docs.intersystems.com
InterSystems IRIS Data Platform 2019.2  /  Web Gateway Configuration Guide

Web Gateway Configuration Guide
Web Servers for Microsoft Windows
Previous section           Next section
InterSystems: The power behind what matters   
Search:  


This chapter describes how to manually configure web servers from Microsoft and Apache on systems running Windows. and describes the most common configuration for IIS 7 and later, and Apache. It contains the following sections:
The Appendix, Alternative Configurations for Microsoft Windows, describes other atypical configuration options.
When you install the Web Gateway using the Web Gateway standalone installer, you can select the option to automatically configure a Microsoft IIS web server to work with CSP. If you do not choose this option, you can configure your web server manually. If you installed the Web Gateway through the InterSystems IRIS™ installer or if you want to configure an Apache server to work with CSP, you must do so manually as described in this chapter.
Microsoft IIS All Versions
If you are using IIS as your web server, follow these steps to configure your web server for all versions of IIS.
  1. Set permissions for the Web Gateway components. For details, see the section “Setting Permissions for the Web Gateway Components”.
  2. Configure the web application path. For details, see the section “Configuring the Web Application Path”.
  3. Enable URLs with /bin. For details, see the section “Enabling URLs with /bin”.
  4. If you are using IIS 7 or later, see the section “Microsoft IIS 7”. If you have an atypical configuration, see the appendix Alternative Configurations for Microsoft Windows.
Setting Permissions for the Web Gateway Components
Regardless of which Web Gateway configuration option you choose, you need to assign appropriate permissions to web resources held outside the standard IIS documents root (for example, C:\inetpub\wwwroot).
IIS 7 does not, by default, allow the user of a web application to access anything outside the scope of the pre-configured documents root unless you assign Read & Execute and Write permissions for those external resources to the following user or groups:
[machine_name]\IIS_IUSRS
And:
[machine_name]\Users
Note that IIS_IUSRS represents the user (group) under which IIS worker processes operate. It replaces the IUSR_[machine_name] user group found in IIS versions earlier than version 7. Applications controlled through IIS (such as the Web Gateway) operate with the level of privilege assigned to IIS_IUSRS.
For CSP, resources external the web server's root usually include the following:
Web Gateway binary components:
C:\Inetpub\CSPGateway
Static file components:
install-dir\CSP\
Permissions can be manually assigned to these folders via Windows Explorer as follows:
  1. Right select the folder name and select Properties.
  2. Select the Security tab.
  3. Select Edit.
  4. Select Add.
  5. In the Enter the object names to select text box enter:
    [machine_name]\IIS_IUSRS
  6. Select Check Names and OK.
  7. Select [machine_name]\IIS_IUSRS in the Group or Usernames window, then:
  8. Assign Read & Execute and Write permissions in the Permissions window.
  9. Select Apply and OK.
  10. Repeat the above process for the [machine_name]\Users user group.
Full read and write permissions for the Web Gateway configuration and event log files (CSP.ini and CSP.log) should be assigned to the IIS user group. For example, at the Windows command prompt, enter:
cacls CSP.ini /E /G IIS_IUSRS:F
cacls CSP.log /E /G IIS_IUSRS:F
Of course, this can also be done via Windows Explorer.
Configuring the Web Application Path
This section describes the procedure for configuring the web application path (such as csp) for IIS. These procedures are common to all Web Gateway configuration options for IIS.
IIS is configured in the Internet Information Services (IIS) Manager control panel. Subdirectories configured under the documents root can be classed as either Virtual or Applications. Virtual subdirectories (or aliases) are mapped to physical equivalents (Windows directories). The same applies to subdirectories classed as Applications except that, in addition to defining the physical equivalent, you can associate the application with a particular application pool. The default is DefaultAppPool.
Since web applications are served through the Web Gateway, the hosting subdirectories (such as /csp) should be configured as Applications.
In a default CSP configuration, the /csp application path is mapped to the physical location install-dir\CSP. All the static files are located under this root (\csp\broker…).
  1. Open the Internet Information Services (IIS) Manager.
  2. In the left panel, expand the top level to reveal the Web Sites section, then the Default Web Site section. Highlight the Default Web Site section:
    [MACHINE_NAME] ([machine_name]\[user_name])
                Web Sites
                        Default Web Site
  3. In the right panel, select View Applications.
  4. Again in the right panel, select Add Application.
  5. In the Add Application dialogue, enter:
    Alias: csp
    Physical path: install-dir\CSP\
  6. Select OK.
If you are using a Web Gateway solution based on an atypical option, set up an application called /bin under the /csp application. Map this to the physical directory holding the Web Gateway binaries. For example:
Map application /csp/bin to C:\Inetpub\CSPGateway
Enabling URLs with /bin
If you installed the Web Gateway using the InterSystems IRIS installer, this step was done automatically for you. If you are installing the Web Gateway manually, you need to do this step. (See this external web site for more details and alternative ways to accomplish this http://weblogs.asp.net/owscott/archive/2008/03/05/iis7-blocks-viewing-access-to-files-in-bin-and-other-asp-net-folders.aspx.) To enable URLs that contain /bin, add the following location tag to your applicationHost.config file:
<location path="sitename.com/subfolder/bin/debug">
    <system.webServer>
        <security>
           <requestFiltering>
              <hiddenSegments>
                 <remove segment="bin" />                    
               </hiddenSegments>
           </requestFiltering>
        </security>
     </system.webServer>
 </location>
Restarting IIS
This section describes what happens when IIS is restarted via the various control panels:
Most configuration changes can be made in real-time to an active IIS installation. However, the Internet Information Services (IIS) Manager control panel provides stop, start, and restart options. These are useful for the refreshing the web server configuration but does not result in an active Web Gateway installation being reinitialized (the Web Gateway DLLs are not reloaded).
To force IIS to restart, so that the Web Gateway modules are reloaded, then restart the World Wide Web Publishing service via the main Windows Services control panel.
Troubleshooting
This section describes problems that commonly occur in configuring third-party modules (both Native and ISAPI) to work with IIS.
The most common problem likely to be encountered is that, after reconfiguring, requests to IIS fail with the following error:
Service Unavailable
HTTP Error 503. The service is unavailable.
This usually indicates that the default Application Pool has terminated.
  1. Open the Internet Information Services (IIS) Manager window.
  2. In the left panel expand the top level to reveal the Application Pools section.
    [MACHINE_NAME] ([machine_name]\[user_name])
    Application Pools
  3. Check that the Default Application Pool (DefaultAppPool), or whatever application pool your server is configured to use, is marked with a Status of Started.
  4. Restart the application pool if necessary (using the options in the right panel).
  5. If problems persist, look for clues in the main Windows Event Log: the Applications section. In particular, check for the following error message:
    Failed to find the RegisterModule entrypoint in the module DLL C:\Inetpub\CSPGateway\CSPms.dll. The data is the error.
    This, for example, indicates that the version of Web Gateway DLLs that you are using do not implement the Native Modules interface. Either obtain later DLLs from InterSystems or configure the Web Gateway to work through the conventional ISAPI interface.
As with all software, restarting often clears transient problems: To completely restart IIS, restart the World Wide Web Publishing service via the main Windows Services control panel.
Do not use the Add Wildcard Script Map utility to map file extensions. If you do, you may see this error: The specified module required by the handler is not in the modules list. If you are adding a script map handler mapping, the IsapiModule or the CgiModule must in the modules list. Instead use Add Module Mapping for * to map file extensions using a wildcard.
If URLs with /bin in them are not working, see the section “Manual Step for Enabling URLs with /bin
Microsoft IIS 7 or Later
The Microsoft ISAPI extensions (CSPms.dll, CSPmsSys.dll and CSPcms.dll) have been adapted such that they can work directly to the Native Modules interface in IIS 7 and later.
The Web Gateway modules supplied with InterSystems IRIS can work with the Native Modules in IIS 7. They can also be used with ISAPI extensions. There are additional configuration options for customers who are using the NSD. This section describes how to configure your IIS 7 web server to work with the Native Modules. The appendix Alternative Configurations for Microsoft Windows contains information on configuring IIS 7 for other configurations.
Install Locations for IIS 7
Install the Web Gateway components and the CSP static files as follows:
  1. The default location for the Native Modules
    The default location for these modules is:
    C:\Inetpub\CSPGateway
    The configuration file (CSP.ini) and Event Log (CSP.log) are written in this directory for non NSD-based connectivity options.
  2. HyperEvents Components
    The default location for these files is:
    install-dir\csp\broker
  3. Miscellaneous static resources used by the Management Portal
    A number of static web resources (such as image files) are required by the Management Portal. The default location for these files is:
    install-dir\csp\sys
Recommended Option: Using Native Modules (CSPms*.dll)
This is the recommended and most-used configuration option. It uses the Native Modules interface introduced with IIS 7. This option provides the best performance.
For other configuration options using ISAPI or NSD, see the appendix Alternative Configuration Options for Microsoft Windows.
Register the Native Modules and configure the web server so that it recognizes CSP requests (files of type .csp, .cls, and .zen) and passes them to the Web Gateway for processing. Include any additional files that might be required for your installation (such as, for example, special CSP resources needed for DeepSee).
Registering the Native Modules
DLLs: CSPms.dll and CSPmsSys.dll
Before these modules can be used they must be registered with IIS. This is done in the Internet Information Services (IIS) Manager control panel.
  1. Open the Internet Information Services (IIS) Manager window.
  2. In the left panel, highlight: [MACHINE_NAME] ([machine_name]\[user_name])
  3. In the middle panel, double-click the Modules icon.
  4. In the right panel, select Add Native Module (or Configure Native Modules). The precise wording depends on the build of IIS in use.
  5. Select Register and enter the following in the Register Native Module dialogue:
    Name: CSPms
    Path: C:\Inetpub\CSPGateway\CSPms.dll
    Select OK.
  6. In the left panel, expand the top level and expand Web Sites, and Default Web Site. Highlight Default Web Site:
    [MACHINE_NAME] ([machine_name]\[user_name])
                Web Sites
                        Default Web Site
  7. In the right panel, select Add Native Module.
  8. Select CSPms and select OK.
Mapping the CSP File Extensions
Note:
Do NOT use Add Wildcard Script Mapping utility for this file extension mapping process; it gives you an error! Instead, use the utility called Add Module Mapping for *.
Map the CSP file extensions to the Web Gateway Native Modules as follows:
Extension Native Module Binary
*.csp CSPms C:\Inetpub\CSPGateway\CSPms.dll
*.cls CSPms C:\Inetpub\CSPGateway\CSPms.dll
*.zen CSPms C:\Inetpub\CSPGateway\CSPms.dll
*.cxw CSPms C:\Inetpub\CSPGateway\CSPms.dll
  1. Open the Internet Information Services (IIS) Manager window.
  2. In the left panel, expand the top level and expand Web Sites, then the Default Web Site section. Highlight Default Web Site:
    [MACHINE_NAME] ([machine_name]\[user_name])
                Web Sites
                        Default Web Site
    Note:
    This activates CSP for the whole web site. To restrict the use of CSP to specific virtual sub-directories (such as /csp/) focus control on the appropriate subdirectory (under Default Web Site) before creating the mappings. Repeat the process for each virtual subdirectory from which CSP content is to be served.
  3. In the middle panel, double-click the Handler Mappings icon.
  4. In the right panel, select Add Module Mapping.
  5. In the Add Module Mappings dialogue, enter the following details:
    Request Path: *.csp
    Module: (select CSPms from the dropdown)
    Name: WebGateway_csp
  6. Select Request Restrictions and ensure that the box is not checked next to Invoke handler only if request is mapped to. This action sets the value of Path Type to Unspecified, as shown in the Handler Mappings table.
  7. Select OK to return to the Add Module Mappings dialogue and select OK again.
  8. Repeat the above process to add the following Module Mappings:
    Request Path: *.cls
    Module: (select CSPms from the list)
    Name: WebGateway_cls
    Request Path: *.zen
    Module: (select CSPms from the list)
    Name: WebGateway_zen
    Request Path: *.cxw
    Module: (select CSPms from the list)
    Name: WebGatewayManagement
Registering Additional File Types with CSP
To configure additional file types to be processed by CSP, replicate the configuration created for the usual file extensions (that is,.csp,. .cls, .zen) for the new file extension(s).
If you need to serve other static files through the Web Gateway or need to access the Management Portal through this web server, add mappings for file types .jpg, .gif, .png, .css, and .js.
To map requests for all files to CSP for a given path, set up the following wildcard entry for that path:
Extension Native Module Binary
* CSPms C:\Inetpub\CSPGateway\CSPms.dll
Operating and Managing the Web Gateway
To access the Web Gateway’s systems management suite, point your browser at the following location:
http://<ip_address>/csp/bin/Systems/Module.cxw
The CSP engine is automatically invoked for requested files that contain a .csp, .cls, or .zen extension. For example:
http://<ip_address>/csp/samples/menu.csp
If you see an unauthorized user error message, refer to the security notes in the section “Web Gateway and Security”.
Configuring IIS to Return SOAP Fault Details
An InterSystems IRIS web service that encounters an error may return an HTTP 500 error without the associated SOAP fault details. By default, IIS returns extended error information only to local clients. However, you can modify this behavior in the <httpErrors> element within the configuration file web.config. To do so, add the following section to instruct IIS to dispatch detailed error information to all clients.
<configuration>
    <system.webServer>
       <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>
Use caution with this approach as sensitive information about the hosting environment may be revealed to clients. An alternative approach that avoids the security concerns of using errorMode="Detailed” is to instead use the existingResponse="PassThrough" directive.
<configuration>
    <system.webServer>
       <httpErrors existingResponse="PassThrough" />
    </system.webServer>
</configuration>
Restart IIS after making changes to the configuration.
You can make these changes manually to the IIS web.config file. Or, for a better, less error prone, approach, use the Configuration Editor built into the IIS Manager.
  1. In the IIS Manager, from the Connections panel on the left, select the path which corresponds to the web service. For example: Default Web Site, then csp.
  2. In the middle panel, under the section heading Management at the bottom, double-click on Configuration Editor.
  3. In the Configuration Editor dropdown at the top labeled Section, expand system.webServer and click httpErrors.
  4. Click on the value next to existingResponse and use the dropdown to view the options. Select PassThrough.
  5. In the Actions pane on the right, click Apply.
  6. Restart IIS after making changes to the configuration.
Further information about error handling in IIS can be found at:
http://www.iis.net/configreference/system.webserver/httperrors
Apache Servers
Apache is supplied by the Apache Group and can be downloaded free of charge from: http://www.apache.org.
The complete source code to Apache is available from Apache for download together with clear instructions for building the server. To build Apache under Windows, you must have the Microsoft C compiler (Visual C++) version 5.0 or later. Instead of building the server yourself, you can instead download prebuilt kits for Windows. The prebuilt kits are, generally, a few builds behind the latest Apache source code.
This guide assumes that the Web Gateway components are installed in the following directory:
C:\Program Files\Apache Group\Apache\WebGateway
It is assumed that the web server is installed under:
C:\Program Files\Apache Group\Apache\
If the layout is different on your system, amend the configuration directives in the following sections, as appropriate.
First follow the directions in the section “Install Locations with Apache Servers (All Options)”, then follow the directions in the section “Recommended Option: Apache API Modules (CSPa4.dll) ” that follows or, if you are installing an atypical configuration, see the appendix Alternative Configurations for Microsoft Windows.
Install Locations with Apache Servers (All Options)
All users of the Apache server should follow the directions in this section.
Install the Web Gateway components and the CSP static files as follows:
  1. CGI and other dynamically-linked modules:
    The common files for all Apache versions are:
    Separate binaries for Apache Version 2.4.x are:
    The default location for these binaries is:
    C:\Program Files\Apache Group\Apache\WebGateway\bin
    The original location (install-dir\csp\bin) is used to hold the Web Gateway components required for serving the Management Portal for the specific instance of InterSystems IRIS.
    The configuration file (CSP.ini) and Event Log (CSP.log) are written in this directory for non NSD-based connectivity options.
    The modules with Sys appended are special modules for accessing the Web Gateway Management pages. The runtime modules (that is, those without Sys) have no access to the systems management forms.
  2. HyperEvents Components
    The default location for these files is:
    install-dir\csp\broker
  3. Miscellaneous static resources used by the CSP Samples
    A number of static web resources (such as image files) are required by the CSP Samples. The default location for these files is:
    install-dir\csp\samples
  4. Miscellaneous static resources used by the Management Portal
    A number of static web resources (such as image files) are required by the Management Portal. The default location for these files is:
    install-dir\csp\sys
Recommended Option: Apache API Modules (CSPa24.dll)
This is the option that is used by the Private Web Server that serves the Management Portal.
This connectivity option is relatively new and offers the best performance as well as being the easiest to configure. Apache under Windows is entirely multi-threaded and its modules persist in memory from the time Apache is started. These two essential characteristics make it possible to implement the Web Gateway’s functionality as a set of stand-alone modules.
If you are installing an atypical configuration, see the appendix Alternative Configurations for Microsoft Windows
The modules CSPap*.dll (Runtime) and CSPapSys*.dll (Web Gateway systems management) are dynamically-linked modules that are designed to work the same way as the corresponding Microsoft ISAPI DLLs. For Apache 2.4.x, these modules are named: CSPa24.dll and CSPa24Sys.dll.
Configure the web server so that it recognizes CSP requests (files of type .csp, .cls, and .zen) and passes them to the Web Gateway module for processing.
The web server configuration file (httpd.conf) is in the following directory:
C:\Program Files\Apache Group\Apache\conf
  1. Apache 2.4.x: Add the section below to the end of httpd.conf.
    LoadModule csp_module_sa c:/iris/csp/bin/CSPa24.dll 
    <Location "/csp/bin/Systems/"> 
    SetHandler csp-handler-sa 
    </Location> 
    <Location "/csp/bin/RunTime/"> 
    SetHandler csp-handler-sa 
    </Location> 
    CSPFileTypes csp cls zen cxw 
    Alias /csp/ c:/iris/csp/ 
    <Directory "c:/iris/csp"> 
        AllowOverride None 
        Options MultiViews FollowSymLinks ExecCGI 
        Require all granted
        <FilesMatch "\.(log|ini|pid|exe)$"> 
        Require all denied 
        </FilesMatch>
    </Directory> 
    Apache 2.2.x: Add the section below to the end of httpd.conf
    LoadModule csp_module_sa c:/iris/csp/bin/CSPa22.dll 
    <Location "/csp/bin/Systems/"> 
    SetHandler csp-handler-sa 
    </Location> 
    <Location "/csp/bin/RunTime/"> 
    SetHandler csp-handler-sa 
    </Location> 
    CSPFileTypes csp cls zen cxw 
    Alias /csp/ c:/iris/csp/ 
    <Directory "c:/iris/csp"> 
        AllowOverride None 
        Options MultiViews FollowSymLinks ExecCGI 
        Order allow,deny
                  Allow from all
        <FilesMatch "\.(log|ini|pid|exe)$"> 
        Deny from all
        </FilesMatch>
    </Directory> 
    Apache 2.0.x: Add the section above using CSPa2.dll to the end of httpd.conf
  2. Restart Apache after making changes to httpd.conf.
Registering Additional File Types with CSP
Apache API modules always recognize the following reserved file extensions:
.csp .cls .zen .cxw 
You may have other files that you want to send to CSP for processing. For example, if you need to serve other static files through the Web Gateway or need to access the Management Portal through this web server, add mappings for file types .jpg, .gif, .png, .css, and .js.
You can configure Apache to recognize what files to pass on to CSP in any of the following ways:
By CSP location directive
Use the CSP directive to request that all files within a certain location be processed by CSP. The following requests that all files and directories under the /csp path be processed by CSP.
<Location /csp>
   CSP On 
   SetHandler csp-handler-sa
</Location> 
For example, all the following would be sent to CSP for processing:
/csp/ 
/csp/samples/menu.csp 
/csp/sys/ 
By file extension — CSPFileTypes directive
The CSPFileTypes directive works for requests for files that have extensions (such as /csp/menu.csp). It does not work for requests for files that do not have file extensions (such as /csp/menu).
This parameter is processed by the Web Gateway’s Apache modules and can be globally defined at the server definition level (in httpd.conf) or restricted within the definition for a location or directory block.
By file type: The following directive requests that files of type xxx and yyy be processed by CSP.
CSPFileTypes xxx yyy 
By location: The following requests that files of type xxx and yyy be processed by CSP but only for locations under /csp (including subdirectories, such as /csp/samples and so on).
<Location /csp/> 
   CSPFileTypes xxx yyy
</Location>
Using the wildcard character, the following requests that all files under path /csp (and /csp/samples and so on) be processed by CSP.
<Location /csp/> 
   CSPFileTypes * 
</Location> 
By MIME type
In addition to recognizing the file extensions listed above, CSP can also recognize files for the following MIME types:
application/x-csp
and
text/csp
For example, to add the file extension xxx to the list of files processed by CSP, use:
LoadModule csp_module_sa /iris/csp/bin/CSPa24.dll
AddType application/x-csp csp cls zen xxx
One of the problems with using MIME types to associate types of file with CSP is that Apache checks to ensure that the path to the resource (that is, the hosting directory) physically exists, and returns a file not found error if it does not. It does not, however, check to ensure that the file requested physically exists – which is appropriate for resources served by CSP since they are served by InterSystems IRIS and are virtual as far as the web server is concerned. The “By MIME type” approach is therefore only suitable for cases where the application’s path structure can be replicated on the web server.
Operating and Managing the Web Gateway with Apache API
To access the Web Gateway Management pages, point your browser at:
http://localhost:<port_no>/csp/bin/Systems/Module.cxw
Notice the use of the cxw file extension. This extension prevents Apache attempting to load and run these DLLs through the Apache Group ISAPI interface. Also, remember that URL paths and files names are case-sensitive under Apache.
If you see an Unauthorized User error message, refer to the section on “security considerations”.
The CSP engine is automatically invoked for requested files that contain a .csp, .cls, or .zen extension. For example:
http://localhost:<port_no>/csp/samples/menu.csp
Nginx Servers
Nginx is an Open Source product. The source code can be downloaded free of charge from:
http://nginx.org/
Some prebuilt kits are available for Windows which are, generally, a few builds behind the latest Nginx build. However, given that extensions must be compiled into the Nginx core, it is necessary to build the web server locally from the source code in order to include support for CSP.
This guide is assumes that the CSP/Web Gateway components are installed in the following location:
install-dir\csp\
It is assumed that the web server is installed in:
C:\nginx\
If the layout is different on your system, be sure to amend the configuration directives described in the following sections, as appropriate.
Installation
The Web Gateway components and the CSP static files should be installed as follows:
  1. Dynamically linked Universal Web Gateway Modules
    The default location for these binaries is:
    install-dir\csp\bin
    The configuration file (CSP.ini) and Event Log (CSP.log) are written in this directory.
    The modules with Sys appended are special modules for accessing the CSP systems management suite. The runtime modules (that is, those without Sys) have no access to the systems management forms.
  2. HyperEvents Components
    The default location for these files is:
    install-dir\csp\broker
    If these files are to be served as static components directly by the web server they should be copied to the following location:
    C:\nginx\html\csp\broker
  3. Miscellaneous static resources used by the Management Portal
    A number of static web resources (such as image files) are required by the Management Portal. The default location for these files is:
    install-dir\csp\sys
    Copy these to the following location if they are to be served directly by the web server:
    C:\nginx\html\csp\sys
Building the Nginx web server for CSP
Most of the Web Gateway functionality is provided by the Universal Modules (CSPx[Sys].dll). For CSP access, Nginx can be built and configured to communicate with these Universal Modules through a small compiled-in module:
ngx_http_csp_module_sa.c
Prerequisites for building Nginx:
The build instructions given here are based on the official documentation for building Nginx under Windows:
http://nginx.org/en/docs/howto_build_on_win32.html
The Nginx documentation stipulates that the following third party add-ons are also required:
However, it is possible to create a fully functional server without these components, provided the final installation doesn’t require the functionality that would otherwise be provided by them.
The default configuration script for building Nginx, including all optional modules listed above, is as follows:
auto/configure --with-cc=cl --builddir=objs --prefix= \
--conf-path=conf/nginx.conf --pid-path=logs/nginx.pid \
--http-log-path=logs/access.log --error-log-path=logs/error.log \
--sbin-path=nginx.exe \
--http-client-body-temp-path=temp/client_body_temp \
--http-proxy-temp-path=temp/proxy_temp \
--http-fastcgi-temp-path=temp/fastcgi_temp \
--with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs/lib/pcre-8.32 \
--with-zlib=objs/lib/zlib-1.2.7 \
--with-openssl=objs/lib/openssl-1.0.1e \
--with-select_module --with-http_ssl_module --with-ipv6
The build process can be modified to exclude optional modules:
Procedure for building Nginx for CSP
  1. Working in a MSYS shell, create the working directory structure suggested in the Nginx documentation:
    /opt/
  2. Working in /opt, check-out the Nginx source code using the following command:
    hg clone http://hg.nginx.org/nginx
    This places the Nginx source code under: /opt/nginx/
  3. Create a directory for the CSP extension:
    /opt/nginx/objs/lib/csp/
  4. Copy the module source code (ngx_http_csp_module_sa.c and cspapi.h) to the directory created in the previous step.
  5. In the same directory, create a configuration file called config. This file should contain the following lines:
    ngx_addon_name=ngx_http_csp_module_sa
    HTTP_MODULES="$HTTP_MODULES ngx_http_csp_module_sa"
    NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_csp_module_sa.c"
  6. Working in /opt/nginx/, configure the Nginx build environment:
    auto/configure --with-cc=cl --builddir=objs --prefix= \
    --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid \
    --http-log-path=logs/access.log --error-log-path=logs/error.log \
    --sbin-path=nginx.exe \
    --http-client-body-temp-path=temp/client_body_temp \
    --http-proxy-temp-path=temp/proxy_temp \
    --http-fastcgi-temp-path=temp/fastcgi_temp \
    --with-cc-opt=-DFD_SETSIZE=1024 --without-http_rewrite_module \
    --without-http_gzip_module \
    --with-select_module --with-ipv6 \
    --add-module=objs/lib/csp
    Note the final line containing the instructions to include the CSP module.
  7. Compile Nginx:
    nmake -f objs/Makefile
    If successful, you should find the server (nginx.exe) in: /opt/nginx/objs/
  8. Install Nginx:
    The easiest way to do this is to first download and install a pre-built version of Nginx for Windows to obtain the directory structure (usually under C:\nginx\) then replace the nginx.exe file in that installation with the one created locally.
    The typical directory structure for an operational Nginx installation is as follows:
    Directory of C:\nginx
    
    03/07/2017  09:09    <DIR>          .
    03/07/2017  09:09    <DIR>          ..
    26/06/2017  10:14    <DIR>          conf
    26/06/2017  10:14    <DIR>          contrib
    10/05/2018  12:53    <DIR>          csp
    26/06/2017  10:14    <DIR>          docs
    26/06/2017  10:14    <DIR>          html
    10/05/2018  15:57    <DIR>          logs
    04/07/2017  15:52           715,264 nginx.exe
    26/06/2017  10:17    <DIR>          scgi_temp
    26/06/2017  10:17    <DIR>          temp
    26/06/2017  10:17    <DIR>          uwsgi_temp
    Replace the copy of nginx.exe in this directory with the version created by the build procedure.
Using the Universal Web Gateway Modules (CSPx*.dll)
The Universal Modules CSPx.dll (Run-time) and CSPxSys.dll (Web Gateway systems management) are dynamically linked modules that are designed to be loaded by a CSP-enabled Nginx installation.
The web server should be configured such that it recognizes CSP requests (files of type .csp, .cls, and .zen) and passes them to the Web Gateway module for processing
The web server configuration file (nginx.conf) is found in the following directory:
C:\nginx\conf
The following configuration directives are provided for the CSP extension:
For Windows, the thread stack size must be increased to 2MB. To do this, add the following directive to the top of the Nginx configuration file (before the http section):
thread_stack_size 2000000;
Place the following directive within the http configuration block:
CSPModulePath C:/iris/csp/bin/;
This directive enables Nginx to find the Universal Gateway Modules (CSPx[Sys].dll) and the associated configuration (CSP.ini).
Nginx can now be configured to pass all requests for a certain path to CSP or just certain file types.
Enabling CSP for a Particular Path
Place the following section within the appropriate server configuration block:
location /csp {
CSP On;
}
Registering Specific File Types with CSP
Place the following section within the appropriate server configuration block:
location /csp {
CSPFileTypes  csp cls zen cxw;
}
Starting and Stopping Nginx
First, ensure that Nginx has read/write permissions to the location holding the Universal Gateway Modules (C:/iris/csp/bin/). This is the location where the Web Gateway configuration and Event Log files are maintained (CSP.ini and CSP.log).
To start Nginx:
C:\nginx\nginx
To stop Nginx:
C:\nginx\nginx –s stop
Operating and Managing the Web Gateway
To access the Web Gateway’s systems management suite, point your browser:
http://<ip_address>/csp/bin/Systems/Module.cxw
Notice the use of the cxw file extension.
The CSP engine is automatically invoked for requested files containing the .csp, .cls, or .zen extensions. For example:
http://<ip_address>/csp/samples/menu.csp
If you see an Unauthorized User error message, refer to the section on security considerations in this book.
Building Nginx to Work with the CSP NSD Component
Nginx can be built to work with the Web Gateway’s network service daemon component (CSPnsd[Sv].exe), as opposed to the Universal Modules (CSPx[Sys].dll). To do this, modify the build and configuration procedure as follows:
The usual reason for preferring to use the NSD component is to obtain full and reliable support for CSP state-aware mode (Preserve mode). However, in order to get the best results with Nginx, it is recommended that applications should be entirely stateless.


Previous section           Next section
Send us comments on this page
View this book as PDF   |  Download all PDFs
Copyright © 1997-2019 InterSystems Corporation, Cambridge, MA
Content Date/Time: 2019-08-22 05:46:30