Windows
This is the Windows self-hosted path.
It uses the 404 distribution, which is built on the Rose base and booted with WSL2. This page does not document running the raw Windows STATIC binary as the normal Windows operator path.
The Windows operator bundle includes:
404-distro.tar.gz404-distro-manifest.json404-distro-manifest.json.sigAppData\Roaming\404\static\static.runtime.tomlAppData\Roaming\404\static\profiles\manifest.jsonAppData\Roaming\404\static\profiles\firefox-windows.jsonAppData\Roaming\404\static\profiles\chrome-windows.jsonAppData\Roaming\404\static\profiles\edge-windows.jsonAppData\Local\404\wsl\control-token
Extract 404-windows-x64.zip directly into your Windows home folder, which is usually C:\Users\<your-username>.
That extraction step should place:
404-distro.tar.gz,404-distro-manifest.json, and404-distro-manifest.json.sigin your home folder- the full
AppData\Roaming\404\statictree in the right place - the
AppData\Local\404\wsl\control-tokenfile in the right place
Before you start
- WSL2 must be available on the machine because it is the Windows host mechanism used to boot the 404 distribution
- the public profile catalog is
chrome-windows,edge-windows, andfirefox-windows - the bundled
static.runtime.tomlconfig defaults tofirefox-windows - if you use Chrome, swap
firefox-windowsforchrome-windows - if you use Edge, swap
firefox-windowsforedge-windows - STATIC listens on
127.0.0.1:4040on the Windows side once the distribution is running - the local control plane uses port
4042
For the exact tagged release page, use the latest GitHub release.
1. Verify the download matches the manifest
Run this in PowerShell:
$manifest = Get-Content "$HOME\Downloads\404-windows-x64\404-distro-manifest.json" | ConvertFrom-Json
$archiveHash = (Get-FileHash "$HOME\Downloads\404-windows-x64\404-distro.tar.gz" -Algorithm SHA256).Hash.ToLower()
"manifest version: $($manifest.version)"
"manifest artifact path: $($manifest.artifact_path)"
"manifest sha256: $($manifest.sha256)"
"archive sha256: $archiveHash"
The two SHA-256 values should match.
2. Extract the bundle into your Windows home folder
Right-click 404-windows-x64.zip, choose Extract All..., and set the destination to your Windows home folder.
In the Extract All dialog:
- click
Browse... - open
This PC → Local Disk (C:) → Users → <your-username> - click
Select Folder - click
Extract
Powershell command
3. Change the default profile
The default profile is Firefox-Windows
If you are using a Blink based profile, you'll have to use the Chrome-Windows or Edge-Windows profile.
- File:
%APPDATA%\404\static\static.runtime.toml
Line to change:
I want to use the Chrome profile
Run this in PowerShell:
I want to use the Edge profile
Run this in PowerShell:
This default configuration is as follows:
- Listener on
4040 - Control plane on
4042 - File-backed key storage
- Profiles loaded from the local
profilesdirectory beside the config file - control token loaded from the relative Windows local-app-data path
4. Import the distribution and write the Windows username file
Run these two commands in PowerShell:
wsl --import 404 "$env:LOCALAPPDATA\404\wsl\distribution" "$HOME\404-distro.tar.gz" --version 2
wsl -d 404 -- sh -lc 'printf "%s\n" "$0" > /opt/404/win-user' $env:USERNAME
5. Start the distribution and confirm start
Launch the distro:
After the distribution boots, 404-init.sh reads static.runtime.toml, best-effort attaches ttl_editor.o to eth0, and starts STATIC in proxy mode.
About eth0
The distro init script hard-codes the eBPF attach step to eth0.
There is no separate config setting for that interface yet.
On a normal WSL2 setup, eth0 is usually the right interface. If your distro uses a different name, STATIC will still start, but the packet-mutation attach step may be skipped.
I need to attach ttl_editor.o to a different interface
First, list the interfaces inside the distro:
Then attach the classifier manually, replacing <interface> with the correct name:
wsl -d 404 -- sh -lc 'tc qdisc add dev <interface> clsact 2>/dev/null || true; tc filter add dev <interface> egress bpf da obj /opt/404/ttl_editor.o sec classifier 2>/dev/null || true'
If you want that different interface to persist across boots, you currently have to edit /opt/404/404-init.sh inside the distro yourself. The bundled config does not expose an interface selector yet.
Open a second PowerShell window to confirm 404 has started:
$token = Get-Content "$env:LOCALAPPDATA\404\wsl\control-token" -Raw
Invoke-RestMethod -Headers @{ "X-404-Control-Token" = $token } http://127.0.0.1:4042/status
6. Trust the generated CA
Fetch the generated CA from the local control plane and write it to disk:
$token = Get-Content "$env:LOCALAPPDATA\404\wsl\control-token" -Raw
$ca = Invoke-RestMethod -Headers @{ "X-404-Control-Token" = $token } http://127.0.0.1:4042/ca/status
$ca.cert_pem | Set-Content "$env:LOCALAPPDATA\404\wsl\static-ca.crt"
Trust it in the Windows root store:
Manual install:
- Open
%LOCALAPPDATA%\404\wslin File Explorer. - Double-click
static-ca.crt. - Click
Install Certificate.... - Select
Current Userand clickNext. - Choose
Place all certificates in the following storeand clickBrowse.... - Select
Trusted Root Certification Authoritiesand clickOK. - Click
Nextand thenFinish.
If you use Firefox, you must import the certificate into Firefox:
- Settings → Privacy & Security → Certificates → View Certificates
- Authorities → Import
- select
%LOCALAPPDATA%\404\wsl\static-ca.crt - enable
Trust this CA to identify websites
7. Route browser traffic through the listener
The STATIC listener is located at 127.0.0.1:4040.
For Chrome or Edge:
- Windows Settings → Network & internet → Proxy
- Enable Manual proxy setup
- Address:
127.0.0.1 - Port:
4040
For Firefox:
- Settings → Network Settings → Manual proxy configuration
- HTTP Proxy:
127.0.0.1 - Port:
4040 - Check
Also use this proxy for HTTPS
At that point, browser traffic routed through the configured proxy listener will flow through the 404 distribution and into STATIC.