Since I started using HAProxy there has been nothing stopping me from using TLS for my fossil repos apart from finding the time to do it; I suppose it’s not been that long since I migrated the bulk from GitHub, even though it has been ages since I started hosting fossil.

I just needed to update my cert to include the fossil domain, tweak my haproxy.cfg to add a new backend:

backend fossil
	mode http
	option httpchk
	# With no arguments, option httpchk sends "OPTIONS / HTTP/1.0". Fossil has
	# no OPTIONS handler and answers 501, so that is what we expect; a stricter
	# check would be "option httpchk GET /" expecting 200.
	http-check expect status 501
	server fossil 127.0.0.1:18080 check

(I am being lazy with my http checks)

and tweak the frontend section to route to this backend:

frontend https
	bind :::443 v4v6 ssl crt /usr/pkg/etc/haproxy.crt no-sslv3
	# send www.* visitors to the bare host with a permanent redirect
	http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www }
	# tell the backend the client connection was TLS. reqadd only appends and
	# was removed in HAProxy 2.1; on current versions use
	# "http-request set-header X-Forwarded-Proto https", which also
	# overwrites any copy of the header the client sent.
	reqadd X-Forwarded-Proto:\ https
	# route on the Host prefix; everything else falls through to bozohttpd
	acl fossil-acl hdr_beg(host) -i fossil
	use_backend fossil if fossil-acl
	default_backend bozohttpd

And lastly, coming up with a crappy rc.d file so I can start fossil as a server:

#!/bin/sh
#
# $NetBSD: fossil
#
# PROVIDE: fossil
# REQUIRE: NETWORKING

$_rc_subr_loaded . /etc/rc.subr

name="fossil"
rcvar=$name
# command must be fossil itself (not su), otherwise "status" and "stop"
# look for a su process that has long since exited.
command="/usr/pkg/bin/fossil"
# --localhost keeps the backend off the public interface, so only HAProxy
# on 127.0.0.1 can reach the plain-HTTP listener; --https tells fossil its
# requests arrive over TLS via the proxy.
command_args="server --port 18080 --localhost --https --repolist /home/fossil/repos &"
# rc.subr runs ${command} as this user via su(1)
fossil_user="fossil"

load_rc_config $name

run_rc_command "$1"

Previously I was using fossil in http mode via inetd.

Could do with writing that a bit better, but it does the job for now.

Oh, actually that wasn’t “lastly”. The last thing I needed to do was update all the headers of the skins for each Fossil repo to use secureurl instead of the default baseurl:

<base href="$secureurl/$current_page" />

which was a little bit tedious (just as you can have login-groups in Fossil, it would be nice to have a “skin-group” to set one skin across all repos).
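Once all of that is in place there are a few things worth checking: that fossil really is listening only on loopback (if --localhost has been lost somewhere, the plain-HTTP backend is reachable directly and the TLS on the front is decoration), that the www redirect lands on the https bare host, and that the 501 assumption behind the health check holds. The script below is an added example, not from the original post: its functions work on text, so they run here against constructed sample output (labelled as such) and can equally be fed live netstat/curl output on the NetBSD host. The hostname fossil.example.org is a placeholder; the port 18080 is the one from the rc.d script.

```shell
#!/bin/sh
# Added example, not part of the original post: post-deploy checks for the
# HAProxy -> fossil setup. Assumes fossil.example.org (placeholder) and the
# backend port 18080 used above.

# Print the local address of every LISTEN socket on port $1 that is not
# loopback. Reads netstat -an output on stdin (NetBSD "addr.port" or
# Linux "addr:port" form). Empty output means only the proxy on this
# host can reach fossil.
listeners_outside_loopback() {
    awk -v port="$1" '
        $NF == "LISTEN" && match($4, /[.:][0-9]+$/) {
            addr = substr($4, 1, RSTART - 1)
            p    = substr($4, RSTART + 1)
            if (p == port && addr != "127.0.0.1" && addr != "::1" && addr != "localhost")
                print addr
        }'
}

# Status code from the first line of a raw response (e.g. `curl -sI`).
http_status() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Location header value, minus the CR that curl leaves on each line.
http_location() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p'
}

# 0 if the response is the 301 to https://HOST (no www) that the frontend
# redirect rule should produce, 1 otherwise.
redirect_ok() {
    resp="$1" host="$2"
    [ "$(http_status "$resp")" = 301 ] || return 1
    case "$(http_location "$resp")" in
        "https://$host/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The backend check expects 501 because fossil has no OPTIONS handler; a
# 501 from "OPTIONS /" on 18080 means fossil, not something else, answered.
healthcheck_ok() { [ "$(http_status "$1")" = 501 ]; }

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT_GOOD='Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  127.0.0.1.18080        *.*                    LISTEN
tcp        0      0  *.443                  *.*                    LISTEN'
SAMPLE_NETSTAT_BAD='tcp        0      0  *.18080                *.*                    LISTEN'
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://fossil.example.org/'
SAMPLE_OPTIONS='HTTP/1.0 501 Not Implemented
Content-Type: text/html'

if [ -z "$(printf '%s\n' "$SAMPLE_NETSTAT_GOOD" | listeners_outside_loopback 18080)" ]; then
    echo "ok: 18080 only on loopback"
fi
if [ -n "$(printf '%s\n' "$SAMPLE_NETSTAT_BAD" | listeners_outside_loopback 18080)" ]; then
    echo "PROBLEM: 18080 exposed on a non-loopback address"
fi
redirect_ok "$SAMPLE_REDIRECT" fossil.example.org && echo "ok: www redirect"
healthcheck_ok "$SAMPLE_OPTIONS" && echo "ok: health check assumption"

# Live use on the host (not run here):
#   netstat -an -f inet | listeners_outside_loopback 18080
#   redirect_ok "$(curl -sI https://www.fossil.example.org/)" fossil.example.org
#   healthcheck_ok "$(curl -sI -X OPTIONS http://127.0.0.1:18080/)"
```

Running the netstat check on the public interface of the box, not just locally, is the point: the rc.d script's --localhost is the only thing keeping the unencrypted backend private, and a typo there would not be noticed from the browser side.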

Fossil is super nice for self-hosted stuff and personal projects; you really should try it if you haven’t. It would also be nice for group projects, but it’s hard to argue against the GitHub ecosystem.