| iMatix home page
| Xitami home page
| << | < | > | >>
Xitami Xitami
Version 2.3b

Administration

Xitami Under Windows

The Windows version of Xitami provides a simple control panel that lets you start, stop, and monitor the web server. The service version is easily installed as an NT service, or can be run as a command-line program. It then accepts the command-line switches described later.

Xitami Under UNIX

Under UNIX, Xitami can run as a foreground process or a daemon. You can run it interactively to test your configuration, and then configure your system inittab or start-up scripts to run it automatically.  

This is the command-line syntax for Xitami:

Syntax: xitami [options...]
Options:
  -r directory     Root directory for web pages (webpages).
  -c directory     Directory for CGI programs (cgi-bin).
  -b portbase      Shift HTTP port 80 by this value.  E.g. to run
                   Xitami on port 7080, do 'xitami -b 7000'.
  -l filename      Log file for output (xitami.log).
  -a filename      Authentication file (xitami.aut).
  -q               Quite mode: no messages or log.
  -s               Server mode: run as background job.
  -t               Trace all socket i/o operations to log file.
  -v               Show Xitami version information.
  -h               Show summary of command-line options.

The -s option has no effect on Windows systems; under UNIX it does the following: Xitami recreates itself as a background process, ignoring the SIGHUP signal.

Testing Xitami

Run Xitami as described in the installation section. Connect with a browser to the URL: http://hostname/ or http://hostname:5080/. If Xitami is correctly installed, you should see a page entitled: "Welcome To Xitami". Please read this page and try the various links and buttons to ensure that Xitami is working correctly. If you install your own web pages, you can still access the Xitami Welcome page by using the URL: http://hostname/default.htm.

Using Xitami

These options can be changed. The webpages directory can be any relative (depending on the directory where Xitami is run) or absolute directory (with a full path name).

The cgi-bin directory can be specified in various ways - see the section on CGI programming in Xitami.

Xitami will negotiate with the web browser to find a file when the URL does not specify a filename. It will search for an HTML file called index.htm, index.html, default.htm, or default.html, in that order. If none of these files are found, Xitami returns the directory listing, formatted as an HTML page.

You should install a file called 'index.htm' in the webpages directory, to override the 'default.htm' file used by Xitami.

User Authentication

Xitami supports the HTTP/1.0 Basic Authentication protocol. This is a minimalistic security approach that is quick and supported by all browsers, but which should not be used for very sensitive data, since the user name and password can be extracted from the TCP/IP packets sent by the browser.

The xitami.aut file holds the authentication information. This file is not encoded, but is not accessible by browsers unless you place it in the webpages directory. You can modify this file on the fly; Xitami will reload it after a short delay (the server:refresh option).

Protection is applied to directories or individual URLs. This is what an authentication file looks like:

#  Authorization file for XITAMI
#  Each [Entry] defines a protected URL or directory.
#  The directory name is followed by user=password pairs
#
[/Admin]
    admin=top secret
    realm=On-Line Administration
[stats/index.htm]
    root=PakYupTon
    admin=QzeCat96
    webmask=local
[/private]
    jacky="funny;password"
    sarah=arabica
    jonas=realtime

Each section name specifies an URI or a directory name; the leading slash is optional. When checking a resource called "/pub/mypages/file", Xitami will look for entries in this order:

[/pub/mypages/file]
[pub/mypages/file]
[/pub/mypages]
[pub/mypages]
[/pub]
[pub]
[/]

The directory or URL name is not case-sensitive; Xitami always treats it as lower-case. On systems where filenames are case-sensitive, "PRIVATE" and "private" are treated as equal by Xitami, and are both handled by the authentication data for [Private]. The user name is also case-insensitive. The password is case-insensitive if the option security:password-case is set to 0.

Passwords can contain any printable character except ' and ". If you edit or create the password file by hand or using scripts, use double quotes around passwords to make sure that special characters like ; and # (which indicate comments) are treated as part of the password.

The entry 'webmask=' is treated in a special manner; this defines the set of valid IP addresses for clients trying to access the directory. The section on webmasks provides more details. If you define an entry consisting only of 'webmask=', Xitami will treat this as a resource that is protected (has an entry) but has no valid users.

The entry 'realm=' is also treated in a special manner; this defines the 'Realm' for the authentication. The realm is returned to the browser, and is the basis upon which it will remember user names and passwords. If you use the same realm for several directories or URLs, make sure that the user names and passwords also match. If no realm is defined, Xitami returns the [Entry] name as the realm.

A password "-" is treated as meaning 'not allowed' for that user. If there is only one user defined, the resource will be inaccessible. This is used, for example, in the default xitami.aut file to indicate that the administration URL '/admin' is not accessibly until a non-default password has been entered. An empty password is treated as meaning 'non required' for that user.

Xitami Log Files

Xitami logs errors and information to the file 'xitami.log'. This file is always opened in append mode. It looks something like this:

96/12/05 20:19:41: I: OPEN port=80
96/12/06 07:22:03: I: OPEN port=80

Xitami logs all HTTP requests to the file 'access.log', which follows the common CERN/NCSA standard for web server log files. The log file format consists of lines in this format:

host - user [DD/Mon/YYYY:hh:mm:ss] "request" ddd bbbb "referer" "agent"
This field: Has this purpose:
host IP number of requesting host
user Userid sent for authentication, or -
request HTTP request sent by client
ddd Status code returned by server
bbbb Size of data sent, excluding HTTP header
referer Referer document, or ""
agent User agent (browser), or ""

The access log files are automatically cycled: when Xitami starts, it will save any existing file before starting a new access log. The old access log file is given a name based on the time when it was last modified.

Building Multilanguage Web Sites

Xitami accepts the HTTP Accept-Language field and tries to do something useful with it. Not all browsers let you set this field, but some do. This field lets users specify their preferences for particular versions of documents. For instance, if a user specifies that they prefer documents in French, then English, the Accept-Language field will contain "fr, en". Xitami handles this as follows, for a document URL "file.htm":

Security Aspects

Xitami does not currently conform to the expected model of Unix security for web servers; this is an evolution that we are working towards. The main limitation is that Xitami does not use the Unix setuid option to switch to a 'harmless' user after opening its main HTTP port. You can run Xitami on a non-root port, such as 5080. The second limitation is that Xitami runs all CGIs and SSI scripts using its own user id.


| << | < | > | >>
| Welcome To Xitami | Table Of Contents | Installing Xitami | Administration | Configuration | Using The Common Gateway Interface (CGI) | Using SSI and Filters | Image Maps | Virtual Hosting | The FTP service | A Beginner's Guide | Writing Web Server Extension (WSX) Agents | Extending Xitami with External Peer Processes | FAQ | Technical Implementation | Getting Support | Release History | License Agreement
iMatix
Copyright © 1996-97 iMatix