On Feb 26, 2018, at 3:33 PM, Thomas Levine <[email protected]> wrote: > > Since it seems that the only dynamic stuff is in PHP and fossil, > I suggest using Apache mod_php and mod_cgi (contrary to Warren's > suggestion), as I think the configuration will be easier.
Of course, but then you lose HTTPS, which is the only reason my configuration is difficult at all. If all you wanted is reverse proxying, you’d do away with steps 1-6, simplifying the HOWTO considerably. I don’t view TLS as optional for password-protected public web resources in these post-Firesheep days. Even if you don’t care about your own Fossil repo’s security, Google has been punishing sites that are not available via HTTPS for a couple of years now, both through reduced rankings in the search engine and through increasingly strident warnings in Chrome. That’s not speculation, Google’s been announcing these things publicly: https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn There may come a day when going to an HTTP-only web site will require multiple affirmations asymptotically approaching “Yes, I’m really quite certain I want my face eaten by a rabid grue. Just let me look at this one web site first, please.” _______________________________________________ fossil-users mailing list [email protected] http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
