Httpd conf/texis.ini Section


The [Httpd] section of conf/texis.ini controls the Texis Monitor Web Server. This is a minimal web server primarily intended for certain standalone Windows applications. Most environments (e.g. Unix) should use the vhttpd web server instead.

Run Level
Whether to run the Texis Monitor Web Server or not. Set to 1 to run, 0 (default) not to run. Added in version 4.02.1036450486 Nov 4 2002.

Port
The TCP port to listen to. Default 80. If SSL Engine is set to on, the default is 443 instead, since the server will be listening for HTTPS not HTTP requests. Added in version 4.02.1036450486 Nov 4 2002.

Document Root
The document root directory to serve documents from. Default is htdocs in the Texis install dir. Must be an absolute path. Added in version 4.02.1036450486 Nov 4 2002.

Transfer Log
Path to log file for transfers. Default is logs/transfer.log in the Texis install dir. Must be absolute. Added in version 4.02.1036450486 Nov 4 2002.

Log Format
Format for entries in Transfer Log. The value is a printf-like format string containing %-codes for certain special values. The codes are based on Apache 2.4's LogFormat directive format codes, with some codes unsupported.

Note that conf/texis.ini setting values normally have certain %-variables replaced (e.g. %INSTALLDIR%); such var replacement may unexpectedly alter the Log Format value, as it is likely to also contain % codes that have meaning only in Log Format. To avoid this conflict, assign Log Format with the ":=" operator instead of the usual "=": the former disables variable substitution.

Some Log Format codes can take a {varName} prefix - e.g. "%{Referer}i" - as a parameter; these are noted in the list of codes below:

  • %% A percent sign

  • %a Client (remote) IP address

  • %A Local IP address

  • %B The response size in bytes, not including headers

  • %b The response size in bytes, not including headers, or "-" (dash) if unknown/empty

  • %{varName}C The value of cookie varName in the request, or dash if unset

  • %D Elapsed time for the transaction, in microseconds

  • %{varName}e Environment variable varName; unimplemented, always a dash

  • %f The request's filename path

  • %h The client hostname; reverse-DNS lookups are not currently performed so this is always the IP address

  • %H The request protocol

  • %{varName}i The request header named varName, or dash if unset; for security the value is escaped as if a C literal string

  • %k Number of Keep-Alives performed on this socket; i.e. one less than the number of transactions performed

  • %l Remote logname via identd; unimplemented, always a dash

  • %m Request method (e.g. "GET")

  • %{varName}n Apache module note named varName; unimplemented, always a dash

  • %{varName}o Reply header named varName; unimplemented, always a dash

  • %{varName}p Canonical server port; varName is optional and may be "canonical" for canonical server port (e.g. 80), "local" for local port (same as canonical), or "remote" for remote port

  • %{varName}P PID of process servicing the transaction; varName is optional and may be "pid" for PID, "tid" for thread ID, or "hextid" for the thread ID in hexadecimal

  • %q Request query string (with "?"), or empty if none

  • %r Request line; escaped as C literal string for security

  • %R Handler-generated request; unimplemented, always a dash

  • %s Status code (e.g. 200)

  • %>s Final status code (e.g. 200); same as %s

  • %{varName}t Timestamp when request started; varName may be a strftime() date format; the default is "[%d/%b/%Y:%H:%M:%S %z]". The prefix "begin:" may be prepended for the time the transaction began, or "end:" for the time the transaction ended.

  • %T Length of time in seconds for transaction

  • %u Remote user; unimplemented, always a dash

  • %U URL path of request, without query string; URL-decoded

  • %v Canonical server name

  • %V Same as %v

  • %X Connection status: "X" if connection error/aborted, "+" if connection is reusable (via Keep-Alive), "-" if not reusable

  • %I Number of bytes received (including request line and headers); unimplemented, always a dash

  • %O Number of bytes sent (including request line and headers); unimplemented, always a dash

  • %S Number of bytes received and sent (including request line and headers); unimplemented, always a dash

  • %{varName}/ Non-Apache extension: print the resource statistic varName; one of the following:

    • UserTime

    • SystemTime

    • RealTime

    • MaxResidentSetSize

    • IntegralSharedMemSize

    • IntegralUnsharedDataSize

    • IntegralUnsharedStackSize

    • MinorPageFaults

    • MajorPageFaults

    • Swaps

    • BlockInputOps

    • BlockOutputOps

    • MessagesSent

    • MessagesReceived

    • SignalsReceived

    • VoluntaryContextSwitches

    • InvoluntaryContextSwitches

    The value is scaled, i.e. it may have a size suffix such as "K" appended. The varName given may have one of the prefixes "self", "children", "both" or "thread" prepended, with a period between it and the rest of varName. Such a prefix alters which statistics group varName is printed from, as per the Unix getrusage() call; the default is children for the Monitor web server and self for vhttpd. Not all platforms support all groups, nor all statistic names. Unsupported statistics are printed as a dash.

Apache's status-code qualifier prefix syntax is supported: after the "%", a comma-separated list of status codes may be given, indicating that the format code is only to be printed if the response status matches one of the codes. E.g. "%404,500{User-Agent}i" only logs the user agent on 404 or 500 responses. An exclamation point preceding the list negates it, i.e. the format is printed if the response status does not match one of the codes. The Apache "<" and ">" modifiers are also supported (though essentially ignored, since there is only one request).

The default Log Format is "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"", i.e. the standard Apache Combined format. The Log Format setting was added in version 7.01.1384824000 20131118.
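As an added example (not Texis code), the following Python renders one transaction with the Log Format codes and the status-code qualifier syntax described above. The transaction record layout, the exact C-literal escape set, and printing a dash when a qualifier is not met (as Apache does) are assumptions.

```python
import re
import time

# Added example, not Texis code: renderer for the [Httpd] Log Format codes,
# the {varName} parameter, the "%404,500{...}i" status qualifier ("!" negates)
# and the "<"/">" modifiers, which are accepted and ignored as documented.

_CODE_RE = re.compile(r'%(!?[0-9,]*)([<>]?)(?:\{([^}]*)\})?([a-zA-Z%/])')

def c_escape(s):
    """Escape like a C string literal, as %r and %{...}i are
    (the exact escape set is an assumption)."""
    out = []
    for ch in s:
        if ch in '"\\':
            out.append('\\' + ch)
        elif ch in '\n\r\t':
            out.append({'\n': '\\n', '\r': '\\r', '\t': '\\t'}[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.append('\\x%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def _value(code, arg, tx):
    hdrs = {k.lower(): v for k, v in tx.get('headers', {}).items()}
    if code == '%': return '%'
    if code in 'ah': return tx['client_ip']        # %h: no reverse DNS, so the IP
    if code == 'A': return tx['local_ip']
    if code == 'B': return str(tx['bytes'])
    if code == 'b': return str(tx['bytes']) if tx['bytes'] else '-'
    if code == 'C': return tx.get('cookies', {}).get(arg, '-')
    if code == 'D': return str(tx['elapsed_us'])
    if code == 'f': return tx['filename']
    if code == 'H': return tx['protocol']
    if code == 'i': return c_escape(hdrs.get((arg or '').lower(), '-'))
    if code == 'k': return str(tx['keepalives'])
    if code == 'm': return tx['method']
    if code == 'p': return str(tx['remote_port'] if arg == 'remote' else tx['port'])
    if code == 'P': return str(tx['pid'])           # tid/hextid not modelled
    if code == 'q': return '?' + tx['query'] if tx['query'] else ''
    if code == 'r': return c_escape('%s %s%s %s' % (tx['method'], tx['path'], _value('q', None, tx), tx['protocol']))
    if code == 's': return str(tx['status'])        # %>s is the same value
    if code == 't':
        fmt, key = arg or '', 'start'
        for pfx, k in (('begin:', 'start'), ('end:', 'end')):
            if fmt.startswith(pfx): fmt, key = fmt[len(pfx):], k
        return time.strftime(fmt or '[%d/%b/%Y:%H:%M:%S %z]', time.localtime(tx[key]))
    if code == 'T': return str(tx['elapsed_us'] // 1000000)
    if code == 'U': return tx['path']
    if code in 'vV': return tx['server_name']
    if code == 'X': return tx['conn_status']
    return '-'   # %l %u %e %n %o %R %I %O %S %/ are unimplemented: always a dash

def render(fmt, tx):
    """Expand a Log Format string for one transaction record."""
    def sub(m):
        cond, _mod, arg, code = m.groups()   # "<"/">" accepted and ignored
        if cond:
            negate = cond.startswith('!')
            codes = {int(c) for c in cond.lstrip('!').split(',') if c}
            if (tx['status'] in codes) == negate:
                return '-'   # qualifier not met: print a dash (Apache behaviour)
        return _value(code, arg, tx)
    return _CODE_RE.sub(sub, fmt)

# Constructed sample transaction (not real log data).
SAMPLE = {
    'client_ip': '192.0.2.10', 'local_ip': '192.0.2.1', 'method': 'GET',
    'path': '/texis/search', 'query': 'q=test', 'protocol': 'HTTP/1.1',
    'status': 404, 'bytes': 512, 'filename': '/usr/local/morph3/texis/search',
    'headers': {'Referer': 'http://example.com/"x"', 'User-Agent': 'Mozilla/5.0'},
    'cookies': {'session': 'abc'}, 'elapsed_us': 1500000, 'keepalives': 2,
    'port': 80, 'remote_port': 51234, 'pid': 4242, 'server_name': 'www.example.com',
    'conn_status': '+', 'start': 1700000000, 'end': 1700000002,
}
# The documented default (Combined) format; in texis.ini the inner quotes are
# written as \" and the value should be assigned with := to avoid % substitution.
COMBINED = '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"'
```

Note that the quote in the constructed Referer value comes out escaped in the log line, which is what keeps a hostile header from forging an extra field.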

Types Config
Extension-to-Content-Type config file. Relative to install dir if not absolute path. Default is %INSTALLDIR%/conf/mime.types. Added in version 5.01.1251952000 20090903.

Encodings Config
Extension-to-Content-Encoding config file. Relative to install dir if not absolute path. Default is %INSTALLDIR%/conf/mime.encodings. Added in version 5.01.1251952000 20090903.

Max Backlog
The maximum backlog of pending connections to let the OS keep pending. Default is OS dependent. Added in version 4.02.1036450486 Nov 4 2002.

Timeout
The network timeout in seconds. Note that per-script Vortex timeout applies when Vortex scripts are running. Default is 30 seconds. Added in version 4.02.1036450486 Nov 4 2002.

Bind Address
The local IP address to bind to. Default is any, i.e. allow incoming connections from anywhere. Added in version 4.02.1036450486 Nov 4 2002.

User
Windows only: local user to run CGI texis as. Default is same user as the running monitor server process. See discussion of the Vortex <exec> option USER for caveats and permission requirements. Added in version 4.04.1071892000 20031219.

Pass
Windows only: password to login User. Required if User is set. Note: password is in plain text; use EncPass setting instead. Overrides EncPass. Added in version 4.04.1071892000 20031219.

EncPass
Windows only: encrypted password to login User. Create by running monitor -E from the command-line. Added in version 4.04.1071892000 20031219.

Fast Logon
Windows only: use fast logon method for User. Not recommended; see discussion of the Vortex <exec> flag FASTLOGON for caveats and permission requirements. Added in version 4.04.1071892000 20031219.

Max Clients
The maximum number of simultaneous connections (clients) allowed. Default is 32. Added in version 4.02.1036450486 Nov 4 2002.

Max Header Size
The maximum total HTTP header size to accept, in bytes. Default is 4096. Added in version 4.02.1036450486 Nov 4 2002.

Live Output
Set to 1 to propagate CGI texis output "live", i.e. do not delay until server buffer is full. Default is 1. Added in version 5.01.1172190000 20070222.

Vortex Path

The URL path to interpret as Vortex scripts. Default none. Typically set to /texis. Added in version 4.02.1036450486 20021104.

While the overall path is a prefix, it must match whole path components of the request: e.g. given the Vortex Path "/texis", the URL request "/texis/subdir/script" will run the script "subdir/script", but the URL request "/texisation/subdir/script" will not run a script (i.e. it will be treated as a flat file request unless otherwise mapped). Note that currently scripts are run via a separate CGI process, not directly as vhttpd does.

Amongst the standard CGI environment variables, in version 6 and later the variable HTTPS is set to on if SSL Engine is on. It is unset if SSL Engine is optional or off: this allows scripts that use HTTPS to compute the scheme (protocol) prefix of the request URL to work. If the response will be secure/SSL, i.e. SSL Engine is on, or optional and the connection was RFC 2817 upgraded, the variable SSL_PROTOCOL will be set to the SSL protocol in use: one of SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, or TLSv1.3. Note that the request itself might still have been insecure, e.g. if SSL Engine is optional and the connection was upgraded on the main request instead of an earlier (OPTIONS) request.

Vortex By Ext Path
The URL path to interpret as a Vortex script, by extension. A request in this path with a "subdirectory" component that ends in one of the non-empty Vortex Source Extensions or .vtx will be run as a Vortex script. Typically set to /; e.g. the request "/dir/subdir/script.vs/func.html" would run the script dir/subdir/script.vs in the ScriptRoot dir. Added in version 5.01.1182883000 20070626. Note that Vortex Source Extensions typically only contains non-empty values (e.g. .vs) in Version 6.
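The two path-mapping rules above (Vortex Path and Vortex By Ext Path), as an added example that is not Texis code. The input is the URL-decoded request path without the query string; rejecting ".." components is an added defensive check, and keeping a non-"/" Vortex By Ext Path prefix in the script name is an assumption.

```python
# Added example, not Texis code: map a request URL path to a Vortex script
# under the Vortex Path (whole-component prefix) and Vortex By Ext Path
# (first component ending in a source extension) rules. Settings and
# request paths below are constructed.

def _components(path):
    """Non-empty path components, or None if the path contains a ".."
    traversal component (added defensive check, not from the docs)."""
    comps = [c for c in path.split('/') if c and c != '.']
    return None if '..' in comps else comps

def vortex_path_script(request_path, vortex_path):
    """Script (relative to ScriptRoot) selected by Vortex Path, or None.
    The prefix matches whole components only: "/texis" matches
    "/texis/subdir/script" (script "subdir/script") but not
    "/texisation/subdir/script", which is served as a flat file."""
    if not vortex_path:
        return None   # Default none: no URL path runs Vortex scripts
    prefix, req = _components(vortex_path), _components(request_path)
    if prefix is None or req is None:
        return None
    if req[:len(prefix)] != prefix or len(req) == len(prefix):
        return None   # not under the prefix, or nothing after it to run
    return '/'.join(req[len(prefix):])

def vortex_by_ext_script(request_path, by_ext_path, source_exts=('.vs',)):
    """Under Vortex By Ext Path, the first component whose name ends in a
    non-empty Vortex Source Extension or .vtx is the script; whatever follows
    is the script's path info. Returns (script, path_info) or None.
    A non-"/" prefix is kept in the script name (assumption)."""
    if not by_ext_path:
        return None
    prefix, req = _components(by_ext_path), _components(request_path)
    if prefix is None or req is None or req[:len(prefix)] != prefix:
        return None
    exts = [e for e in source_exts if e] + ['.vtx']
    for i in range(len(prefix), len(req)):
        if any(req[i].endswith(e) for e in exts):
            rest = req[i + 1:]
            return '/'.join(req[:i + 1]), ('/' + '/'.join(rest) if rest else '')
    return None
```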

Texis Exe

The executable (and optional arguments) to run Vortex scripts. Default is texis.exe in the install dir for Windows, or bin/texis in the install dir for Unix. Added in version 4.02.1036450486 Nov 4 2002. Note that since the Texis Monitor web server runs Vortex scripts via a separate CGI process, and Vortex ignores command line arguments by default in CGI mode for security, any arguments will likely be ignored (unless permitted via [Texis] Allow Cgi Command Line Options).

Index Files
What files to send as a directory's contents, as a space-separated list. Default is index.html for Unix, and index.html index.htm for Windows. Added in version 4.02.1036450486 Nov 4 2002.

Directory Indexing
Whether to list a directory's contents and links when no index file is present. Default is on (1); set to 0 for off. Added in version 4.02.1036450486 Nov 4 2002.

Directory Robots Index
Whether the <meta> robots tag on automatic directory index pages should indicate that the page should be indexed by web crawlers or not. The default is 0, which generates noindex (no indexing); 1 generates index so that crawlers do index the page. Added in version 5.01.1225747000 20081103.

Directory Robots Follow
Whether the <meta> robots tag on automatic directory index pages should indicate that the pages' links should be followed by web crawlers or not. The default is 1 (follow); 0 generates nofollow so that crawlers do not follow the pages' links. Added in version 5.01.1225747000 20081103.

Multi Views
If on or non-zero, allow content-negotiated variant files to be served. With this option enabled, if a requested file is not found as named, files with the same name but additional recognized file extensions (for MIME types and/or encodings) will be searched for. The files will be ranked according to the client's Accept-... header preferences, and the highest-ranked file will be served. Applies to implicit Index Files files too. For example, a request for "/dir/file" might return "/dir/file.html", "/dir/file.txt.gz" etc. If variant(s) are found but are not deemed acceptable according to the client's Accept-... headers, a 406 Not Acceptable response may result. Disabled by default. Currently, only the Accept-Encoding client header is respected. Added in version 5.01.1251952000 20090903.

Allow File Mask
Only allow access to files in Document Root with at least one of these permission bits set. Note that files must still be accessible by User (if set). The default is o=r, i.e. files must have other-read permission set to be accessible. Added in version 5.01.1147373599 20060511.

Allow Dir Mask
Only allow access to directories in Document Root with at least one of these permission bits set. Note that directories must still be accessible by User (if set). The default is o=r, i.e. directories must have other-read permission set to be accessible. Added in version 5.01.1147373599 20060511.

Pass Env
Space-separated list of environment variables to pass through from the web server's environment to the Vortex CGI environment. Default is none. Only a minimal CGI environment is normally set for security. This setting can be used to pass through variables like LD_LIBRARY_PATH if needed. Use with caution. Added in version 4.02.1047673208 Mar 14 2003.

In addition, all "settings" in the [Httpd Set Env] section are taken as environment variable assignments to pass to the CGI environment. This allows environment variables which aren't set in the web server's environment to be set in the CGI environment. Added in version 4.02.1047663381 Mar 14 2003.

Bad Content Length Work Around
If bit 0 is set, try to read any extra socket input after the request. This works around a Microsoft Internet Explorer bug that causes connection-reset browser errors. If bit 1 is set, log such events. Default is 1. Added in version 5.01.1159558662 20060929.

Trace Requests

Enable debug tracing of monitor web server requests to monitor.log. This is an integer combination of the following bit flags to determine what is logged (same format as <urlcp verbose>):

  • bit 0: Responses read

  • bit 1: Requests sent

  • bit 2: Headers read

  • bit 3: Headers sent

The default is 0, i.e. no logging. Generally only set at the request of tech support. Added in version 5.01.1184720000 20070717.

Trace Auth

Enable debug tracing of authorization in monitor web server requests. This is an integer combination of bit flags in the same format as the Vortex <urlcp traceauth> setting. Generally only set at the request of tech support. Added in version 5.01.1184720000 20070717.

Max Conn Requests

Maximum number of requests to service on a Keep-Alive connection to the monitor web server. The default is 100. -1 is unlimited. Added in version 6.

Max Conn Lifetime

Maximum lifetime of a Keep-Alive connection to the monitor web server, in seconds. The default is 60. -1 is unlimited. Added in version 6.

Max Conn Idle Time

Maximum idle (not-in-use) time of a Keep-Alive connection to the monitor web server, in seconds. The default is 5. -1 is unlimited. Added in version 6.


SSL Engine
Whether to use secure sockets (SSL) for incoming monitor web server connections. One of three values:

  • off: Listen for HTTP requests, do not use SSL. None of the following SSL settings are used.

  • optional: Listen for HTTP requests, but upgrade to HTTPS (SSL) if client agrees via Upgrade header.

  • on: Listen for HTTPS requests (use SSL).

The default is off. If set to on, the default Port value becomes 443 instead of 80. Added in version 6. If there is a problem initializing the SSL layer, an error such as "SSL disabled for web server due to previous errors" may result in monitor.log, after other errors (e.g. failed to load certificate): the web server will continue to run, but as if SSL Engine was off.


SSL Pass Phrase Dialog
How to prompt for passwords when needed for loading password-protected certificate keys for the monitor web server. Can be:

  • off: Do not prompt; password-protected keys will not be loaded

  • builtin: Use the built-in prompter: ask for password at Texis Monitor startup. This requires that the monitor be started interactively, i.e. from the command line.

The default is off, so that the monitor may always start unimpeded, even from the command line when password prompting might be possible.

If a server is started with a password-protected key, but SSL Pass Phrase Dialog is set to off, an error such as "Cannot obtain password to decrypt SSL certificate key `.../server.key': [Httpd] SSL Pass Phrase Dialog is `off'" may result in monitor.log. If SSL Pass Phrase Dialog is set to builtin and an incorrect password is given when the monitor server is started (and prompts the user), the error "Cannot parse SSL certificate key `.../server.key': Bad password" may result in the log and the error "Failed to load SSL certificate key .../server.key" may be output to the user starting the monitor.

Note: if builtin is set, the monitor must be started manually on the command line, so that it can prompt for any needed password(s). Setting added in version 6. See also the [Scheduler] SSL Pass Phrase Dialog setting for the schedule/license server, here.


SSL Certificate File
The path to the SSL server certificate file (in PEM format) to use for the monitor web server. A certificate file is required if SSL Engine is not off. If SSL Certificate Key File is unset, the corresponding certificate key will also be loaded from this file. Can also be the same file as SSL Certificate Chain File (if the certificate is in there). Added in version 6.00.1317693000 20111003 (note that in earlier version 6 releases, SSL Certificate Chain File was used to load the server certificate, and the certificate key was never loaded from that file). The default certificate file is %INSTALLDIR%/conf/ssl/certs/server.cert.

The server certificate file is provided by the administrator. One way to create a certificate and unencrypted private key if they do not exist is with the command:

  /usr/local/morph3/etc/openssl req -new -x509 -nodes -days 3653 \
    -out server.cert -keyout server.key

See http://www.openssl.org/ for more on the openssl command.

If the server certificate file is missing, an error such as "Cannot read SSL certificate .../server.cert: No such file or directory" may result in monitor.log.


SSL Certificate Key File
The path to the SSL certificate private key file (in PEM format) that corresponds to the SSL Certificate File certificate set for the monitor web server. This file is provided by the administrator. A certificate key is required if SSL Engine is not off. If this setting is unset (the default), the certificate key is assumed to be concatenated into SSL Certificate File. Added in version 6 (note that in versions prior to 6.00.1317693000 20111003, the default was %INSTALLDIR%/conf/ssl/keys/server.key). Note: This file should be accessible only to the Texis Monitor server, i.e. the monitor owner. See the openssl example above for an example of how to create this file if it does not exist.

If the SSL certificate key is password-protected, SSL Pass Phrase Dialog will need to be set to "builtin" to allow the monitor to prompt for the password at server start; otherwise an error such as "Cannot obtain password to decrypt SSL certificate key" will result.

If the certificate key file is missing, an error such as "Cannot read SSL certificate key `.../server.key': No such file or directory" may result in monitor.log.


SSL Certificate Chain File
Optional path to monitor web server certificate's CA (certificate authority) chain file, PEM format. This file contains the chain of CA certificates (if any) for the server certificate, in order, starting with the CA certificate that signed the server certificate, the CA certificate that signed that CA certificate, etc. up through the root/self-signed CA certificate. The server certificate itself may also optionally be combined into this file, if it is the first certificate listed and SSL Certificate File is also set to this file: this allows the server plus chain certificates to all be in one file. Default is unset (no CA chain). Added in version 6 (note that in versions prior to 6.00.1317693000 20111003, this setting also loaded the server certificate).

Setting a CA chain for the server certificate may be needed so that a web browser can trust the server. If the server certificate was not signed by a well-known CA that the browser already trusts, the browser might give an SSL/certificate/security error to the user. Supplying the CA chain - up through a well-known root CA certificate - lets the browser follow that chain to the well-known root CA that it trusts, avoiding the security error.

Note that this setting only sets the server certificate CA chain; it does not alter what CA certificates the server trusts for authentication of clients (see SSL CA Certificate File).

Note also that if further CA certificates are needed to finish the server certificate's chain (due to SSL Certificate Chain File being unset or incomplete), the server may automatically obtain them from the SSL CA Certificate File. Since SSL CA Certificate File certificates are trusted whereas SSL Certificate Chain File certificates are not, it is best to add all needed server certificate chain certificates directly via SSL Certificate Chain File, and not implicitly via SSL CA Certificate File. For example, say the server certificate's issuer is a well-known Thawte certificate, but the server also wants to do authentication of clients and only trust clients with certificates issued by a local issuer (say Acme Co.). The Acme certificate should be the only certificate in the SSL CA Certificate File file - so that the server trusts only client certificates issued by Acme. The well-known Thawte certificate should only be in SSL Certificate Chain File - so that browsers can verify the server. If the Thawte certificate were in SSL CA Certificate File, the server chain would still be completed correctly, but the server would start trusting all clients with Thawte certificates - which is not what is desired.


SSL CA Certificate File
Optional file with trusted CA certificates (PEM format), used by monitor web server for authentication of clients. When such authentication is enabled (see SSL Verify Client), clients are asked to present a certificate; the certificate is trusted only if its root certificate is signed by one of the CAs listed in this file. Note that this file may also possibly be used for automatic completion of the server certificate CA chain, if not all needed CA certificates are found in SSL Certificate Chain File; see the SSL Certificate Chain File setting discussion on why this is not usually the best practice.

The default SSL CA Certificate File value is unset. Added in version 6.00.1318364000 20111011.


SSL CA DN Request File
Optional file with CA issuer certificates (PEM format) whose names are sent to the client when the client certificate is requested by the monitor web server, during authentication of clients (see SSL Verify Client). The client can choose the certificate it wishes to return based on these acceptable issuer CAs. Some browsers will show the user this list, as an aid in choosing which client certificate to return (i.e. preferably one signed by one of these issuers). If this setting is unset (the default), the list of CA issuer names sent to the client is obtained from SSL CA Certificate File instead.

Note that while this setting (SSL CA DN Request File) sets the list of requested CAs, it does not set the list of CAs that are actually trusted by the server - that is controlled by SSL CA Certificate File. Usually these lists are the same, and hence this setting may be left unset. But sometimes they differ, e.g. if client certificates are signed by intermediate CAs: the requested list may need to be set differently with this setting, to prompt the user more correctly. Added in version 6.00.1318364000 20111011.


SSL Verify Client
Whether the monitor web server should ask for and verify SSL client certificates. Verification is enabled if on, disabled if off (the default).

If on and a client certificate cannot be obtained or verified, the connection will be terminated with a server error such as "Cannot verify certificate from host:port: reason at depth N". The specific reason may vary; see the SSL Client/Server Certificate Verification appendix of the Vortex manual for a full list. The client/browser may see an error such as "SSL peer was unable to negotiate an acceptable set of security parameters / ssl_error_handshake_failure_alert", or "Cannot complete SSL handshake: ... alert bad certificate".

The Apache-compatible setting values none and require are also permitted, as aliases for off and on, respectively. The Apache value optional is also permitted: client certificates will be requested and must be verified if presented, but if no certificate is presented the connection continues. (This is a less secure value but may be useful for debugging, development etc.)

When asking for the client certificate, the server will present a list of names of certificate authorities (CAs): the client may choose which certificate to return based on this list. This list is obtained from SSL CA DN Request File if set, or SSL CA Certificate File if the former is unset.

The SSL Verify Client setting was added in version 6.00.1318364000 20111011.


SSL Protocol
Which SSL protocol(s) to use when SSL is active for the monitor web server. One or more of the space-separated protocols SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, or all for all protocols. An action may optionally be prefixed to any protocol: + to add the protocol to the enabled list, - to remove it, or = to set (enable just this protocol; this is the default action). The default setting value is all -SSLv2 -SSLv3, i.e. enable all protocols except SSLv2 and SSLv3, which are known to be vulnerable. Setting added in version 6. (Prior to version 7.02.1413403000 20141015, the default was all -SSLv2. Prior to version 7.03, TLSv1.1 and TLSv1.2 were unsupported. Prior to version 7.07, TLSv1.3 was unsupported.) Note that support for vulnerable protocols may end in some Texis versions, depending on the concurrent OpenSSL libs' support: e.g. SSLv2 is no longer supported in OpenSSL 1.1.0 and later (used in Texis version 7.06.1534958000 20180822 and later).

SSL Cipher Suite

Which SSL ciphers to use when SSL is active for the monitor web server. The syntax is the same as for the Apache SSLCipherSuite directive, which uses the OpenSSL ciphers tool syntax for ciphers. Note that support for some (e.g. vulnerable) ciphers may end in some Texis versions, depending on the concurrent OpenSSL libs' support: e.g. 40- and 56-bit ciphers are no longer supported in OpenSSL 1.1.0 and later (used in Texis version 7.06.1534958000 20180822 and later). Also, the list of ciphers classified as LOW, EXPORT etc. may change. Setting added in Texis version 7.06.1534958000 20180822.

In version 7.07 and later, an optional cipher group may be given as the first space-separated token in the setting value, to set the cipher list for that protocol group. The group may be SSL (the default) for protocols TLSv1.2 and below, or TLSv1.3 for TLSv1.3 ciphers; the cipher lists for the two groups are independent.
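An added example, not part of the Texis documentation or code, that audits the [Httpd] SSL-related settings described above (SSL Engine, SSL Protocol, SSL Cipher Suite, SSL Verify Client and Pass/EncPass): it applies the +/-/= action rules to SSL Protocol, derives the effective Port, splits the optional cipher group off SSL Cipher Suite, and reports the values the page calls vulnerable or less secure. Case-insensitive protocol names and the settings dict are assumptions.

```python
# Added example, not Texis code: audit of [Httpd] SSL settings per the rules
# documented above. The settings dict passed to audit() is constructed.

KNOWN = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
VULNERABLE = {'SSLv2', 'SSLv3'}          # the page calls these vulnerable
DEFAULT_PROTOCOL = 'all -SSLv2 -SSLv3'   # documented default since 7.02
_BY_LOWER = {p.lower(): p for p in KNOWN}  # assumption: names case-insensitive

def enabled_protocols(value=DEFAULT_PROTOCOL):
    """Apply the space-separated tokens in order: +name adds a protocol,
    -name removes it, =name or a bare name (the default action) enables
    just that protocol; 'all' stands for every protocol."""
    enabled = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[:1] in ('+', '-', '=') else ('=', tok)
        if name.lower() == 'all':
            names = set(KNOWN)
        elif name.lower() in _BY_LOWER:
            names = {_BY_LOWER[name.lower()]}
        else:
            raise ValueError('unknown SSL Protocol name: %r' % name)
        if action == '+':
            enabled |= names
        elif action == '-':
            enabled -= names
        else:
            enabled = names
    return [p for p in KNOWN if p in enabled]

def cipher_suite_group(value):
    """Split the optional leading cipher group (version 7.07+): SSL, the
    default, covers TLSv1.2 and below; TLSv1.3 covers TLSv1.3 ciphers."""
    parts = value.split(None, 1)
    if len(parts) == 2 and parts[0] in ('SSL', 'TLSv1.3'):
        return parts[0], parts[1]
    return 'SSL', value.strip()

def effective_port(cfg):
    """Port if set, else 443 when SSL Engine is on and 80 otherwise."""
    if cfg.get('Port'):
        return int(cfg['Port'])
    return 443 if cfg.get('SSL Engine', 'off') == 'on' else 80

def audit(cfg):
    """Return a list of findings for an [Httpd] settings dict."""
    findings = []
    engine = cfg.get('SSL Engine', 'off')
    if engine not in ('off', 'optional', 'on'):
        findings.append('SSL Engine must be off, optional or on, not %r' % engine)
    elif engine == 'optional':
        findings.append('SSL Engine optional: plain HTTP is accepted unless the client upgrades')
    if engine != 'off':
        weak = [p for p in enabled_protocols(cfg.get('SSL Protocol', DEFAULT_PROTOCOL))
                if p in VULNERABLE]
        if weak:
            findings.append('vulnerable protocol(s) enabled: ' + ' '.join(weak))
        group, ciphers = cipher_suite_group(cfg.get('SSL Cipher Suite', ''))
        # OpenSSL cipher-list classes the page notes as weak/changing, enabled
        # only when they appear as a bare token (not "!LOW" or "-LOW")
        if any(k in ciphers.split(':') for k in ('LOW', 'EXPORT', 'NULL', 'aNULL')):
            findings.append('%s cipher list enables weak OpenSSL classes: %s' % (group, ciphers))
    if cfg.get('SSL Verify Client') == 'optional':
        findings.append('SSL Verify Client optional: unauthenticated clients are allowed')
    if cfg.get('Pass'):
        findings.append('Pass stores the User password in plain text; use EncPass (monitor -E)')
    return findings
```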


Copyright © Thunderstone Software     Last updated: Dec 10 2018