Posted to users@subversion.apache.org by Thorsten Schöning <ts...@am-soft.de> on 2015/08/19 21:50:24 UTC

Is it safe to redirect from HTTP to HTTPS in case of svn:externals?

Hi,

I'm implementing publicly accessible mod_dav_svn in addition to some
internally used svnserve. Some of my repos use svn:externals where we
used to define "//internal.example.org/...", my publicly available
entry point is "https://external.example.org". For the public
"internal.example.org" is resolved as "external.example.org", so
checking out a repo from HTTPS with svn:externals used would result in
a request to "https://internal.example.org" and produce certificate
verification failures in the client because of mismatching domain
names and such.

So I thought of simply changing the svn:externals definition to
"http://internal.example.org" which I can then redirect to
"https://external.example.org" on my public server. In my tests that
seemed to work properly and the important part is that the locally
created working copy for svn:externals only contained HTTPS-URLs.

So am I correct that my approach is safe regarding that no user
passwords or such are going unencrypted over the wire if only the
first request doesn't contain such passwords and will always only be
the redirect? Any other problems which I might overlook currently?

Thanks!

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow


Re: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?

Posted by Thorsten Schöning <ts...@am-soft.de>.
Hello Bert Huijben,
on Wednesday, 19 August 2015 at 22:06 you wrote:

> The key Subversion uses to store passwords is different between
> http and https, so a password used for https won't be used for http.

It's a bit late for me, so: This is a good thing in my setup, right? :-)

> There are other options to specify your externals; see 'svn help propset'

I know, but my example was simplified, my repos are still mainly
hosted by different svnserve instances, so that URIs and Ports differ
and such. I couldn't find anything better in the newer syntax for
svn:externals dealing with what I have currently...

Kind regards,

Thorsten Schöning



RE: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?

Posted by Bert Huijben <be...@qqmail.nl>.

> -----Original Message-----
> From: Thorsten Schöning [mailto:tschoening@am-soft.de]
> Sent: Wednesday 19 August 2015 21:50
> To: users@subversion.apache.org
> Subject: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?
> 
> Hi,
> 
> I'm implementing publicly accessible mod_dav_svn in addition to some
> internally used svnserve. Some of my repos use svn:externals where we
> used to define "//internal.example.org/...", my publicly available
> entry point is "https://external.example.org". For the public
> "internal.example.org" is resolved as "external.example.org", so
> checking out a repo from HTTPS with svn:externals used would result in
> a request to "https://internal.example.org" and produce certificate
> verification failures in the client because of mismatching domain
> names and such.
> 
> So I thought of simply changing the svn:externals definition to
> "http://internal.example.org" which I can then redirect to
> "https://external.example.org" on my public server. In my tests that
> seemed to work properly and the important part is that the locally
> created working copy for svn:externals only contained HTTPS-URLs.
> 
> So am I correct that my approach is safe regarding that no user
> passwords or such are going unencrypted over the wire if only the
> first request doesn't contain such passwords and will always only be
> the redirect? Any other problems which I might overlook currently?

The key Subversion uses to store passwords is different between http and https, so a password used for https won't be used for http.

There are other options to specify your externals; see 'svn help propset'
[[
      The URL may be a full URL or a relative URL starting with one of:
        ../  to the parent directory of the extracted external
        ^/   to the repository root
        /    to the server root
        //   to the URL scheme
      ^/../  to a sibling repository beneath the same SVNParentPath location
]]


	Bert
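
An added example (not part of the thread, and not Subversion's own resolver): a simplified model of the relative forms listed in the help text above, showing which scheme each external ends up with when the parent is checked out over HTTPS and flagging definitions whose first request would be plain HTTP. The URLs, repository layout and function names are constructed; it assumes the "URL LOCALPATH" definition format without -r options.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: an svn:externals value on the directory DIR_URL below.
SAMPLE = """\
//internal.example.org/repos/lib/trunk lib
http://internal.example.org/repos/tools/trunk tools
^/../shared/trunk shared
"""
DIR_URL = "https://external.example.org/repos/app/trunk"   # constructed
ROOT_URL = "https://external.example.org/repos/app"        # constructed


def resolve_external(url, dir_url, repos_root_url):
    """Turn one external URL into an absolute URL (simplified model)."""
    base = urlsplit(dir_url)
    if url.startswith("//"):    # scheme-relative: inherits the parent's scheme
        return f"{base.scheme}:{url}"
    if url.startswith("^/"):    # repository root; "^/../" reaches a sibling repo
        return urljoin(repos_root_url.rstrip("/") + "/", url[2:])
    if url.startswith("/"):     # server root: same scheme and host as the parent
        return f"{base.scheme}://{base.netloc}{url}"
    if url.startswith("../"):   # relative to the directory holding the property
        return urljoin(dir_url.rstrip("/") + "/", url)
    return url                  # already a full URL, used as written


def audit_externals(definitions, dir_url, repos_root_url):
    """Return (local_path, absolute_url, first_request_is_cleartext) tuples."""
    findings = []
    for line in definitions.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].startswith("#"):
            continue            # assumption: only plain "URL LOCALPATH" lines
        absolute = resolve_external(parts[0], dir_url, repos_root_url)
        cleartext = urlsplit(absolute).scheme == "http"
        findings.append((parts[1], absolute, cleartext))
    return findings


if __name__ == "__main__":
    for path, absolute, cleartext in audit_externals(SAMPLE, DIR_URL, ROOT_URL):
        note = "first request is plain HTTP" if cleartext else "ok"
        print(f"{path:8} {absolute}  [{note}]")
```

In the sample, the scheme-relative entry resolves to https://internal.example.org, the host name behind the certificate failures described in the original post, and the http:// entry is the only one whose first request leaves unencrypted.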