cFos Personal Net documentation, Miscellaneous features

Miscellaneous features

cFos PNet can call a maintenance script once per day. Configure the script name with the key daily_maintenance=<script url> and the time at which it runs with maintenance_time=hh:mm:ss, both in the section [param] of the GLOBAL.INI file. <script url> is the location of the script, beginning with / for the public directory.

cFos PNet uses the Windows HTTP Server API. This allows several applications to listen on the default HTTP port 80. The HTTP Server API shares this port among all applications that use it.

To decide which application gets an HTTP request, the HTTP Server API needs a URL match rule for each application. This rule is configured with the key host_name= in the section [param] of the GLOBAL.INI file. The default is +, i.e. match all URLs. See http://msdn.microsoft.com/en-us/library/aa364698(v=vs.85).aspx for how to limit URL matching to coexist with other applications. Unfortunately, Skype currently uses port 80 exclusively. For cFos PNet to work on port 80, you need to disable the use of ports 80 and 443 in Skype's advanced connection settings.

cFos PNet / the HTTP Server API also supports SSL. To use SSL you need to register an SSL certificate. This certificate should be registered with one of the SSL certificate agencies. Otherwise the user's web browser cannot verify that the server's identity is not forged.

Here are the steps to create and register your (unsigned, i.e. self-signed) certificate with the standard Windows methods:
1. Run makecert -r -sr LocalMachine -ss MY -a sha1 -n "CN=spaceship.dyndns.org" -sky exchange -pe -eku 1.3.6.1.5.5.7.3.1
2. To get the certificate's thumbprint:
> mmc
> file -> add/remove snap-in -> certificates -> computer account -> local computer, then: "view personal certificates" and view the thumbprint under certificate data. Use the thumbprint without spaces as certhash for the following netsh command (use httpcfg instead of netsh on systems before Vista):
3. netsh http add sslcert ipport=0.0.0.0:443 certhash=46aab740254a12c9146142067f5cf69e583154ad appid={a227f2f9-d103-4e0f-92a4-7086c8ab35ac}

To use an existing SSL certificate, you need to make sure it is in a Windows-compatible format. For example, a certificate from a Unix system may be a .PEM file. Download OpenSSL and use the following commands to convert it:

copy ca1.cer+ca2.cer+mycert.cer all.cer
openssl pkcs12 -export -out mycert.pfx -inkey cfos-private.key.pem -in all.cer

where mycert.cer is your certificate, cfos-private.key.pem is its private key, and ca1.cer and ca2.cer (and ca3.cer, etc.) are the intermediate CA certificates required for the chain of trust (2 in this example).
mycert.cer must be in X.509 format. You can use openssl to convert it to X.509 format if necessary. The output mycert.pfx is in the PKCS#12 format, which Windows can read.

  • Now start MMC, file -> add/remove snap-in -> certificates -> computer account -> local computer, then: "view personal certificates" and view certificates. Right-click -> all tasks -> import and import mycert.pfx.
  • You also need to import the certificate(s) into "Intermediate Certification Authorities -> Certificates". Otherwise no trust chain will be transmitted by the server, see http://support.microsoft.com/kb/954755
  • View the thumbprint of your imported certificate and enter the following command:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=<certhash> appid={a227f2f9-d103-4e0f-92a4-7086c8ab35ac}

    As <certhash> you need to use the thumbprint without spaces.

For IPv6 the ipport parameter of the netsh command must be: ipport=[::]:443.

To delete the certificate from the SSL port and list the remaining bindings, run
> netsh http delete sslcert ipport=0.0.0.0:443
> netsh http show sslcert
In case you have to modify your certificates, you need to remove the old certificates with the
> netsh http delete
command and add your modified certificates via
> netsh http add ...
command.
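
The thumbprint lookup and netsh binding from the steps above, scripted in PowerShell as an added example (not part of the cFos documentation). It assumes the certificate is already in the local computer's personal store and reuses the subject and appid shown on this page; the variable names and the selection filter are choices made for this example.

```powershell
# Added example, not cFos code. Run from an elevated PowerShell prompt.
$subject = 'CN=spaceship.dyndns.org'                 # subject from the makecert step
$appId   = '{a227f2f9-d103-4e0f-92a4-7086c8ab35ac}'  # appid from the netsh commands on this page
$ipPorts = @('0.0.0.0:443')                          # add '[::]:443' for IPv6
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                 # Server Authentication, as in makecert -eku

# Keep only certificates the server can actually present: subject matches,
# private key present, inside the validity period, Server Authentication EKU.
# (Certificates without any EKU extension are skipped by this filter.)
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*$subject*" -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}

# If several certificates match, take the one that expires last.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for '$subject' in LocalMachine\My" }

# The store returns the thumbprint as 40 hex characters without spaces.
# Stripping non-hex characters also covers a value pasted from the MMC dialog.
$certHash = $cert.Thumbprint -replace '[^0-9A-Fa-f]', ''
if ($certHash.Length -ne 40) { throw "Unexpected thumbprint: '$($cert.Thumbprint)'" }

foreach ($ipPort in $ipPorts) {
    # An existing binding has to be deleted before a new one can be added.
    netsh http delete sslcert "ipport=$ipPort" | Out-Null
    # Quote each argument: PowerShell treats unquoted braces in appid specially.
    netsh http add sslcert "ipport=$ipPort" "certhash=$certHash" "appid=$appId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $ipPort" }
}

netsh http show sslcert   # confirm the binding and its certificate hash
```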
