Fossil

Check-in [ce4b4bae]

Overview
Comment: Added some named anchors to www/server/any/stunnel.md
SHA3-256: ce4b4bae311ac87026f7efa4ec5de9c763dda09a0b8bd3350ae9fb352c114cc3
User & Date: wyoung 2019-08-16 09:55:20
Context
2019-08-16
10:11 Moved the "Serving via althttpd" material from www/ssl.wiki to a new document, www/server/any/althttpd.md, linked from www/server.wiki. check-in: 2e19fcee user: wyoung tags: server-docs
09:55 Added some named anchors to www/server/any/stunnel.md check-in: ce4b4bae user: wyoung tags: server-docs
09:54 Moved the stunnel proxying docs from www/ssl.wiki to a new document www/server/any/stunnel.md, and pointed www/server.wiki at it. Also replaced some similar material in this branch's new www/server/windows/stunnel.md file at this generic document. Between these two changes, the generic stunnel docs now cover the reverse proxying option for the first time. (The old version used the socket activation method exclusively.) The new document also gives a more realistic configuration, showing Let's Encrypt paths and a sensible ciphersuite configuration. check-in: 53b2e866 user: wyoung tags: server-docs
Changes

Changes to www/server/any/stunnel.md.

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
..
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
that made the request.

You can run `stunnel` in one of two modes: socket activation — much like
in our [`inetd` doc](./inetd.md) — and as an HTTP reverse proxy. We’ll
cover both cases here, separately.


## Socket Activation

The following `stunnel.conf` configuration configures it to run Fossil
in socket activation mode, launching Fossil only when an HTTPS hit comes
in, then shutting it back down as soon as the transaction is complete:

```dosini
    [fossil]
................................................................................

It is important that the [`fossil http`](/help/http) command in that
configuration include the `--https` option to let Fossil know to use
“`https://`” instead of “`http://`” in generated hyperlinks.



## Reverse Proxy

You can instead have Fossil running in the background in [standalone
HTTP server mode](./none.md), bound to a high random TCP port number on
localhost via the `--localhost` and `--port` flags, then configure
`stunnel` to reverse proxy public HTTPS connections down to it via HTTP.

The configuration is the same as the above except that you drop the







|







 







|







8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
..
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
that made the request.

You can run `stunnel` in one of two modes: socket activation — much like
in our [`inetd` doc](./inetd.md) — and as an HTTP reverse proxy. We’ll
cover both cases here, separately.


## S<a name="sa"></a>ocket Activation

The following `stunnel.conf` configuration configures it to run Fossil
in socket activation mode, launching Fossil only when an HTTPS hit comes
in, then shutting it back down as soon as the transaction is complete:

```dosini
    [fossil]
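Review bot: In the new heading `## S<a name="sa"></a>ocket Activation` the anchor sits after the first letter, so the word "Socket" is split in the Markdown source, whereas the Reverse Proxy heading in this same check-in puts its anchor before the title text. The empty anchor should not change how the heading renders, but the source is harder to read and a text search for "Socket Activation" no longer matches this line. Suggest `## <a name="sa"></a>Socket Activation`.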
................................................................................

It is important that the [`fossil http`](/help/http) command in that
configuration include the `--https` option to let Fossil know to use
“`https://`” instead of “`http://`” in generated hyperlinks.



## <a name="proxy"></a>Reverse Proxy

You can instead have Fossil running in the background in [standalone
HTTP server mode](./none.md), bound to a high random TCP port number on
localhost via the `--localhost` and `--port` flags, then configure
`stunnel` to reverse proxy public HTTPS connections down to it via HTTP.

The configuration is the same as the above except that you drop the
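Review bot: The anchor name in `## <a name="proxy"></a>Reverse Proxy` is a descriptive word, while the Socket Activation heading in this same check-in gets the terse abbreviation `sa`. These names become URL fragments that other documents link to, so it is worth settling on one naming convention for both headings now, before links to them accumulate.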