Fossil

Check-in [d7008b3457]

Overview
Comment: A general simplification of the server-side TLS logic: Do not store server-certs in settings. Remove the ssl-config subcommands that try to do that. Change command-line options for server-TLS mode on "fossil server" and "fossil http": --cert for the cert file, --pkey for the private key, and omit --tls and --ssl. This check-in supersedes [/timeline?r=tls-server-fix|the tls-server-fix branch]. See [forum:/forumpost/de470658fdf45100|forum post de470658fdf45100].
SHA3-256: d7008b34579d2f411784cedca493b05c7be6a9723094acd2c0bb6f11bd8468bb
User & Date: drh 2022-01-17 16:56:51.467
References
2022-01-17
13:47
This branch superseded by [d7008b34579d2f41|check-in d7008b34579d2f41] and therefore closed. Was: move the checking for --https to before verify_options is called Closed-Leaf check-in: 60d1581ff0 user: rdb tags: tls-server-fix
Context
2022-01-17
18:10
Fix the "fossil sync" command so that it works with options -u and --all at the same time. check-in: 95014ae996 user: drh tags: trunk
16:56
A general simplification of the server-side TLS logic: Do not store server-certs in settings. Remove the ssl-config subcommands that try to do that. Change command-line options for server-TLS mode on "fossil server" and "fossil http": --cert for the cert file, --pkey for the private key, and omit --tls and --ssl. This check-in supersedes [/timeline?r=tls-server-fix|the tls-server-fix branch]. See [forum:/forumpost/de470658fdf45100|forum post de470658fdf45100]. check-in: d7008b3457 user: drh tags: trunk
2022-01-16
18:42
The output of "fossil configuration --help" had two different ways -R was described, one wrong. The newer one was of a more consistent format with the rest of the help ([decd537016 | thus why it was added]) so removed the older one and reworked the newer one to be more accurate. check-in: 6cb0fc2591 user: wyoung tags: trunk
Changes
Changes to src/db.c.
Before (lines 4290-4332):
** If set, this will override the OS default list of
** OpenSSL CAs. If unset, the default list will be used.
** Some platforms may add additional certificates.
** Checking your platform behaviour is required if the
** exact contents of the CA root is critical for your
** application.
*/
/*
** SETTING: ssl-cert          width=40 block-text sensitive
** The text of SSL server certificate and private key used by commands
** like "fossil server".  The text should be in the PEM format.  Use
** the "fossil ssl-config load-certs" command to change this setting.
*/
/*
** SETTING: ssl-cert-file     width=40 sensitive
** The name of a file that contains the SSL server certificate, or
** optionally the concatenation of the certificate and private key,
** for use by Fossil when it is acting as a server.  If this file
** contains only the certificate, then the ssl-key-file setting must
** contain the name of a file containing the private key.
*/
/*
** SETTING: ssl-identity     width=40 sensitive
** The full pathname to a file containing a certificate
** and private key in PEM format. Create by concatenating
** the certificate and private key files.
**
** This identity will be presented to SSL servers to
** authenticate this client, in addition to the normal
** password authentication.
*/
/*
** SETTING: ssl-key-file     width=40 sensitive
** The name of a file that contains the SSL server certificate private
** key.  Used in combination with "ssl-cert-file".
*/
#ifdef FOSSIL_ENABLE_TCL
/*
** SETTING: tcl              boolean default=off sensitive
** If enabled Tcl integration commands will be added to the TH1
** interpreter, allowing arbitrary Tcl expressions and
** scripts to be evaluated from TH1.  Additionally, the Tcl
** interpreter will be able to evaluate arbitrary TH1
After (lines 4290-4313):
** If set, this will override the OS default list of
** OpenSSL CAs. If unset, the default list will be used.
** Some platforms may add additional certificates.
** Checking your platform behaviour is required if the
** exact contents of the CA root is critical for your
** application.
*/














/*
** SETTING: ssl-identity     width=40 sensitive
** The full pathname to a file containing a certificate
** and private key in PEM format. Create by concatenating
** the certificate and private key files.
**
** This identity will be presented to SSL servers to
** authenticate this client, in addition to the normal
** password authentication.
*/





#ifdef FOSSIL_ENABLE_TCL
/*
** SETTING: tcl              boolean default=off sensitive
** If enabled Tcl integration commands will be added to the TH1
** interpreter, allowing arbitrary Tcl expressions and
** scripts to be evaluated from TH1.  Additionally, the Tcl
** interpreter will be able to evaluate arbitrary TH1
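Review bot: dropping the ssl-cert, ssl-cert-file and ssl-key-file SETTING blocks removes the definitions but not the values that repositories created before this change may already hold under those names, and the "ssl-cert" value is a PEM private key sitting in the config table. Nothing in this file says how that leftover is cleaned up; either state in the check-in comment that "fossil ssl-config scrub" is the removal path, or leave a short comment here that the names are retired and where they are purged.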
Changes to src/http_ssl.c.
Before (lines 695-745):
**
** If zKeyFile and zCertFile are not NULL, then they are the names
** of disk files that hold the certificate and private-key for the
** server.  If zCertFile is not NULL but zKeyFile is NULL, then
** zCertFile is assumed to be a concatenation of the certificate and
** the private-key in the PEM format.
**
** If zCertFile is NULL, then "ssl-cert" setting is consulted
** to get the certificate and private-key (concatenated together, in
** the PEM format).  If there is no ssl-cert setting, then
** a built-in self-signed cert is used.


*/
void ssl_init_server(const char *zCertFile, const char *zKeyFile){
  if( sslIsInit==0 ){
    const char *zTlsCert;
    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();
    sslCtx = SSL_CTX_new(SSLv23_server_method());
    if( sslCtx==0 ){
      ERR_print_errors_fp(stderr);
      fossil_fatal("Error initializing the SSL server");
    }
    if( zCertFile && zCertFile[0] ){






      if( SSL_CTX_use_certificate_chain_file(sslCtx,zCertFile)!=1 ){
        ERR_print_errors_fp(stderr);
        fossil_fatal("Error loading CERT file \"%s\"", zCertFile);
      }
      if( zKeyFile==0 ) zKeyFile = zCertFile;
      if( SSL_CTX_use_PrivateKey_file(sslCtx, zKeyFile, SSL_FILETYPE_PEM)<=0 ){
        ERR_print_errors_fp(stderr);




        fossil_fatal("Error loading PRIVATE KEY from file \"%s\"", zKeyFile);
      }
    }else
    if( (zTlsCert = db_get("ssl-cert",0))!=0 ){
      if( sslctx_use_cert_from_mem(sslCtx, zTlsCert, -1)
       || sslctx_use_pkey_from_mem(sslCtx, zTlsCert, -1)
      ){
        fossil_fatal("Error loading the CERT from the"
                     " 'ssl-cert' setting");

      }
    }else if( sslctx_use_cert_from_mem(sslCtx, sslSelfCert, -1)
           || sslctx_use_pkey_from_mem(sslCtx, sslSelfPKey, -1) ){
      fossil_fatal("Error loading self-signed CERT");

    }
    if( !SSL_CTX_check_private_key(sslCtx) ){
      fossil_fatal("PRIVATE KEY \"%s\" does not match CERT \"%s\"",
           zKeyFile, zCertFile);
    }
    SSL_CTX_set_mode(sslCtx, SSL_MODE_AUTO_RETRY);
    sslIsInit = 2;
After (lines 695-746):
**
** If zKeyFile and zCertFile are not NULL, then they are the names
** of disk files that hold the certificate and private-key for the
** server.  If zCertFile is not NULL but zKeyFile is NULL, then
** zCertFile is assumed to be a concatenation of the certificate and
** the private-key in the PEM format.
**



** If zCertFile is "unsafe-builtin", then a built-in self-signed cert
** is used.  This built-in cert is insecure and should only be used for
** testing and debugging.
*/
void ssl_init_server(const char *zCertFile, const char *zKeyFile){
  if( sslIsInit==0 && zCertFile ){

    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();
    sslCtx = SSL_CTX_new(SSLv23_server_method());
    if( sslCtx==0 ){
      ERR_print_errors_fp(stderr);
      fossil_fatal("Error initializing the SSL server");
    }
    if( fossil_strcmp(zCertFile,"unsafe-builtin")==0 ){
      if( sslctx_use_cert_from_mem(sslCtx, sslSelfCert, -1)
       || sslctx_use_pkey_from_mem(sslCtx, sslSelfPKey, -1)
      ){
        fossil_fatal("Error loading self-signed CERT and KEY");
      }
    }else{
      if( SSL_CTX_use_certificate_chain_file(sslCtx,zCertFile)!=1 ){
        ERR_print_errors_fp(stderr);
        fossil_fatal("Error loading CERT file \"%s\"", zCertFile);
      }
      if( zKeyFile==0 ) zKeyFile = zCertFile;
      if( SSL_CTX_use_PrivateKey_file(sslCtx, zKeyFile, SSL_FILETYPE_PEM)<=0 ){
        ERR_print_errors_fp(stderr);
        if( strcmp(zKeyFile,zCertFile)==0 ){
          fossil_fatal("The private key is not found in \"%s\". "
            "Either append the private key to the certification in that "
            "file or use a separate --pkey option to specify the private key.",
            zKeyFile);

        }else{




          fossil_fatal("Error loading the private key from file \"%s\"",

             zKeyFile);
        }



      }
    }
    if( !SSL_CTX_check_private_key(sslCtx) ){
      fossil_fatal("PRIVATE KEY \"%s\" does not match CERT \"%s\"",
           zKeyFile, zCertFile);
    }
    SSL_CTX_set_mode(sslCtx, SSL_MODE_AUTO_RETRY);
    sslIsInit = 2;
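Review bot: the new guard `if( sslIsInit==0 && zCertFile )` makes a NULL zCertFile a silent no-op, but the header comment above it still describes only the non-NULL cases; add a sentence that NULL means "do not set up server TLS", so a caller cannot assume that setting g.httpUseSSL alone yields a working listener. In the "unsafe-builtin" branch zKeyFile stays NULL while the later mismatch message formats it with %s; adding `zKeyFile = zCertFile;` in that branch keeps the message well-defined.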
Before (lines 864-888):
**
** This command is used to view or modify the TLS (Transport Layer
** Security) configuration for Fossil.  TLS (formerly SSL) is the
** encryption technology used for secure HTTPS transport.
**
** Sub-commands:
**
**   clear-cert                  Remove information about server certificates.
**                               This is a subset of the "scrub" command.
**
**   load-cert PEM-FILES...      Identify server certificate files. These
**                               should be in the PEM format.  There are
**                               normally two files, the certificate and the
**                               private-key.  By default, the text of both
**                               files is concatenated and added to the
**                               "ssl-cert" setting.  Use --filename to store
**                               just the filenames.
**
**   remove-exception DOMAINS    Remove TLS cert exceptions for the domains
**                               listed.  Or remove them all if the --all
**                               option is specified.
**
**   scrub ?--force?             Remove all SSL configuration data from the
**                               repository. Use --force to omit the
**                               confirmation.
After (lines 865-878):
**
** This command is used to view or modify the TLS (Transport Layer
** Security) configuration for Fossil.  TLS (formerly SSL) is the
** encryption technology used for secure HTTPS transport.
**
** Sub-commands:
**











**   remove-exception DOMAINS    Remove TLS cert exceptions for the domains
**                               listed.  Or remove them all if the --all
**                               option is specified.
**
**   scrub ?--force?             Remove all SSL configuration data from the
**                               repository. Use --force to omit the
**                               confirmation.
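Review bot: with clear-cert and load-cert gone from the Sub-commands list, this help text no longer says how a server certificate is supplied at all; add one line pointing at the --cert and --pkey options of "fossil server" and "fossil http" so the ssl-config help stays self-contained.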
Before (lines 899-1004):
  if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){
    zCmd = "show";
    nCmd = 4;
  }else{
    zCmd = g.argv[2];
    nCmd = strlen(zCmd);
  }
  if( strncmp("clear-cert",zCmd,nCmd)==0 && nCmd>=4 ){
    int bForce = find_option("force","f",0)!=0;
    verify_all_options();
    if( !bForce ){
      Blob ans;
      char cReply;
      prompt_user(
        "Confirm removing of the SSL server certificate from this repository.\n"
        "The removal cannot be undone.  Continue (y/N)? ", &ans);
      cReply = blob_str(&ans)[0];
      if( cReply!='y' && cReply!='Y' ){
        fossil_exit(1);
      }
    }
    db_unprotect(PROTECT_ALL);
    db_multi_exec(
      "PRAGMA secure_delete=ON;"
      "DELETE FROM config "
      " WHERE name IN ('ssl-cert','ssl-cert-file','ssl-cert-key');"
    );
    db_protect_pop();
  }else
  if( strncmp("load-cert",zCmd,nCmd)==0 && nCmd>=4 ){
    int bFN = find_option("filename",0,0)!=0;
    int i;
    Blob allText = BLOB_INITIALIZER;
    int haveCert = 0;
    int haveKey = 0;
    verify_all_options();
    db_begin_transaction();
    db_unprotect(PROTECT_ALL);
    db_multi_exec(
      "PRAGMA secure_delete=ON;"
      "DELETE FROM config "
      " WHERE name IN ('ssl-cert','ssl-cert-file','ssl-cert-key');"
    );
    nHit = 0;
    for(i=3; i<g.argc; i++){
      Blob x;
      int isCert;
      int isKey;
      if( !file_isfile(g.argv[i], ExtFILE) ){
        fossil_fatal("no such file: \"%s\"", g.argv[i]);
      }
      blob_read_from_file(&x, g.argv[i], ExtFILE);
      isCert = strstr(blob_str(&x),"-----BEGIN CERTIFICATE-----")!=0;
      isKey = strstr(blob_str(&x),"-----BEGIN PRIVATE KEY-----")!=0;
      if( !isCert && !isKey ){
        fossil_fatal("not a certificate or a private key: \"%s\"", g.argv[i]);
      }
      if( isCert ){
        if( haveCert ){
          fossil_fatal("more than one certificate provided");
        }
        haveCert = 1;
        if( bFN ){
          db_set("ssl-cert-file", file_canonical_name_dup(g.argv[i]), 0);
        }else{
          blob_append(&allText, blob_buffer(&x), blob_size(&x));
        }
        if( isKey && !haveKey ){
          haveKey = 1;
          isKey = 0;
        }
      }
      if( isKey ){
        if( haveKey ){
          fossil_fatal("more than one private key provided");
        }
        haveKey = 1;
        if( bFN ){
          db_set("ssl-key-file", file_canonical_name_dup(g.argv[i]), 0);
        }else{
          blob_append(&allText, blob_buffer(&x), blob_size(&x));
        }
      }
    }
    if( !haveCert ){
      if( !haveKey ){
        fossil_fatal("missing certificate and private-key");
      }else{
        fossil_fatal("missing certificate");
      }
    }else if( !haveKey ){
      fossil_fatal("missing private-key");
    }
    if( !bFN ){
      db_set("ssl-cert", blob_str(&allText), 0);
    }
    db_protect_pop();
    db_commit_transaction();
  }else
  if( strncmp("scrub",zCmd,nCmd)==0 && nCmd>4 ){
    int bForce = find_option("force","f",0)!=0;
    verify_all_options();
    if( !bForce ){
      Blob ans;
      char cReply;
      prompt_user(
After (lines 889-902):
  if( g.argc==2 || (g.argc>=3 && g.argv[2][0]=='-') ){
    zCmd = "show";
    nCmd = 4;
  }else{
    zCmd = g.argv[2];
    nCmd = strlen(zCmd);
  }




























































































  if( strncmp("scrub",zCmd,nCmd)==0 && nCmd>4 ){
    int bForce = find_option("force","f",0)!=0;
    verify_all_options();
    if( !bForce ){
      Blob ans;
      char cReply;
      prompt_user(
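Review bot: the removed load-cert block contained the `nHit = 0;` assignment; check that nHit is still used by the remaining sub-commands, otherwise its declaration earlier in the function becomes dead and will be flagged as unused. The surviving scrub sub-command keeps its generic confirmation prompt; since repositories created before this change can still carry a private key in the "ssl-cert" row, the prompt (or the "show" output) is the natural place to say whether scrub removes it.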
Before (lines 1082-1122):
         "  priority over built-in paths and environment variables\n\n"
      );
    }

    fossil_print("ssl-identity:      %s\n", db_get("ssl-identity",""));
    if( verbose ){
      fossil_print("\n"
         "  This setting is the name of a file that contains the PEM-format\n"
         "  certificate and private-key used by Fossil clients to authenticate\n"
         "  with servers. Few servers actually require this, so this setting\n"
         "  is usually blank.\n\n"
      );
    }

    zValue = db_get("ssl-cert",0);
    if( zValue ){
      fossil_print("ssl-cert:          (%d-byte PEM)\n", (int)strlen(zValue));
    }else{
      fossil_print("ssl-cert:\n");
    }
    if( verbose ){
      fossil_print("\n"
         "  This setting is the PEM-formatted value of the SSL server\n"
         "  certificate and private-key, used by Fossil when it is acting\n"
         "  as a server via the \"fossil server\" command or similar.\n\n"
      );
    }
    
    fossil_print("ssl-cert-file:     %s\n", db_get("ssl-cert-file",""));
    fossil_print("ssl-key-file:      %s\n", db_get("ssl-key-file",""));
    if( verbose ){
      fossil_print("\n"
         "  This settings are the names of files that contain the certificate\n"
         "  private-key used by Fossil when it is acting as a server.\n\n"
      );
    }

    db_prepare(&q,
       "SELECT name, '' FROM global_config"
       " WHERE name GLOB 'cert:*'"
       "UNION ALL "
After (lines 980-997):
         "  priority over built-in paths and environment variables\n\n"
      );
    }

    fossil_print("ssl-identity:      %s\n", db_get("ssl-identity",""));
    if( verbose ){
      fossil_print("\n"
        "  This setting is the name of a file that contains the PEM-format\n"
        "  certificate and private-key used by Fossil clients to authenticate\n"
        "  with servers. Few servers actually require this, so this setting\n"
        "  is usually blank.\n\n"























      );
    }

    db_prepare(&q,
       "SELECT name, '' FROM global_config"
       " WHERE name GLOB 'cert:*'"
       "UNION ALL "
Before (lines 1177-1191):
    db_exec_sql(blob_str(&sql));
    db_protect_pop();
    db_commit_transaction();
    blob_reset(&sql);
  }else
  /*default*/{
    fossil_fatal("unknown sub-command \"%s\".\nshould be one of:"
                 " clear-cert load-cert remove-exception scrub show",
       zCmd);
  }
}

/*
** WEBPAGE: .well-known
**
After (lines 1052-1066):
    db_exec_sql(blob_str(&sql));
    db_protect_pop();
    db_commit_transaction();
    blob_reset(&sql);
  }else
  /*default*/{
    fossil_fatal("unknown sub-command \"%s\".\nshould be one of:"
                 " remove-exception scrub show",
       zCmd);
  }
}

/*
** WEBPAGE: .well-known
**
Changes to src/main.c.
Before (lines 2595-2616):
/*
** Check for options to "fossil server" or "fossil ui" that imply that
** SSL should be used, and initialize the SSL decoder.
*/
static void decode_ssl_options(void){
#if FOSSIL_ENABLE_SSL
  const char *zCertFile = 0;

  zCertFile = find_option("tls-cert-file",0,1);

  if( zCertFile ){
    g.httpUseSSL = 1;
    ssl_init_server(zCertFile, zCertFile);
  }
  if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){
    g.httpUseSSL = 1;
    ssl_init_server(0,0);
  }
#endif
}

/*
** COMMAND: http*
**
After (lines 2595-2616):
/*
** Check for options to "fossil server" or "fossil ui" that imply that
** SSL should be used, and initialize the SSL decoder.
*/
static void decode_ssl_options(void){
#if FOSSIL_ENABLE_SSL
  const char *zCertFile = 0;
  const char *zKeyFile = 0;
  zCertFile = find_option("cert",0,1);
  zKeyFile = find_option("pkey",0,1);
  if( zCertFile ){
    g.httpUseSSL = 1;
    ssl_init_server(zCertFile, zKeyFile);

  }else if( zKeyFile ){

    fossil_fatal("--pkey without a corresponding --cert");
  }
#endif
}

/*
** COMMAND: http*
**
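Review bot: when FOSSIL_ENABLE_SSL is off the body of decode_ssl_options() compiles to nothing, so --cert and --pkey are never consumed, and whether the server then refuses to start or serves plaintext depends on a later verify_all_options() check that is not in this hunk. An #else branch that consumes both options and calls fossil_fatal("this build has no TLS support") makes the refusal explicit. The comment above still names only "fossil server" and "fossil ui" although the check-in adds the options to "fossil http" as well.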
Before (lines 2642-2655):
** If the --localauth option is given, then automatic login is performed
** for requests coming from localhost, if the "localauth" setting is not
** enabled.
**
** Options:
**   --acme              Deliver files from the ".well-known" subdirectory
**   --baseurl URL       base URL (useful with reverse proxies)


**   --chroot DIR        Use directory for chroot instead of repository path.
**   --ckout-alias N     Treat URIs of the form /doc/N/... as if they were
**                          /doc/ckout/...
**   --extroot DIR       document root for the /ext extension mechanism
**   --files GLOB        comma-separate glob patterns for static file to serve
**   --host NAME         specify hostname of the server
**   --https             signal a request coming in via https
After (lines 2642-2657):
** If the --localauth option is given, then automatic login is performed
** for requests coming from localhost, if the "localauth" setting is not
** enabled.
**
** Options:
**   --acme              Deliver files from the ".well-known" subdirectory
**   --baseurl URL       base URL (useful with reverse proxies)
**   --cert FILE         Use TLS (HTTPS) encryption with the certificate (the
**                       fullchain.pem) taken from FILE.
**   --chroot DIR        Use directory for chroot instead of repository path.
**   --ckout-alias N     Treat URIs of the form /doc/N/... as if they were
**                          /doc/ckout/...
**   --extroot DIR       document root for the /ext extension mechanism
**   --files GLOB        comma-separate glob patterns for static file to serve
**   --host NAME         specify hostname of the server
**   --https             signal a request coming in via https
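Review bot: the --cert help says the file is "the fullchain.pem" but not that it may also carry the private key (ssl_init_server reads the key from the cert file when --pkey is absent) nor that the literal value "unsafe-builtin" selects the built-in test certificate; both are user-visible behaviour of this check-in and belong in the help text, with the latter marked as testing-only.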
Before (lines 2674-2694):
**   --nocompress        do not compress HTTP replies
**   --nodelay           omit backoffice processing if it would delay
**                       process exit
**   --nojail            drop root privilege but do not enter the chroot jail
**   --nossl             signal that no SSL connections are available
**   --notfound URL      use URL as "HTTP 404, object not found" page.
**   --out FILE          write results to FILE instead of to standard output

**   --repolist          If REPOSITORY is directory, URL "/" lists all repos
**   --scgi              Interpret input as SCGI rather than HTTP
**   --skin LABEL        Use override skin LABEL
**   --ssl               Use TLS (HTTPS) encryption.  Alias for --tls
**   --th-trace          trace TH1 execution (for debugging purposes)
**   --tls               Use TLS (HTTPS) encryption.
**   --tls-cert-file FN  Read the TLS certificate and private key from FN
**   --usepidkey         Use saved encryption key from parent process. This is
**                       only necessary when using SEE on Windows.
**
** See also: [[cgi]], [[server]], [[winsrv]]
*/
void cmd_http(void){
  const char *zIpAddr = 0;
After (lines 2676-2694):
**   --nocompress        do not compress HTTP replies
**   --nodelay           omit backoffice processing if it would delay
**                       process exit
**   --nojail            drop root privilege but do not enter the chroot jail
**   --nossl             signal that no SSL connections are available
**   --notfound URL      use URL as "HTTP 404, object not found" page.
**   --out FILE          write results to FILE instead of to standard output
**   --pkey FILE         Read the private key used for TLS from FILE.
**   --repolist          If REPOSITORY is directory, URL "/" lists all repos
**   --scgi              Interpret input as SCGI rather than HTTP
**   --skin LABEL        Use override skin LABEL

**   --th-trace          trace TH1 execution (for debugging purposes)


**   --usepidkey         Use saved encryption key from parent process. This is
**                       only necessary when using SEE on Windows.
**
** See also: [[cgi]], [[server]], [[winsrv]]
*/
void cmd_http(void){
  const char *zIpAddr = 0;
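Review bot: the --pkey line should say that it is only needed when the key is not appended to the --cert file and that --pkey without --cert is rejected; decode_ssl_options() enforces the second rule with a fossil_fatal, so the help should state it rather than let the user discover it at startup.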
Before (lines 2974-2987):
** --localauth option is present and the "localauth" setting is off and the
** connection is from localhost.  The "ui" command also enables --repolist
** by default.
**
** Options:
**   --acme              Deliver files from the ".well-known" subdirectory.
**   --baseurl URL       Use URL as the base (useful for reverse proxies)


**   --chroot DIR        Use directory for chroot instead of repository path.
**   --ckout-alias NAME  Treat URIs of the form /doc/NAME/... as if they were
**                       /doc/ckout/...
**   --create            Create a new REPOSITORY if it does not already exist
**   --extroot DIR       Document root for the /ext extension mechanism
**   --files GLOBLIST    Comma-separated list of glob patterns for static files
**   --fossilcmd PATH    Full pathname of the "fossil" executable on the remote
After (lines 2974-2989):
** --localauth option is present and the "localauth" setting is off and the
** connection is from localhost.  The "ui" command also enables --repolist
** by default.
**
** Options:
**   --acme              Deliver files from the ".well-known" subdirectory.
**   --baseurl URL       Use URL as the base (useful for reverse proxies)
**   --cert FILE         Use TLS (HTTPS) encryption with the certificate (the
**                       fullchain.pem) taken from FILE.
**   --chroot DIR        Use directory for chroot instead of repository path.
**   --ckout-alias NAME  Treat URIs of the form /doc/NAME/... as if they were
**                       /doc/ckout/...
**   --create            Create a new REPOSITORY if it does not already exist
**   --extroot DIR       Document root for the /ext extension mechanism
**   --files GLOBLIST    Comma-separated list of glob patterns for static files
**   --fossilcmd PATH    Full pathname of the "fossil" executable on the remote
Before (lines 3006-3031):
**                       of the given file.
**   --max-latency N     Do not let any single HTTP request run for more than N
**                       seconds (only works on unix)
**   --nobrowser         Do not automatically launch a web-browser for the
**                       "fossil ui" command.
**   --nocompress        Do not compress HTTP replies
**   --nojail            Drop root privileges but do not enter the chroot jail
**   --nossl             signal that no SSL connections are available (Always

**                       set by default for the "ui" command)
**   --notfound URL      Redirect
**   --page PAGE         Start "ui" on PAGE.  ex: --page "timeline?y=ci"

**   -P|--port TCPPORT   listen to request on port TCPPORT
**   --repolist          If REPOSITORY is dir, URL "/" lists repos.
**   --scgi              Accept SCGI rather than HTTP
**   --skin LABEL        Use override skin LABEL
**   --ssl               Use TLS (HTTPS) encryption.  Alias for --tls
**   --th-trace          trace TH1 execution (for debugging purposes)
**   --tls               Use TLS (HTTPS) encryption.
**   --tls-cert-file FN  Read the TLS certificate and private key from FN
**   --usepidkey         Use saved encryption key from parent process.  This is
**                       only necessary when using SEE on Windows.
**
** See also: [[cgi]], [[http]], [[winsrv]]
*/
void cmd_webserver(void){
  int iPort, mxPort;        /* Range of TCP ports allowed */
After (lines 3008-3032):
**                       of the given file.
**   --max-latency N     Do not let any single HTTP request run for more than N
**                       seconds (only works on unix)
**   --nobrowser         Do not automatically launch a web-browser for the
**                       "fossil ui" command.
**   --nocompress        Do not compress HTTP replies
**   --nojail            Drop root privileges but do not enter the chroot jail
**   --nossl             do not force redirects to SSL even if the repository
**                       setting "redirect-to-https" requests it.  This is set
**                       by default for the "ui" command.
**   --notfound URL      Redirect to URL if a page is not found.
**   --page PAGE         Start "ui" on PAGE.  ex: --page "timeline?y=ci"
**   --pkey FILE         Read the private key used for TLS from FILE.
**   -P|--port TCPPORT   listen to request on port TCPPORT
**   --repolist          If REPOSITORY is dir, URL "/" lists repos.
**   --scgi              Accept SCGI rather than HTTP
**   --skin LABEL        Use override skin LABEL

**   --th-trace          trace TH1 execution (for debugging purposes)


**   --usepidkey         Use saved encryption key from parent process.  This is
**                       only necessary when using SEE on Windows.
**
** See also: [[cgi]], [[http]], [[winsrv]]
*/
void cmd_webserver(void){
  int iPort, mxPort;        /* Range of TCP ports allowed */
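Review bot: the --nossl description here changes to "do not force redirects to SSL even if the repository setting "redirect-to-https" requests it", while the same option in the "http" help above still reads "signal that no SSL connections are available"; pick one wording (the new one describes the actual effect) and use it in both places.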