Purpose
A quick description of how to set up fossil using httpd on OpenBSD, including some configuration files. Nothing particularly rocket-science based. You might use it to run a set of fossil servers on a small machine.
Status
This isn't as nice as it should be; if people are interested, the best way would be to reinstall a demo version, which I'm happy to do. Feel free to contact Phil, maybe we do it on a Raspberry PI or ...
Again apologies for the quality, still, it's free. I'm also working on the toolset (currently fossil-pit) for automating a group of fossils (like chisel but for a small team). We use the prototype on this site.
Good luck
OpenBSD
See https://www.openbsd.org for the details of how to install OpenBSD. We are using OpenBSD for a few reasons:
- It's moderately secure.
- It provides diversity; our other servers and clients run other OSes.
- It's easy (IMHO) to maintain.
Just follow the install instructions, put it on the network.
Download the source for fossil and compile a static version
This needs to be installed in /var/www/bin/fossil since we are going to run everything chrooted. Building it static means no shared libraries have to be copied into the chroot for the binary to run there.
Setup scripts for each of your projects
For example /var/www/cgi-bin/EDS contains:
#!/bin/fossil
repository: /FOSSILS/EDS.fossil
errorlog: /access-logs/EDS.log
Both the /bin/fossil interpreter path and the errorlog path are resolved inside the chroot, so the log actually ends up in /var/www/access-logs.
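The wrapper above is three lines per project, so it is easy to script. The following is an added example (not from the page and not part of fossil-pit) that writes a wrapper in the same shape and then checks that every chroot-relative path in it resolves under the chroot. It assumes the layout described above: the chroot root in WWW_ROOT (default /var/www), the static fossil at WWW_ROOT/bin/fossil, repositories in WWW_ROOT/FOSSILS and logs in WWW_ROOT/access-logs. The "must contain a dash" rule mirrors the "/*-*" location in the httpd.conf further down, with EDS as the one exception.

```shell
#!/bin/sh
# Added example: create and sanity-check a per-project fossil CGI wrapper.
# WWW_ROOT is the httpd/slowcgi chroot; everything inside the wrapper is
# relative to it (assumed layout, not mandated by fossil or httpd).
set -eu

WWW_ROOT="${WWW_ROOT:-/var/www}"

# valid_project NAME: only [A-Za-z0-9_-], must contain a dash (EDS excepted),
# and must not start or end with one. Rejecting odd characters here keeps
# shell metacharacters and path separators out of cgi-bin names.
valid_project() {
    case "$1" in
        EDS) return 0 ;;
        -*|*-) return 1 ;;
        *-*) case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac; return 0 ;;
        *) return 1 ;;
    esac
}

# make_cgi NAME: write $WWW_ROOT/cgi-bin/NAME with chroot-relative paths.
# Prints the path of the wrapper it created.
make_cgi() {
    name="$1"
    valid_project "$name" || { echo "bad project name: $name" >&2; return 1; }
    mkdir -p "$WWW_ROOT/cgi-bin" "$WWW_ROOT/access-logs" "$WWW_ROOT/FOSSILS"
    script="$WWW_ROOT/cgi-bin/$name"
    if [ -e "$script" ]; then echo "already exists: $script" >&2; return 1; fi
    umask 022
    printf '#!/bin/fossil\nrepository: /FOSSILS/%s.fossil\nerrorlog: /access-logs/%s.log\n' \
        "$name" "$name" > "$script"
    chmod 755 "$script"
    # The repository itself is created separately (fossil new) and must be
    # owned so the chrooted www user can write to it; ownership is left to you.
    if [ ! -f "$WWW_ROOT/FOSSILS/$name.fossil" ]; then
        echo "note: $WWW_ROOT/FOSSILS/$name.fossil does not exist yet" >&2
    fi
    printf '%s\n' "$script"
}

# check_cgi NAME: resolve the interpreter, repository and errorlog paths in an
# existing wrapper against $WWW_ROOT and report what is missing.
# Returns the number of problems found (0 means the wrapper should work).
check_cgi() {
    script="$WWW_ROOT/cgi-bin/$1"
    problems=0
    interp="$(sed -n '1s/^#!//p' "$script")"
    repo="$(sed -n 's/^repository: *//p' "$script")"
    log="$(sed -n 's/^errorlog: *//p' "$script")"
    if [ ! -x "$WWW_ROOT$interp" ]; then
        echo "missing interpreter inside chroot: $WWW_ROOT$interp" >&2
        problems=$((problems + 1))
    fi
    if [ ! -f "$WWW_ROOT$repo" ]; then
        echo "missing repository inside chroot: $WWW_ROOT$repo" >&2
        problems=$((problems + 1))
    fi
    if [ ! -d "$(dirname "$WWW_ROOT$log")" ]; then
        echo "missing log directory inside chroot: $(dirname "$WWW_ROOT$log")" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# usage: WWW_ROOT=/var/www ./mkproject.sh happy-camper
if [ -n "${1:-}" ]; then
    make_cgi "$1"
    check_cgi "$1"
fi
```

Run it as root (or as a user who can write under /var/www) for each new project; check_cgi is also useful on its own after moving a repository or the fossil binary, since a wrapper whose paths do not resolve inside the chroot fails only at request time with little in the httpd log.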
httpd setup: /etc/httpd.conf
Note that this is not in the chrooted jail. We've gone a bit overboard on checks, but in summary:
- It's all chrooted to /var/www.
- We use https for most of the projects (whence acme).
- http://../EDS is the home page and just does a 301 redirect to https.
- Anything else on http we just drop.
- Then on https we have a set of projects along with EDS, e.g. happy-camper.
- Any https request whose path doesn't contain a "-" we just drop.
chroot "/var/www"
server "default" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location "/*.*" {		# drop anything like *.php, ...
		block drop
	}
	location "/EDS" {		# if they don't guess they get nothing
		# $HTTP_HOST and $REQUEST_URI are httpd macros expanded at request time
		block return 301 "https://$HTTP_HOST$REQUEST_URI"
	}
	location "/*" {			# if it isn't EDS* just drop it
		block drop
	}
}
server "secure" {
	listen on * tls port 443
	tls certificate "/etc/ssl/eds.power.on.net.fullchain.pem"
	tls key "/etc/ssl/private/eds.power.on.net.key"
	hsts
	# this connection max request is necessary to do
	# reasonable size checkins lest you get a 413 error.
	connection max request body 100000000
	# authenticate with htpasswd # ttt
	root "/htdocs"
	location "/" {
		request rewrite "/EDS/index"
	}
	location "/EDS*" {
		fastcgi		# socket "/run/slowcgi.sock" (the default)
		root "/cgi-bin"
	}
	# all real projects have at least one - which
	# slows the script kiddies down.
	location "/*-*" {
		fastcgi		# socket "/run/slowcgi.sock" (the default)
		root "/cgi-bin"
	}
	location "/*" {
		block drop
	}
}
types {
	include "/usr/share/misc/mime.types"
}
acme
You'll need to generate the keys and change the names to your own. See /etc/acme-client.conf:
#
# $OpenBSD: acme-client.conf,v 1.1 2019/01/08 07:14:10 florian Exp $
#
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
	api url "https://acme-staging.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
domain eds.power.on.net {
	# alternative names { secure.example.com }
	domain key "/etc/ssl/private/eds.power.on.net.key"
	domain full chain certificate "/etc/ssl/eds.power.on.net.fullchain.pem"
	sign with letsencrypt
}