** users can not be deleted.
*/
/*
** SETTING: ssh-command      width=40 sensitive
** The command used to talk to a remote machine with  the "ssh://" protocol.
*/

/*
** SETTING: ssl-acme         boolean default=off
** If true, allow web pages with a path of "/.well-known/..." to retrieve
** files stored in the ".well-known" subdirectory in the same directory as
** the repository.  This is needed by tools such as "certbot" to verify a
** certificate signing request.
*/
/*
** SETTING: ssl-ca-location  width=40 sensitive
** The full pathname to a file containing PEM encoded
** CA root certificates, or a directory of certificates
** with filenames formed from the certificate hashes as
** required by OpenSSL.
**

**
** This command is used to view or modify the TLS (Transport Layer
** Security) configuration for Fossil.  TLS (formerly SSL) is the
** encryption technology used for secure HTTPS transport.
**
** Sub-commands:
**
**   acme ON/OFF                 Activate or deactivate web access to files in
**                               the "./well-known" directory.  This must be on
**                               to support "certbot".
**
**   clear-cert                  Remove information about server certificates.
**                               This is a subset of the "scrub" command.
**
**   load-cert PEM-FILES...      Identify server certificate files. These
**                               should be in the PEM format.  There are
**                               normally two files, the certificate and the
**                               private-key.  By default, the text of both

  if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){
    zCmd = "show";
    nCmd = 4;
  }else{
    zCmd = g.argv[2];
    nCmd = strlen(zCmd);
  }
  if( strncmp("acme",zCmd,nCmd)==0 ){
    if( g.argc!=4 ) usage("acme ON/OFF");
    db_unprotect(PROTECT_CONFIG);
    if( is_truth(g.argv[3]) ){
      db_set_int("ssl-acme",1,0);
    }else if( is_false(g.argv[3]) ){
      db_unset("ssl-acme",0);
    }else{
      fossil_fatal("unknown argument: \"%s\"", g.argv[3]);
    }
    db_protect_pop();
  }else
  if( strncmp("clear-cert",zCmd,nCmd)==0 && nCmd>=4 ){
    int bForce = find_option("force","f",0)!=0;
    verify_all_options();
    if( !bForce ){
      Blob ans;
      char cReply;
      prompt_user(

         "  This setting is the name of a file that contains the PEM-format\n"
         "  certificate and private-key used by Fossil clients to authentice\n"
         "  with servers. Few servers actually require this, so this setting\n"
         "  is usually blank.\n\n"
      );
    }

    fossil_print("ssl-acme:          %s\n",
           db_get_boolean("ssl-acme",0) ? "on" : "off");
    if( verbose ){
      fossil_print("\n"
         "  This setting enables web access to files in the \".well-known\"\n"
         "  subdirectory in the same directory as the repository. Such access\n"
         "  is required to obtain a certificate from services like\n"
         "  \"Let's Encrypt\" using the tools like \"certbot\".\n\n"
      );
    }

    zValue = db_get("ssl-cert",0);
    if( zValue ){
      fossil_print("ssl-cert:          (%d-byte PEM)\n", (int)strlen(zValue));
    }else{
      fossil_print("ssl-cert:\n");
    }
    if( verbose ){

       zCmd);
  }
}

/*
** WEBPAGE: .well-known
**

** If the "ssl-acme" setting is true, then this page returns the content
** of files found in the ".well-known" subdirectory of the same directory
** that contains the repository file.  This facilitates Automated Certificate
** Management using tools like "certbot".
**
** The content is returned directly, without any interpretation, using
** a generic mimetype.
*/
void wellknown_page(void){
  char *zPath = 0;
  const char *zTail = P("name");
  Blob content;
  int i;
  char c;
  if( !db_get_boolean("ssl-acme",0) ) goto wellknown_notfound;
  if( g.zRepositoryName==0 ) goto wellknown_notfound;
  if( zTail==0 ) goto wellknown_notfound;
  zPath = mprintf("%z/.well-known/%s", file_dirname(g.zRepositoryName), zTail);
  for(i=0; (c = zTail[i])!=0; i++){
    if( fossil_isalnum(c) ) continue;
    if( c=='.' ){
      if( i==0 || zTail[i-1]=='/' || zTail[i-1]=='.' ) goto wellknown_notfound;

  int fSqlStats;          /* True if --sqltrace or --sqlstats are present */
  int fSqlPrint;          /* True if --sqlprint flag is present */
  int fCgiTrace;          /* True if --cgitrace is enabled */
  int fQuiet;             /* True if -quiet flag is present */
  int fJail;              /* True if running with a chroot jail */
  int fHttpTrace;         /* Trace outbound HTTP requests */
  int fAnyTrace;          /* Any kind of tracing */

  char *zHttpAuth;        /* HTTP Authorization user:pass information */
  int fSystemTrace;       /* Trace calls to fossil_system(), --systemtrace */
  int fSshTrace;          /* Trace the SSH setup traffic */
  int fSshClient;         /* HTTP client flags for SSH client */
  int fNoHttpCompress;    /* Do not compress HTTP traffic (for debugging) */
  char *zSshCmd;          /* SSH command string */
  const char *zHttpCmd;   /* External program to do HTTP requests */

#endif
        if( c=='/' ) continue;
        if( c=='_' ) continue;
        if( c=='-' && zRepo[j-1]!='/' ) continue;
        if( c=='.' && fossil_isalnum(zRepo[j-1]) && fossil_isalnum(zRepo[j+1])){
          continue;
        }

        if( c=='.' && strncmp(&zRepo[j-1],"/.well-known/",12)==0 && j==nBase+1){

          /* We allow .well-known as the top-level directory for ACME */
          continue;
        }
        /* If we reach this point, it means that the request URI contains
        ** an illegal character or character combination.  Provoke a
        ** "Not Found" error. */
        szFile = 1;

          Blob content;
          blob_read_from_file(&content, file_cleanup_fullpath(zRepo), ExtFILE);
          cgi_set_content_type(zMimetype);
          cgi_set_content(&content);
          cgi_reply();
          return;
        }















        zRepo[j] = '.';
      }

      /* If we reach this point, it means that the search of the PATH_INFO
      ** string is finished.  Either zRepo contains the name of the
      ** repository to be used, or else no repository could be found and
      ** some kind of error response is required.

** thus also no redirecting from http: to https: will take place.
**
** If the --localauth option is given, then automatic login is performed
** for requests coming from localhost, if the "localauth" setting is not
** enabled.
**
** Options:

**   --baseurl URL       base URL (useful with reverse proxies)
**   --chroot DIR        Use directory for chroot instead of repository path.
**   --ckout-alias N     Treat URIs of the form /doc/N/... as if they were
**                          /doc/ckout/...
**   --extroot DIR       document root for the /ext extension mechanism
**   --files GLOB        comma-separate glob patterns for static file to serve
**   --host NAME         specify hostname of the server

  zHost = find_option("host", 0, 1);
  if( zHost ) cgi_replace_parameter("HTTP_HOST",zHost);
  g.zMainMenuFile = find_option("mainmenu",0,1);
  if( g.zMainMenuFile!=0 && file_size(g.zMainMenuFile,ExtFILE)<0 ){
    fossil_fatal("Cannot read --mainmenu file %s", g.zMainMenuFile);
  }
  decode_ssl_options();


  /* We should be done with options.. */
  verify_all_options();
  if( g.httpUseSSL ){
    if( useSCGI ){
      fossil_fatal("SSL not (yet) supported for SCGI");
    }

** having to log in.  This can be disabled by turning off the "localauth"
** setting.  Automatic login for the "server" command is available if the
** --localauth option is present and the "localauth" setting is off and the
** connection is from localhost.  The "ui" command also enables --repolist
** by default.
**
** Options:

**   --baseurl URL       Use URL as the base (useful for reverse proxies)
**   --chroot DIR        Use directory for chroot instead of repository path.
**   --ckout-alias NAME  Treat URIs of the form /doc/NAME/... as if they were
**                       /doc/ckout/...
**   --create            Create a new REPOSITORY if it does not already exist
**   --extroot DIR       Document root for the /ext extension mechanism
**   --files GLOBLIST    Comma-separated list of glob patterns for static files

    flags |= HTTP_SERVER_LOCALHOST;
  }
  g.zCkoutAlias = find_option("ckout-alias",0,1);
  g.zMainMenuFile = find_option("mainmenu",0,1);
  if( g.zMainMenuFile!=0 && file_size(g.zMainMenuFile,ExtFILE)<0 ){
    fossil_fatal("Cannot read --mainmenu file %s", g.zMainMenuFile);
  }


  /* Undocumented option:  --debug-nofork
  **
  ** This sets the HTTP_SERVER_NOFORK flag, which causes only the
  ** very first incoming TCP/IP connection to be processed.  Used for
  ** debugging, since debugging across a fork() can be tricky
  */