From: Nicolas B. <ni...@ma...> - 2004-10-07 14:03:39
Colin McCormack wrote:

>On Thu, 2004-10-07 at 19:14, Nicolas Boretos wrote:
>
>>As much as I
>>understand, "tclhttpd" is my "single user", and that
>>read/writes are sequential/serialized, the equivalent of opening a
>>console and playing with the mk db...
>
>That's a good way to look at it.

So, does this mean you feel that I should not have concurrency issues w/ the mk?

>>We are running single threaded tclkit, with the stripped down
>>tclhttpdmin.kit for the web-server, on a debian3 box
>
>Debian and tclhttpd? You are clearly a man of discretion and good
>taste. :)
>
>>A few key points about the app.
>>1. A .tclaccess file permits access to the db
>
>Wrong place. Should be a .tml file (just dir/.tml is sourced in.)

I'm not sure I get it ;-(... The .tclaccess file calls the browser's login stuff... I'm not sure that a .tml file is designed for this. Or, am I misunderstanding you...

>>2. From then on, ncgi package is used for user_id and all form variables
>>3. The whole app uses self-posting .tml pages, with Doc_Redirects to the
>>next page...
>
>I like this approach, I like .tml pages.

I do too..

>Handling state through Redirects is a pain though. Perhaps we should
>come up with a nicer abstraction to cover the messy details of building
>systems of DFSAs to represent interactions via templates.

Great idea!... Errr, WTF is a DFSA?

I have really gotten burned by redirects and form variables with it this time...

This project kinda went like this...

Are you sure you don't want a desktop app? No, it's a really simple app they say, and the Web is good ;-)
We started with simple entry (submits)---o.k.
Then "they" wanted to edit the stuff..
So now we had to populate the pages w/ data read. (now we have logics like new record? old record? etc..)
We also had to read and overwrite the db with the edits.....
Then they wanted "sessions within a page", good case for mk's nested views here... but correctly populating the pages w/ db reads became a chore..
Then they wanted to query the db, see all records, but be able to edit only their own data....
And now they want to distribute the app at some point read-only ('bout my only saving grace here... tclhttpd-startkit anyone?

>One facility you should become familiar with is [Httpd_Suspend] and
>[Httpd_Resume], which allows you to leave the connection open (for some
>period) while processing other incoming connections. It might be useful
>in this application.

I think in this case I would probably want the opposite; meaning I want to complete my current mk transaction before moving on to the next...

regards,
nicolas
From: Colin M. <co...@ch...> - 2004-10-07 10:47:50
On Thu, 2004-10-07 at 19:14, Nicolas Boretos wrote:

> As much as I
> understand, "tclhttpd" is my "single user", and that
> read/writes are sequential/serialized, the equivalent of opening a
> console and playing with the mk db...

That's a good way to look at it.

> We are running single threaded tclkit, with the stripped down
> tclhttpdmin.kit for the web-server, on a debian3 box

Debian and tclhttpd? You are clearly a man of discretion and good taste. :)

> A few key points about the app.
> 1. A .tclaccess file permits access to the db

Wrong place. Should be a .tml file (just dir/.tml is sourced in.)

> 2. From then on, ncgi package is used for user_id and all form variables
> 3. The whole app uses self-posting .tml pages, with Doc_Redirects to the
> next page...

I like this approach, I like .tml pages.

Handling state through Redirects is a pain though. Perhaps we should come up with a nicer abstraction to cover the messy details of building systems of DFSAs to represent interactions via templates.

One facility you should become familiar with is [Httpd_Suspend] and [Httpd_Resume], which allows you to leave the connection open (for some period) while processing other incoming connections. It might be useful in this application.

--
Colin McCormack <co...@ch...>
From: Nicolas B. <ni...@ma...> - 2004-10-07 09:16:26
Hello,

A quick sanity check from tclhttpd users would be appreciated..

We have developed a web-db, data entry app that uses tclhttpd to "proxy" read/writes to a Metakit db, in-process; not as a cgi call.

We have about 10 users that use the db, most of the time, 1-3 users might be reading/writing at the same time....

My question is: I am aware that metakit is basically a single user db, but as I said, it is run under tclhttpd.. Is there any potential problem in using this approach. As much as I understand, "tclhttpd" is my "single user", and that read/writes are sequential/serialized, the equivalent of opening a console and playing with the mk db...

We are running single threaded tclkit, with the stripped down tclhttpdmin.kit for the web-server, on a debian3 box

I discussed this approach w/ JCW, and he seems to feel that this approach should not create any mk problems, but want to run this by this list.

A few key points about the app.
1. A .tclaccess file permits access to the db
2. From then on, ncgi package is used for user_id and all form variables
3. The whole app uses self-posting .tml pages, with Doc_Redirects to the next page...

regards and thanx in advance,
nicolas boretos
From: David G. <dav...@po...> - 2004-10-06 05:36:43
Colin McCormack <co...@ch...> wrote:

>I've been noticing quite a few extremely long bogus URLs, presumably
>from MS virus-ridden machines attempting a buffer overflow in some
>lamentably bad MS web server (ISS?)
>
>The URLs have the form SEARCH / followed by 64Kb of 0x902f 0xb102 ...
>
>I think this really clags up our regexp at lib/httpd.tcl line 611 (the
>one in state 1,$start which splits the line up into prototype and URL)
>although it's hard for me to tell because the xemacs buffer I'm using to
>test usually crashes when I try to manipulate the 64k literal string :)
>
>I wonder what people think might be good effective protective measures
>against this 'sploit?

How about an ignore list of IPs the user may want to block? I got about a dozen attempts a day to act as a mail proxy from a few repeating IPs. I block them at my router, but a list tclhttpd used would be a feature I would make use of.

--
David Gravereaux <dav...@po...>
[species: human; planet: earth,milkyway(western spiral arm),alpha sector]
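The two measures raised in this exchange, a cap on the request line before any regexp runs and a per-address ignore list, can be combined in a small pre-parse check. This is an added Tcl example, not tclhttpd code: the `guard` namespace, its limits and the sample address are assumptions, and the request lines are constructed.

```tcl
# Added example; not part of tclhttpd. All names and limits are hypothetical.
namespace eval guard {
    variable maxLine 8192      ;# assumed cap on the request line, in bytes
    variable maxStrikes 3      ;# oversize requests tolerated per address
    variable ignore            ;# array: ip -> 1 for ignored addresses
    variable strikes           ;# array: ip -> count of oversize requests
    array set ignore {}
    array set strikes {}
}

# Classify one request line before the protocol/URL regexp sees it.
# Returns "ok", "414" (line too long) or "drop" (address is ignored).
proc guard::check {ip line} {
    variable maxLine
    variable maxStrikes
    variable ignore
    variable strikes

    if {[info exists ignore($ip)]} {
        return drop
    }
    if {[string length $line] > $maxLine} {
        # Count the offence; repeat offenders go on the ignore list.
        if {![info exists strikes($ip)]} {
            set strikes($ip) 0
        }
        if {[incr strikes($ip)] >= $maxStrikes} {
            set ignore($ip) 1
        }
        return 414
    }
    return ok
}

# Operator-maintained entries, as suggested in the reply above.
proc guard::block {ip} {
    variable ignore
    set ignore($ip) 1
}

# Constructed sample traffic from one documentation-range address:
# a normal request, three oversize SEARCH lines, then another request.
set long "SEARCH /[string repeat A 65536] HTTP/1.1"
set lines [list "GET /index.html HTTP/1.0" $long $long $long "GET / HTTP/1.0"]
foreach line $lines {
    puts "[string length $line] bytes -> [guard::check 192.0.2.10 $line]"
}
```

The length test only keeps the oversize line away from the regexp; bounding how much is read from the socket in the first place needs a limit in the read loop as well.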
From: Brent W. <we...@pa...> - 2004-10-05 01:10:48
>>>"Heravi, Mel M." said:
> I have a script Junk.cgi in cgi-bin directory, which source(es) a
> starkit that I placed in the cgi-bin directory. Somehow the "Source"
> command seems to look into mk4tcl to get the file !!! Is this true ? If
> so, how can I source a file from within a starkit(ed) application ?

You have to be a bit careful with CGI and starkits. First, if you put your cgi-bin directory inside your starkit, then try to access those scripts, it's gonna fail because the host operating system is trying to run those scripts. But, it has no idea about what is inside the starkit.

--
Brent Welch
Software Architect, Panasas Inc
Delivering the premier storage system for scalable Linux clusters

www.panasas.com
we...@pa...
From: Heravi, M. M. <mel...@hp...> - 2004-10-01 16:49:00
I have a script Junk.cgi in cgi-bin directory, which source(es) a starkit that I placed in the cgi-bin directory. Somehow the "Source" command seems to look into mk4tcl to get the file !!! Is this true ? If so, how can I source a file from within a starkit(ed) application ?
From: Heravi, M. M. <mel...@hp...> - 2004-10-01 15:44:11
i have starkit(ed) my entire website into site.kit and placed it in cgi-bin directory
created a "run.cgi" in the cgi-bin
it works fine when i run "main.tcl" from tclhttpd dir, but when i wrap it to create a tclhttpd.exe file, i get the message that "The page cannot be displayed"
can someone help ?

PS:- Why is it looking in the mk database ?

I got a little further using debug and here is the result:

httpd % puts $::errorInfo
file open failed
    while executing
"mk::file open mk4vfs1 C:/tmp/Tclhttpd.exe/htdocs/cgi-bin/RedOlive/asp.kit -readonly"
    ("eval" body line 1)
    invoked from within
"eval [list mk::file open $db $file] $args"
    (procedure "::mk4vfs::_mount" line 4)
    invoked from within
From: Colin M. <co...@ch...> - 2004-09-30 23:47:56
Thanks Erik,

I'll take this offline and see if Svenn and I can work out what's going on. If there's general value, I'll feed it back.

Colin.

On Fri, 2004-10-01 at 04:21, Erik Leunissen wrote:
> Forwarded from c.l.t.
>
> -------- Original Message --------
> Subject: Access Control in tclhttpd
> Date: 27 Sep 2004 13:20:57 -0700
> From: sve...@bj...
> Organization: http://groups.google.com
> Newsgroups: comp.lang.tcl
>
> Hi,
>
> I have installed vanilla tclhttpd 3.5.1 on my winxp machine to have a
> httpd server to run usemod wiki as a cgi-bin. I cannot use apache as
> its install wants to access the registry which is closed for userland
> modifications. Tclhttpd runs fine and I can browse the pages contained
> in the default distribution.
>
> Except the password protected pages.
>
> I have read the access control page and see that in order to create
> users and passwords I should use the Access Control Editor with the
> username webmaster and the password that is saved in
> c:\tmp\tclhttpd.default. I notice that tclhttpd recreates a new
> password each time I start the server, but when I want to access the
> Access Control Editor with the username and the currently generated
> password, I get no access.
>
> I have looked around on tcl'ers wiki and in the Practical Programming
> in Tcl and Tk and searched the group without getting any wiser.
> The Use of Access Editor talks about AuthUserFile and AuthGroupFile,
> but they are supposed to live in /usr/local/htaccess which I guess is
> unix only.
>
> I found a passwd and a group file in
> c:\tcl\lib\tclhttpd3.5.1\htaccess\win32 but I don't know what to do
> with them as I guess they contain encrypted passwords.
>
> Does anybody have a stupid end users guide to getting access control
> right on tclhttpd?

--
Colin McCormack <co...@ch...>
From: Erik L. <e.l...@hc...> - 2004-09-30 19:29:56
Forwarded from c.l.t.

-------- Original Message --------
Subject: Access Control in tclhttpd
Date: 27 Sep 2004 13:20:57 -0700
From: sve...@bj...
Organization: http://groups.google.com
Newsgroups: comp.lang.tcl

Hi,

I have installed vanilla tclhttpd 3.5.1 on my winxp machine to have a httpd server to run usemod wiki as a cgi-bin. I cannot use apache as its install wants to access the registry which is closed for userland modifications. Tclhttpd runs fine and I can browse the pages contained in the default distribution.

Except the password protected pages.

I have read the access control page and see that in order to create users and passwords I should use the Access Control Editor with the username webmaster and the password that is saved in c:\tmp\tclhttpd.default. I notice that tclhttpd recreates a new password each time I start the server, but when I want to access the Access Control Editor with the username and the currently generated password, I get no access.

I have looked around on tcl'ers wiki and in the Practical Programming in Tcl and Tk and searched the group without getting any wiser. The Use of Access Editor talks about AuthUserFile and AuthGroupFile, but they are supposed to live in /usr/local/htaccess which I guess is unix only.

I found a passwd and a group file in c:\tcl\lib\tclhttpd3.5.1\htaccess\win32 but I don't know what to do with them as I guess they contain encrypted passwords.

Does anybody have a stupid end users guide to getting access control right on tclhttpd?

--
Svenn
From: Colin M. <co...@ch...> - 2004-09-29 07:35:43
I've just created a module suitable for /custom which provides generic caching.

[Cache_Fetch] will send a cached version of a file to the client (if it exists, and is newer than the proffered path)

[Cache_Store] will store typed content to a cache file, and send the content to the client.

I've rewritten the stml handler to use this facility.

It's here on the wiki: http://mini.net/tcl/12549 and I'll move it into custom/ distro when it's been tested and bedded in.

The upshot is that it should now be possible to use [Doc_$type] processing to do everything Template processing now does, but for arbitrary interpreters/transformers over arbitrary file types/extensions.

Generic caching is also fully integrated with per-socket post-filtering.

I imagine it would be usable for Direct domains, too.

--
Colin McCormack <co...@ch...>
From: Colin M. <co...@ch...> - 2004-09-29 04:47:31
I was feeling energetic in a documentation kind of way, so I threw together a mini-tutorial on the subject of file extensions and Content-Type here: http://mini.net/tcl/11569

It was prompted by my thinking about Matthias Hoffmann's problem, and the questions of generic templating, not-found handling, wrapping, stacking and such, but it doesn't address Matthias' problems.

--
Colin McCormack <co...@ch...>
From: Brent W. <we...@pa...> - 2004-09-28 03:49:27
Hmm - this has a ring of familiarity to it. I believe it has to do with the way the web server hunts around for index files that doesn't quite work in the starkit. I cannot recall the exact difficulty. The error message is misleading, if I recall correctly, and actually something has gone wrong a bit earlier.

>>>Matthias Hoffmann said:
> Hello again,
>
> on my windows systems, starting the tclhttpd3.5.1.kit gives a weird
> error. I've set up things (.rc, environment, httproot, and so on) to
> work just as my existing productive tclhttpd server (not
> starpack/tclkit
> based, that version is 3.4.2, tclsh 8.4.4), and at first glance it
> looks
> like everything is working fine. But checking several URLs it turns
> out
> that only those are working, which have .TMLs with [Doc_Dynamic] or
> .TMLs for which the .HTM(L) is not generated yet. Otherwise, it seems
> that one level of the hierarchy specified in the URL is removed, so the
> resulting URL gives a not found error, e.g.:
>
> URL is http://localhost/edv/adm/index
> Clicking on it gives /adm/index.htm not found
>
> What went wrong here?!

--
Brent Welch
Software Architect, Panasas Inc
Delivering the premier storage system for scalable Linux clusters

www.panasas.com
we...@pa...
From: Matthias H. <M.H...@hm...> - 2004-09-27 06:35:47
Hello again,

on my windows systems, starting the tclhttpd3.5.1.kit gives a weird error. I've set up things (.rc, environment, httproot, and so on) to work just as my existing productive tclhttpd server (not starpack/tclkit based, that version is 3.4.2, tclsh 8.4.4), and at first glance it looks like everything is working fine. But checking several URLs it turns out that only those are working, which have .TMLs with [Doc_Dynamic] or .TMLs for which the .HTM(L) is not generated yet. Otherwise, it seems that one level of the hierarchy specified in the URL is removed, so the resulting URL gives a not found error, e.g.:

URL is http://localhost/edv/adm/index
Clicking on it gives /adm/index.htm not found

What went wrong here?!

Regards,

--
Hamburg Münchener Krankenkasse, Hauptverwaltung
Matthias Hoffmann
Systemtechnik HV 202.1
Schäferkampsallee 16
D-20357 Hamburg
Tel. +49 40 41535-232
Fax +49 40 41535-359
Mail M.H...@hm...
From: Matthias H. <M.H...@hm...> - 2004-09-27 05:52:20
Hello!

on my windows systems, starting the tclhttpd3.5.1.kit gives the following error:

Error processing main startup script "D:\PGM\WebSrv5\bin\tclhttpd3.5.1.kit\bin\httpdthread.tcl".
couldn't open "/tmp/tclhttpd.default": no such file or directory
    while executing
"open $Config(AuthDefaultFile) w 0660"
    invoked from within
"if {[info exists Config(Auth)]} {
    foreach {var val} $Config(Auth) {
        if {[string match user,* $var]} {
            # encrypt the password
            set salt [..."
    (file "D:/PGM/WebSrv5/bin/tclhttpd3.5.1.kit/bin/../lib/tclhttpd3.5.1/auth.tcl" line 72)
    invoked from within
"source D:/PGM/WebSrv5/bin/tclhttpd3.5.1.kit/bin/../lib/tclhttpd3.5.1/auth.tcl"
    ("package ifneeded" script)
    invoked from within
"package require httpd::auth "
:
:

I think, the reason is the following statement in AUTH.TCL, which silently ignores platform dependencies....:

if {![info exists Config(AuthDefaultFile)]} {
    set Config(AuthDefaultFile) /tmp/tclhttpd.default
}

Sure, after MD <drive:>/TMP, the thing works. But the position of a temporary file should better be acquired from the system or at least looked up at the usual system specific positions (at windows, env(temp) or env(tmp) for the user specific temp path).

Best regards,

--
Hamburg Münchener Krankenkasse, Hauptverwaltung
Matthias Hoffmann
Systemtechnik HV 202.1
Schäferkampsallee 16
D-20357 Hamburg
Tel. +49 40 41535-232
Fax +49 40 41535-359
Mail M.H...@hm...
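One way to do what this message asks for, taking the temp directory from the platform instead of hard-coding /tmp, shown as an added Tcl example rather than the project's own auth.tcl. The procs `pick_temp_dir` and `write_default_password` are hypothetical, and the 0600 mode with an exclusive create is this example's choice for a file that holds a generated password (the page's code opens it with `w 0660`).

```tcl
# Added example; not tclhttpd code. Proc names are hypothetical.

# Return the first usable temporary directory for this platform:
# TEMP/TMP on Windows, TMPDIR then /tmp elsewhere.
proc pick_temp_dir {} {
    global env tcl_platform
    set candidates {}
    if {$tcl_platform(platform) eq "windows"} {
        foreach var {TEMP TMP} {
            if {[info exists env($var)]} {
                lappend candidates $env($var)
            }
        }
    } else {
        if {[info exists env(TMPDIR)]} {
            lappend candidates $env(TMPDIR)
        }
        lappend candidates /tmp
    }
    foreach dir $candidates {
        if {[file isdirectory $dir] && [file writable $dir]} {
            return [file normalize $dir]
        }
    }
    error "no writable temporary directory (tried: $candidates)"
}

# Write the generated password without trusting whatever already sits at
# $path: create a fresh sibling file with EXCL (fails if the name exists,
# including as a symlink), then rename it over the old file.
# On Windows the permission bits are largely ignored by the file system.
proc write_default_password {path password} {
    set tmp "$path.[pid].[clock clicks]"
    set fd [open $tmp {WRONLY CREAT EXCL} 0600]
    if {[catch {
        puts $fd $password
        close $fd
        file rename -force -- $tmp $path
    } err]} {
        catch {close $fd}
        file delete -- $tmp
        error $err
    }
    return $path
}

# Same guard as the statement quoted from auth.tcl, with the
# platform-aware default in place of the literal /tmp path.
if {![info exists Config(AuthDefaultFile)]} {
    set Config(AuthDefaultFile) [file join [pick_temp_dir] tclhttpd.default]
}

# Constructed value standing in for the generated webmaster password.
puts [write_default_password $Config(AuthDefaultFile) "constructed-sample"]
```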
From: Angel S. <xt...@am...> - 2004-09-17 03:02:26
Colin McCormack wrote:

>For what it's worth,
>
>sampleapps/ca/ contains a working facility to generate a server
>certificate and kick off https server on the fly.
>
>On Wed, 2004-09-15 at 13:31, Angel Sosa wrote:
>
>>>> Would you be able to supply a complete sample of a literal
>>>>openssl.cnf configuration file, literal instructions to generate the
>>>>keys, self signed certs, requests and root CA? Please assume that I am signing
>>>>my own certs. And finally any changes that need to be made to match the
>>>>openssl.cnf and the tclhttpd.rc configuration file. I have tried
>>>>various examples to no avail. I have also used the TLS tcl package piece
>>>>to other sites and it works just fine. I have followed the example in
>>>>your readme that is included with the CD of your latest book. But to no
>>>>avail when it comes to SSL as it relates to TclHttpd.

Colin,

Thanks for your help! I did get the SSL portion to work with Mr. Welch last set of instructions.

In reference to your suggestion: I do see the sampleapps/ directory underneath tclhttpd3.5.1/ . But I did not find the ca/ subdirectory.

These are the directories directly underneath sampleapps/

addnode/ ddehack/ login_cookie/ session/ sunscript/ bugdb/ kit_forms/ mkweb/ sendsock/ snmp/ upload/

I also searched from the root of the source directory "tclhttpd3.5.1/"

I will look further. Thanks Again.

From: Angel Sosa xt...@am...
From: Colin M. <co...@ch...> - 2004-09-17 02:25:54
For what it's worth,

sampleapps/ca/ contains a working facility to generate a server certificate and kick off https server on the fly.

On Wed, 2004-09-15 at 13:31, Angel Sosa wrote:
> > > Would you be able to supply a complete sample of a literal
> > > openssl.cnf configuration file, literal instructions to generate the
> > > keys, self signed certs, requests and root CA? Please assume that I am signing
> > > my own certs. And finally any changes that need to be made to match the
> > > openssl.cnf and the tclhttpd.rc configuration file. I have tried
> > > various examples to no avail. I have also used the TLS tcl package piece
> > > to other sites and it works just fine. I have followed the example in
> > > your readme that is included with the CD of your latest book. But to no
> > > avail when it comes to SSL as it relates to TclHttpd.

--
Colin McCormack <co...@ch...>
From: Colin M. <co...@ch...> - 2004-09-16 06:26:52
Shouldn't be necessary to mod upload.tcl.

Firstly, you can specify -unique 1 to the upload domain, and all file names will have .[clock clicks] appended to them.

You can also specify -command cmd to the domain, and write a callback proc to get control after upload completion, at which point you can rename or denature them as you see fit.

You can also limit the max filesize, max number of files and total filesize, so it's pretty cool.

Of course, if what you're worried about is the possibility of someone uploading a .tml file, I would recommend that you don't put your upload directory *anywhere* under a document root, thus nobody can ever execute anything that's uploaded. If you want to subsequently move the files under a docroot, after inspection, use the -command callback for it.

Colin.

On Thu, 2004-09-16 at 15:22, Jeff Smith wrote:
> Hi all,
>
> Is there a way of preventing certain file names or
> file extensions from being uploaded via the file
> upload domain? At the moment I am thinking of
> modifying upload.tcl. Am I on the right track or is
> there a better way?
>
> Kind Regards
>
> Jeff Smith

--
Colin McCormack <co...@ch...>
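The inspection step recommended in this reply (keep the upload directory outside every document root, and move a file under a docroot only after checking it) could look like the following. This is an added Tcl example, not tclhttpd code: the proc names, the allow-list and the sample file names are assumptions, and the `.<digits>` suffix handling assumes the `-unique 1` naming described above. How the check is wired to the `-command` callback is left out because the callback's arguments are not shown in the thread.

```tcl
# Added example; not tclhttpd code. Names and the allow-list are hypothetical.

# True if $path lies inside $root after both are normalized
# (relative parts and ".." are resolved before comparing).
proc path_is_under {path root} {
    set p [file split [file normalize $path]]
    set r [file split [file normalize $root]]
    set n [llength $r]
    if {[llength $p] < $n} {
        return 0
    }
    foreach a [lrange $p 0 [expr {$n - 1}]] b $r {
        if {$a ne $b} {
            return 0
        }
    }
    return 1
}

# Strip the ".<clock clicks>" suffix that -unique 1 appends (assumed format).
proc strip_unique_suffix {name} {
    regsub {\.-?[0-9]+$} $name {} base
    return $base
}

# May this uploaded name be published under a document root?
# Dot-files (.tml, .tclaccess) and anything off the allow-list are refused.
proc upload_may_publish {name {allowed {.txt .png .jpg .pdf}}} {
    if {[regexp {[/\\]} $name]} {
        return 0                ;# no path components in an upload name
    }
    set base [strip_unique_suffix $name]
    if {$base eq "" || [string index $base 0] eq "."} {
        return 0
    }
    set ext [string tolower [file extension $base]]
    return [expr {[lsearch -exact $allowed $ext] >= 0}]
}

# Move an inspected upload under the docroot; returns the new path,
# or "" when the name is refused. Never overwrites an existing file.
proc promote_upload {src uploadDir docRoot} {
    if {[path_is_under $uploadDir $docRoot]} {
        error "upload directory $uploadDir is inside document root $docRoot"
    }
    set name [file tail $src]
    if {![upload_may_publish $name]} {
        return ""
    }
    set dest [file join $docRoot [strip_unique_suffix $name]]
    file rename -- $src $dest
    return $dest
}

# Constructed sample names, as they would appear with -unique 1.
foreach name {notes.txt.118234 photo.JPG.99 page.tml.5512 .tml.77 run.cgi.3} {
    puts "$name -> [upload_may_publish $name]"
}
puts [path_is_under /var/www/htdocs/upload /var/www/htdocs]
puts [path_is_under /var/spool/upload /var/www/htdocs]
```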
From: Jeff S. <hea...@ya...> - 2004-09-16 05:22:56
Hi all,

Is there a way of preventing certain file names or file extensions from being uploaded via the file upload domain? At the moment I am thinking of modifying upload.tcl. Am I on the right track or is there a better way?

Kind Regards

Jeff Smith
From: Angel S. <xt...@am...> - 2004-09-16 03:24:29
Brent Welch wrote:

>I'll attach the readme that I put together the last time I created certs.
>I believe this is newer than what is on the book's CD. I would appreciate
>it if you would try stepping through this and telling me specifically
>what steps don't work. We should end up with working directions!
>
>>>>Angel Sosa said:
> > Dear Mr Welch,
> >
> > I am sure you receive tons of email but if you permit me I would
> > like to ask a question about TclHttpd. I have been using it for the last
> > six months with a lot of success. I would like to move to the next level and
> > enable the SSL portion of the web server. I have all of the modules
> > needed in order for SSL to work and the supporting TCL packages. I have
> > SSL working in other scenarios. But I am having a lot of trouble
> > applying the Keys, PEMS and the CERTS under the proper categories within the
> > tclhttpd.rc configuration file. Just for additional information, I have
> > tested the same setup with Apache 2.x and SSL works fine. I
> > also have a VPN working with SSL. The only Web server I am running is
> > TclHttpd. The port 80 stuff works just fine. I have also taken traces
> > with Ethereal. I have traced the traffic going to 443. The hello packet
> > goes out but soon after that the TclHttpd resets the connection. 443 is
> > only used by TclHttpd. And it has also been tried on other ports as well
> > including 8016. And I still have not been successful with same results as 443.
> >
> > Would you be able to supply a complete sample of a literal
> > openssl.cnf configuration file, literal instructions to generate the
> > keys, self signed certs, requests and root CA? Please assume that I am signing
> > my own certs. And finally any changes that need to be made to match the
> > openssl.cnf and the tclhttpd.rc configuration file. I have tried
> > various examples to no avail. I have also used the TLS tcl package piece
> > to other sites and it works just fine. I have followed the example in
> > your readme that is included with the CD of your latest book. But to no
> > avail when it comes to SSL as it relates to TclHttpd.
> >
> > Thank you Mr. Welch for your time. If there is someone you can refer
> > me to in case you do not have the time, that would work too.
> >
> > Angel Sosa xt...@am...
>
>--
>Brent Welch
>Software Architect, Panasas Inc
>Delivering the premier storage system for scalable Linux clusters
>
>www.panasas.com
>we...@pa...
>
>------------------------------------------------------------------------
>
>While TclHttpd can support SSL, you will need to add a number of
>software components to complete your SSL server.
>
>At the base is either RSAREF or OpenSSL. Within the United States there are
>patent restrictions that limit you to using RSAREF from RSA Inc. Actually,
>you can also build OpenSSL with a "no patents" option. Both of these packages
>create a crypto library with the same interface.
>    http://www.rsa.com
>    http://www.openssl.org
>
>Next comes the "TLS" Tcl extension, which uses the crypto library.
>The development home page for TLS is
>    http://sourceforge.net/projects/tls/
>I have used the 1.4.1 version for a number of years, although
>there is a recent 1.5.0 version. At SourceForge there are
>binary releases for Linux and Solaris that save you the chore
>of building OpenSSL.
>
>If you can run tclsh and
>    package require tls
>then you are almost ready to go.
>
>Finally you need keys and certificates for your server. OpenSSL comes with
>a command-line utility called "openssl" that you can use to generate keys
>and certificates. The RSAREF utility is "sslc", but provides essentially
>the same features. The general process is that you generate a public-private
>key pair (using the "genrsa" command for sslc or openssl)
>    sslc genrsa -out skey.pem
>Next you create a certificate request
>    sslc req -config /path/to/ssl.cnf -new -nodex -out ./server.pem -key ./skey.pem
>and send this to a certificate authority for signing.
>One example Certificate Authority is
>    http://www.verisign.com
>
>Once you get the signed certificate back, edit the tclhttpd.rc file so they
>accurately record the location of your keyfile and certificate.
>The server should then be able to listen for SSL connections on the https port.
>
>You can also bootstrap yourself into your own CA by following the steps
>outlined below. This lets you sign your own certificate requests to
>make valid certificates, but browsers will prompt users to validate the
>key when they visit your site.
>
>You'll need the "openssl" command line utility that's
>built when you build openssl. Here is what I did with
>openssl-0.9.7d
>
>0. Build and install openssl. It installs into /usr/local/ssl
>   I left the openssl.cnf file unchanged, and created a sub-directory
>   to hold all the CA (certificate authority) stuff, as
>   /usr/local/ssl/demoCA.
>
>1. Use the "misc/CA.sh" script as a front-end for the "openssl ca"
>   command, which needs to be set up correctly.
>   First, we initialize the CA:
>       misc/CA.sh -newca
>
>   The -newca script does two things, approximately:
>   (If you ran misc/CA.sh -newca, then you don't need to do 1(a, b, c)
>   1(a). generate a private key for your test CA
>       cd /usr/local/ssl
>       bin/openssl genrsa -out demoCA/private/cakey.pem
>
>   1(b). build a certificate request
>       bin/openssl req -x509 -nodes -out demoCA/cacert.pem -key demoCA/private/cakey.pem -new
>
>   1(c). create a serial, index.txt, and other empty directories expected
>       by the ca subcommand of openssl
>
>   You've now got a CA certificate "cacert.pem".
>   It's "self-signed".
>   Its private key is "private/cakey.pem".
>
>We'll now make a server key, certificate request,
>and we'll use the CA cert we just made to sign it
>and generate our final certificate. (I couldn't get the
>CA.sh front-end to work for me in this case, so I did
>the following commands directly.)
>
>2. generate a server key
>       bin/openssl genrsa -out key1.pem
>
>3. generate a certificate request
>       bin/openssl req -nodes -out req.pem -key key1.pem -new
>
>4. generate the server certificate
>       bin/openssl ca -keyfile demoCA/private/cakey.pem \
>           -cert demoCA/cacert.pem -in req.pem
>
>Because I didn't use "-out", the cert was generated into
>demoCA/newcerts as 01.pem (or 02.pem, ...)
>You've now got a server certificate "demoCA/newcerts/01.pem".
>Its private key is key1.pem.
>It's signed by your own CA.
>
>You can make any number of certs by repeating steps
>two through four again with different file names.
>
>To set up tclhttpd, copy the key and the cert into the
>tclhttpd/certs subdirectory. E.g.,
>cd /usr/local/tclhttpd-3.5.1/
>mkdir certs
>cp /usr/local/ssl/key1.pem certs/skey.pem
>cp /usr/local/ssl/demoCA/newcerts/02.pem certs/server.pem
>
>It appears that the default location for the certs directory
>is a "bin/certs", a subdirectory of the bin directory. If
>you want to change that, edit bin/tclhttpd.rc and fix
>the SSL_CADIR setting.

Thank You Mr. Welch for responding. I followed your advice and it worked.

The only change I would make to the newest set of instructions is the following:

I would change,
"cp /usr/local/ssl/demoCA/newcerts/02.pem certs/server.pem"
to
"cp /usr/local/ssl/demoCA/newcerts/01.pem certs/server.pem"

However, this was not my issue. My problems were more centered around trying to match openssl.cnf to tclhttpd.rc. Your revised set of instructions made it clear what needed to be corrected.

Thanks again Mr. Welch

Angel Sosa xt...@am...
From: Brent W. <we...@pa...> - 2004-09-16 01:23:41
I'll attach the readme that I put together the last time I created certs. I believe this is newer than what is on the book's CD. I would appreciate it if you would try stepping through this and telling me specifically what steps don't work. We should end up with working directions!

>>>Angel Sosa said:
> Dear Mr Welch,
>
> I am sure you receive tons of email but if you permit me I would
> like to ask a question about TclHttpd. I have been using it for the last
> six months with a lot of success. I would like to move to the next level and
> enable the SSL portion of the web server. I have all of the modules
> needed in order for SSL to work and the supporting TCL packages. I have
> SSL working in other scenarios. But I am having a lot of trouble
> applying the Keys, PEMS and the CERTS under the proper categories within the
> tclhttpd.rc configuration file. Just for additional information, I have
> tested the same setup with Apache 2.x and SSL works fine. I
> also have a VPN working with SSL. The only Web server I am running is
> TclHttpd. The port 80 stuff works just fine. I have also taken traces
> with Ethereal. I have traced the traffic going to 443. The hello packet
> goes out but soon after that the TclHttpd resets the connection. 443 is
> only used by TclHttpd. And it has also been tried on other ports as well
> including 8016. And I still have not been successful with same results as 443.
>
> Would you be able to supply a complete sample of a literal
> openssl.cnf configuration file, literal instructions to generate the
> keys, self signed certs, requests and root CA? Please assume that I am signing
> my own certs. And finally any changes that need to be made to match the
> openssl.cnf and the tclhttpd.rc configuration file. I have tried
> various examples to no avail. I have also used the TLS tcl package piece
> to other sites and it works just fine. I have followed the example in
> your readme that is included with the CD of your latest book. But to no
> avail when it comes to SSL as it relates to TclHttpd.
>
> Thank you Mr. Welch for your time. If there is someone you can refer
> me to in case you do not have the time, that would work too.
>
> Angel Sosa xt...@am...

--
Brent Welch
Software Architect, Panasas Inc
Delivering the premier storage system for scalable Linux clusters

www.panasas.com
we...@pa...
From: Colin M. <co...@ch...> - 2004-09-15 23:39:52
|
I've put up a page http://mini.net/tcl/12423 which implements a new suffix .stml as a drop-in extension to tclhttpd.

.stml files are nearly identical to .tml files, but are expanded within a cookie session's interpreter, which can persist state between server restarts.

This should be good for per-user data, and is able to store form/query data persistently, and can use that data to generate content.

--
Colin McCormack <co...@ch...>
|
From: Wart <wa...@ko...> - 2004-09-14 06:05:06
|
Ok, good to know. I updated RFE 1026567 with a new patch that includes a better spec file as well as support for the -daemon flag to httpd.tcl. If there are no objections then I'd like to submit this to Fedora for inclusion in some future upcoming release.

--Mike

On Mon, 2004-09-13 at 19:34, Brent Welch wrote:
> There is no good reason for env to be there.
> Feel free to nuke it from your spec file, if that is possible.
> I can toss it from the CVS repository.
>
> >>>Wart said:
> > I'm trying to develop an updated spec file for tclhttpd so that it can
> > be included in future Fedora releases.
> >
> > While testing out the packaging, I noticed that tclhttpd has a binary
> > file checked into cvs: htdocs/cgi-bin/env
> >
> > What is this file used for, and why is it in CVS as a binary file
> > instead of compiling it from source? The inclusion of this file wreaks
> > havoc on the rpm dependency list because it generates a requirement on
> > libc.so.1, which isn't part of any recent Fedora/Redhat distributions.
> >
> > --Wart
>
> --
> Brent Welch
> Software Architect, Panasas Inc
> Delivering the premier storage system for scalable Linux clusters
>
> www.panasas.com
> we...@pa...
|
From: Brent W. <we...@pa...> - 2004-09-14 02:39:06
|
Hmm - I don't recall that one. I always put an & into my /etc/rc.d whatever startup scripts. But, if you have expect and fork, you could add a "-fork" or "-daemon" flag to leverage that.

>>>Wart said:
> I seem to recall from the Ajuba days that we added some code to tclhttpd
> so that it would fork itself into the background during startup (using
> Expect, I believe). Whatever happened to that change? I'd like to be
> able to start tclhttpd in the background without using '&'.
>
> --Wart

--
Brent Welch
Software Architect, Panasas Inc
Delivering the premier storage system for scalable Linux clusters
www.panasas.com
we...@pa...
|
From: Brent W. <we...@pa...> - 2004-09-14 02:34:30
|
There is no good reason for env to be there. Feel free to nuke it from your spec file, if that is possible. I can toss it from the CVS repository.

>>>Wart said:
> I'm trying to develop an updated spec file for tclhttpd so that it can
> be included in future Fedora releases.
>
> While testing out the packaging, I noticed that tclhttpd has a binary
> file checked into cvs: htdocs/cgi-bin/env
>
> What is this file used for, and why is it in CVS as a binary file
> instead of compiling it from source? The inclusion of this file wreaks
> havoc on the rpm dependency list because it generates a requirement on
> libc.so.1, which isn't part of any recent Fedora/Redhat distributions.
>
> --Wart

--
Brent Welch
Software Architect, Panasas Inc
Delivering the premier storage system for scalable Linux clusters
www.panasas.com
we...@pa...
|
From: Wart <wa...@ko...> - 2004-09-10 20:29:31
|
I seem to recall from the Ajuba days that we added some code to tclhttpd so that it would fork itself into the background during startup (using Expect, I believe). Whatever happened to that change? I'd like to be able to start tclhttpd in the background without using '&'.

--Wart
|