FAQ on Web Server Configuration

1. I need a http-listener that responds to both IPv4 and IPv6.

I have a http-listener configured for *:[port] in Sun Java System Web Server 7.0. However, in netstat output it's not listening on the IPv6 IP address. If I force it to my IPv6 address it works, but I can't get it to listen on the IPv4 interface at all then. I don't really want to have to configure multiple virtual servers to have multiple listeners if we don't have to.

When a listener has both <ip>*</ip> and <family>inet6</family>, as shown below, it works for both IPv4 and IPv6 addresses.

<http-listener>
    <name>http-listener-1</name>
    <port>3333</port>
    <server-name>test.sun.com</server-name>
    <ip>*</ip>
    <family>inet6</family>
    <default-virtual-server-name>test</default-virtual-server-name>
</http-listener>

$ netstat -an -f inet | grep 3333
      *.3333               *.*                0      0 49152      0 LISTEN
$ netstat -an -f inet6 | grep 3333
      *.3333               *.*                0      0 49152      0 LISTEN

2. How to bind Web Server to listen to a particular IP address?

A default installation of Sun Web Server 7 will create a configuration with a default virtual server and a default HTTP listener that listens on all IP addresses. This should work fine on most configurations. However, system administrators installing Sun Web Server 7 on a system with more than 1 Ethernet interface may prefer to bind the server so that it listens and responds only to connections coming in on one IP address.

For example, consider a system with 2 Ethernet interfaces, where one is connected to the intranet and the other to an external network. In this case, the site administrator may want to configure the web server to listen on only 1 IP address (say, the external network).

This is easily done through the Web Server 7 Administration CLI. For an extensive reference on the Administration Server CLI, please refer to the CLI command reference manual.

Note: To list all the available properties of an HTTP listener, you could run the following command

/sun/webserver7/bin/wadm get-http-listener-prop --user=admin --config=<hostname>  --http-listener=http-listener-1

Now, to actually bind Sun Web Server 7's HTTP listener to a particular IP address, run something like:

/sun/webserver7/bin/wadm set-http-listener-prop --user=admin --config=<hostname>  --http-listener=http-listener-1   ip=<ip address>
/sun/webserver7/bin/wadm deploy-config --user=admin <hostname>

Finally, administrators who are unsure of the listener names, or who want the list of listeners configured for their virtual server(s), can run other CLI commands to get this information:

/sun/webserver7/bin/wadm list-virtual-servers --user=admin --config=<hostname>
/sun/webserver7/bin/wadm get-virtual-server-prop --user=admin --config=<hostname>  --vs=<hostname>

3. How do I combine two sed-response filter statements into one?

I have two sed Output filters and want them executed as a single filter:

Output type="text/html"
       fn="insert-filter"
       filter="sed-response"
       sed="s|https://test.sun.com|$server_url|g"
Output type="text/html"
       fn="insert-filter"
       filter="sed-response"
       sed="s|http://test.sun.com|$server_url|g"

You can specify more than one sed parameter to the sed-response SAF:

Output type="text/html"
    fn="insert-filter"
    filter="sed-response"
    sed="s|https://test.sun.com|$server_url|g"
    sed="s|http://test.sun.com|$server_url|g"

Or they can be combined into one:

Output type="text/html"
    fn="insert-filter"
    filter="sed-response"
    sed="s|http[s]*://test.sun.com|$server_url|g"

It is often helpful to get the sed patterns working as expected from the command line before integrating them into Sun Java System Web Server 7.0's obj.conf file:

% echo "HELLO HELO HELP" | sed -e 's/HELL?O/XXX/g'
HELLO HELO HELP

% echo "HELLO HELO HELP" | sed -e 's/HEL[L]O/XXX/g'
XXX HELO HELP

% echo "HELLO HELO HELP" | sed -e 's/HEL[L]*O/XXX/g'
XXX XXX HELP

4. Using <If> conditions to redirect requests from a non-secure http-listener to a secure one ends up not redirecting the entire URI.

When I send a request to http://test.sun.com/dir1/redir.jsp?url=http://test.sun.com/file2, it directs to https://test.sun.com/dir1/redir.jsp instead of https://test.sun.com/dir1/redir.jsp?url=http://test.sun.com/file2. My obj.conf has:

<If not $security
    and $urlhost='test.sun.com'
    and $uri =~ "^/dir1/(.*)">
  NameTrans fn="redirect" url="https://test.sun.com/dir1/$1"
</If>

A little more checking of the request and changing the variables used in the redirect achieves the desired redirection:

<If not $security
    and $urlhost = "test.sun.com"
    and $query !~ " "
    and $path =~ "/redir.jsp">
  NameTrans fn="redirect"
      url="https://$urlhost/dir1/redir.jsp?$query"
</If>

In this particular case the desired effect could be achieved even more simply:

<If not $security
    and $urlhost = "test.sun.com">
  NameTrans fn="redirect"
      from="/"
      url-prefix="https://$urlhost/"
</If>

5. How can I disable ETag from the response header?

Sun Java System Web Server by default only includes the file size and modification time in the e-tag response calculation. e-tag data is used in HTTP to help optimize throughput, so carefully consider whether you need to disable it.

ETag can be removed from HTTP responses by editing the instance/virtual server's obj.conf as follows:

<Object name="default">
...
# Add this line at the end of the Default object,
# taking into account other Output filters that
# may already be present.
Output fn="set-variable" remove-srvhdrs="etag"
</Object>

This change can be dynamically applied to an already running instance by running https-<config>/bin/reconfig.

Note: Since this requires manually editing the obj.conf, there is no Command Line Interface or Graphical User Interface command to automate this modification.

Remember that any manual changes made to the instance configuration files need to be propagated to the admin server configuration repository by running 'pull-config' (http://docs.sun.com/app/docs/doc/820-2204/pull-config-1?l=en&a=view) using the CLI tool, or using the GUI tools. If a configuration is run in a clustered environment (multiple instances), then the GUI or CLI tools can also be used to propagate the changes to the other nodes.

See for reference:
http://docs.sun.com/app/docs/doc/820-2204/get-config-file-1?l=en&a=view
http://docs.sun.com/app/docs/doc/820-2204/set-config-file-1?l=en&a=view

6. How do I enable dynamic content compression?

Use and management of dynamic content compression (using Sun Java System Web Server to compress HTTP payload traffic for user-agents that support this) is described at:

http://docs.sun.com/app/docs/doc/820-2202/gdadv?a=view

and related blogs are available at:

About HTTP compression
Dynamically compressing static files

7. How do I configure cache controls for static files (e.g. all images) within Sun Java System Web Server 7 so that user-agents cache the content for 10 days?

Edit the obj.conf as illustrated below:

<Object name="default">
AuthTrans ...
NameTrans ...

# Add the lines below after the AuthTrans and NameTrans
# directives to set up 10 days of caching from the current access time.
# max-age is given in seconds (864000 = 10 days).
<If $path =~ '^(.*)\.(jpg|jpeg|gif|png)$'>
  ObjectType fn="set-variable"
    insert-srvhdrs="Expires:$(httpdate($time + 864000))"
  PathCheck fn="set-cache-control"
    control="public,private,must-revalidate,max-age=864000"
</If>
...
</Object>

Cache control is described in the documentation here and here.

8. How do I configure Web Server so that I can run at port 80 and still run as a non-root (webservd) user?

On Solaris 10 or above, you can run the following command

    # become root and run the below command
    # /usr/sbin/usermod -K defaultpriv=basic,net_privaddr webservd

On Linux 2.4/2.6 (RedHat Enterprise Linux 3.x, 4.x, 5.x, SuSE 9.x/10.x), you can achieve this with the steps below:

    Install Web Server 7 at port 1024 or above (say 7000)

    Install the iptables applications if they are not already there

         On a RedHat / Fedora based distribution, you would do something like yum install iptables

    Now, configure 'iptables' so that it forwards incoming requests on port 80 to the port Web Server 7 is running on (7000). Please note that this redirection happens at the Linux kernel level and your customers will not know about this translation.

        /sbin/iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 7000
        /sbin/iptables -t nat -A OUTPUT -d <your hostname> -p tcp --dport 80 -j REDIRECT --to-ports 7000
        /sbin/iptables-save

    Finally, make sure iptables starts up by default after a server restart by doing something like below

        chkconfig --level 35 iptables on
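
The redirect can also be generated with both NAT chains covered, shown here as an added example that is not part of the original FAQ: OUTPUT rules only affect connections opened on the host itself, while connections arriving from other machines traverse PREROUTING. Port 7000 (the install port suggested above) and the function names are assumptions, and the persistence path assumes a RedHat-style iptables init script.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the instance listens on
# port 7000; function names are hypothetical.

# is_port N: succeeds if N is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules PRIV_PORT TARGET_PORT
# Prints the iptables commands, one per line, without running them.
redirect_rules() {
    priv=$1
    target=$2
    if ! is_port "$priv" || ! is_port "$target"; then
        echo "ports must be integers in 1..65535" >&2
        return 2
    fi
    if [ "$priv" -ge 1024 ]; then
        echo "port $priv is not privileged; bind to it directly" >&2
        return 2
    fi
    # The non-root instance can only bind an unprivileged port.
    if [ "$target" -lt 1024 ]; then
        echo "target port $target needs root to bind" >&2
        return 2
    fi
    # PREROUTING handles connections arriving from other machines.
    echo "/sbin/iptables -t nat -A PREROUTING -p tcp --dport $priv -j REDIRECT --to-ports $target"
    # OUTPUT handles connections opened on this host (loopback traffic).
    echo "/sbin/iptables -t nat -A OUTPUT -o lo -p tcp --dport $priv -j REDIRECT --to-ports $target"
}

# apply_rules PRIV_PORT TARGET_PORT: run the rules as root and persist them.
apply_rules() {
    rules=$(redirect_rules "$1" "$2") || return 2
    echo "$rules" | while IFS= read -r rule; do
        $rule || exit 1
    done || return 1
    # Assumption: RedHat-style init script that restores this file at boot.
    /sbin/iptables-save > /etc/sysconfig/iptables
}

# Nothing is changed unless explicitly requested.
if [ "${APPLY_REDIRECT:-0}" = "1" ]; then
    apply_rules 80 7000
fi
```

Run it as root with APPLY_REDIRECT=1 to install the rules; without it the script only defines the functions, so redirect_rules can be used to review the commands first.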

9. Why am I seeing 'Error creating socket (No access rights)' when trying to start Web Server as a non-root user on port 80 on Solaris 10, even after executing usermod to alter the user privilege?

The Web Server was installed by root and both the Administration Server and the default Web Server instance were configured to run as the webservd user.  After installation the Administration Server was started.  To allow the default instance to be started on port 80 by the webservd user the following command was then executed:

   usermod -K defaultpriv=basic,net_privaddr webservd

However even after running this the Administration Server and the wadm command line interface could not start the default server instance and the following error was seen:

HTTP3127: http-listener-1: http://server:80: Error creating socket (No access rights)
HTTP3094: 1 listen sockets could not be created

The solution is to restart the Administration Server when logged in as the chosen non-root user (in this case webservd) after the usermod command has been run.
 

10. What is Chunked transfer encoding and how to enable Chunked transfer encoding within Web Server?

Refer to http://developers.sun.com/webtier/reference/techart/chunked_req.html

<If $code == 404 and
not -U $uri and
-U lc($uri)>
Error fn="redirect" url="$(lc($uri))"
</If>

 

11. Getting an error - Error evaluating expression: Reference to undefined variable " $headers { 'user-agent' } " - if we add <If $headers { 'user-agent' } =~ "foo" > in obj.conf in Sun Java System Web Server 7.0.

The wrong way of doing this is:

    <If $headers{'user-agent'} =~ "foo">
    ...
    </If>

The correct way of doing this is:

    <If defined $headers{'user-agent'} and $headers{'user-agent'} =~ "foo">
    ...
    </If>

OR

    <If defined $browser =~ "foo">
    ...
    </If>

12. I need to get Web Server 7 to look for URIs case insensitively.

Edit your virtual server specific obj.conf so that the following change is made:

     <Object name="default">
     AuthTrans ..
     NameTrans ...
     <If not -U $uri>
     <If -U lc($uri)>
     Error fn="redirect" url="$(lc($uri))"
     </If>
     <Else>
     <If -U uc($uri)>
     Error fn="redirect" url="$(uc($uri))"
     </If>
     </Else>
     </If>
     </Object>

13. How to customize the Expires header?

With Web Server 6.1, to set the "Expires" header, one needs to add the following directives by editing the obj.conf:

Output type="application/x-javascript" fn="set-variable" set-srvhdrs="Expires: Mon, 12 May 2008 00:00:00 GMT"
Output type="image/*" fn="set-variable" set-srvhdrs="Expires: Mon, 12 May 2008 00:00:00 GMT"
Output type="text/*" fn="set-variable" set-srvhdrs="Expires: Mon, 12 May 2008 00:00:00 GMT"

However, if one wants to be able to dynamically set the "Expires" date, then one will need to use a custom NSAPI plugin. A sample NSAPI plugin to do this job is available from http://blogs.sun.com/walter/entry/nsapi_code_to_add_expires

With Web Server 7, one could use the httpdate function to generate a dynamic date, as below:
ObjectType fn="set-variable" insert-srvhdrs="Expires: $(httpdate($time + 86400))"

For more information, please refer to the Web Server 7 documentation:
http://docs.sun.com/app/docs/doc/820-2203/gbywa?a=view

14. How to disable cookie encoding within the web container?

You will need to create/edit the sun-web-app.xml file within your WEB-INF directory so that the file looks something like:

<sun-web-app>
<property name="encodeCookies" value="false" />
..
</sun-web-app>

Since this file is part of your web application, it has to be edited manually; this is not possible within the Administration Server GUI or CLI. You can either directly edit the sun-web-app.xml within your deployed web app directory, or (re)package your web application and deploy it to the container.

15. I've upgraded to Web Server 7.0 Update 2 or later and my ppath objects aren't being processed.

Request-Processing Changes in Web Server 7.0u2

With the release of Web Server 7.0 Update 2, a longstanding bug was fixed in the Web Server's request processing engine. The fix changed the order in which Web Server processes objects and directives in the server's obj.conf configuration file. As a result, a small number of customers who upgrade from versions of Web Server prior to 7.0 Update 2 to Update 2 or later will need to make minor changes to their obj.conf files.
The purpose of this blog entry is to show when changes to obj.conf might be required and how to make them.

Background

The fix that changed request processing was made to address bug 6531784, described as "Server can skip ppath-based objects". Previously, a URI in an incoming request could change before that URI was evaluated against all of the objects that might apply within a given pass through the obj.conf. The approach taken to address bug 6531784 fixes the problem by doing a look-ahead and assembling a list of all URIs that apply to a request before beginning a pass to process appropriate directives.

The following example shows a valid obj.conf, which the Web Server would fail to process correctly prior to this fix. When Web Server received a request for the URI /.perf, it would fail to match the ppath object, resulting in Web Server erroneously returning a 404 (Request URI Not Found) status code.

Example that was fixed by change to request processing
    ....
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    NameTrans fn="document-root" root="/export/webserver7/https-jwsse1522.red.iplanet.com/docs"
    PathCheck fn="unix-uri-clean"
    ....

    <Object ppath="/.perf">
    Service fn="service-dump"
    </Object>

Starting with Web Server 7.0 Update 2, the above object would correctly match an incoming request for URI /.perf

The fix to the above issue has caused request processing to follow the originally-intended design, which says that a matching named object will take precedence (be processed first) over a matching ppath object.

The effect of the above changes is that a small number of users who upgraded from earlier versions of Web Server 7.0 to Web Server 7.0 update 2 and beyond will need to make changes to their obj.conf files to make them work properly with the Web Server's corrected behaviour.

Examples of Configurations Requiring Changes
To explain more about when changes are necessary, we'll take a couple of simple examples.

In this first example, when using Web Server 7.0 or 7.0 Update 1, requests with a URI containing either "/examplesWebApp/" or "/ejemploWebApp/" would invoke the WebLogic proxy plugin (Service fn=wl_proxy, in the ppath objects):

Example showing behaviour change
    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    NameTrans fn="pfx2dir" from="/mc-icons" dir="/var/docs/icons" name="es-internal"
    PathCheck fn="uri-clean"
    PathCheck fn="check-acl" acl="default"
    PathCheck fn="find-pathinfo"
    PathCheck fn="find-index-j2ee"
    PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
    ObjectType fn="type-j2ee"
    ObjectType fn="type-by-extension"
    ObjectType fn="force-type" type="text/plain"
    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    Service method="TRACE" fn="service-trace"
    Error fn="error-j2ee"
    AddLog fn="flex-log"
    </Object>

    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>

    <Object ppath="*/examplesWebApp/*" >
    Service fn=wl_proxy WebLogicHost=jwsse10.red.iplanet.com WebLogicPort=7001
    </Object>

    <Object ppath="*/ejemploWebApp/*">
    Service fn=wl_proxy WebLogicHost=jwsse10.red.iplanet.com WebLogicPort=7002
    </Object>

Beginning with Web Server 7.0 Update 2, the wl_proxy service would not be invoked in the case where an explicit JSP name is appended to the URI. The reason is that the presence of the .jsp extension would cause the request to be assigned the name "j2ee" from executing the ntrans-j2ee NameTrans. The name assignment, since named objects now take precedence over ppath objects, will cause the "j2ee" object to be evaluated before the ppath objects, with the result that a request that would have formerly been passed to the WebLogic proxy will now be passed to the local web container for processing. The final result would be the return of a 404 to the client, since the requested content resides on a remote WebLogic server and isn't accessible through the local web container.

To fix the above problem, a conditional can be put around the ntrans-j2ee NameTrans.

An approach which works, and which may reduce changes to the customer obj.conf, is to surround the ntrans-j2ee NameTrans in the default object with a conditional which allows ntrans-j2ee to be executed only when the request does not match one of the problem URIs:

Using IF directive
    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    <IF $uri !~ ".*WebApp/.*" >
    NameTrans fn="ntrans-j2ee" name="j2ee"
    PathCheck fn="find-index-j2ee"
    ObjectType fn="type-j2ee"
    Error fn="error-j2ee"
    </IF>
    NameTrans fn="pfx2dir" from="/mc-icons" dir="/export4/matthew/ws70/7.0.2/instance/lib/icons" name="es-internal"
    PathCheck fn="uri-clean"
    PathCheck fn="check-acl" acl="default"
    PathCheck fn="find-pathinfo"
    PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
    ObjectType fn="type-by-extension"
    ObjectType fn="force-type" type="text/plain"
    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    Service method="TRACE" fn="service-trace"
    AddLog fn="flex-log"
    </Object>

    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>

    <Object ppath="*/examplesWebApp/*" >
    Service fn=wl_proxy WebLogicHost=jwsse10.red.iplanet.com WebLogicPort=7001
    </Object>

    <Object ppath="*/ejemploWebApp/*">
    Service fn=wl_proxy WebLogicHost=jwsse10.red.iplanet.com WebLogicPort=7002
    </Object>

In the above example, no J2EE components of Web Server will be invoked if the URI matches the pattern(s) in the conditional.

From the Web Server forum, at forums.sun.com, I'll paraphrase a post from Arvind:

"Another example, for simple cases where there are only a few ppath objects to consider":

Note: this requires changing ppath objects to named objects and using assign-name in the default object to cause them to execute ahead of ntrans-j2ee. One assign-name NameTrans will be required for each current ppath object.

Using assign-name NameTrans
    <Object name="default">
    NameTrans fn="assign-name" from="/examplesWebApp/*" name="examples_proxy"
    NameTrans fn="assign-name" from="/ejemploWebApp/*" name="ejemplo_proxy"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    ....rest of stuff here
    </Object>

    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>

    <Object name="examples_proxy" >
    Service fn=wl_proxy WebLogicHost=jwsse10.red.iplanet.com WebLogicPort=7001
    </Object>

    <Object name="ejemplo_proxy">
    Service fn=wl_proxy WebLogicHost=jwsse10.red.iplanet.com WebLogicPort=7002
    </Object>

In this example, an assign-name will be done before ntrans-j2ee sees the request, thus it will be handled by the appropriate named object.

"Another choice is to disable the Java web container. If you don't intend to host Java content in the proxying tier this is probably acceptable otherwise I doubt this would be a suitable choice for any deployment."

"The following config (that doesn't have Java enabled) exhibits the same behaviour [this is another way to see the change in request processing]:
mkdir /path_to_your_instance/docs/test
Put a text file there for the purposes of testing
 
"The following obj.conf file has a pfx2dir NameTrans that sends the file and another ppath object that denies existence.

Deny existence
    <Object name="default">
    NameTrans fn="pfx2dir" from="/test" dir="/path_to_your_instance/docs/test" name="sendfile"
    ObjectType fn="force-type" type="text/plain"
    AddLog fn="flex-log"
    </Object>
 
    <Object name="sendfile">
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    </Object>
 
    <Object name="notfound" ppath="*/test/*">
    PathCheck fn="deny-existence"
    </Object>  

"A request for a file under /test will display the contents of the file...."

The object named "sendfile" will take precedence over the ppath object (named "notfound"), since a name has been assigned to the request by the pfx2dir NameTrans.

16. When my Web Server 6.1 obj.conf lines are too long, I can't start Web Server.

Web Server 6.1 allows a maximum line length of 800 characters. If you make longer lines, then Web Server will not start. If you make the change from the admin console, you may see a message like this:

File System Error:
objset_scan returned NULL. Object file corrupt...

In the error log for the server, you'll see something like this:

[15/Aug/2008:13:23:39] config (  620): CORE3185: Invalid configuration: File /export4/ws61dbg/instance/https-jwsse10.red.iplanet.com/config/server.xml, line 19, column 92: HTTP3258: Error processing obj.conf line 13: HTTP2214: unrecognized directive

In this case, don't apply the change.
If you've changed obj.conf directly, then find the line that's too-long and shorten or remove it.

Note: This limit does not exist in Web Server 7.0 and later versions.

17. How to disable Web Server from displaying server information within the response header?

Within Sun Web Server 6.1, one could enter the following line within https-<hostname>/config/magnus.conf and restart the server.

     ServerString  ""

Within Sun Web Server 7, one could do the following

a) Start Web Server 7 Administration Server

     <INSTALL-ROOT>/admin-server/bin/startserv

b) Run the following command line

     <INSTALL-ROOT>/bin/wadm set-http-prop --user=admin --config=<HOSTNAME> server-header=""

     <INSTALL-ROOT>/bin/wadm deploy-config --user=admin  <HOSTNAME>
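
To confirm that the ETag removal (FAQ 5) and the empty server header (this FAQ) actually took effect, the response headers can be checked. The following is an added example, not part of the original FAQ; the function names and the sample header values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# audit_headers: reads a raw response-header block on stdin. Prints one line
# for each of Server / ETag that is still being sent, or "clean" if neither is.
audit_headers() {
    found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')       # tolerate CRLF endings
        [ -n "$line" ] || break                        # blank line ends headers
        case "$line" in
            *:*) ;;
            *) continue ;;                             # status line, no colon
        esac
        # Header names are case-insensitive; normalise before comparing.
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//')
        case "$name" in
            server)
                # Assumption: an empty value discloses nothing and is ignored.
                if [ -n "$value" ]; then
                    echo "Server header still sent: $value"
                    found=1
                fi ;;
            etag)
                echo "ETag header still sent: $value"
                found=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "clean"
    fi
}

# Constructed sample: headers as they might look before the changes.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Sun-Java-System-Web-Server/7.0\r\n'
    printf 'ETag: "1f-48a5b1c2"\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}

# Constructed sample: headers after both changes have been deployed.
sample_after() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}
```

Against a running instance, feed it live headers with `curl -sI http://<host>:<port>/ | audit_headers`.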

18. How to deny existence to robots.txt from accessing the server?

Within Sun Web Server 7, edit the corresponding obj.conf used by the virtual server, and add the following:

<Object name="default">
<If $browser =~ '^[a-z0-9\ ]{15,}$'>
PathCheck fn="deny-existence"
</If>
...
</Object>

19. How to add flash files in web server 6.x?

First add the line below to mime.types, e.g.

hostname> <webserver root>/https-apple/config> grep swf mime.types
type=application/x-shockwave-flash exts=swf

Then save and restart the web server.
You can then add the .swf flash files to your doc root.

Sometimes IE will not play the flash files well if there are any cache-control headers, e.g.
"Cache-control: no-cache", in the web server response.

You can then remove any such line, e.g.

PathCheck fn="set-cache-control" control="no-cache"

from obj.conf, then save and restart.

Copyright 1994-2009 Sun Microsystems, Inc.