Fossil SCM
Moved the section on stunnel configuration from www/server.wiki to www/ssl.wiki, adding links from one to the other. Also changed all remaining references to "SSL" in server.wiki to "TLS".
Commit
355c16a528d03e799befc20378f461053ce09724c2f2692b8a559c682a36f895
Parent
67e30333d14e093…
2 files changed: www/server.wiki (+12 -41), www/ssl.wiki (+26 -9)

www/server.wiki: +12 -41
| --- www/server.wiki | ||
| +++ www/server.wiki | ||
| @@ -23,11 +23,11 @@ | ||
| 23 | 23 | <blockquote> |
| 24 | 24 | There are basically four ways to set up a Fossil server: |
| 25 | 25 | |
| 26 | 26 | <ol> |
| 27 | 27 | <li>A stand-alone server |
| 28 | - <li>Using inetd or xinetd or stunnel | |
| 28 | + <li>Using inetd, xinetd, or stunnel | |
| 29 | 29 | <li>CGI |
| 30 | 30 | <li>SCGI (a.k.a. SimpleCGI) |
| 31 | 31 | </ol> |
| 32 | 32 | |
| 33 | 33 | Each of these can serve either a single repository, or a directory hierarchy |
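Review bot: line 28 still lists stunnel as one of the four ways to run a Fossil server, while the inetd/xinetd section this list introduces no longer covers stunnel after this commit (its heading drops the word and its body defers to ssl.wiki); either drop stunnel from this list item or make it point at where the material now lives, e.g. `<li>Using inetd, xinetd, or [./ssl.wiki#stunnel|stunnel]`.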
| @@ -72,11 +72,11 @@ | ||
| 72 | 72 | Both commands have additional command-line options that can be used to refine |
| 73 | 73 | their behavior. See the [/help/server|online documentation] for an overview. |
| 74 | 74 | </blockquote> |
| 75 | 75 | |
| 76 | 76 | |
| 77 | -<h2 id="inetd">Fossil as an inetd/xinetd or stunnel service</h2> | |
| 77 | +<h2 id="inetd">Fossil as an inetd/xinetd service</h2> | |
| 78 | 78 | |
| 79 | 79 | <blockquote> |
| 80 | 80 | |
| 81 | 81 | A Fossil server can be launched on-demand by inetd or xinetd using |
| 82 | 82 | the [/help/http|fossil http] command. To launch Fossil from inetd, modify |
| @@ -142,38 +142,20 @@ | ||
| 142 | 142 | off of the wire. |
| 143 | 143 | |
| 144 | 144 | Inetd or xinetd must be enabled, and must be (re)started whenever their configuration |
| 145 | 145 | changes - consult your system's documentation for details. |
| 146 | 146 | |
| 147 | -[https://www.stunnel.org/ | Stunnel version 5] is an inetd-like process that | |
| 148 | -accepts and decodes SSL-encrypted connections. Fossil can be run directly from | |
| 149 | -stunnel in a manner similar to inetd and xinetd. This can be used to provide | |
| 150 | -a secure link to a Fossil project. The configuration needed to get stunnel5 | |
| 151 | -to invoke Fossil is very similar to the inetd and xinetd examples shown above. | |
| 152 | -The relevant parts of an stunnel configuration might look something | |
| 153 | -like the following: | |
| 154 | - | |
| 155 | -<blockquote><pre><nowiki> | |
| 156 | -[https] | |
| 157 | -accept = www.ubercool-project.org:443 | |
| 158 | -TIMEOUTclose = 0 | |
| 159 | -exec = /usr/bin/fossil | |
| 160 | -execargs = /usr/bin/fossil http /home/fossil/ubercool.fossil --https | |
| 161 | -</nowiki></pre></blockquote> | |
| 162 | - | |
| 163 | -See the stunnel5 documentation for further details about the /etc/stunnel/stunnel.conf | |
| 164 | -configuration file. Note that the [/help/http|fossil http] command should include | |
| 165 | -the --https option to let Fossil know to use "https" instead of "http" as the scheme | |
| 166 | -on generated hyperlinks. | |
| 167 | - | |
| 168 | -Using inetd or xinetd or stunnel is a more complex setup | |
| 147 | +Using inetd or xinetd is a more complex setup | |
| 169 | 148 | than the "standalone" server, but it has the |
| 170 | 149 | advantage of only using system resources when an actual connection is |
| 171 | 150 | attempted. If no-one ever connects to that port, a Fossil server will |
| 172 | 151 | not (automatically) run. It has the disadvantage of requiring "root" access |
| 173 | 152 | and therefore may not normally be available to lower-priced "shared" servers |
| 174 | -on the internet. | |
| 153 | +on the Internet. | |
| 154 | + | |
| 155 | +The configuration for <tt>stunnel</tt> is similar, but it is covered in | |
| 156 | +[./ssl.wiki#stunnel|a separate document]. | |
| 175 | 157 | </blockquote> |
| 176 | 158 | |
| 177 | 159 | <h2 id="cgi">Fossil as CGI</h2> |
| 178 | 160 | |
| 179 | 161 | <blockquote> |
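Review bot: the new paragraph at lines 155-156 says the stunnel configuration "is similar" without saying what it is similar to; suggest "similar to the inetd and xinetd configuration above" so the sentence stands on its own. The "internet" to "Internet" change at line 153 is an unrelated cosmetic edit mixed into a hunk whose purpose is relocating content, which makes the hunk harder to review; either mention it in the commit message or split it out.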
| @@ -279,28 +261,17 @@ | ||
| 279 | 261 | <blockquote><pre> |
| 280 | 262 | fossil server $REPOSITORY --scgi --localhost --port 9000 |
| 281 | 263 | </pre></blockquote> |
| 282 | 264 | </blockquote> |
| 283 | 265 | |
| 284 | -<h2 id="tls">Securing a repository with SSL</h2> | |
| 266 | +<h2 id="tls">Securing a repository with TLS</h2> | |
| 285 | 267 | |
| 286 | 268 | <blockquote> |
| 287 | -Using either CGI or SCGI, it is trivial to use SSL to | |
| 288 | -secure the server. Simply set up the Fossil CGI scripts etc. as above, | |
| 289 | -but modify the Apache (or IIS, etc.) server to require SSL (that is, a | |
| 290 | -URL with "https://") in order to access the CGI script directory. This | |
| 291 | -may also be accomplished (on Apache, at least) using appropriate | |
| 292 | -".htaccess" rules. | |
| 293 | - | |
| 294 | -If you are using "inetd" to serve your repository, then you simply need | |
| 295 | -to add "/usr/bin/stunnel" (perhaps on a different path, depending on your | |
| 296 | -setup) before the command line to launch Fossil. | |
| 297 | - | |
| 298 | -At this stage, the standalone server (e.g. "fossil server") does not | |
| 299 | -support SSL. | |
| 300 | - | |
| 301 | -For more information, see <a href="./ssl.wiki">Using SSL with Fossil</a>. | |
| 269 | + Fossil's built-in HTTP server (e.g. "fossil server") does not support | |
| 270 | + TLS, but there are multiple ways to protect your Fossil server with | |
| 271 | + TLS. All of this is covered in a separate document, <a | |
| 272 | + href="./ssl.wiki">Using TLS-Encrypted Communications with Fossil</a>. | |
| 302 | 273 | </blockquote> |
| 303 | 274 | |
| 304 | 275 | <h2 id="loadmgmt">Managing Server Load</h2> |
| 305 | 276 | |
| 306 | 277 | <blockquote> |
| 307 | 278 |
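Review bot: the replacement at lines 269-272 drops two pieces of concrete advice from the removed text, namely requiring HTTPS for the CGI script directory in the front-end web server (Apache configuration or ".htaccess" rules) and placing stunnel in front of the inetd command line, and defers entirely to ssl.wiki; the ssl.wiki hunk in this commit only rewrites the stunnel section, so confirm that document already covers the CGI/SCGI-behind-a-TLS-web-server case before merging, otherwise that guidance is lost. Minor style point: the added lines are indented one space while the rest of the blockquote content is flush left.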
www/ssl.wiki: +26 -9
| --- www/ssl.wiki | ||
| +++ www/ssl.wiki | ||
| @@ -211,19 +211,36 @@ | ||
| 211 | 211 | it behind some kind of HTTPS proxy. |
| 212 | 212 | |
| 213 | 213 | |
| 214 | 214 | <h3 id="stunnel">stunnel Alone</h3> |
| 215 | 215 | |
| 216 | -Conceptually, the simplest option is to [https://www.stunnel.org/|set up | |
| 217 | -stunnel]. A typical configuration is to run Fossil as an HTTP server | |
| 218 | -bound to localhost only, then export access to it via HTTPS with stunnel | |
| 219 | -encrypting access to Fossil instance hiding behind it. | |
| 220 | - | |
| 221 | -The difficulty comes in configuring it, which really wants a guide that | |
| 222 | -no one has written for us yet. Until that appears, you'll have to read | |
| 223 | -the stunnel documentation and that of your TLS certificate provider to | |
| 224 | -work out how to set this up. | |
| 216 | +[https://www.stunnel.org/ | <tt>stunnel</tt>] is an | |
| 217 | +[https://en.wikipedia.org/wiki/Inetd | <tt>inetd</tt>]-like process that | |
| 218 | +accepts and decodes TLS-encrypted connections. It can directly proxy | |
| 219 | +Fossil communications, allowing secure TLS-encrypted communications to a | |
| 220 | +Fossil repository server. You simply need to install <tt>stunnel</tt> | |
| 221 | +and then place something like this in its main configuration file, | |
| 222 | +<tt>stunnel.conf</tt>: | |
| 223 | + | |
| 224 | +<nowiki><pre> | |
| 225 | + [https] | |
| 226 | + accept = www.ubercool-project.org:443 | |
| 227 | + TIMEOUTclose = 0 | |
| 228 | + exec = /usr/bin/fossil | |
| 229 | + execargs = /usr/bin/fossil http /home/fossil/ubercool.fossil --https | |
| 230 | +</pre></nowiki> | |
| 231 | + | |
| 232 | +The directory where that file goes varies between OSes, so check the man | |
| 233 | +pages on your system to find out where it should be locally. | |
| 234 | + | |
| 235 | +See the <tt>stunnel</tt> documentation for further details about this | |
| 236 | +configuration file. | |
| 237 | + | |
| 238 | +It is important that the [/help/http | <tt>fossil http</tt>] command in | |
| 239 | +that configuration include the <tt>--https</tt> option to let Fossil | |
| 240 | +know to use "<tt>https</tt>" instead of "<tt>http</tt>" as the URL | |
| 241 | +scheme on generated hyperlinks. | |
| 225 | 242 | |
| 226 | 243 | |
| 227 | 244 | <h3 id="althttpd">stunnel + althttpd</h3> |
| 228 | 245 | |
| 229 | 246 | The public SQLite and Fossil web sites can't just use stunnel + Fossil |
| 230 | 247 |
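Review bot: the sample stunnel.conf at lines 224-230 contains no `cert` (or `key`) directive, so stunnel cannot serve TLS from it as written, and the replacement text no longer mentions certificates at all even though the removed paragraph (old line 223) pointed readers at their TLS certificate provider; add a sentence stating that a certificate and private key must be configured for the `[https]` service and refer readers to the stunnel documentation for the directive names. Two presentation points in the same hunk: the block is nested as `<nowiki><pre>` whereas the block removed from server.wiki used `<pre><nowiki>`, and the configuration lines gained two spaces of leading indentation that will appear literally inside the `<pre>`; check that the rendered page looks as intended.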