OpenVMS Notes: Apache HTTPd

The information and software presented on this web site are intended for educational use only by OpenVMS application developers and OpenVMS system attendants.
The information and software presented on this web site are provided free of charge.
The information and software presented on this web site are presented to you as-is. I will not be held responsible in any way if the information and software presented on this web site damages your computer system, business or organization (sounds like the legal warning from a Microsoft shrink-wrap seal, eh?)
Is this text too small? You have two options:
1. hold down the CTRL key while rolling the mouse wheel (zoom-in, zoom-out)
2. use your keyboard like so:
  - hit: CTRL with "-" key to zoom smaller
  - hit: CTRL with "+" key to zoom larger
  - hit: CTRL with zero key to reset zoom

Table of Contents

Introductory Notes
Problems With CGI
CSWS/SWS Installation Tips
- Installation Tip 1 - Testing with TELNET
  - testing with HTTP 1.0
  - testing with HTTP 1.1
  - testing though a Proxy Server (just to show how it is done)
- Installation Tip 2 - ODS-5 and the system disk
- Installation Tip 3 - ODS-5 and SSL
- ODS-5 and DCL (miscellaneous info)
SWS-2.0 Woes (2004)
- new file format (STREAM_LF is now a requirement)
- intermittent CGI (only when used with TCPware-5.6-2 ???)
SWS-2.1 News (2005-11-xx)
- STREAM_LF is no longer a requirement (yippee!)
- Apache was killing my OpenVMS-7.3-2 Alpha Server (fixed: 2006-05-19)
SWS-2.2 News (2011-09-xx)
My 2012 Tweaks (2012-08-10)
- what's up with "favicon.ico"?
- forcing browsers to cache images
- don't let SSL (https) with IE kill your system
Freeing Up Disk Space
- Apache daily log rotation from a DCL script
Apache Related Links

Introductory Notes

Apache got its name by being "a patched" NCSA web server. Back in the early 1990s system managers would download the public domain NCSA web server code then apply patches to it so that it worked properly. After a period of years it made more sense to download the patched product as a complete kit, so the not-for-profit Apache Foundation was created. Apache is open source code which is the same process making LINUX so powerful and popular:
"You take the best computer people on the planet and let them collaborate in a world wide public forum (the internet) to produce a product that is better than any commercial variety"

According to this site: www.netcraft.com 65% of the web servers in the world are based upon Apache while only 15% are based upon products from Microsoft.
Compaq's port of Apache HTTPd for OpenVMS Alpha is called CSWS (Compaq Secure Web Server) which is pronounced "C-Swiss" by OpenVMS Engineers.
After HP took over (er, merged with) Compaq, CSWS was unofficially rebranded to SWS (pronounced "Swiss").
CSWS-1.3-1 is based upon Apache 1.3.26 and OpenSSL 0.9.7d
SWS-2.0 is based upon Apache 2.0.47 and OpenSSL 0.9.7d
SWS-2.1 is based upon Apache 2.0.52 and OpenSSL 0.9.7d
SWS-2.2 is based upon Apache 2.0.63 and OpenSSL 0.9.8h
CGI is an acronym which means Common Gateway Interface.
- See CGI Links at the bottom of this page
Caveat: Apache for OpenVMS only runs on Alpha or Itanium. If you're still running on VAX then you'll need one of the following:
- Purveyor from www.process.com (it is no longer on their web site but you can still buy a "no support" license)
- OSU DECthreads free from Ohio State University
- WASD free from VSM Software Services in Australia
If you are overly cautious and do not want to mess up your OpenVMS system, download Apache HTTPd for Windows and install it on your PC. Note that Microsoft's IIS (Internet Information Services) is much easier to set up and configure than Apache. However, Apache allows programmers to get out of the box (by learning) while IIS is locked down to serve the majority of Microsoft's customers.
Just like the previous example, if you are going to play with Java Server Pages (jsp) or Java Servlets, then you should download and install Apache Tomcat for Windows. This is a standalone server which normally runs on port 8080 and doesn't require Apache. Be sure to configure the Tomcat connector which allows Apache HTTPd to divert accesses to Java documents (with extensions like ".jsp") to Tomcat over a back channel.
Unfortunately, PHP is not part of any Apache release so Windows versions are available here

Problems With CGI (common gateway interface)

Although quite a bit of Apache documentation exists, info about CGI is lacking. On top of this, a few poorly documented quirks have been thrown into the OpenVMS extensions.

p.s. be careful when Googling the phrase "CGI". You might accidentally return information for www.cgi.com which happens to be the name of a computer services company headquartered in Montreal, Quebec, Canada.

CGI Tip-1 (evolution from beginner to expert)

Many older VMS programmers begin developing CGI-based web applications using this inefficient model:

Triggered by a browser event, Apache accesses a document in one of the script directories (this is usually a DCL script; ignore PHP and server-side Java for now)
The DCL script attempts to detect REQUEST_METHOD (or WWW_REQUEST_METHOD if not Apache) which should be "GET" or "POST".
If your script detected "GET" or "POST" then it calls an external program to read the CGI data which is then translated into either "DCL symbols" or "process-level logical names".

The script now runs the desired web application.

Here is an example DCL-based CGI script sitting in one of Apache's script directories:

$  set noon                              ! do not stop on errors
$  say :== write sys$output              !
$  debug = f$trnlnm("NEIL$DEBUG","LNM$SYSTEM_TABLE")
$  if (debug .eqs. "Y")                  ! if CGI debugging is desired
$  then                                  !
$    say "Status: 200"                   ! start of document header
$    say "Content-Type: text/html"       ! mime type declaration
$    say ""                              ! end of document header
$    say "<html><head></head>"           ! start of HTML
$    say "<body><pre>"                   !
$  endif
$! temps = "''WWW_REQUEST_METHOD'"       ! purveyor method
$  temps = "''REQUEST_METHOD'"           ! apache method
$  if (temps .eqs. "POST") .or.  -
      (temps .eqs. "GET")                !  
$  then                                  !
$     run csmis$exe:read_html_apache.exe ! create DCL symbols (and sets $status to 1 if ok)
$  endif                                 !
$  run csmis$exe:desired_application.exe ! this is our desired web application
$  if debug .eqs. "Y"                    !
$  then                                  !
$    say "</pre>                         !
$    say "</body></html>"                !
$  endif                                 !

In the previous example you executed one DCL script and two images. As your platform begins to serve hundreds of hits per hour, you might not want to incur this amount overhead. By moving symbol reading logic from "read_html_apache.exe" into your application, you can drop this down to one DCL script and one image like this:

$  set noon                              ! do not stop on errors
$  say :== write sys$output              !
$  debug = f$trnlnm("NEIL$DEBUG","LNM$SYSTEM_TABLE")
$  if (debug .eqs. "Y")                  ! if CGI debugging is desired
$  then                                  !
$    say "Status: 200"                   ! start of document header
$    say "Content-Type: text/html"       ! mime type declaration
$    say ""                              ! end of document header
$    say "<html><head></head>"           ! start of HTML
$    say "<body><pre>"                   !
$  endif                                 !
$  run csmis$exe:desired_application.exe ! this is our desired application
$  if debug .eqs. "Y"                    !
$  then                                  !
$    say "</pre>                         !
$    say "</body></html>"                !
$  endif                                 !

or this:

$  set noon                              ! do not stop on errors
$  run csmis$exe:desired_application.exe ! this is our desired application (must return 1)
$  rc = f$integer($STATUS)               !
$  if ((rc .and. 7) .eq. 1)              !
$  then                                  !
$    say :== write sys$output            !
$    say "Status: 500"                   ! start of document header
$    say "Content-Type: text/html"       ! mime type declaration
$    say ""                              ! end of document header
$    say "<html><head></head>"           ! start of HTML
$    say "<body><pre>"                   !
$    say "Script: 2001"                  !
$    say "error: ",rc                    !
$    say "</pre></body></html>"          !
$  endif                                 !

or this:

$ run csmis$exe:desired_application.exe  ! note: "csmis$exe" is a directory on my platform

But your ultimate goal is to run the binary application directly from a specially configured Apache directory. This can be done my enabling one, or more, directories to run executables. In the NCSA web server, some directories were enabled to run applications by default. In Apache the default settings for scripting and running applications are disabled for security reasons. You turn them on my creating/modifying <Directory> declarations in a file named APACHE$COMMON:[000000.CONF]HTTPD.CONF

CGI Tip-2 (debugging)

If you're familiar with writing CGI's for either Purveyor (Process Software Corporation) or OSU DECthreads then you'll probably recognize the "show symbol" and "show logical" lines in the following CGI script.

$  set noon                              ! do not stop on errors
$  say :== write sys$output              !
$  say "Status: 200"                     ! start of document header
$  say "Content-Type: text/html"         !
$  say ""                                ! end of document header
$  say "<html><head></head>"             ! start of HTML
$  say "<body><pre>"                     !
$  show symbol /local/all                ! show web-server process-level local symbols
$  show symbol /global/all               ! show web-server process-level global symbols 
$  show logical/proc/job                 ! show web-server job-level logical names 
$! temps = "''WWW_REQUEST_METHOD'"       x purveyor method
$  temps = "''REQUEST_METHOD'"           ! apache method
$  if (temps .eqs. "POST") .or.  -
      (temps .eqs. "GET")  
$  then
$     run csmis$exe:read_html_apache.exe ! create DCL symbols (and sets $status to 1 if ok)
$  endif
$  show symbol /local/all                ! show all process-level local symbols
$  show symbol /global/all               ! show all process-level global symbols 
$  show logical/proc/job                 ! show all job-level logical names 
$  say "</pre></body></html>"            ! end of HTML

The program just listed will not work properly with SWS because the interface has been locked down to limit hacking. This means that "$show symbol /all" statement won't display any environment variables passed to the CGI by the server. (but you will see FORM variables which were created by your application). To view server-created variables you must explicitly request them by name like this:

$ show symbol/local  SYMBOL-NAME
$ show symbol/global SYMBOL-NAME

... which means you need to know their names ahead of time. Inspect the contents of script "TEST-CGI-VMS.COM" to see what I mean. Note that this incomplete file is missing environment variables AUTH_TYPE, HTTP_COOKIE, REMOTE_USER (and probably a few more).

CGI Tip-3 (controlling the server with logical names)

Starting CSWS with "certain system-level logical names" will modify Apache's operation. Put these declarations in script sys$manager:SYSTARTUP_VMS.COM just before you invoke @sys$startup:APACHE$STARTUP.COM

Inspect APACHE$CGI_MODE in the table below. You will need to start this with setting "1" or "2" if you want to process cookies larger than 970 characters (pretty much standard fare these days). I always use "1" but needed to write a stand-alone function to detect when the symbol overflows into multi-item logicals.
I'm don't think that APACHE$SHOW_CGI_SYMBOL actually does a "wildcard show symbol" operation; it seems to run program TEST-CGI-VMS.EXE which was compiled from TEST-CGI-VMS.C which means that environment variables are probably missing from this program too.
If you're porting CGI from Purveyor to SWS, you might want to define logical APACHE$PREFIX_DCL_CGI_SYMBOLS_WWW to "YES" so that the environmental variables don't need to be changed.

This table was copied from Compaq's "V2.1-1 Installation and Configuration Guide" (more logicals were added with 2.2)

Table 3-5 User Defined Logical Names

Logical Name

Description

APACHE$BG_PIPE_BUFFER_SIZE
(New in Version 2.0)

System logical name that is used to set the socket pipe buffer size for exec functions. If this logical is not set, the default is 32767.

APACHE$CGI_BYPASS_OWNER_CHECK
(Obsolete in V2.x)

If defined to any value, this logical name causes the Secure Web Server to bypass the file owner check of the CGI script file. The default is to enforce the owner check on CGI script files for security purposes.

APACHE$CGI_MODE

System logical name that controls how CGI environment variables are defined in the executing CGI process. There are three different options. Note that only one option is available at a time.

0	Default. Environment variables are defined as local symbols and are truncated at 970 (limitable with DEC C).
1	Environment variables are defined as local symbols unless they are greater than 970 characters. If the environment value is greater than 970 characters, it is defined as a multi-item logical.
2	Environment variables are defined as logicals. If the environment value is greater than 255 characters, it is defined as a multi-item logical.

APACHE$CREATE_SYMBOLS_GLOBAL

If defined, this system logical name causes CGI environment symbols to be defined globally. They are defined locally by default.

APACHE$DAV_DBM_TYPE
(New in Version 2.0)

Used to define the desired DBM organization to use for MOD_DAV. The valid options for this logical are: GDBM, SDBM, VDBM. If this logical is not set, the default is VDBM.

APACHE$DEBUG_DCL_CGI

If defined, this system logical name enables APACHE$VERIFY_DCL_CGI and APACHE$SHOW_CGI_SYMBOL.

APACHE$DL_CASE
(New in Version 2.0)

System logical name that controls how Apache will locate shareable entry points. There are four different options. Note that only one option is available at a time.

1	Entry points are located using upper case search.
2	Entry points are located using mixed case search.
3	Default. Entry points are located using upper case search, then mixed case search.
4	Entry points are located using mixed case search, then upper case search.

APACHE$DL_FORCE_UPPERCASE
(Obsolete in Version 2.x)

If defined to be true (1, T, or Y), this system logical name forces case-sensitive dynamic image activation symbol lookups. By default, symbol lookups are first done in a case-sensitive manner and then, if failed, a second attempt is made using case-insensitive symbol lookups. This fallback behavior can be disabled with APACHE$DL_NO_UPPERCASE_FALLBACK.

APACHE$DL_NO_UPPERCASE_FALLBACK
(Obsolete in Version 2.x)

If defined to be true (1, T, or Y), this system logical name disables case-insensitive symbol name lookups whenever case-sensitive lookups fail. See APACHE$DL_FORCE_UPPERCASE

APACHE$FIXBG
(Obsolete in Version 2.x)

System executive mode logical name pointing to installed, shareable images. Not intended to be modified by the user. Replaced by APACHE$SET_CCL.EXE

APACHE$FLIP_CCL
(New in Version 2.0)

Used by APACHE$SET_CCL.EXE, which replaces APACHE$FIXBG.EXE

APACHE$INPUT

Used by CGI programs for PUT/POST methods of reading the input stream.

APACHE$MB_PIPE_BUFFER_SIZE
(New in Version 2.0)

Used to set the mailbox pipe buffer size for exec functions. If this logical is not set, the default is 4096.

APACHE$PLV_ENABLE_<username>
(Obsolete in Version 2.x)

System executive mode logical name defined during startup and used to control access to the services provided by the APACHE$PRIVILEGED image. Not intended to be modified by the user.

APACHE$PLV_LOGICAL
(Obsolete in Version 2.x)

System executive mode logical name defined during startup and used to control access to the services provided by the APACHE$PRIVILEGED image. Not intended to be modified by the user.

APACHE$PREFIX_DCL_CGI_SYMBOLS_WWW

If defined, this system logical name prefixes all CGI environment variable symbols with "WWW_". By default, no prefix is used.

APACHE$PRIVILEGED
(Obsolete in Version 2.x)

System executive mode logical name pointing to installed, shareable images. Not intended to be modified by the user.

APACHE$READDIR_NO_DOT_FILES
(New in Version 2.0)

Used to disable the simulating of dot files when processing directories. There is no default value.

APACHE$READDIR_NO_NULL_TYPE
(New in Version 2.0)

Used to disable the elimination of the null type which contains a single dot when processing directories. There is no default value.

APACHE$READDIR_NO_UNIX_OPEN
(New in Version 2.0)

Used to disable the processing of unix files when processing directories. There is no default value.

APACHE$SET_CCL
(New in Version 2.0)

Used by APACHE$SET_CCL.EXE, which replaces APACHE$FIXBG.EXE

APACHE$SHOW_CGI_SYMBOL

If defined, this system logical name provides information for troubleshooting the CGI environment by dumping all of the symbols and logicals (job/process) for a given CGI. Use with APACHE$DEBUG_DCL_CGI.

APACHE$SSL_DBM_TYPE
(New in Version 2.0)

Used to define the desired DBM organization to use for MOD_SSL. The valid options for this logical are: GDBM, SDBM, VDBM. If this logical is not set, the default is VDBM.

APACHE$SPL_DISABLED
(New in Version 2.0)

Used to determine whether Shared Process Logging is to be disabled. There is no default value.

APACHE$SPL_MAX_BUFFERS
(New in Version 2.0)

Used to determine the maximum buffer quota for each Shared Process Logging mailbox. If this logical is not set, the default is 10.

APACHE$SPL_MAX_MESSAGE
(New in Version 2.0)

Used to determine the maximum message size for each Shared Process Logging mailbox. If this logical is not set, the default is 1024.

APACHE$SPL_FLUSH_INTERVAL
(New in Version 2.0)

Used to determine the maximum message count per Shared Process Logging file before data is flushed to disk. If this logical is not set, the default is 256.

APACHE$USE_CUSTOM_STAT
(New in Version 2.0)

System logical name that is used to indicate that the custom apache stat function should be used rather than the run-time stat function.

APACHE$USER_HOME_PATH_UPPERCASE
(Obsolete in Version 2.x)

If defined to be true (1, T, or Y), this system logical name uppercases device and directory components for user home directories when matching pathnames in <DIRECTORY> containers. This provides backward compatibility for sites that specify these components in uppercase within <DIRECTORY> containers. See the UserDir directive in Modules and Directives section for more information.

APACHE$VERIFY_DCL_CGI

If defined, this system logical name provides information for troubleshooting DCL command procedure CGIs by forcing a SET VERIFY before executing any DCL CGI. Use with APACHE$DEBUG_DCL_CGI.

CGI Tip-4 (authorization problems)

I was recently working on an SWS application for my employer to do the following:

upon accessing a given web page, prompt the user for a username and password and then validate it against SYSUAF in OpenVMS
display the web page, allowing the user to fill out a form
upon clicking submit we would run a DCL script to:
1. determine the REQUEST_METHOD
2. determine the USERNAME previously entered
3. run a VMS-BASIC program to handle the request and respond with some HTML

First off, I enabled these two lines in HTTPD.CONF

LoadModule auth_module modules/mod_auth.exe
LoadModule auth_openvms_module modules/mod_auth_openvms.exe

...then restarted the server. Everything seemed to work as expected except that I couldn't get any USERNAME info to show up in the DCL script. Furthermore, the DCL version of CGI debugging script "TEST-CGI-VMS.COM" seems to be missing some environmental variables like REMOTE_USER. To make matters worse, the otherwise excellent book "OpenVMS with Apache, OSU, and WASD" states that variable HTTP_AUTHORIZATION should be available in all servers including SWS.

(I was looking for this environmental as a sign that the base64 encoded username and password were making it through to my CGI; I have since discovered that neither SWS nor "Apache on UNIX" ever passed HTTP_AUTHORIZATION to a CGI program).

CGI Tip-4 (preparing for authorization)

According to some helpful folks at Compaq (now HP), in order to get authorization information like REMOTE_USER transferred to the CGI you must do the following:

Add the "AuthAuthoritative On" directive to the ".HTACCESS" file which protects the directory containing the protected files (web pages and/or scripts)
Since both the document directory and scripts directory require identical authentication data, copy the document ".HTACCESS" file to the scripts directory which will contain the CGI program requiring authentication info (this meant creating a "protected_scripts" directory because we have other CGI programs which do not require authentication).

Modify file APACHE$COMMON:[000000.CONF]HTTPD.CONF using either the "AllowOverride AuthConf" or "AllowOverride All" for both the document directory and protected scripts directory. Failure to do this means that many "Auth" directives in ".HTACESS" will be ignored by the server but "AuthOpenVMSUser" and "AuthOpenVMSAuthoritative" aren't affected so invoking a username and password dialog doesn't mean that everything is working.

ServerRoot "/apache$root"
DocumentRoot "/apache$common/main"
LoadModule auth_openvms_module /apache$common/modules/mod_auth_openvms.exe_alpha

ScriptAlias /cgi-bin/ "/apache$root/cgi-bin/"
ScriptAlias /scripts/ "/apache$root/scripts/"
ScriptAlias /bell_private_scripts/ "/apache$root/bell_private_scripts/"
ScriptAlias /ics_private_scripts/ "/apache$root/ics_private_scripts/"

Alias /bell_private/ "/apache$root/bell_private/"
<Directory "/apache$root/bell_private">
    Options FollowSymLinks
    AllowOverride All         <-- enable .HTACCESS (this red remark should not be in your file)
    Order allow,deny
    Allow from all
</Directory>

Alias /ics_private/ "/apache$root/ics_private/"
<Directory "/apache$root/ics_private">
    Options Indexes FollowSymLinks Multiviews
    AllowOverride All         <-- enable .HTACCESS (this red remark should not be in your file)
    Order allow,deny
    Allow from all
</Directory>

<Directory "/apache$root/bell_private_scripts">
    AllowOverride AuthConfig  <-- enable .HTACCESS (this red remark should not be in your file)
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

<Directory "/apache$root/ics_private_scripts">
    AllowOverride AuthConfig  <-- enable .HTACCESS (this red remark should not be in your file)
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

File ".HTACCESS" after modification
1. you can have different files in different directories
2. since the file name begins with a period, it will not appear in any "file-view" in a browser)
```
AuthType Basic
AuthAuthoritative On
AuthName "ICSIS Bell-ATS Authentication"
AuthOpenVMSUser On
AuthOpenVMSAuthoritative On
require valid-user
```

Apache 2.0 Update: For security and performance reasons, Apache 2.0 documentation recommends that you place these directives between <Directory> statements in APACHE$COMMON:[000000.CONF]HTTPD.CONF rather than using ".HTACCESS" files. Click here for more details.

#
ScriptAlias /cgi-bin/                   "/apache$documents/cgi-bin/"             <-- enable scripting
ScriptAlias /scripts/                   "/apache$documents/scripts/"             <-- enable scripting  
ScriptAlias /ics_private_scripts/       "/apache$documents/ics_private_scripts/" <-- enable scripting 
#
<Directory "/apache$documents/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
#
<Directory "/apache$documents/scripts">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
#
<Directory "/apache$documents/ics_private_scripts">
    AllowOverride AuthConfig   <-- enable authorization (this red remark should not be in your file)
    Options None
    Order allow,deny
    Allow from all
</Directory>
#

CGI Tip-5 (dealing with large uploads)

Most form data sent to Apache will be less than or equal to 32,767 bytes. But if you are supporting file-upload like so:

<form method="post" enctype="multipart/form-data" action="/scripts/upload_test_neil">
  <input type="text"   name="textline">
  <input type="file"   name="datafile">
  <input type="submit" name="Send">
</form>

...then you might experience uploads larger than 32,767 bytes. Okay so what's the big deal? Well, if your CGI program was written in "C" then it would be no big deal to read Apache symbol "CONTENT_LENGTH" then malloc that amount (if you have enough memory). Next, you would call fopen(fname,"rb") then read the whole amount all in one operation.

This is not possible if your CGI program was written in BASIC since that language limits strings to a maximum size of 32,767. This means you would need to do multiple reads until you have extracted CONTENT_LENGTH bytes.

Caveat: I am currently (2010-05-30) working on a better CGI program which will properly deal with form data larger than 32k and will post the solution soon. As always, it will be available free-of-charge. The solution will be written in HP BASIC for OpenVMS but I will also post some working stubs written in "C".

CGI Related Links:

Purveyor Programmer's Guide - CGI - The Common Gateway Interface
- http://vms.process.com/~help/helpapicgi.html
which includes two example programs written in "C". This no-nonsense introduction to CGI should be your first choice to learning this topic. Over the years you will find that coming back to this page is all you will ever need.
http://httpd.apache.org/docs-2.0/howto/cgi.html for an introduction at Apache.org
CGI @ Wikipedia
FastCGI @ Wikipedia
FastCGI for OpenVMS
FastCGI Home (original UNIX sources in: C, C++, Java, etc.)
http://www.faqs.org/faqs/www/cgi-faq/ FAQ: Frequently Asked Questions about CGI Programming
http://www.faqs.org/rfcs/rfc3875.html RFC3875 - The Common Gateway Interface (CGI) Version 1.1
download a CGI program (written in BASIC) which can be used to sit between Apache and your application. Note that the name of all HTML form objects will be prefixed with the string "FORM_FLD_" before being converted to DCL symbols.
download a quick hack demo program (written in HP BASIC for OpenVMS) which shows how to extract information from a web page submitted to Apache for OpenVMS (SWS) using CGI (Common Gateway Interface). This program can run in four different modes:
    1. CRT (green screen)
    2. WEB=HTTP: GET
    3. WEB=HTTP: POST
    4. WEB=HTTP: GET + POST.
It also shows how to submit HTML forms and open a JavaScript pop-up window. There is also a small amount of RMS demo code to show how to interface it to the WEB.

CSWS/SWS Installation Tips

Installation Tip #1 (using TELNET to test a new installation)

Testing with HEAD

Telnet www.bellics.net 80					<<<--- type this then hit <enter>
HEAD / HTTP/1.0							<<<--- type this then hit <enter>
								<<<--- hit <enter> (a blank line to end the MIME block)
HTTP/1.1 200 OK							<<<--- start of the HTML response header
Date: Mon, 08 Jun 2009 20:17:47 GMT				<<<--- server's current time stamp
Server: Apache/2.0.52 (OpenVMS) mod_ssl/2.0.52 OpenSSL/0.9.7d	<<<--- web server flavor and version; ssl version
Last-Modified: Thu, 13 Aug 2009 16:59:51 GMT			<<<--- web page time stamp (for receiver's caching logic)
Accept-Ranges: bytes						<<<--- server accepts "bytes"
Connection: close						<<<--- one request and one response
Content-Type: text/html						<<<--- the following document is HTML formatted
								<<<--- notice the blank line to end the MIME block

Testing with "GET and HTTP 1.0" (simpler than HTTP 1.1)

Telnet www.bellics.net 80					<<<--- type this then hit <enter>
GET / HTTP/1.0							<<<--- type this then hit <enter>
								<<<--- hit <enter> (a blank line to end the MIME block)
HTTP/1.1 200 OK							<<<--- start of the HTML response header
Date: Mon, 08 Jun 2009 20:17:47 GMT                     	<<<--- server's current time stamp
Server: Apache/2.0.52 (OpenVMS) mod_ssl/2.0.52 OpenSSL/0.9.7d	<<<--- web server flavor and version; ssl version
Last-Modified: Thu, 13 Aug 2009 16:59:51 GMT			<<<--- web page time stamp (for receiver's caching logic)
Accept-Ranges: bytes						<<<--- server accepts "bytes"
Content-Length: 982 bytes					<<<--- the HTML content block is 982 bytes
Connection: close						<<<--- one request and one response
Content-Type: text/html						<<<--- the following document is HTML formatted
								<<<--- notice the blank line to end the MIME block
<html>								<<<--- start of HTML content (the web page)
<head>
<title>Integrated Convergence Support Information System</title>

Command Notes:

line 1	telnet to "www.bellics.net" using TCP/IP port 80 (telnet defaults to port 23)
line 2	GET will pull back the whole web page; use HEAD or OPTIONS to only pull back server data
	"/" requests the server's default document found in the root directory; you could have also entered something like: "/default.htm" or "/login.html" or "/scripts/whatever"
	HTTP/1.0 indicates we do not want a persistent connection etc. (keep things really simple in this demo)
line 3	a blank line indicates the end of the sender's HTML request block

Response Notes:

line 1	HTTP/1.1	I am able to support HTTP version 1.1 (persistent connections, etc.)
	200 OK	HTTP status message indicating that everything went as planned
line 2	Date ...	server's current date + time usually in international format
line 3	Server ...	Server software and installed security modules
line 4	Last-Modified	last modified date of the file I am sending you (for your cache)

Testing with "GET and HTTP 1.1"

Telnet www.bellics.net 80					<<<--- type this then hit <enter>
GET / HTTP/1.1							<<<--- type this then hit <enter>
host: www.bellics.net						<<<--- mandatory with HTTP/1.1
content-type: text/html						<<<--- optional: says "I can process HTML documents"
connection: close						<<<--- optional: return a page then close (do not persist)
								<<<--- hit <enter> (a blank line to end the MIME block)
HTTP/1.1 200 OK							<<<--- start of the HTML response header
Date: Mon, 08 Jun 2009 20:17:47 GMT                     	<<<--- server's current time stamp
Server: Apache/2.0.52 (OpenVMS) mod_ssl/2.0.52 OpenSSL/0.9.7d	<<<--- web server flavor and version; ssl version
Last-Modified: Thu, 13 Aug 2009 16:59:51 GMT            	<<<--- web page time stamp (for receiver's caching logic)
Accept-Ranges: bytes						<<<--- server accepts "bytes"
Content-Length: 982 bytes					<<<--- the HTML content block is 982 bytes
Connection: close						<<<--- one request and one response
Content-Type: text/html						<<<--- the following document is HTML formatted
								<<<--- notice the blank line to end the MIME block
<html>								<<<--- start of HTML content (the web page)
<head>
<title>Integrated Convergence Support Information System</title>

Testing through a proxy server (just to show how it is done)

Caveats:

a proxy server is a device employed by large enterprises to protect an intranet from an extranet (the real world internet).
a proxy server is not the same as a router/firewall appliance which usually employs NAT (network address translation)

<ur>	Telnet 192.168.210.220 80						!connect to proxy server on port 80
<sr>	%TCPWARE_TELNET-I-TRYING, trying concealed.ca,http (192.168.210.220,80) ...
	%TCPWARE_TELNET-I-ESCCHR, escape (attention) 
		character is "^\"
<ur>	CONNECT www.bellics.com:80 HTTP/1.1					! connect to node on port 80 using HTTP/1.1
										! blank line ends MIME block
<sr>	HTTP/1.1 200 Connection established					! proxy has connected
<ur>	GET / HTTP/1.1								!
	host: www.bellics.com							!
	content-type: text/html							!
	connection: close							!
										! blank line ends MIME block
<sr>	HTTP/1.1 200 OK
	Date: Mon, 08 Jun 2009 20:17:47 GMT
	Server: Apache/2.0.52 (OpenVMS) mod_ssl/2.0.52 OpenSSL/0.9.7d
	Last-Modified: Thu, 13 Aug 2009 16:59:51 GMT
	Accept-Ranges: bytes
	Content-Length: 982 bytes
	Connection: close
	Content-Type: text/html
	
	<html>
	<head>
	<title>Integrated Convergence Support Information System</title>

Installation Tip #2 (ODS-5 and the system disk)

SWS (a.k.a. Apache HTTPd) must be installed on an ODS-5 formatted disk because some filenames include multiple dots
non-system disks support ODS-5 starting with OpenVMS-7.2
the system disk also supports ODS-5 starting with OpenVMS-7.3-1
using "$PRODUCT INSTALL" without any options will place Apache files under SYS$COMMON (on your system disk by default)
I need to reserve free space on my system disk to install patches so have installed Apache on one of my user disks. To do this just execute the install command like so:
```
$PRODUCT INSTALL /destination=disk$user1:[000000]
```
do yourself a favor by using the same command to install Tomcat (although I still installed JAVA into SYS$COMMON)

Installation Tip #3 (ODS-5 + SSL)

Compaq states that an ODS-5 volume is not required for a non-JAVA installation of SWS, but I've found that the online documentation for "mod ssl User" will be corrupt due to the presence of filenames with multiple dots (which is supported in the optional ODS-5 but not the standard ODS-2). What's worse is that you won't see any error messages during installation to an ODS-2 disk. Because I thought that other things could have become compromised, I decided to only install to ODS-5 volumes.

ODS-5 and DCL

This paragraph has nothing to do with the web servers but I decided to mention it here anyway. If you've enabled ODS-5 then you might notice a few strange changes:

If a file is created by an application program written in a high level language (e.g. BASIC, C, C++, etc.) and the file name was defined using lower case characters, and the file doesn't yet exist, then when the file is created you will see a lower case name in the associated directory. If the file already exists, a new file of the same name and location will match the case of the original file.

This DCL command (in effect by default) will make your interactive session work the ODS-2 way on an ODS-5 system.

$set proc/parse_style=traditional/case_lookup=blind

This command will allow you to make your process case-sensitive (so you can rename a file changing its case):

$set proc/parse_style=extended/case_lookup=sensitive

CAVEAT: If your system has been running for years in case-blind mode, then it would be a real bad idea to place this case-sensitive entry into system file "SYS$MANAGER:SYLOGIN.COM". However, it is a completely different situation if your system is new AND all users will be running in case-sensitive mode. Consult HP OpenVMS System Manager's Manual, Volume 1: Essentials before you make any changes affecting more than one account. I have encountered situations were a user couldn't even log off.

SWS-2.0 Woes (2003)

New "Served" File Format

HP released SWS-2.0 (which is based upon Apache 2.0.47) in December of 2003. One shocking change is that all served up web pages (text files) must be first converted to STREAM_LF before they can be used. There were several reasons given in newsgroup: comp.os.vms (and archived here http://groups.google.ca/group/comp.os.vms/ ) which included:

more efficient server operation (since the server wouldn't need to convert from RMS text records to stream in real time)
easier to compute byte count when doing stream/chunk operations (all I/O is now filtered in Apache-2.x)
less work for HP when porting Apache releases to OpenVMS

IMHO, they should have created an Apache plug-in (mod_rms ?) to allow backward compatibility when desired. A good work around for this restriction involves setting up PHP to pickup and process unconverted HTML files.

SWS-2.0 CGI operation appears Intermittent

Caveat: the following problem turned out to be only seen with the TCPware stack (from Process Software) which is now fixed. These notes may be of value for similar problems with other TCP/IP stacks.

A second annoying problem is related to intermittent CGI operation where not all dynamic content gets to your browser.

Here is how it fails on my lab system:

I created an OpenVMS-BASIC application whose only purpose in life it to send back the following response (after being run from a DCL script stored in directory [.cgi-bin]):

Status: 200
Content-Type: text/html

<HTML><HEAD></HEAD><BODY><pre>
0001 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
0002 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
     ...996 more lines go here...
0999 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
1000 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
</pre></BODY></HTML>

which is approximately 100K bytes in size (100 char x 1000 lines ). BTW, this works 100% of the time with CSWS-1.3

after I do a cold restart of the server, I execute the CGI repeatedly until I see less than 1000 lines in my browser. This can vary between 4 and 8 attempts. (BTW, I am the only person using the server)
as soon as I see the missing data, I do a graceful restart of the server to flush the log buffers to disk

inspecting the error log reveals that I've got as many errors as I had attempts (rather than just seeing one as I originally expected). The Apache error log usually looks like this:

[Sat Jul 10 16:07:21 2004] [error] [client 142.180.39.24] (00000870)end of file: Error string not specified yet:
   ap_content_length_filter: apr_bucket_read() failed, referer: http://142.180.39.98/neil.html
[Sat Jul 10 16:07:47 2004] [error] [client 142.180.39.24] (00000870)end of file: Error string not specified yet:
   ap_content_length_filter: apr_bucket_read() failed, referer: http://142.180.39.98/neil.html
[Sat Jul 10 16:07:51 2004] [error] [client 142.180.39.24] (00000870)end of file: Error string not specified yet:
   ap_content_length_filter: apr_bucket_read() failed, referer: http://142.180.39.98/neil.html
[Sat Jul 10 16:07:56 2004] [error] [client 142.180.39.24] (00000870)end of file: Error string not specified yet:
   ap_content_length_filter: apr_bucket_read() failed, referer: http://142.180.39.98/neil.html
[Sat Jul 10 16:07:58 2004] [error] [client 142.180.39.24] (00000870)end of file: Error string not specified yet:
   ap_content_length_filter: apr_bucket_read() failed, referer: http://142.180.39.98/neil.html
[Sat Jul 10 16:08:06 2004] [notice] Graceful restart requested, doing restart
[Sat Jul 10 16:08:09 2004] [notice] Apache/2.0.47 (OpenVMS) mod_jk2/2.0.3-dev configured -- resuming normal 
   operations

Since this looks like a dynamic content problem, I installed Perl (via mod_perl) and Java (via mod_jk2) which both work properly
I removed the DCL program that starts the BASIC app and now run the BASIC app directly from directory [.cgi-bin] but the problem still persists.
I've tried every incantation of "RemoveOutputFilter" in file "HTTPD.CONF" but have not been able to find a way to stop content length filtering of dynamic HTML. I've also tweaked KeepAlive has well as most other parameters.
the following link may shed some light on my problem:
http://hypermail.linklord.com/new-httpd.old/2002/Aug/0374.html
According to the change logs at www.apache.org there have been numerous fixes between Apache 2.0.47 (used by SWS-2.0) and Apache 2.0.50 (latest UNIX/Windows release).

The following links may shed more light on the subject.

http://hypermail.linklord.com/new-httpd.old/2002/Aug/0374.html (output problem described)

http://forums.devshed.com/archive/t-137905 (input problem described)

http://httpd.apache.org/docs-2.0/filter.html (Apache Documentation)

http://www.onlamp.com/pub/a/apache/2001/08/23/apache_2.html (writing Apache filters)

Update 2004-07-14:

By this time I had added all the recommended patches to OpenVMS-7.3-1 and TCPware-5.6-2
DCL programs running HP-BASIC and HP-C apps still failed intermittently in the browser (they failed 100% as far as the error log was concerned)
HP-BASIC and HP-C apps still failed intermittently when run directly from [.CGI-BIN] rather than being called from an intermediate DCL script (they failed 100% as far as the error log was concerned)
DCL-only programs failed intermittently (they failed 100% as far as the error log was concerned)
Since my problem appeared to only affect dynamic content, I installed Perl and Java into SWS-2.0 for further tests
- Perl (connected to Apache via mod_perl) works properly 100%
- Java (connected to Apache via mod_jk2) works properly 100%
As a last resort, I removed "TCPware-5.6-2" and replaced it with "TCPIP Services for OpenVMS" and now the problem problem disappeared.
- I've logged a "support request" with Process Software Corporation and I'll update this web page with more info when the problem is fixed
- Note: Our applications make extensive use of the Telnet and FTP APIs in TCPware so dropping Process Software as a vendor is not an option.

Update 2004-08-23:

Great news! I've just successfully tested Process Software Corporation's fix in ECO "DRIVERS_V562P050" which should be made public any time now.

SWS-2.1 (Apache 2.0.52 and OpenSSL 0.9.7d)

on 2005-11-xx HP released SWS-2.1 which is based upon Apache 2.0.52
served-up files no longer need to be saved in STREAM_LF format (yippee!) but make sure to add the following directives to both of these files "HTTPD.CONF" and "SSL.CONF"
```
 	EnableMMAP Off
	DefaultType text/plain
```
OpenVMS-7.3-2 is the lowest supported version
- If you are using TCPware and want to upgrade the OS to this level, you'll should also upgrade to TCPware-5.7-2 which was also released 2005-11-xx

Apache was killing my OpenVMS-7.3-2 System (fixed: 2006-05-19)

Our two-CPU AlphaServer-DS20e system ran flawless for three years until its first hang in 2005-12-xx. Two weeks earlier we made the following four changes to our production system after similar changes had been made weeks earlier to our development system:
- updated the OS from OpenVMS-7.3-1 to OpenVMS-7.3-2 (then installed consolidated patch V0500)
- updated the stack from TCPware-5.6-2 to TCPware-5.7-2
- updated the Apache web server from CSWS-1.3 to SWS-2.1
- updated main memory from 2 GB to 3 GB (which immediately affects the extended file cache - XFC)
side note: One of the things OpenVMS-7.3-2 does is provide a speedup for SMP systems and our system did see a noticeable speedup.
- previously many internal OpenVMS processes would erroneously serialize on a single internal lock called IORESULT8. So by increasing lock granularity, SMP systems can do more work in a shorter period of time. However, like a thoroughbred horse race, everything has to work perfectly.
- Many people outside of HP thought OpenVMS Engineering would have gotten more press about this speedup if they had released 7.3-2 as OpenVMS-7.4. But some software shops require qualification testing with every major or minor release so it was decided to publish this as a dash release.
After the update on 2005-11-xx our system would intermittently hang every two to three weeks (on average).
In 2006-01-xx we did the following:
- swapped all memory with another machine
- swapped all CPUs with another machine
- reseated all three power supply modules
- installed patch: XFC-0V200
Our intermittent problem went on for a month until we realized the difference between a CRASH and a HANG, and in the case of the latter, you needed to halt the system then type "CRASH" at the console prompt to produce a dump for analysis. There was never any entries in our system error log
After two more months we had accumulated four more dumps and used $ANALYZE/CRASH to inspect them, We noticed that they always contained:
- many APACHE tasks
- all Apache tasks were all sitting at priority 8, 9 or 10
- two or more Apache tasks were computable and/or current
side note: if you've got a serial terminal connected to the console port, you'll probably type "CTRL-P" then "H" to halt the system. On an SMP system you've only stopped CPU-00 and will probably receive the following message
"bugcheck 774 (CPUSANITY, CPU sanity timer expired)"
from one of the other CPUs. Ignore this message because it is caused by you when you stopped CPU-00. This error message is only relevant if it was "seen on the console" or "written to the error log" while the system was running.
HP recommends that SMP systems be halted using the HALT button on the front of the processor
It turned out that Apache was running at too high a priority, and this was caused by the following (possible) 20 year old change in our version of the system startup script "SYSTARTUP_VMS.COM"
```
$ set proc/prior=8
```
and that this didn't cause a problem until we upgraded from OpenVMS-7.3-1 (Clydesdale) to OpenVMS-7.3-2 (Thoroughbred). No one remembers why this line was placed here, but assume it was necessary on VAX so that the STARTUP process would not become bogged down trying to compete with the tasks it was starting.
So the bottom line is that Apache currently takes on the running priority of the starting process.
The good folks at HP have just (2006-05-11) told me that this is a bug and that Apache should be using the base priority set in the Apache account defined in SYSUAF.DAT

SWS-2.2 (based upon Apache 2.0.63 and OpenSSL 0.9.8h)

HPQ says this is only a maintenance release but I wanted it anyway. Why?

Despite everything you have read or have been told, there are two SSL engines in your OpenVMS system
- One SSL engine is baked-into Apache (if you have it installed)
  - cert tool: APACHE$COMMON:[000000]APACHE$CERT_TOOL.COM
- One SSL engine is a standalone product (comes preinstalled starting with OpenVMS-8.2)
  - cert tool: @ssl$com:SSL$CERT_TOOL.COM
- Proof: If you uninstall the standalone product then reboot, your Apache webserver will still be able to process HTTPS transactions
SSL support in SWS-2.1 (OpenSSL 0.9.7d) is closer to HP-OpenSSL-1.3 (OpenSSL 0.9.7e)
SSL support in SWS-2.2 (OpenSSL 0.9.8o) is closer to HP-OpenSSL-1.4 (OpenSSL 0.9.8h) which was preinstalled in my OpenVMS-8.4 system
Before the Apache upgrade, my gSOAP service (which runs under Apache) used an older version of OpenSSL than my gSOAP client (which doesn't run under Apache and so is linked against libraries associated with HP-OpenSSL-1.4)
After the Apache upgrade, my SOAP SERVICE and SOAP CLIENT are much closer together (encryption-wise)
The SSL differences didn't cause any reported problems. We were just being overly cautious with traffic moving between two large corporations.
It was also important to us that both SSL engines used the same security certificates.
- OpenVMS system admins will find various SSL components (certificates, scripts, etc.) in numerous locations including:
  - under APACHE$COMMON:[OPENSSL]
  - under APACHE$COMMON:[000000.CONF] on very old systems even those which have been upgraded
  - under SSL$ROOT:[000000]
  - under SSL$EXAMPLES
- Do yourself a favor by creating a folder called SYS$SYSDEVICE:[CERTIFICATES] then moving your production certificates there. That way, anyone playing with certificate tools will not accidentally clobber production certificates.
- Visit OpenVMS Notes: OpenSSL (both Apache and standalone)

My 2012 Tweaks

What's up with favicon.ico

Analyzing Apache error log files will show a huge number of references to a missing file named favicon.ico

Originally, favicon.ico was only requested when someone bookmarked anything at your website. It's only purpose was to place a tiny graphic before your URL on their bookmark menu (and sometimes in the browser's navigation textbox).
Today it seems that favicon.ico is also used to place a little graphic before the title on the tab (of tab-enabled browsers) which means it will be requested on every page access if not already in the browser's cache)
Some sites only provide favicon.ico for the default documents directory while others provide it for every directory
Some sites like this one: http://www.favicon.cc/ will help you to generate this special 16x16 pixel x 16 colour file
Be sure to add the following line to Apache's config file (httpd.conf) otherwise favicon.ico will be sent out as text/plain which has been known to slow ssl connections (happens during https)
```
#
# file: [.conf]httpd.conf
#

{ ...snip... }

# need this next line for favicon.ico (NSR - 2012-08-09)
#
AddType image/x-icon .ico
```

Forcing browsers to cache image files (which don't change very often)

We've got some AJAX code running and noticed that certain apps are continually (every minute) pulling back three little gifs. What is worse is that these gifs are sent over the encrypted channel (which adds additional overhead) and the problem is multiplied by the fact that ~100 employees are using the app at the same time. You can't control how a user sets up his browser "cache-wise", but this little tweak has stopped the problem on my system:

#
# file: [.conf]httpd.conf
#

{ ...snip... }

LoadModule expires_module	modules/mod_expires.exe
LoadModule headers_module	modules/mod_headers.exe

{ ...snip... }

#----------------------------------------------------------
#	attempt to control the gifs constantly sent ajax
#
# note:	'Expires' requires mod_expire (see Loadmodule above)
#	'Header' requires mod_headers (see Loadmodule above)
#
<filesMatch "\.(ico|gif|jpg|png)$">
	ExpiresActive On
	ExpiresDefault "access plus 1 month"
	Header append Cache-Control "public"
#---------------------------------------------------------
# This next delay is for 4 weeks: (60x60x24x28)
#	Header set Cache-Control "max-age=2419200, public"
#---------------------------------------------------------
</filesMatch>

{ ...snip... }

Don't let SSL and IE kill your system

#
# file: [.conf]ssl.conf
#

{ ...snip... }

#
#	this old Apache declaration is no long 100% true (why treat all IE browsers badly?)
#
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
#
#	experimental hack to speed up SSL for IE users - NSR (2012-08-13)
#
#BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
#BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
#
#	experimental hack to speed up SSL for IE users - NSR (2012-08-14)
#
#	note:	"MSIE 1" (above) didn't support SSL so it is superfluous
#       	Meanwhile, "MSIE 1" probably break MSIE 10 when it finally appears)
#
BrowserMatch ".*MSIE [2-5].*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Freeing Up Disk Space

<sr>	$
<ur>	sh time
<sr>	27-NOV-2005 20:52:11
	$ 
<ur>	dir [...]*.*/siz=all/date/sel=siz=min=10000
<sr>	Directory APACHE$COMMON:[000000.SPECIFIC.KAWC15.LOGS]

	ACCESS_LOG.;1        1061068/1061095  16-SEP-2003 19:48:46.00
	ERROR_LOG.;1          455636/455700   16-SEP-2003 19:48:44.50
	SSL_ENGINE_LOG.;1     238230/238280   16-SEP-2003 19:48:44.56

	$
<ur>	del APACHE$COMMON:[000000.SPECIFIC.KAWC15.LOGS]*_log*.*;*

Notes:

These files grow forever. I have not been able to get UNIX-style "Apache log rotation" working on OpenVMS so so it is probably a good idea to stop the server every month to delete the files.

this might be a better method (you do not need to stop the server)

start by creating 31 subdirectories named [.log01] to [.log31]

run a batch job every night (perhaps at 00:00:01 AM) to do the following:

rename the files into the desired subdirectory

now execute these commands

$ set def sys$common:[000000.specific.www.logs]	!
$ ren *_log*.* [.log31]				! okay to do this while files are open
$ @APACHE$COMMON:[000000]APACHE$SETUP		! create some symbols
$ httpd -k flush				! tell Apache to flush the logs to disk
$ httpd -k new					! tell Apache to close current file then open new ones

or you could just use this automated DCL script <<<---***