ToDo: Mercurial Repository

[a'moaca']

I would prefer a link to download the CA cert, which I can then install for all my browsers/SCMs/whatever as needed.

- a'moaca'

[Mac_Fife]

I'd agree that there's generally less hassle doing that. For most browsers, it's probably a lot easier to explain that process, than the "on the fly" method.

[JWPlatt]

Did I break the repo?

[rarified]

I'll play Devil's Advocate here, just to test the argument that HTTPS is a necessity: If using a secure connection is going to cause complications, then how greatly concerned should we (or other users) be concerned about sending authentication details in the clear? We don't do this for the forums or wiki, and nor do many other sites. The repos are maybe a little more sensitive than forums, but surely the only really unrecoverable damage, should an account be compromised, would be if someone got enough access to completely wipe a repo?

It's a fine question, one I asked myself a couple of times as I went through the setup.

If it were just my content, I wouldn't worry about it; as long as I let visitors know that usernames and passwords were less secure.

But since the foundry is holding other peoples content, I felt held to a higher standard. I am still open to avoiding the whole SSL scene, but it should be a decision by all the invested parties, not just myself by fiat.

That was the factor I used in deciding to go ahead with HTTPS.

[Reverting back is not a big issue at all; comment out an include directive in the apache config file and it's done]

_R

[rarified]

Did I break the repo?

Why would you say that? I just did an 'hg verify' and everything checked out correctly. File permissions for the web interface seem OK.

I'll catch up on other messages and then look closer.

_R

[JWPlatt]

Why would you say that?

I should have said "JIRA" instead of "repo." All was frozen - JIRA, repo, everything - not long after I got done. And it works now, shortly after your post. I'll assume you found something, or the quantum effect of your presence - a common effect I often encounter - fixed things through a Heisenberg corallary of observation.

[rarified]

I didn't do anything, but I wonder; fisheye would have been periodically polling CWE to catalog changes, and you did check in a few changes.

I'll look in a little while at the JIRA logs. Looks like HTTPS redirection is a bit flaky with fisheye right now -- JIRA can access FE, but going to FE directly hangs. Looks like a loop with interaction between Redirect ..., Alias ..., and ProxyPass{,Reverse} involved.

_R

[JWPlatt]

I found Fisheye seemed to be dropping all CSS when I tried to view source through the JIRA menus.


https is a bother, but:

Regarding https and the question of using it only for logons, I found this:

http://confluence.atlassian.com/pages/v ... =158106208 (How do I use HTTPS for login only?)

Which led me here:

http://jira.atlassian.com/browse/CONF-18120 (Unable to use HTTPS for login only) which explains why Atlassian won't implement logon-only https:

...The main customer feedback we have received on this issue primarily revolves around the use case of customers who wish to protect their LDAP credentials, but aren't as concerned about session hijacking. Unfortunately, this is a misconception of the security provided by using HTTPS for login only. If the "remember me" functionality is used - it is possible that anyone can intercept network traffic (after login) and can decrypt the users credentials. This is due to the way that the "remember me" functionality works.

It is due to this and all the additional reasons around the support of HTTPS for login only that we will not be implementing this feature.

Something Sherif Mansour did not mention was wireless. A lot of people still think in the wired domain when they assume you practically have to work for an ISP to get easy access to sniff traffic somewhere between client and server. Wireless, now pervasive, is the security killer. Anyone can do it anywhere.

[rarified]

I found Fisheye seemed to be dropping all CSS when I tried to view source through the JIRA menus.

Try now. I've removed some optimizations that had Apache itself serving static fisheye content directly, which I think is where the Alias loop occurred. Now fisheye will serve everything FE related. Seemed to work smoothly from my end.

_R

[JWPlatt]

THAT's the ticket! Much more pretty.