Overview
Comment: Server Documentation Update. This checkin contains instructions for using Fossil as a windows service and with stunnel as an https proxy.
SHA3-256: 8b7c563d4999f99150b16be3a902ced1
User & Date: ckennedy 2019-08-15 16:16:22.643
Context
2019-08-16
01:58 Merged recent spell check fixes into this branch so we don't revert any of them. ... (check-in: a9fd086f user: wyoung tags: server-docs)
2019-08-15
16:16 Server Documentation Update. This checkin contains instructions for using Fossil as a windows service and with stunnel as an https proxy. ... (check-in: 8b7c563d user: ckennedy tags: server-docs)
2019-08-13
23:29 Additional documentation on CGI configuration options. Updates to the change log. New hyperlinks interconnecting the various documents. ... (check-in: fbc3b2f7 user: drh tags: trunk)
Changes
Added www/server/windows/index.md.
> > > > > | 1 2 3 4 5 | # Using Windows as a Fossil Server - [Fossil as a Service](service.md) - [Using stunnel with Fossil on Windows](stunnel.md) |
Added www/server/windows/service.md.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 | # Fossil as a Windows Service If you need Fossil to start automatically on Windows, it is suggested to install Fossil as a Windows Service. ## Assumptions 1. You have Administrative access to a Windows 2012r2 or above server. 2. You have PowerShell 5.1 or above installed. ## Place Fossil on Server However you obtained your copy of Fossil, it is recommended that you follow Windows conventions and place it within `\Program Files (x86)\FossilSCM`. Since Fossil is a 32bit binary, this is the proper location for the executable. This way Fossil is in an expected location and you will have minimal issues with Windows interfering in your ability to run Fossil as a service. You will need Administrative rights to place fossil at the recommended location. You do NOT need to add this location to the path, though you may do so if you wish. ## Make Fossil a Windows Service Luckily the hard work to use Fossil as a Windows Service has been done by the Fossil team. We simply have to install it with the proper command line options. As of Fossil 2.9 the built in `fossil winsrv` command is failing, so an alternative service install using PowerShell is documented here. The below should all be entered as a single line in an Administrative PowerShell console. ```PowerShell New-Service -Name fossil -DisplayName fossil -BinaryPathName '"C:\Program Files (x86)\FossilSCM\fossil.exe" server --port 8080 --repolist "D:/Path/to/Repos"' -StartupType Automatic ``` Please note the use of forward slashes in the paths passed to Fossil. Windows will accept either back slashes or forward slashes in path names, but Fossil has a preference for forward slashes. The use of `--repolist` will make this a multiple repository server. 
If you want to serve only a single repository, then leave off the `--repolist` parameter and provide the full path to the proper repository file. Other options are listed in the [fossil server](/help?cmd=server) documentation. The service will be installed by default to use the Local Service account. Since Fossil only needs access to local files, this is fine and causes no issues. The service will not be running once installed. You will need to start it to proceed (the `-StartupType Automatic` parameter to `New-Service` will result in the service auto-starting on boot). This can be done by entering ```PowerShell Start-Service -Name fossil ``` in the PowerShell console. Congratulations, you now have a base http accessible Fossil server running on Windows. |
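Review bot: In www/server/windows/service.md, the sentence "The service will be installed by default to use the Local Service account" does not match the `New-Service` command shown above it: with no `-Credential` argument, `New-Service` registers the service to run as LocalSystem, which has full control of the machine. Either correct the sentence or, better for a network-facing server, pass `-Credential` for a low-privilege account that can read and write only the repository directory. It would also help to state that this command serves plain HTTP on port 8080 on every interface, since the `--localhost` restriction appears only in stunnel.md.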
Added www/server/windows/stunnel.md.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 | # Using stunnel with Fossil on Windows While there are many ways to configure Fossil as a server using various web servers (Apache, IIS, nginx, etc.), this document will focus on setting up a minimal Fossil server using only Fossil's native [server capabilities](server.wiki#standalone) and [stunnel](https://www.stunnel.org/) to provide a TLS proxy. It is recommended for public repositories to go to the extra step of configuring stunnel to provide a proper HTTPS setup. ## Assumptions 1. You have Administrative access to a Windows 2012r2 or above server. 2. You have PowerShell 5.1 or above installed. 3. You have acquired a certificate either from a Public CA or an Internal CA. These instructions were tested with Fossil 2.10 and stunnel 5.55. Other versions may not function in a similar manner. There is a bug in Fossil 2.9 and earlier that prevents these versions of Fossil from properly constructing https URLs when used with stunnel as a proxy. Please make sure you are using Fossil 2.10 or later on Windows. 
## Configure Fossil Service for https Following most of [Fossil as a Windows Service](service.md), you will need to change the command to install the Fossil Service to configure it properly for use with stunnel as an https proxy. Run the following instead: ```PowerShell New-Service -Name fossil-secure -DisplayName fossil-secure -BinaryPathName '"C:\Program Files (x86)\FossilSCM\fossil.exe" server --localhost --port 8080 --https --repolist "D:/Path/to/Repos"' -StartupType Automatic ``` The use of `--localhost` means Fossil will only listen for traffic on the local host on the designated port - 8080 in this case - and will not respond to network traffic. Using `--https` will tell Fossil to generate HTTPS URLs rather than HTTP ones. `New-Service` does not automatically start a service on install, so you will need to enter the following to avoid rebooting the server: ```PowerShell Start-Service -Name fossil-secure ``` ## Install stunnel 5.55 Download stunnel from the [downloads](https://www.stunnel.org/downloads.html) page. Select the latest stunnel windows package (at the time of writing this is `stunnel-5.55-win64-installer.exe`). Execute the installer and make sure you install openSSL tools when you install stunnel. You will need this to convert your certificate from PFX to PEM format. Even though the installer says it is for win64, it installs stunnel by default to `\Program Files (x86)\stunnel`. ## Get your certificate ready for Stunnel Whether you use a Public Certificate Authority or Internal Certificate Authority, the next step is exporting the certificate from Windows into a format useable by Stunnel. ### Export Certificate from Windows If your certificate is installed via Windows Certificate Management, you will need to export the certificate into a usable format. You can do this either using the Windows Certificate Management Console, or PowerShell. #### Certificate Management Console Start `mmc.exe` as an Administrator. 
Select 'File>Add/Remove Snapin', select 'Certificates' from the list, and click 'Add'. Select 'Computer Account', 'Next', 'Local Computer', and then 'Finish'. In the Console Root, expand 'Certificates', then 'Personal', and select 'Certificates'. In the middle pane find and select your certificate. Right click the certificate and select 'All Tasks>Export'. You want to export as PFX the Private Key, include all certificates in the certification path, and use a password only to secure the file. Enter a path and file name to a working directory and complete the export. Continue with [Convert Certificate from PFX to PEM](#convert). #### PowerShell If you know the Friendly Name of the Certificate this is relatively easy. Since you need to export the private key as well, you must run the following from an Administrative PowerShell console. ```PowerShell $passwd = ConvertTo-SecureString -string "yourpassword" -Force -AsPlainText Get-ChildItem Cert:\LocalMachine\My | Where{$_.FriendlyName -eq "FriendlyName"} | Export-PfxCertificate -FilePath fossil-scm.pfx -Password $passwd ``` You will now have your certificate stored as a PFX file. <a name="convert"></a> ### Convert Certificate from PFX to PEM For this step you will need the openssl tools that were installed with stunnel. ```PowerShell # Add stunnel\bin directory to path for this session. $env:PATH += ";${env:ProgramFiles(x86)}\stunnel\bin" # Export Private Key openssl.exe pkcs12 -in fossil-scm.pfx -out fossil-scm.key -nocerts -nodes # Export the Certificate openssl.exe pkcs12 -in fossil-scm.pfx -out fossil-scm.pem -nokeys ``` Now move `fossil-scm.key` and `fossil-scm.pem` to your stunnel config directory (by default this should be located at `\Program Files (x86)\stunne\config`). ## stunnel Configuration Next, open up the `stunnel.conf` file located at `\Program Files (x86)\stunnel\config` and add the below section. 
```dosini ; proxy to fossil-scm service [fossil] accept = 443 connect = 8080 cert = fossil-scm.pem key = fossil-scm.key TIMEOUTclose = 0 ``` After completing the above configuration restart the stunnel service in Windows with the following: ```PowerShell Restart-Service -Name stunnel ``` ## Open up port 443 in the Windows Firewall The following instructions are for the [Windows Advanced Firewall](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). If you are using a different Firewall, please consult your Firewall documentation for how to open port 443 for inbound traffic. The following command should be entered all on one line. ```PowerShell New-NetFirewallRule -DisplayName "Allow Fossil Inbound" -Description "Allow Fossil inbound on port 443 using Stunnel as TLS Proxy." -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Program "C:\Program Files (x86)\Stunnel\bin\stunnel.exe" ``` You should now be able to access your new Fossil Server via HTTPS. |
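Review bot: In www/server/windows/stunnel.md, the "Convert Certificate from PFX to PEM" step writes the private key unencrypted (`-nodes`) and then moves it into the stunnel config directory, but nothing tells the reader to restrict the ACL on `fossil-scm.key` to the account stunnel runs as, or to delete `fossil-scm.pfx` and the working copies afterwards. Add that step, and in the PowerShell export replace the literal `"yourpassword"` with a prompt such as `Read-Host -AsSecureString` so the PFX password is not typed into the command line. The destination path in the same section is also misspelled as `\Program Files (x86)\stunne\config`.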