Oracle iPlanet Web Proxy Server 4.0.14 NSAPI Developer's Guide

Chapter 1 Creating Custom SAFs

This chapter describes how to write your own NSAPI plug-ins that define custom Server Application Functions (SAFs). Creating plug-ins enables you to modify or extend the built-in functionality of Proxy Server. For example, you can modify the server to handle user authorization in a special way or generate dynamic HTML pages based on information in a database.

This chapter contains the following sections:

Before writing custom SAFs, you should familiarize yourself with the request-handling process, as described in Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference. Also, before writing a custom SAF, see whether a built-in SAF already accomplishes the tasks you have in mind.

For information about predefined SAFs used in the obj.conf file, see Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference.

For a complete list of the NSAPI routines for implementing custom SAFs, see Chapter 4, NSAPI Function Reference

Future Compatibility Issues

The NSAPI interface might change in a future version of Proxy Server. To keep your custom plug-ins upgradeable :

SAF Interface

All SAFs, both custom and built-in have the same C interface regardless of the request-handling step for which they are written. These small functions are designed for a specific purpose within a specific request-response step. They receive parameters from the directive that invokes them in the obj.conf file, from the server, and from previous SAFs.

The C interface for a SAF:

int function(pblock *pb, Session *sn, Request *rq);

The SAF parameter section discusses the parameters in detail.

The SAF returns a result code that indicates whether and how it succeeded. The server uses the result code from each function to determine how to proceed with processing the request. See , for details of the result codes.

SAF Parameters

This section discusses the SAF parameters in detail. The parameters are:

pb (parameter block)

The pb parameter is a pointer to a pblock data structure that contains values specified by the directive that invokes the SAF. A pblock data structure contains a series of name-value pairs.

The following example shows a directive that invokes the basic-nsca function:


AuthTrans fn=basic-ncsa auth-type=basic dbm=/<Install_Root>
	/<Instance_Directory>/userdb/rs

In this case, the pb parameter passed to basic-ncsa contains name-value pairs that correspond to auth-type=basic and dbm=/<Install_Root>/<Instance_Directory>/userdb/rs.

NSAPI provides a set of functions for working with pblock data structures. For example, pblock_findval() returns the value for a given name in a pblock. See Parameter Block Manipulation Routines, for a summary of the most commonly used functions for working with parameter blocks.

sn (session)

The sn parameter is a pointer to a session data structure. This parameter contains variables related to an entire session, that is, the time between the opening and closing of the TCP/IP connection between the client and the server. The same sn pointer is passed to each SAF called within each request for an entire session. The following list describes the most important fields in this data structure see Chapter 4, NSAPI Function Reference for information about NSAPI routines for manipulating the session data structure.

rq (request)

The rq parameter is a pointer to a request data structure. This parameter contains variables related to the current request, such as the request headers, URI, and local file system path. The same request pointer is passed to each SAF called in the request-response process for an HTTP request.

The following list describes the most important fields in this data structure. See Chapter 4, NSAPI Function Reference for information about NSAPI routines for manipulating the request data structure.

The rq parameter is the primary mechanism for passing information throughout the request-response process. On input to a SAF, rq contains the values that were inserted or modified by previously executed SAFs. On output, rq contains any modifications or additional information inserted by the SAF. Some SAFs depend on the existence of specific information provided at an earlier step in the process. For example, a PathCheck SAF retrieves values in rq->vars that were previously inserted by an AuthTrans SAF.

Result Codes

Upon completion, a SAF returns a result code. The result code indicates what the server should do next. The result codes are:

Creating and Using Custom SAFs

Custom SAFs are functions in shared libraries that are loaded and called by the server.

ProcedureTo create a custom SAF

  1. Writing the Source Code using the NSAPI functions. Each SAF is written for a specific directive.

  2. Compiling and Linking the source code to create a shared library (.so, .sl, or .dll) file.

  3. Loading and Initializing the SAF by editing the magnus.conf file to perform the following actions:

    • Load the shared library file containing your custom SAFs

      • Initialize the SAFs if necessary

  4. Instructing the Server to Call the SAFs by editing obj.conf to call your custom SAFs at the appropriate time.

  5. Restarting the Server.

  6. Testing the SAF by accessing your server from a browser with a URL that triggers your function.

    The following sections describe these steps in greater detail.

Writing the Source Code

Write custom SAFs using NSAPI functions. For a summary of some of the most commonly used NSAPI functions, see Overview of NSAPI C Functions. For information about available routines, see Chapter 4, NSAPI Function Reference

For examples of custom SAFs, see nsapi/examples/ in the server root directory, and Chapter 3, Examples of Custom SAFs and Filters

The signature for all SAFs is:

int function(pblock *pb, Session *sn, Request *rq);

For more details on the parameters, see SAF Parameters.

Proxy Server runs as a multi-threaded single process. UNIX platforms uses two processes, a parent and a child, for historical reasons. The parent process performs some initialization and forks the child process. The child process performs further initialization and handles all of the HTTP requests.

Keep the following guidelines in mind when writing your SAF:

If necessary, write an initialization function that performs initialization tasks required by your new SAFs. The initialization function has the same signature as other SAFs:

int function(pblock *pb, Session *sn, Request *rq);

SAFs work by obtaining certain types of information from their parameters. In most cases, parameter block (pblock) data structures provide the fundamental storage mechanism for these parameters. A pblock maintains its data as a collection of name-value pairs. For a summary of the most commonly used functions for working with pblock structures, see Parameter Block Manipulation Routines.

A SAF, definition does not specifically state which directive it is written for. However, each SAF must be written for a specific directive such as AuthTrans, Service, and so on. A SAF must conform behavior consistent wit the directive for which it was written. For more details, see Required Behavior of SAFs for Each Directive.

Compiling and Linking

Compile and link your code with the native compiler for the target platform. For UNIX, use the gmake command. For Windows, use the nmake command. For Windows, use Microsoft Visual C++ 6.0 or newer. You must have an import list that specifies all global variables and functions to access from the server binary. Use the correct compiler and linker flags for your platform. Refer to the example Makefile in the server_root/plugins/nsapi/examples directory.

This section provides following guidelines for compiling and linking.

Include Directory and nsapi.h File

Add the server_root/plugins/include (UNIX) or server_root\\plugins\\include (Windows) directory to your makefile to include the nsapi.h file.

Linker Libraries

Add the server_root/bin/https/lib (UNIX) or server_root\\bin\\https\\bin (Windows) library directory to your linker command.

The following table lists the relevant libraries.

Table 1–1 Linker Libraries

Platform  

Library  

Windows 

ns-httpd40.dll (in addition to the standard Windows libraries)

HP-UX 

libns-httpd40.sl

All other UNIX platforms 

libns-httpd40.so

Linker Commands and Options for Generating a Shared Object

To generate a shared library, use the commands and options listed in the following table.

Table 1–2 Linker Commands and Options

Platform  

Options  

SolarisTM Operating System (SPARC® Platform Edition)

ld -G or cc -G

Windows 

link -LD

HP-UX 

cc +Z -b -Wl,+s -Wl,-B,symbolic

AIX 

cc -p 0 -berok -blibpath:$(LD_RPATH)

Compaq 

cc -shared

Linux 

gcc -shared

IRIX 

cc -shared

Additional Linker Flags

Use the linker flags in the following table to specify which directories should be searched for shared objects during runtime to resolve symbols.

Table 1–3 Linker Flags

Platform  

Flags  

Solaris SPARC 

-R dir:dir

Windows 

no flags, but the ns-httpd40.dll file must be in the system PATH variable

HP-UX 

-Wl,+b,dir,dir

AIX 

-blibpath:dir:dir

Compaq 

-rpath dir:dir

Linux 

-Wl,-rpath,dir:dir

IRIX 

-Wl,-rpath,dir:dir

On UNIX, you can also set the library search path using the LD_LIBRARY_PATH environment variable, which must be set when you start the server.

Compiler Flags

The following table lists the flags and defines you need to use for compilation of your source code.

Table 1–4 Compiler Flags and Defines

Parameter  

Description  

Solaris SPARC 

-DXP_UNIX -D_REENTRANT -KPIC -DSOLARIS

Windows 

-DXP_WIN32 -DWIN32 /MD

HP-UX 

-DXP_UNIX -D_REENTRANT -DHPUX

AIX 

-DXP_UNIX -D_REENTRANT -DAIX $(DEBUG)

Compaq 

-DXP_UNIX -KPIC

Linux 

-DLINUX -D_REENTRANT -fPIC

IRIX 

-o32 -exceptions -DXP_UNIX -KPIC

All platforms 

-MCC_HTTPD -NET_SSL

The following table lists the optional flags and defines you can use.

Table 1–5 Optional Flags and Defines

Flag/Define  

Platforms  

Description  

-DSPAPI20

All 

Needed for the proxy utilities function include file putil.h

Loading and Initializing the SAF

For each shared library (plug-in) containing custom SAFs to be loaded into Proxy Server, add an Init directive that invokes the load-modules SAF to obj.conf.

The syntax for a directive that calls load-modules is:

Init fn=load-modules shlib=[path]sharedlibname funcs="SAF1,...,SAFn"

For example, if you created a shared library animations.so that defines two SAFs do_small_anim() and do_big_anim() and also defines the initialization function init_my_animations, you would add the following directive to load the plug-in:


Init fn=load-modules shlib=animations.so funcs="do_small_anim,do_big_anim,
	init_my_animations"

If necessary, also add an Init directive that calls the initialization function for the newly loaded plug-in. For example, if you defined the function init_my_new_SAF() to perform an operation on the maxAnimLoop parameter, you would add a directive such as the following to magnus.conf:

Init fn=init_my_animations maxAnimLoop=5

Instructing the Server to Call the SAFs

Next, add directives to obj.conf to instruct the server to call each custom SAF at the appropriate time. The syntax for directives is:

Directive fn=function-name [name1="value1"]...[nameN="valueN"]

Depending on what your new SAF does, you might need to add just one directive to obj.conf, or you might need to add more than one directive to provide complete instructions for invoking the new SAF.

For example, if you define a new AuthTrans or PathCheck SAF, you could just add an appropriate directive in the default object. However, if you define a new Service SAF to be invoked only when the requested resource is in a particular directory or has a new kind of file extension, you would need to take extra steps.

If your new Service SAF is to be invoked only when the requested resource has a new kind of file extension, you might need to add an entry to the MIME types file so that the type value is set properly during the ObjectType stage. Then you could add a Service directive to the default object that specifies the desired type value.

If your new Service SAF is to be invoked only when the requested resource is in a particular directory, you might need to define a NameTrans directive that generates a name or ppath value that matches another object. Then, in the new object, you could invoke the new Service function.

For example, suppose your plug-in defines two new SAFs, do_small_anim() and do_big_anim(), which both take speed parameters. These functions run animations. All files to be treated as small animations reside in the directory D:/<Install_Root>/<Instance_Directory>/docs/animations/small, while all files to be treated as full-screen animations reside in the directory D:/<Install_Root>/<Instance_Directory>/docs/animations/fullscreen.

To ensure that the new animation functions are invoked whenever a client sends a request for either a small or full-screen animation, you would add NameTrans directives to the default object to translate the appropriate URLs to the corresponding path names and also assign a name to the request.


NameTrans fn=pfx2dir from="/animations/small"
 dir="/<Install_Root>/<Instance_Directory>/docs/animations/small" 
	name="small_anim"
NameTrans fn=pfx2dir from="/animations/fullscreen"
 dir="<Install_Root>/<Instance_Directory>docs/animations/fullscreen"
 name="fullscreen_anim"

You also need to define objects that contain the Service directives that run the animations and specify the speed parameter.


<Object name="small_anim">
Service fn=do_small_anim speed=40
</Object>
<Object name="fullscreen_anim">
Service fn=do_big_anim speed=20
</Object>

         

Restarting the Server

After modifying obj.conf, you need to restart the server. A restart is required for all plug-ins that implement SAFs or filters.

Testing the SAF

Test your SAF by accessing your server from a browser with a URL that triggers your function. For example, if your new SAF is triggered by requests to resources in http://server-name/animations/small, try requesting a valid resource that starts with that URI.

You should disable caching in your browser so that the server is sure to be accessed. In Netscape NavigatorTM, Press the Shift key while clicking the Reload button to ensure that the cache is not used. If the images are already in the cache, this action does not always force the client to fetch images from the source.

You might also want to disable the server cache using the cache-init SAF.

Examine the access log and error log to help with debugging.

Overview of NSAPI C Functions

NSAPI provides a set of C functions that are used to implement SAFs. These functions serve several purposes; They provide platform independence across Proxy Server operating system and hardware platforms. They provide improved performance. They are thread-safe which is a requirement for SAFs. They prevent memory leaks. And they provide functionality necessary for implementing SAFs. You should always use these NSAPI routines when defining new SAFs.

This section provides an overview of the function categories available and some of the more commonly used routines. All of the public routines are described in detail in Chapter 4, NSAPI Function Reference

The main categories of NSAPI functions are:

Parameter Block Manipulation Routines

The parameter block manipulation functions provide routines for locating, adding, and removing entries in a pblock data structure

Protocol Utilities for Service SAFs

Protocol utilities provide functionality necessary to implement Service SAFs

Memory Management

Memory management routines provide fast, platform-independent versions of the standard memory management routines. These routines also prevent memory leaks by allocating from a temporary memory, called “pooled” memory for each request, and then disposing the entire pool after each request. There are wrappers for standard memory routines for using permanent memory.

File I/O

The file I/O functions provide platform-independent, thread-safe file I/O routines.

Network I/O

Network I/O functions provide platform-independent, thread-safe network I/O routines. These routines work with SSL when SSL is enabled.

Threads

Thread functions include functions for creating your own threads that are compatible with the server’s threads. There are also routines for critical sections and condition variables.

Utilities

Utility functions include platform-independent, thread-safe versions of many standard library functions (such as string manipulation), as well as new utilities useful for NSAPI.


Note –

You cannot use an embedded null in a string, because NSAPI functions assume that a null is the end of the string. Therefore, passing Unicode-encoded content through an NSAPI plug-in.


Required Behavior of SAFs for Each Directive

SAF definitions , you should define it to do certain things, depending on which stage of the request-handling process will invoke the SAF. For example, SAFs to be invoked during the Init stage must conform to different requirements than SAFs to be invoked during the Service stage.

The rq parameter is the primary mechanism for passing information throughout the request-response process. On input to a SAF, rq contains whatever values were inserted or modified by previously executed SAFs. On output, rq contains any modifications or additional information inserted by the SAF. Some SAFs depend on the existence of specific information provided at an earlier step in the process. For example, a PathCheck SAF retrieves values in rq->vars that were previously inserted by an AuthTrans SAF.

This section outlines the expected behavior of SAFs used at each stage in the request-handling process.

For more detailed information about these SAFs, see Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference.

Init SAFs

AuthTrans SAFs

NameTrans SAFs

PathCheck SAFs

ObjectType SAFs

Input SAFs

Output SAFs

Service SAFs

Error SAFs

AddLog SAFs

Connect

DNS

Filter

Route

CGI to NSAPI Conversion

When converting a CGI variable into a SAF using NSAPI, Since the CGI environment variables are not available to NSAPI, you’ll retrieve them from the NSAPI parameter blocks. The table below indicates how each CGI environment variable can be obtained in NSAPI.

Table 1–6 Parameter Blocks for CGI Variables

CGI getenv()  

NSAPI  

AUTH_TYPE

pblock_findval("auth-type", rq->vars);

AUTH_USER

pblock_findval("auth-user", rq->vars);

CONTENT_LENGTH

pblock_findval("content-length", rq->headers);

CONTENT_TYPE

pblock_findval("content-type", rq->headers);

GATEWAY_INTERFACE

"CGI/1.1"

HTTP_*

pblock_findval( "*", rq->headers); (* is lowercase; dash replaces underscore)

PATH_INFO

pblock_findval("path-info", rq->vars);

PATH_TRANSLATED

pblock_findval("path-translated", rq->vars);

QUERY_STRING

pblock_findval("query", rq->reqpb); (GET only; POST puts query string in body data)

REMOTE_ADDR

pblock_findval("ip", sn->client);

REMOTE_HOST

session_dns(sn) ? session_dns(sn) : pblock_findval("ip", sn->client);

REMOTE_IDENT

pblock_findval( "from", rq->headers);(not usually available)

REMOTE_USER

pblock_findval("auth-user", rq->vars);

REQUEST_METHOD

pblock_findval("method", req->reqpb);

SCRIPT_NAME

pblock_findval("uri", rq->reqpb);

SERVER_NAME

char *util_hostname();

SERVER_PORT

conf_getglobals()->Vport; (as a string)

SERVER_PROTOCOL

pblock_findval("protocol", rq->reqpb);

SERVER_SOFTWARE

MAGNUS_VERSION_STRING

Sun ONE-specific:

 

CLIENT_CERT

pblock_findval("auth-cert", rq->vars)

HOST

char *session_maxdns(sn);(may be null)

HTTPS

security_active ? "ON" : "OFF";

HTTPS_KEYSIZE

pblock_findval("keysize", sn->client);

HTTPS_SECRETKEYSIZE

pblock_findval("secret-keysize", sn->client);

QUERY

pblock_findval( query", rq->reqpb); (GET only, POST puts query string in entity-body data)

SERVER_URL

http_uri2url_dynamic("","", sn, rq);

Your code must be thread-safe under NSAPI. You should use NSAPI functions that are thread-safe. Also, you should use the NSAPI memory management and other routines for speed and platform independence.