> -----Original Message-----
> From: Thorsten Schöning [mailto:tschoen...@am-soft.de]
> Sent: Wednesday 19 August 2015 21:50
> To: users@subversion.apache.org
> Subject: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?
>
> Hi,
>
> I'm implementing publicly accessible mod_dav_svn in addition to some
> internally used svnserve. Some of my repos use svn:externals where we
> used to define "//internal.example.org/...", my publicly available
> entry point is "https://external.example.org". For the public
> "internal.example.org" is resolved as "external.example.org", so
> checking out a repo from HTTPS with svn:externals used would result in
> a request to "https://internal.example.org" and produce certificate
> verification failures in the client because of mismatching domain
> names and such.
>
> So I thought of simply changing the svn:externals definition to
> "http://internal.example.org" which I can then redirect to
> "https://external.example.org" on my public server. In my tests that
> seemed to work properly and the important part is that the locally
> created working copy for svn:externals only contained HTTPS-URLs.
>
> So am I correct that my approach is safe regarding that no user
> passwords or such are going unencrypted over the wire if only the
> first request doesn't contain such passwords and will always only be
> the redirect? Any other problems which I might overlook currently?

The key Subversion uses to store passwords is different between http and https, so a password used for https won't be used for http.

There are other options to specify your externals; see 'svn help propset'

[[
  The URL may be a full URL or a relative URL starting with one of:
    ../    to the parent directory of the extracted external
    ^/     to the repository root
    /      to the server root
    //     to the URL scheme
    ^/../  to a sibling repository beneath the same SVNParentPath location
]]

        Bert
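
The following is an added example, not part of the thread and not Subversion's own code: a small Python sketch of the relative-URL rules quoted above, showing which externals definitions follow the checkout's scheme and host and which ones leave it. The hostnames come from the question; the repository paths, the `lib` sibling repository, and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

def resolve_external(ext, dir_url, repos_root):
    """Expand one svn:externals URL.

    ext        -- URL part of the svn:externals definition
    dir_url    -- URL of the directory that carries the property
    repos_root -- repository root URL of that checkout
    """
    d = urlsplit(dir_url)
    if ext.startswith("^/"):      # repository root; ^/../ reaches a sibling repo
        r = urlsplit(repos_root)
        path = posixpath.normpath(r.path + "/" + ext[2:])
        return urlunsplit((r.scheme, r.netloc, path, "", ""))
    if ext.startswith("//"):      # scheme-relative: the host stays hard-coded
        return d.scheme + ":" + ext
    if ext.startswith("/"):       # server root: scheme and host follow the checkout
        return urlunsplit((d.scheme, d.netloc, posixpath.normpath(ext), "", ""))
    if ext.startswith("../"):     # relative to the directory carrying the property
        path = posixpath.normpath(posixpath.join(d.path, ext))
        return urlunsplit((d.scheme, d.netloc, path, "", ""))
    return ext                    # full URL, used verbatim

def leaves_checkout_origin(ext, dir_url, repos_root):
    """True if the external resolves to another scheme or host than the checkout."""
    a = urlsplit(resolve_external(ext, dir_url, repos_root))
    b = urlsplit(dir_url)
    return (a.scheme, a.netloc) != (b.scheme, b.netloc)

# Constructed sample checkouts: (property directory URL, repository root URL).
PUBLIC = ("https://external.example.org/svn/main/trunk",
          "https://external.example.org/svn/main")
INTERNAL = ("svn://internal.example.org/main/trunk",
            "svn://internal.example.org/main")

if __name__ == "__main__":
    samples = ("//internal.example.org/svn/lib/trunk",
               "http://internal.example.org/svn/lib/trunk",
               "^/../lib/trunk")
    for ext in samples:
        for name, (d, r) in (("public", PUBLIC), ("internal", INTERNAL)):
            print(name, ext, "->", resolve_external(ext, d, r),
                  "leaves origin:", leaves_checkout_origin(ext, d, r))
```
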