Roxen.git / server / base_server / global_variables.pike


Roxen.git/server/base_server/global_variables.pike:1:   // This file is part of Roxen WebServer.   // Copyright © 1996 - 2009, Roxen IS. - // $Id: global_variables.pike,v 1.127 2012/05/10 15:53:42 grubba Exp $ + // $Id$      // #pragma strict_types   #define DEFVAR mixed...:object   #define BDEFVAR mixed...:object      #define IN_ROXEN   #include <module.h>   inherit "read_config";   inherit "basic_defvar";   #include <version.h>
Roxen.git/server/base_server/global_variables.pike:19:   {    store( "Variables", variables, 0, 0 );   }      // The following three functions are used to hide variables when they   // are not used. This makes the user-interface clearer and quite a lot   // less clobbered.      private int(0..1) cache_disabled_p() { return !query("cache"); }   private int(0..1) ident_disabled_p() { return [int(0..1)]query("default_ident"); } - #if efun(syslog) + #if constant(syslog)   private int(0..1) syslog_disabled() { return query("LogA")!="syslog"; }   #endif      protected void cdt_changed (Variable.Variable v);   void slow_req_count_changed();   void slow_req_timeout_changed();   void slow_be_timeout_changed();      #ifdef SNMP_AGENT   private int(0..1) snmp_disabled() { return !query("snmp_agent"); }
Roxen.git/server/base_server/global_variables.pike:153:    defvar( "passive_port_max", 65535, LOCALE(321, "Passive port maximum"),    TYPE_INT,    LOCALE(322, "Maximum port number to use in the PASV/EPSV response."));       defvar( "rfc2428_support", 1, LOCALE(518, "Support EPRT/EPSV"),    TYPE_FLAG,    LOCALE(528, "Enable support for the EPRT and EPSV commands (RFC2428)."    "Some firewalls don't handle these commands properly, "    "so depending on your network configuration you may need "    "to disable them. ")); +  +  defvar( "require_starttls", +  Variable.IntChoice +  (0, ([ +  -1: "Disabled", +  0: "Optional", +  1: "Required", +  ]), 0, +  LOCALE(1078, "AUTH TLS"), +  LOCALE(1079, "Whether to require the AUTH TLS command (RFC4217) " +  "before login.")));   }         void set_up_http_variables( Protocol o )   {    function(DEFVAR) defvar = o->defvar;       function do_set_cookie(Protocol o)    {    return lambda() {
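Review bot: The new `require_starttls` choice defaults to `0` ("Optional"), so out of the box a client can presumably still log in without issuing AUTH TLS, and the help text in LOCALE(1079) does not say what any of the three values does. I would spell the choices out in that string, for example `"Disabled: AUTH TLS is not offered. Optional: login is accepted with or without TLS. Required: login is refused until AUTH TLS has succeeded."`, after checking the wording against the protocol code that reads this variable, which is not part of this hunk. It would also help to say whether "Required" covers only the control connection or the data connections as well. The enclosing function starts above the hunk, so I cannot see which protocol object these variables are attached to.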
Roxen.git/server/base_server/global_variables.pike:196:    defvar("set_cookie_only_once", 1,    LOCALE(76, "Logging: Set ID cookies only once"),    TYPE_FLAG,    LOCALE(77, "If set to Yes, Roxen will attempt to set unique browser "    "ID cookies only upon receiving the first request (and "    "again after some minutes). Thus, if the user doesn't allow "    "the cookie to be set, she won't be bothered with "    "multiple requests."),0, do_set_cookie( o ));   }    + protected int hide_if_empty(RequestID id, Variable.Variable var) + { +  return !sizeof(var->query()); + } +    void set_up_ssl_variables( Protocol o )   {    function(DEFVAR) defvar = o->defvar;    -  +  defvar( "ssl_keys", o->CertificateKeyChoiceVariable +  (VAR_NO_DEFAULT, +  LOCALE(1125, "SSL/TLS Certificate(s)"), +  LOCALE(1126, "<p>The TLS certificate(s) to use.</p>\n" +  "<p>Certificate and key files matching the " +  "<b>Global Variables/Settings/Certificate and " +  "Private Key Globs</b> setting " +  "are automatically imported and valid " +  "combinations are listed above.</p>\n" +  "<p>At least one certificate must be selected.</p>\n" +  "<p>The Server Name Indication (SNI) extension sent by the " +  "TLS client will be used to choose a specific certificate " +  "for the connection from the set selected here.</p>\n" +  ))); +  + #if 1 +  // Old-style SSL Certificate variables. +  // FIXME: Keep these around for at least a few major versions (10 years?).    defvar( "ssl_cert_file",    o->CertificateListVariable -  ( ({ "demo_certificate.pem" }), 0, -  LOCALE(86, "SSL certificate file"), -  LOCALE(87, "The SSL certificate file(s) to use. 
" -  "If a path is relative, it will first be " +  ( ({ "demo_certificate.pem" }), VAR_INVISIBLE, +  LOCALE(86, "SSL certificate file(s)"), +  LOCALE(87, "<p>The SSL certificate file(s) to use.</p>\n" +  "<p>This is a list of certificates, " +  "intermediate and root certificates, and " +  "corresponding private key files in any order.</p>\n" +  "<p>If a path is relative, it will first be "    "searched for relative to %s, " -  "and if not found there relative to %s. "))); +  "and if not found there relative to %s.</p>\n")));       defvar( "ssl_key_file",    o->KeyFileVariable -  ( "", 0, LOCALE(88, "SSL key file"), +  ( "", VAR_INVISIBLE, LOCALE(88, "SSL key file"),    LOCALE(89, "The SSL key file to use. If the path is "    "relative, it will first be searched for "    "relative to %s, and if not found there "    "relative to %s. "    "You do not have to specify a key "    "file, leave this field empty to use the " -  "certificate file only."))); +  "certificate file only. " +  "This field is obsolete, since the same setting " +  "can be done in <b>SSL certificate file(s)</b>."))); + #endif +  + #if constant(SSL.Constants.CIPHER_aead) +  // NB: This constant was added a few days after get_suites() in Pike 8.0, +  // and a single day after get_suites() in the backport to Pike 7.8. +  +  // Pike 8.0 or recent Pike 7.8. +  // They have SSL.[Cc]ontext()->get_suites(). +  +  // 112 bits is the minimum strength to still retain the +  // DES-3 suites, which are required in the TLS standards. +  // +  // FIXME: The cipher strength list ought to be generated dynamically +  // from SSL.Constants.CIPHER_effective_keylengths. 
+  defvar("ssl_key_bits", +  Variable.Int(112, 0, +  LOCALE(1080, "Cipher suite minimum effective key strength"), +  LOCALE(1081, +  "<p>The minimum number of effective bits to " +  "secure connections.</p>\n" +  "<p>Common ciphers (subject to availability) " +  "in order of effective key bits as of " +  "December 2015:\n" +  "<dl>\n" +  "<dt>24</dt>\n" +  "<dd>Export RC4 (aka RC4-40)</dd>\n" +  "<dt>32</dt>\n" +  "<dd>Export DES (aka DES-40)</dd>\n" +  "<dt>38</dt>\n" +  "<dd>RC4</dd>\n" +  "<dt>40</dt>\n" +  "<dd>DES</dd>\n" +  "<dt>112</dt>\n" +  "<dd>3-DES (Note that this cipher is the " +  "minimum required cipher in many versions " +  "of TLS)</dd>\n" +  "<dt>128</dt>\n" +  "<dd>AES-128</dd>\n" +  "<dd>Camellia-128</dd>\n" +  "<dt>256</dt>\n" +  "<dd>AES-256</dd>\n" +  "<dd>Camellia-256</dd>\n" +  "<dd>ChaCha20</dd>\n" +  "</dl>\n" +  "</p>\n" +  "<p>Cipher strengths lower than 112 bits are " +  "<b>NOT</b> recommended, and there are RFCs that " +  "prohibit the use of all those suites.</p>\n")))-> +  set_range(0, Variable.no_limit); + #endif +  + #if constant(SSL.ServerConnection) +  // Pike 8.0 and later has much more advanced support for SSL/TLS. 
+  +  defvar( "ssl_password", +  Variable.String("", VAR_INVISIBLE, +  LOCALE(1082, "SSL decryption password"), +  LOCALE(1083, "Optional password to decrypt the " +  "SSL key file(s)."))); +  +  defvar("ssl_suite_filter", +  Variable.IntChoice(0, +  ([ +  0: "Default", +  4: "Ephemeral key exchanges only", +  8: "Suite B (relaxed)", +  12: "Suite B (ephemeral only)", +  14: "Suite B (transitional)", +  15: "Suite B (strict)", +  ]), +  0, +  LOCALE(1084, "Additional suite filtering"), +  LOCALE(1085, "<p>Selects an additional cipher suite " +  "policy.</p>" +  "<p>The supported filter modes are:\n" +  "<dl>\n" +  "<dt>Default</dt>\n" +  "<dd>Use the default cipher suite selection " +  "policy, and allow all cipher suites that " +  "have sufficient strength.</dd>\n" +  "<dt>Ephemeral key exchanges only</dt>\n" +  "<dd>Only allow cipher suites that use a " +  "key exchange with ephemeral keys (aka " +  "\"Perfect Forward Security\"). Ie " +  "either ECDHE or DHE.</dd>\n" +  "<dt>Suite B (relaxed)</dt>\n" +  "<dd>Same as <b>Default</b>, but prefer the " +  "suites specified in <b>Suite B</b>.</dd>\n" +  "<dt>Suite B (ephemeral only)</dt>\n" +  "<dd>Same as <b>Ephemeral key exchanges " +  "only</b>, but prefer the suites specified " +  "in <b>Suite B</b>.</dd>\n" +  "<dt>Suite B (transitional)</dt>\n" +  "<dd>Support only the suites specified by " +  "RFCs 5430 and 6460.</dd>\n" +  "<dt>Suite B (strict)</dt>\n" +  "<dd>Support only the suites specified by " +  "RFC 6460.</dt>\n" +  "</dl>\n" +  "</p>\n" +  "<p>Note: Full Suite B operation is not " +  "supported in all configurations.</p>\n" +  "<p>Note: For full Suite B compliance a " +  "suitable certificate must also be " +  "used.</p>"))); + #endif /* SSL.ServerConnection */ + #if constant(SSL.Constants.PROTOCOL_TLS_MAX) +  mapping(SSL.Constants.ProtocolVersion: string) ssl_versions = ([ +  SSL.Constants.PROTOCOL_SSL_3_0: "SSL 3.0", +  SSL.Constants.PROTOCOL_TLS_1_0: "TLS 1.0 (aka SSL 3.1)", +  ]); + #if 
constant(SSL.Constants.PROTOCOL_TLS_1_1) +  // NB: The symbol may be available, but the Pike binary might be to old... +  for (SSL.Constants.ProtocolVersion v = SSL.Constants.PROTOCOL_TLS_1_1; +  v <= SSL.Constants.PROTOCOL_TLS_MAX; v++) { +  ssl_versions[v] = sprintf("TLS 1.%d", v - SSL.Constants.PROTOCOL_TLS_1_0);    } -  + #endif +  defvar("ssl_min_version", +  Variable.IntChoice(SSL.Constants.PROTOCOL_TLS_1_0, ssl_versions, 0, +  LOCALE(1086, "Minimum supported version of SSL/TLS"), +  LOCALE(1087, "<p>Reject clients that want to use a " +  "version of SSL/TLS lower than the selected " +  "version.</p>\n" +  "<p>Note: SSL 3.0 has been deprecated " +  "in RFC 7568.</p>\n"))); + #endif /* SSL.Constants.PROTOCOL_TLS_MAX */ + }         // Get the current domain. This is not as easy as one could think.   string get_domain(int|void l)   {    string s = "nowhere";    string t;       // FIXME: NT support.   
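Review bot: `ssl_key_bits` ends with `set_range(0, Variable.no_limit)`, so values below 112 stay configurable even though the help text says those strengths are not recommended and are prohibited by RFCs; if no deployment depends on them, consider `set_range(112, Variable.no_limit)`, or keep the range and say in the text that lower values re-enable the export, RC4 and DES suites listed there. Likewise `ssl_min_version` still offers `SSL.Constants.PROTOCOL_SSL_3_0` as a selectable floor right next to the note that RFC 7568 deprecates it, which deserves at least a `// NB:` comment saying why it is kept. In the `ssl_suite_filter` help text the last definition is closed with the wrong tag: `"RFC 6460.</dt>\n"` should be `"RFC 6460.</dd>\n"`. `hide_if_empty()` is added above `set_up_ssl_variables()` but is not referenced anywhere in this hunk, so a one-line comment naming its intended caller would help. The comment `the Pike binary might be to old` should read `too old`.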
Roxen.git/server/base_server/global_variables.pike:520:   Roxen process no longer can read files it previously has written.   The start script attempts to fix this for the standard file locations.</p>"));       defvar("permanent_uid", 0, LOCALE(130, "Change uid and gid permanently"),    TYPE_FLAG,    LOCALE(131, "If this variable is set, Roxen will set it's uid and gid "    "permanently. This disables the 'exec script as user' features "    "for CGI, and also 'access files as user' in the filesystems, but "    "it gives better security."));    -  defvar("ModuleDirs", roxenloader.default_roxen_module_path, +  defvar("ModuleDirs", ({ "$LOCALDIR/modules/", "modules/" }),    LOCALE(132, "Module directories"),    TYPE_DIR_LIST,    LOCALE(133, "This is a list of directories where Roxen should look "    "for modules. Can be relative paths, from the "    "directory you started Roxen. "    "The directories are searched in order for modules."));    -  +  defvar("CertGlobs", ({ "*.pem", "certs/*.pem" }), +  LOCALE(1127, "Certificate and Private Key Globs"), +  TYPE_STRING_LIST, +  LOCALE(1128, "<p>This is a list of globs for which corresponding files " +  "will automatically be imported into the certificate " +  "database on server start.</p>\n" +  "<p>It may be left empty, in which case any certificates " +  "to use will need to be added by hand.</p>\n")) +  ->set_changed_callback(lambda() { +  roxenp()->background_run(0, roxenp()->scan_certs); +  }); +     defvar("Supports",    Variable.Text( "#include <etc/supports>\n",    VAR_MORE, LOCALE(134, "Client supports regexps"),    LOCALE(135, "What do the different clients support?\n<br />"    "The default information is normally fetched from the file "    "server/etc/supports in your Roxen directory.") ) )    -> add_changed_callback( lambda(Variable.Text s) {    roxenp()->initiate_supports();    cache.cache_expire("supports");    } );       defvar("audit", 0, LOCALE(136, "Logging: Audit trail"),    TYPE_FLAG,    LOCALE(137, "If 
Audit trail is set to Yes, all changes of uid will be "    "logged in the Event log."));    - #if efun(syslog) + #if constant(syslog)    defvar("LogA", "file", LOCALE(138, "Logging: Debug log method"),    TYPE_STRING_LIST|VAR_MORE,    LOCALE(139, "What method to use for the debug log, default is file, "    "but "    "syslog is also available. When using file, the output is really"    " sent to stdout and stderr, but this is handled by the "    "start script."),    ({ "file", "syslog" }));       defvar("LogSP", 1, LOCALE(140, "Logging: Log PID"),
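Review bot: The `CertGlobs` default `({ "*.pem", "certs/*.pem" })` makes the server import every matching file into the certificate database on start, but the help text never says which directory the globs are resolved against, so an administrator cannot tell which directories must be writable only by trusted accounts. I would add a sentence to LOCALE(1128) naming the base directory and stating that matching private keys are imported too; the title says so, the body only mentions certificates. This variable is wired with `->set_changed_callback(...)` while `Supports` just below uses `-> add_changed_callback(...)`; if the `set_` form replaces callbacks registered elsewhere, `add_changed_callback` would be the consistent choice, which is worth confirming. The `ModuleDirs` default now hard-codes `"$LOCALDIR/modules/"` in place of `roxenloader.default_roxen_module_path`, and a short comment saying where `$LOCALDIR` gets expanded would help the next reader.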
Roxen.git/server/base_server/global_variables.pike:590: Inside #if efun(syslog)
   "All: Everything<br />"),    ({ "Fatal", "Errors", "Warnings", "Debug", "All" }),    syslog_disabled);       defvar("LogNA", "Roxen", LOCALE(148, "Logging: Log as"),    TYPE_STRING,    LOCALE(149, "When syslog is used, this will be the identification "    "of the Roxen daemon. The entered value will be appended to "    "all logs."),    0, syslog_disabled); - #endif // efun(syslog) + #endif // constant(syslog)       v = Variable.Flag (0, 0,    LOCALE(534, "Logging: Dump threads by file polling"),    LOCALE(535, #"\   <p>This option can be used to produce dumps of all the threads in the   debug log in situations where the Administration Interface doesn't   respond.</p>      <p>It works by checking for a file called \"<i>&lt;config   name&gt;</i>.dump_threads\" in the same directory as the debug log.
Roxen.git/server/base_server/global_variables.pike:717: Inside #if defined(THREADS)
   "<p>Please note that even if this is one, Roxen will still "    "be able to serve multiple requests, using a select loop based "    "system.\n"    "<i>This is quite useful if you have more than one CPU in "    "your machine, or if you have a lot of slow NFS accesses.</i></p>"    "<p>Do not increase this over 20 unless you have a "    "very good reason to do so.</p>"));   #endif // THREADS      #ifndef __NT__ -  defvar("abs_engage", 0, LOCALE(154, "Auto Restart: Enable Anti-Block-System"), +  defvar("abs_engage", 0, LOCALE(154, "Auto Maintenance: Enable Anti-Block-System"),    TYPE_FLAG|VAR_MORE,    LOCALE(155, "If set, the anti-block-system will be enabled. "    "This will restart the server after a configurable number of minutes if it "    "locks up. If you are running in a single threaded environment heavy "    "calculations will also halt the server. In multi-threaded mode bugs such as "    "eternal loops will not cause the server to reboot, since only one thread is "    "blocked. In general there is no harm in having this option enabled. "));          -  defvar("abs_timeout", 5, LOCALE(156, "Auto Restart: ABS Timeout"), +  defvar("abs_timeout", 5, LOCALE(156, "Auto Maintenance: ABS Timeout"),    TYPE_INT_LIST|VAR_MORE,    LOCALE(157, "If the server is unable to accept connection for this many "    "minutes, it will be restarted. 
You need to find a balance: "    "if set too low, the server will be restarted even if it's doing "    "legal things (like generating many images), if set too high you might "    "get a long downtime if the server for some reason locks up."),    ({1,2,3,4,5,10,15,30,60}),    lambda() {return !query("abs_engage");});   #endif // __NT__    -  +  defvar("auto_fetch_rxps", 0, +  LOCALE(1088, "Auto Maintenance: Enable Automatic Patch import"), +  TYPE_FLAG, +  LOCALE(1089, "Automatically fetch and import patches to the server " +  "from www.roxen.com.")); +     defvar("locale",    Variable.Language("Standard", ({ "Standard" }) +    Locale.list_languages("roxen_config"),    0, LOCALE(158, "Default language"),    LOCALE(159, "Locale, used to localize all "    "messages in Roxen. Standard means using "    "the default locale, which varies "    "according to the values of "    "the 'LC_MESSAGES' and 'LANG' environment "    "variables.")))
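Review bot: The help text for `auto_fetch_rxps` says patches are fetched and imported from www.roxen.com but says nothing about how their origin is verified, which is the first thing an administrator needs to know before enabling an automatic code-update path. The fetch code is not in this file, so I cannot tell whether it relies on TLS with certificate validation, a signature check on the patch file, or both; please state whichever applies in LOCALE(1089), along the lines of `"Patches are fetched over <transport> and verified by <mechanism> before import."` with the placeholders replaced by what the importer really does. Keeping the default at `0` is the right call. The enclosing function starts and ends outside the hunk.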
Roxen.git/server/base_server/global_variables.pike:773:    "generator has produced.") );       secret = Crypto.MD5.hash(""+time(1)+random(100000)+"x"+gethrtime());       definvisvar("argcache_secret","",TYPE_STRING|VAR_NO_DEFAULT);    set( "argcache_secret", secret );    // force save.          defvar("suicide_engage", 0, -  LOCALE(160, "Auto Restart: Enable Automatic Restart"), +  LOCALE(160, "Auto Maintenance: Enable Automatic Restart"),    TYPE_FLAG|VAR_MORE,    LOCALE(161, "If set, Roxen will automatically restart after a "    "configurable number of days. Since Roxen uses a monolith, "    "non-forking server model the process tends to grow in size "    "over time. This is mainly due to heap fragmentation but "    "may also sometimes be because of memory leaks.")    );       definvisvar( "last_suicide", 0, TYPE_INT );       defvar("suicide_schedule",    Variable.Schedule( ({ 2, 1, 1, 0, 4 }), 0, -  LOCALE(387,"Auto Restart: Schedule"), +  LOCALE(387,"Auto Maintenance: Restart Schedule"),    LOCALE(388, "Automatically restart the "    "server according to this schedule.") ) )    ->set_invisibility_check_callback (    lambda(RequestID id, Variable.Variable f)    {return !query("suicide_engage");}    );    -  +  defvar("patch_on_restart", 0, +  LOCALE(1090, "Auto Maintenance: Restart and apply patches"), +  TYPE_FLAG, +  LOCALE(1091, "Apply any pending imported patches when the server is " +  "automatically restarted.")) +  ->set_invisibility_check_callback ( +  lambda(RequestID id, Variable.Variable f) +  {return !query("suicide_engage");}); +     defvar ("mem_cache_gc_2", 5 * 60,    LOCALE(1045, "Cache: Memory cache GC interval"),    TYPE_INT,    LOCALE(1046, #"\   <p>Interval in seconds between RAM cache garbage collector runs. This   GC removes entries from the RAM caches that have timed out or are   stale for other reasons, thereby making more room for new entries. 
The   configured cache size limits are enforced when entries are added, so   this GC is not required to keep the cache sizes down.</p>