> -----Original Message-----
> From: Thorsten Schöning [mailto:tschoen...@am-soft.de]
> Sent: Wednesday, 19 August 2015 21:50
> To: users@subversion.apache.org
> Subject: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?
> 
> Hi,
> 
> I'm implementing publicly accessible mod_dav_svn in addition to some
> internally used svnserve. Some of my repos use svn:externals where we
> used to define "//internal.example.org/...", my publicly available
> entry point is "https://external.example.org". For the public
> "internal.example.org" is resolved as "external.example.org", so
> checking out a repo from HTTPS with svn:externals used would result in
> a request to "https://internal.example.org" and produce certificate
> verification failures in the client because of mismatching domain
> names and such.
> 
> So I thought of simply changing the svn:externals definition to
> "http://internal.example.org" which I can then redirect to
> "https://external.example.org" on my public server. In my tests that
> seemed to work properly and the important part is that the locally
> created working copy for svn:externals only contained HTTPS-URLs.
> 
> So am I correct that my approach is safe regarding that no user
> passwords or such are going unencrypted over the wire if only the
> first request doesn't contain such passwords and will always only be
> the redirect? Any other problems which I might overlook currently?

The key Subversion uses to store passwords is different between http and https, 
so a password used for https won't be used for http.

There are other options to specify your externals; see 'svn help propset'
[[
      The URL may be a full URL or a relative URL starting with one of:
        ../  to the parent directory of the extracted external
        ^/   to the repository root
        /    to the server root
        //   to the URL scheme
      ^/../  to a sibling repository beneath the same SVNParentPath location
]]


        Bert
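
The relative forms in the help text quoted above, as an added illustration that is not part of the thread or of Subversion's own code: this Python sketch resolves the URL part of an svn:externals definition against the URL the working copy was checked out from, and flags definitions that would be fetched from a different scheme or host. The repository paths (/svn/app, /svn/libs) and the function names are constructed assumptions; peg revisions and the local target path of a definition are not handled.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit


def _join(base_url, rel):
    """Append rel to base_url's path and collapse any '..' segments."""
    b = urlsplit(base_url)
    path = posixpath.normpath(posixpath.join(b.path or "/", rel))
    return urlunsplit((b.scheme, b.netloc, path, "", ""))


def resolve_external(ext, parent_dir_url, repos_root_url):
    """Resolve the URL part of one svn:externals definition.

    parent_dir_url: URL of the directory that carries the property.
    repos_root_url: root URL of the repository that directory lives in.
    """
    parent = urlsplit(parent_dir_url)
    if ext.startswith("^/"):    # repository root; '^/../' reaches a sibling
        return _join(repos_root_url, ext[2:])
    if ext.startswith("//"):    # inherit only the scheme
        return parent.scheme + ":" + ext
    if ext.startswith("/"):     # inherit scheme and host (server root)
        return urlunsplit((parent.scheme, parent.netloc,
                           posixpath.normpath(ext), "", ""))
    if ext.startswith("../"):   # relative to the external's parent directory
        return _join(parent_dir_url, ext)
    return ext                  # full URL, used as written


def changes_origin(ext, parent_dir_url, repos_root_url):
    """True if the external is fetched from another scheme or host."""
    r = urlsplit(resolve_external(ext, parent_dir_url, repos_root_url))
    p = urlsplit(parent_dir_url)
    return (r.scheme, r.netloc) != (p.scheme, p.netloc)


# Constructed sample: the public HTTPS checkout from the thread, with
# made-up repository paths /svn/app and /svn/libs.
PUBLIC_ROOT = "https://external.example.org/svn/app"
PUBLIC_DIR = PUBLIC_ROOT + "/trunk"

if __name__ == "__main__":
    for ext in ("//internal.example.org/svn/libs/trunk",
                "http://internal.example.org/svn/libs/trunk",
                "/svn/libs/trunk", "^/../libs/trunk", "^/vendor/zlib"):
        print(ext, "->", resolve_external(ext, PUBLIC_DIR, PUBLIC_ROOT),
              "| leaves origin:", changes_origin(ext, PUBLIC_DIR, PUBLIC_ROOT))
```

Definitions using `/`, `^/` or `^/../` keep both the scheme and the host of the checkout, so the same property value resolves correctly from the internal svnserve and from the public HTTPS entry point without a plain-HTTP hop.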

