Forum OpenACS Q&A: Response to Secure Vs. Insecure locations
Posted by
Richard Hamilton
on 10/30/02 08:45 PM
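#
# AOLserver/OpenNSD Configuration File
#
# richard_s.hamilton@virgin.net
#
# Tcl script read by nsd at startup. The "set" variables in the general
# section derive every path, hostname and port used further down; each
# ns_section/ns_param pair registers one setting for the module named in
# the banner above it.
#
#########################
# General Configuration #
#########################

# Instance name: used to derive the hostname, pageroot, Tcl library, SSL
# file locations, log file name and the PostgreSQL database name below.
set server "server"
set servername "openacs"
ns_log notice "${server}.tcl: Starting to read config file..."
set httpport 8000
set httpsport 8443
set hostname www.${server}.com
set address 192.168.100.2
set homedir [file dirname [ns_info config]]
set bindir [file dirname [ns_info nsd]]
set pageroot /web/${server}/www
set directoryfile index.tcl,index.adp,index.html,index.htm
set ext [info sharedlibextension]
# SSL material; nsssl is only loaded when key.pem and cert.pem exist (see
# the modules section).
set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/key.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/cert.pem
set sslcacertfile ${homedir}/servers/${server}/modules/nsopenssl/ca/cacert.pem
# PostgreSQL credential shared by the three db pools below (was repeated
# per pool; one place to change it now).
# NOTE(review): this value is plaintext and was posted in a public forum
# thread, so treat it as exposed: rotate it in PostgreSQL and keep this
# file readable only by the account nsd runs as.
set dbpassword "castledb430"
#set nscp_port 9999
#set nscp_addr 127.0.0.1
#set nscp_user ""
#set nscp_user "nsadmin:t2GqvvaiIUbF2:" ;# sample user="nsadmin", pw="x".

############################
# Global server parameters #
############################
ns_section "ns/parameters"
ns_param home $homedir
ns_param debug false
# ns_param MailHost localhost
ns_param ServerLog ${homedir}/log/${server}.log
# ns_param LogRoll on

########################################
# Thread library (nsthread) parameters #
########################################
ns_section "ns/threads"
ns_param mutexmeter true ;# measure lock contention
ns_param stacksize [expr 256*1024] ;# Per-thread stack size for hungry C modules

##############
# MIME types #
##############
ns_section "ns/mimetypes"
ns_param default "*/*" ;# MIME type for unknown extension
ns_param noextension "*/*" ;# MIME type for missing extension
# ns_param ".xls" "application/vnd.ms-excel"

##############################
# Server-level configuration #
##############################
ns_section "ns/servers"
ns_param $server $servername

#####################
# Server parameters #
#####################
ns_section "ns/server/${server}"
ns_param directoryfile $directoryfile
ns_param pageroot $pageroot
ns_param maxconnections 50
ns_param maxdropped 0
ns_param maxthreads 50
ns_param minthreads 5
ns_param threadtimeout 120
ns_param globalstats false ;# Enable built-in statistics
ns_param urlstats false ;# Enable URL statistics
ns_param maxurlstats 1000 ;# Max number of URL's to do stats on
# Static pages served for each error class.
ns_param NotFoundResponse ${pageroot}/global/www/file-not-found.html
ns_param ServerBusyResponse ${pageroot}/global/www/busy.html
ns_param ServerInternalErrorResponse ${pageroot}/global/www/error.html
ns_param ForbiddenResponse ${pageroot}/global/www/forbidden.html
ns_param UnauthorizedResponse ${pageroot}/global/www/unauthorized.html

#####################
# Tcl Configuration #
#####################
ns_section "ns/server/${server}/tcl"
ns_param autoclose "on"
ns_param debug "false"
#ns_param library "/usr/local/aolserver/modules/tcl"
ns_param library "/web/${server}/tcl"

######################
# Directory listings #
######################
# use an ADP or a Tcl proc to generate them.
#ns_param directoryadp $pageroot/dirlist.adp ;# Choose one or the other
#ns_param directoryproc _ns_dirlist ;# ...but not both!
# NOTE(review): no new ns_section precedes these lines, so they register
# under ns/server/${server}/tcl. The stock AOLserver sample config keeps
# the directory-listing settings under ns/server/${server}; confirm which
# section nsd reads, otherwise this setting is silently ignored. A
# browsable index exposes every file name in the tree, so decide
# deliberately whether it should be on for this site.
ns_param directorylisting fancy ;# Can be simple or fancy

##############################################
# ADP (AOLserver Dynamic Page) configuration #
##############################################
ns_section "ns/server/${server}/adp"
ns_param map "/*.adp" ;# Extensions to parse as ADP's
#ns_param map "/*.html" ;# Any extension can be mapped
ns_param enableexpire false ;# Set "Expires: now" on all ADP's
ns_param enabledebug false ;# Allow Tclpro debugging with "?debug"
ns_param defaultparser fancy
# ADP special pages
#ns_param errorpage ${pageroot}/errorpage.adp ;# Pretty-print ADP scripting errors

###################################
# ADP custom parsers -- see adp.c #
###################################
ns_section "ns/server/${server}/adp/parsers"
ns_param fancy ".adp"

###################
# Modules to load #
###################
# Note that nsssl loads only if requisite files already exist (see top of this file).
ns_section "ns/server/${server}/modules"
ns_param nssock ${bindir}/nssock${ext}
ns_param nslog ${bindir}/nslog${ext}
ns_param nssha1 ${bindir}/nssha1${ext}
ns_param nscache ${bindir}/nscache${ext}
ns_param nsrewrite ${bindir}/nsrewrite${ext}
ns_param nsxml ${bindir}/nsxml${ext}
ns_param nsvhr ${bindir}/nsunix${ext}
ns_param nsfts ${bindir}/nsfts${ext}
if { [file exists $sslcertfile] && [file exists $sslkeyfile] } {
    ns_param nsssl ${bindir}/nsopenssl${ext}
} else {
    ns_log warning "${server}.tcl: nsssl not loaded because key/cert files do not exist."
}
# ns_param nsperm ${bindir}/nsperm.so
# ns_param nscgi ${bindir}/nscgi.so
# ns_param nsjava ${bindir}/libnsjava.so

##########################################
# Socket driver module (HTTP) -- nssock  #
##########################################
ns_section "ns/server/${server}/module/nssock"
ns_param timeout 120
ns_param port $httpport
ns_param hostname $hostname
ns_param address $address

#####################################################
# Virtual hosting redirector (nsunix socket) -- nsvhr #
#####################################################
# This section added by RH on 27/11/01. Virtual Hosting Redirector configuration.
ns_section "ns/server/${server}/module/nsvhr"
ns_param hostname $hostname ;# same value as the www.${server}.com literal used before
ns_param socketfile "${server}.nsunix"
# End of section added by RH on 27/11/01.

##########################################
# Socket driver module (HTTPS) -- nsssl  #
##########################################
# Section added by Richard Hamilton on 24/10/02. Configuration for nsopenssl v2.1.
# Sourced from http://www.scottg.net/webtools/aolserver/modules/nsopenssl/configuration
# nsssl does not load unless sslkeyfile/sslcertfile exist (above).
# NOTE(review): every Protocols list below enables SSLv2 and every
# CipherSuite string admits the EXP and LOW cipher classes, all of which are
# weak. Removing SSLv2, +SSLv2, +LOW and +EXP from the server-side pairs is
# the usual hardening once no client depends on them; values are left as
# the author set them here.
ns_section "ns/server/${server}/module/nsssl"
# General settings
ns_param ServerPort $httpsport
ns_param ServerHostname $hostname
ns_param ServerAddress $address
# NSD-driven connections:
ns_param ServerCertFile $sslcertfile
ns_param ServerKeyFile $sslkeyfile
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache false
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
# NOTE(review): presumably asks connecting clients for a certificate that
# chains to ServerCAFile within ServerPeerVerifyDepth -- confirm against the
# nsopenssl 2.1 documentation before relying on it.
ns_param ServerPeerVerify true
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ca
ns_param ServerCAFile $sslcacertfile
ns_param ServerTrace false
# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile $sslcertfile
ns_param SockServerKeyFile $sslkeyfile
ns_param SockServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache false
ns_param SockServerSessionCacheID 2
ns_param SockServerSessionCacheSize 512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockServerCADir ca
ns_param SockServerCAFile $sslcacertfile
ns_param SockServerTrace false
# Outgoing SSL connections (all disabled)
#ns_param SockClientCertFile $sslcertfile
#ns_param SockClientKeyFile $sslkeyfile
#ns_param SockClientProtocols "SSLv2, SSLv3, TLSv1"
#ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param SockClientSessionCache false
#ns_param SockClientSessionCacheID 3
#ns_param SockClientSessionCacheSize 512
#ns_param SockClientSessionCacheTimeout 300
#ns_param SockClientPeerVerify true
# The original read "SockServerPeerVerifyDepth" here, a copy/paste slip in
# an otherwise SockClient-only block; corrected so it is right if uncommented.
#ns_param SockClientPeerVerifyDepth 3
#ns_param SockClientCADir ca
#ns_param SockClientCAFile ca.pem
#ns_param SockClientTrace false
# Typically where you store your certificates
# Defaults to $AOLSERVER/servers/${servername}/modules/nsopenssl
ns_param ModuleDir ${homedir}/servers/${server}/modules/nsopenssl
# OpenSSL library support:
# NOTE(review): RandomFile points at a fixed executable, so the bytes fed to
# the OpenSSL PRNG are the same on every start; a kernel entropy device such
# as /dev/urandom is the usual choice where the platform provides one.
ns_param RandomFile /bin/sfxload
ns_param SeedBytes 1024
# End of section

####################
# Database drivers #
####################
ns_section "ns/db/drivers"
ns_param postgres ${bindir}/postgres${ext} ;# Load PostgreSQL driver

ns_section "ns/db/driver/postgres"
ns_param pgbin /usr/local/pgsql/bin

ns_section "ns/db/pools"
ns_param main "OpenACS Main Pool"
ns_param log "OpenACS Log Pool"
ns_param subquery "OpenACS Subquery Pool"

ns_section "ns/db/pool/main"
ns_param Driver postgres
ns_param Connections 5 ;# 5 is a good number. Increase according to your needs
ns_param DataSource localhost::${server} ;# host::dbname; the database name is derived from $server
ns_param User nsadmin ;# User and password AOLserver will use to connect
ns_param Password $dbpassword
ns_param Verbose Off ;# Set it to On to see all queries. Good for debugging SQL.
ns_param LogSQLErrors On
ns_param ExtendedTableInfo On
# ns_param MaxOpen 1000000000 ;# Max time to keep idle db connection open
# ns_param MaxIdle 1000000000 ;# Max time to keep active db connection open

ns_section "ns/db/pool/log"
ns_param Driver postgres
ns_param Connections 5
ns_param DataSource localhost::${server}
ns_param User nsadmin
ns_param Password $dbpassword
ns_param Verbose On ;# every query on this pool is written to the server log
ns_param LogSQLErrors On
ns_param ExtendedTableInfo On
# ns_param MaxOpen 1000000000
# ns_param MaxIdle 1000000000

ns_section "ns/db/pool/subquery"
ns_param Driver postgres
ns_param Connections 2
ns_param DataSource localhost::${server}
ns_param User nsadmin
ns_param Password $dbpassword
ns_param Verbose On ;# every query on this pool is written to the server log
ns_param LogSQLErrors On
ns_param ExtendedTableInfo On
# ns_param MaxOpen 1000000000
# ns_param MaxIdle 1000000000

ns_section "ns/server/${server}/db"
ns_param Pools "*"
ns_param DefaultPool "main"

#######################
# Access log -- nslog #
#######################
ns_section "ns/server/${server}/module/nslog"
ns_param rolllog true ;# Should we roll log?
ns_param rollonsignal true ;# Roll log on SIGHUP
ns_param rollhour 0 ;# Time to roll log
ns_param maxbackup 5 ;# Max number to keep around when rolling

#
# CGI interface -- nscgi, if you have legacy stuff. Tcl or ADP files inside
# AOLserver are vastly superior to CGIs. You don't actually need the Interps
# if your script calls the appropriate interpreter itself.
#
#ns_section "ns/server/${server}/module/nscgi"
# ns_param map "GET /cgi-bin /web/$server/cgi-bin"
# ns_param map "POST /cgi-bin /web/$server/cgi-bin"
# ns_param Interps CGIinterps
#ns_section "ns/interps/CGIinterps"
# ns_param .pl "/usr/bin/perl"

########################
# Control port -- nscp #
########################
# nscp does not load unless nscp_user is a valid user.
# nscp: Uncomment the sample password and log in with "nsadmin", password "x",
# type "ns_crypt newpassword salt" and put the encrypted string below.
# The commented nscp_addr above binds the port to 127.0.0.1 only; keep it
# that way if this is ever enabled.
#ns_section "ns/server/${server}/module/nscp"
# ns_param port $nscp_port
# ns_param address $nscp_addr
#ns_section "ns/server/${server}/module/nscp/users"
# ns_param user $nscp_user
#if { $nscp_user != "" } {
# ns_param nscp ${bindir}/nscp${ext}
#} else {
# ns_log warning "${server}.tcl: nscp not loaded because user/password is not set."
#}

##############################
# Source OpenACS Config File #
##############################
# Standard location is: /web/${server}/parameters/ad_${server}.tcl
# source /web/${server}/parameters/ad_${server}.tcl ;# But not for Open_ACS 4.5

ns_log notice "${server}.tcl: finished reading config file."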