Discussion:
How to redirect http to https with Apache/SVN/SSL
Daniel B. Thurman
16 years ago
Permalink
I am trying to solve one last problem with my
Apache/SVN/SSL with http to http redirection.

Is it possible to do?

Here is what I have in my subversion.conf file:
=======================================
<VirtualHost host.domain.com:80>
ServerName host.domain.com
RequestHeader edit Destination ^http https early
#Redirect / https://host.domain.com/
</VirtualHost>

<VirtualHost host.domain.com:443>
[...]
</VirtualHost>
=======================================

Using the following works:
$ svn list https://host.domain.com/svn/svn1
branches/
tags/
trunk/

But using the following with either RequestHeader or Redirect fails:
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 405 Method Not Allowed
(http://host.domain.com)

Is there a way to make this work?

Dan
Patrick W. Barnes
16 years ago
Permalink
...
<VirtualHost host.domain.com:80>
ServerName host.domain.com
...
RewriteEngine On
RewriteRule ^/$ https://host.domain.com/ [R,L]
RewriteRule ^/(.*) https://host.domain.com/$1 [R,L]
</VirtualHost>

Note the second rewrite rule, which allows anything not simply pointing at the
root location to also be redirected, maintaining the rest of the URL.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090510/ee6dec11/attachment.bin
Patrick W. Barnes
16 years ago
Permalink
Post by Daniel B. Thurman
<VirtualHost host.domain.com:80>
ServerName host.domain.com
...
RewriteEngine On
RewriteRule ^/$ https://host.domain.com/ [R,L]
RewriteRule ^/(.*) https://host.domain.com/$1 [R,L]
</VirtualHost>
Forgot to mention...

Redirecting SVN causes it to display a message to the user, rather than follow
the redirect. Since I assume you want to force SSL to be used, setting up
non-HTTPS access or having Apache proxy non-HTTPS queries is probably not what
you want, and having SVN display that message and force users to specify HTTPS
may be your best option.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090510/7e4fe0c3/attachment.bin
Daniel B. Thurman
16 years ago
Permalink
...
Thanks!
I tried your above suggestion, and this is what I got:

$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 302 Found (http://host.domain.com)

Is this expected?
The above modification changes the error code from
"405 Method Not Allowed" to "302 Found (http://host.domain.com)"
Daniel B. Thurman
16 years ago
Permalink
...
Thanks!
I tried your above suggestion, and this is what I got:

$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 302 Found (http://host.domain.com)

Is this expected?
The above modification changes the error code from
"405 Method Not Allowed" to "302 Found (http://host.domain.com)"
Patrick W. Barnes
16 years ago
Permalink
Post by Daniel B. Thurman
<VirtualHost host.domain.com:80>
ServerName host.domain.com
...
RewriteEngine On
RewriteRule ^/$ https://host.domain.com/ [R,L]
RewriteRule ^/(.*) https://host.domain.com/$1 [R,L]
</VirtualHost>
Forgot to mention...

Redirecting SVN causes it to display a message to the user, rather than follow
the redirect. Since I assume you want to force SSL to be used, setting up
non-HTTPS access or having Apache proxy non-HTTPS queries is probably not what
you want, and having SVN display that message and force users to specify HTTPS
may be your best option.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090510/7e4fe0c3/attachment-0001.bin
Craig White
16 years ago
Permalink
...
----
try...

RedirectPermanent /svn/ https://host.domain.com/svn

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
Thanks, but it does not work:
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 301 Moved Permanently (http://host.domain.com)

Dan
Craig White
16 years ago
Permalink
...
----
if this is what it actually reported, then you didn't implement
correctly. What is document root in /etc/http/conf.d/ssl.conf ?

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
From: /etc/httpd/conf.d/ssl.conf:
===================================================
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName host.domain.com:443
===================================================
Patrick W. Barnes
16 years ago
Permalink
Post by Craig White
Post by Daniel B. Thurman
Post by Craig White
----
try...
RedirectPermanent /svn/ https://host.domain.com/svn
Craig
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 301 Moved Permanently
(http://host.domain.com)
----
if this is what it actually reported, then you didn't implement
correctly. What is document root in /etc/http/conf.d/ssl.conf ?
Actually, that is exactly the documented behavior. RedirectPermanent sends
back a 301 status message to the client. A web browser would respond by
quietly following the redirect, but Subversion does not do that. Subversion,
when presented with any 30x redirect, will dump a message and fail rather than
follow the redirect... which is exactly why it will never do what Daniel wants
it to do.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090511/0d8cef4f/attachment.bin
Daniel B. Thurman
16 years ago
Permalink
...
So, does that mean there is no solution that can work for what I
am trying to do? I was also hoping to confine redirection only
to the /svn location.

From everywhere I looked on the Internet, many claim to get it
working but I have not been able to duplicate it. I constantly get
various errors from the different schemes I have tried, to force
redirection from http to https for subversion @ /svn only.

Using the Proxy command, it sorta works but as you pointed it out,
and I have verified it, the http works except that it does not actually
"switch" to https asking for an SSL self-signed certificate but it works
if I use the https:// URL string.

I sure hope it is not something I have done wrong in my conf.d/*.conf
files as I discovered that my early attempts in setting up a basic SVN
setup was foiled by having system-config-httpd.conf overriding everything
and by removing this file, I was able to get to the point where I am now.
Craig White
16 years ago
Permalink
...
----
I use PermanentRedirect to give end users simplified URL's and redirect
them to a much more complicated path so they don't have to type that
into various web browsers and it works.

If I were using SVN & WebDAV, I would want them to use the direct URL
and not try to sleight of hand because there could be so many different
clients that react in different and unpredictable ways and for the most
part, once the client has been given the URL, the configuration is done.
Also, if the redirect is a self-signed certificate, various clients may
not be expecting them, let alone never being able to figure out how to
deal with them.

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Craig White
16 years ago
Permalink
...
----
I use PermanentRedirect to give end users simplified URL's and redirect
them to a much more complicated path so they don't have to type that
into various web browsers and it works.

If I were using SVN & WebDAV, I would want them to use the direct URL
and not try to sleight of hand because there could be so many different
clients that react in different and unpredictable ways and for the most
part, once the client has been given the URL, the configuration is done.
Also, if the redirect is a self-signed certificate, various clients may
not be expecting them, let alone never being able to figure out how to
deal with them.

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
So, does that mean there is no solution that can work for what I
am trying to do? I was also hoping to confine redirection only
to the /svn location.

From everywhere I looked on the Internet, many claim to get it
working but I have not been able to duplicate it. I constantly get
various errors from the different schemes I have tried, to force
redirection from http to https for subversion @ /svn only.

Using the Proxy command, it sorta works but as you pointed it out,
and I have verified it, the http works except that it does not actually
"switch" to https asking for an SSL self-signed certificate but it works
if I use the https:// URL string.

I sure hope it is not something I have done wrong in my conf.d/*.conf
files as I discovered that my early attempts in setting up a basic SVN
setup was foiled by having system-config-httpd.conf overriding everything
and by removing this file, I was able to get to the point where I am now.
Daniel B. Thurman
16 years ago
Permalink
...
From: /etc/httpd/conf.d/ssl.conf:
===================================================
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName host.domain.com:443
===================================================
Patrick W. Barnes
16 years ago
Permalink
Post by Craig White
Post by Daniel B. Thurman
Post by Craig White
----
try...
RedirectPermanent /svn/ https://host.domain.com/svn
Craig
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 301 Moved Permanently
(http://host.domain.com)
----
if this is what it actually reported, then you didn't implement
correctly. What is document root in /etc/http/conf.d/ssl.conf ?
Actually, that is exactly the documented behavior. RedirectPermanent sends
back a 301 status message to the client. A web browser would respond by
quietly following the redirect, but Subversion does not do that. Subversion,
when presented with any 30x redirect, will dump a message and fail rather than
follow the redirect... which is exactly why it will never do what Daniel wants
it to do.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090511/0d8cef4f/attachment-0001.bin
Craig White
16 years ago
Permalink
...
----
if this is what it actually reported, then you didn't implement
correctly. What is document root in /etc/http/conf.d/ssl.conf ?

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
Thanks, but it does not work:
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 301 Moved Permanently (http://host.domain.com)

Dan
Daniel B. Thurman
16 years ago
Permalink
...
After much digging on the Internet, I found the solution I wanted:

<VirtualHost host.domain.com:80>
ServerName host.domain.com
CustomLog /svn/Admin/logs/access.log combined
ErrorLog /svn/Admin/logs/error.log
SSLProxyEngine on
ProxyPass / https://host.domain.com/
ProxyPassReverse / https://host.domain.com/
</VirtualHost>

<VirtualHost host.domain.com:80>
[...]
</VirtualHost>

Dan
Daniel B. Thurman
16 years ago
Permalink
...
DRAT! TYPO!

Should be:

<VirtualHost host.domain.com:80>
ServerName host.domain.com
CustomLog /svn/Admin/logs/access.log combined
ErrorLog /svn/Admin/logs/error.log
SSLProxyEngine on
ProxyPass / https://host.domain.com/
ProxyPassReverse / https://host.domain.com/
</VirtualHost>

<VirtualHost host.domain.com:443>
[...]
</VirtualHost>

My mistake was the 2nd VirtualHost clause where 80 should be 443:

Now, that's better ;)
Dan
Patrick W. Barnes
16 years ago
Permalink
Post by Daniel B. Thurman
DRAT! TYPO!
<VirtualHost host.domain.com:80>
ServerName host.domain.com
CustomLog /svn/Admin/logs/access.log combined
ErrorLog /svn/Admin/logs/error.log
SSLProxyEngine on
ProxyPass / https://host.domain.com/
ProxyPassReverse / https://host.domain.com/
</VirtualHost>
<VirtualHost host.domain.com:443>
[...]
</VirtualHost>
Now, that's better ;)
Keep in mind that having Apache proxy non-HTTPS queries will mean that the
link from the client to the server will NOT be SSL-protected. Traffic from the
SVN client to your server will be in the clear.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090510/dd8c3ff6/attachment.bin
Daniel B. Thurman
16 years ago
Permalink
...
Oh! DRAT!! I have noted that when using http://[...], the
SSL certificate is not being requested, so you appear to be correct.

So far, I have not been successful with any of the suggestions offered
so far. If anyone has a (potential) solution, please let me know?

Dan
Daniel B. Thurman
16 years ago
Permalink
...
Oh! DRAT!! I have noted that when using http://[...], the
SSL certificate is not being requested, so you appear to be correct.

So far, I have not been successful with any of the suggestions offered
so far. If anyone has a (potential) solution, please let me know?

Dan
Daniel B. Thurman
16 years ago
Permalink
...
Sigh, I tested http://[...] and it appears that SSL certification is not
being requested, so it appears that you are correct.

I will keep trying. If anyone has a (potential) solution, please let me
know?

Dan
Arthur Pemberton
16 years ago
Permalink
...
Why don't you just turn of http? And/or redirect all http to https?
--
Fedora 10
(www.pembo13.com)
Daniel B. Thurman
16 years ago
Permalink
...
Then that would mean that my normal website for anonymous users
would be forced use https when it is not required?

As it is, I could just drop the <VirtualHost host.domain.com:80>
code block for subversion and who cares if subversion reports an error
for those attempting to use the http:[...]/svn/svnX string, as it would
not be allowed except for https.

Seems nicer to force http to https only for /svn requests but perhaps
there is no solution/support for it... from what I can tell, others have
claimed to get this to work but I have not been able to duplicate it.
Patrick W. Barnes
16 years ago
Permalink
...
If you really do not mind Subversion displaying an error for non-SSL requests,
then your solution is very easy. Just move your configuration for /svn inside
of your SSL <VirtualHost> configuration. Non-SSL Subversion requests would
fail with a 404 error, non-SSL requests elsewhere on your site would be
unaffected.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090511/ffc479f2/attachment.bin
Arthur Pemberton
16 years ago
Permalink
...
Put a redirect to https inside a <Location> tag then
--
Fedora 10
(www.pembo13.com)
Daniel B. Thurman
16 years ago
Permalink
...
I tried that, it does not work:
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 301 Moved Permanently (http://host.domain.com)
Daniel B. Thurman
16 years ago
Permalink
...
I tried that, it does not work:
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 301 Moved Permanently (http://host.domain.com)
Patrick W. Barnes
16 years ago
Permalink
...
If you really do not mind Subversion displaying an error for non-SSL requests,
then your solution is very easy. Just move your configuration for /svn inside
of your SSL <VirtualHost> configuration. Non-SSL Subversion requests would
fail with a 404 error, non-SSL requests elsewhere on your site would be
unaffected.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090511/ffc479f2/attachment-0001.bin
Arthur Pemberton
16 years ago
Permalink
...
Put a redirect to https inside a <Location> tag then
--
Fedora 10
(www.pembo13.com)
Daniel B. Thurman
16 years ago
Permalink
...
Then that would mean that my normal website for anonymous users
would be forced use https when it is not required?

As it is, I could just drop the <VirtualHost host.domain.com:80>
code block for subversion and who cares if subversion reports an error
for those attempting to use the http:[...]/svn/svnX string, as it would
not be allowed except for https.

Seems nicer to force http to https only for /svn requests but perhaps
there is no solution/support for it... from what I can tell, others have
claimed to get this to work but I have not been able to duplicate it.
Bill Davidsen
16 years ago
Permalink
...
I think you had it with the redirect causing an error in svn. The change to
https needs to be done at the request end (AFAIK) so if svn can't/won't do that
properly you are better off failing it with a useful error than having the
traffic to you be unencrypted.

My opinion only, the client is not working in a good way, break it rather than
having it work in an actively BAD way.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
Daniel B. Thurman
16 years ago
Permalink
...
Yes, that was what I thought, since there is no real way
to get a redirect with svn in the picture. I tried it in all
sorts of ways but was not able to. It would be nice if
there was a way to do a redirect cleanly, but alas, it's
not to be had.
Craig White
16 years ago
Permalink
...
----
not that this is going to help but you are trying to solve a client
problem with a server solution. I don't see your problem as not being
able to 'redirect cleanly' because in my mind, 'RedirectPermanent' is as
clean as you can get but rather the client application apparently
doesn't have enough http skills to deal with the Redirect information it
has been given by the server. Probably some of that is about security
because you really don't want an unsophisticated client to willy nilly
accept redirection to another host/site/URL.

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
Yes, it makes sense what you are saying.
Matthew Saltzman
16 years ago
Permalink
...
FWIW, the subversion version in F10 is quite nice about informing you
about the redirect:

$ svn co http://my.svn.host/svn/MyProject Project
svn: Repository moved permanently to
'https://my.svn.host/svn/MyProject'; please relocate

$ rpm -q subversion
subversion-1.5.4-3.x86_64
--
Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
Matthew Saltzman
16 years ago
Permalink
...
FWIW, the subversion version in F10 is quite nice about informing you
about the redirect:

$ svn co http://my.svn.host/svn/MyProject Project
svn: Repository moved permanently to
'https://my.svn.host/svn/MyProject'; please relocate

$ rpm -q subversion
subversion-1.5.4-3.x86_64
--
Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
Daniel B. Thurman
16 years ago
Permalink
...
Yes, it makes sense what you are saying.
Craig White
16 years ago
Permalink
...
----
not that this is going to help but you are trying to solve a client
problem with a server solution. I don't see your problem as not being
able to 'redirect cleanly' because in my mind, 'RedirectPermanent' is as
clean as you can get but rather the client application apparently
doesn't have enough http skills to deal with the Redirect information it
has been given by the server. Probably some of that is about security
because you really don't want an unsophisticated client to willy nilly
accept redirection to another host/site/URL.

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
Yes, that was what I thought, since there is no real way
to get a redirect with svn in the picture. I tried it in all
sorts of ways but was not able to. It would be nice if
there was a way to do a redirect cleanly, but alas, it's
not to be had.
Arthur Pemberton
16 years ago
Permalink
...
Why don't you just turn of http? And/or redirect all http to https?
--
Fedora 10
(www.pembo13.com)
Bill Davidsen
16 years ago
Permalink
...
I think you had it with the redirect causing an error in svn. The change to
https needs to be done at the request end (AFAIK) so if svn can't/won't do that
properly you are better off failing it with a useful error than having the
traffic to you be unencrypted.

My opinion only, the client is not working in a good way, break it rather than
having it work in an actively BAD way.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
Daniel B. Thurman
16 years ago
Permalink
...
Oh! DRAT!! I have noted that when using http://[...], the
SSL certificate is not being requested, so you appear to be correct.

So far, I have not been successful with any of the suggestions offered
so far. If anyone has a (potential) solution, please let me know?

Dan
Daniel B. Thurman
16 years ago
Permalink
...
Oh! DRAT!! I have noted that when using http://[...], the
SSL certificate is not being requested, so you appear to be correct.

So far, I have not been successful with any of the suggestions offered
so far. If anyone has a (potential) solution, please let me know?

Dan
Daniel B. Thurman
16 years ago
Permalink
...
Sigh, I tested http://[...] and it appears that SSL certification is not
being requested, so it appears that you are correct.

I will keep trying. If anyone has a (potential) solution, please let me
know?

Dan
Patrick W. Barnes
16 years ago
Permalink
Post by Daniel B. Thurman
DRAT! TYPO!
<VirtualHost host.domain.com:80>
ServerName host.domain.com
CustomLog /svn/Admin/logs/access.log combined
ErrorLog /svn/Admin/logs/error.log
SSLProxyEngine on
ProxyPass / https://host.domain.com/
ProxyPassReverse / https://host.domain.com/
</VirtualHost>
<VirtualHost host.domain.com:443>
[...]
</VirtualHost>
Now, that's better ;)
Keep in mind that having Apache proxy non-HTTPS queries will mean that the
link from the client to the server will NOT be SSL-protected. Traffic from the
SVN client to your server will be in the clear.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090510/dd8c3ff6/attachment-0001.bin
Daniel B. Thurman
16 years ago
Permalink
...
DRAT! TYPO!

Should be:

<VirtualHost host.domain.com:80>
ServerName host.domain.com
CustomLog /svn/Admin/logs/access.log combined
ErrorLog /svn/Admin/logs/error.log
SSLProxyEngine on
ProxyPass / https://host.domain.com/
ProxyPassReverse / https://host.domain.com/
</VirtualHost>

<VirtualHost host.domain.com:443>
[...]
</VirtualHost>

My mistake was the 2nd VirtualHost clause where 80 should be 443:

Now, that's better ;)
Dan
Mike Wright
16 years ago
Permalink
Post by Daniel B. Thurman
I am trying to solve one last problem with my
Apache/SVN/SSL with http to http redirection.
Is it possible to do?
Here's an idea.

Create a one line file http://host.example.com/index.html

<meta http-equiv="refresh"
content="0;url=https://host.example.com/svn/svn1" />
Daniel B. Thurman
16 years ago
Permalink
Post by Mike Wright
Post by Daniel B. Thurman
I am trying to solve one last problem with my
Apache/SVN/SSL with http to http redirection.
Is it possible to do?
Here's an idea.
Create a one line file http://host.example.com/index.html
<meta http-equiv="refresh"
content="0;url=https://host.example.com/svn/svn1" />
Thanks, but It does not prompt for an SSL certificate. It appears
the same as the Proxy code with no SSL activated, ie passwords
are in the clear.
Daniel B. Thurman
16 years ago
Permalink
Post by Mike Wright
Post by Daniel B. Thurman
I am trying to solve one last problem with my
Apache/SVN/SSL with http to http redirection.
Is it possible to do?
Here's an idea.
Create a one line file http://host.example.com/index.html
<meta http-equiv="refresh"
content="0;url=https://host.example.com/svn/svn1" />
Thanks, but It does not prompt for an SSL certificate. It appears
the same as the Proxy code with no SSL activated, ie passwords
are in the clear.
Daniel B. Thurman
16 years ago
Permalink
I am trying to solve one last problem with my
Apache/SVN/SSL with http to http redirection.

Is it possible to do?

Here is what I have in my subversion.conf file:
=======================================
<VirtualHost host.domain.com:80>
ServerName host.domain.com
RequestHeader edit Destination ^http https early
#Redirect / https://host.domain.com/
</VirtualHost>

<VirtualHost host.domain.com:443>
[...]
</VirtualHost>
=======================================

Using the following works:
$ svn list https://host.domain.com/svn/svn1
branches/
tags/
trunk/

But using the following with either RequestHeader or Redirect fails:
$ svn list http://host.domain.com/svn/svn1
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 405 Method Not Allowed
(http://host.domain.com)

Is there a way to make this work?

Dan
Patrick W. Barnes
16 years ago
Permalink
...
<VirtualHost host.domain.com:80>
ServerName host.domain.com
...
RewriteEngine On
RewriteRule ^/$ https://host.domain.com/ [R,L]
RewriteRule ^/(.*) https://host.domain.com/$1 [R,L]
</VirtualHost>

Note the second rewrite rule, which allows anything not simply pointing at the
root location to also be redirected, maintaining the rest of the URL.
--
Patrick "The N-Man" Barnes
nman64 at n-man.com

http://n-man.com/

LinkedIn:
http://linkedin.com/in/nman64

Have I been helpful? Rate my assistance!
http://rate.affero.net/nman64/

All messages cryptographically signed:
http://en.wikipedia.org/wiki/OpenPGP
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090510/ee6dec11/attachment-0001.bin
Craig White
16 years ago
Permalink
...
----
try...

RedirectPermanent /svn/ https://host.domain.com/svn

Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Daniel B. Thurman
16 years ago
Permalink
...
After much digging on the Internet, I found the solution I wanted:

<VirtualHost host.domain.com:80>
ServerName host.domain.com
CustomLog /svn/Admin/logs/access.log combined
ErrorLog /svn/Admin/logs/error.log
SSLProxyEngine on
ProxyPass / https://host.domain.com/
ProxyPassReverse / https://host.domain.com/
</VirtualHost>

<VirtualHost host.domain.com:80>
[...]
</VirtualHost>

Dan
Mike Wright
16 years ago
Permalink
Post by Daniel B. Thurman
I am trying to solve one last problem with my
Apache/SVN/SSL with http to http redirection.
Is it possible to do?
Here's an idea.

Create a one line file http://host.example.com/index.html

<meta http-equiv="refresh"
content="0;url=https://host.example.com/svn/svn1" />
Loading...