From: Gustaf N. (sslmail) <ne...@wu...> - 2025-07-15 17:45:58
Dear all,

As discussed and requested at last week’s EuroTcl/OpenACS conference, I’ve created a new mailing list: naviserver-users, now available on SourceForge:

🔗 https://sourceforge.net/p/naviserver/mailman/

While the interface isn’t particularly polished, this setup consolidates everything in one place and gets us started. That said, we can certainly consider alternative platforms - such as openacs.org - or any others you might suggest.

Looking forward to your feedback and participation.

All the best,
Gustaf

PS: The videos from the conference are already online (many thanks to Antonio!), they need still linkage on the conference site.
https://learn.wu.ac.at/eurotcl2025/

From: Stefan S. <ste...@wu...> - 2025-07-09 15:37:27
Congratulations, what a heavy lift!
Enjoy Bologna and have NS 5 celebrated!

Ciao, Stefan

> Dear all,
>
> We are glad to announce the final release of NaviServer 5.0.0, marking the most significant update in the project’s history with over 70,000 lines of changes. This release delivers robust security enhancements, modernized infrastructure, and improved scalability. Key highlights include:
>
>   * *Security by Default*: HTTP client requests now validate server certificates automatically, with configurable trust exceptions and a bundled CA root store. A new pluggable authorization framework (|ns_auth|) enables scriptable request- and user-level access control.
>   * *Modernized Core*: Unix domain socket support, case-insensitive |ns_set|, Argon2 password hashing, and streamlined configuration via environment variables (ideal for containers). The reverse proxy is now built into the core, with new forward proxy capabilities.
>   * *Enhanced Observability and Scalability*: Improved logging (dynamic paths, rotation, and new "Security" severity), detailed connection diagnostics (|ns_conn urldict|, |ns_connchan debug|), runtime introspection (|ns_http keepalives|, |ns_info buildinfo|), persistent client connections, and streaming HTTP client processing.
>
> *Backward Compatibility & Future-Readiness*
> While introducing cutting-edge features, NaviServer 5.0.0 maintains strong backward compatibility, with deprecated APIs clearly documented and modern replacements provided (e.g., |ns_urlencode| → |ns_percentencode|). The release introduces/extends over 50 Tcl commands and subcommands. The upgrade to MPL 1.2 and Tcl 9 support ensures long-term sustainability. Over 20 community-contributed modules (like |nsdbpg|, |nssmtpd|) have been updated in lockstep.
>
> The following people contributed to this release:
>
>     Alexander Danilov, Andrew Piskorski, Antonio Pisano, Brendan Graves, Brian Fenton, Danilo Raynor, David F, David Osborne, Filip Minic, Georg Lehner, Gustaf Neumann, Hector Romojaro, Joe Oldak, Oleg Oleinick, Priyank Jalu, Thomas Renner, Zoran Vasiljevic
>
> *Resources*:
>
>   * Download <https://sourceforge.net/projects/naviserver/files/naviserver/5.0.0/> | GitHub <https://github.com/naviserver-project/naviserver> | Docs <https://naviserver.sourceforge.io/5.0/toc.html>
>
> This release is a major leap forward in security, flexibility, and maintainability. See below for the detailed changes: Upgrade today!
>
> /The NaviServer Team/
>
>
> Tcl API Changes
>
> |ns_cache|
>
>   * New option |cachingmode|: Accepts |full| or |none| to toggle caching behavior.
>
> |ns_configsection|
>
>   * New option |-filter|: Filters variables by |unread|, |defaulted|, or |defaults|.
>
> |ns_configure_variables|
>
>   * New command to pull in configuration variables from environment variables (for use in configuration files)
>
> |ns_conn|
>
>   * *General enhancements*:
>       o |ns_conn host|, |ns_conn port|, |ns_conn protocol|: Now return appropriate values for all request types (not limited to forward proxy requests).
>   * *New subcommands*:
>       o |ns_conn target|: Returns the complete request target, including query parameters, from the HTTP start line.
>       o |ns_conn fragment|: Returns the fragment identifier (after |#|) if present.
>       o |ns_conn urldict|: Parses the request URL into a Tcl dictionary for structured access.
>       o |ns_conn host|: Supports an optional default value if the host is not determined.
>       o |ns_conn details|: Returns a dictionary with driver-specific connection metadata.
>
> |ns_connchan|
>
>   * *Security and diagnostics improvements*:
>       o |ns_connchan debug|: Set or query the debug level.
>       o |ns_connchan connect| / |ns_connchan open|: Now accept additional security-related options: |-cafile|, |-capath|, |-cert|, |-hostname|, |-insecure|, |-driver|, and |-unixsocket|.
>       o |ns_connchan status|: Added |-server| option for multi-server introspection.
>       o |ns_connchan write|: Now performs buffered writes.
>   * More detailed timeout handling
>
> |ns_driver|
>
>   * |info|, |names|, |stats|, and |threads| support the |-server| option to allow multi-server diagnostics.
>
> |ns_http|
>
>   * *Connection handling and introspection*:
>       o Persistent HTTP connections supported via the |keepalive| option in |httpclient| configuration.
>       o Introduced support for multiple task threads.
>       o Streaming response support for incremental data handling (useful for large file transfers and LLM interaction).
>       o Default timeout configuration for requests.
>       o New callbacks: |response_header_callback| and |response_data_callback|.
>       o Renamed |-donecallback| to |-done_callback| (old name deprecated).
>       o Added support for informational HTTP status codes (e.g., 100 Continue).
>       o New subcommands:
>           + |ns_http keepalives|: Displays active persistent connections.
>           + |ns_http taskthreads|: Provides insight into HTTP client threads.
>       o Major internal refactoring of |tclhttp.c| for modularity and maintainability.
>
> |ns_ictl|
>
>   * |getmodules|: Now supports the |-server| option for per-server introspection.
>
> |ns_info|
>
>   * Added subcommands:
>       o |argv|: Returns the original argument vector.
>       o |bindir|: Returns the binary directory path.
>       o |buildinfo|: Displays build-time config and version info.
>       o |logdir|: Path to the log directory.
>       o |meminfo|: Displays memory statistics (when using |tcmalloc|).
>
> |ns_ip|
>
>   * Added subcommands:
>       o |inany|: Checks if an IP matches any configured address.
>       o |properties|: Returns metadata about configured IPs.
>       o |public|: Determines if an IP is publicly routable.
>       o |trusted|: Checks if an IP is trusted.
>       o |valid|: Validates IP syntax.
>   * These enhancements supersede the need for |ns_subnetmatch|.
>
> |ns_issmallint|
>
>   * New command to check if a value is a valid small integer (replaces the old, now deprecated |issmallint|).
>
> |ns_logctl|
>
>   * New subcommand |grep|: Searches log files with pattern matching, stripping color codes and handling line continuations.
>
> |ns_register*| Enhancements
>
>   * All |ns_register_*| commands now support the |-constraints| option, enabling context-sensitive behavior.
>   * New command: |ns_register_auth| allows registration of user- and request-level authorization handlers.
>
> |ns_server|
>
>   * New subcommands:
>       o |authprocs|: Lists registered request/user auth procedures.
>       o |hosts|: Lists registered hostnames for the server.
>       o |logdir|: Returns the server log directory.
>       o |realm|: returns or sets the realm of the server
>       o |serverdir|: Returns the base directory for the virtual server (|-effective| returns the resolved runtime path).
>       o |vhostenabled|: Returns a boolean indicating virtual hosting status.
>   * |ns_server mapped|: New option |-all| returns a dict with handler and pool info.
>
> |ns_set|
>
>   * *Case-insensitive support*:
>       o New |-nocase| flag for |ns_set create| and related operations.
>       o Deprecated the |i*| subcommands (e.g., |iget|, |ifind|) in favor of unified interface.
>   * *Multi-valued key support*:
>       o |-all| option retrieves all values for a given key in |ns_set| and |ns_config|.
>   * *New subcommands*:
>       o |format|: Pretty-prints the set contents.
>       o |stats|: Returns memory usage statistics.
>   * |delkey|: Now returns a boolean success flag.
>   * *Internal improvements*:
>       o Refactored |ns_set| internals using dense storage for lower memory use and better cache locality.
>       o Replaced deeply nested switch logic with modular, maintainable code.
>
> |ns_thread|
>
>   * Unified thread creation:
>       o Use |ns_thread create| for all thread types.
>       o Deprecated |begin| and |begindetached| to align with |ns_cond|, |ns_mutex|, and |ns_sema| usage.
>
> |ns_urlspace|
>
>   * Wildcard matching now supports path-segment-level matches (previously limited to leaf nodes).
>   * Applied improved matching in |nscgi| to support directory-wide CGI mapping.
>   * Renamed option |-contextfilter| to |-constraints| in |ns_urlspace set/unset| to match the new registration API.
>
> Database Enhancements
>
>   * |ns_db info|: Returns a dictionary of metadata for a given DB handle.
>   * |ns_dbpooldescription|: Renamed from the previous |ns_pooldescription| for consistent naming.
>   * |ns_db rowcount|: Fixed in this release to return actual row counts.
>
> New Utilities
>
>   * |ns_fseekchars|: Efficiently scans a stream for a string (e.g., for multipart/form-data parsing).
>   * |ns_joinurl|: Constructs well-formed URLs from path components.
>   * |ns_mkdtemp|: Creates a unique temporary directory (POSIX-style |mkdtemp()|).
>   * |ns_parsehtml|: Parses HTML fragments into a structured Tcl dict.
>   * |ns_parsemessage|: Parses MIME-style messages (e.g., emails or HTTP headers).
>   * |ns_percentencode| / |ns_percentdecode|: Replace deprecated |ns_urlencode| and |ns_urldecode| for robust URL-safe encoding/decoding.
>
>
> Changes in Core Modules
>
> |nscgi|
>
>   * New command: |ns_register_cgi| for dynamic CGI handler registration (supports |-noinherit|, |-path|, etc.).
>   * Supports unregistration via |ns_unregister_op|.
>   * New environment variables: |SCRIPT_FILENAME|, |REQUEST_URI|.
>   * Refactored to support major web apps (e.g., WordPress, Joomla).
>   * See commit |36027b70215| for implementation details.
>
> |nscp|
>
>   * Integrated with new authorization system (e.g., via |nsperm users|).
>   * New command |nscp users|: Lists registered users for nscp authentication.
>
> |nsperm|
>
>   * Acts as a pluggable authorization provider for request/user scopes.
>   * New config parameter: |allowLoopbackEmptyUser|—permits unauthenticated loopback access when enabled.
>   * Added support for setting default server start pages and |nsstats|.
>
> |nsproxy|
>
>   * New subcommand: |ns_proxy workers|—provides detailed runtime info on proxy worker processes.
>
> ------------------------------------------------------------------------
>
>
> Bug Fixes
>
> Stability and Crash Resolutions
>
>   * *Addressed multiple potential crash scenarios:*
>       o Robust handling of HTTP |CONNECT| requests.
>       o Fixed crashes caused by missing or empty argument lists in commands such as |ns_filestat|, |ns_sockcallback|, and |ns_ictl oncleanup|.
>       o Prevented crash in |ns_log| when invoked with an empty message.
>       o Resolved a 24-year-old bug in |Ns_AdjTime()| that could lead to fatal errors due to microsecond overflow in multithreaded environments.
>       o Fixed crash in |ns_conn copy| when operating on empty content.
>       o Prevented crash in |ns_sema release| with invalid semaphore counts.
>       o Corrected off-by-one error in |ns_adp_bind_args| that could access uninitialized |Tcl_Obj| values.
>       o Fixed crash in |ns_inet_ntop| due to unsafe memory operations with overlapping regions (notably on aarch64 with musl).
>       o Resolved crash in |Ns_SetIUpdateSz()| caused by case mismatch in header keys with the legacy C API.
>       o Fixed crash during |nscp| startup when the |users| section was not configured.
>       o Prevented crash in debug mode when the |Host:| header could not be mapped to a virtual server and the driver was installed locally.
>       o Avoided crash when launching |nsd| with |-c| and |-t| options and no |home| parameter defined.
>       o Fixed crash during computation of |ns_conn location| when the network driver was not globally installed (global installation now recommended).
>       o Fixed crash due to self-destructive header replacement when |ns_conn outputheaders| are passed via |ns_respond ... -headers ...|
>
> Functional Correctness and Logic Fixes:
>
>   * |ns_conn status|: Fixed issue where updated status codes were silently ignored.
>   * |ns_conn doneCallback|: Ensured this callback is always invoked in |ns_http|.
>   * |nsv_dict get|: Fixed a memory leak in value retrieval.
>   * |ns_conn peeraddr|: Resolved race condition in pipelined requests that could yield incorrect peer addresses.
>   * |ns_cache_eval -force|: Fixed race condition that could produce obsolete results.
>   * |ns_sema create|: Corrected handling of initial count values (e.g., |1000|).
>   * |ns_trim|: Fixed spacing logic to trim only leading and trailing whitespace, preserving internal spacing.
>   * |ns_config -int|: Corrected fallback behavior when invalid values are supplied, now correctly using documented defaults.
>   * |ns_sockcallback|: Now gracefully handles missing arguments.
>   * |ns_socknread|: Fixed inaccurate results for buffered connections.
>   * |ns_crypto::aead::encrypt/decrypt|: Restored compatibility with OpenSSL 1.1.1.
>   * Fixed incorrect parsing of encoded backslashes in URLs.
>   * |Ns_StrTrimRight()|: Corrected UTF-8 handling in right-side string trimming.
>   * Fixed |ns_conn location| when running behind a reverse proxy to always return a value, even in broken configurations.
>
> OpenSSL fixes
>
>   * Added support for detecting and validating OCSP Must-Staple and AIA presence in certificates. Without that, NaviServer might crash, when OCSP is turned on, and NULL values are passed for AIA URLs (letsencrypt)
>   * Introduced stable output buffers for |send| operations to support retries after |SSL_ERROR_WANT_WRITE|, preventing connection failures under high load.
>   * Improved error handling in OpenSSL integration by draining the error stack via DrainErrorStack().
>
> HTTP Client Fixes
>
>   * |ns_http|:
>       o Reordered initialization in |NsInitServer()| to ensure submodules can access a fully configured server state.
>
> HTML and ADP Parsing Fixes
>
>   * ADP Parser:
>       o Enhanced support for quoted |>| characters inside attribute values, aligning with modern HTML parsing rules.
>   * |return-notice| handling:
>       o Suppressed spurious error messages when fallback ADP templates are processed outside of a full ADP context.
>   * |ns_striphtml|:
>       o Fixed long-standing bug where adjacent HTML entities were incorrectly decoded—only the first entity was processed.
>
> Logging and Diagnostics Fixes
>
>   * Fixed misleading log output when dynamically changing extended headers via |ns_accesslog extendedheaders ...|.
>   * Improved error messages when port binding fails due to conflicts with driver assignment.
>   * Fixed off-by-one error in the virtual server port configuration logic.
>   * Clarified or corrected multiple logging messages across modules for better diagnostics.
>
> nscgi Module Fixes
>
>   * Fixed file upload failures when uploads were internally spooled by NaviServer — previously returned 500 errors.
>   * Corrected processing of CGI script exit codes not 0.
>   * Fixed hostname and port reporting for |SERVER_NAME|.
>
> Database Fixes
>
>   * |ns_db rowcount|: Fixed regression where the row count logic was not invoked, rendering the command a no-op.
>
> Build and Compatibility Fixes
>
>   * Suppressed obsolete |--enable-threads| warning for Tcl versions where thread support is now enabled by default.
>   * Fixed compilation failure with glibc 2.38+ due to |PTHREAD_STACK_MIN| becoming dynamic via |sysconf()|.
>
> General Cleanups
>
>   * Fixed small memory leak triggered by |serverrootproc| reset.
>   * Numerous minor typo corrections, comment clarifications, and small logic cleanups across modules.
>
> ------------------------------------------------------------------------
>
>
> C-Level Infrastructure, C API Enhancements, and Build System
>
> Core Infrastructure Improvements
>
>   * *Socket Layer Enhancements*:
>       o Added |sendErrno| field to the |Sock| structure to improve diagnostics and tracking of write errors.
>   * *Modernized Initialization*:
>       o Introduced |NS_INIT_ONCE()| macro for thread-safe one-time initialization, replacing legacy double-lock patterns.
>   * *Data Structure Utilities*:
>       o Added utility functions |Ns_DListSaveString()| and |Ns_DListFreeElements()| to simplify dynamic list management.
>       o Replaced use of legacy |Ns_DString| functions with standard |Tcl_DString|, modernizing internal data handling.
>   * *Debugging Support*:
>       o Added |NsHexPrint()| for hex-dumping of byte sequences, aiding in low-level debugging and analysis.
>   * *Introspection Enhancements*:
>       o Introduced |Ns_TclReturnCodeString()| and |Ns_ReturnCodeString()| to convert internal return codes into readable strings, improving log clarity and diagnostics.
>   * *Code Quality and Performance*:
>       o Applied extensive internal refactorings to improve performance, cache locality, and maintainability across multiple subsystems.
>
> C API Enhancements
>
>   * *General*:
>       o Added typedefs for |Ns_AuthorizeRequestProc|, |Ns_AuthorizeUserProc|, |Ns_UrlSpaceMatchInfo|, |Ns_DriverConnInfoProc|
>       o Added enum for |Ns_RequestType|, |Ns_UrlSpaceOp|, |Ns_DriverClientInitArg|
>       o Added API calls in ns.h: |Ns_ConfigFilename|, |Ns_ConnTarget|, |Ns_UrlSpaceMatchInfo|, |Ns_ConnServPtr|, |Ns_DStringAppendSockState|, |Ns_RegisterFilter2|, |Ns_TaskQueueLength|, |Ns_TaskQueueName|, |Ns_TaskQueueRequests|, |Ns_ObjvTablePrint|, |Ns_InfoLogPath|, |Ns_LogPath|, |Ns_ServerLogDir|, |Ns_ServerRootProcEnabled|, |Ns_ServerLogGetFd|, |Ns_ServerLogCloseAll|, |Ns_ServerLogRollAll|, |Ns_GetServer|, |Ns_ServerName|, |Ns_SockSetSendErrno|, |Ns_SockGetSendErrno|, |Ns_SockGetSendRejected|, |Ns_SockGetSendCount|, |Ns_SockFlagAdd|, |Ns_SockFlagClear|, |Ns_SockSendBufsEx|, |Ns_SockConnectUnix|, |Ns_SockGetClientSockAddr|, |Ns_SockGetConfiguredSockAddr|, |Ns_SockaddrPublicIpAddress|, |Ns_SockaddrTrustedReverseProxy|, |Ns_SockaddrInAny|, |Ns_SockaddrAddToDictIpProperties|, |Ns_TclReturnCodeString|, |Ns_ReturnCodeString|, |Ns_TclInterpServPtr|, |Ns_LogDeprecatedParameter|, |Ns_RegisterFastUrl2File|
>       o Extended |Ns_Request|, |Ns_TclCallback|
>       o Refactored |Ns_ConnReturnMoved()| and |Ns_ConnReturnRedirect()| to unify redirection logic.
>   * *Secure Communication and Validation*:
>       o Added fine-grained certificate validation APIs
>       o Improved error stack draining for OpenSSL operations.
>   * *Extended C API for |ns_connchan|*:
>       o Introduced a minimal C-level API for |connchan| connections, enabling finer control over lower-level network operations.
>   * *Build Platform Compatibility*:
>       o Updated Windows build system to use |NS_IMPORT| in place of deprecated |NS_EXTERN|.
>       o Avoided use of deprecated C functions such as |mktemp()| to improve portability and security.
>
> Build System and Tooling
>
>   * *Configuration and Sample Support*:
>       o Replaced hard-coded OS commands (ls, mv, ...) consistently with build variables
>       o Replaced hard-coded OpenSSL binary references with the |$(OPENSSL)| build variable.
>       o Enhanced log path and configuration variable handling to support more dynamic setups.
>   * *Test Infrastructure*:
>       o Extended regression and compatibility test coverage to validate edge cases and cross-platform behavior.
>   * *Build Metadata Introspection*:
>       o Added support for build-time introspection of environment settings, including allocator type (e.g., |malloc|), compiler version, and Tcl build info.
>   * *Optional Deprecation-Free Builds*:
>       o Introduced build flag |NS_NO_DEPRECATED| to exclude deprecated functions and APIs, mirroring Tcl’s |TCL_NO_DEPRECATED| mechanism.
>   * *CI/CD Modernization*:
>       o Upgraded GitHub Actions workflows from version 3 to version 4 for improved performance and compatibility.
>   * *Sample Configuration Files*:
>       o Improved sample configurations (|nsd-config| and |openacs-config|) to use environment-specific settings via |ns_configure_variables|
>       o prefer names |http| and |https| instead of |nsock| and |nsssl| inside sample configuration files to ease configuration for new users.
>
> ------------------------------------------------------------------------
>
>
> Documentation Updates
>
> Comprehensive Overhaul
>
>   * Conducted a thorough review and restructuring of all documentation:
>       o *Tcl Command Documentation*:
>           + Ensured all implemented Tcl commands and their options are fully documented.
>           + Removed documentation for obsolete or unimplemented commands.
>           + Deprecated commands are no longer advertised in manuals or used in examples.
>           + Introduced a dedicated section listing deprecated commands.
>           + Enabled automated generation of a complete command reference.
>       o *Test Alignment*:
>           + Verified that every implemented Tcl command is covered by regression tests.
>           + Ensured that all documented commands are also implemented and tested.
>
> Syntax and Formatting Consistency
>
>   * Standardized placeholder syntax across the documentation and syntax error messages (see commit |ffbd32774db| for details).
>
> Manual Page Improvements
>
>   * *nscgi*: Significantly revised documentation and usage examples for clarity and completeness.
>   * *admin-config.man*: Added a new section on “Customizing File Locations”.
>   * Added and updated sections covering:
>       o Basic templating features.
>       o Error handling mechanisms.
>       o Recently introduced Tcl commands and options.
>
> Visual and Structural Enhancements
>
>   * Updated diagrams and usage examples related to:
>       o Request processing flow.
>       o Reverse proxy (revproxy) behavior.
>
> Additional Improvements
>
>   * Numerous corrections to spelling, grammar, formatting, and internal linking throughout the documentation.
>
> Deprecation Management Infrastructure
>
>   * Introduced compiler warnings for usage of deprecated |Ns_DString*| functions
>   * Added log severity level |Deprecated| to better surface deprecated usage at runtime
>   * Documented all deprecated commands in a dedicated section of the command reference
>   * Deprecated the use of manual double-checked locking for one-time initialization replaced by the |NS_INIT_ONCE()| macro for safer and cleaner initialization semantics
>
> ------------------------------------------------------------------------
>
>
> Deprecations
>
> Tcl-Level Command Deprecations
>
>   * Deprecated the following Tcl commands:
>       o |ns_set print| → replaced by |ns_set format|
>       o |ns_checkurl| and |ns_requestauthorize| → replaced by |ns_auth request|
>       o |ns_thread begin| → replaced by |ns_thread create|
>       o |ns_thread begindetached| → replaced by |ns_thread create -detached|
>       o |ns_event| → replaced by |ns_cond|
>       o |ns_pooldescription| → replaced by |ns_dbpooldescription|
>       o |keyldel|, |keylget|, |keylkeys|, |keylset| (from TclX) → replaced by native |dict| functionality in Tcl
>       o Legacy experimental functions (marked TBD for over 20 years) are now deprecated:
>           + |ns_browsermatch|, |ns_choosecharset|, |ns_cookiecharset|, |ns_formfieldcharset|, |ns_formvalueput|, |ns_paren|, |ns_tagelement|, |ns_tagelementset|
>       o Deprecated non-namespaced functions:
>           + |getformdata|, |issmallint|
>       o |ns_parsetime|: now officially deprecated (was internally marked "To be removed" for ~15 years)
>       o |ns_set_precision|: deprecated in favor of standard Tcl idioms
>
> Tcl-Level Option Deprecations
>
>   * Deprecated options:
>       o |-buffered| in |ns_connchan write|
>       o |-donecallback| in |ns_http| → replaced by |-done_callback| (naming consistency)
>       o |-binary| (previously used to indicate Tcl objects with binary data) → replaced by |-data|, aligning with conventions where |-binary| is a boolean flag
>
> C-Level API Deprecations
>
>   * Deprecated or removed C functions:
>       o |Ns_ObjvFlags()| → replaced by |Ns_ObjvIndex()| for option parsing (removed redundancy)
>       o |Ns_SockSendBufs2()| → replaced by |Ns_SockSendBufsEx()| which returns an additional |errorCode|
>       o |Ns_TclInitInterps()| → removed (marked as deprecated since 2005)
>       o Deprecated internal usage of OpenSSL and Tcl functions that have been marked as deprecated upstream
>       o All C functions previously marked as deprecated in source comments are now officially deprecated
>
> Configuration Parameter Deprecations
>
>   * Global config parameters:
>       o |logroll|: → replaced by |logrollonsignal| (standardized log rotation behavior on |SIGHUP|)
>       o |serverlog|: → replaced by |systemlog| to reduce ambiguity between system and per-server logs
>   * Section parameter changes:
>       o |serverdir| in the |fastpath| section is now deprecated → use |serverdir| in the main per-server section instead (reflecting its broader usage scope)
>
>
> Changes in extra Modules
>
> letsencrypt
>
>   * Tcl9 compatibility changes
>
> nsauthpam
>
>   * Tcl9 compatibility changes
>   * License upgrade
>
> nscoap
>
>   * Tcl9 compatibility changes
>   * NaviServer 5 compatibility
>   * License upgrade
>
> nsdbbdb
>
>   * Replaced deprecated Ns_DString operations
>   * Support for LMDB
>
> nsdbi
>
>   * Removed calls to deprecated functions
>   * Tcl9 compatibility changes
>
> nsdbilite
>
>   * Removed calls to deprecated functions
>
> nsdbimy
>
>   * Removed calls to deprecated functions
>
> nsdbipg
>
>   * Removed calls to deprecated functions
>
> nsdbmysql
>
>   * Removed calls to deprecated functions
>
> nsdbpg
>
>   * Tcl9 compatibility changes
>   * NaviServer 5 compatibility
>   * Removed calls to deprecated functions
>   * License upgrade
>
> nsdbsqlite
>
>   * Fixed execution of DML queries.
>   * Removed calls to deprecated functions
>   * Pulled in new upstream version (3.47.2) of sqlite3.c
>
> nsdns
>
>   * Removed calls to deprecated functions
>   * Code cleanup
>
> nsldap
>
>   * Added support for LDAP URIs in pool configuration
>   * Removed calls to deprecated functions
>   * Removed unneeded compile macro
>   * Fixed result setting of "connected" subcommand
>   * Refactor nsldap Tcl command into modular subcommands
>   * Tcl9 compatibility changes
>   * Updated documentation
>
> nsloopctl
>
>   * Tcl9 compatibility changes
>   * Minor code cleanup
>
> nsmemcache
>
>   * Removed calls to deprecated functions
>
> nsoracle
>
>   * Added experimental boolean configuration parameter |convertEncoding|: When this Boolean parameter is true, the connection is created with OCIEnvNlsCreate() instead of OCIEnvCreate(). OCIEnvNlsCreate was introduced with Oracle9 and is an enhanced version of OCIEnvCreate() which is used by default (legacy setting) or when ConvertEncoding is not true. This parameter performs on-the-fly conversions when connecting to a Latin1 encoded database.
>   * Removed calls to deprecated functions
>   * Modernized configuration (range checks) and use Ns_ReturnCode when appropriate
>   * Tcl9 compatibility changes
>
> nsphp
>
>   * Removed calls to deprecated functions
>
> nsshell
>
>   * Updated command list for command completion for NaviServer 5
>   * Updated most JavaScript libraries
>
> nssmtpd
>
>   * Simplified configuration (provided defaults where possible)
>   * Added support for providing mail server password via userinfo in |relayhost|
>   * Fixed multi-line response parsing
>   * Tcl9 compatibility changes
>   * NaviServer 5 compatibility
>   * Removed calls to deprecated functions
>   * Updated documentation
>   * License upgrade
>
> nssnmp
>
>   * Removed calls to deprecated functions
>
> nsstats
>
>   * More detailed reports:
>       o added list of loaded modules per server
>       o added list of all registered domain names for a driver
>       o added server log dir to per-server information
>   * Refactored web UI (adjusted layout for NaviServer 4.99 and 5)
>   * Added support for dark mode
>   * Added support for |nsperm| module, when installed
>   * Made parsing of http client log file more robust
>   * License upgrade
>
> nssyslogd
>
>   * Removed calls to deprecated functions
>   * NaviServer 5 compatibility
>
> nstk
>
>   * Tcl9 compatibility changes
>
> nsudp
>
>   * Tcl9 compatibility changes
>   * NaviServer 5 compatibility
>   * License upgrade
>
> nswebpush
>
>   * Tcl9 compatibility changes
>   * Updated code for newer and more picky web servers
>   * Fixed code for aes128gcm
>
> revproxy
>
>   * moved code to main repository
>
> websocket
>
>   * NaviServer 5 compatibility
>   * Avoid deprecated messages for |ns_conn write -buffered|
>   * Improved documentation
>   * More detailed timeout handling
>
> _______________________________________________
> naviserver-devel mailing list
> nav...@li...
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel

From: Gustaf N. (sslmail) <ne...@wu...> - 2025-07-08 19:13:04
Dear all,

We are glad to announce the final release of NaviServer 5.0.0, marking the most significant update in the project’s history with over 70,000 lines of changes. This release delivers robust security enhancements, modernized infrastructure, and improved scalability.

Key highlights include:

* Security by Default: HTTP client requests now validate server certificates automatically, with configurable trust exceptions and a bundled CA root store. A new pluggable authorization framework (ns_auth) enables scriptable request- and user-level access control.
* Modernized Core: Unix domain socket support, case-insensitive ns_set, Argon2 password hashing, and streamlined configuration via environment variables (ideal for containers). The reverse proxy is now built into the core, with new forward proxy capabilities.
* Enhanced Observability and Scalability: Improved logging (dynamic paths, rotation, and new "Security" severity), detailed connection diagnostics (ns_conn urldict, ns_connchan debug), runtime introspection (ns_http keepalives, ns_info buildinfo), persistent client connections, and streaming HTTP client processing.
* Backward Compatibility & Future-Readiness: While introducing cutting-edge features, NaviServer 5.0.0 maintains strong backward compatibility, with deprecated APIs clearly documented and modern replacements provided (e.g., ns_urlencode → ns_percentencode).

The release introduces/extends over 50 Tcl commands and subcommands. The upgrade to MPL 1.2 and Tcl 9 support ensures long-term sustainability. Over 20 community-contributed modules (like nsdbpg, nssmtpd) have been updated in lockstep.

The following people contributed to this release: Alexander Danilov, Andrew Piskorski, Antonio Pisano, Brendan Graves, Brian Fenton, Danilo Raynor, David F, David Osborne, Filip Minic, Georg Lehner, Gustaf Neumann, Hector Romojaro, Joe Oldak, Oleg Oleinick, Priyank Jalu, Thomas Renner, Zoran Vasiljevic

Resources: Download <https://sourceforge.net/projects/naviserver/files/naviserver/5.0.0/> | GitHub <https://github.com/naviserver-project/naviserver> | Docs <https://naviserver.sourceforge.io/5.0/toc.html>

This release is a major leap forward in security, flexibility, and maintainability. See below for the detailed changes:

Upgrade today!

The NaviServer Team

Tcl API Changes

ns_cache

* New option cachingmode: Accepts full or none to toggle caching behavior.

ns_configsection

* New option -filter: Filters variables by unread, defaulted, or defaults.

ns_configure_variables

* New command to pull in configuration variables from environment variables (for use in configuration files)

ns_conn

* General enhancements:
  o ns_conn host, ns_conn port, ns_conn protocol: Now return appropriate values for all request types (not limited to forward proxy requests).
* New subcommands:
  o ns_conn target: Returns the complete request target, including query parameters, from the HTTP start line.
  o ns_conn fragment: Returns the fragment identifier (after #) if present.
  o ns_conn urldict: Parses the request URL into a Tcl dictionary for structured access.
  o ns_conn host: Supports an optional default value if the host is not determined.
  o ns_conn details: Returns a dictionary with driver-specific connection metadata.

ns_connchan

* Security and diagnostics improvements:
  o ns_connchan debug: Set or query the debug level.
  o ns_connchan connect / ns_connchan open: Now accept additional security-related options: -cafile, -capath, -cert, -hostname, -insecure, -driver, and -unixsocket.
  o ns_connchan status: Added -server option for multi-server introspection.
  o ns_connchan write: Now performs buffered writes.
  o More detailed timeout handling

ns_driver

* info, names, stats, and threads support the -server option to allow multi-server diagnostics.

ns_http

* Connection handling and introspection:
  o Persistent HTTP connections supported via the keepalive option in httpclient configuration.
  o Introduced support for multiple task threads.
  o Streaming response support for incremental data handling (useful for large file transfers and LLM interaction).
  o Default timeout configuration for requests.
  o New callbacks: response_header_callback and response_data_callback.
  o Renamed -donecallback to -done_callback (old name deprecated).
  o Added support for informational HTTP status codes (e.g., 100 Continue).
* New subcommands:
  o ns_http keepalives: Displays active persistent connections.
  o ns_http taskthreads: Provides insight into HTTP client threads.
* Major internal refactoring of tclhttp.c for modularity and maintainability.

ns_ictl

* getmodules: Now supports the -server option for per-server introspection.

ns_info

* Added subcommands:
  o argv: Returns the original argument vector.
  o bindir: Returns the binary directory path.
  o buildinfo: Displays build-time config and version info.
  o logdir: Path to the log directory.
  o meminfo: Displays memory statistics (when using tcmalloc).

ns_ip

* Added subcommands:
  o inany: Checks if an IP matches any configured address.
  o properties: Returns metadata about configured IPs.
  o public: Determines if an IP is publicly routable.
  o trusted: Checks if an IP is trusted.
  o valid: Validates IP syntax.
* These enhancements supersede the need for ns_subnetmatch.

ns_issmallint

* New command to check if a value is a valid small integer (replaces the old, now deprecated issmallint).

ns_logctl

* New subcommand grep: Searches log files with pattern matching, stripping color codes and handling line continuations.

ns_register* Enhancements

* All ns_register_* commands now support the -constraints option, enabling context-sensitive behavior.
* New command: ns_register_auth allows registration of user- and request-level authorization handlers.

ns_server

* New subcommands:
  o authprocs: Lists registered request/user auth procedures.
  o hosts: Lists registered hostnames for the server.
  o logdir: Returns the server log directory.
  o realm: returns or sets the realm of the server
  o serverdir: Returns the base directory for the virtual server (-effective returns the resolved runtime path).
  o vhostenabled: Returns a boolean indicating virtual hosting status.
* ns_server mapped: New option -all returns a dict with handler and pool info.

ns_set

* Case-insensitive support:
  o New -nocase flag for ns_set create and related operations.
  o Deprecated the i* subcommands (e.g., iget, ifind) in favor of unified interface.
* Multi-valued key support:
  o -all option retrieves all values for a given key in ns_set and ns_config.
* New subcommands:
  o format: Pretty-prints the set contents.
  o stats: Returns memory usage statistics.
* delkey: Now returns a boolean success flag.
* Internal improvements:
  o Refactored ns_set internals using dense storage for lower memory use and better cache locality.
  o Replaced deeply nested switch logic with modular, maintainable code.

ns_thread

* Unified thread creation:
  o Use ns_thread create for all thread types.
  o Deprecated begin and begindetached to align with ns_cond, ns_mutex, and ns_sema usage.

ns_urlspace

* Wildcard matching now supports path-segment-level matches (previously limited to leaf nodes).
* Applied improved matching in nscgi to support directory-wide CGI mapping.
* Renamed option -contextfilter to -constraints in ns_urlspace set/unset to match the new registration API.

Database Enhancements

* ns_db info: Returns a dictionary of metadata for a given DB handle.
* ns_dbpooldescription: Renamed from the previous ns_pooldescription for consistent naming.
* ns_db rowcount: Fixed in this release to return actual row counts.

New Utilities

* ns_fseekchars: Efficiently scans a stream for a string (e.g., for multipart/form-data parsing).
* ns_joinurl: Constructs well-formed URLs from path components.
* ns_mkdtemp: Creates a unique temporary directory (POSIX-style mkdtemp()).
* ns_parsehtml: Parses HTML fragments into a structured Tcl dict.
* ns_parsemessage: Parses MIME-style messages (e.g., emails or HTTP headers).
* ns_percentencode / ns_percentdecode: Replace deprecated ns_urlencode and ns_urldecode for robust URL-safe encoding/decoding.

Changes in Core Modules

nscgi

* New command: ns_register_cgi for dynamic CGI handler registration (supports -noinherit, -path, etc.).
* Supports unregistration via ns_unregister_op.
* New environment variables: SCRIPT_FILENAME, REQUEST_URI.
* Refactored to support major web apps (e.g., WordPress, Joomla). See commit 36027b70215 for implementation details.

nscp

* Integrated with new authorization system (e.g., via nsperm users).
* New command nscp users: Lists registered users for nscp authentication.

nsperm

* Acts as a pluggable authorization provider for request/user scopes.
* New config parameter: allowLoopbackEmptyUser—permits unauthenticated loopback access when enabled.
* Added support for setting default server start pages and nsstats.

nsproxy

* New subcommand: ns_proxy workers—provides detailed runtime info on proxy worker processes.

Bug Fixes

Stability and Crash Resolutions

* Addressed multiple potential crash scenarios:
  o Robust handling of HTTP CONNECT requests.
  o Fixed crashes caused by missing or empty argument lists in commands such as ns_filestat, ns_sockcallback, and ns_ictl oncleanup.
  o Prevented crash in ns_log when invoked with an empty message.
  o Resolved a 24-year-old bug in Ns_AdjTime() that could lead to fatal errors due to microsecond overflow in multithreaded environments.
  o Fixed crash in ns_conn copy when operating on empty content.
  o Prevented crash in ns_sema release with invalid semaphore counts.
  o Corrected off-by-one error in ns_adp_bind_args that could access uninitialized Tcl_Obj values.
  o Fixed crash in ns_inet_ntop due to unsafe memory operations with overlapping regions (notably on aarch64 with musl).
  o Resolved crash in Ns_SetIUpdateSz() caused by case mismatch in header keys with the legacy C API.
  o Fixed crash during nscp startup when the users section was not configured.
  o Prevented crash in debug mode when the Host: header could not be mapped to a virtual server and the driver was installed locally.
  o Avoided crash when launching nsd with -c and -t options and no home parameter defined.
  o Fixed crash during computation of ns_conn location when the network driver was not globally installed (global installation now recommended).
  o Fixed crash due to self-destructive header replacement when ns_conn outputheaders are passed via ns_respond ... -headers ...

Functional Correctness and Logic Fixes:

* ns_conn status: Fixed issue where updated status codes were silently ignored.
* ns_conn doneCallback: Ensured this callback is always invoked in ns_http.
* nsv_dict get: Fixed a memory leak in value retrieval.
* ns_conn peeraddr: Resolved race condition in pipelined requests that could yield incorrect peer addresses.
* ns_cache_eval -force: Fixed race condition that could produce obsolete results.
* ns_sema create: Corrected handling of initial count values (e.g., 1000).
* ns_trim: Fixed spacing logic to trim only leading and trailing whitespace, preserving internal spacing.
* ns_config -int: Corrected fallback behavior when invalid values are supplied, now correctly using documented defaults.
* ns_sockcallback: Now gracefully handles missing arguments.
* ns_socknread: Fixed inaccurate results for buffered connections.
* ns_crypto::aead::encrypt/decrypt: Restored compatibility with OpenSSL 1.1.1.
* Fixed incorrect parsing of encoded backslashes in URLs.
* Ns_StrTrimRight(): Corrected UTF-8 handling in right-side string trimming.
* Fixed ns_conn location when running behind a reverse proxy to always return a value, even in broken configurations.

OpenSSL fixes

* Added support for detecting and validating OCSP Must-Staple and AIA presence in certificates. Without that, NaviServer might crash, when OCSP is turned on, and NULL values are passed for AIA URLs (letsencrypt)
* Introduced stable output buffers for send operations to support retries after SSL_ERROR_WANT_WRITE, preventing connection failures under high load.
* Improved error handling in OpenSSL integration by draining the error stack via DrainErrorStack().

HTTP Client Fixes

* ns_http: Reordered initialization in NsInitServer() to ensure submodules can access a fully configured server state.

HTML and ADP Parsing Fixes

* ADP Parser: Enhanced support for quoted > characters inside attribute values, aligning with modern HTML parsing rules.
* return-notice handling: Suppressed spurious error messages when fallback ADP templates are processed outside of a full ADP context.
* ns_striphtml: Fixed long-standing bug where adjacent HTML entities were incorrectly decoded—only the first entity was processed.

Logging and Diagnostics Fixes

* Fixed misleading log output when dynamically changing extended headers via ns_accesslog extendedheaders ....
* Improved error messages when port binding fails due to conflicts with driver assignment.
* Fixed off-by-one error in the virtual server port configuration logic.
* Clarified or corrected multiple logging messages across modules for better diagnostics.

nscgi Module Fixes

* Fixed file upload failures when uploads were internally spooled by NaviServer — previously returned 500 errors.
* Corrected processing of CGI script exit codes not 0.
* Fixed hostname and port reporting for SERVER_NAME.

Database Fixes

* ns_db rowcount: Fixed regression where the row count logic was not invoked, rendering the command a no-op.

Build and Compatibility Fixes

* Suppressed obsolete --enable-threads warning for Tcl versions where thread support is now enabled by default.
* Fixed compilation failure with glibc 2.38+ due to PTHREAD_STACK_MIN becoming dynamic via sysconf().

General Cleanups

* Fixed small memory leak triggered by serverrootproc reset.
* Numerous minor typo corrections, comment clarifications, and small logic cleanups across modules.

C-Level Infrastructure, C API Enhancements, and Build System

Core Infrastructure Improvements

* Socket Layer Enhancements: Added sendErrno field to the Sock structure to improve diagnostics and tracking of write errors.
* Modernized Initialization: Introduced NS_INIT_ONCE() macro for thread-safe one-time initialization, replacing legacy double-lock patterns.
* Data Structure Utilities:
  o Added utility functions Ns_DListSaveString() and Ns_DListFreeElements() to simplify dynamic list management.
  o Replaced use of legacy Ns_DString functions with standard Tcl_DString, modernizing internal data handling.
* Debugging Support: Added NsHexPrint() for hex-dumping of byte sequences, aiding in low-level debugging and analysis.
* Introspection Enhancements: Introduced Ns_TclReturnCodeString() and Ns_ReturnCodeString() to convert internal return codes into readable strings, improving log clarity and diagnostics.
* Code Quality and Performance: Applied extensive internal refactorings to improve performance, cache locality, and maintainability across multiple subsystems.

C API Enhancements

* General:
  o Added typedefs for Ns_AuthorizeRequestProc, Ns_AuthorizeUserProc, Ns_UrlSpaceMatchInfo, Ns_DriverConnInfoProc
  o Added enum for Ns_RequestType, Ns_UrlSpaceOp, Ns_DriverClientInitArg
  o Added API calls in ns.h: Ns_ConfigFilename, Ns_ConnTarget, Ns_UrlSpaceMatchInfo, Ns_ConnServPtr, Ns_DStringAppendSockState, Ns_RegisterFilter2, Ns_TaskQueueLength, Ns_TaskQueueName, Ns_TaskQueueRequests, Ns_ObjvTablePrint, Ns_InfoLogPath, Ns_LogPath, Ns_ServerLogDir, Ns_ServerRootProcEnabled, Ns_ServerLogGetFd, Ns_ServerLogCloseAll, Ns_ServerLogRollAll, Ns_GetServer, Ns_ServerName, Ns_SockSetSendErrno, Ns_SockGetSendErrno, Ns_SockGetSendRejected, Ns_SockGetSendCount, Ns_SockFlagAdd, Ns_SockFlagClear, Ns_SockSendBufsEx, Ns_SockConnectUnix, Ns_SockGetClientSockAddr, Ns_SockGetConfiguredSockAddr, Ns_SockaddrPublicIpAddress, Ns_SockaddrTrustedReverseProxy, Ns_SockaddrInAny, Ns_SockaddrAddToDictIpProperties, Ns_TclReturnCodeString, Ns_ReturnCodeString, Ns_TclInterpServPtr, Ns_LogDeprecatedParameter, Ns_RegisterFastUrl2File
  o Extended Ns_Request, Ns_TclCallback
  o Refactored Ns_ConnReturnMoved() and Ns_ConnReturnRedirect() to unify redirection logic.
* Secure Communication and Validation:
  o Added fine-grained certificate validation APIs
  o Improved error stack draining for OpenSSL operations.
* Extended C API for ns_connchan: Introduced a minimal C-level API for connchan connections, enabling finer control over lower-level network operations.

Build Platform Compatibility

* Updated Windows build system to use NS_IMPORT in place of deprecated NS_EXTERN.
* Avoided use of deprecated C functions such as mktemp() to improve portability and security.

Build System and Tooling

* Configuration and Sample Support:
  o Replaced hard-coded OS commands (ls, mv, ...) consistently with build variables
  o Replaced hard-coded OpenSSL binary references with the $(OPENSSL) build variable.
  o Enhanced log path and configuration variable handling to support more dynamic setups.
* Test Infrastructure: Extended regression and compatibility test coverage to validate edge cases and cross-platform behavior.
* Build Metadata Introspection: Added support for build-time introspection of environment settings, including allocator type (e.g., malloc), compiler version, and Tcl build info.
* Optional Deprecation-Free Builds: Introduced build flag NS_NO_DEPRECATED to exclude deprecated functions and APIs, mirroring Tcl’s TCL_NO_DEPRECATED mechanism.
* CI/CD Modernization: Upgraded GitHub Actions workflows from version 3 to version 4 for improved performance and compatibility.
* Sample Configuration Files:
  o Improved sample configurations (nsd-config and openacs-config) to use environment-specific settings via ns_configure_variables
  o prefer names http and https instead of nsock and nsssl inside sample configuration files to ease configuration for new users.

Documentation Updates

Comprehensive Overhaul

Conducted a thorough review and restructuring of all documentation:

* Tcl Command Documentation:
  o Ensured all implemented Tcl commands and their options are fully documented.
  o Removed documentation for obsolete or unimplemented commands.
  o Deprecated commands are no longer advertised in manuals or used in examples.
  o Introduced a dedicated section listing deprecated commands.
  o Enabled automated generation of a complete command reference.
* Test Alignment:
  o Verified that every implemented Tcl command is covered by regression tests.
  o Ensured that all documented commands are also implemented and tested.

Syntax and Formatting Consistency

* Standardized placeholder syntax across the documentation and syntax error messages (see commit ffbd32774db for details).

Manual Page Improvements

* nscgi: Significantly revised documentation and usage examples for clarity and completeness.
* admin-config.man: Added a new section on “Customizing File Locations”.
* Added and updated sections covering:
  o Basic templating features.
  o Error handling mechanisms.
  o Recently introduced Tcl commands and options.

Visual and Structural Enhancements

* Updated diagrams and usage examples related to:
  o Request processing flow.
  o Reverse proxy (revproxy) behavior.

Additional Improvements

* Numerous corrections to spelling, grammar, formatting, and internal linking throughout the documentation.

Deprecation Management Infrastructure

* Introduced compiler warnings for usage of deprecated Ns_DString* functions
* Added log severity level Deprecated to better surface deprecated usage at runtime
* Documented all deprecated commands in a dedicated section of the command reference
* Deprecated the use of manual double-checked locking for one-time initialization replaced by the NS_INIT_ONCE() macro for safer and cleaner initialization semantics

Deprecations

Tcl-Level Command Deprecations

* Deprecated the following Tcl commands:
  o ns_set print → replaced by ns_set format
  o ns_checkurl and ns_requestauthorize → replaced by ns_auth request
  o ns_thread begin → replaced by ns_thread create
  o ns_thread begindetached → replaced by ns_thread create -detached
  o ns_event → replaced by ns_cond
  o ns_pooldescription → replaced by ns_dbpooldescription
  o keyldel, keylget, keylkeys, keylset (from TclX) → replaced by native dict functionality in Tcl
* Legacy experimental functions (marked TBD for over 20 years) are now deprecated: ns_browsermatch, ns_choosecharset, ns_cookiecharset, ns_formfieldcharset, ns_formvalueput, ns_paren, ns_tagelement, ns_tagelementset
* Deprecated non-namespaced functions: getformdata, issmallint
* ns_parsetime: now officially deprecated (was internally marked "To be removed" for ~15 years)
* ns_set_precision: deprecated in favor of standard Tcl idioms

Tcl-Level Option Deprecations

* Deprecated options:
  o -buffered in ns_connchan write
  o -donecallback in ns_http → replaced by -done_callback (naming consistency)
  o -binary (previously used to indicate Tcl objects with binary data) → replaced by -data, aligning with conventions where -binary is a boolean flag

C-Level API Deprecations

* Deprecated or removed C functions:
  o Ns_ObjvFlags() → replaced by Ns_ObjvIndex() for option parsing (removed redundancy)
  o Ns_SockSendBufs2() → replaced by Ns_SockSendBufsEx() which returns an additional errorCode
  o Ns_TclInitInterps() → removed (marked as deprecated since 2005)
* Deprecated internal usage of OpenSSL and Tcl functions that have been marked as deprecated upstream
* All C functions previously marked as deprecated in source comments are now officially deprecated

Configuration Parameter Deprecations

* Global config parameters:
  o logroll: → replaced by logrollonsignal (standardized log rotation behavior on SIGHUP)
  o serverlog: → replaced by systemlog to reduce ambiguity between system and per-server logs
* Section parameter changes:
  o serverdir in the fastpath section is now deprecated → use serverdir in the main per-server section instead (reflecting its broader usage scope)

Changes in extra Modules

letsencrypt

* Tcl9 compatibility changes

nsauthpam

* Tcl9 compatibility changes
* License upgrade

nscoap

* Tcl9 compatibility changes
* NaviServer 5 compatibility
* License upgrade

nsdbbdb

* Replaced deprecated Ns_DString operations
* Support for LMDB

nsdbi

* Removed calls to deprecated functions
* Tcl9 compatibility changes

nsdbilite

* Removed calls to deprecated functions

nsdbimy

* Removed calls to deprecated functions

nsdbipg

* Removed calls to deprecated functions

nsdbmysql

* Removed calls to deprecated functions

nsdbpg

* Tcl9 compatibility changes
* NaviServer 5 compatibility
* Removed calls to deprecated functions
* License upgrade

nsdbsqlite

* Fixed execution of DML queries.
* Removed calls to deprecated functions
* Pulled in new upstream version (3.47.2) of sqlite3.c

nsdns

* Removed calls to deprecated functions
* Code cleanup

nsldap

* Added support for LDAP URIs in pool configuration
* Removed calls to deprecated functions
* Removed unneeded compile macro
* Fixed result setting of "connected" subcommand
* Refactor nsldap Tcl command into modular subcommands
* Tcl9 compatibility changes
* Updated documentation

nsloopctl

* Tcl9 compatibility changes
* Minor code cleanup

nsmemcache

* Removed calls to deprecated functions

nsoracle

* Added experimental boolean configuration parameter convertEncoding: When this Boolean parameter is true, the connection is created with OCIEnvNlsCreate() instead of OCIEnvCreate(). OCIEnvNlsCreate was introduced with Oracle9 and is an enhanced version of OCIEnvCreate() which is used by default (legacy setting) or when ConvertEncoding is not true. This parameter performs on-the-fly conversions when connecting to a Latin1 encoded database.
* Removed calls to deprecated functions
* Modernized configuration (range checks) and use Ns_ReturnCode when appropriate
* Tcl9 compatibility changes

nsphp

* Removed calls to deprecated functions

nsshell

* Updated command list for command completion for NaviServer 5
* Updated most JavaScript libraries

nssmtpd

* Simplified configuration (provided defaults where possible)
* Added support for providing mail server password via userinfo in relayhost
* Fixed multi-line response parsing
* Tcl9 compatibility changes
* NaviServer 5 compatibility
* Removed calls to deprecated functions
* Updated documentation
* License upgrade

nssnmp

* Removed calls to deprecated functions

nsstats

* More detailed reports:
  o added list of loaded modules per server
  o added list of all registered domain names for a driver
  o added server log dir to per-server information
* Refactored web UI (adjusted layout for NaviServer 4.99 and 5)
* Added support for dark mode
* Added support for nsperm module, when installed
* Made parsing of http client log file more robust
* License upgrade

nssyslogd

* Removed calls to deprecated functions
* NaviServer 5 compatibility

nstk

* Tcl9 compatibility changes

nsudp

* Tcl9 compatibility changes
* NaviServer 5 compatibility
* License upgrade

nswebpush

* Tcl9 compatibility changes
* Updated code for newer and more picky web servers
* Fixed code for aes128gcm

revproxy

* moved code to main repository

websocket

* NaviServer 5 compatibility
* Avoid deprecated messages for ns_conn write -buffered
* Improved documentation
* More detailed timeout handling
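
The trusted reverse proxy support and the `ns_ip public` / `ns_ip trusted` checks listed in the announcement above, together with the X-Forwarded-For handling described in the release notes on this page, amount to deciding which address in a forwarding chain to log as the client. The following is an added Python example of that decision, not NaviServer code and not its algorithm; the function name, the CIDR ranges and the sample headers are constructed assumptions.

```python
import ipaddress

# Constructed example range (assumption): the addresses of our own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Simplified notion of "non-routable" used by this example only:
# private, loopback and link-local ranges.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _in_any(ip, networks):
    # Membership is False when the address and network families differ.
    return any(ip in net for net in networks)


def resolve_client_ip(peer, xff, trusted=TRUSTED_PROXIES, skip_non_routable=True):
    """Pick the address to log for a request.

    peer: socket peer address of the connection (string).
    xff:  raw X-Forwarded-For header value, or None/"" when absent.
    """
    peer_ip = ipaddress.ip_address(peer)

    # The header is only meaningful when the direct peer is one of our
    # proxies; anyone else can put arbitrary text into it.
    if not _in_any(peer_ip, trusted):
        return str(peer_ip)

    entries = [e.strip() for e in (xff or "").split(",") if e.strip()]
    fallback = None

    # Walk from the right: the rightmost entries were appended by the
    # proxies closest to us, the leftmost ones are supplied by the client.
    for entry in reversed(entries):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: stop and keep what we have so far
        if _in_any(hop, trusted):
            continue  # another of our own proxies
        if skip_non_routable and _in_any(hop, NON_ROUTABLE):
            # Skipping trades accuracy for trust: anything further left
            # was reported by this untrusted hop, not by our proxies.
            if fallback is None:
                fallback = hop
            continue
        return str(hop)

    return str(fallback if fallback is not None else peer_ip)


if __name__ == "__main__":
    # Constructed sample requests: (peer, X-Forwarded-For value)
    samples = [
        ("203.0.113.50", "198.51.100.1"),              # untrusted peer
        ("10.0.0.5", "198.51.100.23, 10.0.0.9"),       # two internal proxies
        ("10.0.0.5", "192.0.2.99, 198.51.100.23"),     # client-supplied prefix
        ("10.0.0.5", "198.51.100.23, 192.168.1.20"),   # non-routable hop
    ]
    for peer, header in samples:
        print(peer, "|", header, "->", resolve_client_ip(peer, header))
```
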
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-07-02 16:04:49
Dear all,

The preliminary program for this year’s conference (next week in Bologna) is now available:

👉 https://openacs.km.at/evaluate/org/129998253/companyhelp/schedule

Please note that we will not have live-streams this year. However, we plan to make recordings of the presentations available afterward.

As in previous years, the program includes an OpenACS and NaviServer panel to discuss future directions for both projects. If you have suggestions for improvements or areas that need attention - whether technical, community-related, or otherwise, or features you need in your projects - please feel free to email me your thoughts. I’ll make sure your input is brought into the discussion.

Looking forward to hearing from you!

All the best,
-g
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-06-26 17:46:42
Hi everyone,

I’m glad to report that NaviServer 5.0 RC 1 is now available on SourceForge: https://sourceforge.net/projects/naviserver/files/NaviServer5.0/

The updated online documentation can be found here: https://naviserver.org/docs/5.0/

This marks our feature freeze - over the coming weeks we’ll focus strictly on bug fixes and stability improvements. Our goal is to deliver the final 5.0 release before the OpenACS/EuroTcl/Conference in Bologna (July 10–11, 2025): https://openacs.km.at/

Below is the preliminary changelog for the core package. We continue work on a summary of the main changes in the NaviServer modules repositories. Since the raw changelog since the 4.99 release is quite large (>22K lines), something may have slipped through. If you spot any omissions that should be on our radar, please let me know.

The changes are quite extensive: 522 files changed, 78016 insertions(+), 32993 deletions(-)

According to our documentation, this is the largest number of changes between releases.

Please, if possible, download RC 1, give it a spin, and let us know of any regressions or show-stopper bugs by opening an issue on our tracker. https://github.com/naviserver-project/naviserver

Thank you for your testing and feedback - let’s make the 5.0 release rock solid for Bologna!

Best regards,
The NaviServer Team

Changelog

New Features

Security Enhancements

* Secure by Default when NaviServer is used as an HTTP client (ns_http and ns_connchan)
  o All HTTP client requests now validate the peer server certificate by default.
  o Introduced the -insecure flag to bypass validation in trusted scenarios.
  o Bundled a ca-bundle.crt with well-known root certificates for out-of-the-box verification support.
* Fine-Grained Validation Management:
  o Configure validation exceptions in the httpclient section to allow specific certificate issues (e.g., self-signed certs) for defined IP ranges.
  o Define a directory for storing rejected certificates, enabling later review, manual trust decisions, or audit trails.
  o For details, consult the admin-config manual.
* Certificate Management
  o Added new commands:
    - ns_certctl list – List loaded certificates.
    - ns_certctl reload – Reload certificates at runtime.
* Pluggable Authorization Framework
  o Introduced flexible, scriptable request- and user-level authorization:
    - Supports multiple authorization handlers ("authorities") with ordered evaluation.
    - Handlers can return continuation codes (TCL_OK, TCL_BREAK, TCL_RETURN) to control the authorization chain.
  o New Tcl commands:
    - ns_auth request – Evaluate configured request-level auth handlers.
    - ns_auth user – Evaluate user-level authorization logic.
* Improved Reverse Proxy Trust Management
  o Define trusted upstream proxies via CIDR ranges.
  o Configurable handling of X-Forwarded-For chains, including:
    - Skipping non-routable addresses.
    - Alternative resolution strategies.
  o Improves accuracy and security of client IP logging (e.g., in access.log).
  o For implementation details, see commit ab23158ece.
* Argon2 Password Hashing
  o New command: ns_crypto::argon2 – Provides support for modern, secure password hashing.

User Interface and HTML Improvements

* Modernized Default Start Page
  o Redesigned layout with responsive and accessible design.
  o Added modal dialog for password updates.
  o Improved security guidance for publicly exposed installations.
  o Installer now fetches resources from GitHub (previously Bitbucket).
* Dark Mode Support
  o Automatically respects system preferences via the prefers-color-scheme media query.
  o Supported across modern versions of Windows, macOS, iOS, and Android.
* Consistent Visual Styling
  o Unified look and feel across:
    - Default start page
    - NaviServer documentation
    - nsstats module interface

Configuration and File Management

* Configuration via environment variables
  o Added ability to pull in environment variables with a certain prefix as configuration variables for configuration files (new command ns_configure_variables). This helps configuration significantly for container-based deployments, where ports etc. have to be adjusted on standardized configuration files.
* New File Location Options
  o Unified log path resolution via logdir or serverdir.
  o Moved serverdir definition from fastpath to the top-level server section; it now acts as the root for both logdir and page directories.
  o Added bindir parameter for custom binary module and nsproxy worker locations.
* Improved Log Configuration
  o Relative log file paths are now resolved consistently based on:
    - serverrootproc (for mass virtual hosting), or
    - serverdir.
  o Supports dynamic log file naming (e.g., using Host header) for per-vhost logging.
  o Log rotation now applies across multiple log targets.
* Improved Section Parameter Updates
  o New -update flag for ns_section, allowing ns_param to overwrite previously defined values rather than appending.

Proxy Features

* Reverse Proxy Integration
  o The reverse proxy module is now built into the NaviServer core.
  o Leverages improvements in ns_http, including:
    - Persistent connections
    - Streaming request handling
  o New features:
    - -use_target_host_header flag for ::revproxy::upstream to control Host header forwarding.
    - Configurable transport mechanism using either ns_http or ns_connchan.
    - Support for backend connections via Unix domain sockets.
* Forward Proxy Implementation
  o Base implementation included, built on the same scalable architecture as the reverse proxy.
  o Full support for the HTTP CONNECT method:
    - Enables tunneling HTTPS connections through the proxy.
    - Eliminates the need for insecure plaintext fallbacks.

Additional Functional Improvements

* Unix Domain Socket Support
  o Both ns_http and ns_connchan now support connections via Unix domain sockets.
* Multibyte HTML Entity Support
  o ns_striphtml and ns_unquotehtml now correctly decode multibyte numeric HTML entities.
* New Log Severities
  o Security – For security-related events.
  o Deprecated – For usage of deprecated features (e.g., API calls, parameters).
* TclPro Debugger Support
  o Significantly improved integration with the TclPro debugger.
  o Resolved missing file references and corrected documentation.
  o See the ns_adp_debug manual for usage.
* Tcl 9 Compatibility
  o Internal updates to support Tcl 9 features and constraints.
  o Support for Tcl command argument counts >2^31.
* License Upgrade
  o Changed from MPL 1.1 + GPL to MPL 1.2.
  o Announced previously on the mailing list and Tcl forums.

Tcl API Changes

ns_cache

* New option cachingmode: Accepts full or none to toggle caching behavior.

ns_configsection

* New option -filter: Filters variables by unread, defaulted, or defaults.

ns_configure_variables

* New command to pull in configuration variables from environment variables (to be used in configuration files)

ns_conn

* General enhancements:
  o ns_conn host, ns_conn port, ns_conn protocol: Now return appropriate values for all request types (not limited to forward proxy requests).
  o ns_conn target: Returns the complete request target, including query parameters, from the HTTP start line.
  o ns_conn fragment: Returns the fragment identifier (after #) if present.
  o ns_conn urldict: Parses the request URL into a Tcl dictionary for structured access.
  o ns_conn host: Supports an optional default value if the host is not determined.
  o ns_conn details: Returns a dictionary with driver-specific connection metadata.

ns_connchan

* Security and diagnostics improvements:
  o ns_connchan debug: Set or query the debug level.
  o ns_connchan connect / ns_connchan open: Now accept additional security-related options: -cafile, -capath, -cert, -hostname, -insecure, -driver, and -unixsocket.
ns_connchan status: Added -server option for multi-server introspection. ns_connchan write: Now performs buffered writes. ns_driver info, names, stats, and threads support the -server option to allow multi-server diagnostics. ns_http Connection handling and introspection: Persistent HTTP connections supported via the keepalive option in httpclient configuration. Introduced support for multiple task threads. Streaming response support for incremental data handling (useful for large file transfers and LLM interaction). Default timeout configuration for requests. New callbacks: response_header_callback and response_data_callback. Renamed -donecallback to -done_callback (old name deprecated). Added support for informational HTTP status codes (e.g., 100 Continue). New subcommands: ns_http keepalives: Displays active persistent connections. ns_http taskthreads: Provides insight into HTTP client threads. Major internal refactoring of tclhttp.c for modularity and maintainability. ns_ictl getmodules: Now supports the -server option for per-server introspection. ns_info Added subcommands: argv: Returns the original argument vector. bindir: Returns the binary directory path. buildinfo: Displays build-time config and version info. logdir: Path to the log directory. meminfo: Displays memory statistics (when using tcmalloc). ns_ip Added subcommands: inany: Checks if an IP matches any configured address. properties: Returns metadata about configured IPs. public: Determines if an IP is publicly routable. trusted: Checks if an IP is trusted. valid: Validates IP syntax. These enhancements supersede the need for ns_subnetmatch. ns_issmallint New command to check if a value is a valid small integer (replaces the old, now deprecated issmallint). ns_logctl New subcommand grep: Searches log files with pattern matching, stripping color codes and handling line continuations. 

ns_register* Enhancements
* All ns_register_* commands now support the -constraints option, enabling context-sensitive behavior.
* New command: ns_register_auth allows registration of user- and request-level authorization handlers.

ns_server
* New subcommands:
    o authprocs: Lists registered request/user auth procedures.
    o hosts: Lists registered hostnames for the server.
    o logdir: Returns the server log directory.
    o realm: returns or sets the realm of the server
    o serverdir: Returns the base directory for the virtual server (-effective returns the resolved runtime path).
    o vhostenabled: Returns a boolean indicating virtual hosting status.
* ns_server mapped: New option -all returns a dict with handler and pool info.

ns_set
* Case-insensitive support:
    o New -nocase flag for ns_set create and related operations.
    o Deprecated the i* subcommands (e.g., iget, ifind) in favor of unified interface.
* Multi-valued key support:
    o -all option retrieves all values for a given key in ns_set and ns_config.
* New subcommands:
    o format: Pretty-prints the set contents.
    o stats: Returns memory usage statistics.
* delkey: Now returns a boolean success flag.
* Internal improvements:
    o Refactored ns_set internals using dense storage for lower memory use and better cache locality.
    o Replaced deeply nested switch logic with modular, maintainable code.

ns_thread
* Unified thread creation:
    o Use ns_thread create for all thread types.
    o Deprecated begin and begindetached to align with ns_cond, ns_mutex, and ns_sema usage.

ns_urlspace
* Wildcard matching now supports path-segment-level matches (previously limited to leaf nodes).
* Applied improved matching in nscgi to support directory-wide CGI mapping.
* Renamed option -contextfilter to -constraints in ns_urlspace set/unset to match the new registration API.

Database Enhancements
* ns_db info: Returns a dictionary of metadata for a given DB handle.
* ns_dbpooldescription: Renamed from the previous ns_pooldescription for consistent naming.
* ns_db rowcount: Fixed in this release to return actual row counts.

New Utilities
* ns_fseekchars: Efficiently scans a stream for a string (e.g., for multipart/form-data parsing).
* ns_joinurl: Constructs well-formed URLs from path components.
* ns_mkdtemp: Creates a unique temporary directory (POSIX-style mkdtemp()).
* ns_parsehtml: Parses HTML fragments into a structured Tcl dict.
* ns_parsemessage: Parses MIME-style messages (e.g., emails or HTTP headers).
* ns_percentencode / ns_percentdecode: Replace deprecated ns_urlencode and ns_urldecode for robust URL-safe encoding/decoding.

Changes in Core Modules

nscgi
* New command: ns_register_cgi for dynamic CGI handler registration (supports -noinherit, -path, etc.).
* Supports unregistration via ns_unregister_op.
* New environment variables: SCRIPT_FILENAME, REQUEST_URI.
* Refactored to support major web apps (e.g., WordPress, Joomla).
* See commit 36027b70215 for implementation details.

nscp
* Integrated with new authorization system (e.g., via nsperm users).
* New command nscp users: Lists registered users for nscp authentication.

nsperm
* Acts as a pluggable authorization provider for request/user scopes.
* New config parameter: allowLoopbackEmptyUser—permits unauthenticated loopback access when enabled.
* Added support for setting default server start pages and nsstats.

nsproxy
* New subcommand: ns_proxy workers—provides detailed runtime info on proxy worker processes.

Bug Fixes

Stability and Crash Resolutions
* Addressed multiple potential crash scenarios:
    o Robust handling of HTTP CONNECT requests.
    o Fixed crashes caused by missing or empty argument lists in commands such as ns_filestat, ns_sockcallback, and ns_ictl oncleanup.
    o Prevented crash in ns_log when invoked with an empty message.
    o Resolved a 24-year-old bug in Ns_AdjTime() that could lead to fatal errors due to microsecond overflow in multithreaded environments.
    o Fixed crash in ns_conn copy when operating on empty content.
    o Prevented crash in ns_sema release with invalid semaphore counts.
    o Corrected off-by-one error in ns_adp_bind_args that could access uninitialized Tcl_Obj values.
    o Fixed crash in ns_inet_ntop due to unsafe memory operations with overlapping regions (notably on aarch64 with musl).
    o Resolved crash in Ns_SetIUpdateSz() caused by case mismatch in header keys with the legacy C API.
    o Fixed crash during nscp startup when the users section was not configured.
    o Prevented crash in debug mode when the Host: header could not be mapped to a virtual server and the driver was installed locally.
    o Avoided crash when launching nsd with -c and -t options and no home parameter defined.
    o Fixed crash during computation of ns_conn location when the network driver was not globally installed (global installation now recommended).
    o Fixed crash due to self-destructive header replacement when ns_conn outputheaders are passed via ns_respond ... -headers ...

Functional Correctness and Logic Fixes:
* ns_conn status: Fixed issue where updated status codes were silently ignored.
* ns_conn doneCallback: Ensured this callback is always invoked in ns_http.
* nsv_dict get: Fixed a memory leak in value retrieval.
* ns_conn peeraddr: Resolved race condition in pipelined requests that could yield incorrect peer addresses.
* ns_cache_eval -force: Fixed race condition that could produce obsolete results.
* ns_sema create: Corrected handling of initial count values (e.g., 1000).
* ns_trim: Fixed spacing logic to trim only leading and trailing whitespace, preserving internal spacing.
* ns_config -int: Corrected fallback behavior when invalid values are supplied, now correctly using documented defaults.
* ns_sockcallback: Now gracefully handles missing arguments.
* ns_socknread: Fixed inaccurate results for buffered connections.
* ns_crypto::aead::encrypt/decrypt: Restored compatibility with OpenSSL 1.1.1.
* Fixed incorrect parsing of encoded backslashes in URLs.
* Ns_StrTrimRight(): Corrected UTF-8 handling in right-side string trimming.
* Fixed ns_conn location when running behind a reverse proxy to always return a value, even in broken configurations.

OpenSSL fixes
* Added support for detecting and validating OCSP Must-Staple and AIA presence in certificates. Without that, NaviServer might crash, when OCSP is turned on, and NULL values are passed for AIA URLs (letsencrypt)
* Introduced stable output buffers for send operations to support retries after SSL_ERROR_WANT_WRITE, preventing connection failures under high load.
* Improved error handling in OpenSSL integration by draining the error stack via DrainErrorStack().

HTTP Client Fixes
* ns_http: Reordered initialization in NsInitServer() to ensure submodules can access a fully configured server state.

HTML and ADP Parsing Fixes
* ADP Parser: Enhanced support for quoted > characters inside attribute values, aligning with modern HTML parsing rules.
* return-notice handling: Suppressed spurious error messages when fallback ADP templates are processed outside of a full ADP context.
* ns_striphtml: Fixed long-standing bug where adjacent HTML entities were incorrectly decoded—only the first entity was processed.

Logging and Diagnostics Fixes
* Fixed misleading log output when dynamically changing extended headers via ns_accesslog extendedheaders ....
* Improved error messages when port binding fails due to conflicts with driver assignment.
* Fixed off-by-one error in the virtual server port configuration logic.
* Clarified or corrected multiple logging messages across modules for better diagnostics.

nscgi Module Fixes
* Fixed file upload failures when uploads were internally spooled by NaviServer — previously returned 500 errors.
* Corrected processing of CGI script exit codes not 0.
* Fixed hostname and port reporting for SERVER_NAME.

Database Fixes
* ns_db rowcount: Fixed regression where the row count logic was not invoked, rendering the command a no-op.

Build and Compatibility Fixes
* Suppressed obsolete --enable-threads warning for Tcl versions where thread support is now enabled by default.
* Fixed compilation failure with glibc 2.38+ due to PTHREAD_STACK_MIN becoming dynamic via sysconf().

General Cleanups
* Fixed small memory leak triggered by serverrootproc reset.
* Numerous minor typo corrections, comment clarifications, and small logic cleanups across modules.

C-Level Infrastructure, C API Enhancements, and Build System

Core Infrastructure Improvements
* Socket Layer Enhancements: Added sendErrno field to the Sock structure to improve diagnostics and tracking of write errors.
* Modernized Initialization: Introduced NS_INIT_ONCE() macro for thread-safe one-time initialization, replacing legacy double-lock patterns.
* Data Structure Utilities:
    o Added utility functions Ns_DListSaveString() and Ns_DListFreeElements() to simplify dynamic list management.
    o Replaced use of legacy Ns_DString functions with standard Tcl_DString, modernizing internal data handling.
* Debugging Support: Added NsHexPrint() for hex-dumping of byte sequences, aiding in low-level debugging and analysis.
* Introspection Enhancements: Introduced Ns_TclReturnCodeString() and Ns_ReturnCodeString() to convert internal return codes into readable strings, improving log clarity and diagnostics.
* Code Quality and Performance: Applied extensive internal refactorings to improve performance, cache locality, and maintainability across multiple subsystems.

C API Enhancements
* General:
    o Added typedefs for Ns_AuthorizeRequestProc, Ns_AuthorizeUserProc, Ns_UrlSpaceMatchInfo, Ns_DriverConnInfoProc
    o Added enum for Ns_RequestType, Ns_UrlSpaceOp, Ns_DriverClientInitArg
    o Added API calls in ns.h: Ns_ConfigFilename, Ns_ConnTarget, Ns_UrlSpaceMatchInfo, Ns_ConnServPtr, Ns_DStringAppendSockState, Ns_RegisterFilter2, Ns_TaskQueueLength, Ns_TaskQueueName, Ns_TaskQueueRequests, Ns_ObjvTablePrint, Ns_InfoLogPath, Ns_LogPath, Ns_ServerLogDir, Ns_ServerRootProcEnabled, Ns_ServerLogGetFd, Ns_ServerLogCloseAll, Ns_ServerLogRollAll, Ns_GetServer, Ns_ServerName, Ns_SockSetSendErrno, Ns_SockGetSendErrno, Ns_SockGetSendRejected, Ns_SockGetSendCount, Ns_SockFlagAdd, Ns_SockFlagClear, Ns_SockSendBufsEx, Ns_SockConnectUnix, Ns_SockGetClientSockAddr, Ns_SockGetConfiguredSockAddr, Ns_SockaddrPublicIpAddress, Ns_SockaddrTrustedReverseProxy, Ns_SockaddrInAny, Ns_SockaddrAddToDictIpProperties, Ns_TclReturnCodeString, Ns_ReturnCodeString, Ns_TclInterpServPtr, Ns_LogDeprecatedParameter, Ns_RegisterFastUrl2File
    o Extended Ns_Request, Ns_TclCallback
    o Refactored Ns_ConnReturnMoved() and Ns_ConnReturnRedirect() to unify redirection logic.
* Secure Communication and Validation:
    o Added fine-grained certificate validation APIs
    o Improved error stack draining for OpenSSL operations.
* Extended C API for ns_connchan: Introduced a minimal C-level API for connchan connections, enabling finer control over lower-level network operations.
* Build Platform Compatibility:
    o Updated Windows build system to use NS_IMPORT in place of deprecated NS_EXTERN.
    o Avoided use of deprecated C functions such as mktemp() to improve portability and security.

Build System and Tooling
* Configuration and Sample Support:
    o Replaced hard-coded OS commands (ls, mv, ...) consistently with build variables
    o Replaced hard-coded OpenSSL binary references with the $(OPENSSL) build variable.
    o Enhanced log path and configuration variable handling to support more dynamic setups.
* Test Infrastructure: Extended regression and compatibility test coverage to validate edge cases and cross-platform behavior.
* Build Metadata Introspection: Added support for build-time introspection of environment settings, including allocator type (e.g., malloc), compiler version, and Tcl build info.
* Optional Deprecation-Free Builds: Introduced build flag NS_NO_DEPRECATED to exclude deprecated functions and APIs, mirroring Tcl’s TCL_NO_DEPRECATED mechanism.
* CI/CD Modernization: Upgraded GitHub Actions workflows from version 3 to version 4 for improved performance and compatibility.
* Sample Configuration Files:
    o Improved sample configurations (nsd-config and openacs-config) to use environment-specific settings via ns_configure_variables
    o prefer names http and https instead of nsock and nsssl inside sample configuration files to ease configuration for new users.

Documentation Updates

Comprehensive Overhaul
* Conducted a thorough review and restructuring of all documentation:
    o Tcl Command Documentation: Ensured all implemented Tcl commands and their options are fully documented. Removed documentation for obsolete or unimplemented commands. Deprecated commands are no longer advertised in manuals or used in examples. Introduced a dedicated section listing deprecated commands. Enabled automated generation of a complete command reference.
    o Test Alignment: Verified that every implemented Tcl command is covered by regression tests. Ensured that all documented commands are also implemented and tested.

Syntax and Formatting Consistency
* Standardized placeholder syntax across the documentation and syntax error messages (see commit ffbd32774db for details).

Manual Page Improvements
* nscgi: Significantly revised documentation and usage examples for clarity and completeness.
* admin-config.man: Added a new section on “Customizing File Locations”.
* Added and updated sections covering:
    o Basic templating features.
    o Error handling mechanisms.
    o Recently introduced Tcl commands and options.

Visual and Structural Enhancements
* Updated diagrams and usage examples related to:
    o Request processing flow.
    o Reverse proxy (revproxy) behavior.

Additional Improvements
* Numerous corrections to spelling, grammar, formatting, and internal linking throughout the documentation.
* Improved WebSocket documentation with expanded details on:
    o Timeout handling.
    o Use of connchan for bidirectional communication.

Deprecations

Tcl-Level Command Deprecations
* Deprecated the following Tcl commands:
    o ns_set print → replaced by ns_set format
    o ns_checkurl and ns_requestauthorize → replaced by ns_auth request
    o ns_thread begin → replaced by ns_thread create
    o ns_thread begindetached → replaced by ns_thread create -detached
    o ns_event → replaced by ns_cond
    o ns_pooldescription → replaced by ns_dbpooldescription
    o keyldel, keylget, keylkeys, keylset (from TclX) → replaced by native dict functionality in Tcl
* Legacy experimental functions (marked TBD for over 20 years) are now deprecated: ns_browsermatch, ns_choosecharset, ns_cookiecharset, ns_formfieldcharset, ns_formvalueput, ns_paren, ns_tagelement, ns_tagelementset
* Deprecated non-namespaced functions: getformdata, issmallint
* ns_parsetime: now officially deprecated (was internally marked "To be removed" for ~15 years)
* ns_set_precision: deprecated in favor of standard Tcl idioms

Tcl-Level Option Deprecations
* Deprecated options:
    o -buffered in ns_connchan write
    o -donecallback in ns_http → replaced by -done_callback (naming consistency)
    o -binary (previously used to indicate Tcl objects with binary data) → replaced by -data, aligning with conventions where -binary is a boolean flag

C-Level API Deprecations
* Deprecated or removed C functions:
    o Ns_ObjvFlags() → replaced by Ns_ObjvIndex() for option parsing (removed redundancy)
    o Ns_SockSendBufs2() → replaced by Ns_SockSendBufsEx() which returns an additional errorCode
    o Ns_TclInitInterps() → removed (marked as deprecated since 2005)
* Deprecated internal usage of OpenSSL and Tcl functions that have been marked as deprecated upstream
* All C functions previously marked as deprecated in source comments are now officially deprecated

Configuration Parameter Deprecations
* Global config parameters:
    o logroll: → replaced by logrollonsignal (standardized log rotation behavior on SIGHUP)
    o serverlog: → replaced by systemlog to reduce ambiguity between system and per-server logs
* Section parameter changes:
    o serverdir in the fastpath section is now deprecated → use serverdir in the main per-server section instead (reflecting its broader usage scope)

Deprecation Management Infrastructure
* Introduced compiler warnings for usage of deprecated Ns_DString* functions
* Added log severity level Deprecated to better surface deprecated usage at runtime
* Documented all deprecated commands in a dedicated section of the command reference
* Deprecated the use of manual double-checked locking for one-time initialization, replaced by the NS_INIT_ONCE() macro for safer and cleaner initialization semantics
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-06-25 10:22:00
|
> On 24.06.2025, at 22:21, Georg Lehner <jor...@ma...> wrote:
> What is needed is a configuration option for the LDAP version to use, so that one can adapt to the capabilities of the given server.
>

I do not see this as urgent. LDAPv3 was defined in RFC2251 (Dec 97) and is supported by OpenLDAP since 25 years (full compliance in 2000). the nsldap module uses ldap_sasl_bind_s(), which was not supported by v2, so, without v3 there is not much the module can do.

>>> Global Initialization of a Tcl Module
>>>
> As I understand it, with the provided nsd-config.tcl the global libraries are served from /usr/local/ns/tcl, as well as the private libraries for the server default.
>
> I created a module as a subdirectory of /usr/local/ns/tcl and put an initialization proc into my module into the file init.tcl and also execute it within this file. When I load the module globally, the initialization proc is not run and the module is not loaded. When I load the module in the default server it is loaded/executed as expected.
>
> Code within /usr/local/ns/tcl/init.tcl is executed, but I do not want to touch this file, since it is part of the installation of Naviserver.
>

I think the code works as designed. If you load the module globally, then the global library files are used. If you load the module per server, then the per-server library files are used. Do you say, this is not the case? If so, this is a bug. Do you expect that a globally loaded module uses the per-server library files?

All the best
-g
From: Georg L. <jor...@ma...> - 2025-06-24 20:22:05
|
On 18.06.25 10:43, Gustaf Neumann (sslmail) wrote:
>>
>>   * .... The pre-processor macro LDAPV3 has to be defined manually
>>     when building in order to work with current LDAP server versions.
>>
> As i see it, the macro is not necessary (i’ve replaced it with a
> proper version compare, with macros provided by the standard includes.
> Also without the macro being defined, nsldap compiles fine and works
> (but without setting the LDAP to LDAPV3). Is this maybe Alpine specific?

Sorry for not being specific, what I meant to say is:

Since the LDAP version is hardcoded and by default is lower than LDAPV3 the module will not work with an LDAP server expecting LDAPV3. To remedy one has to recompile.

What is needed is a configuration option for the LDAP version to use, so that one can adapt to the capabilities of the given server.

>
>>   * Ns_ModuleInit() returns extraneously when scheduling a background
>>     procedure: I worked around by setting maxidle to 0 in the pool
>>     configuration.
>>
> what means "returns extraneously”? crash? Tcl exception? I would
> expect, Ns_ModuleInit() to be executed during startup (when all
> modules are loaded), not in a background procedure.

At the end of Ns_ModuleInit() background procedures are scheduled in a loop with return Ns_ScheduleProcEx(...). Therefore Ns_ModuleInit() exits at this point with the integer id of the first scheduled proc.

I can see though, that you already fixed this in the source code.

>>
>>   * Thorough documentation of all configuration options is missing.
>>
> ditto

I already started to complement the documentation (plus clarifying and reformatting) in a fork of the repo. I'll be happy to include documentation of your improvements and create a pull request.

>>
>>   * Current LDAP client library implementations encourage the use of
>>     LDAP URI's instead of host, port and schema. This would be a
>>     useful enhancement.
>>
> i have added this to the repository. Please test if possible, i have
> no usable LDAP server installation.

I'll do! thanks for the improvements.

>>
>>
>>     Controlled Creation of the auth Chain
>>
>> Initially I had the idea of separating authentication and
>> authorization and have the admin of the server decide how and in
>> which order to run respective "filters". The current implementation
>> does not give exact control over the order of registration of auth
>> callbacks. I'll have to learn more on the details of Naviserver
>> configuration.
>>
> what do you mean by “no control”? This is exactly like for filters,
> you can append at the end or at the begin,

It was a problem in my approach to structure the configuration sections for the module. I already figured out a better way to do it.

>
>>     Global Initialization of a Tcl Module
>>
>> The nsauthn module implements caching of credentials from passwd
>> files. For this I wanted to use a global initialization procedure,
>> run before any server is initialized. Alas I did not find if this is
>> even possible. Any info on this is appreciated.
>>
> In general, the global (shared) Tcl libraries are loaded before the
> per-server (private) libraries.
> You get the path of the global libraries via [ns_library shared] and
> the per-server ones via [ns_library private]
>
> https://naviserver.sourceforge.io/5.0/manual/files/tcl-libraries.html

As I understand it, with the provided nsd-config.tcl the global libraries are served from /usr/local/ns/tcl, as well as the private libraries for the server default.

I created a module as a subdirectory of /usr/local/ns/tcl and put an initialization proc into my module into the file init.tcl and also execute it within this file. When I load the module globally, the initialization proc is not run and the module is not loaded. When I load the module in the default server it is loaded/executed as expected.

Code within /usr/local/ns/tcl/init.tcl is executed, but I do not want to touch this file, since it is part of the installation of Naviserver.

...

Best Regards,

Georg
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-06-18 08:44:07
|
> nsldap Issues
> I'm inclined to do some maintenance of the nsldap module, just for the record:
>
> Deprecation warnings during build.

i have replaced the ones concerning Ns_DString* operations in the repository. When compiling under macOS of the form:

    nsldap.c:652:15: warning: 'ldap_initialize' is deprecated: first deprecated in macOS 10.11 - use OpenDirectory Framework [-Wdeprecated-declarations]

These will go away when using openLDAP under macOS. I assume, you are just referring to the prior ones.

> The pre-processor macro LDAPV3 has to be defined manually when building in order to work with current LDAP server versions.

As i see it, the macro is not necessary (i’ve replaced it with a proper version compare, with macros provided by the standard includes. Also without the macro being defined, nsldap compiles fine and works (but without setting the LDAP to LDAPV3). Is this maybe Alpine specific?

> Ns_ModuleInit() returns extraneously when scheduling a background procedure: I worked around by setting maxidle to 0 in the pool configuration.

what means "returns extraneously”? crash? Tcl exception? I would expect, Ns_ModuleInit() to be executed during startup (when all modules are loaded), not in a background procedure.

> The ns_ldap search documentation mentions that attributes to be extracted can be specified after the filter.
> This is not consistently documented.
> If using an empty filter *and* an attribute to extract, an assertion is triggered and nsd exits.

this requires certainly work

> Thorough documentation of all configuration options is missing.

ditto

>
> Current LDAP client library implementations encourage the use of LDAP URI's instead of host, port and schema. This would be a useful enhancement.

i have added this to the repository. Please test if possible, i have no usable LDAP server installation.

> Controlled Creation of the auth Chain
>
> Initially I had the idea of separating authentication and authorization and have the admin of the server decide how and in which order to run respective "filters". The current implementation does not give exact control over the order of registration of auth callbacks. I'll have to learn more on the details of Naviserver configuration.
>

what do you mean by “no control”? This is exactly like for filters, you can append at the end or at the begin,

> Global Initialization of a Tcl Module
>
> The nsauthn module implements caching of credentials from passwd files. For this I wanted to use a global initialization procedure, run before any server is initialized. Alas I did not find if this is even possible. Any info on this is appreciated.
>

In general, the global (shared) Tcl libraries are loaded before the per-server (private) libraries. You get the path of the global libraries via [ns_library shared] and the per-server ones via [ns_library private]

https://naviserver.sourceforge.io/5.0/manual/files/tcl-libraries.html

> - - -
>
> Best Regards,
>
> Georg
>
> _______________________________________________
> naviserver-devel mailing list
> nav...@li...
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
From: Georg L. <jor...@ma...> - 2025-06-17 15:15:30
|
Hello,

My first excursion into Naviserver module development is nsauthn:

https://github.com/jorge-leon/nsauthn

The module builds on the new `ns_register_auth` function and implements a minimum of the ideas discussed about a month ago, namely Basic HTTP Authentication against passwd files and against LDAP/AD.

The repository contains a README.md file with hopefully sufficient detail to get started.

Most likely I will set up a documented demo on https://naviserver.magma-soft.at in the near future.

I ran into some issues I could not overcome yet.

Passing on Information to the request handler:

I tried to use the [ns_conn auth] ns_set from within the registered callback to pass on information to the rest of the request processing chain. This did not work out, I received:

    Warning: authorize script error: no connection

Is there some other way to get to ns_conn at that place, or to pass on information for later consumption?

nsldap Issues

I'm inclined to do some maintenance of the nsldap module, just for the record:

  * Deprecation warnings during build.
  * The pre-processor macro LDAPV3 has to be defined manually when building in order to work with current LDAP server versions.
  * Ns_ModuleInit() returns extraneously when scheduling a background procedure: I worked around by setting maxidle to 0 in the pool configuration.
  * The ns_ldap search documentation mentions that attributes to be extracted can be specified after the filter.
      o This is not consistently documented.
      o If using an empty filter *and* an attribute to extract, an assertion is triggered and nsd exits.
  * Thorough documentation of all configuration options is missing.
  * Current LDAP client library implementations encourage the use of LDAP URI's instead of host, port and schema. This would be a useful enhancement.

Controlled Creation of the auth Chain

Initially I had the idea of separating authentication and authorization and have the admin of the server decide how and in which order to run respective "filters". The current implementation does not give exact control over the order of registration of auth callbacks. I'll have to learn more on the details of Naviserver configuration.

Global Initialization of a Tcl Module

The nsauthn module implements caching of credentials from passwd files. For this I wanted to use a global initialization procedure, run before any server is initialized. Alas I did not find if this is even possible. Any info on this is appreciated.

- - -

Best Regards,

Georg
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-05-23 16:23:47
|
Dear all,

>> On the C-level, NaviServer provides the possibility to register an authProc via Ns_SetRequestAuthorizeProc(), which has to return NS_OK, NS_UNAUTHORIZED, NS_FORBIDDEN, or NS_ERROR. Currently, only nsperm uses this, and the infrastructure allows only a single proc to be registered there. I could imagine making this more flexible by
>> - allowing a chain of responsibility (multiple authProcs),
>> - allowing to add a Tcl handler for this.
>
> Yes: that sounds great!

Well, we have it now in the repository for the 5.0 release. Instead of a single, C-Level proc, we have now pluggable request- and user-level authorization callbacks with multiple authorities and continuation codes. In other words, we have the ability to have a chain of authorization procs (e.g. for different authorities), and these procs can be scripted. One could now implement nsperm fully in Tcl, and it will run after pre-auth and before post-auth filters.

Here is the updated picture from the documentation visualizing the authorization chain.

The authorization chain is similar to the filter chains: one can control, whether
- the handler feels responsible for the input and the next element in the chain should be called, or
- it claims full responsibility and the rest of the chain should be skipped, or
- one should stop request processing and not call the request proc at all (“return -code return …”, or “filter_return” in filters).

The details are slightly more difficult:
- Sometimes, one needs just user authorization (no http method or path), as e.g. for authorization in nscp.
- Sometimes we want to distinguish between “no such user” and “password incorrect”.
- Sometimes we want to distinguish between wrong user/password (let user retry) and “forbidden” (no retry makes sense).
- ….

We have now the possibility to register C and Tcl-level user authorization procs and request authorization procs. The new commands for registration:

    ns_register_auth ?-authority <label>? ?-first? request script ?arg…?
    ns_register_auth ?-authority <label>? ?-first? user script ?arg…?

For script-level testing:

    ns_auth request ?-dict? method url user passwd ?peer?
    ns_auth user ?-dict? user passwd

As mentioned before, authorization can also be achieved by abusing a preauth filter, … and e.g. OpenACS does this in some complex ways. However, having a clear authorization phase looks architecturally much better to me.

The updated documentation is [1]. I hope, this was the last larger change before the release, the next European OpenACS and Tcl/Tk Conference [2] is coming closer. Please consider joining.

All the best
-g

[1] https://naviserver.sourceforge.io/5.0/naviserver/files/commandlist.html
[2] https://openacs.km.at/evaluate/org/129998253/conferencenews/
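
A language-neutral model of the authorization chain described in the message above, written in Python as an added example; it is not NaviServer code and not part of the original post. The Status and Flow names, the handler signature, the deny-by-default fallback and the sample users and addresses are assumptions of the model.

```python
"""Model of a chain of authorization handlers (constructed; not NaviServer code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Status(Enum):
    OK = "ok"
    UNAUTHORIZED = "unauthorized"  # bad or missing credentials: a retry makes sense
    FORBIDDEN = "forbidden"        # caller is known but not allowed: no retry
    ERROR = "error"


class Flow(Enum):
    CONTINUE = "continue"  # not responsible: ask the next handler in the chain
    BREAK = "break"        # full responsibility: skip the rest of the chain
    RETURN = "return"      # stop request processing, never call the request proc


# Assumed handler signature: (method, url, user, passwd, peer) -> (verdict, flow)
Handler = Callable[[str, str, str, str, str], Tuple[Optional[Status], Flow]]


@dataclass
class Decision:
    status: Status
    authority: Optional[str]  # label of the handler that produced the status
    run_request_proc: bool


class AuthChain:
    def __init__(self) -> None:
        self._handlers: List[Tuple[str, Handler]] = []

    def register(self, authority: str, handler: Handler, first: bool = False) -> None:
        """Append a handler, or put it at the head of the chain when first=True."""
        position = 0 if first else len(self._handlers)
        self._handlers.insert(position, (authority, handler))

    def authorize(self, method, url, user, passwd, peer="") -> Decision:
        # Assumption of this model: when no handler decides, the request is denied.
        status, decided_by = Status.UNAUTHORIZED, None
        for authority, handler in self._handlers:
            try:
                verdict, flow = handler(method, url, user, passwd, peer)
            except Exception:
                # A failing handler must never fall through to "allowed".
                return Decision(Status.ERROR, authority, False)
            if verdict is not None:
                status, decided_by = verdict, authority
            if flow is Flow.RETURN:
                return Decision(status, decided_by, False)
            if flow is Flow.BREAK:
                break
        return Decision(status, decided_by, status is Status.OK)


def hash_password(passwd: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passwd.encode("utf-8"), salt, 100_000)


def make_user(passwd: str, enabled: bool = True) -> Tuple[bytes, bytes, bool]:
    salt = os.urandom(16)
    return salt, hash_password(passwd, salt), enabled


def table_authority(users: dict) -> Handler:
    """Authority backed by a table: name -> (salt, hash, enabled)."""
    def handler(method, url, user, passwd, peer):
        record = users.get(user)
        if record is None:
            return None, Flow.CONTINUE              # no such user here: try next authority
        salt, stored, enabled = record
        if not hmac.compare_digest(stored, hash_password(passwd, salt)):
            return Status.UNAUTHORIZED, Flow.BREAK  # password incorrect: final answer
        if not enabled:
            return Status.FORBIDDEN, Flow.BREAK     # valid login, disabled account
        return Status.OK, Flow.BREAK
    return handler


def peer_blocklist(blocked: set) -> Handler:
    def handler(method, url, user, passwd, peer):
        if peer in blocked:
            return Status.FORBIDDEN, Flow.RETURN    # rejected before any credential check
        return None, Flow.CONTINUE
    return handler


def build_demo_chain() -> AuthChain:
    # Constructed sample data: two authorities and one blocked peer address.
    local = {"alice": make_user("wonder"), "mallory": make_user("hunter2", enabled=False)}
    directory = {"bob": make_user("builder")}
    chain = AuthChain()
    chain.register("local", table_authority(local))
    chain.register("directory", table_authority(directory))
    chain.register("blocklist", peer_blocklist({"203.0.113.9"}), first=True)
    return chain
```

In this model a wrong password ends the chain at the authority that knows the user, so a later authority cannot accept the same name with a different secret, while an unknown name is passed on to the next authority.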
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-05-08 11:14:52
|
> At which moment is the authProc called? before or after the preauth filter?

As the name indicates, the authProc is called after “preauth” and before “postauth”.
From: Georg L. <jor...@ma...> - 2025-05-08 10:47:24
|
Hello,

On 5/7/25 11:28, Gustaf Neumann (sslmail) wrote:
>> On 07.05.2025, at 09:45, Georg Lehner <jor...@ma...> wrote:
>>
>> Hello,
>>
>> Reflecting on this topic I realize, that a more generic framework would be beneficial, where authorization (ns_register_filter preauth ...) can be combined with modular authentication.
> Well, there is always more, we can do!
>
> Be aware, that there are already many authentication and access control modules available. We have
> - nsauthpam
> - nsldap/nsldapd
> - nsradiusd
> - knspnego
> - nsaccess
>
> and inside OpenACS on top of that (xooauth), at least supporting
> - azure (Microsoft Graph API)
> - github
> - site blocking via request monitor
>
> together with the option to define multiple authorities in one system and detailed access control.

Thanks for the list!

> In our larger applications, we have the need in a single server to support at the same time e.g. azure and local accounts (e.g., most schools require azure, but not all users have azure accounts). All the OpenACS based authentication uses a system based on signed cookies, which is usually significantly better in performance compared to going for every request to the backend.

I agree, backend authentication should only be used for getting session credentials/cookies etc.

Is there already a session management module available for Naviserver?

> The OpenACS based system uses preauth filters, where the workflow of a request is
> 1) receive request
> 2) preauth filter
> 3) auth call
> 4) postauth filter
> 5) request proc
> 6) trace
>
> Note, that none of “our” sites uses nsperm. In the work towards NaviServer 5, I have added more functionality to nsperm and integrated it in security sensitive applications (nsstats, nscp) to provide a single source for authentication and to avoid hard-coded passwords; it provides an infrastructure for basic needs (e.g. user management), so it is useful for small applications (it won’t work well with a few hundred thousand users, we have in our larger systems). nsperm is just intended for users with plain NaviServer applications.
>
> On the C-level, NaviServer provides the possibility to register an authProc via Ns_SetRequestAuthorizeProc(), which has to return NS_OK, NS_UNAUTHORIZED, NS_FORBIDDEN, or NS_ERROR. Currently, only nsperm uses this, and the infrastructure allows only a single proc to be registered there. I could imagine making this more flexible by
> - allowing a chain of responsibility (multiple authProcs),
> - allowing to add a Tcl handler for this.

Yes: that sounds great!

> But at the end, this is not much different to the list of PREAUTH filters, we have now. OpenACS preauth filter does much more than just authentication (e.g. setup for performance monitoring, sets up session variables, handles redirects to canonical URLs, …), and it decides based on the sitemap and its permissions, whether authentication is actually needed. So, all you are sketching below can be done via a preauth filter.

At which moment is the authProc called? before or after the preauth filter?

Best Regards,

Georg

> Probably, the main difference between the preauth filter and the potentially added list of authenticators is that the auth call are performed always, whereas the filter might care about it. And, secondly, that auth call is intended for authentication, whereas it is not clear to a beginner, that the preauth filter is supposed to do it. Furthermore, it can open the authorization system of OpenACS to multiple authorities, even when nsperm is installed. So, using the authProc is architecturally better. For OpenACS applications, I would not expect any differences, the user benefits would be non-existing.
>
> all the best
> -gn
>
>> Nginx has modules: access (IP based), auth_basic (http basic authentication), auth_jwt (JWT authentication), auth_request (see last Email), and probably some more.
>>
>> Apache has probably even a more elaborated authentication infrastructure with authz, authn and the access control functionality.
>>
>> The Naviserver nsperm module kind of mixes together parts of what basic apache authn/authz/access control provides and restricts its use to some special cases.
>>
>> - a global user database, valid for all servers.
>>
>> - Either a global passwd file or a per server configurable passwd file path. The latter probably leading to name clashes.
>>
>> - http basic auth
>>
>> - a single global file within the module directory which maps paths to permissions
>>
>> - Either: a per server fixed, unchangeable filename for IP based access control which only works for static web sites - .htaccess in to be restricted directories - or a single global access control via two files in the module directory: hosts.allow/hosts.deny
>>
>> - - -
>>
>> What do you think about an approach with an authentication module "auth", to be configured like:
>>
>> ns_section ns/server/$server/module/auth {
>>
>> ns_param map "<method> <url_pattern> <authenticator> ?args?"
>>
>> ...
>>
>> }
>>
>> Where <authenticator> is a proc from some C or Tcl module which is registered as in "ns_register_filter preauth".
>>
>> In order to "deny all", one would need a wildcard <method>.
>>
>> An "access" <authenticator> to only allow get on localhost (in an IPv4 only environment) could look like:
>>
>> ns_param map "GET /* access allow 127.0.0.1"
>>
>> ns_param map "* /* access deny 0.0.0.0/0"
>>
>> A "nsperm" like user authenticator could look like
>>
>> ns_param map "* /* basic allow group nsadmin"
>>
>> ns_param map "* /foo/* basic allow user bar"
>>
>> ns_param map "* /* basic deny all"
>>
>> ...
>>
>> Best Regards
>>
>> Georg
>>
>>
>> On 5/5/25 19:12, Georg Lehner wrote:
>>> Hello,
>>>
>>> Nginx has an "auth_request"[1] module, which allows to offload authentication to an HTTP backend.
>>>
>>> This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID Connect authentication to (reverse proxied) applications which do not implement authentication by themselves. See configuration examples with Keycloak[3] or authentik[4]
>>>
>>> I believe, Naviserver would benefit from a compliant implementation of this "authentication protocol" (and I would put it immediately into operation).
>>>
>>> How difficult would it be to implement this? Would this go into the nsperm module or be rather implemented as a separate module?
>>>
>>> - - -
>>>
>>> Of course, replacing oauth2-proxy directly in Naviserver would be even more efficient. E.g. Apache has its own mod_auth_openidc for this. But I guess that's much harder to implement, and auth_request could also be used with other creatively invented backends.
>>>
>>> Best Regards,
>>>
>>> Georg
>>>
>>> [1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
>>>
>>> [2] https://github.com/oauth2-proxy/oauth2-proxy
>>>
>>> [3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
>>>
>>> [4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
>>>
>>> _______________________________________________
>>> naviserver-devel mailing list
>>> nav...@li...
>>> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-05-07 12:14:49
|
> On 07.05.2025, at 09:45, Georg Lehner <jor...@ma...> wrote:
>
> Hello,
>
> Reflecting on this topic I realize, that a more generic framework would be beneficial, where authorization (ns_register_filter preauth ...) can be combined with modular authentication.

Well, there is always more, we can do!

Be aware, that there are already many authentication and access control modules available. We have
- nsauthpam
- nsldap/nsldapd
- nsradiusd
- knspnego
- nsaccess

and inside OpenACS on top of that (xooauth), at least supporting
- azure (Microsoft Graph API)
- github
- site blocking via request monitor

together with the option to define multiple authorities in one system and detailed access control.

In our larger applications, we have the need in a single server to support at the same time e.g. azure and local accounts (e.g., most schools require azure, but not all users have azure accounts). All the OpenACS based authentication uses a system based on signed cookies, which is usually significantly better in performance compared to going for every request to the backend.

The OpenACS based system uses preauth filters, where the workflow of a request is
1) receive request
2) preauth filter
3) auth call
4) postauth filter
5) request proc
6) trace

Note, that none of “our” sites uses nsperm. In the work towards NaviServer 5, I have added more functionality to nsperm and integrated it in security sensitive applications (nsstats, nscp) to provide a single source for authentication and to avoid hard-coded passwords; it provides an infrastructure for basic needs (e.g. user management), so it is useful for small applications (it won’t work well with a few hundred thousand users, we have in our larger systems). nsperm is just intended for users with plain NaviServer applications.

On the C-level, NaviServer provides the possibility to register an authProc via Ns_SetRequestAuthorizeProc(), which has to return NS_OK, NS_UNAUTHORIZED, NS_FORBIDDEN, or NS_ERROR. Currently, only nsperm uses this, and the infrastructure allows only a single proc to be registered there. I could imagine making this more flexible by
- allowing a chain of responsibility (multiple authProcs),
- allowing to add a Tcl handler for this.

But at the end, this is not much different to the list of PREAUTH filters, we have now. OpenACS preauth filter does much more than just authentication (e.g. setup for performance monitoring, sets up session variables, handles redirects to canonical URLs, …), and it decides based on the sitemap and its permissions, whether authentication is actually needed. So, all you are sketching below can be done via a preauth filter.

Probably, the main difference between the preauth filter and the potentially added list of authenticators is that the auth call are performed always, whereas the filter might care about it. And, secondly, that auth call is intended for authentication, whereas it is not clear to a beginner, that the preauth filter is supposed to do it. Furthermore, it can open the authorization system of OpenACS to multiple authorities, even when nsperm is installed. So, using the authProc is architecturally better. For OpenACS applications, I would not expect any differences, the user benefits would be non-existing.

all the best
-gn

> Nginx has modules: access (IP based), auth_basic (http basic authentication), auth_jwt (JWT authentication), auth_request (see last Email), and probably some more.
>
> Apache has probably even a more elaborated authentication infrastructure with authz, authn and the access control functionality.
>
> The Naviserver nsperm module kind of mixes together parts of what basic apache authn/authz/access control provides and restricts its use to some special cases.
>
> - a global user database, valid for all servers.
>
> - Either a global passwd file or a per server configurable passwd file path. The latter probably leading to name clashes.
>
> - http basic auth
>
> - a single global file within the module directory which maps paths to permissions
>
> - Either: a per server fixed, unchangeable filename for IP based access control which only works for static web sites - .htaccess in to be restricted directories - or a single global access control via two files in the module directory: hosts.allow/hosts.deny
>
> - - -
>
> What do you think about an approach with an authentication module "auth", to be configured like:
>
> ns_section ns/server/$server/module/auth {
>
> ns_param map "<method> <url_pattern> <authenticator> ?args?"
>
> ...
>
> }
>
> Where <authenticator> is a proc from some C or Tcl module which is registered as in "ns_register_filter preauth".
>
> In order to "deny all", one would need a wildcard <method>.
>
> An "access" <authenticator> to only allow get on localhost (in an IPv4 only environment) could look like:
>
> ns_param map "GET /* access allow 127.0.0.1"
>
> ns_param map "* /* access deny 0.0.0.0/0"
>
> A "nsperm" like user authenticator could look like
>
> ns_param map "* /* basic allow group nsadmin"
>
> ns_param map "* /foo/* basic allow user bar"
>
> ns_param map "* /* basic deny all"
>
> ...
>
> Best Regards
>
> Georg
>
>
> On 5/5/25 19:12, Georg Lehner wrote:
>> Hello,
>>
>> Nginx has an "auth_request"[1] module, which allows to offload authentication to an HTTP backend.
>>
>> This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID Connect authentication to (reverse proxied) applications which do not implement authentication by themselves. See configuration examples with Keycloak[3] or authentik[4]
>>
>> I believe, Naviserver would benefit from a compliant implementation of this "authentication protocol" (and I would put it immediately into operation).
>>
>> How difficult would it be to implement this? Would this go into the nsperm module or be rather implemented as a separate module?
>>
>> - - -
>>
>> Of course, replacing oauth2-proxy directly in Naviserver would be even more efficient. E.g. Apache has its own mod_auth_openidc for this. But I guess that's much harder to implement, and auth_request could also be used with other creatively invented backends.
>>
>> Best Regards,
>>
>> Georg
>>
>> [1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
>>
>> [2] https://github.com/oauth2-proxy/oauth2-proxy
>>
>> [3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
>>
>> [4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
From: Georg L. <jor...@ma...> - 2025-05-07 07:45:50
|
Hello,

Reflecting on this topic I realize, that a more generic framework would be beneficial, where authorization (ns_register_filter preauth ...) can be combined with modular authentication.

Nginx has modules: access (IP based), auth_basic (http basic authentication), auth_jwt (JWT authentication), auth_request (see last Email), and probably some more.

Apache has probably even a more elaborated authentication infrastructure with authz, authn and the access control functionality.

The Naviserver nsperm module kind of mixes together parts of what basic apache authn/authz/access control provides and restricts its use to some special cases.

- a global user database, valid for all servers.

- Either a global passwd file or a per server configurable passwd file path. The latter probably leading to name clashes.

- http basic auth

- a single global file within the module directory which maps paths to permissions

- Either: a per server fixed, unchangeable filename for IP based access control which only works for static web sites - .htaccess in to be restricted directories - or a single global access control via two files in the module directory: hosts.allow/hosts.deny

- - -

What do you think about an approach with an authentication module "auth", to be configured like:

    ns_section ns/server/$server/module/auth {
        ns_param map "<method> <url_pattern> <authenticator> ?args?"
        ...
    }

Where <authenticator> is a proc from some C or Tcl module which is registered as in "ns_register_filter preauth".

In order to "deny all", one would need a wildcard <method>.

An "access" <authenticator> to only allow get on localhost (in an IPv4 only environment) could look like:

    ns_param map "GET /* access allow 127.0.0.1"
    ns_param map "* /* access deny 0.0.0.0/0"

A "nsperm" like user authenticator could look like

    ns_param map "* /* basic allow group nsadmin"
    ns_param map "* /foo/* basic allow user bar"
    ns_param map "* /* basic deny all"
    ...

Best Regards

Georg

On 5/5/25 19:12, Georg Lehner wrote:
> Hello,
>
> Nginx has an "auth_request"[1] module, which allows to offload authentication to an HTTP backend.
>
> This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID Connect authentication to (reverse proxied) applications which do not implement authentication by themselves. See configuration examples with Keycloak[3] or authentik[4]
>
> I believe, Naviserver would benefit from a compliant implementation of this "authentication protocol" (and I would put it immediately into operation).
>
> How difficult would it be to implement this? Would this go into the nsperm module or be rather implemented as a separate module?
>
> - - -
>
> Of course, replacing oauth2-proxy directly in Naviserver would be even more efficient. E.g. Apache has its own mod_auth_openidc for this. But I guess that's much harder to implement, and auth_request could also be used with other creatively invented backends.
>
> Best Regards,
>
> Georg
>
> [1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
>
> [2] https://github.com/oauth2-proxy/oauth2-proxy
>
> [3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
>
> [4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
From: Wolfgang W. <wol...@di...> - 2025-05-06 06:30:15
|
Hello!

We have interfaces for facebook (OAuth2), apple, microsoft and google (OpenID). The OpenID interfaces are quite similar, as they all are based on JWTs.

The only thing we could not do directly in naviserver was the verification of the signature with PEM and JWK. We are using a python script for this (which of course is not optimal). Here is the script for JWK:

    #!/usr/bin/python2
    '''
    jwt signature verification.
    '''
    import sys
    import jwt
    import json

    def verify_jwt_signature(token, jwk, expected_audience=None):
        # Load the public key
        public_key = jwt.algorithms.RSAAlgorithm.from_jwk(jwk)
        # The accepted algorithm is fixed to RS256 here rather than taken from the token
        decoded_payload = jwt.decode(token, public_key, algorithms=['RS256'], audience=expected_audience)
        print(decoded_payload)
        return 1

    if __name__ == "__main__":
        if len(sys.argv) < 3 or len(sys.argv) > 4:
            print("Usage: python verify_jwt_script.py <public_key.jwk> <jwt_token> [expected_audience]")
            sys.exit(1)
        jwk = sys.argv[1]
        jwt_token = sys.argv[2]
        expected_audience = sys.argv[3] if len(sys.argv) == 4 else None
        verify_jwt_signature(jwt_token, jwk, expected_audience)

HMAC signatures work fine in naviserver with ns_hmac. Once you have JWT handling in place, OpenID should be no problem.

For JSON processing we use rl_json and for everything else naviserver internals, e.g. ns_base64urlencode and ns_base64urldecode and ns_crypto for signing a request with PEM (which now also works without the PEM temp file):

    ns_crypto::md string -encoding base64url -digest SHA256 -sign $pem_file $txt

Regards,

Wolfgang

On 05.05.25 at 19:12, Georg Lehner wrote:
> Hello,
>
> Nginx has an "auth_request"[1] module, which allows to offload authentication to an HTTP backend.
>
> This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID Connect authentication to (reverse proxied) applications which do not implement authentication by themselves. See configuration examples with Keycloak[3] or authentik[4]
>
> I believe, Naviserver would benefit from a compliant implementation of this "authentication protocol" (and I would put it immediately into operation).
>
> How difficult would it be to implement this? Would this go into the nsperm module or be rather implemented as a separate module?
>
> - - -
>
> Of course, replacing oauth2-proxy directly in Naviserver would be even more efficient. E.g. Apache has its own mod_auth_openidc for this. But I guess that's much harder to implement, and auth_request could also be used with other creatively invented backends.
>
> Best Regards,
>
> Georg
>
> [1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
>
> [2] https://github.com/oauth2-proxy/oauth2-proxy
>
> [3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
>
> [4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx

--
*Wolfgang Winkler*
Managing Director
wol...@di...
mobile +43.699.19971172

dc:*büro*
digital concepts Novak Winkler OG
Software & Design
Landstraße 68, 5th floor, 4020 Linz
www.digital-concepts.com <http://www.digital-concepts.com>
tel +43.732.997117.72
tel +43.699.1997117.2

Company register number: 192003h
Company register court: Landesgericht Linz
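The checks that a JWK-based RS256 verification like the one discussed in the message above has to make, written out with only the Python standard library as an added example (it is not code from the post or from the NaviServer project). The names verify_rs256, JWTError, constructed_test_key and sign_for_test are assumptions of this example, and the key is a constructed throwaway built from two Mersenne primes so that the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# DER prefix of the SHA-256 DigestInfo in RSASSA-PKCS1-v1_5 (RFC 8017, 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


class JWTError(Exception):
    """Any reason a token must not be accepted."""


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkcs1_v15_sha256(message, k):
    """k-byte EMSA-PKCS1-v1_5 encoding of SHA-256(message)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise JWTError("RSA modulus too small")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_rs256(token, jwk, audience, now=None):
    """Return the claims if token is a valid, unexpired RS256 JWT for audience."""
    try:
        head64, body64, sig64 = token.split(".")
        header = json.loads(b64url_decode(head64))
        claims = json.loads(b64url_decode(body64))  # not trusted until verified
        signature = b64url_decode(sig64)
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        signing_input = (head64 + "." + body64).encode("ascii")
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise JWTError("malformed token or key") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JWTError("malformed token")
    # Pin the algorithm on the verifier side; the token header must not choose
    # it (rejects alg=none and RS256/HS256 confusion).
    if header.get("alg") != "RS256" or jwk.get("kty") != "RSA":
        raise JWTError("unexpected algorithm")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        raise JWTError("bad signature length")
    # Compare the complete padded block, not just the trailing hash.
    recovered = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, pkcs1_v15_sha256(signing_input, k)):
        raise JWTError("signature mismatch")
    aud = claims.get("aud")
    if audience is None or audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTError("wrong audience")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise JWTError("expired or missing exp")
    return claims


def constructed_test_key():
    """Throwaway RSA key from two Mersenne primes. Constructed, insecure."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    jwk = {"kty": "RSA", "e": b64url_encode(e.to_bytes(3, "big")),
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big"))}
    return jwk, n, d


def sign_for_test(header, claims, n, d):
    """Stand-in for the identity provider: issue a token with the test key."""
    k = (n.bit_length() + 7) // 8
    signing_input = ".".join(
        b64url_encode(json.dumps(part).encode()) for part in (header, claims))
    m = int.from_bytes(pkcs1_v15_sha256(signing_input.encode("ascii"), k), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))


if __name__ == "__main__":
    jwk, n, d = constructed_test_key()
    claims = {"iss": "https://idp.example", "aud": "my-client", "exp": 2000}
    token = sign_for_test({"alg": "RS256", "typ": "JWT"}, claims, n, d)
    print(verify_rs256(token, jwk, "my-client", now=1000))
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    try:
        verify_rs256(unsigned, jwk, "my-client", now=1000)
    except JWTError as err:
        print("rejected:", err)
```

In production the JWK comes from the provider's published key set and is selected by the token's kid; that lookup is outside this example.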
From: Georg L. <jor...@ma...> - 2025-05-05 17:40:15
|
Hello,

Nginx has an "auth_request"[1] module, which allows to offload authentication to an HTTP backend.

This is used e.g. with oauth2-proxy[2] to provide OAuth2/OpenID Connect authentication to (reverse proxied) applications which do not implement authentication by themselves. See configuration examples with Keycloak[3] or authentik[4]

I believe, Naviserver would benefit from a compliant implementation of this "authentication protocol" (and I would put it immediately into operation).

How difficult would it be to implement this? Would this go into the nsperm module or be rather implemented as a separate module?

- - -

Of course, replacing oauth2-proxy directly in Naviserver would be even more efficient. E.g. Apache has its own mod_auth_openidc for this. But I guess that's much harder to implement, and auth_request could also be used with other creatively invented backends.

Best Regards,

Georg

[1] https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
[2] https://github.com/oauth2-proxy/oauth2-proxy
[3] https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/keycloak_oidc
[4] https://docs.goauthentik.io/docs/add-secure-apps/providers/proxy/server_nginx
From: Wolfgang W. <wol...@di...> - 2025-05-05 15:08:24
|
Yes, now it works with -encoding binary:

    % set d [ns_crypto::aead::encrypt string -cipher aes-128-gcm -iv 123456789 -key secret -encoding binary "Hello world!"]
    % set r [ns_crypto::aead::decrypt string -cipher aes-128-gcm -iv 123456789 -key secret -tag [dict get $d tag] -encoding binary [dict get $d bytes]]
    > Hello World!

Regards,

Wolfgang

On 05.05.25 at 15:38, Gustaf Neumann (sslmail) wrote:
> Please check, if the following helps also for your environment:
>
> https://github.com/naviserver-project/naviserver/commit/08e5d8ffc22d403bcd31b0be1c9eb592e8e583d0
>
> all the best
> -gn
>
>> On 05.05.2025, at 14:13, Gustaf Neumann (sslmail) <ne...@wu...> wrote:
>>
>> Hi Wolfgang,
>>
>> At first sight, It looks to me as if there was a change in OpenSSL leading to the problem.
>> The error is triggered by OpenSSL’s EVP_CIPHER_CTX_ctrl(). The docu states [1]
>>
>> /EVP_CIPHER_CTX_ctrl(): This is a legacy method…./
>>
>> … in versions starting with 3.0.
>>
>> When time permits, I will check out the details,
>> - how the new parameter setting mechanism effect the code (we have 4 occurrences of this call)
>> - whether replacing it solves the issue,
>> - how to make it work with different versions of OpenSSL (pre 3.0.0)
>>
>> The strange part is that the aead encrypt/decrypt sequence is in the regression test, where it continues to work.
>> … So, maybe this is (also) related with the handling of binary strings in Tcl.
>>
>> -g
>> PS: Is your code for Passkeys and WebAuthn with NaviServer already available on GitHub, as you mentioned in January?
>>
>> [1] https://docs.openssl.org/3.5/man3/EVP_EncryptInit/#description
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-05-05 13:38:50
|
Please check, if the following helps also for your environment:

https://github.com/naviserver-project/naviserver/commit/08e5d8ffc22d403bcd31b0be1c9eb592e8e583d0

all the best
-gn

> On 05.05.2025, at 14:13, Gustaf Neumann (sslmail) <ne...@wu...> wrote:
>
> Hi Wolfgang,
>
> At first sight, It looks to me as if there was a change in OpenSSL leading to the problem.
> The error is triggered by OpenSSL’s EVP_CIPHER_CTX_ctrl(). The docu states [1]
>
> EVP_CIPHER_CTX_ctrl(): This is a legacy method….
>
> … in versions starting with 3.0.
>
> When time permits, I will check out the details,
> - how the new parameter setting mechanism effect the code (we have 4 occurrences of this call)
> - whether replacing it solves the issue,
> - how to make it work with different versions of OpenSSL (pre 3.0.0)
>
> The strange part is that the aead encrypt/decrypt sequence is in the regression test, where it continues to work.
> … So, maybe this is (also) related with the handling of binary strings in Tcl.
>
> -g
> PS: Is your code for Passkeys and WebAuthn with NaviServer already available on GitHub, as you mentioned in January?
>
> [1] https://docs.openssl.org/3.5/man3/EVP_EncryptInit/#description
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-05-05 12:14:19
|
Hi Wolfgang,

At first sight, It looks to me as if there was a change in OpenSSL leading to the problem.
The error is triggered by OpenSSL’s EVP_CIPHER_CTX_ctrl(). The docu states [1]

EVP_CIPHER_CTX_ctrl(): This is a legacy method….

… in versions starting with 3.0.

When time permits, I will check out the details,
- how the new parameter setting mechanism effect the code (we have 4 occurrences of this call)
- whether replacing it solves the issue,
- how to make it work with different versions of OpenSSL (pre 3.0.0)

The strange part is that the aead encrypt/decrypt sequence is in the regression test, where it continues to work.
… So, maybe this is (also) related with the handling of binary strings in Tcl.

-g
PS: Is your code for Passkeys and WebAuthn with NaviServer already available on GitHub, as you mentioned in January?

[1] https://docs.openssl.org/3.5/man3/EVP_EncryptInit/#description

> On 05.05.2025, at 12:25, Wolfgang Winkler via naviserver-devel <nav...@li...> wrote:
>
> Dear all,
>
> when I follow the example of:
>
> https://naviserver.sourceforge.io/n/naviserver/files/ns_crypto.html#1
>
> % set d [ns_crypto::aead::encrypt string -cipher aes-128-gcm -iv 123456789 \
>     -key secret -encoding binary \
>     "hello world"]
> % ns_crypto::aead::decrypt string -cipher aes-128-gcm -iv 123456789 \
>     -key secret -tag [dict get $d tag] \
>     -encoding binary [dict get $d bytes]
>
> I get the error: "could not set tag value"
>
> I've tried it with naviserver 4.99.23 and 5.0 with OpenSSL 3.4.1.
>
> We'd like to use it, because it is so much faster than any other way of symmetric encryption for tcl or naviserver I'm aware of.
>
> Regards,
>
> Wolfgang Winkler
From: Wolfgang W. <wol...@di...> - 2025-05-05 10:50:33
|
Dear all,

when I follow the example of:

https://naviserver.sourceforge.io/n/naviserver/files/ns_crypto.html#1

    % set d [ns_crypto::aead::encrypt string -cipher aes-128-gcm -iv 123456789 \
        -key secret -encoding binary \
        "hello world"]
    % ns_crypto::aead::decrypt string -cipher aes-128-gcm -iv 123456789 \
        -key secret -tag [dict get $d tag] \
        -encoding binary [dict get $d bytes]

I get the error: "could not set tag value"

I've tried it with naviserver 4.99.23 and 5.0 with OpenSSL 3.4.1.

We'd like to use it, because it is so much faster than any other way of symmetric encryption for tcl or naviserver I'm aware of.

Regards,

Wolfgang Winkler
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-04-02 17:20:01
|
Dear all,

While I have dived into CSS, I’ve also added a dark mode for the default index page, man pages, and nsstats.

All the best
-g
From: Brian F. <bri...@ai...> - 2025-03-31 09:25:14
|
This looks fantastic! Great job.

Brian

________________________________
From: Gustaf Neumann (sslmail) <ne...@wu...>
Sent: Friday 28 March 2025 5:49 pm
To: nav...@li... <nav...@li...>
Subject: [naviserver-devel] Updated Online Documentation & Styling – Uniform, Responsive Design for NaviServer 5.0

Dear NaviServer Developers,

Over the past few days, I’ve been working on revamping our online documentation and styling. I’m pleased to share that we now have a uniform, responsive design for:
- The plain NaviServer start page
- The nsstats module
- The manual pages

Notably, the new design no longer depends on external libraries (we previously relied on Bootstrap 5 and, in part, on W3.CSS). While the current implementation is responsive to a high degree, there’s always room for further refinement.

You can preview the updated pages via the following links (please note that the man pages on SourceForge may take a short while to propagate to all regions – if something appears off, try reloading your browser):

Main Table of Contents: https://naviserver.sourceforge.io/5.0/toc.html
Keyword Index: https://naviserver.sourceforge.io/5.0/index.html
Command List: https://naviserver.sourceforge.io/5.0/naviserver/files/commandlist.html
Sample Command Man Page (ns_conn): https://naviserver.sourceforge.io/5.0/naviserver/files/ns_conn.html

Styling the documentation, which is produced by the Tcl doctools, is quite challenging, since the produced markup is widely old-style, and it allows only little influence on the output.

I welcome any feedback or suggestions you might have

All the best
-g
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-03-28 17:50:16
|
Dear NaviServer Developers,

Over the past few days, I’ve been working on revamping our online documentation and styling. I’m pleased to share that we now have a uniform, responsive design for:
- The plain NaviServer start page
- The nsstats module
- The manual pages

Notably, the new design no longer depends on external libraries (we previously relied on Bootstrap 5 and, in part, on W3.CSS). While the current implementation is responsive to a high degree, there’s always room for further refinement.

You can preview the updated pages via the following links (please note that the man pages on SourceForge may take a short while to propagate to all regions – if something appears off, try reloading your browser):

Main Table of Contents: https://naviserver.sourceforge.io/5.0/toc.html
Keyword Index: https://naviserver.sourceforge.io/5.0/index.html
Command List: https://naviserver.sourceforge.io/5.0/naviserver/files/commandlist.html
Sample Command Man Page (ns_conn): https://naviserver.sourceforge.io/5.0/naviserver/files/ns_conn.html

Styling the documentation, which is produced by the Tcl doctools, is quite challenging, since the produced markup is widely old-style, and it allows only little influence on the output.

I welcome any feedback or suggestions you might have

All the best
-g
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-01-31 14:16:10
Dear all,

A stable version of the certificate validation management for outgoing HTTPS requests (ns_http, ns_connchan) for NaviServer 5 is now in the NaviServer repository on GitHub. The current documentation is also online:

https://naviserver.sourceforge.io/5.0/manual/files/admin-config.html#subsection13

Let me know if you have additional requirements in this regard. The newest version of NaviServer has been running since this morning on openacs.org <http://openacs.org/>.

All the best
-gn

> On 23.01.2025, at 18:43, Gustaf Neumann (sslmail) <ne...@wu...> wrote:
>
> Dear all,
>
> This mail is a warning that after an upgrade to the newest version from git, some of your configuration files/applications might need adjustments.
>
> The newest commit to the main repository brings more security by always validating the server certificate in ns_http client requests. While this is common for browsers, this is not necessarily the case for automated web operations (web services etc.), opening a large attack vector for man-in-the-middle attacks (see below). So far, checking the certificates was deactivated by default, which has the consequence that in practice many (most?) application developers just used the defaults, leading to an unpleasant situation. Now, certificate checking is activated; it can be deactivated by adding the parameter “-insecure” to an “ns_http” request (there are other means, see below).
>
> The regression test (including self-signed certificates for HTTPS, revproxy, …) works fine.
>
> Next steps for me:
> - check consequences for letsencrypt
> - add similar changes to “ns_connchan open|connect”
> - documentation of certificate management in detail (covering ns_http, ns_connchan, admin-config)
>
> We are getting closer to the release candidate...
>
> all the best
> -gn
>
>
> Security by default for HTTP client requests (ns_http)
>
> Background: Authenticating the peer is a critical part of SSL connection setup when a client connects to a server. In this process, the server presents its public-key certificate. If the result of this authentication is missing, a server might be vulnerable to man-in-the-middle attacks. Protection against this is one of the intentions of HTTPS, and becomes more important when backend transactions are performed via HTTPS (administration of servers, cloud infrastructure, payments, ...), establishing secure network tunnels, or when sending confidential information via HTTPS.
>
> As the paper mentioned below points out, the validation of peer certificates is usually in place for web communication over the browser, but it is often not active for web service interactions. One reason for this is that application developers very often choose the default setup.
>
> The key instrument of NaviServer for performing HTTP client operations is ns_http, which certainly has the ability for certificate validation, but so far it was deactivated by default. This changes now with NaviServer 5, where the default now includes validation.
>
> One of the consequences of validating peer certificates is that the administrator has to care about certificates (what certificates are accepted), including management of self-signed certificates.
>
> We try to make the transition as smooth as possible by providing a reasonable default setup including established root certificates (ca-bundle.crt), providing simple means to add your own trusted certificates (including self-signed certificates). This default setup can be altered for a server via the configuration file, or for every single request via parameters.
>
> The most important changes are:
>
> - New parameter "-insecure" for "ns_http run" and "ns_http queue"
>   This parameter turns off certificate validation for the target HTTPS server. The name follows the naming convention of curl.
>
> - The old parameter "-validate" is now a no-op.
>   Per default, all ns_http requests to HTTPS servers are now validated.
>
> - Store certificates in directory ${NSHOME}/certificates instead of ${NSHOME}/etc
>
> - New configuration parameters "CApath" and "CAfile" for the "httpclient" section of a server to specify default locations for certificate validation. It is possible to override these values via parameters to "ns_http run" and "ns_http queue".
>
>   Default configuration:
>
>       ns/${server}/httpclient {
>           ns_param CAfile ... ;# default ${NSHOME}/ca-bundle.crt
>           ns_param CApath ... ;# default ${NSHOME}/certificates
>       }
>
>   * "CAfile" points to a .pem file containing established root certificates, often named "ca-bundle.crt". This file contains multiple of these certificates. The version shipped with NaviServer is based on Mozilla's root certificates. Also, many operating systems provide these certificates (e.g., on Ubuntu /etc/ssl/certs/ca-certificates.crt). One can certainly use various sources, e.g. via symbolic links or configuration parameters. The file can be manually updated e.g. via
>
>       curl https://curl.se/ca/cacert.pem -o /usr/local/ns/ca-bundle.crt
>
>   * "CApath" points to a directory containing CA certificates in PEM format. Each of the files must contain exactly one CA certificate (OpenSSL requirement).
>
>     It is possible to add self-signed certificates to this directory to connect via ns_http with an HTTPS URL to this server, after running
>
>       openssl rehash ${NSHOME}/certificates
>
>     The rehash operation is performed automatically in the installation process.
>
> - New configuration parameter "insecure" for the "httpclient" section of a server
>
> The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
> https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
>
> - Added certificate settings to sample configuration files nsd-config.tcl and openacs-config.tcl
>
> - Minor cleanup of Makefiles (improve consistency and configurability)
>
> - Similar changes for "ns_connchan connect|open" will follow
From: Gustaf N. (sslmail) <ne...@wu...> - 2025-01-23 17:43:32
Dear all,

This mail is a warning that after an upgrade to the newest version from git, some of your configuration files/applications might need adjustments.

The newest commit to the main repository brings more security by always validating the server certificate in ns_http client requests. While this is common for browsers, this is not necessarily the case for automated web operations (web services etc.), opening a large attack vector for man-in-the-middle attacks (see below). So far, checking the certificates was deactivated by default, which has the consequence that in practice many (most?) application developers just used the defaults, leading to an unpleasant situation. Now, certificate checking is activated; it can be deactivated by adding the parameter “-insecure” to an “ns_http” request (there are other means, see below).

The regression test (including self-signed certificates for HTTPS, revproxy, …) works fine.

Next steps for me:
- check consequences for letsencrypt
- add similar changes to “ns_connchan open|connect”
- documentation of certificate management in detail (covering ns_http, ns_connchan, admin-config)

We are getting closer to the release candidate...

all the best
-gn


Security by default for HTTP client requests (ns_http)

Background: Authenticating the peer is a critical part of SSL connection setup when a client connects to a server. In this process, the server presents its public-key certificate. If the result of this authentication is missing, a server might be vulnerable to man-in-the-middle attacks. Protection against this is one of the intentions of HTTPS, and becomes more important when backend transactions are performed via HTTPS (administration of servers, cloud infrastructure, payments, ...), establishing secure network tunnels, or when sending confidential information via HTTPS.

As the paper mentioned below points out, the validation of peer certificates is usually in place for web communication over the browser, but it is often not active for web service interactions. One reason for this is that application developers very often choose the default setup.

The key instrument of NaviServer for performing HTTP client operations is ns_http, which certainly has the ability for certificate validation, but so far it was deactivated by default. This changes now with NaviServer 5, where the default now includes validation.

One of the consequences of validating peer certificates is that the administrator has to care about certificates (what certificates are accepted), including management of self-signed certificates.

We try to make the transition as smooth as possible by providing a reasonable default setup including established root certificates (ca-bundle.crt), providing simple means to add your own trusted certificates (including self-signed certificates). This default setup can be altered for a server via the configuration file, or for every single request via parameters.

The most important changes are:

- New parameter "-insecure" for "ns_http run" and "ns_http queue"
  This parameter turns off certificate validation for the target HTTPS server. The name follows the naming convention of curl.

- The old parameter "-validate" is now a no-op.
  Per default, all ns_http requests to HTTPS servers are now validated.

- Store certificates in directory ${NSHOME}/certificates instead of ${NSHOME}/etc

- New configuration parameters "CApath" and "CAfile" for the "httpclient" section of a server to specify default locations for certificate validation. It is possible to override these values via parameters to "ns_http run" and "ns_http queue".

  Default configuration:

      ns/${server}/httpclient {
          ns_param CAfile ... ;# default ${NSHOME}/ca-bundle.crt
          ns_param CApath ... ;# default ${NSHOME}/certificates
      }

  * "CAfile" points to a .pem file containing established root certificates, often named "ca-bundle.crt". This file contains multiple of these certificates. The version shipped with NaviServer is based on Mozilla's root certificates. Also, many operating systems provide these certificates (e.g., on Ubuntu /etc/ssl/certs/ca-certificates.crt). One can certainly use various sources, e.g. via symbolic links or configuration parameters. The file can be manually updated e.g. via

      curl https://curl.se/ca/cacert.pem -o /usr/local/ns/ca-bundle.crt

  * "CApath" points to a directory containing CA certificates in PEM format. Each of the files must contain exactly one CA certificate (OpenSSL requirement).

    It is possible to add self-signed certificates to this directory to connect via ns_http with an HTTPS URL to this server, after running

      openssl rehash ${NSHOME}/certificates

    The rehash operation is performed automatically in the installation process.

- New configuration parameter "insecure" for the "httpclient" section of a server

The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

- Added certificate settings to sample configuration files nsd-config.tcl and openacs-config.tcl

- Minor cleanup of Makefiles (improve consistency and configurability)

- Similar changes for "ns_connchan connect|open" will follow
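A check for the two CApath rules stated in the message above (exactly one certificate per file, and a rehash after adding certificates), as an added example that is not part of the original mail or of NaviServer. The function names and finding labels are made up for this example, and it assumes the hash links are symlinks named <8 hex digits>.<n>, which is what "openssl rehash" creates.

```shell
#!/bin/sh
# Added example: audit a CApath directory before pointing ns_http at it.
# Findings, one per line on stdout:
#   EMPTY <file>    no PEM certificate in the file
#   MULTI <file>    more than one certificate (CApath needs exactly one per file)
#   NOHASH <file>   no hash symlink targets it, i.e. rehash was not run after adding it

# has_hash_link DIR NAME: true if a link named <8 hex digits>.<n> in DIR targets NAME.
has_hash_link() {
    h='[0-9a-f]'   # expanded unquoted below so that it acts as a glob pattern
    for l in "$1"/$h$h$h$h$h$h$h$h.[0-9]*; do
        [ -L "$l" ] || continue
        [ "$(basename "$(readlink "$l")")" = "$2" ] && return 0
    done
    return 1
}

# audit_capath DIR: print findings; status 0 if clean, 1 if findings, 2 if DIR is missing.
audit_capath() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "NODIR $dir"; return 2; }
    for f in "$dir"/*; do
        # Only real files hold certificates; the hash links are symlinks to them.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        # grep -c exits non-zero on a count of 0, hence the "|| true".
        n=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
        case $n in
            0) echo "EMPTY $f"; findings=$((findings + 1)) ;;
            1) if ! has_hash_link "$dir" "$(basename "$f")"; then
                   echo "NOHASH $f"; findings=$((findings + 1))
               fi ;;
            *) echo "MULTI $f"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_capath.sh /path/to/certificates
if [ "$#" -gt 0 ]; then audit_capath "$1"; fi
```

A NOHASH finding is cleared by running the rehash command from the message on the directory; a MULTI finding means the file belongs in the CAfile bundle or has to be split into one file per certificate.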