NetWare Web Server 2.51 Release Document README.TXT Copyright (c) 1995, 1996 Novell, Inc. All Rights Reserved. THIS WORK IS SUBJECT TO U.S. AND INTERNATIONAL COPYRIGHT LAWS AND TREATIES. NO PART OF THIS WORK MAY BE USED, PRACTICED, PERFORMED, COPIED, DISTRIBUTED, REVISED, MODIFIED, TRANSLATED, ABRIDGED, CONDENSED, EXPANDED, COLLECTED, COMPILED, LINKED, RECAST, TRANSFORMED, OR ADAPTED WITHOUT THE PRIOR WRITTEN CONSENT OF NOVELL, INC. ANY USE OR EXPLOITATION OF THIS WORK WITHOUT AUTHORIZATION COULD SUBJECT THE PERPETRATOR TO CRIMINAL AND CIVIL LIABILITY. DISCLAIMER Novell, Inc. makes no representations or warranties with respect to this software, and specifically disclaims any express or implied warranties of merchantability, title, or fitness for a particular purpose. Distribution of this software is forbidden without the express written consent of Novell, Inc. Novell will not be responsible for any data loss that might result from implementing this software. Novell strongly recommends a backup be made before installing this software. ****************************************************************** CAUTION ****************************************************************** Always back up your system before implementing any program/utility revision involving the low-level functions of NetWare, including re-linking of operating system .OBJ files, bindery utilities, and drive and volume operation. ****************************************************************** CONTENTS ****************************************************************** Welcome to the NetWare Web Server 2.51 product! This document contains last-minute information that is not included in the documentation. It includes the following sections: Installing the Product Server requirements NetWare Language Support Running the Administration Utility (WEBMGR.EXE) Workstation Requirements NDS Login Using the Network Button Configuring the Product Setting the NetWare Rights Checking the SYS:ETC\RESOLV.CFG File Adding New Icons Perl Interpreter Limitations Running the Product with Other Software Compatibility With the FTPSERV NLM SFT III Support DBCS Compatibility MPR 3.1 Compatibility Accessing the Online Documentation Performance Tuning PTFs Adjusting the Maximum Number of Threads User Access Control Resrict Access to All Valid Users Restrict Using Individual Users' Names Restrict Access Using User Groups Script Security Controllng Access to LCGI NLMs Restrictions and Known Problems WEBMGR.EXE Deletion of Comments in *.CFG Files Adding the NetBasic LoadableModule Directive for Upgrades ====================== Installing the Product ====================== Server Requirements ================================================ * CPU: Intel Pentium-, 80486-, 80386-based PC (80486 or higher recommended). * File Storage: Hard disk with minimum 3 MB available for the product software (not including storage for user-supplied hypertext documents). * Memory: 16 MB total RAM. * Network Operating System: NetWare 4.11. * The TCPIP NLM must be configured and loaded. NetWare Language Support ======================== NetWare Web Server 2.51 only supports the English language. When you install NetWare Web Server on a NetWare server with the LANGUAGE parameter set to French, Italian, German, or Spanish, the NetWare Web Server installation module will automatically load using English. There is no need for you to change the LANGUAGE parameter value. =============================================== Running the Administration Utility (WEBMGR.EXE) =============================================== Workstation Requirements ======================== * CPU: Intel Pentium-, 80486-, or 80386-based PC. * File Storage: Hard disk with minimum 1 MB available. * Memory: At least 8 MB RAM. * Operating System: Windows 3.1, Windows for Workgroups 3.11, or Windows 95. * Network Protocols: NetWare client (VLM or Client 32). WinSock 1.1 compliant TCP/IP stack. NDS Login ========= In order to restrict directory access to authenticated NDS users, you must be logged in to the NDS tree containing the Web Server before you launch the administration utility (WEBMGR.EXE). If you are not logged in to NDS, the Network users list will be empty. Using the Network Button ======================== If you notice that the Network button does not work inside the administration utility (WEBMGR.EXE), you may have an old COMMDLG.DLL in the C:\WINDOWS or C:\WINDOWS\SYSTEM directory. If you have a newer version of this DLL, you can simply delete the old version. If you only have the old version, you must delete the old COMMDLG.DLL and install a newer version to get the Network button to work. ======================= Configuring the Product ======================= Setting the NetWare Rights ========================== To maintain the security of your server, you should set the NetWare rights as follows: * Set the rights to the \CONFIG directory (SYS:WEB\CONFIG by default) so that the people responsible for administering the Web server are the only people with rights to this directory. * Set the rights to the scripts directories (SYS:WEB\SCRIPTS, SYS:WEB\SCRIPTS\PERL and any other script or extension directories you create) so that only people responsible for writing, managing, or editing the scripts have appropriate rights to these directories. Checking the SYS:ETC\RESOLV.CFG File ==================================== If there is a SYS:ETC\RESOLV.CFG file on your server, the Web server will automatically try to query the DNS name servers listed in the file. If DNS is not used on your network or the RESOLV.CFG file is incorrect, you will notice delayed response times on your Web server. Therefore, if your server has a SYS:ETC\RESOLV.CFG file you should make sure that * DNS is used on your network * The SYS:ETC\RESOLV.CFG file syntax is correct * The DNS name servers listed in the file are up and running Adding New Icons ================ The NetWare Web Server includes default icons for use with the automatic directory indexing feature. You can map your own icons to specific filename extensions by adding the following directive to the SYS:WEB\CONFIG\SRM.CFG file: AddIcon /icons/name_of_icon_file .filename_extension You can add as many AddIcon directives as you want. You can also use this directive to change the icon that is displayed for files with a specific filename extension. ============================ Perl Interpreter Limitations ============================ The Perl Interpreter NLM has the following functional limitations: * The chmod function can only be used to set file permissions to 0x000 (read only) or 0x777 (read write). * The opendir and readdir functions are currently unsupported. ======================================= Running the Product with Other Software ======================================= Compatibility With the FTPSERV NLM ================================== The FTPSERV.NLM provided in the NetWare NFS Services and NetWare UNIX Print Services products does not support requests from Web browsers. If you are running one of these products and would like to receive an updated FTPSERV.NLM that fixes this problem, contact your Novell Authorized Support Center or get the file FTP198.EXE from NetWire or the Novell's Support Web Server at http://support.novell.com/ SFT III Support =============== This product is compatible with SFT III. DBCS Compatibility ================== The NetWare Web Server can serve DBCS documents. However, the server will not perform any translation. Therefore, the function of RCGI extensions in DBCS environments is currently undefined. MPR 3.1 Compatibility ===================== If you are running the Multi Protocol Router 3.1 in conjunction with the Web Server, improve Web Server performance by downloading and installing the MPR31A.EXE patch. ================================== Accessing the Online Documentation ================================== The NetWare Web Server publishes both static and dynamic documents. The Dynamic Web Page Programmer's Guide is an HTML document describing how to create dynamic documents and publish them on the Web Server. It includes information on creating dynamic web pages using BASIC and Perl scripts, NLMs written to the Remote Common Gateway Interface (RCGI), and NLMs written to the Local Common Gateway Interface (LCGI). The guide is available on the Web Server CD (file:///CD_DRIVE:/products/webserv/disk1/web/docs/online/wpguide/index.htm where CD_DRIVE is the drive letter of the CD_ROM). It is also available on the Web Server (http://SERVER/online/wpguide/index.htm where SERVER is the server's hostname or IP address). ================== Performance Tuning ================== PTFs (Product Temporary Fix) ============================ When running the Web Server in SMP environments, make sure you have installed all the current SMP PTFs. Additionally, if you have enabled the NDS browser, you should make sure you have all the current Directory Service (DS) PTFs installed. If you experience out of memory errors, you may achieve better performance by adjusting the maximum number of threads. You can search for and download PTFs from Novell's Support Web Site at http://support.novell.com/home/ Adjusting the Maximum Number of Threads ======================================= The MaxThreads parameter is defined in the HTTPD.CFG file found in SYS:WEB\CONFIG directory. The MaxThreads parameter can be changed to enhance the Web Server performance. Valid values are 1 to 256. The default is 16. You can adjust the MaxThreads value to suit your network environment. Before adjusting the MaxThreads, you should carefully consider the ramifications of increasing the MaxThreads. Increasing the value does not necessarily increase performance. In fact, it could decrease performance and available memory on the server as each thread is processed by the Web Server and has acquired memory. You should consider the following when adjusting MaxThreads: * The memory available on the server. * That each thread acquires approximately 30K of memory. * The expected load on the Web Server (number of inbound requests for the Web Server to service). * Whether any Perl, BASIC, RCGI, or LCGI programs are supported. (These processes may use additional threads or memory.) * The memory and processing requirements of any NetWare or third-party products that are also installed on the server. * Any additional memory required by the server to support long file names. To determine an appropriate setting, set up your Web Server and monitor the Peak Requests field of the Web Server Console Information Log for a reasonable period (a week). This field lists a value in the form A/B, where A is the maximum number of concurrent requests handled by the Web Server since it has been running and B is the current MaxThreads setting. If you set the MaxThreads equal to the A value, the Web Server should have adequate threads to handle its peak load. You may also want to define a few extra threads if you anticipate a future increase in load. =================== User Access Control =================== There are three different methods for restricting global directory access using NDS authentication: 1. Restrict access to all valid users 2. Restrict access using individual user names 3. Restrict access using user groups These restriction methods are mutually exclusive. Choose one method and use only that method. For local directory access control, please refer to the sample ACCESS.WWW file in the WEB\SAMPLES\CONFIG directory. Restrict Access to All Valid Users ================================== To restrict access to all valid users, start the WEBMGR.EXE administration utility, go to the User Access tab, and check the "All valid users" check box. To eliminate the need for all users to have to type in the fully-qualified user name, you can manually edit the AuthUserMethod line in the ACCESS.CFG file and specify a user context, such as "AuthUserMethod nds .eng.icd.novell". AuthUserMethod defines the default authentication context so that end-users do not have to key it in at the user name and password prompt. However, if different users belong to different contexts, choose the context that the majority of the users are in and define that context in the AuthUserMethod line. Users not in the defined context will have to key in the fully-qualified user name (preceded with a dot), such as ".jsmith.eng.icd.novell". If you use this method, you should not use the individual user name method or the user group method. Restrict Access Using Individual User Names ============================================= Use this method only when the number of users is less than 25 and all users belong to the SAME NDS context. To restrict access using individual user names, start the WEBMGR.EXE administration utility, go to the User Access tab, type in the NDS context (same for all the users), and select no more than 25 users. If you restrict access using this method, when a user reads a restricted directory and is prompted for the user name and password, the user can key in just the user name. The NDS context is not needed. If you use this method, you should not use the all valid users method or the user group method. Restrict Access Using User Groups ================================= To restrict access using user groups, a user group must first be defined using NetWare NWADMIN utility. To enable this user group, manually edit the ACCESS.CFG file, adding the following two lines in the appropriate place. AuthGroupMethod nds .ou1.ou2.o Require group .groupname.context The AuthGroupMethod defines the default authentication context so that end-users do not have to key it at the user name and password prompt. However, if a user group consists of users in different contexts, choose the context that the majority of the users are in and define that context in the AuthGroupMethod line. Users in a different context will have to key in the fully-qualified user name. The Require group line simply defines the user group. The user group name should be in the fully-qualified format and preceded by a dot(.). For example, to restrict access to the web\docs directory to the user group techies.icd.novell which consists of users mostly from the context of .eng.icd.novell, the following lines should be in the section: AuthType Basic AuthName local AuthGroupMethod nds .eng.icd.novell Require group .techies.icd.novell If you use this method, you should not use the all valid users method or the individual user name method. =============== Script Security =============== As scripts allow users to run processes on your server, it is important to implement proper security measures for all scripts on your server. Implement the following measures to ensure security: * Access to all directories containing scripts should be strictly controlled. Only the people responsible for writing, managing, and editing scripts should have read and write rights to the script directories (SYS:WEB\SCRIPTS, SYS:WEB\SCRIPTS\PERL, SYS:NETBASIC\WEB, and any other script directories you create). * Only authorized scripts should be placed in the script directories. Authorized scripts should be throughly tested and debugged before being released into a production environment. * Scripts should be designed and written with security in mind and should access resources on the server in ways that do not jeopardize the security of the server. ============================== Controllng Access to LCGI NLMs ============================== The NetWare Web Server provides a special method to restrict access to LCGI programs, such as NetBasic and NDS Object Browser. To restrict access to LCGI programs, create an ACCESS.WWW file in the directory where the LCGI program resides. When a user requests an LCGI server extension in this directory, he will be prompted for a userid and password. It is important to note, once a user is authenticated to use the NetBasic LCGI extension, full access to all available NetBasic scripts is allowed. You cannot selectively place access control on different NetBasic scripts. Once a user is authenticated to use the NDS Object Browser, browsing to all available trees in NDS and all public object information is allowed. Refer to the User Access Control section for details on how to set up the ACCESS.WWW file. By default, access to NetBasic is not restricted. When NDS browsing is enabled from the WEBMGR, access is not restricted. =============================== Restrictions and Known Problems =============================== WEBMGR.EXE Deletion of Comments in *.CFG Files ============================================== The administration utility (WEBMGR.EXE) does not support user comments in *.CFG files. If you manually edit these files and add comments by preceding lines with a pound sign (#), these lines will be deleted when you run the WEBMGR utility. A set of sample *.CFG files with full comments is provided in the WEB\SAMPLES\CONFIG\ directory. Adding the NetBasic LoadableModule Directive for Upgrades ========================================================= If you are upgrading to Web Server 2.51, in order to allow users to issue requests to NetBasic scripts, you must manually edit the SRM.CFG file and add a LoadableModule directive to map URL requests to the NetBasic NLM (CGI2NMX.NLM). Add the following directive to the SRM.CFG file: LoadableModule /netbasic/ sys:web/lcgi/netbasic/cgi2nmx.nlm