From: Gustaf N. <ne...@wu...> - 2014-07-10 15:50:02

On 09.07.14 21:18, Jeff Rogers wrote:
> If I understand correctly, this codepath is used for a non-file based
> return, so e.g., "ns_return -binary" should get here.

The code paths are more complex and depend also on the settings of the configuration file (e.g. caching, mmap, ...); when i was working on the async writer i created the call-graph [1] below (manually, might contain errors; just did it for the parts i was interested in). ReturnRange() is reached for file-descriptor based and for data based deliveries

> It looks to be looping over the ranges set from Ns_ConnParseRange, but
> using index 0 instead of index i.

that is of course a (potential) bug, although the particular path is not met from the test cases (we have currently 42 test cases for range requests, covering single and multiple byte ranges).

> I would expect the result to be that
> the first requested range is returned multiple times, but it seems to
> return multiple ranges just fine. I was able to construct a failing
> byterange test with an incorrect length (if the multiple ranges are
> different sizes rather than all the same size), but the content is still
> correct, which is puzzling.
>
> Also, it looks like ranges aren't supported at all for character data
> (e.g., adp responses or non-binary ns_return). Is this intentional and
> desirable? It seems reasonable at first glance, since the most useful
> use case for ranges is large binaries, but it seems a bit inconsistent.

as mentioned a while earlier on the list, the call graph of the data delivery logic is quite complex and might be simplified. I've simplified it in some steps when working on the async writer, but still, more can be done. yes, currently range requests are ignored for e.g. .adp requests, but they are -supposed to be - fully supported on file-requests, which are in practice the most important cases (e.g. various pdf readers depend on this, i think i have seen this as well range requests on video formats). Seems that so far, no-one had needs for range requests on dynamic content, which is often useless (e.g. language settings lead to different message strings on systems like e.g. OpenACS), but there might certainly be use-cases for that.

the best start is usually to add a test case. I've added a test case showing that range requests are ignored on .adp requests.

-gustaf neumann

[1] http://openacs.org/xowiki/file/writer.png

From: Jeff R. <dv...@di...> - 2014-07-09 22:00:42

There's no builtin way I know of to define a default extension. I would do this with a preauth filter, something like this:

=== default_extension.tcl ===
ns_log notice "Loading default extension"

proc default_extension {why} {
    set url [ns_conn url]
    # set loglvl notice
    set loglvl debug
    ns_log $loglvl "default_extension url: $url"
    set file [ns_url2file $url]
    ns_log $loglvl "default_extension file: $file"
    if {![file exists $file]} {
        if {[file exists $file.adp]} {
            ns_log $loglvl "adp extension for $file found"
            ns_internalredirect $url.adp
        } elseif {[file exists $file.html]} {
            ns_log $loglvl "html extension for $file found"
            ns_internalredirect $url.html
        } else {
            ns_log $loglvl "no default extension for $file found"
            # will just fall through
        }
    }
    return filter_ok
}

ns_register_filter preauth * * default_extension
ns_log notice "Loaded default extension"
=== cut here ===

You could also implement similar logic in a url2file handler. Maybe this is something generally useful enough (something like apache MultiViews) to include as a default module, although in that case it would make sense to make it configurable from the config file.

-J

John Buckman wrote:
> I was wondering if there was simple of of defining the default filename
> extension naviserver looks for, like there is for
> "ns_param directoryfile" but for any url where the filename extension
> isn't specified in the url.
>
> For example, if you go to:
> http://localhost/about
>
> I want "about.adp" to be the file that is loaded.
>
> I've done this in aolserver two ways:
>
> 1) with a 404 handler
> 2) or with a code path in request.c (see code sample below)
>
> -john
>
> ====
> /* john buckman added 4/14/06 */
> /* check if should add default filename extension of .adp */
> /* only if no / on end of url which indicates a directory */
> char * dotpos;
> if (ds2.string[ds2.length - 1] != '/') {
>     /* if not . in the entire url, or if there is a dot before the
>        final / (indicating a . in a directory name, which is ok, then
>        add the default filename extension */
>     dotpos = strrchr(ds2.string, '.');
>     if ((dotpos == NULL) || (strchr(dotpos, '/') != NULL)) {
>         Ns_DStringAppend(&ds2, ".adp");
>         /* Ns_Log(Notice, "added default extension to get '%s'",
>            ds2.string); */
>     }
> }
> /* end john buckman added */
>
> request->url = ns_strdup(ds2.string);
> ===

From: John B. <jo...@ma...> - 2014-07-09 20:31:42

I was wondering if there was simple of of defining the default filename extension naviserver looks for, like there is for "ns_param directoryfile" but for any url where the filename extension isn't specified in the url.

For example, if you go to:
http://localhost/about

I want "about.adp" to be the file that is loaded.

I've done this in aolserver two ways:

1) with a 404 handler
2) or with a code path in request.c (see code sample below)

-john

====
/* john buckman added 4/14/06 */
/* check if should add default filename extension of .adp */
/* only if no / on end of url which indicates a directory */
char * dotpos;
if (ds2.string[ds2.length - 1] != '/') {
    /* if not . in the entire url, or if there is a dot before the
       final / (indicating a . in a directory name, which is ok, then
       add the default filename extension */
    dotpos = strrchr(ds2.string, '.');
    if ((dotpos == NULL) || (strchr(dotpos, '/') != NULL)) {
        Ns_DStringAppend(&ds2, ".adp");
        /* Ns_Log(Notice, "added default extension to get '%s'", ds2.string); */
    }
}
/* end john buckman added */

request->url = ns_strdup(ds2.string);
===

From: Jeff R. <dv...@di...> - 2014-07-09 19:18:39

Hi all,

As part of porting a feature to naviserver, I'm trying to understand all the code paths that outgoing data can take. I think I found a bug in the range handling code, but I can't figure out how to tickle it, which makes me wonder if there's something less-obvious going on.

This code from return.c:ReturnRange (~lines 889-893) looks wrong to me:

    for (i = 0; i < rangeCount; i++) {
        vbuf[0].iov_base = (void *)(intptr_t)bufs[0].offset;
        vbuf[0].iov_len = bufs[0].length;
        len += bufs[0].length;
    }

If I understand correctly, this codepath is used for a non-file based return, so e.g., "ns_return -binary" should get here. It looks to be looping over the ranges set from Ns_ConnParseRange, but using index 0 instead of index i. I would expect the result to be that the first requested range is returned multiple times, but it seems to return multiple ranges just fine. I was able to construct a failing byterange test with an incorrect length (if the multiple ranges are different sizes rather than all the same size), but the content is still correct, which is puzzling.

Also, it looks like ranges aren't supported at all for character data (e.g., adp responses or non-binary ns_return). Is this intentional and desirable? It seems reasonable at first glance, since the most useful use case for ranges is large binaries, but it seems a bit inconsistent.

Cheers,
-J

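The index question raised in the message above, as an added stand-alone example (not NaviServer code and not from the thread): it fills one iovec per range using index i and compares the resulting length with the length the index-0 form of the loop adds up when the ranges differ in size. The struct, the function names, the bounds check and the sample body are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

/* One parsed byte range. Field names follow bufs[i].offset / bufs[i].length
 * in the quoted loop; the struct itself is hypothetical. */
struct byte_range {
    size_t offset;
    size_t length;
};

/* Constructed sample: 16-byte in-memory body, two ranges of different
 * sizes (bytes 0-3 and bytes 10-11). */
static const char SAMPLE_BODY[] = "0123456789abcdef";
static const struct byte_range SAMPLE_RANGES[] = { { 0, 4 }, { 10, 2 } };
#define SAMPLE_COUNT 2

/* Fill one iovec per range (index i, not 0). Returns the total payload
 * length, or -1 when a range does not lie inside the body. */
static ssize_t
build_range_iov(const char *body, size_t body_len,
                const struct byte_range *ranges, int range_count,
                struct iovec *vbuf)
{
    size_t len = 0;
    int    i;

    for (i = 0; i < range_count; i++) {
        /* Overflow-safe form of: offset + length <= body_len */
        if (ranges[i].offset > body_len
            || ranges[i].length > body_len - ranges[i].offset) {
            return -1;
        }
        vbuf[i].iov_base = (void *)(body + ranges[i].offset);
        vbuf[i].iov_len  = ranges[i].length;
        len += ranges[i].length;
    }
    return (ssize_t)len;
}

/* Length as the quoted loop would sum it: element 0 on every pass. */
static size_t
length_with_index_zero(const struct byte_range *ranges, int range_count)
{
    size_t len = 0;
    int    i;

    for (i = 0; i < range_count; i++) {
        len += ranges[0].length;
    }
    return len;
}

/* Copy what writev() would emit into out (NUL-terminated) for inspection. */
static ssize_t
gather_iov(const struct iovec *vbuf, int count, char *out, size_t out_size)
{
    size_t used = 0;
    int    i;

    for (i = 0; i < count; i++) {
        if (vbuf[i].iov_len >= out_size - used) {
            return -1;                      /* no room for data plus NUL */
        }
        memcpy(out + used, vbuf[i].iov_base, vbuf[i].iov_len);
        used += vbuf[i].iov_len;
    }
    out[used] = '\0';
    return (ssize_t)used;
}

/* Total length for the constructed sample with per-range indexing. */
static ssize_t sample_total(void)
{
    struct iovec vbuf[SAMPLE_COUNT];
    return build_range_iov(SAMPLE_BODY, strlen(SAMPLE_BODY),
                           SAMPLE_RANGES, SAMPLE_COUNT, vbuf);
}

/* Gathered byte stream for the constructed sample, or NULL on failure. */
static const char *sample_stream(void)
{
    static char  out[32];
    struct iovec vbuf[SAMPLE_COUNT];

    if (build_range_iov(SAMPLE_BODY, strlen(SAMPLE_BODY),
                        SAMPLE_RANGES, SAMPLE_COUNT, vbuf) < 0
        || gather_iov(vbuf, SAMPLE_COUNT, out, sizeof(out)) < 0) {
        return NULL;
    }
    return out;
}

/* A range reaching past the end of the body must be refused. */
static int rejects_out_of_body_range(void)
{
    const struct byte_range bad = { 14, 4 };
    struct iovec            vbuf[1];
    return build_range_iov(SAMPLE_BODY, strlen(SAMPLE_BODY), &bad, 1, vbuf) == -1;
}

int main(void)
{
    printf("per-range: %zd bytes \"%s\"; index-0 length: %zu\n",
           sample_total(), sample_stream(),
           length_with_index_zero(SAMPLE_RANGES, SAMPLE_COUNT));
    return 0;
}
```

A regression test for this path needs ranges of unequal size, since equal-sized ranges give the same sum under both forms of the loop.
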
From: Gustaf N. <ne...@wu...> - 2014-06-29 10:30:17

Dear friends,

NaviServer 4.99.6 is available. The new version is tagged with naviserver-4.99.6 in mercurial and is as well available at source-forge (naviserver, modules, documentation pages). Below is the section for 4.99.6 from the NEWS file

all the best
-gustaf neumann

======================================
NaviServer 4.99.6, released 2014-06-29
======================================

Changes relative to 4.99.5

198 files changed, 4972 insertions(+), 2657 deletions(-)

New Features/Performance Improvements:

* Added support for delivering static gzipped content via ns/fastpath.

  NaviServer allows now deliver gzipped content for static files in cases the client requests for this. The gzipped files are stored statically in the file system like the unzipped content. Therefore the file delivery of gzipped content can be performed without runtime penalty. NaviServer compares the time stamps of the compressed and uncompressed content. If the time-stamp of the uncompressed content is changed, NaviServer refreshes the compressed content automatically.

  The static gzip delivery is controlled over the following configuration parameters:

  - parameter "gzip_static" for "ns/fastpath" (default false)

    Send the gzipped version of the file if available and the client accepts gzipped content. When a file path/foo.ext is requested, and there exists a file path/foo.ext.gz, and the timestamp of the gzipped file is equal or newer than the source file, use the gzipped file for delivery.

  - parameter "gzip_cmd" for "ns/fastpath" (default "")

    Command for zipping files in case the (static) gzipped version of the file is older than the source. The command is just used for re-gzipping outdated files, it does not actively compress files, which were previously not compressed (this would be wasteful for e.g. large tmp files, there is not cleanup, etc.). If this parameter is not defined, outdated gzipped files are ignored, and a warning is written to the error.log. Example setting: "/usr/bin/gzip -9".

  - parameter "gzip_refresh" (default false)

    When the parameter is set to true and the modification time of the compressed file is older than the modification time of the source then refresh the compressed file automatically with the command "::ns_gzipfile source target". When this parameter is not defined (or the refresh cmd fails), outdated gzip-ed files are ignored, a warning is written to the error.log and the content is delivered uncompressed.

  The content is never delivered gzipped on range requests.

* Security improvements:

  - Prevent potential HTTP response splitting attack: all response header fields are sanitized to avoid injection of header file contents potentially leading to HTTP response splitting attacks.

  - Improved nsssl driver
    * provide forward secrecy and DH key exchange with precompiled defaults
    * support elliptic curve cryptography (ECDH)
    * deactivated SSLv2

  - By using parameter "extraheaders" (see below) in nsssl one can activate HTTP Strict Transport Security (HSTS) for nsssl (see https://bitbucket.org/naviserver/nsssl/)

  - The sample configuration of nsssl leads to a "A+" rating from SSL labs.

* Mime-types overhaul:

  - NaviServer supports now the all mimetypes as defined via RFCs, W3C and IANA
  - Some incorrect mimetypes are fixed
  - scripted mimetype definitions produce warnings on overwriting of mimetypes and on useless definitions.

* Modules update:

  - include nsdbi* in packaged module tar file
  - extended options in ns_dbi for dbi_rows
  - added compatibility to nsdns for new versions of DiG (9.10.*)
  - fixes for nsudp (HTTP over UDP), nsdbpg, nszlib, nssmtpd, nsstats

Bug Fixes:

* Tcl argument list parser: The old implementation could lead to crashes when Tcl_Objs were shared and the internal validation of the internal representation failed. Tcl_GetIndexFromObj() validates internal representations based on the pointer of the base string table, which works only reliably with static string tables. Since command definitions contain non-static fields (which cannot be determined at compile time) NaviServer can't use static string tables, but uses stack-allocated string tables for command definitions. This can lead to mix-ups for shared Tcl_Objs (keeping base of string table and index) in case two string tables are at the same position on the stack. As a consequence, the internal representation with a potentially wrong index is reused, leading to potential crashes. Now, the caching is only allowed for non-shared Tcl_Objs.

* Module loading: Previous versions of NaviServer loaded always "global modules" after per-server modules (and after blueprint generation). If e.g. a database modules was loaded globally, it was not possible to refer to its defined command from the blueprint. Now, just the loading of network modules happens in the strict old order.

* Ns_CacheUnsetValue() is now more robust against code, where freeProc calls a ns_cache operation (such as e.g. nsdbipg). Before that modification, double free operations were possible when the cache was pruned.

* Make sure to initialize all members of Ns_DriverInitData to zero

* sockcallback.c: fix size of reallocation unit (many thanks to Wolfgang Winkler for pointing this out)

* tclmisc.c: fix incorrect type for allocation unit (sha context instead of md5 context)

* Fix flag settings in ns_adp_parse

* Fix clock ensemble oddity in blueprint (error message: Error: time zone ":Tcl/Localtime" not found; many thanks to David Osborne)

* Save Tcl interpreter aliases and ensembles in blueprint (Many thanks to Jeff Rogers)

* Fix generation of documentation: dtplite from tcllib 1.15 does not allow spaces in "titles" of manpages. Fix all manpages, such that build-doc works again.

Documentation improvements:

* Doc page for ns_return: added section for describing fastpath configuration
* Document that "ns_conn compress 0" can deactivate compression
* Updated documentation of deprecated commands in the source
* Fixed/updated/extended various man pages such as ns_tmpnam, ns_getform, ns_set
* Removed obsolete commands from the documentation (ns_set with -persist, -shared, ns_share)

Tcl API Changes:

* ns_setcookie, ns_getcookie ns_deletecookie:

  - ns_setcookie, ns_deletecookie: added flag "-replace" to replace already issued cookie requests in output headers; the same option is used in OpenACS.
  - ns_setcookie: added option "-discard" as specified in RFC 2965
  - ns_getcookie: added option ?-include_set_cookies bool? to search cookies being set as well (from output headers); the same option is used in OpenACS.

* ns_http:

  - Added flags "-file /varName/" and "-spoolsize /int/" to "ns_http wait". If the content of the obtained file is larger or equal than spoolsize, it is spooled to temp file, and the name of the temp file is returned in the variable provided by "-file". These options make it possible to retrieve also large content (e.g. video files) via ns_http without bloating memory
  - Additional parameter "-decompress" for "ns_http wait" to compress the result on the fly (incrementally) in case it is content encoding is "gzip"

* ns_time: add option "ns_time format" to print a time in the sec:usec format in secs in a decimal dot notation

* Mark ns_tmpnam as deprecated since it uses an deprecated C-library function (use ns_mktemp instead)

* Allow "ns_mktemp" to be called without template (makes migration from ns_tmpnam simpler)

* Mark ns_connsendfp as deprecated (it was already documented as deprecated, superseded by ns_writefp)

C API Changes:

None

Incompatible API Changes:

None

Configuration Changes:

* New parameter "extraheaders" to drivers (e.g. nssock, nsssl). This feature allows an admin to specify extra reply headers sent back on every request. By using this feature, one can activate for example HTTP Strict Transport Security (HSTS) for nsssl (see https://bitbucket.org/naviserver/nsssl/)

* Update man pages and sample config files

Command Line Changes:

None

Code Changes:

* Added compatibility with OpenSolaris (e.g. OmniOS).

* Code Cleanup
  - reduce variable scopes to improve locality
  - Get rid of CVS variables
  - make test for byte-array safe for changes introduced in Tcl 8.6 and back-ported to Tcl 8.5 (see e.g. http://core.tcl.tk/tcl/info/91be696bf3)
  - defined new macro NS_GNUC_DEPRECATED_FOR() to be able to provide replacement hint and use it where appropriate
  - improve error message

* Test environment:
  - nstest::http: added flag "-getmultiheaders" to return all header fields (multiset) with the specified name

* Build environment:
  - use recommended autoconf constants quoting
  - deactivate AM_* macros (get rid of warnings), since these are not used by autogen.sh
  - replace obsolete macro AC_TRY_RUN, AC_TRY_LINK
  - use recent version of install-sh and tcl.m4
  - additional make target: cppcheck

* Extended regression test

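The gzip_static delivery rules from the 4.99.6 notes above (the draft announcement further down the page lists the same rules), written out as an added decision function; this is example code, not NaviServer's implementation. The enum, struct and function names, the q-value handling of Accept-Encoding and the refresh_ok flag that stands in for running the refresh command are assumptions of this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum static_variant {
    SERVE_PLAIN,          /* send path/foo.ext */
    SERVE_GZIP,           /* send path/foo.ext.gz */
    SERVE_PLAIN_STALE_GZ  /* send plain, ignore outdated .gz, log a warning */
};

/* Hypothetical mirror of the two boolean ns/fastpath parameters. */
struct gzip_policy { bool gzip_static; bool gzip_refresh; };

static const struct gzip_policy POLICY_OFF        = { false, false };
static const struct gzip_policy POLICY_NO_REFRESH = { true,  false };
static const struct gzip_policy POLICY_REFRESH    = { true,  true  };

/* Case-insensitive comparison of two NUL-terminated tokens. */
static bool ieq(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0'
           && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* True when the Accept-Encoding value lists gzip with a q-value above 0. */
static bool accepts_gzip(const char *accept_encoding)
{
    const char *p = accept_encoding;

    while (p != NULL && *p != '\0') {
        const char *comma = strchr(p, ',');
        size_t      n = (comma != NULL) ? (size_t)(comma - p) : strlen(p);
        char        item[64];

        if (n < sizeof(item)) {          /* oversized tokens are skipped */
            char  *name = item, *semi;
            double q = 1.0;
            size_t len;

            memcpy(item, p, n);
            item[n] = '\0';
            while (*name == ' ' || *name == '\t') {
                name++;
            }
            semi = strchr(name, ';');
            if (semi != NULL) {          /* "gzip;q=0" means not acceptable */
                const char *qp = strstr(semi + 1, "q=");
                if (qp != NULL) {
                    q = strtod(qp + 2, NULL);
                }
                *semi = '\0';
            }
            len = strlen(name);
            while (len > 0 && (name[len - 1] == ' ' || name[len - 1] == '\t')) {
                name[--len] = '\0';
            }
            if (ieq(name, "gzip")) {
                return q > 0.0;
            }
        }
        p = (comma != NULL) ? comma + 1 : NULL;
    }
    return false;
}

/*
 * refresh_ok stands in for the outcome of re-gzipping an outdated file
 * (the notes name "::ns_gzipfile source target"); it is only consulted
 * when the .gz is older than the source and gzip_refresh is true.
 */
static enum static_variant
choose_variant(const struct gzip_policy *policy, const char *accept_encoding,
               bool is_range_request, bool gz_exists,
               time_t src_mtime, time_t gz_mtime, bool refresh_ok)
{
    if (!policy->gzip_static || is_range_request || !gz_exists
        || !accepts_gzip(accept_encoding)) {
        return SERVE_PLAIN;   /* no gzip on ranges; new files are not compressed */
    }
    if (gz_mtime >= src_mtime || (policy->gzip_refresh && refresh_ok)) {
        return SERVE_GZIP;    /* equal-or-newer .gz, or successfully refreshed */
    }
    return SERVE_PLAIN_STALE_GZ;
}

int main(void)
{
    /* Constructed timestamps: source modified at t=200, .gz written at t=100. */
    printf("stale, no refresh: %d\n", choose_variant(&POLICY_NO_REFRESH,
           "gzip, deflate", false, true, 200, 100, false));
    printf("stale, refreshed:  %d\n", choose_variant(&POLICY_REFRESH,
           "gzip, deflate", false, true, 200, 100, true));
    printf("range request:     %d\n", choose_variant(&POLICY_REFRESH,
           "gzip", true, true, 100, 200, false));
    return 0;
}
```
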
From: Gustaf N. <ne...@wu...> - 2014-06-21 06:43:33

Dear all,

Cesareo, you are right. For CVE-2014-0224, an upgrade of openssl + restart of naviserver is sufficient. There is no need to upgrade naviserver or nsssl.

-gustaf neumann

On 20.06.14 23:45, Cesáreo García Rodicio wrote:
> Hi!
>
> I had an F in Qualys SSL Labs due to the most recent openssl bug
> (SSL/TLS MITM vulnerability (CVE-2014-0224):
> https://www.openssl.org/news/secadv_20140605.txt).
>
> So,
> - I've upgraded openssl (in my box via debian apt-get update and
> apt-get upgrade). Now with OpenSSL 1.0.1e 11 Feb 2013
> - I've upgraded naviserver (to TIP version). I think nssl module was
> not updated.
>
> And it worked, now I get A+.
>
> I think that it wasn't a naviserver issue but I post it here just to
> keep informed our community.
>
> Thanks
> Cesareo

From: Cesáreo G. R. <ce...@ce...> - 2014-06-20 21:45:44

Hi!

I had an F in Qualys SSL Labs due to the most recent openssl bug (SSL/TLS MITM vulnerability (CVE-2014-0224): https://www.openssl.org/news/secadv_20140605.txt).

So,
- I've upgraded openssl (in my box via debian apt-get update and apt-get upgrade). Now with OpenSSL 1.0.1e 11 Feb 2013
- I've upgraded naviserver (to TIP version). I think nssl module was not updated.

And it worked, now I get A+.

I think that it wasn't a naviserver issue but I post it here just to keep informed our community.

Thanks
Cesareo

From: Gustaf N. <ne...@wu...> - 2014-06-19 15:13:36

Dear all,

i've done some more cleanup, added regression tests for ns_adp_parse, and put version 4.90.6b2 to sourceforge.

all the best
-gustaf neumann

On 18.06.14 13:14, Gustaf Neumann wrote:
> Dear Andrei,
>
> many thanks for the report. There was indeed a bug in the code
> handling the "-file" flag of ns_adp_parse, and surprisingly, there is
> no test case for this in the regression test. Furthermore, OpenACS
> uses its own template management using effectively just the string
> variant of ns_adp_parse, so we did not notice this.
>
> Please test the fixes, that i've just committed to bitbucket, these
> should solve the problem. I'll add some tests to the regression test
> and look into some border cases in the next available time slots.
>
> best regards
> -gustaf neumann
>
> On 18.06.14 08:30, Clinciu Andrei wrote:
>>
>> Hi,
>>
>> First of all I want to thank you for providing updates, bugfixes and
>> advancing this wonderful web server that supports TCL. It's one of
>> the many webservers out there that uses tcl but almost the single who
>> is so beautiful and powerful.
>>
>> For some months (when time allows it), I've been working on a
>> specific web framework for naviserver. But now I've stumbled upon a
>> sinister error. I had this a while ago with the 4.99.5 server but
>> solved it quite quickly. While installing the newest version from
>> Sourceforge (I also tried it from bitbucket).
>> I get the following rather annoying "parsed/cached TCL /ADP code":
>> <%if {[info proc
>> adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp]
>> == {}} { proc
>> adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp
>> {} { uplevel [for { <% set title [mc "Index of %s" [mc Clasa]] dict
>> set pageinfo title $title dict set pageinfo breadcrumb " {-url 1 {[mc
>> Home]} #} {-active 1 {[mc Clasa]} } " dict set pageinfo menu " { -url
>> 1 {[mc Create] [mc Clasa]} [my getUrl create]} { -url 1 -show 0 {[mc
>> Admin] [mc Clasa]} [my getUrl admin]} " ns_puts [$bhtml htmltag h1
>> $title] #TODO select only from a specific school -where [list [list
>> scoala_id 2]] ns_puts [$bhtml gridView -toSelect [list id an nume
>> scoala ] $model [list -relations 1 ] ] %> } {0} {} {}]}}
>> adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp
>> %>
>>
>> On every page where I use an ns_adp_parse -file
>>
>> However, the server settings are the same as with my working 4.99.5
>> server.
>>
>> The following code snippet didn't seem to be the problem earlier, but
>> now it just won't work.
>> append page [ns_adp_parse -file
>> ../views/$controller/$view.adp {*}$vars ]
>> ns_adp_include ../views/$layout.adp -pageinfo $pageinfo
>> -bhtml $bhtml $page
>>
>> I had the same problem when both
>> ns_param cache true and ns_param enabletclpages
>> true (which is now false) were enabled.
>>
>> A logical next step would be to disable caching OR surround the
>> ns_adp_parse with another ns_adp_parse.. and the following happens:
>>
>> invalid command name "<%"
>> while executing
>> "<%"
>> (procedure "adp:/opt/ns/www/176.56.238.107/lostmvc/views/user/login.adp" line 2)
>>
>> Is there something wrong with ns_adp_parse that it doesn't do its
>> job right anymore? This means I should remove the <% %> but why?
>> The same error seems to occur also when the code is surrounded by an
>> ns_adp_eval.
>>
>> No current workaround found:(. This is really bugging me...
>>
>> Code seems to work without any problems in the previous version of
>> the webserver, what gives?
>>
>> Any ideas how to fix this?
>>
>> Should I stick to the old version instead?
>>
>> Thanks again for the great support!
>>
>> With regards,
>> Clinciu Andrei George
>>
>>
>> "Vorba buna, zambetul si fapta binefacatoare sunt raze ale soarelui
>> rasfrante in sufletul omului."
>> "A good word, a smile and a good deed are just like rays of the sun
>> reflected in man's soul." by Nicolae Iorga

From: Gustaf N. <ne...@wu...> - 2014-06-18 11:14:49

Dear Andrei,

many thanks for the report. There was indeed a bug in the code handling the "-file" flag of ns_adp_parse, and surprisingly, there is no test case for this in the regression test. Furthermore, OpenACS uses its own template management using effectively just the string variant of ns_adp_parse, so we did not notice this.

Please test the fixes, that i've just committed to bitbucket, these should solve the problem. I'll add some tests to the regression test and look into some border cases in the next available time slots.

best regards
-gustaf neumann

On 18.06.14 08:30, Clinciu Andrei wrote:
>
> Hi,
>
> First of all I want to thank you for providing updates, bugfixes and
> advancing this wonderful web server that supports TCL. It's one of the
> many webservers out there that uses tcl but almost the single who is
> so beautiful and powerful.
>
> For some months (when time allows it), I've been working on a specific
> web framework for naviserver. But now I've stumbled upon a sinister
> error. I had this a while ago with the 4.99.5 server but solved it
> quite quickly. While installing the newest version from Sourceforge (I
> also tried it from bitbucket).
> I get the following rather annoying "parsed/cached TCL /ADP code":
> <%if {[info proc
> adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp]
> == {}} { proc
> adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp
> {} { uplevel [for { <% set title [mc "Index of %s" [mc Clasa]] dict
> set pageinfo title $title dict set pageinfo breadcrumb " {-url 1 {[mc
> Home]} #} {-active 1 {[mc Clasa]} } " dict set pageinfo menu " { -url
> 1 {[mc Create] [mc Clasa]} [my getUrl create]} { -url 1 -show 0 {[mc
> Admin] [mc Clasa]} [my getUrl admin]} " ns_puts [$bhtml htmltag h1
> $title] #TODO select only from a specific school -where [list [list
> scoala_id 2]] ns_puts [$bhtml gridView -toSelect [list id an nume
> scoala ] $model [list -relations 1 ] ] %> } {0} {} {}]}}
> adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp
> %>
>
> On every page where I use an ns_adp_parse -file
>
> However, the server settings are the same as with my working 4.99.5
> server.
>
> The following code snippet didn't seem to be the problem earlier, but
> now it just won't work.
> append page [ns_adp_parse -file ../views/$controller/$view.adp
> {*}$vars ]
> ns_adp_include ../views/$layout.adp -pageinfo $pageinfo
> -bhtml $bhtml $page
>
> I had the same problem when both
> ns_param cache true and ns_param enabletclpages
> true (which is now false) were enabled.
>
> A logical next step would be to disable caching OR surround the
> ns_adp_parse with another ns_adp_parse.. and the following happens:
>
> invalid command name "<%"
> while executing
> "<%"
> (procedure "adp:/opt/ns/www/176.56.238.107/lostmvc/views/user/login.adp" line 2)
>
> Is there something wrong with ns_adp_parse that it doesn't do its
> job right anymore? This means I should remove the <% %> but why?
> The same error seems to occur also when the code is surrounded by an
> ns_adp_eval.
>
> No current workaround found:(. This is really bugging me...
>
> Code seems to work without any problems in the previous version of the
> webserver, what gives?
>
> Any ideas how to fix this?
>
> Should I stick to the old version instead?
>
> Thanks again for the great support!
>
> With regards,
> Clinciu Andrei George
>
>
> "Vorba buna, zambetul si fapta binefacatoare sunt raze ale soarelui
> rasfrante in sufletul omului."
> "A good word, a smile and a good deed are just like rays of the sun
> reflected in man's soul." by Nicolae Iorga

From: Clinciu A. <the...@ya...> - 2014-06-18 06:30:59

Hi,

First of all I want to thank you for providing updates, bugfixes and advancing this wonderful web server that supports TCL. It's one of the many webservers out there that uses tcl but almost the single who is so beautiful and powerful.

For some months (when time allows it), I've been working on a specific web framework for naviserver. But now I've stumbled upon a sinister error. I had this a while ago with the 4.99.5 server but solved it quite quickly. While installing the newest version from Sourceforge (I also tried it from bitbucket). I get the following rather annoying "parsed/cached TCL /ADP code":

    <%if {[info proc
    adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp]
    == {}} { proc
    adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp
    {} { uplevel [for { <% set title [mc "Index of %s" [mc Clasa]] dict
    set pageinfo title $title dict set pageinfo breadcrumb " {-url 1 {[mc
    Home]} #} {-active 1 {[mc Clasa]} } " dict set pageinfo menu " { -url
    1 {[mc Create] [mc Clasa]} [my getUrl create]} { -url 1 -show 0 {[mc
    Admin] [mc Clasa]} [my getUrl admin]} " ns_puts [$bhtml htmltag h1
    $title] #TODO select only from a specific school -where [list [list
    scoala_id 2]] ns_puts [$bhtml gridView -toSelect [list id an nume
    scoala ] $model [list -relations 1 ] ] %> } {0} {} {}]}}
    adp:/opt/ns/www/176.56.238.107/lostmvc/modules/School/views/clasa/index.adp
    %>

On every page where I use an ns_adp_parse -file

However, the server settings are the same as with my working 4.99.5 server.

The following code snippet didn't seem to be the problem earlier, but now it just won't work.

    append page [ns_adp_parse -file ../views/$controller/$view.adp {*}$vars ]
    ns_adp_include ../views/$layout.adp -pageinfo $pageinfo -bhtml $bhtml $page

I had the same problem when both ns_param cache true and ns_param enabletclpages true (which is now false) were enabled.

A logical next step would be to disable caching OR surround the ns_adp_parse with another ns_adp_parse.. and the following happens:

    invalid command name "<%"
    while executing
    "<%"
    (procedure "adp:/opt/ns/www/176.56.238.107/lostmvc/views/user/login.adp" line 2)

Is there something wrong with ns_adp_parse that it doesn't do its job right anymore? This means I should remove the <% %> but why? The same error seems to occur also when the code is surrounded by an ns_adp_eval.

No current workaround found:(. This is really bugging me...

Code seems to work without any problems in the previous version of the webserver, what gives?

Any ideas how to fix this?

Should I stick to the old version instead?

Thanks again for the great support!

With regards,
Clinciu Andrei George

"Vorba buna, zambetul si fapta binefacatoare sunt raze ale soarelui rasfrante in sufletul omului."
"A good word, a smile and a good deed are just like rays of the sun reflected in man's soul." by Nicolae Iorga

From: Cesáreo G. R. <ce...@ce...> - 2014-05-29 11:28:49

Dear Gustaf,

Thanks, That's it

Thanks
Cesáreo

On 29/May/14 04:12, Gustaf Neumann wrote:
> Dear Cesáreo,
>
> "maxinput" is needed for the nsssl driver as well. The configuration
> values are not
> passed automatically from nssock to nsssl.
>
> -gustaf
>
> On 28.05.14 23:53, Cesáreo García Rodicio wrote:
>> Hi
>>
>> I'm not completely sure that this is an naviserver issue (or an openacs)
>> but just in case (before to post in Openacs forum)
>>
>> I get
>> "Request Entity Too Large
>> The request entity (e.g. file to be uploaded) is too large</em>"
>>
>> uploading big files (2MB) to Photo Album (in OpenACS) (via httpS)
>>
>> It has occurred to me with Naviserver (but not with Aolserver). I've
>> kept aolserver config parameters, I mean:
>>
>> ---------
>> set max_file_upload_mb 20
>> set max_file_upload_min 5
>>
>> ns_section ns/server/${server}/module/nssock
>>
>> ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}]
>> ns_param recvwait [expr {$max_file_upload_min * 60}]
>> ---------
>>
>> am I missing anything? Does maxinput apply to nssl config too?
>>
>> Thanks
>> Cesáreo

From: Gustaf N. <ne...@wu...> - 2014-05-29 10:56:39
|
Dear friends,

We had recently some security related updates, so i think we should proceed to a next release. Therefore, i've added a first draft of the next release to sourceforge (including modules)

   https://sourceforge.net/projects/naviserver/files/naviserver/4.99.6/

If you have something to commit back to bitbucket, it would be a good time now. Below is a first draft of the summary of changes since 4.99.5

all the best
-gustaf neumann

=============================

======================================
NaviServer 4.99.6, released 2014-XX-XX
======================================

Changes relative to 4.99.5

196 files changed, 4883 insertions(+), 2632 deletions(-)

New Features:

* Added support for delivering static gzipped content via ns/fastpath.

  NaviServer allows now to deliver gzipped content for static files in cases the client requests for this. The gzipped files are stored statically in the file system like the unzipped content. Therefore the file delivery of gzipped content can be performed without runtime penalty. NaviServer compares the time stamps of the compressed and uncompressed content. If the time-stamp of the uncompressed content is changed, NaviServer refreshes the compressed content automatically.

  The static gzip delivery is controlled over the following configuration parameters:

  - parameter "gzip_static" for "ns/fastpath" (default false)

    Send the gzipped version of the file if available and the client accepts gzipped content. When a file path/foo.ext is requested, and there exists a file path/foo.ext.gz, and the timestamp of the gzipped file is equal or newer than the source file, use the gzipped file for delivery.

  - parameter "gzip_cmd" for "ns/fastpath" (default "")

    Command for zipping files in case the (static) gzipped version of the file is older than the source. The command is just used for re-gzipping outdated files, it does not actively compress files, which were previously not compressed (this would be wasteful for e.g. large tmp files, there is no cleanup, etc.). If this parameter is not defined, outdated gzipped files are ignored, and a warning is written to the error.log. Example setting: "/usr/bin/gzip -9".

  - parameter "gzip_refresh" (default false)

    When the parameter is set to true and the modification time of the compressed file is older than the modification time of the source then refresh the compressed file automatically with the command "::ns_gzipfile source target". When this parameter is not defined (or the refresh cmd fails), outdated gzip-ed files are ignored, a warning is written to the error.log and the content is delivered uncompressed.

  The content is never delivered gzipped on range requests.

* Security improvements:

  - Prevent potential HTTP response splitting attack: all response header fields are sanitized to avoid injection of header file contents potentially leading to HTTP response splitting attacks.
  - Improved nsssl driver
    * provide forward secrecy and DH key exchange with precompiled defaults
    * support elliptic curve cryptography (ECDH)
    * deactivated SSLv2
  - By using parameter "extraheaders" (see below) in nsssl one can activate HTTP Strict Transport Security (HSTS) for nsssl (see https://bitbucket.org/naviserver/nsssl/)
  - The sample configuration of nsssl leads to an "A+" rating from SSL labs.

* Mime-types overhaul:

  - NaviServer supports now all the mimetypes as defined via RFCs, W3C and IANA
  - Some incorrect mimetypes are fixed
  - scripted mimetype definitions produce warnings on overwriting of mimetypes and on useless definitions.

* Modules update:

  - include nsdbi* in packaged module tar file
  - extended options in ns_dbi for dbi_rows
  - added compatibility to nsdns for new versions of DiG (9.10.*)
  - fixes for nsudp (HTTP over UDP), nsdbpg, nszlib, nssmtpd, nsstats

Performance Improvements:

Bug Fixes:

* Tcl argument list parser: The old implementation could lead to crashes when Tcl_Objs were shared and the internal validation of the internal representation failed. Tcl_GetIndexFromObj() validates internal representations based on the pointer of the base string table, which works only reliably with static string tables. Since command definitions contain non-static fields (which cannot be determined at compile time) NaviServer can't use static string tables, but uses stack-allocated string tables for command definitions. This can lead to mix-ups for shared Tcl_Objs (keeping base of string table and index) in case two string tables are at the same position on the stack. As a consequence, the internal representation with a potentially wrong index is reused, leading to potential crashes. Now, the caching is only allowed for non-shared Tcl_Objs.

* Module loading: Previous versions of NaviServer loaded always "global modules" after per-server modules (and after blueprint generation). If e.g. a database module was loaded globally, it was not possible to refer to its defined command from the blueprint. Now, just the loading of network modules happens in the strict old order.

* Ns_CacheUnsetValue() is now more robust against code, where freeProc calls a ns_cache operation (such as e.g. nsdbipg). Before that modification, double free operations were possible when the cache was pruned.

* Make sure to initialize all members of Ns_DriverInitData to zero

* sockcallback.c: fix size of reallocation unit (many thanks to Wolfgang Winkler for pointing this out)

* tclmisc.c: fix incorrect type for allocation unit (sha context instead of md5 context)

* fix clock ensemble oddity in blueprint (error message: Error: time zone ":Tcl/Localtime" not found; many thanks to David Osborne)

* save Tcl interpreter aliases and ensembles in blueprint (Many thanks to Jeff Rogers)

* Fix generation of documentation: dtplite from tcllib 1.15 does not allow spaces in "titles" of manpages. Fix all manpages, such that build-doc works again.

Documentation improvements:

* Doc page for ns_return: added section for describing fastpath configuration
* Document that "ns_conn compress 0" can deactivate compression
* Updated documentation of deprecated commands in the source
* Fixed/updated/extended various man pages such as ns_tmpnam, ns_getform, ns_set
* Removed obsolete commands from the documentation (ns_set with -persist, -shared, ns_share)

Tcl API Changes:

* ns_setcookie, ns_getcookie ns_deletecookie:

  - ns_setcookie, ns_deletecookie: added flag "-replace" to replace already issued cookie requests in output headers; the same option is used in OpenACS.
  - ns_setcookie: added option "-discard" as specified in RFC 2965
  - ns_getcookie: added option ?-include_set_cookies bool? to search cookies being set as well (from output headers); the same option is used in OpenACS.

* ns_http:

  - Added flags "-file /varName/" and "-spoolsize /int/" to "ns_http wait". If the content of the obtained file is larger or equal than spoolsize, it is spooled to temp file, and the name of the temp file is returned in the variable provided by "-file". These options make it possible to retrieve also large content (e.g. video files) via ns_http without bloating memory
  - Additional parameter "-decompress" for "ns_http wait" to compress the result on the fly (incrementally) in case its content encoding is "gzip"

* ns_time: add option "ns_time format" to print a time in the sec:usec format in secs in a decimal dot notation

* Allow "ns_mktemp" to be called without template (makes migration simpler)

* Mark ns_tmpnam as deprecated since it uses a deprecated C-library function (use ns_mktemp instead)

* Mark ns_connsendfp as deprecated as documented (is superseded by ns_writefp)

C API Changes:

Incompatible API Changes:

Configuration Changes:

* New parameter "extraheaders" to drivers (e.g. nssock, nsssl). This feature allows an admin to specify extra reply headers sent back on every request. By using this feature, one can activate for example HTTP Strict Transport Security (HSTS) for nsssl (see https://bitbucket.org/naviserver/nsssl/)

* Update man pages and sample config files

Command Line Changes:

Code Changes:

* Added compatibility with OpenSolaris (e.g. OmniOS).

* Code Cleanup

  - reduce variable scopes to improve locality
  - Get rid of CVS variables
  - make test for byte-array safe for changes introduced in tcl 8.6 and back-ported to Tcl 8.5 (see e.g. http://core.tcl.tk/tcl/info/91be696bf3)
  - defined new macro NS_GNUC_DEPRECATED_FOR() to be able to provide replacement hint and use it where appropriate
  - improve error message

* Test environment:

  - nstest::http: added flag "-getmultiheaders" to return all header fields (multiset) with the specified name

* Build environment:

  - use recommended autoconf constants quoting
  - deactivate AM_* macros (get rid of warnings), since these are not used by autogen.sh
  - replace obsolete macro AC_TRY_RUN, AC_TRY_LINK
  - use recent version of install-sh and tcl.m4

* Extended regression test
From: Gustaf N. <ne...@wu...> - 2014-05-29 07:12:16
|
Dear Cesáreo,

"maxinput" is needed for the nsssl driver as well. The configuration values are not passed automatically from nssock to nsssl.

-gustaf

On 28.05.14 23:53, Cesáreo García Rodicio wrote:
> Hi
>
> I'm not completely sure that this is a naviserver issue (or an openacs)
> but just in case (before posting in Openacs forum)
>
> I get
> "Request Entity Too Large
> The request entity (e.g. file to be uploaded) is too large</em>"
>
> uploading big files (2MB) to Photo Album (in OpenACS) (via HTTPS)
>
> It has occurred to me with Naviserver (but not with Aolserver). I've
> kept aolserver config parameters, I mean:
>
> ---------
> set max_file_upload_mb 20
> set max_file_upload_min 5
>
> ns_section ns/server/${server}/module/nssock
>
> ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}]
> ns_param recvwait [expr {$max_file_upload_min * 60}]
> ---------
>
> am I missing anything? Does maxinput apply to nsssl config too?
>
> Thanks
> Cesáreo

--
Univ.Prof. Dr. Gustaf Neumann
WU Vienna
Institute of Information Systems and New Media
Welthandelsplatz 1, A-1020 Vienna, Austria
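The point of the reply above is that driver limits set under nssock are not inherited by nsssl. The following is an added example, not code from the thread or from NaviServer: a line-based check that reports watched parameters present in a server's nssock section but absent from its nsssl section. The function names, the watched list and the combined sample config are assumptions made for the illustration.

```python
import re

# Constructed input: the nssock settings quoted in the thread, plus an nsssl
# section that (as in the report) does not repeat them.
CONFIG_AS_REPORTED = """
set max_file_upload_mb 20
set max_file_upload_min 5

ns_section ns/server/${server}/module/nssock
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}]
ns_param recvwait [expr {$max_file_upload_min * 60}]

ns_section "ns/server/${server}/module/nsssl"
ns_param certificate $serverroot/etc/certificado.pem
"""

# Constructed input: the same file with the limits repeated for nsssl.
CONFIG_CORRECTED = CONFIG_AS_REPORTED + """\
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}]
ns_param recvwait [expr {$max_file_upload_min * 60}]
"""

SECTION_RE = re.compile(r'^\s*ns_section\s+"?([^"\s]+)"?')
PARAM_RE = re.compile(r'^\s*ns_param\s+(\S+)\s+(.*\S)\s*$')


def parse_sections(config_text):
    """Map each ns_section name to its {parameter: raw value} dictionary.

    This is a line-based approximation: the Tcl is not evaluated, so section
    names built at run time are compared as written in the file.
    """
    sections, current = {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip Tcl comments
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
            continue
        match = PARAM_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2)
    return sections


def params_missing_from_nsssl(config_text, watched=("maxinput", "recvwait")):
    """Return {nsssl section: [parameters set for nssock but not for nsssl]}."""
    sections = parse_sections(config_text)
    report = {}
    for name, params in sections.items():
        if not name.endswith("/module/nssock"):
            continue
        sibling = name[: -len("nssock")] + "nsssl"
        if sibling not in sections:
            continue  # this server has no HTTPS driver configured
        missing = [p for p in watched
                   if p in params and p not in sections[sibling]]
        if missing:
            report[sibling] = missing
    return report


if __name__ == "__main__":
    print(params_missing_from_nsssl(CONFIG_AS_REPORTED))
    print(params_missing_from_nsssl(CONFIG_CORRECTED))
```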
From: Cesáreo G. R. <ce...@ce...> - 2014-05-28 21:53:25
|
Hi

I'm not completely sure that this is a naviserver issue (or an openacs) but just in case (before posting in Openacs forum)

I get
"Request Entity Too Large
The request entity (e.g. file to be uploaded) is too large</em>"

uploading big files (2MB) to Photo Album (in OpenACS) (via HTTPS)

It has occurred to me with Naviserver (but not with Aolserver). I've kept aolserver config parameters, I mean:

---------
set max_file_upload_mb 20
set max_file_upload_min 5

ns_section ns/server/${server}/module/nssock

ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}]
ns_param recvwait [expr {$max_file_upload_min * 60}]
---------

am I missing anything? Does maxinput apply to nsssl config too?

Thanks
Cesáreo
From: Cesáreo G. R. <ce...@ce...> - 2014-05-12 11:28:44
|
Dear Gustaf!

Ok Thanks! I'll check it out. I resolved it using hg pull / hg update but I'll test using install-ns.sh (amazing and very useful script ;-) ).

I tried tcllib 1.16 as they said in http://core.tcl.tk/tcllib/home but perhaps they have changed repositories. It seems to be that current download is not in sourceforge (http://core.tcl.tk/tcllib/wiki?name=Downloads). Anyway I did only to test.

Cheers,
Cesáreo

On 11/May/14 20:15, Gustaf Neumann wrote:
> Dear Cesáreo
>
> the new version of install-ns.sh on openacs.org allows now to use HEAD
> as well for the modules.
>
> Concerning tcllib 1.16: There is no 1.16 on sourceforge
> http://sourceforge.net/projects/tcllib/files/tcllib/
>
> Not sure, this is intentional, but i'll contact the tcl guys about this.
>
> -gustaf neumann
>
>
> On 09.05.14 16:06, Cesáreo García Rodicio wrote:
>> Hi Gustaf
>>
>> I can imagine that.
>>
>> Anyway, only if it would be a good idea to use HEAD with modules. My
>> case use was now only with nsssl so I was trying to "update to HEAD"
>> every month or so.
>>
>> Also, if you are going to check install-ns. I try to use 1.16 version of
>> tcllib (not 1.15) and it fails (404 error). I didn't check carefully but
>> it you test.
>>
>> Thanks
>> Cesáreo
>>
>> On 09/May/14 10:28, Gustaf Neumann wrote:
>>> Hi Cesáreo,
>>>
>>> the various modules are distributed over multiple repositories, which has
>>> several implications on directory structures, dependencies are more
>>> complicated having multiple checkouts, etc.. We should have a new release
>>> soon, then we will have again the modules.tar file. The normal install
>>> case should be based on releases.
>>>
>>> ... and i'll check over the weekend to have a version of install-ns.sh
>>> to give better feedback when installing from "HEAD".
>>>
>>> -gn
>>>
>>> On 09.05.14 14:41, Cesáreo García Rodicio wrote:
>>>> Hi!
>>>>
>>>> I'm trying to set up the amazing install-ns.sh (it works nice for me) to
>>>> use HEAD version. Not only with Naviserver but with Modules too.
>>>>
>>>> It works nice with naviserver but there is no Modules HEAD File[1]
>>>>
>>>> Is it possible to use HEAD file of modules?
>>>>
>>>> Thanks
>>>> Cesáreo
>>>>
>>>>
>>>>
>>>>
>>>> [1]404 Error
>>>> Location:
>>>> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
>>>> [following]
>>>> --2014-05-09 09:32:05--
>>>> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
>>>> Resolving downloads.sourceforge.net... 216.34.181.59
>>>> Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
>>>> HTTP request sent, awaiting response... 404 Not Found
>>>> 2014-05-09 09:32:06 ERROR 404: Not Found.
>>>>
>>>
From: Gustaf N. <ne...@wu...> - 2014-05-11 23:15:32
|
Dear Cesáreo

the new version of install-ns.sh on openacs.org allows now to use HEAD as well for the modules.

Concerning tcllib 1.16: There is no 1.16 on sourceforge
http://sourceforge.net/projects/tcllib/files/tcllib/

Not sure, this is intentional, but i'll contact the tcl guys about this.

-gustaf neumann

On 09.05.14 16:06, Cesáreo García Rodicio wrote:
> Hi Gustaf
>
> I can imagine that.
>
> Anyway, only if it would be a good idea to use HEAD with modules. My
> case use was now only with nsssl so I was trying to "update to HEAD"
> every month or so.
>
> Also, if you are going to check install-ns. I try to use 1.16 version of
> tcllib (not 1.15) and it fails (404 error). I didn't check carefully but
> it you test.
>
> Thanks
> Cesáreo
>
> On 09/May/14 10:28, Gustaf Neumann wrote:
>> Hi Cesáreo,
>>
>> the various modules are distributed over multiple repositories, which has
>> several implications on directory structures, dependencies are more
>> complicated having multiple checkouts, etc.. We should have a new release
>> soon, then we will have again the modules.tar file. The normal install
>> case should be based on releases.
>>
>> ... and i'll check over the weekend to have a version of install-ns.sh
>> to give better feedback when installing from "HEAD".
>>
>> -gn
>>
>> On 09.05.14 14:41, Cesáreo García Rodicio wrote:
>>> Hi!
>>>
>>> I'm trying to set up the amazing install-ns.sh (it works nice for me) to
>>> use HEAD version. Not only with Naviserver but with Modules too.
>>>
>>> It works nice with naviserver but there is no Modules HEAD File[1]
>>>
>>> Is it possible to use HEAD file of modules?
>>>
>>> Thanks
>>> Cesáreo
>>>
>>>
>>>
>>>
>>> [1]404 Error
>>> Location:
>>> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
>>> [following]
>>> --2014-05-09 09:32:05--
>>> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
>>> Resolving downloads.sourceforge.net... 216.34.181.59
>>> Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
>>> HTTP request sent, awaiting response... 404 Not Found
>>> 2014-05-09 09:32:06 ERROR 404: Not Found.
>>>
>>
From: Cesáreo G. R. <ce...@ce...> - 2014-05-09 16:00:59
|
Dear Gustaf!

It is working now (an A+) with my nsssl setup[1]. I had to:

- Include StartSSL Certificates in certificado.pem. In this order:
    Server Certificate
    Subclass Certificate
    Root Certificate
    Private Key
    DH parameters
- HEAD installation (I use hg pull / hg update in the nsssl module)

Thanks!
Cesáreo

[1]
#---------------------------------------------------------------------
# SSL module configuration
# https://bitbucket.org/naviserver/nsssl
#---------------------------------------------------------------------
ns_section "ns/server/${server}/module/nsssl"
ns_param certificate $serverroot/etc/certificado.pem
# As in https://wiki.mozilla.org/Security/Server_Side_TLS
ns_param ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
ns_param protocols "SSLv3, TLSv1"
ns_param verify 0
ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}

On 24/April/14 04:28, Gustaf Neumann wrote:
> Dear Cesáreo,
>
> Concerning the chain issue: the .pem file can/should contain multiple
> certificates (the chain).
> Instructions how to obtain the chain are usually available from your
> certificate provider
>
> http://superuser.com/questions/644343/how-do-you-fix-an-incomplete-ssl-chain
> http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor
>
> From the qualys report for your site, it seems as if you have not
> configured
> HTTP Strict Transport Security correctly (see next-scripting.org for an
> example) yet.
> Note that you have to update and install naviserver to the tip version
> for this feature.
> When you connect to your site via https, check via e.g.
> firebug, whether
> it sends the line "Strict-Transport-Security: max-age=31536000;
> includeSubDomains"
> in the response.
>
> all the best
> -gustaf neumann
>
> On 22.04.14 16:23, Cesáreo García Rodicio wrote:
>> Gustaf,
>>
>> Amazing Work! I build nsssl 0.6 and I add extraheaders and it seems to
>> work fine.
>>
>> But I had some "chain issues" yet (I only get an A rating, not A+).
>>
>> Do I have to add, I mean "echo whatever >> certificate.pem", to
>> certificate.pem?
>>
>> On 12/April/14 14:54, Gustaf Neumann wrote:
>>> One more update: There is now an additional feature in NaviServer to
>>> allow a site admin to
>>> add extra reply header fields with little effort. The nssock and nsssl
>>> driver accept a new parameter
>>> extraheaders which contains an attribute/value list of extra reply
>>> header fields. By using e.g.
>>>
>>> ns_section ns/server/${servername}/module/nsssl
>>> ...
>>> ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}
>>> ...
>>>
>>> one can activate HTTP Strict Transport Security (HSTS) for https
>>> connections. With this activated,
>>> one can obtain an "A+" rating with NaviServer + ssl from Qualys SSL Labs.
>>>
>>> all the best
>>> -gustaf neumann
>>>
>>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>>> http://dev.chromium.org/sts
>>> https://tools.ietf.org/html/rfc6797
>>>
>>> On 10.04.14 11:53, Gustaf Neumann wrote:
>>>> Dear Friends,
>>>>
>>>> the bitbucket repository contains a new version of the nsssl module of
>>>> NaviServer that
>>>> makes it easier to obtain from Qualys SSL Labs an "A" rating with
>>>> actual versions
>>>> of openssl by supporting more ciphers.
>>>>
>>>> All the best
>>>> -gustaf neumann
>>>>
>>>> New in Version 0.5:
>>>> - Support for Elliptic Curve Cryptography
>>>> (such as Elliptic Curve Diffie-Hellman (ECDH))
>>>> - Provide compiled-in defaults for DH parameters
>>>> - Handling several SSL and TLS bugs.
>>>> - Deactivated SSLv2
>>>>
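The bundle layout reported in the message above (certificates first, then the private key, then DH parameters) can be checked before the file is handed to the server. This is an added example, not code from the thread or from nsssl; it inspects only PEM block labels and order, the sample bundles are constructed with placeholder bytes instead of real key material, and all function names are assumptions.

```python
import base64
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def make_block(label, filler):
    """Build a constructed PEM block whose body is placeholder bytes."""
    body = base64.b64encode(filler * 96).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


# Constructed sample bundles (placeholders, not real certificates or keys).
GOOD_BUNDLE = (make_block("CERTIFICATE", b"L") + make_block("CERTIFICATE", b"I")
               + make_block("CERTIFICATE", b"R") + make_block("PRIVATE KEY", b"K")
               + make_block("DH PARAMETERS", b"D"))
LEAF_ONLY_BUNDLE = (make_block("CERTIFICATE", b"L")
                    + make_block("PRIVATE KEY", b"K")
                    + make_block("DH PARAMETERS", b"D"))
KEY_FIRST_BUNDLE = (make_block("PRIVATE KEY", b"K")
                    + make_block("CERTIFICATE", b"L")
                    + make_block("CERTIFICATE", b"I"))


def pem_labels(text):
    """Return the block labels of a PEM bundle in file order."""
    labels = []
    for begin, body, end in PEM_BLOCK_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        # Raises binascii.Error (a ValueError) if the body is damaged.
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(begin)
    return labels


def check_bundle(text):
    """Return a list of problems with the bundle layout (empty if none)."""
    labels = pem_labels(text)
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    dh = [i for i, l in enumerate(labels) if l == "DH PARAMETERS"]
    problems = []
    if not certs:
        problems.append("no certificate in bundle")
    elif len(certs) == 1:
        problems.append("only one certificate present; intermediate "
                        "certificates are missing (incomplete chain)")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if certs and keys and min(keys) < max(certs):
        problems.append("private key appears before the end of the "
                        "certificate chain")
    if dh and keys and min(dh) < max(keys):
        problems.append("DH parameters appear before the private key")
    return problems


if __name__ == "__main__":
    for name in ("GOOD_BUNDLE", "LEAF_ONLY_BUNDLE", "KEY_FIRST_BUNDLE"):
        print(name, check_bundle(globals()[name]))
```

A label check cannot tell whether each certificate was actually issued by the next one in the file; that needs an X.509 parser or the scan report mentioned in the thread.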
From: Cesáreo G. R. <ce...@ce...> - 2014-05-09 15:10:00
|
Hi

As Gustaf said 5 years ago[1] (with aolserver), tdom version 0.83 has an annoying bug easy to fix.

I think that it has not always occurred to me, but today I did a clean install and I've seen it again.

If you use tdom (like with openacs) you'll see that error and you have to edit YOUR_NS_DIR/lib/tdom0.8.3/pkgIndex.tcl and add a blank space.

I send it here only to report it just in case (to not-pros like me ;-) )

Cheers
Cesáreo

[1]. https://groups.yahoo.com/neo/groups/tdom/conversations/topics/1872
From: Cesáreo G. R. <ce...@ce...> - 2014-05-09 14:07:06
|
Hi Gustaf

I can imagine that.

Anyway, only if it would be a good idea to use HEAD with modules. My case use was now only with nsssl so I was trying to "update to HEAD" every month or so.

Also, if you are going to check install-ns. I try to use 1.16 version of tcllib (not 1.15) and it fails (404 error). I didn't check carefully but it you test.

Thanks
Cesáreo

On 09/May/14 10:28, Gustaf Neumann wrote:
> Hi Cesáreo,
>
> the various modules are distributed over multiple repositories, which has
> several implications on directory structures, dependencies are more
> complicated having multiple checkouts, etc.. We should have a new release
> soon, then we will have again the modules.tar file. The normal install
> case should be based on releases.
>
> ... and i'll check over the weekend to have a version of install-ns.sh
> to give better feedback when installing from "HEAD".
>
> -gn
>
> On 09.05.14 14:41, Cesáreo García Rodicio wrote:
>> Hi!
>>
>> I'm trying to set up the amazing install-ns.sh (it works nice for me) to
>> use HEAD version. Not only with Naviserver but with Modules too.
>>
>> It works nice with naviserver but there is no Modules HEAD File[1]
>>
>> Is it possible to use HEAD file of modules?
>>
>> Thanks
>> Cesáreo
>>
>>
>>
>>
>> [1]404 Error
>> Location:
>> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
>> [following]
>> --2014-05-09 09:32:05--
>> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
>> Resolving downloads.sourceforge.net... 216.34.181.59
>> Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
>> HTTP request sent, awaiting response... 404 Not Found
>> 2014-05-09 09:32:06 ERROR 404: Not Found.
>>
From: Gustaf N. <ne...@wu...> - 2014-05-09 13:47:05
|
Hi Cesáreo,

the various modules are distributed over multiple repositories, which has several implications on directory structures, dependencies are more complicated having multiple checkouts, etc.. We should have a new release soon, then we will have again the modules.tar file. The normal install case should be based on releases.

... and i'll check over the weekend to have a version of install-ns.sh to give better feedback when installing from "HEAD".

-gn

On 09.05.14 14:41, Cesáreo García Rodicio wrote:
> Hi!
>
> I'm trying to set up the amazing install-ns.sh (it works nice for me) to
> use HEAD version. Not only with Naviserver but with Modules too.
>
> It works nice with naviserver but there is no Modules HEAD File[1]
>
> Is it possible to use HEAD file of modules?
>
> Thanks
> Cesáreo
>
>
>
>
> [1]404 Error
> Location:
> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
> [following]
> --2014-05-09 09:32:05--
> http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
> Resolving downloads.sourceforge.net... 216.34.181.59
> Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2014-05-09 09:32:06 ERROR 404: Not Found.
>
From: Cesáreo G. R. <ce...@ce...> - 2014-05-09 12:42:12
|
Hi!

I'm trying to set up the amazing install-ns.sh (it works nice for me) to use HEAD version. Not only with Naviserver but with Modules too.

It works nice with naviserver but there is no Modules HEAD File[1]

Is it possible to use HEAD file of modules?

Thanks
Cesáreo

[1]404 Error
Location:
http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
[following]
--2014-05-09 09:32:05--
http://downloads.sourceforge.net/sourceforge/naviserver/naviserver-HEAD-modules.tar.gz?download&failedmirror=heanet.dl.sourceforge.net
Resolving downloads.sourceforge.net... 216.34.181.59
Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-05-09 09:32:06 ERROR 404: Not Found.
From: Gustaf N. <ne...@wu...> - 2014-04-24 07:29:08
|
Dear Cesáreo,

Concerning the chain issue: the .pem file can/should contain multiple certificates (the chain). Instructions how to obtain the chain are usually available from your certificate provider

http://superuser.com/questions/644343/how-do-you-fix-an-incomplete-ssl-chain
http://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor

From the qualys report for your site, it seems as if you have not configured HTTP Strict Transport Security correctly (see next-scripting.org for an example) yet. Note that you have to update and install naviserver to the tip version for this feature. When you connect to your site via https, check via e.g. firebug, whether it sends the line "Strict-Transport-Security: max-age=31536000; includeSubDomains" in the response.

all the best
-gustaf neumann

On 22.04.14 16:23, Cesáreo García Rodicio wrote:
> Gustaf,
>
> Amazing Work! I build nsssl 0.6 and I add extraheaders and it seems to
> work fine.
>
> But I had some "chain issues" yet (I only get an A rating, not A+).
>
> Do I have to add, I mean "echo whatever >> certificate.pem", to
> certificate.pem?
>
> On 12/April/14 14:54, Gustaf Neumann wrote:
>> One more update: There is now an additional feature in NaviServer to
>> allow a site admin to
>> add extra reply header fields with little effort. The nssock and nsssl
>> driver accept a new parameter
>> extraheaders which contains an attribute/value list of extra reply
>> header fields. By using e.g.
>>
>> ns_section ns/server/${servername}/module/nsssl
>> ...
>> ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}
>> ...
>>
>> one can activate HTTP Strict Transport Security (HSTS) for https
>> connections. With this activated,
>> one can obtain an "A+" rating with NaviServer + ssl from Qualys SSL Labs.
>>
>> all the best
>> -gustaf neumann
>>
>> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>> http://dev.chromium.org/sts
>> https://tools.ietf.org/html/rfc6797
>>
>> On 10.04.14 11:53, Gustaf Neumann wrote:
>>> Dear Friends,
>>>
>>> the bitbucket repository contains a new version of the nsssl module of
>>> NaviServer that
>>> makes it easier to obtain from Qualys SSL Labs an "A" rating with
>>> actual versions
>>> of openssl by supporting more ciphers.
>>>
>>> All the best
>>> -gustaf neumann
>>>
>>> New in Version 0.5:
>>> - Support for Elliptic Curve Cryptography
>>> (such as Elliptic Curve Diffie-Hellman (ECDH))
>>> - Provide compiled-in defaults for DH parameters
>>> - Handling several SSL and TLS bugs.
>>> - Deactivated SSLv2
>>>
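The check described in the message above (does the response carry the Strict-Transport-Security line, and is it well formed) can be scripted. This is an added example, not code from the thread or from NaviServer: it parses a raw response head and validates the header against the syntax in RFC 6797. The sample responses are constructed, and the function names and the minimum max-age threshold are assumptions.

```python
import re

# Constructed sample response heads (not captured from a real server).
RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
RESPONSE_WITHOUT_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RESPONSE_BAD_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: includeSubDomains; max-age=abc\r\n"
    "\r\n"
)
RESPONSE_SHORT_AGE = (
    "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
)


def header_values(raw_head, name):
    """Return every value of header `name` (case-insensitive) in a raw head."""
    values = []
    lines = raw_head.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip status line
    for line in lines:
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def parse_hsts(value):
    """Parse an HSTS value into (directives, problems), RFC 6797 section 6.1."""
    directives, problems = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        key = key.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"') if sep else None  # quoted form is allowed
        if key in directives:
            problems.append(f"directive {key} appears more than once")
            continue
        directives[key] = val
    if "max-age" not in directives:
        problems.append("required directive max-age is missing")
    elif not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        problems.append("max-age is not a non-negative integer")
    if directives.get("includesubdomains") is not None:
        problems.append("includeSubDomains must not carry a value")
    return directives, problems


def check_hsts(raw_head, min_age=31536000):
    """Summarise the HSTS policy in a response head.

    min_age is an assumed policy threshold (the value used in the thread).
    """
    values = header_values(raw_head, "Strict-Transport-Security")
    if not values:
        return {"ok": False, "max_age": None, "include_subdomains": False,
                "problems": ["no Strict-Transport-Security header in the response"]}
    # RFC 6797 section 8.1: a client processes only the first such field.
    directives, problems = parse_hsts(values[0])
    if len(values) > 1:
        problems.append("header sent more than once; clients use only the first")
    raw_age = directives.get("max-age") or ""
    max_age = int(raw_age) if re.fullmatch(r"[0-9]+", raw_age) else None
    if max_age == 0:
        problems.append("max-age=0 makes browsers drop the HSTS policy")
    elif max_age is not None and max_age < min_age:
        problems.append(f"max-age {max_age} is below the expected minimum {min_age}")
    return {"ok": not problems, "max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "problems": problems}


if __name__ == "__main__":
    for head in (RESPONSE_WITH_HSTS, RESPONSE_WITHOUT_HSTS,
                 RESPONSE_BAD_HSTS, RESPONSE_SHORT_AGE):
        print(check_hsts(head))
```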
From: Cesáreo G. R. <ce...@ce...> - 2014-04-22 14:23:55
|
Gustaf,

Amazing Work! I build nsssl 0.6 and I add extraheaders and it seems to work fine.

But I had some "chain issues" yet (I only get an A rating, not A+).

Do I have to add, I mean "echo whatever >> certificate.pem", to certificate.pem?

On 12/April/14 14:54, Gustaf Neumann wrote:
> One more update: There is now an additional feature in NaviServer to
> allow a site admin to
> add extra reply header fields with little effort. The nssock and nsssl
> driver accept a new parameter
> extraheaders which contains an attribute/value list of extra reply
> header fields. By using e.g.
>
> ns_section ns/server/${servername}/module/nsssl
> ...
> ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}
> ...
>
> one can activate HTTP Strict Transport Security (HSTS) for https
> connections. With this activated,
> one can obtain an "A+" rating with NaviServer + ssl from Qualys SSL Labs.
>
> all the best
> -gustaf neumann
>
> http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> http://dev.chromium.org/sts
> https://tools.ietf.org/html/rfc6797
>
> On 10.04.14 11:53, Gustaf Neumann wrote:
>> Dear Friends,
>>
>> the bitbucket repository contains a new version of the nsssl module of
>> NaviServer that
>> makes it easier to obtain from Qualys SSL Labs an "A" rating with
>> actual versions
>> of openssl by supporting more ciphers.
>>
>> All the best
>> -gustaf neumann
>>
>> New in Version 0.5:
>> - Support for Elliptic Curve Cryptography
>> (such as Elliptic Curve Diffie-Hellman (ECDH))
>> - Provide compiled-in defaults for DH parameters
>> - Handling several SSL and TLS bugs.
>> - Deactivated SSLv2
>>
From: Gustaf N. <ne...@wu...> - 2014-04-12 12:54:56
|
One more update: There is now an additional feature in NaviServer to allow a site admin to add extra reply header fields with little effort. The nssock and nsssl driver accept a new parameter extraheaders which contains an attribute/value list of extra reply header fields. By using e.g.

   ns_section ns/server/${servername}/module/nsssl
   ...
   ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains"}
   ...

one can activate HTTP Strict Transport Security (HSTS) for https connections. With this activated, one can obtain an "A+" rating with NaviServer + ssl from Qualys SSL Labs.

all the best
-gustaf neumann

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
http://dev.chromium.org/sts
https://tools.ietf.org/html/rfc6797

On 10.04.14 11:53, Gustaf Neumann wrote:
> Dear Friends,
>
> the bitbucket repository contains a new version of the nsssl module of
> NaviServer that
> makes it easier to obtain from Qualys SSL Labs an "A" rating with
> actual versions
> of openssl by supporting more ciphers.
>
> All the best
> -gustaf neumann
>
> New in Version 0.5:
> - Support for Elliptic Curve Cryptography
> (such as Elliptic Curve Diffie-Hellman (ECDH))
> - Provide compiled-in defaults for DH parameters
> - Handling several SSL and TLS bugs.
> - Deactivated SSLv2
>
From: Gustaf N. <ne...@wu...> - 2014-04-10 09:53:54
|
Dear Friends,

the bitbucket repository contains a new version of the nsssl module of NaviServer that makes it easier to obtain from Qualys SSL Labs an "A" rating with actual versions of openssl by supporting more ciphers.

All the best
-gustaf neumann

New in Version 0.5:
- Support for Elliptic Curve Cryptography
  (such as Elliptic Curve Diffie-Hellman (ECDH))
- Provide compiled-in defaults for DH parameters
- Handling several SSL and TLS bugs.
- Deactivated SSLv2