Mhttpd: Difference between revisions

From MidasWiki
No edit summary
 
(14 intermediate revisions by 2 users not shown)
Line 8: Line 8:


= Web security =
= Web security =
As part of the recent upgrade to MIDAS [[Security]], the MIDAS Web Server {{Utility|name=mhttpd}} is now (May 2015) explicitly linked with OpenSSL to provide secure HTTPS connections via the [https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/?at=develop Mongoose] web server.  To connect to an experiment using {{Utility|name=mhttpd}}, a username and password are required.
By default, users can connect from anywhere, providing they know the correct username and password. However, Web access to {{Utility|name=mhttpd}} can be restricted by using the Mongoose [[#Access Control List|Access Control List]]. 


Alternatively, mhttpd can be run securely behind an apache https proxy, which may be more convenient if firewalling other processes as well. This can be done with the latest version of mhttpd using the http port (i.e. without the Mongoose redirect). The option of building  {{Utility|name=mhttpd}} without OpenSSL is also supported (see [https://midas.triumf.ca/elog/Midas/1069]).  
For '''maximum web security''', {{Utility|name=mhttpd}} should be run behind a password-protected '''Apache/nginx HTTPS proxy''' (see [[Security]] for details).
 
By default (since March 2020) mhttpd binds to port 8080, <b>and accepts connections from localhost only</b>. This is ideal behaviour if you are behind an Apache/nginx proxy. You may change the port number by editing the ''localhost port'' ODB key in the [[Webserver ODB tree]].
 
To change the security model (e.g. to allow http/https connections from other machines), see the relevant keys in the [[Webserver ODB tree]].
 
= Arguments =
= Arguments =
If using an old version (before May 2015), see [[#Insecure (pre-May 2015) versions|old server]] argument list.
       -a add hostname to the hostlist of hosts allowed to connect to mhttpd
 
       -h connect to midas server [[mserver]] on given host
       -e experiment to connect to
       -e experiment to connect to
      -h connect to midas server (mserver) on given host
       -v display verbose HTTP communication
       -v display verbose HTTP communication
       -D become a daemon
       -D become a daemon
       -E only display ELog system
       -E only display ELog system
       -H only display history plots
       -H only display history plots
       -a only allow access for specific host(s), several [-a Hostname] statements might be given  (old server only)
       --verbose-mg - trace mongoose web requests
       -help display usage information
       --trace-mg - trace mongoose events
       --mg [port,port,port,...] use the mongoose web server (default) on specified ports
       --no-trace-mg-recv - do not trace mongoose recv events
          (defaults are taken from ODB).  See [[#Usage|usage]].
      --no-trace-mg-send - dop not trace mongoose send events
       --nomg use the old mhttpd web server
       --no-multithread - disable mongoose multithreading
       --oldserver [port] - use the old mhttpd web server on given port
       --no-passwords - disable password protection
       --nooldserver - do not use the old mhttpd web server
       --no-hostlist - disable access control host list


= Usage =
= Usage =
To start the webserver :
== To start the webserver ==
: mhttpd
* ''"mhttpd"'' or
which is equivalent to
* ''"mhttpd -v"'' to get debug information, or
: mhttpd --mg 8443s,8080r
* ''"mhttpd -D"'' to run in the background
* ''"mhttpd -a myHost1 -a myHost2"'' to restrict web access
 
If you have enabled https connections in the [[Webserver ODB tree]], a password file (and optionally an SSL certificate) need to be created when {{Utility|name=mhttpd}} is started for the first time. See [[#HTTPS/SSL server (Mongoose)|mhttpd HTTPS/SSL server]] for more information.


Starting {{Utility|name=mhttpd}} like this will redirect the default HTTP port of 8080 to the secure HTTPS port 8443. If the ports are not supplied, the default ports will be read from the ODB key [[/Experiment ODB tree#Mongoose listening_port|Mongoose listening_port]]. If ports are supplied, their values will overwrite the default values stored in the ODB. When {{Utility|name=mhttpd}} is started with a secure port for the first time, a SSL certificate and password need to be created. See [[#HTTPS/SSL server (Mongoose)|mhttpd HTTPS/SSL server]] for more information.
=== Multiple experiments ===
If [[Exptab|multiple experiments]] run on the same host, a web server for each experiment must be started on a different port. Use the [[Webserver ODB tree]] in each experiment to specify which ports to use.


If {{Utility|name=mhttpd}} is started on IP host machine "myhost" using the default ports, the [[#Features|''Midas status page'']] can be accessed by pointing a web browser to
=== IPv6 support ===
https://myhost.mydomain:8443
or to
http://myhost.mydomain:8080 which will be redirected automatically to https://myhost.mydomain:8443


The automatic redirect may be convenient for users who are used to using {{Utility|name=mhttpd}} with a particular HTTP port (e.g. 8080) for their experiment.
By default, {{Utility|name=mhttpd}} enables IPv6 support. This is fine on most modern operating systems, but some older ones (including SL7) may not understand the IPv6 localhost address (::0). If {{Utility|name=mhttpd}} fails to start because it can't bind to ::0, disable "Enable IPv6" in the [[Webserver ODB tree]].


=== Debugging "Cannot mg_bind address" problems ===


If {{Utility|name=mhttpd}} print errors like this when you try to start it, there are two possible issues.


;Note
[mhttpd,ERROR] [mhttpd.cxx:19309:mongoose_listen,ERROR] Cannot mg_bind address "localhost:8081"
If [[Exptab|multiple experiments]] run on the same host, a web server for each experiment must be started on a different port, e.g.
          mhttpd -e expt1 --mg 8443s,8080r -D
          mhttpd -e expt2 --mg 8444s,8081r -D


* Some other program may be using the port you specified. You could try finding which program that is with "lsof -i :8081" or similar.
* If the problematic address is "[::0]:8081" (rather than "localhost:8081"), then you may not have full IPv6 support. Try disabling "Enable IPv6" in the [[Webserver ODB tree]].


= Features =
= Features =
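Review bot: in the Arguments list, --no-passwords and --no-hostlist are documented without saying when it is acceptable to switch off password protection and the host list. Add a pointer back to Web security stating that they are meant for the localhost-only setup behind an Apache/nginx proxy that the section recommends. In the same list, "dop not trace mongoose send events" should read "do not".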
Line 88: Line 91:


Other features include a JSON interface and Javascript library used for implementing interactive [[Custom Page|custom pages]] for MIDAS experiments.
Other features include a JSON interface and Javascript library used for implementing interactive [[Custom Page|custom pages]] for MIDAS experiments.
As of March 2020, you may also [[/Webserver_ODB_tree#Proxy|use mhttpd as a proxy to other webservers]].


<br>
<br>
Line 95: Line 100:




= HTTPS/SSL server (Mongoose) =
= Enabling SSL (https) support =
 
{{Utility|name=mhttpd}} is built on the [[https://github.com/cesanta/mongoose|Mongoose embedded web server]], and by default it listens on port 8080 on localhost only. 
 
If you want to listen on a secure port, you must:
* Configure which ports to listen on in the [[Webserver ODB tree]]
* Build mhttpd with SSL support enabled
* Create an SSL certificate
* Create a password file
 
{{Utility|name=mhttpd}} with Mongoose requires an '''SSL Certificate''' and a '''password file'''.  Ideally, an SSL Certificate issued by a well-known authority trusted by your browser should be used.
 
The first time {{Utility|name=mhttpd}} is run, if it does not find an SSL Certificate, it will print instructions on how to [[#Create an SSL certificate|create a self-signed SSL Certificate]]. If it finds no existing password file, it will then print instructions on how to [[#Create a password file|create a password file]] (see below for examples).
 
== Build mhttpd with SSL support ==
 
SSL support is optional in mhttpd and is disabled by default! If you try to use an https port in mhttpd but do not have SSL support, the midas message log will show an error message like


The HTTPS/SSL ([https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/?at=develop Mongoose]) server is activated using "mhttpd --mg" and by default it listens on port 8443.
  [mhttpd,ERROR] [mhttpd.cxx:19180:mongoose_listen,ERROR] https port "8443" requested, but mhttpd compiled without MG_ENABLE_SSL


The example SSL certificate provided in midas git is self-signed, and it should be replaced with your own certificate. For instructions on generating your own signed certificate, remove it and run "mhttpd --mg" - it will print the correct instructions.
SSL support relies on the mbedtls package, which can be downloaded using a handy makefile shortcut. After downloading mbedtls, you must re-run "cmake" so that it will pick up the new mbedtls files and enable SSL support when compiling mhttpd:
  [user@dasdevpc2 test]$ rm /home/user/packages/midas/ssl_cert.pem   
 
cd $MIDASSYS
make mbedtls
cd build
cmake ..
  # Look for the line like "-- MIDAS: Found MBEDTLS in /path/to/midas/mbedtls"
make install
 
== Create an SSL certificate ==
If mhttpd is configured to open an https connection, an SSL certificate is required. If needed, you may create a self-signed certificate by running {{Utility|name=mhttpd}}, and following the printed instructions:
  [user@dasdevpc2 test]$ mhttpd
  [user@dasdevpc2 test]$ mhttpd
  Web server will listen on ports "8080r,8443s"
  Web server will listen on ports "8080r,8443s"
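Review bot: the link written as [[https://github.com/cesanta/mongoose|Mongoose embedded web server]] uses internal-link syntax for an external URL, and the rendered page shows only "[embedded web server]". Write it with single brackets and a space: [https://github.com/cesanta/mongoose Mongoose embedded web server]. Renaming this heading to "Enabling SSL (https) support" also leaves the Usage link [[#HTTPS/SSL server (Mongoose)|mhttpd HTTPS/SSL server]] pointing at an anchor that no longer exists, so that target needs updating in the same change.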
Line 109: Line 139:
  could not start the mongoose web server, see messages and midas.log, bye!
  could not start the mongoose web server, see messages and midas.log, bye!


The certificate and key should be placed in one PEM file called ssl_cert.pem located in either MIDAS environment variables [[MIDAS environment variables#MIDAS_DIR|MIDAS_DIR]] or [[MIDAS environment variables#MIDASSYS|MIDASSYS]], and the permissions on the file should be 600  or only owner r/w
The certificate and key should be placed in one PEM file called ssl_cert.pem located in either MIDAS environment variables [[MIDAS environment variables#MIDAS_DIR|MIDAS_DIR]] or [[MIDAS environment variables#MIDASSYS|MIDASSYS]], and the permissions on the file should be 600  or only owner read/write.
  [user@dasdevpc2 test] chmod 600 ssl_cert.pem
  [user@dasdevpc2 test] chmod 600 ssl_cert.pem


Once a valid certificate is generated (or if using the example certificate as below) when mhttpd is restarted, you will need to create a password file.  
Note that web browsers give scary warnings to users about accepting connections to servers with self-signed certificates. It is much better to get a full certificate from [[https://letsencrypt.org/Let's Encrypt]] or another certificate authority.
 
== Create a password file ==
If mhttpd is configured to require passwords for access, you will need to create a password file using htdigest. Running mhttpd will tell you on the command-line (and in the midas message log) what you need to do.  
    
    
  [user@dasdevpc2 test]$ mhttpd
  [user@dasdevpc2 test]$ mhttpd
  Web server will listen on ports "8080r,8443s"
  Web server will listen on ports "8080r,8443s"
  Web server will use SSL certificate file "/home/user/packages/midas/ssl_cert.pem"
  Web server will use SSL certificate file "/home/user/online/test/ssl_cert.pem"
  [mhttpd,ERROR] [mhttpd.cxx:17137:mongoose,ERROR] mongoose web server cannot find password file "/home/user/online/test/htpasswd.txt"
  [mhttpd,ERROR] [mhttpd.cxx:17137:mongoose,ERROR] mongoose web server cannot find password file "/home/user/online/test/htpasswd.txt"
  [mhttpd,ERROR] [mhttpd.cxx:17138:mongoose,ERROR] please create password file: htdigest -c /home/user/online/test/htpasswd.txt test midas
  [mhttpd,ERROR] [mhttpd.cxx:17138:mongoose,ERROR] please create password file: htdigest -c /home/user/online/test/htpasswd.txt test midas
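Review bot: the certificate-authority recommendation links with [[https://letsencrypt.org/Let's Encrypt]], which has double brackets and no space between URL and label, so the rendered text reads "[Encrypt]" and the advice loses its target. Use [https://letsencrypt.org/ Let's Encrypt]. The chmod line in this hunk also drops the "$" that the other prompt lines carry.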
Line 128: Line 161:
  [user@dasdevpc2 test]$ mhttpd
  [user@dasdevpc2 test]$ mhttpd
  Web server will listen on ports "8080r,8443s"
  Web server will listen on ports "8080r,8443s"
  Web server will use SSL certificate file "/home/user/packages/midas/ssl_cert.pem"
  Web server will use SSL certificate file "/home/user/online/test/ssl_cert.pem"
  Web server will use authentication realm "test", password file "./htpasswd.txt"
  Web server will use authentication realm "test", password file "./htpasswd.txt"


Line 137: Line 170:
   htdigest  /home/user/online/test/htpasswd.txt test john
   htdigest  /home/user/online/test/htpasswd.txt test john


Web access can be restricted to certain hosts if desired (see [[#Web security]]).
Documentation for the version of mongoose included with MIDAS can be found at [http://ladd00.triumf.ca/~daqweb/doc/midas-devel/doc/mongoose/ Mongoose documentation].  
Documentation for the version of mongoose included with MIDAS can be found at [http://ladd00.triumf.ca/~daqweb/doc/midas-devel/doc/mongoose/ Mongoose documentation].  


For more information see [https://midas.triumf.ca/elog/Midas/1062 Elog note 1062]
For more information see [https://midas.triumf.ca/elog/Midas/1062 Elog note 1062]


== Access Control List ==
By default, web access to the Midas web server mhttpd is not restricted. The Mongoose Access Control List (ACL) can be used to restrict access to the web server. The ACL used by Mongoose is contained in the ODB key [[/Experiment ODB tree#Mongoose access_control_list|Mongoose access_control_list]].  The format of the ACL is described under access_control_list  [https://bitbucket.org/tmidas/midas/src/ecb9a8537448a8a43f7f9a2bfdb82e578208cde3/doc/mongoose/Options.md?at=develop Mongoose Configuration Options].


== Older versions ==


=== Pre-March 2020 ===


For '''maximum web security''', {{Utility|name=mhttpd}} should be run behind a password-protected '''Apache/nginx HTTPS proxy''' (see [[Security]] for details).  {{Utility|name=mhttpd}} should be built with HTTPS and built-in passwords disabled, http access restricted to localhost (or the host of the httpd, if they are not the same).


Alternatively, mhttpd can be run with '''good web security''' using password-protected secure HTTPS connections. This is the default case, where mhttpd is explicitly linked with OpenSSL to provide secure HTTPS connections via the [https://github.com/cesanta/mongoose Mongoose] web server.  To connect to an experiment using {{Utility|name=mhttpd}}, a username and password are required.


==== Pre-March 2020 mhttpd Arguments ====
      -h connect to midas server [[mserver]] on given host
      -e experiment to connect to
      -v display verbose HTTP communication
      -D become a daemon
      -E only display ELog system
      -H only display history plots
      -a only allow access for specific host(s), several [-a Hostname] statements might be given (default list
                  in ODB at [[/Experiment ODB tree#mhttpd hosts subtree|/Experiment/security/mhttpd hosts/allowed hosts]])
      --http port - bind to specified HTTP port (default is ODB [[/Experiment ODB tree#midas http port|/Experiment/midas http port]])
      --https port - bind to specified HTTPS port (default is ODB [[/Experiment ODB tree#midas https port|/Experiment/midas https port]])
      -help display usage information


<br>
--------
<br>
<div style="background-color:whitesmoke; font-size:90%">
= HTTP only (pre-May 2015) versions =
;Note
* If Web [[Security]] is an issue, update to the latest version of mhttpd which uses HTTPS/OpenSSL.
* HTTP-only (pre-May2015) versions of mhttpd should only be used behind a firewall
== Arguments (old version) ==


    -p port        : port number e.g. 8080 (no default). See [[#Usage|usage]].
=== Much older ===
  [-h hostname ]  : see [[Common Parameters to MIDAS Utilities]]
  [-e experiment] : see [[Common Parameters to MIDAS Utilities]]
  [-v]            : display verbose HTTP communication
  [-D]            : starts program as a daemon
  [-E]            : only display ELog system
  [-H]            : only display history plots
  [-a hostname]  : only allow access for specific host(s). Several [-a Hostname] statements might be given
  [-help] 


== Usage (old version) == 
Documentation on older versions of mhttpd can be found at [[Old and Obsolete Versions]].
The command '''mhttpd -p port''' can be used to start the web server (http version). In this case, the TCP/IP port number is '''required''' as an argument in order to listen to the web-based request.
<br>e.g. if mhttpd is started on IP host machine "myhost" on port 8081 as follows
: mhttpd -p 8081 -D
access to the [[#Features|''Midas status page'']] can be obtained by pointing a web browser to
http://myhost.mydomain:8081


;Note
If [[Exptab|multiple experiments]] run on the same host, a web server for each experiment must be started on a different port, e.g.
          mhttpd -e expt1 -p 8081 -D
          mhttpd -e expt2 -p 8082 -D


== Improve Security with SSL Proxy ==
Improved security for HTTP is gained by using an SSL (https) proxy. See [[Setup MIDAS experiment#mhttpd with HTTP|Setting up an SSL proxy]].
</div>


[[Category:Utilities]]
[[Category:Utilities]]
[[Category:Web server mhttpd]]
[[Category:Web server mhttpd]]
[[Category:Run control]]
[[Category:Run control]]
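Review bot: the new sentence "Web access can be restricted to certain hosts if desired (see [[#Web security]])" renders as a literal "#Web security", and the Access Control List section that used to explain host restriction is gone from this revision. Give the link a label, [[#Web security|Web security]], and say which mechanism now applies (the -a option or the keys in the Webserver ODB tree), since the Web security section itself only defers to the ODB tree.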

Latest revision as of 08:01, 25 October 2021





Purpose

The mhttpd utility runs the MIDAS Web Server which allows the user to communicate with an experiment using any web browser. It is used primarily for run control.

Web security

For maximum web security, mhttpd should be run behind a password-protected Apache/nginx HTTPS proxy (see Security for details).

By default (since March 2020) mhttpd binds to port 8080, and accepts connections from localhost only. This is ideal behaviour if you are behind an Apache/nginx proxy. You may change the port number by editing the localhost port ODB key in the Webserver ODB tree.

To change the security model (e.g. to allow http/https connections from other machines), see the relevant keys in the Webserver ODB tree.

Arguments

      -a add hostname to the hostlist of hosts allowed to connect to mhttpd
      -e experiment to connect to
      -h connect to midas server (mserver) on given host
      -v display verbose HTTP communication
      -D become a daemon
      -E only display ELog system
      -H only display history plots
      --verbose-mg - trace mongoose web requests
      --trace-mg - trace mongoose events
      --no-trace-mg-recv - do not trace mongoose recv events
      --no-trace-mg-send - do not trace mongoose send events
      --no-multithread - disable mongoose multithreading
      --no-passwords - disable password protection
      --no-hostlist - disable access control host list

Usage

To start the webserver

  • "mhttpd" or
  • "mhttpd -v" to get debug information, or
  • "mhttpd -D" to run in the background
  • "mhttpd -a myHost1 -a myHost2" to restrict web access

If you have enabled https connections in the Webserver ODB tree, a password file (and optionally an SSL certificate) needs to be created when mhttpd is started for the first time. See mhttpd HTTPS/SSL server for more information.

Multiple experiments

If multiple experiments run on the same host, a web server for each experiment must be started on a different port. Use the Webserver ODB tree in each experiment to specify which ports to use.

IPv6 support

By default, mhttpd enables IPv6 support. This is fine on most modern operating systems, but some older ones (including SL7) may not understand the IPv6 localhost address (::0). If mhttpd fails to start because it can't bind to ::0, disable "Enable IPv6" in the Webserver ODB tree.

Debugging "Cannot mg_bind address" problems

If mhttpd prints an error like this when you try to start it, there are two possible causes.

[mhttpd,ERROR] [mhttpd.cxx:19309:mongoose_listen,ERROR] Cannot mg_bind address "localhost:8081"

  • Some other program may be using the port you specified. You could try finding which program that is with "lsof -i :8081" or similar.
  • If the problematic address is "[::0]:8081" (rather than "localhost:8081"), then you may not have full IPv6 support. Try disabling "Enable IPv6" in the Webserver ODB tree.

Features

The Midas web server mhttpd provides a means for run control including monitoring of the run parameters. Its main feature is a web page invoked through any web browser accessing the Midas experimental URL at a defined port (see Usage).

The Midas status page shows a minimal summary of the experiment. It contains a collection of buttons and links to other pages that further describe and control the configuration of the experiment.

  • Minimal display on the main Status Page
    • Experiment name, time & date, page refresh rate
    • Standard Menu Buttons (see below)
    • User defined buttons (e.g. alias links, run scripts, custom pages etc.)
    • run comments and condition display section (if enabled)
    • Equipment list with current running condition, number of events received, event rate, data rate for each equipment.
    • Data logging statistics (number of events recorded, data size recorded, compression factor, storage usage level) if enabled.
    • Secondary Data logging (data mover) with statistics if enabled.
    • Single line of the most recent Midas message.
    • Table of the current applications connected to this experiment.
  • Standard Menu Buttons
    • Transition the state of the run (stopped/running/paused), allows user running condition parameters to be entered at the start state (see Edit-on-start Parameters).
    • Access to the full Online Database for data display and/or data content modification.
    • Display the Message Page, which shows messages generated by the MIDAS Message System as well as by the user using cm_msg() functions.
    • Access to ELOG Page switches to the predefined "electronic logbook".
    • Access to the Alarms Page for monitoring the different type of alarms (evaluated, programs, internals, periodic).
    • Access to the Programs Page for a status or interaction with the current running applications part of the Midas experiment.
    • Access to the History Page for graphical data representation of any ODB variables and acquired data.
    • Access to the Midas Slow Control Bus devices MSCB Page connected to this experiment.
    • Access to the Sequencer Page control/monitoring page for Sequencer i.e. interactive loading/saving/running of a run sequence based on any ODB parameters.
    • Access to the Chat Page for communication between users on the same experiment.
    • Access to the Help Page with short-cut to the Midas Help documentation resource and other information.
  • Links
    • links to all the listed equipments invoking a dedicated page for the display and possible control of the equipment parameters.
    • link to the logger configuration (if present) for the data recording.
    • link to the possible secondary logging configuration parameters (if present).

Other features include a JSON interface and Javascript library used for implementing interactive custom pages for MIDAS experiments.

As of March 2020, you may also use mhttpd as a proxy to other webservers.





Enabling SSL (https) support

mhttpd is built on the Mongoose embedded web server (https://github.com/cesanta/mongoose), and by default it listens on port 8080 on localhost only.

If you want to listen on a secure port, you must:

  • Configure which ports to listen on in the Webserver ODB tree
  • Build mhttpd with SSL support enabled
  • Create an SSL certificate
  • Create a password file


mhttpd with Mongoose requires an SSL Certificate and a password file. Ideally, an SSL Certificate issued by a well-known authority trusted by your browser should be used.

The first time mhttpd is run, if it does not find an SSL Certificate, it will print instructions on how to create a self-signed SSL Certificate. If it finds no existing password file, it will then print instructions on how to create a password file (see below for examples).

Build mhttpd with SSL support

SSL support is optional in mhttpd and is disabled by default! If you try to use an https port in mhttpd but do not have SSL support, the midas message log will show an error message like

[mhttpd,ERROR] [mhttpd.cxx:19180:mongoose_listen,ERROR] https port "8443" requested, but mhttpd compiled without MG_ENABLE_SSL

SSL support relies on the mbedtls package, which can be downloaded using a handy makefile shortcut. After downloading mbedtls, you must re-run "cmake" so that it will pick up the new mbedtls files and enable SSL support when compiling mhttpd:

cd $MIDASSYS
make mbedtls
cd build
cmake ..
# Look for the line like "-- MIDAS: Found MBEDTLS in /path/to/midas/mbedtls"
make install

Create an SSL certificate

If mhttpd is configured to open an https connection, an SSL certificate is required. If needed, you may create a self-signed certificate by running mhttpd, and following the printed instructions:

[user@dasdevpc2 test]$ mhttpd
Web server will listen on ports "8080r,8443s"
[mhttpd,ERROR] [mhttpd.cxx:17086:mongoose,ERROR] cannot find SSL certificate file "/home/user/online/test/ssl_cert.pem"
[mhttpd,ERROR] [mhttpd.cxx:17087:mongoose,ERROR] please create SSL certificate file: openssl req -new -nodes -newkey rsa:2048
-sha256 -out  ssl_cert.csr -keyout ssl_cert.key; openssl x509 -req -days 365 -sha256 -in ssl_cert.csr -signkey ssl_cert.key 
-out ssl_cert.pem; cat ssl_cert.key >> ssl_cert.pem
could not start the mongoose web server, see messages and midas.log, bye!

The certificate and key should be placed in one PEM file called ssl_cert.pem, located in the directory given by either the MIDAS_DIR or the MIDASSYS environment variable, and the permissions on the file should be 600 (owner read/write only).

[user@dasdevpc2 test]$ chmod 600 ssl_cert.pem

Note that web browsers give scary warnings to users about accepting connections to servers with self-signed certificates. It is much better to get a full certificate from Let's Encrypt (https://letsencrypt.org/) or another certificate authority.

Create a password file

If mhttpd is configured to require passwords for access, you will need to create a password file using htdigest. Running mhttpd will tell you on the command-line (and in the midas message log) what you need to do.

[user@dasdevpc2 test]$ mhttpd
Web server will listen on ports "8080r,8443s"
Web server will use SSL certificate file "/home/user/online/test/ssl_cert.pem"
[mhttpd,ERROR] [mhttpd.cxx:17137:mongoose,ERROR] mongoose web server cannot find password file "/home/user/online/test/htpasswd.txt"
[mhttpd,ERROR] [mhttpd.cxx:17138:mongoose,ERROR] please create password file: htdigest -c /home/user/online/test/htpasswd.txt test midas
could not start the mongoose web server, see messages and midas.log, bye!

Each person who is to have access to the experiment should create their own username and password. The first user (e.g. mary) creates the password file e.g. htpasswd.txt

[user@dasdevpc2 test]$ htdigest -c /home/user/online/test/htpasswd.txt test mary
Adding password for mary in realm test.
New password:
Re-type new password:
[user@dasdevpc2 test]$ mhttpd
Web server will listen on ports "8080r,8443s"
Web server will use SSL certificate file "/home/user/online/test/ssl_cert.pem"
Web server will use authentication realm "test", password file "./htpasswd.txt"

Access to the Midas status page can be obtained by pointing a web browser to

https://myhost.mydomain:8443

The first time you connect you will be asked for a username and password. Now that the password file has been created, subsequent users may create their own username and password in the same file by omitting "-c" argument in htdigest, e.g.

 htdigest  /home/user/online/test/htpasswd.txt test john
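
A pre-flight check for the two files described above, added here as an example and not part of the MIDAS documentation or code: it confirms that ssl_cert.pem holds both the certificate and the appended key with mode 600, and that every htpasswd.txt line is a well-formed htdigest entry for the realm mhttpd reports at startup. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MIDAS code): audit the two files mhttpd needs before it
# will serve HTTPS with passwords. File names follow the page; the realm is
# whatever mhttpd prints as 'authentication realm' at startup.

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssl_pem FILE: succeed only if FILE contains a certificate block AND a
# private key block (the "cat ssl_cert.key >> ssl_cert.pem" step) and is mode 600.
check_ssl_pem() {
    pem=$1; rc=0
    [ -f "$pem" ] || { echo "$pem: not found" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block" >&2; rc=1; }
    grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" ||
        { echo "$pem: no private key block" >&2; rc=1; }
    mode=$(file_mode "$pem")
    [ "$mode" = 600 ] || { echo "$pem: mode $mode, expected 600" >&2; rc=1; }
    return "$rc"
}

# check_htdigest FILE REALM: print the number of entries usable for REALM.
# htdigest writes one "user:realm:hash" line per user, where hash is 32 hex
# digits. Succeeds only if every line is well formed, belongs to REALM, and
# at least one entry exists.
check_htdigest() {
    [ -f "$1" ] || { echo "$1: not found" >&2; return 1; }
    awk -F: -v realm="$2" '
        /^$/ { next }
        NF != 3 || $1 == "" || length($3) != 32 || $3 ~ /[^0-9a-f]/ {
            print FILENAME ": line " NR " is malformed" > "/dev/stderr"
            bad++; next }
        $2 != realm {
            print FILENAME ": user " $1 " is in realm " $2 ", not " realm > "/dev/stderr"
            bad++; next }
        { good++ }
        END { print good + 0; exit (bad > 0 || good == 0) }
    ' "$1"
}

# Constructed sample files for the demo (placeholders, not real key material
# and not real password digests).
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$dir/cert_only.pem"   # key never appended
    cp "$dir/cert_only.pem" "$dir/ssl_cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' >> "$dir/ssl_cert.pem"
    chmod 600 "$dir/cert_only.pem" "$dir/ssl_cert.pem"
    cp "$dir/ssl_cert.pem" "$dir/world_readable.pem"
    chmod 644 "$dir/world_readable.pem"                      # chmod 600 forgotten
    printf '%s\n' 'mary:test:0123456789abcdef0123456789abcdef' \
        'john:test:fedcba9876543210fedcba9876543210' > "$dir/htpasswd.txt"
    printf '%s\n' 'mary:test:0123456789abcdef0123456789abcdef' \
        'john:expt2:fedcba9876543210fedcba9876543210' > "$dir/mixed_realm.txt"
}

# Run both checks over the constructed samples and report each verdict.
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in ssl_cert.pem cert_only.pem world_readable.pem; do
        if check_ssl_pem "$tmp/$f"; then echo "$f: ok"; else echo "$f: REJECTED"; fi
    done
    for f in htpasswd.txt mixed_realm.txt; do
        if n=$(check_htdigest "$tmp/$f" test); then
            echo "$f: ok, $n user(s) in realm test"
        else
            echo "$f: REJECTED"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Against a real installation, call check_ssl_pem on the ssl_cert.pem path and check_htdigest on the htpasswd.txt path with the realm that mhttpd prints when it starts.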

Web access can be restricted to certain hosts if desired (see Web security).

Documentation for the version of mongoose included with MIDAS can be found at Mongoose documentation.

For more information see Elog note 1062


Older versions

Pre-March 2020

For maximum web security, mhttpd should be run behind a password-protected Apache/nginx HTTPS proxy (see Security for details). mhttpd should be built with HTTPS and built-in passwords disabled, http access restricted to localhost (or the host of the httpd, if they are not the same).

Alternatively, mhttpd can be run with good web security using password-protected secure HTTPS connections. This is the default case, where mhttpd is explicitly linked with OpenSSL to provide secure HTTPS connections via the Mongoose web server. To connect to an experiment using mhttpd, a username and password are required.

Pre-March 2020 mhttpd Arguments

      -h connect to midas server mserver on given host
      -e experiment to connect to
      -v display verbose HTTP communication
      -D become a daemon
      -E only display ELog system
      -H only display history plots
      -a only allow access for specific host(s), several [-a Hostname] statements might be given (default list
                  in ODB at /Experiment/security/mhttpd hosts/allowed hosts)
      --http port - bind to specified HTTP port (default is ODB /Experiment/midas http port)
      --https port - bind to specified HTTPS port (default is ODB /Experiment/midas https port)
      -help display usage information


Much older

Documentation on older versions of mhttpd can be found at Old and Obsolete Versions.