# NestorWeb ## What is this? NestorWeb is a web server for MSX computers, with support for CGI scripts. As simple as that. System requirements are: * MSX computer running MSX-DOS 2 or [Nextor](https://github.com/Konamiman/Nextor). * TCP/IP UNAPI implementation with support for passive TCP connections. ## Features and limitations The good: * Static content: serves files stored in the local filesystem. * `GET` and `HEAD` verbs supported. * Sends `Last-Modified` header as part of the response and honors the `If-Modified-Since` header if present in the request (provided that the file has a valid last modification date). * Sends files as attachments (with a `Content-Disposition: attachment` header) if `?a=1` is added to the request. * Requests containing `..` are rejected for security (so that files outside of the base directory aren't accessible) * Directory listings: when a directory is requested is sends a list of the contained files . * Disabled by default, must be enabled via command line. * Sent with a `Cache-Control` header specifying a cache duration of 1 hour. * If a request for a directory doesn't end with `/` it sends a `308 Moved Permanently` response to the same location ending with `/`, this is necessary so that relative links to files within the directory render correctly in browsers. * Default document: serves the `INDEX.HTM` file if a directory is requested (only if directory listings are disabled). * Basic authentication support. * Runs CGI scripts following [the CGI 1.1 specification](https://tools.ietf.org/html/rfc3875). See the [CGI development guide](CGI.md) for details. The not-so-good: * Serves only one client at the same time. * No MIME types for static content, `Content-Type` is never sent when serving files. * Absolutely no support for text encodings. I have no idea of what will happen when requesting a file with a non-ASCII name. * Maximum HTTP request line length supported is 256 bytes, longer request lines will be rejected. * Maximum header length supported is 256 bytes, longer headers will be truncated. * Basic authentication support... but with one single set of credentials. CGI scripts can handle authentication by themselves, though. ## Usage Run `NWEB.COM` like this: NWEB [p=] [v=0|1|2] [t=] [d=0|1] [c=0|1] [a=0|1|2] ``: Static content will be served from this directory, for example a request for `/FOO/BAR.TXT` will serve file `\FOO\BAR.TXT`. ``: TCP port number where the server will be listening for requests, default is 80. `t`: Inactivity timeout in seconds, if a client connects to the server but doesn't send any request in this time the connection will be terminated. Default value is 5 seconds. `d`: Enable directory listings when 1 (disabled by default). When disabled, a request for a directory will try to serve the default document (`INDEX.HTM`) from that directory. `c`: Enable support for CGI scripts when 1 (enabled by default). When disabled, CGI scripts will be served as regular static files. `a`: Authentication mode: * 0: No authentication required (default). * 1: Authentication required for serving static content and directory listings. * 2: Authentication required for serving static content and directory listings, and also for running CGI scripts. In authentication modes 1 and 2 two environment items named `NWEB_USER` and `NWEB_PASSWORD` must exist, they specify the set of credentials that will be accepted. ## Environment items NestorWeb makes use of the following environment items: * `NWEB_TEMP`: Temporary directory to be used by NestorWeb when running CGI scripts (required to cache the request and the response). This is optional, if not present the value of the `TEMP` item will be used instead. If that one doesn't exist either, the directory where the `NWEB.COM` file is located will be used as the temporary directory. * `NWEB_USER` and `NWEB_PASSWORD`: Credentials to be used for authentication. User and password supplied within the request must match these for the request to be successful if authentication is enabled. * `NWEB_REALM`: Value of the "realm" part in the `WWW-Authenticate` header that will be sent to the client when authentication is required but no credentials were supplied in the request. This is optional, the default value is "NestorWeb". ## CGI scripts A file will be recognized as a CGI script and executed if all of the following applies: * Support for CGI scripts is enabled. * The file has `.CGI` or `.COM` extension. * The file is located in a directory named `CGI-BIN` relative to the base directory (exactly in that directory, NOT in a subdirectory). * Authentication mode is 0 or 1, or it's 2 and proper credentials are supplied within the request. CGI scripts are implemented as regular MSX-DOS executable programs that get the request via environment items and STDIN (file handle 0), and write the response to STDOUT (file handle 1). See the [CGI development guide](CGI.md) for details. After a CGI script terminates its execution NestorWeb loads itself from disk again, therefore it's recommended to run `NWEB.COM` from a fast storage device, ideally the RAM disk. The same goes with the temporary directory: it's recommended to set `NWEB_TEMP` (or `TEMP`) to the RAM disk whenever possible (if a big enough RAM disk can be created to handle the biggest request and response that is expected to be handled by CGI scripts). ## Security considerations I shouldn't need to say this but: yes, using basic authentication over plain HTTP is highly unsecure; and storing passwords in environment items isn't any more secure either. Also no, NestorWeb hasn't passed anything remotely similar to a security audit and is not "battle-tested". But come on, this is a web server for MSX computers. If you use it for something really important or to serve sensitive data, well, it's only your fault; I provide this program as-is and... well, go and read [the license](LICENSE.txt) please. ## Last but not least... ...if you like this project **[please consider donating!](http://www.konamiman.com/msx/msx-e.html#donate)** My kids need moar shoes!