Added in version 4.02.1036450486 Nov 4 2002.

Max Header Size
The maximum total HTTP header size to accept, in bytes. Default is 4096. Added in version 4.02.1036450486 Nov 4 2002.

Live Output
Set to 1 to propagate CGI texis output "live", i.e. do not delay until server buffer is full. Default is 1. Added in version 5.01.1172190000 20070222.

Vortex Path

The URL path to interpret as Vortex scripts. Default none. Typically set to /texis. Added in version 4.02.1036450486 20021104.

While the overall path is a prefix, each path component must match fully to requests: e.g. given the Vortex Path "/texis", the URL request "/texis/subdir/script" will run the script "subdir/script", but the URL request "/texisation/subdir/script" will not run a script (i.e. will be treated as a flat file request unless otherwise mapped). Note that currently scripts are run via a separate CGI process, not directly as vhttpd does.

Amongst the standard CGI environment variables, in version 6 and later the variable HTTPS is set to on if SSL Engine is on. It is unset if SSL Engine is optional or off: this allows scripts that use HTTPS to compute the scheme (protocol) prefix to the request URL to work. If the response will be secure/SSL, i.e. SSL Engine is on, or optional and the connection was RFC 2817 upgraded, the variable SSL_PROTOCOL will be set to the SSL protocol in use: one of SSLv2, SSLv3, or TLSv1. Note that the request might have been insecure, e.g. if SSL Engine is optional and the connection was upgraded on the main request instead of an earlier (OPTIONS) request.

Vortex By Ext Path
The URL path to interpret as Vortex scripts, by extension. A request in this path with a "subdirectory" component that ends in one of the non-empty Vortex Source Extensions or .vtx will be run as a Vortex script. Typically set to /; e.g. the request "/dir/subdir/script.vs/func.html" would run the script dir/subdir/script.vs in the ScriptRoot dir. Added in version 5.01.1182883000 20070626. Note that Vortex Source Extensions typically only contains non-empty values (e.g. .vs) in Version 6.
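
The two mapping rules above (Vortex Path and Vortex By Ext Path) decide which URLs execute code and which are served as flat files, so they are worth checking when reviewing a deployment. The following is an added illustration of those rules, not Texis source code. It assumes the "typical" values named in the text, that Vortex Path is tested first, and that a final path component carrying a source extension also counts as a script.

```python
# Added illustration of the documented path rules; not Texis source code.
VORTEX_PATH = "/texis"          # "typical" value from the text
VORTEX_BY_EXT_PATH = "/"        # "typical" value from the text
SOURCE_EXTS = (".vs", ".vtx")   # .vtx always; .vs is the page's Version 6 example


def _components(path):
    """Split a URL path into its non-empty components."""
    return [c for c in path.split("/") if c]


def _under(prefix, request):
    """True if every component of prefix fully matches the start of request."""
    p, r = _components(prefix), _components(request)
    return r[:len(p)] == p


def classify(request):
    """Return ("script", script_path, extra_path) or ("file", request, "")."""
    parts = _components(request)
    # Assumption: Vortex Path is checked before Vortex By Ext Path.
    if VORTEX_PATH and _under(VORTEX_PATH, request):
        n = len(_components(VORTEX_PATH))
        return ("script", "/".join(parts[n:]), "")
    if VORTEX_BY_EXT_PATH and _under(VORTEX_BY_EXT_PATH, request):
        n = len(_components(VORTEX_BY_EXT_PATH))
        for i in range(n, len(parts)):
            # Assumption: a final component with a source extension also matches.
            if parts[i].endswith(SOURCE_EXTS):
                # The page only shows the "/" case, so the script path is
                # reported from the URL root.
                return ("script", "/".join(parts[:i + 1]), "/".join(parts[i + 1:]))
    return ("file", request, "")


if __name__ == "__main__":
    for url in ("/texis/subdir/script", "/texisation/subdir/script",
                "/dir/subdir/script.vs/func.html", "/images/logo.png"):
        print(url, "->", classify(url))
```

A plain string-prefix test would treat "/texisation/subdir/script" as lying under "/texis"; the component-wise comparison is what keeps it a flat file request.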

Texis Exe
The executable to run Vortex scripts. Default is texis.exe in the install dir for Windows, or bin/texis in the install dir for Unix. Added in version 4.02.1036450486 Nov 4 2002.

Index Files
What files to send as a directory's contents, as a space-separated list. Default is index.html for Unix, and index.html index.htm for Windows. Added in version 4.02.1036450486 Nov 4 2002.

Directory Indexing
Whether to list a directory's contents and links when no index file is present. Default is on (1); set to 0 for off. Added in version 4.02.1036450486 Nov 4 2002.

Directory Robots Index
Whether the <meta> robots tag on automatic directory index pages should indicate that the page should be indexed by web crawlers or not. The default is 0 (noindex for no indexing); 1 generates index so that crawlers do index the page. Added in version 5.01.1225747000 20081103.

Directory Robots Follow
Whether the <meta> robots tag on automatic directory index pages should indicate that the pages' links should be followed by web crawlers or not. The default is 1 (follow); 0 generates nofollow so that crawlers do not follow the pages' links. Added in version 5.01.1225747000 20081103.

Multi Views
If on or non-zero, allow content-negotiated variant files to be served. With this option enabled, if a requested file is not found as named, files with the same name but additional recognized file extensions (for MIME types and/or encodings) will be searched for. The files will be ranked according to the client's Accept-... header preferences, and the highest-ranked file will be served. Applies to implicit Index Files files too. For example, a request for "/dir/file" might return "/dir/file.html", "/dir/file.txt.gz" etc. If variant(s) are found but are not deemed acceptable according to the client's Accept-... headers, a 406 Not Acceptable response may result. Disabled by default. Currently, only the Accept-Encoding client header is respected. Added in version 5.01.1251952000 20090903.

Allow File Mask
Only allow access to files in Document Root with at least one of these permission bits set. Note that files must still be accessible by User (if set). The default is o=r, i.e. files must have other-read permission set to be accessible. Added in version 5.01.1147373599 20060511.

Allow Dir Mask
Only allow access to directories in Document Root with at least one of these permission bits set. Note that directories must still be accessible by User (if set). The default is o=r, i.e. directories must have other-read permission set to be accessible. Added in version 5.01.1147373599 20060511.

Pass Env
Space-separated list of environment variables to pass through from the web server's environment to the Vortex CGI environment. Default is none. Only a minimal CGI environment is normally set for security. This setting can be used to pass through variables like LD_LIBRARY_PATH if needed. Use with caution. Added in version 4.02.1047673208 Mar 14 2003.

In addition, all "settings" in the [Httpd Set Env] section are taken as environment variable assignments to pass to the CGI environment. This allows environment variables which aren't set in the web server's environment to be set in the CGI environment. Added in version 4.02.1047663381 Mar 14 2003.

Bad Content Length Work Around
If bit 0 is set, try to read any extra socket input after the request. This works around a Microsoft Internet Explorer bug that causes connection-reset browser errors. If bit 1 is set, log such events. Default is 1. Added in version 5.01.1159558662 20060929.

Trace Requests

Enable debug tracing of monitor web server requests to monitor.log. This is an integer combination of the following bit flags to determine what is logged (same format as <urlcp verbose>):

bit 0 - Responses read
bit 1 - Requests sent
bit 2 - Headers read
bit 3 - Headers sent

The default is 0, i.e. no logging. Generally only set at the request of tech support. Added in version 5.01.1184720000 20070717.

Trace Auth

Enable debug tracing of authorization in monitor web server requests. This is an integer combination of bit flags in the same format as the Vortex <urlcp traceauth> setting. Generally only set at the request of tech support. Added in version 5.01.1184720000 20070717.

Max Conn Requests

Maximum number of requests to service on a Keep-Alive connection to the monitor web server. The default is 100. -1 is unlimited. Added in version 6.

Max Conn Lifetime

Maximum lifetime of a Keep-Alive connection to the monitor web server, in seconds. The default is 60. -1 is unlimited. Added in version 6.

Max Conn Idle Time

Maximum idle (not-in-use) time of a Keep-Alive connection to the monitor web server, in seconds. The default is 5. -1 is unlimited. Added in version 6.

 

SSL Engine
Whether to use secure sockets (SSL) for incoming monitor web server connections. One of three values:

  • off: Listen for HTTP requests, do not use SSL. None of the following SSL settings are used.

  • optional: Listen for HTTP requests, but upgrade to HTTPS (SSL) if client agrees via Upgrade header.

  • on: Listen for HTTPS requests (use SSL).

The default is off. If set to on, the default Port value becomes 443 instead of 80. Added in version 6. If there is a problem initializing the SSL layer, an error such as "SSL disabled for web server due to previous errors" may result in monitor.log, after other errors (e.g. failed to load certificate): the web server will continue to run, but as if SSL Engine was off.

 

SSL Pass Phrase Dialog
How to prompt for passwords when needed for loading password-protected certificate keys for the monitor web server. Can be:

  • off: Do not prompt; password-protected keys will not be loaded

  • builtin: Use the built-in prompter: ask for password at Texis Monitor startup. This requires that the monitor be started interactively, i.e. from the command line.

The default is off, so that the monitor may always start unimpeded, even from the command line when password prompting might be possible.

If a server is started with a password-protected key, but SSL Pass Phrase Dialog is set to off, an error such as " Cannot obtain password to decrypt SSL certificate key `.../server.key': [Httpd] SSL Pass Phrase Dialog is `off'" may result in monitor.log. If SSL Pass Phrase Dialog is set to builtin and an incorrect password is given when the monitor server is started (and prompts the user), the error " Cannot parse SSL certificate key `.../server.key': Bad password" may result in the log and the error "Failed to load SSL certificate key .../server.key" may be output to the user starting the monitor.

Note: if builtin is set, the monitor must be started manually on the command line, so that it can prompt for any needed password(s). Setting added in version 6. See also the [Scheduler] SSL Pass Phrase Dialog setting for the schedule/license server.

 

SSL Certificate File
The path to the SSL server certificate file (in PEM format) to use for the monitor web server. A certificate file is required if SSL Engine is not off. If SSL Certificate Key File is unset, the corresponding certificate key will also be loaded from this file. Can also be the same file as SSL Certificate Chain File (if the certificate is in there). Added in version 6.00.1317693000 20111003 (note that in earlier version 6 releases, SSL Certificate Chain File was used to load the server certificate, and the certificate key was never loaded from that file). The default certificate file is %INSTALLDIR%/conf/ssl/certs/server.cert.

The server certificate file is provided by the administrator. One way to create a certificate and unencrypted private key if they do not exist is with the command:

  /usr/local/morph3/etc/openssl req -new -x509 -nodes -days 3653 \
    -out server.cert -keyout server.key

See http://www.openssl.org/ for more on the openssl command.

If the server certificate file is missing, an error such as " Cannot read SSL certificate .../server.cert: No such file or directory" may result in monitor.log.

 

SSL Certificate Key File
The path to the SSL certificate private key file (in PEM format) that corresponds to the SSL Certificate File certificate set for the monitor web server. This file is provided by the administrator. A certificate key is required if SSL Engine is not off. If this setting is unset (the default), the certificate key is assumed to be concatenated into SSL Certificate File. Added in version 6 (note that in versions prior to 6.00.1317693000 20111003, the default was %INSTALLDIR%/conf/ssl/keys/server.key). Note: This file should be accessible only to the Texis Monitor server, i.e. the monitor owner. See the openssl example above for an example of how to create this file if it does not exist.

If the SSL certificate key is password-protected, SSL Pass Phrase Dialog will need to be set to "builtin" to allow the monitor to prompt for the password at server start; otherwise an error such as "Cannot obtain password to decrypt SSL certificate key" will result.

If the certificate key file is missing, an error such as " Cannot read SSL certificate key `.../server.key': No such file or directory" may result in monitor.log.

 

SSL Certificate Chain File
Optional path to monitor web server certificate's CA (certificate authority) chain file, PEM format. This file contains the chain of CA certificates (if any) for the server certificate, in order, starting with the CA certificate that signed the server certificate, the CA certificate that signed that CA certificate, etc. up through the root/self-signed CA certificate. The server certificate itself may also optionally be combined into this file, if it is the first certificate listed and SSL Certificate File is also set to this file: this allows the server plus chain certificates to all be in one file. Default is unset (no CA chain). Added in version 6 (note that in versions prior to 6.00.1317693000 20111003, this setting also loaded the server certificate).

Setting a CA chain for the server certificate may be needed so that a web browser can trust the server. If the server certificate was not signed by a well-known CA that the browser already trusts, the browser might give an SSL/certificate/security error to the user. Supplying the CA chain - up through a well-known root CA certificate - lets the browser follow that chain to the well-known root CA that it trusts, avoiding the security error.

Note that this setting only sets the server certificate CA chain; it does not alter what CA certificates the server trusts for authentication of clients (see SSL CA Certificate File).

Note also that if further CA certificates are needed to finish the server certificate's chain (due to SSL Certificate Chain File being unset or incomplete), the server may automatically obtain them from the SSL CA Certificate File. Since SSL CA Certificate File certificates are trusted whereas SSL Certificate Chain File certificates are not, it is best to add all needed server certificate chain certificates directly via SSL Certificate Chain File, and not implicitly via SSL CA Certificate File. For example, say the server certificate's issuer is a well-known Thawte certificate, but the server also wants to do authentication of clients and only trust clients with certificates issued by a local issuer (say Acme Co.). The Acme certificate should be the only certificate in the SSL CA Certificate File file - so that the server trusts only client certificates issued by Acme. The well-known Thawte certificate should only be in SSL Certificate Chain File - so that browsers can verify the server. If the Thawte certificate were in SSL CA Certificate File, the server chain would still be completed correctly, but the server would start trusting all clients with Thawte certificates - which is not what is desired.

 

SSL CA Certificate File
Optional file with trusted CA certificates (PEM format), used by monitor web server for authentication of clients. When such authentication is enabled (see SSL Verify Client), clients are asked to present a certificate; the certificate is trusted only if its root certificate is signed by one of the CAs listed in this file. Note that this file may also possibly be used for automatic completion of the server certificate CA chain, if not all needed CA certificates are found in SSL Certificate Chain File; see the SSL Certificate Chain File setting discussion on why this is not usually the best practice.

The default SSL CA Certificate File value is unset. Added in version 6.00.1318364000 20111011.

 

SSL CA DN Request File
Optional file with CA issuer certificates (PEM format) whose names are sent to the client when the client certificate is requested by the monitor web server, during authentication of clients (see SSL Verify Client). The client can choose the certificate it wishes to return based on these acceptable issuer CAs. Some browsers will show the user this list, as an aid in choosing which client certificate to return (i.e. preferably one signed by one of these issuers). If this setting is unset (the default), the list of CA issuer names sent to the client is obtained from SSL CA Certificate File instead.

Note that while this setting (SSL CA DN Request File) sets the list of requested CAs, it does not set the list of CAs that are actually trusted by the server - that is controlled by SSL CA Certificate File. Usually these lists are the same, and hence this setting may be left unset. But sometimes they differ, e.g. if client certificates are signed by intermediate CAs: the requested list may need to be set differently with this setting, to prompt the user more correctly. Added in version 6.00.1318364000 20111011.

 

SSL Verify Client
Whether the monitor web server should ask for and verify SSL client certificates. Verification is enabled if on, disabled if off (the default).

If on and a client certificate cannot be obtained or verified, the connection will be terminated with a server error such as "Cannot verify certificate from host:port: reason at depth N". The specific reason may vary; see the SSL Client/Server Certificate Verification appendix of the Vortex manual for a full list. The client/browser may see an error such as "SSL peer was unable to negotiate an acceptable set of security parameters / ssl_error_handshake_failure_alert", or "Cannot complete SSL handshake: ... alert bad certificate".

The Apache-compatible setting values none and require are also permitted, as aliases for on and off, respectively. The Apache value optional is also permitted - client certificates will be requested and must be verified if presented, but if no certificate is presented the connection continues. (This is a less secure value but may be useful for debugging, development etc.)

When asking for the client certificate, the server will present a list of names of certificate authorities (CAs): the client may choose which certificate to return based on this list. This list is obtained from SSL CA DN Request File if set, or SSL CA Certificate File if the former is unset.

The SSL Verify Client setting was added in version 6.00.1318364000 20111011.

 

SSL Protocol
Which SSL protocols to use when SSL is active for the monitor web server. One or more of the space-separated protocols SSLv2, SSLv3, TLSv1 or all for all protocols. Each protocol may be prefixed with + to add the protocol to the enabled list, - to remove, or = to set (enable just this protocol). The default is all -SSLv2, i.e. enable all protocols except SSL/2.0. Added in version 6.
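
A configuration audit built from the defaults and cautions documented in this section (Pass, Bind Address, Directory Indexing, Pass Env, SSL Engine, SSL Protocol, SSL Verify Client), as an added example that is not Thunderstone code. It assumes "Setting = value" lines under a [Httpd] header and that an unprefixed SSL Protocol token adds the protocol; both sample configurations are constructed.

```python
import configparser

NAMES = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}  # protocols the page lists


def effective_protocols(value="all -SSLv2"):
    """Resolve an SSL Protocol value; assumes an unprefixed token means "+"."""
    enabled = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-=" else ("+", token)
        names = set(NAMES.values()) if name.lower() == "all" else {NAMES.get(name.lower(), name)}
        if op == "=":
            enabled = set()
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def audit(ini_text):
    """Return findings for [Httpd]; assumes "Setting = value" lines (syntax not shown on the page)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    h = cp["Httpd"] if cp.has_section("Httpd") else {}
    def get(key, default):
        return h.get(key, default).strip()
    if get("run level", "0") != "1":
        return []  # monitor web server is not started; its defaults do not apply
    out = []
    if get("pass", ""):
        out.append("Pass: plain-text password, use EncPass")
    if not get("bind address", ""):
        out.append("Bind Address: unset, accepts connections from anywhere")
    if get("directory indexing", "1") != "0":
        out.append("Directory Indexing: automatic listings are on")
    if get("pass env", ""):
        out.append("Pass Env: forwards " + get("pass env", "") + " to CGI")
    engine = get("ssl engine", "off").lower()
    if engine != "on":
        out.append("SSL Engine: " + engine + ", plain HTTP is accepted")
    if engine != "off":
        old = effective_protocols(get("ssl protocol", "all -SSLv2")) & {"SSLv2", "SSLv3"}
        if old:
            out.append("SSL Protocol: " + " ".join(sorted(old)) + " enabled")
        if get("ssl verify client", "off").lower() == "optional":
            out.append("SSL Verify Client: optional, clients without a certificate continue")
    return out


# Constructed sample configurations (values invented for this example).
WEAK = """[Httpd]
Run Level = 1
Pass = example-password
Pass Env = LD_LIBRARY_PATH
SSL Engine = optional
SSL Verify Client = optional
"""
HARDENED = """[Httpd]
Run Level = 1
Bind Address = 127.0.0.1
Directory Indexing = 0
EncPass = CONSTRUCTED-PLACEHOLDER
SSL Engine = on
SSL Protocol = =TLSv1
SSL Verify Client = on
"""
```

audit(WEAK) returns seven findings, including SSLv3 left enabled by the default "all -SSLv2"; audit(HARDENED) returns none. TLSv1 is the newest protocol this page documents, and TLS 1.0 has since been deprecated by RFC 8996.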


Copyright © Thunderstone Software     Last updated: Sun Mar 17 21:14:49 EDT 2013
 