<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head profile="http://internetalchemy.org/2003/02/profile">
<link rel="foaf" type="application/rdf+xml" title="FOAF" href="http://www.openlinksw.com/dataspace/uda/about.rdf" />
<link rel="schema.dc" href="http://purl.org/dc/elements/1.1/" />
<meta name="dc.title" content="12. Web Application Development" />
<meta name="dc.subject" content="12. Web Application Development" />
<meta name="dc.creator" content="OpenLink Software Documentation Team ; " />
<meta name="dc.copyright" content="OpenLink Software, 1999 - 2009" />
<link rel="top" href="index.html" title="OpenLink Virtuoso Universal Server: Documentation" />
<link rel="search" href="/doc/adv_search.vspx" title="Search OpenLink Virtuoso Universal Server: Documentation" />
<link rel="parent" href="webappdevelopment.html" title="Chapter Contents" />
<link rel="prev" href=".html" title="" />
<link rel="next" href="wsacl.html" title="Web Services ACL (Access Control List)" />
<link rel="shortcut icon" href="../images/misc/favicon.ico" type="image/x-icon" />
<link rel="stylesheet" type="text/css" href="doc.css" />
<link rel="stylesheet" type="text/css" href="/doc/translation.css" />
<title>12. Web Application Development</title>
<meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8" />
<meta name="author" content="OpenLink Software Documentation Team ; " />
<meta name="copyright" content="OpenLink Software, 1999 - 2009" />
<meta name="keywords" content="" />
<meta name="GENERATOR" content="OpenLink XSLT Team" />
</head>
<body>
<div id="header">
<a name="webserver" />
<img src="../images/misc/logo.jpg" alt="" />
<h1>12. Web Application Development</h1>
</div>
<div id="navbartop">
<div>
<a class="link" href="webappdevelopment.html">Chapter Contents</a> | <a class="link" href="webappdevelopment.html" title="Web Application Development">Prev</a> | <a class="link" href="wsacl.html" title="Web Services ACL (Access Control List)">Next</a>
</div>
</div>
<div id="currenttoc">
<form method="post" action="/doc/adv_search.vspx">
<div class="search">Keyword Search: <br />
<input type="text" name="q" /> <input type="submit" name="go" value="Go" />
</div>
</form>
<div>
<a href="http://www.openlinksw.com/">www.openlinksw.com</a>
</div>
<div>
<a href="http://docs.openlinksw.com/">docs.openlinksw.com</a>
</div>
<br />
<div>
<a href="index.html">Book Home</a>
</div>
<br />
<div>
<a href="contents.html">Contents</a>
</div>
<div>
<a href="preface.html">Preface</a>
</div>
<br />
<div class="selected">
<a href="webappdevelopment.html">Web Application Development</a>
</div>
<br />
<div class="selected">
<a href="webserver.html">The HTTP Server</a>
<div>
<a href="#vspconf" title="HTTP Server Base Configuration">HTTP Server Base Configuration</a>
<a href="#virtdir" title="Virtual Directories">Virtual Directories</a>
<a href="#wsauth" title="Authentication">Authentication</a>
<a href="#wssessman" title="Session Management">Session Management</a>
<a href="#customauthsess" title="Writing Your Own Authentication and Session Handling">Writing Your Own Authentication and Session Handling</a>
<a href="#cancelwebreq" title="Cancellation of Web Requests">Cancellation of Web Requests</a>
<a href="#virtwebrobot" title="Virtuoso WebRobot API">Virtuoso WebRobot API</a>
<a href="#server_http_ext" title="HTTP Server Extensions">HTTP Server Extensions</a>
<a href="#webserverchunking" title="Chunked Transfer Encoding">Chunked Transfer Encoding</a>
<a href="#webserverviaapache" title="Using Virtuoso Server capabilities via Apache Web Server">Using Virtuoso Server capabilities via Apache Web Server</a>
<a href="#webserverhttpslistenerset" title="Setting Up the Virtuoso HTTPS Listener">Setting Up the Virtuoso HTTPS Listener</a>
</div>
</div>
<div>
<a href="wsacl.html">Web Services ACL (Access Control List)</a>
</div>
<div>
<a href="vsp1.html">Virtuoso Server Pages (VSP)</a>
</div>
<div>
<a href="vspx.html">Virtuoso Server Pages for XML (VSPX)</a>
</div>
<div>
<a href="rthwritaspxapps.html">Deploying ASP.Net Web Applications</a>
</div>
<div>
<a href="asmxhosting.html">ASMX Web Service Hosting</a>
</div>
<div>
<a href="blogger.html">Blogging & Weblogs</a>
</div>
<div>
<a href="servphpext.html">Deploying PHP Applications</a>
</div>
<div>
<a href="rthjsp.html">Deploying JSP Applications</a>
</div>
<div>
<a href="perlhosting.html">Perl Hosting</a>
</div>
<div>
<a href="pythonhosting.html">Python Hosting</a>
</div>
<div>
<a href="rubyhosting.html">Ruby Hosting</a>
</div>
<br />
</div>
<div id="text">
<a name="webserver" />
<h2>12.1. The HTTP Server</h2>
<p>When a request comes in to one of the network interfaces where
Virtuoso is listening for HTTP requests, it is matched against a set of virtual directory
path mappings. A path mapping has the following attributes:</p>
<ul>
<li>
<strong>Interface</strong> - interface coming from HTTP request</li>
<li>
<strong>Virtual Host</strong> - matched virtual host name</li>
<li>
<strong>Logical Path</strong> - logical path</li>
<li>
<strong>Mapped Path</strong> - physical location of the resource</li>
<li>
<strong>Is in DAV</strong> - If the resource is placed in WebDAV domain</li>
<li>
<strong>Default page</strong> - the name of the page to be returned if none is supplied</li>
<li>
<strong>Browseable</strong> - allows for returning the list of files in a directory if no specific file is requested</li>
<li>
<strong>Security</strong> - security restrictions to the resource</li>
<li>
<strong>Authentication Function</strong> - Virtuoso/PL procedure name, which performs authentication</li>
<li>
<strong>Realm</strong> - an string applied to Authentication function</li>
<li>
<strong>Request Post-processing Function</strong> - Virtuoso/PL procedure name, which performs post-processing action, before sending the response</li>
<li>
<strong>Database User Account</strong> - User account name, on behalf of which active content will be executed</li>
</ul>
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTP Server Conceptual Diagram" src="../images/httpconcept.jpg" />
</td>
</tr>
<tr>
<td>Figure: 12.1.1. HTTP Server Conceptual Diagram</td>
</tr>
</table>
<p>Incoming requests are also checked against the HTTP access control lists.
These lists rely on the following attributes of the connection to determine whether
the request should be answered:</p>
<ul>
<li>
<strong>Client Host or IP Address</strong> - the incoming requestor is pattern matched to specify a range.</li>
<li>
<strong>Destination Host or IP Address</strong> - Destination IP/Host match, also applicable to the proxy capabilities.</li>
</ul>
<p>The Virtuoso HTTP server is HTTP/1.1 compliant. It can accept persistent
connections from HTTP/1.1 clients. The HTTP/1.0 requests are processed as normal
without the persistent connections feature.</p>
<p>Persistent HTTP connections offer several advantages, such as:</p>
<ul>
<li>Reduced CPU usages by opening and closing fewer connections.</li>
<li>HTTP requests and responses can be pipelined on a connection.
Pipelining allows a client to make multiple requests without waiting for each
response, allowing a single TCP connection to be used much more efficiently with
lower elapsed time.</li>
<li>Network traffic is reduced.</li>
<li>Latency on subsequent requests is reduced.</li>
</ul>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="http://www.rfc-editor.org/rfc/rfc2616.txt">RFC2616</a> for more details</p>
</div>
<a name="vspconf" />
<h3>12.1.2. HTTP Server Base Configuration</h3>
<p>The <span class="computeroutput">[HTTPServer]</span> section of the
Virtuoso INI file contains parameters that directly affect the HTTP server upon
server startup. After the server has been started further configuration can be
performed using the Visual Server Administration Interface. Here is an example
of the section in the INI file:</p>
<div>
<pre class="programlisting">
[HTTPServer]
ServerPort = 8890
ServerRoot = ../vsp
ServerThreads = 2
MaxKeepAlives = 10
KeepAliveTimeout = 10
DavRoot = DAV
</pre>
</div>
<p>The meanings of these parameters are briefly explained here as a quick
reference for the most frequently used parameters:</p>
<ul>
<li>
<div class="formalpara">
<strong>ServerPort</strong>
<p>This specifies the HTTP listen port for the VSP server.</p>
</div>
</li>
<li>
<div class="formalpara">
<strong>ServerThreads</strong>
<p>This specifies the number of concurrently serviced HTTP requests.
If there are more concurrent requests, accepting the connections will be
deferred until there is a thread ready to serve each.</p>
</div>
</li>
<li>
<div class="formalpara">
<strong>ServerRoot = ../vsp</strong>
<p>This is the file system path of the root directory of files served by the Virtuoso
web server. The index.html in that directory will be served for the / URI. If relative, the path is
interpreted relative to the server's working directory.</p>
</div>
</li>
<li>
<div class="formalpara">
<strong>MaxKeepAlives = 10</strong>
<p>Connections by HTTP 1.1 clients can remain open after the initial response has been sent.
This parameters sets a cap on how many socket descriptors will at most be taken by keep alive connections.
Such connections will be dropped by the server ahead of timeout if this number would be exceeded.
Thus the maximum number of open sockets for the Virtuoso HTTP server is this number plus the number of threads.
A keep alive connection is by definition not associated to any pending processing on any thread.</p>
</div>
</li>
<li>
<div class="formalpara">
<strong>KeepAliveTimeout = 10</strong>
<p>This is a timeout in seconds before Virtuoso closes an idle HTTP 1.1 connection.</p>
</div>
</li>
<li>
<div class="formalpara">
<strong>DavRoot = DAV</strong>
<p>This specifies the root path of DAV resources. If DAV specific HTTP methods are used on Virtuoso,
these should only reference resources with paths starting with this. This is the top level DAV collection.
This is matched against URI's after the translation from external to internal URI's through the virtual directory table.
See Virtual Directories below.</p>
</div>
</li>
</ul>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>The <a href="server.html">Server Administration chapter</a> contains
a complete list of the Virtuoso INI file parameters. In particular, the
<a href="sect5_ini_HTTPServer.html">[HTTPServer] section</a>.</p>
</div>
<br />
<a name="virtdir" />
<h3>12.1.3. Virtual Directories</h3>
<p>A Virtuoso virtual directory maps logical paths to physical resource
locations accompanied by rules and/or parameters that govern how the mappings
respond to user-agent (e.g. Web browser) requests. This mechanism allows
physical locations to be obscured or simply reorganized. Some resource types
require authentication challenges, such as the Visual Server Administration
Interface, and/or special headers such as SOAP, which is another HTTP endpoint.</p>
<p>Virtual directories are useful when one server has to provide access to
several Web sites. Redirects are not a universal solution to this, it is far better to
define virtual directories that point to the other sites. Suppose that we have
two companies, "a" and "b", that are to share a Virtuoso server but want to
represented on the Web by <span class="computeroutput">www.a.com</span>
and <span class="computeroutput">www.b.com</span> respectively. Their pages
could be stored in directories "/a" and "/b" on the server, whilst virtual directories
map requests appropriately: </p>
<div>
<pre class="programlisting">
http://www.a.com/ --> /a
http://www.b.com/ --> /b
</pre>
</div>
<p>Hence, user-agent requests for <span class="computeroutput">www.a.com</span>
receive pages from /a, and likewise for "b". Requests under these domains are
mapped back to their physical location such as the request for the URI
<span class="computeroutput">http://www.a.com/images/picture.jpg</span>
retrieves the file <span class="computeroutput">/a/images/picture.jpg</span>.</p>
<p>Virtual directory definitions are held within the system table DB.DBA.HTTP_PATH.
Virtual directories can be administered in three basic ways:</p>
<ul>
<li>Using the Visual Administration Interface via a Web browser.</li>
<li>Using the functions vhost_define() and
vhost_remove().</li>
<li>Updating the system table directory using SQL statements.</li>
</ul>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="htmlconductorbar.html#httpvirtualdirs">Virtual Directory Administration UI</a>
</p>
<p>
<a href="fn_vhost_define.html">vhost_define()</a>, <a href="fn_vhost_remove.html">vhost_remove()</a>
</p>
<p>
<a href="systemtables.html#davhttppath">HTTP_PATH system table</a>
</p>
</div>
<p>Virtuoso matches user-agent requests against a logical path using
the longest entry that matches the path extracted from the URI. Suppose
we have two entries '<span class="computeroutput">/a/b</span>' and
'<span class="computeroutput">/a</span>' and a request is made of:
'<span class="computeroutput">http://foo.bar/a/b/c.html</span>', will match
the entry for '<span class="computeroutput">/a/b</span>'.</p>
<p>First, Virtuoso will attempt to locate the physical path that has been
mapped to a virtual host, interface and logical path. The virtual host
corresponds to the 'Host' header field value from HTTP/1.1 requests. If the
first step does not succeed then the server will try resolving the interface
and logical path. Failing that, the default step will attempt to resolve the path
directly to a physical location.</p>
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTP Virtual Directory Matching" src="../images/virtualdirectories.jpg" />
</td>
</tr>
<tr>
<td>Figure: 12.1.3.1. HTTP Virtual Directory Matching</td>
</tr>
</table>
<div class="note">
<div class="notetitle">Note:</div>
<p>HTTP 1.0 does not use the HOST header. Virtuoso will have little
choice but to send HTTP 1.0 user-agents the contents of the default
virtual host definition for the interface. </p>
</div>
<p>Thus if the following mappings are in effect:</p>
<div>
<pre class="programlisting">
/ -> /DAV
/doc -> http://docs.biz.com:/
/admin -> /admin
</pre>
</div>
<p>
The following translations would be made:
</p>
<div>
<pre class="programlisting">
/doc/howto/intro.html -> http://docs.biz.com:/howto/intro.html
/admin/help.vsp -> /admin/help.vsp
/gizmo/doc.xml -> /DAV/gizmo/doc.xml
</pre>
</div>
<p>
Thus, the longest match is selected and the matching substring is replaced by
the right hand side of the mapping. Note that this is also how automatic proxying takes place,
since a physical path beginning with http:// will be passed forward to a remote server.
</p>
<a name="defaultpageanddirbrws" />
<h4>12.1.3.2. Default Pages And Directory Browsing</h4>
<p>
For each virtual host or logical path pair we can define a list of default pages. If the
requested URL path is a directory then the server checks the default page definition
for that virtual directory, if a default page exists then the path will be internally
expanded to include its name, ands its contents returned.
</p>
<a name="ex_defpage" />
<div class="example">
<div class="exampletitle">Default Page</div>
<p>if we have a mapping for the host:</p>
<div>
<pre class="programlisting">www.a.com</pre>
</div>
<p>with the logical path mapping of:</p>
<div>
<pre class="programlisting">'/' mapped to '/a'</pre>
</div>
<p>with default page 'index.htm', then if the URL</p>
<div>
<pre class="programlisting">http://www.a.com/</pre>
</div>
<p>is requested the server will try to send the content of '/a/index.htm'.</p>
</div>
<p>
The same mechanism is used to determine whether a directory listing is to be
returned. If a mapping is defined to have 'Browseable' set to a number greater
than zero then the server, if a default page does not exist or is not defined,
a directory listing will be returned to the calling client.
</p>
<br />
<a name="virtandmultihosting" />
<h4>12.1.3.3. Virtual Hosting and Multi Hosting</h4>
<p>
The term Virtual Host refers to the practice of maintaining more than one server
on one machine, differentiated by their apparent host name. It is often
desirable for companies sharing a web server to have their own domains, with
web servers accessible as www.company1.com and www.company2.com, without
requiring the user to know any extra path information. The Virtual host can
be IP-based or non-IP. The IP-based (Multi Hosting) refers to practice of
having one machine listen for incoming requests on different network interfaces
and respond with different pages. The non-IP-based (Virtual Hosting) refers
to the practice of one machine having many DNS aliases, and requests from
client to a specific alias returning a different response regarding content
of 'Host' HTTP header field. Virtuoso supports IP-based, virtual IP-based,
and name-based virtual hosts. </p>
<p>
For distinct IP-based, hosts are used to determine on which interfaces
Virtuoso will listen and accept HTTP requests.
</p>
<br />
<a name="virtmetahost" />
<h4>12.1.3.4. Managing Host Metadata</h4>
<p>To add metadata in /.well-known/host-meta, execute:</p>
<div>
<pre class="programlisting">
WS.WS.host_meta_add ([app-name], [xrd-xml-fragment])
</pre>
</div>
<p>For example:</p>
<div>
<pre class="programlisting">
WS.WS.host_meta_add
(
'dbpedia.page-descriptor',
'<Link rel="http://dbpedia.org/resource-descriptor" template="http://dbpedia.org/page/{uri}"/>'
)
;
</pre>
</div>
<br />
<a name="virtproxy" />
<h4>12.1.3.5. Virtuoso As A Proxy</h4>
<p>The Virtuoso HTTP server can act as a proxy server on the same port
as the HTTP port. You can put the host and port that the Virtuoso HTTP server
is listening on, into your browser proxy settings and all requests will be
processed by it. Also this can be used to retrieve a page inside VSP.</p>
<p>The physical path setting of a virtual directory definition can be URL to
another HTTP server. In which case Virtuoso will act as a proxy to that site
when the logical path for it is requested.</p>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="vsp1.html#furthervsp">Virtuoso also provides VSP functions for proxying.</a>
</p>
<p>
<a href="fn_http_proxy.html">http_proxy()</a>.</p>
</div>
<p>The nature of Virtuoso's Web Proxying ability makes it easy and
seamless to bind multiple websites under one roof. Existing sites do not
have to move or change to be integrated under the Virtuoso Proxy. Simply
map them under a logical path name. They can be mapped multiple times
or from multiple ports.</p>
<p>If you already have pages written and working from other
servers via ASP or PHP, then you will be able to run these servers concurrently
with Virtuoso so they can share form data and give dynamic content from various
sources, consistent with our value proposition of maximum incorporation of new
technologies with minimum disruption to existing infrastructure. Whether
these servers were hosted on various machines or the same machine
there is no need to expose their running ports and services. This makes the
end user experience cleaner, and helps maintain some server security and/or
anonymity.</p>
<div class="note">
<div class="notetitle">Note:</div>
<p>Virtuoso provides runtime hosting capabilities and PHP support,
therefore ASP.Net and PHP and other applications can be run and hosted directly within
the file system or WebDAV.</p>
</div>
<p>Suppose that you have two machines running existing web servers that
serve various parts of your intranet. One web server may have been
constructed for or by your sales department while the other server may have
been a built by the support department. These servers could be resolved by
http://sales.mycompany.com/ and http://support.mycompany.com/ respectively.</p>
<p>You can place Virtuoso on another server and start integrating your
existing sites under this installation. You may use the Visual Server Administration
Interface or choose to use the following commands via the isql interface:</p>
<div>
<pre class="programlisting">
DB.DBA.VHOST_DEFINE(lpath=>'/sales', ppath=>'http://sales.mycompany.com/');
DB.DBA.VHOST_DEFINE(lpath=>'/support', ppath=>'http://support.mycompany.com/');
</pre>
</div>
<p>This way your old servers will exist under /sales/ and /support/ of
your new server. Now you can start adding virtuoso .vsp pages to your
new Virtuoso server and they operate interleaved with your existing pages to
add new life and functionality as required.</p>
<p>You may decide that you want to install Virtuoso onto a server
where a web server already exists. If you plan to use Virtuoso as your
default web server and the proxy to your existing server then you will need to
make sure that the servers run on different ports. The default port is 80,
you will have to configure Virtuoso to use this port from the virtuoso.ini file
and then move your existing web server port to another number.
Afterwards the procedure is similar:</p>
<div>
<pre class="programlisting">
DB.DBA.VHOST_DEFINE(lpath=>'/apache', ppath=>'http://localhost:90/');
</pre>
</div>
<a name="apachedoingproxy" />
<h5>12.1.3.5.1. Proxying Virtuoso via Apache</h5>
<p>You may also achieve the same goal as above but in reverse, using
another web server as a proxy in front of Virtuoso. If you have an existing
Apache server that you want to keep as you default web server then you can
set up a proxy within Apache to Virtuoso.</p>
<p>Firstly you will need to make sure that Apache can make use of the
mod_proxy module available from most Apache distribution sites. You then have
to make sure that it is referenced in your httpd.conf (or apache.conf) file.
You should have something like:</p>
<div>
<pre class="screen">
...
LoadModule proxy_module modules/libproxy.so
...
AddModule mod_proxy.c
...
</pre>
</div>
<a name="apachedoingproxyconf" />
<h6>Configuration steps</h6>
<p>Below we will use the <Location> directive to simplify the configuration:</p>
<div>
<pre class="programlisting">
<Location /virtuoso/>
ProxyPass http://localhost:8890/
ProxyPassReverse /
</Location>
</pre>
</div>
<ol>
<li>Set the ProxyPass directive:
<p>The ProxyPass directive makes Apache to change all incoming URLs and map
it to the internal http endpoint.</p>
<p>So when the browser makes a request for:</p>
<div>
<pre class="programlisting">
http://localhost/virtuoso/conductor/login.vsp
</pre>
</div>
<p>it is rewritten to use:</p>
<div>
<pre class="programlisting">
http://localhost:8890/conductor/login.vsp
</pre>
</div>
<p>before sending the request over to the Virtuoso server.</p>
</li>
<li>Set the ProxyPassReverse directive:
<p>The ProxyPassReverse directive rewrites the HTTP Headers that come back
from Virtuoso to map back to the external URL. This is needed for e.g. 303 Location
redirects where Virtuoso will use:</p>
<div>
<pre class="programlisting">
Location: http://localhost:8890/conductor/pageXXX.vsp
</pre>
</div>
<p>which Apache needs to rewrite to:</p>
<div>
<pre class="programlisting">
Location: http://localhost/virtuoso/conductor/pageXXX.vsp
</pre>
</div>
<p>before sending the reply back to the browser.</p>
</li>
<li>
<p>If the mapping is / ---> / instead of /virtuoso/ ---> / then the settings should be done,
since ProxyPass and ProxyPassReverse only deal with rewriting urls and http headers.</p>
<p>When however there is a path mapping, there is a third step to take:</p>
<p>Pages can contain clickable links like:</p>
<div>
<pre class="programlisting">
<a href="/conductor/mypage.vsp">Click Here</a>
</pre>
</div>
<p>If you click on this link in your browser, it would use:</p>
<div>
<pre class="programlisting">
http://localhost/conductor/mypage.vsp
</pre>
</div>
<p>which does not map back to your /virtuoso/ vpath in apache.</p>
<p>As phpBB3 has been written from outset to cater for this
situation, it will always need to recalculate fully qualified
host/path names everywhere in its pages, which is not always very practical.</p>
<p>Thus Apache needs to be configured to do page rewriting as well as in:</p>
<div>
<pre class="programlisting">
ProxyHTMLEnable On
ProxyHTMLURLMap / /virtuoso/
ProxyHTMLURLMap http://localhost:8890/ /virtuoso/
</pre>
</div>
<p>This will rewrite the content of every page to make sure that links
inside the page are rewritten to use the external mapping of this instance.</p>
<p>If you have set Virtuoso to use EnabledGzipContent=1, then you need to
tell apache it may need to gunzip the content before doing this rewrite
with the following line:</p>
<div>
<pre class="programlisting">
SetOutputFilter INFLATE;DEFLATE
</pre>
</div>
<p>Although this takes a bit extra CPU power etc, it is still practical to
setup a virtual path on user's own system that points to some external system.</p>
<p>For example, add this to your httpd.conf to get a mapping to dbpedia-live instance:</p>
<div>
<pre class="programlisting">
<Location /dbp/>
ProxyPass http://dbpedia-live.openlinksw.com/
ProxyPassReverse /
ProxyHTMLURLMap / /dbp/
ProxyHTMLURLMap http://dbpedia-live.openlinksw.com/ /dbp/
SetOutputFilter INFLATE;DEFLATE
</Location>
</pre>
</div>
<p>Now you should be able to use for ex.:</p>
<div>
<pre class="programlisting">
http://localhost/dbp/page/London
</pre>
</div>
</li>
</ol>
<br />
<a name="apachedoingproxyconfexample" />
<h6>Usage Example</h6>
<div>
<pre class="programlisting">
NameVirtualHost 82.191.21.32
<VirtualHost 82.191.21.32>
ServerName www.mysite.net <http://www.mysite.net>
...
# Disable global proxy
ProxyRequests Off
# Pass original host to Virtuoso
ProxyPreserveHost On
# Timeout waiting for Virtuoso
ProxyTimeout 300
# Set permission
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#
# Map /virtuoso/ to a local Virtuoso instance.
#
# Since ProxyPass and ProxyPassReverse only fix the Headers
# of the request, we need to use ProxyHTMLURLMap to rewrite
# content.
#
<Location /virtuoso/>
ProxyPass http://localhost:8890/
ProxyPassReverse /
# Enable rewrite rules
ProxyHTMLEnable On
ProxyHTMLURLMap / /virtuoso/
ProxyHTMLURLMap http://localhost:8890/ /virtuoso/
# Uncomment this when EnabledGzipContent=1 in virtuoso.ini
#SetOutputFilter INFLATE;DEFLATE
</Location>
</VirtualHost>
</pre>
</div>
<p>If we map the virtual host straight through to Virtuoso, we only need header rewriting and save the time/cpu power to rewrite the content: </p>
<div>
<pre class="programlisting">
#
# Map / to a local Virtuoso instance
#
# Since paths are mapped straight through, we do not have to
# rewrite the content.
#
<Location />
ProxyPass http://localhost:8890/
ProxyPassReverse /
</Location>
</pre>
</div>
<br />
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="http://www.apache.org/docs/">Apache Online Documentation</a>
</p>
</div>
<br />
<br />
<br />
<a name="wsauth" />
<h3>12.1.4. Authentication</h3>
<p>
If a Virtuoso/PL procedure is specified to perform authentication for this
mapping then it will be executed. The procedure can take one (varchar) parameter,
the 'Realm' value. The result from the procedure must be 1
if authentication successful otherwise must be zero (0).
If the procedure returns 0 this causes the processing to terminate and whatever
output the hook generated to be sent to the client. Typically this will be an
authentication challenge.
</p>
<br />
<a name="wssessman" />
<h3>12.1.5. Session Management</h3>
<p>
The Virtuoso HTTP session management consists of functions for session
variables manipulation and an ability to define a pre- and post-processing function.
The pre and post-processing functions are used to save and restore session
data between HTTP posts, usually to and from a session table.</p>
<p>Session management must be enable by settings the flag for persistent
session variables in virtual directory mapping. Virtual directory mappings use
the <strong>persistent_session_variables</strong> flag, which when
specified, session variables can be used in a post-process function to determine
if the session variables content must be stored on to the session table or not.
</p>
<p>
The post-processing function hook can be any user-defined Virtuoso/PL procedure,
it will be executed every time after processing of the active page.
</p>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="vsp1.html#sesmanvars">VSP Session Management and Session Variables</a>
</p>
</div>
<br />
<a name="customauthsess" />
<h3>12.1.6. Writing Your Own Authentication and Session Handling</h3>
<p>
We will explain the following precompiled procedures in Virtuoso used to
authenticate three branches of users.
</p>
<ul>
<li>
<strong>HP_AUTH_SQL_USER</strong> - VSP authentication based on DB users</li>
<li>
<strong>HP_AUTH_DAV_ADMIN</strong> - VSP authentication based on WebDAV users</li>
<li>
<strong>HP_AUTH_DAV_PROTOCOL</strong> - WebDAV repository authentication</li>
</ul>
<div>
<pre class="programlisting">
-- Authenticate against names and passwords in SYS_USERS, using HP_SECURITY for level
create procedure
DB.DBA.HP_AUTH_SQL_USER (in realm varchar)
{
declare _u_name, _u_password varchar;
declare _u_group, _u_id, allow_basic integer;
declare auth, sec, lev varchar;
declare _user varchar;
declare ses_dta, lines any;
lines := http_request_header (); -- got a request header lines
sec := http_map_get ('security_level'); -- got a security level from http mapping
if (isstring (sec))
sec := ucase (sec);
if (sec = 'DIGEST')
allow_basic := 0; -- if security is only digest then allow basic is false
else
allow_basic := 1;
auth :=
DB.DBA.vsp_auth_vec (lines); -- parse request header to got authentication credentials
if (0 <> auth) -- and if client sent any authentication information try it
{
lev := get_keyword ('authtype', auth, ''); -- check if client tried basic but
-- domain restricted to digest only
if (allow_basic = 0 and 'basic' = lev)
goto nf;
_user := get_keyword ('username', auth, '');
if ('' = _user) -- if no user name then 'bye'
return 0;
whenever not found goto nf; -- if no such user in table - 'bye'
-- got the password from users table
select U_NAME, PWD_MAGIC_CALC (U_NAME, U_PASSWORD, 1), U_GROUP, U_ID
into _u_name, _u_password, _u_group, _u_id from DB.DBA.SYS_USERS
where u_name = _user;
-- check credential against user name and password
if (0 = _u_group and 1 = DB.DBA.vsp_auth_verify_pass (auth, _u_name,
get_keyword ('realm', auth, ''),
get_keyword ('uri', auth, ''),
get_keyword ('nonce', auth, ''),
get_keyword ('nc', auth, ''),
get_keyword ('cnonce', auth, ''),
get_keyword ('qop', auth, ''),
_u_password))
{
if (http_map_get ('persist_ses_vars'))
{ -- if all is ok check for persistent variables storage
declare vars any;
declare sid varchar;
vars := null;
sid := http_param ('sid');
-- got from session table stored variables
vars := coalesce ((select deserialize (ASES_VARS)
from DB.DBA.ADMIN_SESSION where ASES_ID = sid), null);
if (sid is not null and vars is null or isarray (vars))
connection_vars_set (vars);
if (sid is not null and connection_get ('sid') is null)
{
connection_set ('sid', sid);
}
}
return 1; -- return authenticated
}
}
nf: -- all errors go there, we compose authentication header
-- and send 401 unauthorized to the client
DB.DBA.vsp_auth_get (realm, http_path (),
md5 (datestring (now ())),
md5 ('eEsSlLAaf'),
'false', lines, allow_basic);
return 0; -- return not authenticated
}
;
</pre>
</div>
<div>
<pre class="programlisting">
-- Authenticate against SYS_DAV_USER, using HP_SECURITY for level,
-- in the context of DAV administration pages accessed through regular HTTP
-- The logic is the same but in difference of password retrieval.
create procedure
DB.DBA.HP_AUTH_DAV_ADMIN (in realm varchar)
{
declare _u_name, _u_pwd varchar;
declare _u_group, _u_id, allow_basic integer;
declare auth, sec, lev varchar;
declare _user varchar;
declare ses_dta, lines any;
lines := http_request_header ();
sec := http_map_get ('security_level');
if (isstring (sec))
sec := ucase (sec);
if (sec = 'DIGEST')
allow_basic := 0;
else
allow_basic := 1;
auth := DB.DBA.vsp_auth_vec (lines);
if (0 <> auth)
{
lev := get_keyword ('authtype', auth, '');
if (allow_basic = 0 and 'basic' = lev)
goto nf;
_user := get_keyword ('username', auth, '');
if ('' = _user)
return 0;
whenever not found goto nf;
-- we tried to find out password for enabled valid WebDAV user
select U_NAME, U_PWD, U_GROUP, U_ID
into _u_name, _u_pwd, _u_group, _u_id from WS.WS.SYS_DAV_USER
where u_name = _user and U_ACCOUNT_DISABLED = 0;
if (DB.DBA.vsp_auth_verify_pass (auth, _u_name,
get_keyword ('realm', auth, ''),
get_keyword ('uri', auth, ''),
get_keyword ('nonce', auth, ''),
get_keyword ('nc', auth, ''),
get_keyword ('cnonce', auth, ''),
get_keyword ('qop', auth, ''),
_u_pwd))
{
if (http_map_get ('persist_ses_vars'))
{
declare vars any;
declare sid varchar;
vars := null;
sid := http_param ('sid');
vars := coalesce ((select deserialize (ASES_VARS)
from DB.DBA.ADMIN_SESSION where ASES_ID = sid), null);
if (vars is null or isarray (vars))
connection_vars_set (vars);
if (connection_get ('sid') is null)
{
connection_set ('sid', sid);
}
}
return (_u_id);
}
}
nf:
DB.DBA.vsp_auth_get (realm, '/admin/admin_dav',
md5 (datestring (now ())),
md5 ('vVAadAnIimMDdaNnimda'),
'false', lines, allow_basic);
return 0;
}
;
</pre>
</div>
<div>
<pre class="programlisting">
-- The same as for DAV admin pages but in the context of DAV protocol requests.
create procedure
DB.DBA.HP_AUTH_DAV_PROTOCOL (in realm varchar)
{
declare _u_name, _u_password, _perms varchar;
declare _u_id, _u_group, req_user, req_group, what integer;
declare auth varchar;
declare _user varchar;
declare our_auth_vec, lines, sec, path, req_perms, req_meth, cmp_perms, def_page varchar;
declare _method, lev, allow_basic, authenticated integer;
declare c cursor for select 1, COL_OWNER, COL_GROUP, COL_PERMS
from WS.WS.SYS_DAV_COL where WS.WS.COL_PATH (COL_ID) = path;
declare r cursor for select 2, RES_OWNER, RES_GROUP, RES_PERMS
from WS.WS.SYS_DAV_RES where RES_FULL_PATH = path;
authenticated := 0;
lines := http_request_header ();
path := http_physical_path ();
if (isarray (lines))
{
req_meth := aref (lines, 0);
if (strchr (req_meth, ' ') is not null)
req_meth := lower (substring (req_meth, 1, strchr (req_meth, ' ')));
}
-- there we compose mask for permissions compared against
-- resource or collection permission
if (req_meth = 'get' or
req_meth = 'post' or
req_meth = 'options' or
req_meth = 'propfind' or
req_meth = 'head' or
req_meth = 'trace' or
req_meth = 'copy')
cmp_perms := '1__'; -- in this case only read access needed
else if (req_meth = 'mkcol' or req_meth = 'put')
{
if (length (path) > 1
and strrchr (substring (path, 1, length(path) - 1), '/') is not null)
path := substring (path, 1,
strrchr (substring (path, 1, length(path) - 1), '/') + 1);
cmp_perms := '11_';
}
else
cmp_perms := '11_'; -- but in this we needs a read/write access
what := 0;
whenever not found goto fr;
open c (prefetch 1);
fetch c into what, req_user, req_group, req_perms;
-- get from collections owner , owner group and permissions
def_page := http_map_get ('default_page');
if (isstring (def_page))
{
path := concat (path, def_page);
what := 0;
}
fr:
close c;
if (not what)
{
whenever not found goto fe;
open r (prefetch 1);
fetch r into what, req_user, req_group, req_perms; -- if not a collection try a resource
fe:
close r;
}
sec := http_map_get ('security_level'); -- see DB user authentication
if (isstring (sec))
sec := ucase (sec);
if (sec = 'DIGEST')
allow_basic := 0;
else
allow_basic := 1;
auth := DB.DBA.vsp_auth_vec (lines);
if (0 <> auth)
{
lev := get_keyword ('authtype', auth, '');
if (allow_basic = 0 and 'basic' = lev)
goto nf;
_user := get_keyword ('username', auth);
if (_user = '' or isnull (_user))
{
goto nf;
}
whenever not found goto nf;
select U_NAME, U_PWD, U_GROUP, U_ID, U_METHODS, U_DEF_PERMS
into _u_name, _u_password, _u_group, _u_id, _method, _perms from WS.WS.SYS_DAV_USER
where U_NAME = _user and U_ACCOUNT_DISABLED = 0;
if (_u_password is null)
goto nf;
if (DB.DBA.vsp_auth_verify_pass (auth, _u_name,
coalesce(get_keyword ('realm', auth), ''),
coalesce(get_keyword ('uri', auth), ''),
coalesce(get_keyword ('nonce', auth), ''),
coalesce(get_keyword ('nc', auth),''),
coalesce(get_keyword ('cnonce', auth), ''),
coalesce(get_keyword ('qop', auth), ''),
_u_password))
{
update WS.WS.SYS_DAV_USER set U_LOGIN_TIME = now () where U_NAME = _user;
if (http_map_get ('persist_ses_vars'))
{
declare vars any;
declare sid varchar;
vars := null;
sid := http_param ('sid');
vars := coalesce ((select deserialize (ASES_VARS)
from DB.DBA.ADMIN_SESSION where ASES_ID = sid), null);
if (vars is null or isarray (vars))
connection_vars_set (vars);
if (connection_get ('sid') is null)
{
connection_set ('sid', sid);
}
}
if (connection_get ('DAVUserID') <> _u_id)
connection_set ('DAVUserID', _u_id);
authenticated := 1;
}
}
-- Check permissions
if (authenticated and _u_id = 1) -- If user is DAV admin all rights granted
return 1;
else if (not authenticated and req_perms like concat ('______', cmp_perms, '%'))
return -1; -- if not authenticated and resource
-- does have public access return authenticated
else if (authenticated and
((_u_id = req_user and req_perms like concat (cmp_perms, '%')) or
(req_group = _u_group and req_perms like concat ('___', cmp_perms, '%')) or
(req_perms like concat ('______', cmp_perms, '%'))))
return (_u_id); -- if user is owner or belongs to group
-- ownership return authenticated
else if (authenticated) -- if authenticated but does not access
-- return false but set 403 forbidden
{
http_request_status ('HTTP/1.1 403 Forbidden');
http ( concat ('<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">',
'<HTML><HEAD>',
'<TITLE>403 Forbidden</TITLE>',
'</HEAD><BODY><H1>Forbidden</H1>',
'Access to the resource is forbidden.</BODY></HTML>'));
return 0;
}
-- End check permissions
nf: -- all error cases go there, we send authentication credentials
-- and turn status 401 Unauthorized, and return false
DB.DBA.vsp_auth_get (realm, '/DAV',
md5 (datestring(now())),
md5 ('opaakki'),
'false', lines, allow_basic);
return 0;
}
;
</pre>
</div>
<div>
<pre class="programlisting">
-- Post-processing function, this will executed after processing
-- the request but before sending result to the client.
create procedure
DB.DBA.HP_SES_VARS_STORE ()
{
declare vars any;
declare sid varchar;
if (http_map_get ('persist_ses_vars') and connection_is_dirty ())
-- if connection variables changed in request and persistent variables stored
{
vars := connection_vars (); -- get all variables
connection_vars_set (null); -- set immediately to empty vector (prevent changing)
sid := get_keyword ('sid', vars, null); -- got the session ID
-- store the variables in session table
if (sid is not null)
update DB.DBA.ADMIN_SESSION set ASES_VARS = serialize (vars) where ASES_ID = sid;
}
}
;
</pre>
</div>
<p>
These functions are implemented as part of Virtuoso server by default. The user can
freely define their own procedures based on this logic to use for special
authentication (different users information table etc.) and session management.
</p>
<br />
<a name="cancelwebreq" />
<h3>12.1.7. Cancellation of Web Requests</h3>
<p>
If there are many long-running tasks processing on Virtuoso it is possible to
have denial of service. To prevent this we can use status and stop functions.
We can retrieve the URL, client IP-address, and process status code for all currently
running VSP requests, then use this information to isolated and eliminate a process.
</p>
<p>
<a href="fn_http_pending_req.html">http_pending_req()</a>
</p>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="vsp1.html#longhttptrans">Long HTTP Transactions</a>
</p>
</div>
<br />
<a name="virtwebrobot" />
<h3>12.1.8. Virtuoso WebRobot API</h3>
<p>
The Virtuoso WebRobot (WebCopy) is useful for retrieving Internet web sites and
storing them on to a local WebDAV repository. Once retrieved, the local copy in
the WebDAV repository can be exported to the local filesystem or another WebDAV
enabled server. The common features and usages are demonstrated in
the <a href="">WebCopy User Interface</a> in the
Visual Server Administration Interface. This document provides the actual
API's and techniques useful for some other implementations.
</p>
<a name="robotnewtarget" />
<h4>12.1.8.1. Creating A New Target</h4>
<p>
A new web server target is created by inserting a row in to
the WS.WS.VFS_SITE table and then a row in to the WS.WS.VFS_QUEUE table.
</p>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="systemtables.html#robotsystables">Web Robot System Tables</a> for table definitions</p>
</div>
<a name="newrobottarget" />
<div class="example">
<div class="exampletitle">Creating a new target</div>
<p>
This example creates a new target pointing to the site http://www.foo.com/help/,
with instructions to walk across foreign links, delete a local page if it is detected
that it has been removed from the remote, retrieve images, walk on entire site using
HTTP GET method. The content will be stored in /DAV/sites/www_foo_com collection
in the local WebDAV repository.
</p>
<ol>
<li>
<p>Create target for http://www.foo.com/help/</p>
<div>
<pre class="programlisting">
insert into WS.WS.VFS_SITE
(VS_DESCR,VS_HOST,VS_URL,VS_OWN,VS_ROOT,VS_NEWER,VS_DEL,
VS_FOLLOW,VS_NFOLLOW,VS_SRC,VS_OPTIONS,VS_METHOD,VS_OTHER)
values
('My first test', 'www.foo.com', '/help/', 1, 'sites/www_foo_com', '1990-01-01',
'checked', '/%;', '', 'checked', null, null, 'checked');
</pre>
</div>
</li>
<li>
<p>Create start queue entry</p>
<div>
<pre class="programlisting">
insert into WS.WS.VFS_QUEUE
(VQ_HOST,VQ_TS,VQ_URL,VQ_ROOT,VQ_STAT,VQ_OTHER)
values ('www.foo.com', now(), '/help/', 'sites/www_foo_com', 'waiting', null);
</pre>
</div>
</li>
</ol>
</div>
<br />
<a name="robotqueuehook" />
<h4>12.1.8.2. Creating A Custom Queue Hook</h4>
<p>
The custom queue hook can be used to extract the next entry from the robot's
queue following a custom algorithm. The following example extracts the
oldest entry comparing to the my_data array (this array consists of
non-desirable sites) and returns if some are found.
</p>
<a name="robotcustomqueuehook" />
<div class="example">
<div class="exampletitle">Creating A Custom Robot Queue Hook</div>
<div>
<pre class="programlisting">
create procedure
DB.DBA.my_hook (
in host varchar, in collection varchar, out url varchar, in my_data any
)
{
declare next_url varchar;
whenever not found goto done;
-- we trying to extract the oldest entry
declare cr cursor for select VQ_URL from WS.WS.VFS_QUEUE
where VQ_HOST = host and VQ_ROOT = collection and VQ_STAT = 'waiting'
order by VQ_HOST, VQ_ROOT, VQ_TS for update;
open cr;
while (1)
{
fetch cr into next_url;
if (get_keyword (host, my_data, null) is not null) -- process if host not in black-list
{
update WS.WS.VFS_QUEUE set VQ_STAT = 'pending'
where VQ_HOST = host and VQ_ROOT = collection and VQ_URL = next_url;
url := next_url;
close cr;
return 1;
}
else -- otherwise continue finding
update WS.WS.VFS_QUEUE set VQ_STAT = 'retrieved'
where VQ_HOST = host and VQ_ROOT = collection and VQ_URL = next_url;
}
done:
-- if we arrive at the bottom of the queue return false to stop processing
close cr;
return 0;
}
;
</pre>
</div>
</div>
<div class="note">
<div class="notetitle">Note:</div>
<p>The default function will return the oldest entry from queue without
any restriction. The follow/not-follow restrictions are applied to the path
on target before inserting a new queue entry.
</p>
</div>
<br />
<a name="robotretrievestart" />
<h4>12.1.8.3. Starting The Site's Retrieval/Update</h4>
<p>
The site retrieval can be performed with the WS.WS.SERV_QUEUE_TOP PL function
integrated in to the Virtuoso server.
</p>
<p>
<a href="fn_serv_queue_top.html">serv_queue_top()</a>
</p>
<br />
<a name="exporttofsordav" />
<h4>12.1.8.4. Exporting Local Content To Filesystem Or Other Webdav Enabled Server</h4>
<p>
<a href="fn_lfs_exp.html">lfs_exp</a>
</p>
<p>
<a href="fn_dav_exp.html">dav_exp</a>
</p>
<br />
<div class="tip">
<div class="tiptitle">See Also</div>
<p>
<a href="systemtables.html#robotsystables">Web Robot System tables</a>
</p>
</div>
<br />
<a name="server_http_ext" />
<h3>12.1.9. HTTP Server Extensions</h3>
<p>
The Virtuoso shared object library enables you to create your own custom
extensions to the Virtuoso HTTP server and create custom VSEs. Support
for PHP page execution was implemented using this functionality. Virtuoso
can automatically switch processing mode from VSP to PHP or some other custom
extension based on the extension of the files being requested from the HTTP server.
To enable Virtuoso to process files of a different extension you have to write a
VSE handler where part of the name contains the
extension: <strong>__http_handler_[extension]</strong>. The VSEs
for HTTP handling must have the following parameters:
</p>
<div class="funcsynopsis">
<a name="fproto_http_handler" />
<span class="funcdef">
<span class="function">__http_handler_<extension></span>
</span>
(<span class="paramdef">in <span class="parameter">resource</span> varchar</span>,
<span class="paramdef">in <span class="parameter">parameters</span> vector</span>,
<span class="paramdef">in <span class="parameter">request_header</span> vector</span>,
<span class="paramdef">inout <span class="parameter">type_flag</span> any</span>);
</div>
<ul>
<li>
<p>
<strong>resource</strong> is either the path to a
file or the content of a resource in the WebDAV store. The interpretation
of this parameter by the server is dependent of the type_flag parameter.</p>
</li>
<li>
<p>
<strong>parameters</strong> for execution, the server
will pass to this parameter a string session containing the entity body of the POST
method request.</p>
</li>
<li>
<p>
<strong>request_header</strong> is the HTTP request header
lines as an array of strings. This parameter will accept the original header as a vector.
The vector will contain the complete HTTP request header.</p>
</li>
<li>
<p>
<strong>type_flag</strong> is an in/out parameter which is a flag
for indicating the type of the first parameter. If the resource parameter is a file path
in the file system this flag should be NULL, if the resource is located in the WebDAV store
this flag should be set to URI of the WebDAV resource, something like:
virt://WS.WS.SYS_DAV_RES.RES_FULL_PATH.RES_CONTENT:/DAV/dir1/subdir/myfile.php.
Virtuoso will return in this parameter an array of two strings set to the
http response status line and the header after execution.
</p>
</li>
</ul>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="cinterface.html">Virtuoso Server Extensions Interface</a>
</p>
</div>
<br />
<a name="webserverchunking" />
<h3>12.1.10. Chunked Transfer Encoding</h3>
<p>Virtuoso supports HTTP 1.1 Chunking Encoding which allows Virtuoso to
send the user agent chunks of output as the page is still processing. Chunking
is enabled by calling <span class="computeroutput">http_flush(1)</span> within the VSP page.
Chunks are sent for every 4k worth of output generated. Chunked mode requires
the following conditions:</p>
<ul>
<li>no "Content-Length" header sent to the client using http_header()</li>
<li>no "Content-Encoding" header sent to the client using http_header()</li>
<li>use http_xslt() is not permitted</li>
<li>The client supports HTTP 1.1</li>
</ul>
<p>Failing these conditions, <span class="computeroutput">http_flush(1)</span> will be a
No-Operation.</p>
<p>Chunked mode is not supported for static content.</p>
<div class="tip">
<div class="tiptitle">See Also:</div>
<p>
<a href="fn_http_flush.html">http_flush()</a>
</p>
<p>
<a href="http://www.rfc-editor.org/rfc/rfc2616.txt">RFC-2616</a>
</p>
</div>
<br />
<a name="webserverviaapache" />
<h3>12.1.11. Using Virtuoso Server capabilities via Apache Web Server</h3>
<p>
In some situations Virtuoso services like WebDAV, JSP, PHP etc.
may need to be accessed via an Apache Web Server. All this can be done
through apache's mod_proxy to Virtuoso HTTP server and the Virtuoso HTTP
server can be configured to take requests coming only from localhost.
</p>
<p>
The following configuration makes :
The Virtuoso server to listen for HTTP requests coming ONLY from localhost.
Apache proxies the outside requests to Virtuoso HTTP server.
</p>
<div>
<pre class="programlisting">
line added to the /etc/httpd/conf/httpd.conf
(999.999.999.999, must be changed with actual IP address of external interface):
----------------------------------
Listen 8080
<VirtualHost 999.999.999.999:8080 127.0.0.1:8080>
ServerAdmin webmaster@host.example.domain
ProxyPass / http://localhost:6666/
</VirtualHost>
----------------------------------
</pre>
</div>
<div>
<pre class="programlisting">
Then changes in the virtuoso.ini
[HTTPServer] section)
...
ServerPort = 127.0.0.1:6666
...
</pre>
</div>
<br />
<a name="webserverhttpslistenerset" />
<h3>12.1.12. Setting Up the Virtuoso HTTPS Listener</h3>
<p>The Setting up of the Virtuoso HTTPS Listener can be done by using the file system or using the Virtuoso conductor.</p>
<p>Note that when you want to change from Virtuoso hosted Cert and Public Key to File System and vice versa, first should
be stopped the listener for either setup.</p>
<a name="webserverhttpslistenersetfs" />
<h4>12.1.12.1. Setting Up the Virtuoso HTTPS Listener to host Certificate and Public Key using File System</h4>
<ol>
<li>X.509 certificate Generation
<p>The WebID Protocol consumer needs an x509 certificate with v3 extension "Subject Alternate Name".
This attribute is used for the owner's Web ID. For testing purposes we used OpenSSL demo CA
to generate such certificates. If you are not using the OpenSSL demo CA, you must first setup
a self-signed CA; read OpenSSL documents on how to do this.</p>
<ol>
<li>Add the following line to the [usr_cert] section of the openssl.cnf
file:
<div>
<pre class="programlisting">
subjectAltName=$ENV::ALTNAME
</pre>
</div>
</li>
<li>Set the environment variable ALTNAME to the owner's Web ID, e.g.,
<div>
<pre class="programlisting">
export ALTNAME=URI:http://localhost/dataspace/person/myname#this
</pre>
</div>
</li>
<li>Make a self-signed certificate, e.g.,
<div>
<pre class="programlisting">
$ CA.pl -newreq (follow the dialog)
$ CA.pl -sign
</pre>
</div>
</li>
<li>When asked to commit the certificate, make sure you see several lines above, like
<div>
<pre class="programlisting">
X509v3 Subject Alternative Name:
URI:http://localhost/dataspace/person/myname#this
</pre>
</div>
</li>
<li>If your browser wants a PKCS#12 bundle, you must make one
<div>
<pre class="programlisting">
$ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out mycert.p12
</pre>
</div>
</li>
<li>Rename newcert.pem and newkey.pem, to mycert.pem
and mykey.pem for example.
</li>
</ol>
</li>
<li>Move newcert.pem, newkey.pem, and cacert.pem
into the server's working directory. In our test case, we put the keys in a 'keys'
sub-directory, and added the following lines to the [HTTPServer] section of the Virtuoso
INI file, virtuoso.ini:
<div>
<pre class="programlisting">
SSLPort = 4443
SSLCertificate = ./keys/localhost.cert.pem
SSLPrivateKey = ./keys/localhost.key.pem
X509ClientVerifyCAFile = ./keys/localhost.ca.pem
X509ClientVerify = 1
X509ClientVerifyDepth = 15
</pre>
</div>
</li>
<li>Also in the Virtuoso INI file, in the [URIQA] section, DefaultHost
(localhost:8890 below) must be edited to correspond to the DNS-resolvable host name
("CNAME") of the Virtuoso host, combined with the ServerPort as set in the
[HTTPServer] section of the same INI file.
<div>
<pre class="programlisting">
[URIQA]
DynamicLocal = 1
DefaultHost = localhost:8890
</pre>
</div>
<p>For example, if the CNAME of the host is virtuoso.example.com, and the
ServerPort is 4321, the DefaultHost should be set to
virtuoso.example.com:4321</p>
<div>
<pre class="programlisting">
[URIQA]
DynamicLocal = 1
DefaultHost = virtuoso.example.com:4321
</pre>
</div>
</li>
<li>Start the Virtuoso server, and look at the log file. Once HTTPS is up, you should see
something like:
<div>
<pre class="programlisting">
HTTPS Using X509 Client CA ....
HTTPS/X509 server online at 4443
</pre>
</div>
</li>
<li>Setting Up Firefox:
<ol>
<li>In the Preferences dialog, open the Advanced tab, and click the "View certificates" button.
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps1.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.1.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Click the "Add exception" button ,and enter the address of the HTTPS server you've just
configured, i.e. https://virtuoso.example.com:4443/</li>
<li>Click OK, and confirm the exception.
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps2.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.1.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Click to the "Your Certificates" tab, and import mycert.p12. </li>
</ol>
</li>
</ol>
<br />
<a name="webserverhttpslistenersetvt" />
<h4>12.1.12.2. Setting Up the Virtuoso HTTPS Listener to host Certificate and Public Key using Virtuoso Conductor</h4>
<ol>
<li>Go to the http://cname:port/conductor URL, enter the DBA user credentials.
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps3.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Go to System Admin->Security
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps4.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Enter the Issuer details:
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps5.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Click Generate
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps6.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Click Configure HTTPS Listeners
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps7.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Edit the new listener, and click "Generate New" key.
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps8.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Click Save
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps9.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
<li>Setting Up Firefox:
<ol>
<li>In the Preferences dialog, open the Advanced tab, and click the "View certificates" button.</li>
<li>Click the "Add exception" button and enter the address of the HTTPS server you've just
configured, i.e. https://virtuoso.example.com:443/
</li>
<li>Click OK, and confirm the exception.
<table class="figure" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img alt="HTTPS Listener" src="../images/ui/htps10.png" />
</td>
</tr>
<tr>
<td>Figure: 12.1.12.2.1. HTTPS Listener</td>
</tr>
</table>
</li>
</ol>
</li>
</ol>
<br />
<br />
<table border="0" width="90%" id="navbarbottom">
<tr>
<td align="left" width="33%">
<a href="webappdevelopment.html" title="Web Application Development">Previous</a>
<br />Contents of Web Application Development</td>
<td align="center" width="34%">
<a href="webappdevelopment.html">Chapter Contents</a>
</td>
<td align="right" width="33%">
<a href="wsacl.html" title="Web Services ACL (Access Control List)">Next</a>
<br />Web Services ACL (Access Control List)</td>
</tr>
</table>
</div>
<div id="footer">
<div>Copyright© 1999 - 2009 OpenLink Software All rights reserved.</div>
<div id="validation">
<a href="http://validator.w3.org/check/referer">
<img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!" height="31" width="88" />
</a>
<a href="http://jigsaw.w3.org/css-validator/">
<img src="http://jigsaw.w3.org/css-validator/images/vcss" alt="Valid CSS!" height="31" width="88" />
</a>
</div>
</div>
</body>
</html>
distrib
>
Fedora
>
14
>
x86_64
>
media
>
updates
>
by-pkgid
>
71d40963b505df4524269198e237b3e3
>
files
>
995
