openacs-config.tcl

######################################################################
#
# Config parameter for an OpenACS site using NaviServer.
#
# These default settings will only work in limited circumstances.
# Two servers with default settings cannot run on the same host
#
######################################################################
ns_log notice "nsd.tcl: starting to read configuration file..."

#---------------------------------------------------------------------
# Port settings:
#
#    Change the HTTP and HTTPS port to e.g. 80 and 443 for production
#    use.  Setting the configuration parameter "httpport" or
#    "httpsport" to the special value 0 means to active the HTTP/HTTPS
#    driver for ns_http, but do not listen on this port. Without
#    loading the driver, ns_http won't be able to the protocol.
#
# Note: If the specufued port is privileged (usually < 1024), OpenACS
# must be started by root, and the run script must contain the flag
# '-b address:port' which matches the configured address and port.
#
# The "hostname" (e.h. domain names) and "ipaddress" should be set to
# actual values such that the server is reachable over the
# Internet. The default values are fine for testing purposes. One can
# specify for "hostname" and "ipaddress" also multiple values
# (e.g. IPv4 and IPv6). Multiple hostnames are used as alternative
# domain names names for the "http" and "https" server sections.
#
#    hostname	localhost
#    ipaddress	127.0.0.1  ;# listen on loopback via IPv4
#    ipaddress	0.0.0.0    ;# listen on all IPv4 addresses
#    ipaddress  ::1        ;# listen on loopback via IPv6
#    ipaddress	::0        ;# listen on all IPv6 addresses
#
# All default variables in "defaultConfig" can be overloaded by:
#
# 1) Setting these variables explicitly in this file after
#    "ns_configure_variables" (highest precedence)
#
# 2) Setting these variables as environment variables with the "oacs_"
#    prefix (suitable for e.g. docker setups).  The lookup for
#    environment variables happens in "ns_configure_variables".
#
# 3) Alter/override the variables in the "defaultConfig"
#    (lowest precedence)
#
set defaultConfig {
    hostname	localhost
    ipaddress	127.0.0.1
    httpport	8000
    httpsport	""
    nscpport    ""
    smtpdport   ""

    server     "openacs"
    serverroot	/var/www/$server
    logdir	$serverroot/log
    homedir	/usr/local/ns
    bindir	$homedir/bin
    certificate	$serverroot/etc/certfile.pem
    vhostcertificates $serverroot/etc/certificates
    db_name	$server
    db_user	nsadmin
    db_host	localhost
    db_port	""

    CookieNamespace  ad_
    cachingmode      full
    reverseproxymode false
    serverprettyname "My OpenACS Instance"

    clusterSecret    ""
    parameterSecret  ""
}

#
# Override default variables as defined by "defaultConfig" (this
# allows commenting lines)
#
# If the same domain name serves multiple OpenACS instances,
# same-named cookies will mix up.  You might consider a different
# namespace for the cookies.
#
#dict set defaultConfig CookieNamespace ad_8000_

#---------------------------------------------------------------------
# Which database do you want to use? PostgreSQL or Oracle?
#
set database postgres

#
# For Oracle, some of the defaults have to be adjusted,
# make also sure that certain environment variables are set
#
if { $database eq "oracle" } {
    dict set defaultConfig db_password "openacs"
    dict set defaultConfig db_name openacs
    dict set defaultConfig db_port 1521

    set ::env(ORACLE_HOME) /opt/oracle/product/19c/dbhome_1
    set ::env(NLS_DATE_FORMAT) YYYY-MM-DD
    set ::env(NLS_TIMESTAMP_FORMAT) "YYYY-MM-DD HH24:MI:SS.FF6"
    set ::env(NLS_TIMESTAMP_TZ_FORMAT) "YYYY-MM-DD HH24:MI:SS.FF6 TZH:TZM"
    set ::env(NLS_LANG) American_America.UTF8
}

#---------------------------------------------------------------------
# If debug is false, all debugging will be turned off.
set debug false
set verboseSQL false

set max_file_upload_size      20MB
set max_file_upload_duration   5m

#---------------------------------------------------------------------
# Set headers that should be included in every response from the
# server.
#
set http_extraheaders {
    X-Frame-Options            "SAMEORIGIN"
    X-Content-Type-Options     "nosniff"
    X-XSS-Protection           "1; mode=block"
    Referrer-Policy            "strict-origin"
}

set https_extraheaders {
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
append https_extraheaders $http_extraheaders

######################################################################
#
# End of instance-specific settings
#
# Nothing below this point need be changed in a default install.
#
######################################################################
#
# For all potential variables defined by the dict "defaultConfig",
# allow environment variables such as "oacs_httpport" or
# "oacs_ipaddress" to override local values.
#
source [file dirname [ns_info nsd]]/../tcl/init.tcl
ns_configure_variables "oacs_" $defaultConfig

#
# For Oracle, we set the datasource to values which might be
# changed via environment variables. So, this has to happen
# after "ns_configure_variables"
#
if { $database eq "oracle" } {
    set datasource ${db_host}:${db_port}/$db_name ;# name of the pluggable database / service
}
#---------------------------------------------------------------------
# Set environment variables HOME and LANG. HOME is needed since
# otherwise some programs called via exec might try to write into the
# root home directory.
#
set ::env(HOME) $homedir
set ::env(LANG) en_US.UTF-8


ns_logctl severity "Debug(ns:driver)" $debug

#---------------------------------------------------------------------
#
# NaviServer's directories. Auto-configurable.
#
#---------------------------------------------------------------------
# Where are your pages going to live ?
set pageroot                  ${serverroot}/www
set directoryfile             "index.tcl index.adp index.html index.htm"

#---------------------------------------------------------------------
# Global server parameters
#---------------------------------------------------------------------
ns_section ns/parameters {
    ns_param	serverlog	${logdir}/error.log
    ns_param	pidfile		${logdir}/nsd.pid
    ns_param	home		$homedir
    ns_param	debug		$debug

    # Define optionally the tmpdir. If not specified, the
    # environment variable TMPDIR is used. If that is not
    # specified either, a system specific constant us used
    # (compile time macro P_tmpdir)
    #
    # ns_param        tmpdir    c:/tmp

    # Parameter for controlling caching via ns_cache. Potential values
    # are "full" or "none", future versions might allow as well
    # "cluster".  The value of "none" makes ns_cache operations to
    # no-ops, this is a very conservative value for clusters.
    #
    ns_param   cachingmode     $cachingmode  ;# default: "full"

    # Timeout for shutdown to let existing connections and background
    # jobs finish.  When this time limit is exceeded the server shuts
    # down immediately.
    #
    # ns_param shutdowntimeout 20s  ;# 20s is the default

    # Configuration of incoming connections
    #
    # ns_param listenbacklog   256  ;# default: 32; global backlog for ns_socket commands
                                     # and global default for drivers; can be refined
                                     # by driver parameter "backlog".
    # ns_param sockacceptlog     3  ;# default: 4; report, when one accept operation receives
                                     # more than this threshold number of sockets; can be refined
                                     # by driver parameter with the same name.
    #
    # Configuration of error.log
    #
    # Rolling of logfile:
    ns_param	logroll		on
    ns_param	logmaxbackup	100      ;# 10 is default
    ns_param	logrollfmt	%Y-%m-%d ;# format appended to serverlog filename when rolled
    #
    # Format of log entries in serverlog:
    # ns_param  logsec          false    ;# add timestamps in second resolution (default: true)
    # ns_param  logusec         true     ;# add timestamps in microsecond (usec) resolution (default: false)
    # ns_param  logusecdiff     true     ;# add timestamp diffs since in microsecond (usec) resolution (default: false)
    # ns_param  logthread       false    ;# add thread-info the log file lines (default: true)
    ns_param	logcolorize	true     ;# colorize log file with ANSI colors (default: false)
    ns_param	logprefixcolor	green    ;# black, red, green, yellow, blue, magenta, cyan, gray, default
    # ns_param  logprefixintensity normal;# bright or normal
    #
    # Severities to be logged (can be better controlled (also at runtime) via ns_logctl)
    #ns_param	logdebug	trueug   ;# debug messages
    #ns_param	logdev		true     ;# development message
    #ns_param   lognotice       true     ;# informational messages
    #ns_param   sanitizelogfiles 2       ;# default: 2; 0: none, 1: full, 2: human-friendly

    # ns_param	mailhost            localhost

    # ns_param	jobsperthread       0     ;# number of ns_jobs before thread exits
    # ns_param	jobtimeout          5m    ;# default "ns_job wait" timeout
    # ns_param	joblogminduration   1s    ;# default: 1s

    # ns_param	schedsperthread     0     ;# number of scheduled jobs before thread exits
    # ns_param	schedlogminduration 2s    ;# print warnings when scheduled job takes longer than that

    # Write asynchronously to log files (access log and error log)
    # ns_param	asynclogwriter	true		;# false

    #ns_param       mutexlocktrace       true   ;# default false; print durations of long mutex calls to stderr

    # Reject output operations on already closed or detached connections (e.g. subsequent ns_return statements)
    #ns_param       rejectalreadyclosedconn false ;# default: true

    # Allow concurrent create operations of Tcl interpreters.
    # Versions up to at least Tcl 8.5 are known that these might
    # crash in case two threads create interpreters at the same
    # time. These crashes were hard to reproduce, but serializing
    # interpreter creation helped. Starting with Tcl 8.6,
    # the default is set to "true".
    #ns_param        concurrentinterpcreate false   ;# default: true

    # Enforce sequential thread initialization. This is not really
    # desirably in general, but might be useful for hunting strange
    # crashes or for debugging with valgrind.
    # ns_param	tclinitlock	true           ;# default: false

    #
    # Encoding settings
    #

    # NaviServer's defaults charsets are all utf-8.  Although the
    # default charset is utf-8, set the parameter "OutputCharset"
    # here, since otherwise OpenACS uses in the meta-tags the charset
    # from [ad_conn charset], which is taken from the db and is
    # per-default ISO-8859-1.
    ns_param	OutputCharset	utf-8
    # ns_param	URLCharset	utf-8

    # In cases were UTF-8 parsing fails in forms, retry with the specified charset.
    # ns_param formfallbackcharset iso8859-1
    #
    # DNS configuration parameters
    #
    #ns_param dnscache true          ;# default: true
    #ns_param dnswaittimeout 5s      ;# time for waiting for a DNS reply; default: 5s
    #ns_param dnscachetimeout 60m     ;# time to keep entries in cache; default: 1h
    ns_param dnscachemaxsize 500KB  ;# max size of DNS cache in memory units; default: 500KB

    # Running behind proxy? Used also by OpenACS...
    ns_param reverseproxymode	$reverseproxymode
}

#---------------------------------------------------------------------
# Definition of NaviServer servers (add more servers, when true
# NaviServer virtual hosting should be used).
# ---------------------------------------------------------------------
ns_section ns/servers {
    ns_param $server $serverprettyname
}

#
# In case, a docker mapping is provided, source it to make it
# accessible during configuration. The mapping file is a Tcl script
# providing at least the Tcl dict ::docker::containerMapping
# containing the docker mapping. A dict key like "8080/tcp" (internal
# port) will return a dict containing the keys "host", "port" and
# "proto" (e.g. proto https host 192.168.1.192 port 58115).
#
if {[file exists /scripts/docker-dict.tcl]} {
    source /scripts/docker-dict.tcl
}

#---------------------------------------------------------------------
# Configuration for plain HTTP interface  -- module nssock
#---------------------------------------------------------------------
if {[info exists httpport] && $httpport ne ""} {
    #
    # We have an "httpport" configured, so load and configure the
    # module "nssock" as a global server module with the name "http".
    #
    ns_section ns/modules {
         ns_param http ${bindir}/nssock
    }

    ns_section ns/module/http {
        ns_param	defaultserver	$server
        ns_param	address		$ipaddress
        ns_param	hostname	[lindex $hostname 0]
        ns_param	port		$httpport                  ;# default 80
        ns_param	maxinput	$max_file_upload_size      ;# 1MB, maximum size for inputs (uploads)
        ns_param	recvwait	$max_file_upload_duration  ;# 30s, timeout for receive operations
        # ns_param	maxline		8192	;# 8192, max size of a header line
        # ns_param	maxheaders	128	;# 128, max number of header lines
        # ns_param	uploadpath	/tmp	;# directory for uploads
        # ns_param	maxqueuesize	256	;# 1024, maximum size of the queue of preprocessed requests
        # ns_param	backlog		256	;# 256, backlog for listen operations
        # ns_param	acceptsize	10	;# backlog; Maximum number of requests accepted at once.
        # ns_param      sockacceptlog   3       ;# ns/param sockacceptlog; report, when one accept operation
                                                 # receives more than this threshold number of sockets
        # ns_param	deferaccept     true    ;# false, Performance optimization, may cause recvwait to be ignored
        # ns_param	bufsize		16kB	;# 16kB, buffersize
        # ns_param	readahead	16kB	;# value of bufsize, size of readahead for requests
        # ns_param	sendwait	30s	;# 30s, timeout for send operations
        # ns_param	closewait	2s	;# 2s, timeout for close on socket
        # ns_param	keepwait	2s	;# 5s, timeout for keep-alive
        # ns_param	nodelay         false   ;# true; deactivate TCP_NODELAY if Nagle algorithm is wanted
        # ns_param	keepalivemaxuploadsize    500kB  ;# 0, don't allow keep-alive for upload content larger than this
        # ns_param	keepalivemaxdownloadsize  1MB    ;# 0, don't allow keep-alive for download content larger than this
        # ns_param	spoolerthreads	1	;# 0, number of upload spooler threads
        ns_param	maxupload	100kB	;# 0, when specified, spool uploads larger than this value to a temp file
        ns_param	writerthreads	2	;# 0, number of writer threads
        ns_param	writersize	1kB	;# 1MB, use writer threads for files larger than this value
        # ns_param	writerbufsize	8kB	;# 8kB, buffer size for writer threads
        # ns_param	writerstreaming	true	;# false;  activate writer for streaming HTML output (when using ns_write)

        #
        # Options for port reuse (see https://lwn.net/Articles/542629/)
        # These options require proper OS support.
        #
        # ns_param  reuseport       true    ;# false;  normally not needed to be set, set by driverthreads when necessary
        # ns_param	driverthreads	2	;# 1; use multiple driver threads; activates "reuseport"

        #
        # Extra driver-specific response headers fields to be added for
        # every request.
        #
        ns_param    extraheaders    $http_extraheaders
    }
    #
    # Define, which "host" (as supplied by the "host:" header field)
    # accepted over this driver should be associated with which
    # server. The variable hostname can contain multiple host names
    # (domain names) which are registered below.
    #
    ns_section ns/module/http/servers {
        foreach domainname $hostname {
            ns_param $server $domainname
        }
        foreach address $ipaddress {
            ns_param $server $address
        }
        if {[info exists ::docker::containerMapping] && [dict exists $::docker::containerMapping $httpport/tcp]} {
            set __host [dict get $::docker::containerMapping $httpport/tcp host]
            set __port [dict get $::docker::containerMapping $httpport/tcp port]
            ns_log notice "added white-listed address '${__host}:${__port}' for server $server on HTTP driver"
            ns_param $server ${__host}:${__port}
        }
    }
}

#---------------------------------------------------------------------
# Configuration for HTTPS interface (SSL/TLS) -- module nsssl
#---------------------------------------------------------------------

if {[info exists httpsport] && $httpsport ne ""} {
    #
    # We have an "httpsport" configured, so configure this module.
    #
    #
    # We have an "httpsport" configured, so load and configure the
    # module "nsssl" as a global server module with the name "https".
    #
    ns_section ns/modules {
        ns_param https  ${bindir}/nsssl
    }

    ns_section ns/module/https {
        ns_param defaultserver	$server
        ns_param address	$ipaddress
        ns_param port		$httpsport
        ns_param hostname	$hostname
        ns_param ciphers	"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
        #ns_param ciphersuites  "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
        ns_param protocols	"!SSLv2:!SSLv3:!TLSv1.0:!TLSv1.1"
        ns_param certificate	$certificate
        ns_param vhostcertificates $vhostcertificates ;# directory for vhost certificates of the default server
        ns_param verify		0
        ns_param writerthreads	2
        ns_param writersize	1kB
        ns_param writerbufsize	16kB	;# 8kB, buffer size for writer threads
        # ns_param writerstreaming	true	;# false
        # ns_param spoolerthreads	1	;# 0, number of upload spooler threads
        # ns_param maxupload	100kB	;# 0, when specified, spool uploads larger than this value to a temp file
        # ns_param backlog	256	;# 256, backlog for listen operations
        # ns_param acceptsize	10	;# backlog; Maximum number of requests accepted at once.
        # ns_param sockacceptlog 3      ;# ns/param sockacceptlog; report, when one accept operation
                                         # receives more than this threshold number of sockets
        # ns_param deferaccept	true    ;# false, Performance optimization
        # ns_param nodelay	false   ;# true; deactivate TCP_NODELAY if Nagle algorithm is wanted
        ns_param maxinput	$max_file_upload_size   ;# Maximum file size for uploads in bytes
        ns_param recvwait	$max_file_upload_duration  ;# 30s, timeout for receive operations
        ns_param extraheaders	$https_extraheaders
        ns_param OCSPstapling   on        ;# off; activate OCSP stapling
        # ns_param OCSPstaplingVerbose  on ;# off; make OCSP stapling more verbose
    }
    #
    # Define, which "host" (as supplied by the "host:" header field)
    # accepted over this driver should be associated with which
    # server. This parameter is for virtual servers. Here we just
    # register the $hostname and the $address (in case, the server is
    # addressed via its IP address).
    #
    ns_section ns/module/https/servers {
        foreach domainname $hostname {
            ns_param $server $domainname
        }
        foreach address $ipaddress {
            ns_param $server $address
        }
        if {[info exists ::docker::containerMapping] && [dict exists $::docker::containerMapping $httpsport/tcp]} {
            set __host [dict get $::docker::containerMapping $httpsport/tcp host]
            set __port [dict get $::docker::containerMapping $httpsport/tcp port]
            ns_log notice "added white-listed address '${__host}:${__port}' for server $server on HTTPS driver"
            ns_param $server ${__host}:${__port}
        }
    }
}


#---------------------------------------------------------------------
# Thread library (nsthread) parameters
#---------------------------------------------------------------------
ns_section ns/threads {
    ns_param	stacksize	1MB
}
#---------------------------------------------------------------------
# Extra mime types
#---------------------------------------------------------------------
ns_section ns/mimetypes {
    #  Note: NaviServer already has an exhaustive list of MIME types:
    #  see: /usr/local/src/naviserver/nsd/mimetypes.c
    #  but in case something is missing you can add it here.

    #ns_param	default		*/*
    #ns_param	noextension	text/html
    #ns_param	.pcd		image/x-photo-cd
    #ns_param	.prc		application/x-pilot
}

#---------------------------------------------------------------------
# Global fastpath parameters
#---------------------------------------------------------------------
ns_section ns/fastpath {
    #ns_param        cache               true       ;# default: false
    #ns_param        cachemaxsize        10MB       ;# default: 10MB
    #ns_param        cachemaxentry       100kB      ;# default: 8kB
    #ns_param        mmap                true       ;# default: false
    #ns_param        gzip_static         true       ;# check for static gzip; default: false
    #ns_param        gzip_refresh        true       ;# refresh stale .gz files on the fly using ::ns_gzipfile
    #ns_param        gzip_cmd            "/usr/bin/gzip -9"  ;# use for re-compressing
    #ns_param        minify_css_cmd      "/usr/bin/yui-compressor --type css"
    #ns_param        minify_js_cmd       "/usr/bin/yui-compressor --type js"
    #ns_param        brotli_static       true       ;# check for static brotli files; default: false
    #ns_param        brotli_refresh      true       ;# refresh stale .br files on the fly using ::ns_brotlifile
    #ns_param        brotli_cmd          "/usr/bin/brotli -f -Z"  ;# use for re-compressing
}

#---------------------------------------------------------------------
#
# Server-level configuration
#
#  There is only one server in NaviServer, but this is helpful when multiple
#  servers share the same configuration file.  This file assumes that only
#  one server is in use so it is set at the top in the "server" Tcl variable
#  Other host-specific values are set up above as Tcl variables, too.
#
#---------------------------------------------------------------------
#
# Server parameters
#
ns_section ns/server/$server {
    #
    # Scaling and Tuning Options
    #
    # ns_param	maxconnections	100      ;# 100; number of allocated connection structures
    ns_param    rejectoverrun   true     ;# false (send 503 when queue overruns)
    #ns_param   retryafter      5s       ;# time for Retry-After in 503 cases
    #ns_param   filterrwlocks   false    ;# default: true

    # ns_param	maxthreads	10       ;# 10; maximal number of connection threads
    ns_param	minthreads	2        ;# 1; minimal number of connection threads

    #ns_param	connsperthread	1000     ;# 10000; number of connections (requests) handled per thread
    ;# Setting connsperthread to > 0 will cause the thread to
    ;# graciously exit, after processing that many requests, thus
    ;# initiating kind-of Tcl-level garbage collection.

    # ns_param	threadtimeout	2m       ;# 2m; timeout for idle threads.
    ;# In case, minthreads < maxthreads, threads are shutdown after
    ;# this idle time until minthreads are reached.

    # ns_param	lowwatermark	10       ;# 10; create additional threads above this queue-full percentage
    ns_param	highwatermark	100      ;# 80; allow concurrent creates above this queue-is percentage
                                         ;# 100 means to disable concurrent creates
    #ns_param    connectionratelimit 200 ;# 0; limit rate per connection to this amount (KB/s); 0 means unlimited
    #ns_param    poolratelimit   200     ;# 0; limit rate for pool to this amount (KB/s); 0 means unlimited

    # Compress response character data: ns_return, ADP etc.
    #
    ns_param	compressenable	on       ;# false, use "ns_conn compress" to override
    # ns_param	compresslevel	4        ;# 4, 1-9 where 9 is high compression, high overhead
    # ns_param	compressminsize	512      ;# Compress responses larger than this
    # ns_param	compresspreinit true     ;# false, if true then initialize and allocate buffers at startup

    # Enable nicer directory listing (as handled by the OpenACS request processor)
    # ns_param	directorylisting	fancy	;# Can be simple or fancy

    #
    # Configuration of replies
    #
    # ns_param	realm		yourrealm	;# Default realm for Basic authentication
    # ns_param	noticedetail	false		;# true, return detail information in server reply
    # ns_param	noticeadp	returnnotice.adp ;# returnnotice.adp; ADP file for ns_returnnotice.
    # ns_param	errorminsize	0		;# 514, fill-up reply to at least specified bytes (for ?early? MSIE)
    # ns_param	headercase	preserve	;# preserve, might be "tolower" or "toupper"
    # ns_param	checkmodifiedsince	false	;# true, check modified-since before returning files from cache. Disable for speedup

    #
    # Extra server-specific response headers fields to be added for
    # every response on this server
    #
    #ns_param    extraheaders    {...}
}

########################################################################
# Connection thread pools.
#
#  Per default, NaviServer uses a "default" connection pool, which
#  needs no extra configuration.  Optionally, multiple connection
#  thread pools can be configured using the following parameters.
#
#       map
#       connsperthread
#       highwatermark
#       lowwatermark
#       maxconnections
#       rejectoverrun
#       retryafter
#       maxthreads
#       minthreads
#       poolratelimit
#       connectionratelimit
#       threadtimeout
#
# In order to define thread pools, do the following:
#
#  1. Add pool names to "ns/server/$server/pools"
#  2. Configure pools with the noted parameters
#  3. Map method/URL combinations for these pools
#
#  All unmapped method/URL's will go to the default server pool of the
#  server.
#
########################################################################

ns_section ns/server/$server/pools {
    #
    # To activate connection thread pools, uncomment one of the
    # following lines and/or add other pools.

    #ns_param   monitor	"Monitoring actions to check healthiness of the system"
    #ns_param   fast	"Fast requests, e.g. less than 10ms"
    #ns_param   slow    "Slow lane pool, for request remapping"
}

ns_section ns/server/$server/pool/monitor {
    ns_param   minthreads 2
    ns_param   maxthreads 2

    ns_param   map "GET /SYSTEM"
    ns_param   map "GET /acs-admin"
    ns_param   map "GET /admin/nsstats"
    ns_param   map "GET /ds"
    ns_param   map "GET /request-monitor"
    ns_param   map "POST /SYSTEM"
    ns_param   map "POST /acs-admin"
    ns_param   map "POST /admin/nsstats"
    ns_param   map "POST /ds"
}

ns_section ns/server/$server/pool/fast {
    ns_param   minthreads 2
    ns_param   maxthreads 2
    ns_param   rejectoverrun true

    ns_param   map "GET /*.png"
    ns_param   map "GET /*.PNG"
    ns_param   map "GET /*.jpg"
    ns_param   map "GET /*.pdf"
    ns_param   map "GET /*.gif"
    ns_param   map "GET /*.mp4"
    ns_param   map "GET /*.ts"
    ns_param   map "GET /*.m3u8"
}

ns_section ns/server/$server/pool/slow {
    ns_param   minthreads 2
    ns_param   maxthreads 5
    ns_param   maxconnections 600
    ns_param   rejectoverrun true
}


#---------------------------------------------------------------------
# Special HTTP pages
#---------------------------------------------------------------------
ns_section ns/server/$server/redirects {
    ns_param   404 /shared/404
    ns_param   403 /shared/403
    ns_param   503 /shared/503
    ns_param   500 /shared/500
}

#---------------------------------------------------------------------
# ADP (AOLserver Dynamic Page) configuration
#---------------------------------------------------------------------
ns_section ns/server/$server/adp {
    ns_param	enabledebug	$debug
    ns_param	map		/*.adp		;# Extensions to parse as ADP's
    # ns_param	map		"/*.html"	;# Any extension can be mapped
    #
    # ns_param	cache		true		;# false, enable ADP caching
    # ns_param	cachesize	10MB		;# 5MB, size of ADP cache
    # ns_param	bufsize		5MB		;# 1MB, size of ADP buffer
    #
    # ns_param	trace		true		;# false, trace execution of adp scripts
    # ns_param	tracesize	100		;# 40, max number of entries in trace
    #
    # ns_param	stream		true		;# false, enable ADP streaming
    # ns_param	enableexpire	true		;# false, set "Expires: now" on all ADP's
    # ns_param	safeeval	true		;# false, disable inline scripts
    # ns_param	singlescript	true		;# false, collapse Tcl blocks to a single Tcl script
    # ns_param	detailerror	false		;# true,  include connection info in error backtrace
    # ns_param	stricterror	true		;# false, interrupt execution on any error
    # ns_param	displayerror	true		;# false, include error message in output
    # ns_param	trimspace	true		;# false, trim whitespace from output buffer
    # ns_param	autoabort	false		;# true,  failure to flush a buffer (e.g. closed HTTP connection) generates an ADP exception
    #
    # ns_param	errorpage	/.../errorpage.adp	;# page for returning errors
    # ns_param	startpage	/.../startpage.adp	;# file to be run for every adp request; should include "ns_adp_include [ns_adp_argv 0]"
    # ns_param	debuginit	some-proc		;# ns_adp_debuginit, proc to be executed on debug init
    #
}

ns_section ns/server/$server/adp/parsers {
    ns_param	fancy		".adp"
}

#
# Tcl Configuration
#
ns_section ns/server/$server/tcl {
    ns_param	library		${serverroot}/tcl
    ns_param	debug		$debug
    # ns_param	nsvbuckets	16       ;# default: 8
    # ns_param	nsvrwlocks      false    ;# default: true
}

ns_section ns/server/$server/fastpath {
    ns_param	serverdir	${homedir}
    ns_param	pagedir		${pageroot}
    #
    # Directory listing options
    #
    # ns_param	directoryfile     "index.adp index.tcl index.html index.htm"
    # ns_param	directoryadp      $pageroot/dirlist.adp ;# default ""
    # ns_param	directoryproc     _ns_dirlist           ;# default "_ns_dirlist"
    # ns_param	directorylisting  fancy ;# default "simple"; can be "simple",
    #                                   ;# "fancy" or "none"; parameter for _ns_dirlist
    # ns_param	hidedotfiles      true  ;# default false; parameter for _ns_dirlist
    #
}

#---------------------------------------------------------------------
# HTTP client (ns_http) configuration
#---------------------------------------------------------------------
ns_section ns/server/$server/httpclient {
    #
    # Set default keep-alive timeout for outgoing ns_http requests
    #
    #ns_param	keepalive       5s       ;# default: 0s

    #
    # Configure log file for outgoing ns_http requests
    #
    ns_param	logging		on       ;# default: off
    ns_param	logfile		${logdir}/httpclient.log
    ns_param	logrollfmt	%Y-%m-%d ;# format appended to log filename
    #ns_param	logmaxbackup	100      ;# 10, max number of backup log files
    #ns_param	logroll		true     ;# true, should server log files automatically
    #ns_param	logrollonsignal	true     ;# false, perform roll on a sighup
    #ns_param	logrollhour	0        ;# 0, specify at which hour to roll
 }

#---------------------------------------------------------------------
# OpenACS specific settings (per server)
#---------------------------------------------------------------------
#
# Define/override OpenACS kernel parameter for $server
#
ns_section ns/server/$server/acs {
    #
    # Provide optionally a different cookie namespace (used for
    # prefixing OpenACS cookies). This is important when e.g.
    # multiple servers are running on different ports of the same
    # host, but should not share cookies.
    #
    ns_param CookieNamespace $CookieNamespace
    #
    # Define a mapping between MIME types and CSP rules for static
    # files. The mapping is of the form of a Tcl dict. The mapping is
    # used e.g. in "security::csp::add_static_resource_header".
    #
    ns_param StaticCSP {
        image/svg+xml "script-src 'none'"
    }

    #
    # The following option should causes on acs-admin/server-restart
    # the usage of "ns_shutdown -restart" instead of plain
    # "ns_shutdown".  This seems to be required in current Windows
    # installations. Default is 0.
    #
    # ns_param NsShutdownWithNonZeroExitCode 1

    #
    # Should deprecated log be used? Use value of 1 on legacy
    # sites. Default is 1.
    #
    # ns_param WithDeprecatedCode 0

    #
    # Should user_ids be included in log files? Some sensitive sites
    # do not allow this. Default is 0.
    #
    # ns_param LogIncludeUserId 1
    #

    #
    # Cluster secret for intra-cluster communications. Clustering will
    # not be enabled if no value is provided.
    #
    ns_param clusterSecret $clusterSecret

    #
    # "parameterSecret" is needed for signed query and form parameters
    #
    ns_param parameterSecret             $parameterSecret
}


# Define/override OpenACS package parameters in section
# ending with /acs/PACKAGENAME
#
# Provide tailored sizes for the site node cache in acs-tcl:
#
ns_section ns/server/$server/acs/acs-tcl {
    # ns_param SiteNodesCacheSize        2000000
    # ns_param SiteNodesIdCacheSize       100000
    # ns_param SiteNodesChildenCacheSize  100000
    # ns_param SiteNodesPrefetch  {/file /changelogs /munin}
    # ns_param UserInfoCacheSize          2000000
}

#
# Set for all package instances of acs-mail-lite the
# EmailDeliveryMode. Setting this to "log" is useful for developer
# instances.
#
ns_section ns/server/$server/acs/acs-mail-lite {
    # ns_param EmailDeliveryMode log
}

#
# API browser configuration: setting IncludeCallingInfo to "true" is
# useful mostly for developer instances.
#
ns_section ns/server/$server/acs/acs-api-browser {
    # ns_param IncludeCallingInfo true
}

#---------------------------------------------------------------------
# WebDAV Support (optional, requires oacs-dav package to be installed
#---------------------------------------------------------------------
ns_section ns/server/$server/tdav {
    ns_param	propdir            ${serverroot}/data/dav/properties
    ns_param	lockdir            ${serverroot}/data/dav/locks
    ns_param	defaultlocktimeout 300
}

ns_section ns/server/$server/tdav/shares {
    ns_param	share1		"OpenACS"
    # ns_param	share2		"Share 2 description"
}

ns_section ns/server/$server/tdav/share/share1 {
    ns_param	uri		"/dav/*"
    # all WebDAV options
    ns_param	options		"OPTIONS COPY GET PUT MOVE DELETE HEAD MKCOL POST PROPFIND PROPPATCH LOCK UNLOCK"
}

#ns_section ns/server/$server/tdav/share/share2 {
# ns_param	uri "/share2/path/*"
# read-only WebDAV options
# ns_param options "OPTIONS COPY GET HEAD MKCOL POST PROPFIND PROPPATCH"
#}


#---------------------------------------------------------------------
# Access log -- nslog
#---------------------------------------------------------------------
ns_section ns/server/$server/module/nslog {
    #
    # General parameters for access.log
    #
    ns_param	file			${logdir}/access.log
    # ns_param	maxbuffer		100	;# 0, number of logfile entries to keep in memory before flushing to disk
    #
    # Control what to log
    #
    # ns_param	suppressquery	true	;# false, suppress query portion in log entry
    # ns_param	logreqtime	true	;# false, include time to service the request
    ns_param	logpartialtimes	true	;# false, include high-res start time and partial request durations (accept, queue, filter, run)
    ns_param    logthreadname   true    ;# default: false; include thread name for linking with error.log
    # ns_param	formattedtime	true	;# true, timestamps formatted or in secs (unix time)
    # ns_param	logcombined	true	;# true, Log in NSCA Combined Log Format (referer, user-agent)
    ns_param	checkforproxy	$reverseproxymode ;# false, check for proxy header (X-Forwarded-For)
    ns_param	masklogaddr     true    ;# false, mask IP address in log file for GDPR (like anonip IP anonymizer)
    ns_param	maskipv4        255.255.255.0  ;# mask for IPv4 addresses
    ns_param	maskipv6        ff:ff:ff:ff::  ;# mask for IPv6 addresses

    #
    # Add extra entries to the access log via specifying a Tcl
    # list of request header fields in "extendedheaders"
    #
    if {[ns_config "ns/server/$server/acs" LogIncludeUserId 0]} {
        ns_param   extendedheaders    "X-User-Id"
    }

    #
    #
    # Control log file rolling
    #
    # ns_param	maxbackup	100	;# 10, max number of backup log files
    # ns_param	rolllog		true	;# true, should server log files automatically
    # ns_param	rollhour	0	;# 0, specify at which hour to roll
    # ns_param	rollonsignal	true	;# false, perform roll on a sighup
    ns_param	rollfmt		%Y-%m-%d ;# format appended to log filename
}

#---------------------------------------------------------------------
#
# CGI interface -- nscgi, if you have legacy stuff. Tcl or ADP files
# inside NaviServer are vastly superior to CGIs.
#
#---------------------------------------------------------------------
# ns_section ns/server/$server/modules {
#     ns_param	nscgi ${bindir}/nscgi
# }
# ns_section ns/server/$server/module/nscgi {
#     ns_param  map	"GET  /cgi-bin ${serverroot}/cgi-bin"
#     ns_param  map	"POST /cgi-bin ${serverroot}/cgi-bin"
#     ns_param  Interps CGIinterps
#     ns_param  allowstaticresources true    ;# default: false
# }
# ns_section ns/interps/CGIinterps {
#     ns_param .pl "/usr/bin/perl"
# }

#---------------------------------------------------------------------
#
# PAM authentication
#
#---------------------------------------------------------------------
# ns_section ns/server/$server/modules {
#     ns_param	nspam ${bindir}/nspam
# }
# ns_section ns/server/$server/module/nspam {
#     ns_param	PamDomain "pam_domain"
# }

#---------------------------------------------------------------------
#
# Database drivers:
#
# Make sure the drivers are compiled and put it in $bindir.
#
#---------------------------------------------------------------------
ns_section ns/db/drivers {

    if { $database eq "oracle" } {
        ns_param	nsoracle           ${bindir}/nsoracle
    } else {
        ns_param	postgres       ${bindir}/nsdbpg
        #
        ns_logctl severity "Debug(sql)" -color blue $verboseSQL
    }

    if { $database eq "oracle" } {
        ns_section ns/db/driver/nsoracle
        ns_param	maxStringLogLength -1
        ns_param	LobBufferSize      32768
    } else {
        ns_section ns/db/driver/postgres
        # Set this parameter, when "psql" is not on your path (OpenACS specific)
        # ns_param	pgbin	"/usr/local/pg960/bin/"
    }
}

# Database Pools: This is how NaviServer "talks" to the RDBMS. You
# need three for OpenACS, named here pool1, pool2 and pool3. Most
# queries use to first pool, nested queries (i.e. in a db_foreach,
# which is actually not recommended) use pool2 and so on. Make sure to
# set the "db_*" the variables with actual values on top of this file.
#
# NaviServer can have different pools connecting to different databases
# and even different database servers.  See
#
#     http://openacs.org/doc/tutorial-second-database
#
ns_section ns/server/$server/db {
    ns_param	pools              pool1,pool2,pool3
    ns_param	defaultpool        pool1
}
ns_section ns/db/pools {
    ns_param	pool1              "Pool 1"
    ns_param	pool2              "Pool 2"
    ns_param	pool3              "Pool 3"
}

ns_section ns/db/pool/pool1 {
    # ns_param	maxidle            0     ;# time interval for shut-down of idle connections; default: 5m
    # ns_param	maxopen            0     ;# time interval for maximum time of open connections; default: 60m
    # ns_param  checkinterval      5m    ;# check pools for stale handles in this interval
    ns_param	connections        15
    ns_param    LogMinDuration     10ms  ;# when SQL logging is on, log only statements above this duration
    ns_param	logsqlerrors       $debug
    if { $database eq "oracle" } {
        ns_param	driver             nsoracle
        ns_param	datasource         $datasource
        ns_param	user               $db_name
        ns_param	password           $db_password
    } else {
        ns_param	driver             postgres
        ns_param	datasource         ${db_host}:${db_port}:dbname=${db_name}
        ns_param	user               $db_user
        ns_param	password           ""
    }
}
#
# In case, you want to activate (more intense) SQL logging at runtime,
# consider the two commands (e.g. entered over ds/shell)
#
#    ns_logctl severity "Debug(sql)" on
#    ns_db logminduration pool1  10ms
#

ns_section ns/db/pool/pool2 {
    # ns_param	maxidle            0
    # ns_param	maxopen            0
    # ns_param  checkinterval      5m    ;# check pools for stale handles in this interval
    ns_param	connections        5
    ns_param    LogMinDuration     10ms  ;# when SQL logging is on, log only statements above this duration
    ns_param	logsqlerrors       $debug
    if { $database eq "oracle" } {
        ns_param	driver             nsoracle
        ns_param	datasource         $datasource
        ns_param	user               $db_name
        ns_param	password           $db_password
    } else {
        ns_param	driver             postgres
        ns_param	datasource         ${db_host}:${db_port}:dbname=${db_name}
        ns_param	user               $db_user
        ns_param	password           ""
    }
}

ns_section ns/db/pool/pool3 {
    # ns_param	maxidle            0
    # ns_param	maxopen            0
    # ns_param  checkinterval      5m    ;# check pools for stale handles in this interval
    ns_param	connections        5
    # ns_param  LogMinDuration     0ms  ;# when SQL logging is on, log only statements above this duration
    ns_param	logsqlerrors       $debug
    if { $database eq "oracle" } {
        ns_param	driver             nsoracle
        ns_param	datasource         $datasource
        ns_param	user               $db_name
        ns_param	password           $db_password
    } else {
        ns_param	driver             postgres
        ns_param	datasource         ${db_host}:${db_port}:dbname=${db_name}
        ns_param	user               $db_user
        ns_param	password           ""
    }
}


#---------------------------------------------------------------------
# Which modules should be loaded for $server?  Missing modules break
# the server, so don't uncomment modules unless they have been
# installed.

ns_section ns/server/$server/modules {
    ns_param nslog ${bindir}/nslog
    ns_param nsdb ${bindir}/nsdb
    ns_param nsproxy ${bindir}/nsproxy

    #
    # Determine, if libthread is installed. First check for a version
    # having the "-ns" suffix. If this does not exist, check for a
    # legacy version without it.
    #
    set libthread [lindex [lsort [glob -nocomplain $homedir/lib/thread*/libthread-ns*[info sharedlibextension]]] end]
    if {$libthread eq ""} {
        set libthread [lindex [lsort [glob -nocomplain $homedir/lib/thread*/libthread*[info sharedlibextension]]] end]
    }
    if {$libthread eq ""} {
        ns_log notice "No Tcl thread library installed in $homedir/lib/"
    } else {
        ns_param	libthread $libthread
        ns_log notice "Use Tcl thread library $libthread"
    }

    # authorize-gateway package requires dqd_utils
    # ns_param	dqd_utils dqd_utils[expr {int($::tcl_version)}]

    # LDAP authentication
    # ns_param	nsldap             ${bindir}/nsldap

    # These modules aren't used in standard OpenACS installs
    # ns_param	nsperm             ${bindir}/nsperm
}

#---------------------------------------------------------------------
# Example configuration for the NaviServer Control Port (nscp)
#
# To enable:
#
# 1. Define an address and port to listen on. For security reasons
#    listening on any ipaddress other than the loopback address
#    (127.0.0.1 or ::1) is not recommended. For this script, it can be
#    activated by setting the variable "nscpport" to a valid port used
#    for listening (e.g. 9999).
#
# 2. Decide whether you wish to enable features such as password
#    echoing at login time, and command logging.
#
# 3. Add a list of authorized users and passwords. The entries
#    take the following format:
#
#    <user>:<encryptedPassword>:
#
#    You can use the ns_crypt Tcl command to generate an encrypted
#    password. The ns_crypt command uses the same algorithm as the
#    Unix crypt(3) command. You could also use passwords from the
#    /etc/passwd file.
#
#    The first two characters of the password are the salt - they can be
#    anything since the salt is used to simply introduce disorder into
#    the encoding algorithm.
#
#    ns_crypt <key> <salt>
#    ns_crypt x t2
#
#    The configuration example below adds the user "nsadmin" with a
#    password of "x".
#
# 4. Make sure the "nscp" module is loaded in the modules section.
#
ns_section "ns/server/${server}/module/nscp" {
    ns_param address 127.0.0.1
    ns_param port $nscpport
    ns_param echopassword 1
    ns_param cpcmdlogging 1
}

ns_section "ns/server/${server}/module/nscp/users" {
    ns_param user "nsadmin:t2GqvvaiIUbF2:"
}

ns_section "ns/server/${server}/modules" {
    if {$nscpport ne ""} {ns_param nscp nscp}
}

#
# nsproxy configuration
#
ns_section ns/server/$server/module/nsproxy {
    # ns_param	maxworkers         8
    # ns_param	sendtimeout        5s
    # ns_param	recvtimeout        5s
    # ns_param	waittimeout        100ms
    # ns_param	idletimeout        5m
    # ns_param	logminduration     1s
}

#
# nsstats configuration (global module)
#
# When installed under acs-subsite/www/admin/nsstats.tcl it is due to
# its /admin/ location safe from public access.
#
ns_section ns/module/nsstats {
    ns_param enabled  1
    ns_param user     ""
    ns_param password ""
    ns_param bglocks  {oacs:sched_procs}
}


#
# Sample letsencrypt configuration.
#
# To use this, it is necessary to install the NaviServer letsencrypt
# module first, uncomment the two "ns_param" lines, and provide your
# desired domain names.
#
ns_section "ns/server/${server}/modules" {
    #ns_param letsencrypt tcl
}
ns_section ns/server/${server}/module/letsencrypt {

    # Provide one or more domain names (latter for multi-domain SAN
    # certificates). These values are a default in case the domains
    # are not provided by other means (e.g. "letsencrypt.tcl").  In
    # case multiple NaviServer virtual hosts are in used, this
    # definition must be on the ${server}, which is used for
    # obtaining updates (e.g. main site) although it retrieves a
    # certificate for many subsites.

    #ns_param domains { openacs.org openacs.net fisheye.openacs.org cvs.openacs.org }
}

#
# Sample configuration for the nssmtpd module.
#
# To use this, it is necessary to install the NaviServer nssmtpd
# module first, and to provide a nonempty "smtpdport" below, and set
# the package parameter "EmailDeliveryMode" in the acs-mail-lite
# package to "nssmtpd". See: https://openacs.org/xowiki/outgoing_email
#
ns_section "ns/server/${server}/module/nssmtpd" {
    ns_param port $smtpdport
    ns_param address 127.0.0.1
    ns_param relay localhost:25
    ns_param spamd localhost
    ns_param initproc smtpd::init
    ns_param rcptproc smtpd::rcpt
    ns_param dataproc smtpd::data
    ns_param errorproc smtpd::error
    ns_param relaydomains "localhost"
    ns_param localdomains "localhost"
    #
    # Next section is for STARTTLS functionality:
    #
    #ns_param certificate "pathToYourCertificateChainFile.pem"
    #ns_param cafile ""
    #ns_param capath ""
    #ns_param ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

    ns_param logging on ;# default: off
    ns_param logfile ${logdir}/smtpsend.log
    ns_param logrollfmt %Y-%m-%d ;# format appended to log filename
    #ns_param logmaxbackup 100 ;# 10, max number of backup log files
    #ns_param logroll true ;# true, should server log files automatically
    #ns_param logrollonsignal true ;# false, perform roll on a sighup
    #ns_param logrollhour 0 ;# 0, specify at which hour to roll
}
ns_section ns/server/${server}/modules {
    if {$smtpdport ne ""} {ns_param nssmtpd nssmtpd}
}



#ns_logctl severity Debug(ns:driver) on
#ns_logctl severity Debug(request) on
#ns_logctl severity Debug(task) on
#ns_logctl severity Debug(connchan) on
ns_logctl severity debug $debug
ns_logctl severity "Debug(sql)" $verboseSQL

#
# If you want to activate core dumps, one can use the following command
#
#ns_log notice "nsd.tcl: ns_rlimit coresize [ns_rlimit coresize unlimited]"

ns_log notice "nsd.tcl: using threadsafe tcl: [info exists ::tcl_platform(threaded)]"
ns_log notice "nsd.tcl: finished reading configuration file."