Mhttpd: Difference between revisions

From MidasWiki
Revision as of 16:41, 13 September 2016


Purpose

The mhttpd utility runs the MIDAS Web Server which allows the user to communicate with an experiment using any web browser. It is used primarily for run control.

Web security

As part of the recent upgrade to MIDAS Security, the MIDAS Web Server mhttpd is now (May 2015) explicitly linked with OpenSSL to provide secure HTTPS connections via the Mongoose web server. To connect to an experiment using mhttpd, a username and password are required. By default, users can connect from anywhere, provided they know the correct username and password. However, web access can be restricted by using the mhttpd access control list in the ODB at Allowed hosts, and/or by using the "-a" argument to mhttpd.

For maximum security, it is recommended that mhttpd be run behind an Apache HTTPS proxy (see Security for details). In this case, mhttpd should be built without OpenSSL (see Elog note 1069), or the Mongoose/OpenSSL web server should be disabled using the arguments supplied to mhttpd (see starting the web server using the oldserver), so that the only listener reachable from the network is the proxy.

Arguments

      -h connect to midas server mserver on given host
      -e experiment to connect to
      -v display verbose HTTP communication
      -D become a daemon
      -E only display ELog system
      -H only display history plots
      -a only allow access for specific host(s), several [-a Hostname] statements might be given (default list
                  in ODB at /Experiment/security/mhttpd hosts/allowed hosts)
      --http port - bind to specified HTTP port (default is ODB /Experiment/midas http port)
      --https port - bind to specified HTTPS port (default is ODB /Experiment/midas https port)
      --nomg use the old mhttpd web server
      --oldserver [port] - use the old web server on given port
      --nooldserver - do not use the old mhttpd web server
      -help display usage information

If using an old version (before May 2015), see old server argument list.      

Usage

To start the webserver using HTTPS/SSL (Mongoose)

  • "mhttpd" or
  • "mhttpd -v" to get debug information, or
  • "mhttpd -D" to run in the background
  • "mhttpd -a myHost1 -a myHost2" to restrict web access

All are equivalent to

  • "mhttpd --https 8443 --http 8080"

Starting mhttpd like this will redirect the default HTTP port of 8080 to the secure HTTPS port 8443. If the ports are not supplied, the default ports will be read from the ODB keys midas http port and midas https port. If ports are supplied, their values will overwrite the default values stored in the ODB. When mhttpd is started with a secure port for the first time, a password file (and optionally an SSL certificate) need to be created. See mhttpd HTTPS/SSL server for more information.

If mhttpd is started on IP host machine "myhost" using the default ports, the Midas status page can be accessed by pointing a web browser to

  • https://myhost.mydomain:8443
  • or to http://myhost.mydomain:8080 which will be redirected automatically to https://myhost.mydomain:8443

The automatic redirect may be convenient for users who are used to using mhttpd with a particular HTTP port (e.g. 8080) for their experiment. The redirect can be disabled by setting the ODB key http redirect to https to "n". Note that this also bypasses user authentication: the plain HTTP port then serves the experiment without asking for a username and password, so only disable the redirect on a host that is not reachable from untrusted networks.

Multiple experiments

If multiple experiments run on the same host, a web server for each experiment must be started on a different port, e.g.

  • "mhttpd -e expt1 -D" use default ports
  • "mhttpd -e expt2 --http 8081 --https 8444 -D" use supplied ports


To start the webserver using the oldserver

To run a new version of mhttpd using the old server (i.e. NOT the Mongoose/HTTPS server)

  • "mhttpd --oldserver 8087"

This command is useful for running new versions of mhttpd using an Apache HTTPS proxy (see Security) - except that it does not support Mjsonrpc, so on recent versions (Sept 2016) the Programs page does not work when run like this.


Features

The Midas web server mhttpd provides a means for run control including monitoring of the run parameters. Its main feature is a web page invoked through any web browser accessing the Midas experimental URL at a defined port (see Usage).

The content of this Midas status page is kept to the minimum information relevant to the experiment. It contains a collection of buttons and links to other pages that further describe and control the configuration of the experiment.

  • Minimal display on the main Status Page
    • Experiment name, time & date, page refresh rate
    • Standard Menu Buttons (see below)
    • User defined buttons (e.g. alias links, run scripts, custom pages etc.)
    • run comments and condition display section (if enabled)
    • Equipment list with current running condition, number of events received, event rate and data rate for each equipment.
    • Data logging statistics (number of events recorded, data size recorded, compression factor, storage usage level) if enabled.
    • Secondary Data logging (data mover) with statistics if enabled.
    • Single line of the most recent Midas message.
    • Table of the current applications connected to this experiment.
  • Standard Menu Buttons
    • Transition the state of the run (stopped/running/paused), allows user running condition parameters to be entered at the start state (see Edit-on-start Parameters).
    • Access to the full Online Database for data display and/or data content modification.
    • Display the Message Page, which shows messages generated by the MIDAS Message System as well as by the user through the cm_msg() functions.
    • Access to ELOG Page switches to the predefined "electronic logbook".
    • Access to the Alarms Page for monitoring the different type of alarms (evaluated, programs, internals, periodic).
    • Access to the Programs Page for the status of, or interaction with, the applications currently running as part of the Midas experiment.
    • Access to the History Page for graphical data representation of any ODB variables and acquired data.
    • Access to the Midas Slow Control Bus devices MSCB Page connected to this experiment.
    • Access to the Sequencer Page control/monitoring page for Sequencer i.e. interactive loading/saving/running of a run sequence based on any ODB parameters.
    • Access to the Chat Page for communication between users on the same experiment.
    • Access to the Help Page with short-cut to the Midas Help documentation resource and other information.
  • Links
    • links to each listed equipment, invoking a dedicated page for the display and possible control of that equipment's parameters.
    • link to the logger configuration (if present) for the data recording.
    • link to the possible secondary logging configuration parameters (if present).

Other features include a JSON interface and Javascript library used for implementing interactive custom pages for MIDAS experiments.





HTTPS/SSL server (Mongoose)

The HTTPS/SSL (Mongoose) server is activated by running mhttpd, and by default it listens on ports 8080 and 8443 (see #Usage).


mhttpd with Mongoose requires an SSL Certificate and a password file. Ideally, an SSL Certificate issued by a well-known authority trusted by your browser should be used.

The first time mhttpd is run, if it does not find an SSL Certificate, it will print instructions on how to create a self-signed SSL Certificate. If it finds no existing password file, it will then print instructions on how to create a password file (see below for examples).


Create an SSL certificate

If no certificate from a trusted authority is available, create a self-signed certificate by running mhttpd and following the printed instructions (browsers will warn about a self-signed certificate; users must verify its fingerprint out of band before accepting it):

[user@dasdevpc2 test]$ mhttpd
Web server will listen on ports "8080r,8443s"
[mhttpd,ERROR] [mhttpd.cxx:17086:mongoose,ERROR] cannot find SSL certificate file "/home/user/online/test/ssl_cert.pem"
[mhttpd,ERROR] [mhttpd.cxx:17087:mongoose,ERROR] please create SSL certificate file: openssl req -new -nodes -newkey rsa:2048
-sha256 -out  ssl_cert.csr -keyout ssl_cert.key; openssl x509 -req -days 365 -sha256 -in ssl_cert.csr -signkey ssl_cert.key 
-out ssl_cert.pem; cat ssl_cert.key >> ssl_cert.pem
could not start the mongoose web server, see messages and midas.log, bye!

The certificate and key should be placed together in one PEM file called ssl_cert.pem, located in the directory given by the MIDAS environment variable MIDAS_DIR or MIDASSYS. Because this file also contains the private key (the last command above appends ssl_cert.key to it), its permissions should be 600, i.e. readable and writable by the owner only.

[user@dasdevpc2 test]$ chmod 600 ssl_cert.pem

Create a password file

Once a valid certificate is generated, when mhttpd is restarted, you will need to create a password file.

[user@dasdevpc2 test]$ mhttpd
Web server will listen on ports "8080r,8443s"
Web server will use SSL certificate file "/home/user/online/test/ssl_cert.pem"
[mhttpd,ERROR] [mhttpd.cxx:17137:mongoose,ERROR] mongoose web server cannot find password file "/home/user/online/test/htpasswd.txt"
[mhttpd,ERROR] [mhttpd.cxx:17138:mongoose,ERROR] please create password file: htdigest -c /home/user/online/test/htpasswd.txt test midas
could not start the mongoose web server, see messages and midas.log, bye!

Each person who is to have access to the experiment should have their own username and password. The first user (e.g. mary) creates the password file (e.g. htpasswd.txt) with the "-c" argument. Note that "-c" creates the file afresh: if the file already exists, htdigest deletes it first, so use "-c" only once.

[user@dasdevpc2 test]$ htdigest -c /home/user/online/test/htpasswd.txt test mary
Adding password for mary in realm test.
New password:
Re-type new password:
[user@dasdevpc2 test]$ mhttpd
Web server will listen on ports "8080r,8443s"
Web server will use SSL certificate file "/home/user/online/test/ssl_cert.pem"
Web server will use authentication realm "test", password file "./htpasswd.txt"

Access to the Midas status page can be obtained by pointing a web browser to

https://myhost.mydomain:8443

The first time you connect you will be asked for a username and password. Now that the password file has been created, subsequent users may add their own username and password to the same file by omitting the "-c" argument in htdigest, e.g.

 htdigest  /home/user/online/test/htpasswd.txt test john
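The following is an added example, not code from MIDAS or Mongoose. It shows what the htdigest password file that mhttpd reads actually contains, how a Digest-authentication response is checked against it, and why that file needs the same 600 permissions recommended above for ssl_cert.pem. It assumes (not stated on this page) that the file is in Apache's htdigest format, one "user:realm:HA1" line per user with HA1 = MD5(user:realm:password), and that the browser/server exchange follows RFC 2617 Digest with qop=auth. The file path, usernames, passwords and challenge values in the demonstration are constructed.

```python
# Added example, not code from MIDAS or Mongoose. Assumed format: Apache
# htdigest ("user:realm:HA1", HA1 = MD5(user:realm:password)); assumed
# protocol: RFC 2617 Digest with qop=auth. The realm must be the experiment
# name given on the htdigest command line (e.g. "test"). All values used
# in demo() are constructed for the demonstration.
import hashlib
import hmac
import os
import stat
import tempfile


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """The value htdigest stores: MD5 over 'user:realm:password'. The realm
    is baked in, so entries made for realm 'test' do not work if mhttpd is
    later run with a different experiment name."""
    return _md5(f"{user}:{realm}:{password}")


def add_user(path: str, user: str, realm: str, password: str) -> None:
    """Equivalent of 'htdigest [-c] path realm user': create the file if
    needed, replace any existing entry for (user, realm), keep mode 600."""
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            lines = [ln.rstrip("\n") for ln in f if ln.strip()]
    lines = [ln for ln in lines if ln.split(":")[:2] != [user, realm]]
    lines.append(f"{user}:{realm}:{ha1(user, realm, password)}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)  # os.open's mode is subject to umask; enforce it


def load(path: str) -> dict:
    """Parse the password file into {(user, realm): HA1}."""
    entries = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            parts = line.strip().split(":")
            if len(parts) == 3:
                entries[(parts[0], parts[1])] = parts[2]
    return entries


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side response for Digest auth with qop=auth (RFC 2617 3.2.2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(path, user, realm, method, uri, nonce, nc, cnonce, response):
    """Server-side check: recompute the response from the stored HA1 only.
    The password itself is never needed, which is why the file is secret."""
    stored = load(path).get((user, realm))
    if stored is None:
        return False
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def check_secret_file(path: str) -> list:
    """Findings for a secret file (ssl_cert.pem or htpasswd.txt): it must be
    a regular file with no group/other permission bits, i.e. mode 600."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & 0o077:
        findings.append("mode %03o is group/other accessible, expected 600"
                        % stat.S_IMODE(st.st_mode))
    return findings


def demo() -> dict:
    """Walk through the page's 'mary' then 'john' procedure on a temp file."""
    path = os.path.join(tempfile.mkdtemp(), "htpasswd.txt")
    open(path, "w").close()
    os.chmod(path, 0o644)                         # deliberately too open
    before = check_secret_file(path)
    add_user(path, "mary", "test", "s3cret-mary")  # htdigest -c ... test mary
    add_user(path, "john", "test", "s3cret-john")  # htdigest ... test john
    after = check_secret_file(path)
    # Constructed challenge values; a real server issues a fresh nonce.
    chal = dict(method="GET", uri="/", nonce="a1b2c3d4", nc="00000001",
                cnonce="deadbeef")
    good = digest_response(ha1("mary", "test", "s3cret-mary"), **chal)
    bad = digest_response(ha1("mary", "test", "wrong"), **chal)
    # Anyone who could read the file can answer as mary without her password:
    stolen = digest_response(load(path)[("mary", "test")], **chal)
    return {
        "users": sorted(u for u, _ in load(path)),
        "findings_before": before,
        "findings_after": after,
        "mary_ok": verify(path, "mary", "test", response=good, **chal),
        "mary_wrong_pw": verify(path, "mary", "test", response=bad, **chal),
        "mary_other_realm": verify(path, "mary", "test2", response=good, **chal),
        "stolen_ha1_ok": verify(path, "mary", "test", response=stolen, **chal),
    }
```

The `stolen_ha1_ok` result is the point: a Digest password file is not a list of salted password hashes but of password-equivalent secrets, so it deserves the same 600 permissions and the same care as the private key in ssl_cert.pem, and the realm used with htdigest must match the experiment name mhttpd announces or no entry will ever verify.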

Web access can be restricted to certain hosts if desired (see #Web security).

Documentation for the version of mongoose included with MIDAS can be found at Mongoose documentation.

For more information see Elog note 1062





HTTP only (pre-May 2015) versions

Note
  • HTTP-only (pre-May 2015) versions of mhttpd send the username and password and all page content in clear text, and should only be used behind a firewall
  • If Web Security is an issue, update to the latest version of mhttpd which uses HTTPS/OpenSSL.

Arguments (old version)

   -p port        : port number e.g. 8080 (no default). See usage.
  [-h hostname ]  : see Common Parameters to MIDAS Utilities
  [-e experiment] : see Common Parameters to MIDAS Utilities
  [-v]            : display verbose HTTP communication
  [-D]            : starts program as a daemon
  [-E]            : only display ELog system
  [-H]            : only display history plots
  [-a hostname]   : only allow access for specific host(s). Several [-a Hostname] statements might be given
  [-help]  

Usage (old version)

The command mhttpd -p port can be used to start the web server (HTTP version). In this case, the TCP/IP port number on which to listen for web requests is a required argument.
e.g. if mhttpd is started on IP host machine "myhost" on port 8081 as follows

mhttpd -p 8081 -D

access to the Midas status page can be obtained by pointing a web browser to

http://myhost.mydomain:8081
Note

If multiple experiments run on the same host, a web server for each experiment must be started on a different port, e.g.

          mhttpd -e expt1 -p 8081 -D
          mhttpd -e expt2 -p 8082 -D

Improve Security with SSL Proxy

Improved security for HTTP is gained by using an SSL (https) proxy. See Setting up an SSL proxy.