Mercurial Over HTTPS

My guide on setting up a Mercurial server left us with HTTP as the protocol. That may be acceptable on a local network, but the server uses HTTP Basic authentication, so every clone and push sends the password in the clear; HTTPS is the more comfortable choice. This post starts from an already running Mercurial server on Ubuntu.

Apache ships with an SSL module (mod_ssl), which has to be enabled first:

$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Before restarting Apache we need to create a few things (a private key, a certificate signing request and a certificate), and the easiest way is to make them ourselves. Write whatever you like for the organization details, but put the server's host name in the Common Name, since that is what clients compare against the URL. Two caveats on the commands below: a 1024-bit RSA key is too small by today's standards (use at least 2048 bits), and -days 36500 yields a certificate valid for 100 years; a self-signed certificate is as cheap to regenerate as to create, so a short validity costs nothing. Keep https.key readable by root only.

$ openssl genrsa -out https.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
......++++++
e is 65537 (0x10001)

$ openssl req -new -key https.key -out https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ openssl x509 -req -days 36500 -in https.csr -signkey https.key -out https.crt
Signature ok
subject=...
Getting Private key

Once the key and certificate exist, add the following lines to "/etc/apache2/sites-available/hg" (I left other directives out for clarity). The key and certificate go next to .htpasswd under /srv/hg, which is outside the DocumentRoot, so Apache never serves them; make sure the key is owned by root with mode 600, since Apache reads it as root at start-up.

NameVirtualHost *
# "*" without a port matches every port Apache listens on, so SSLEngine on
# below applies to port 80 as well; use *:443 to claim only the HTTPS port.
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/hg/cgi-bin
    <Directory "/srv/hg/cgi-bin/">
        SetHandler cgi-script
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hg.log
    # Basic auth for the whole site; the password is only protected because
    # the connection is TLS.
    <Location />
        AuthType Basic
        AuthName "Mercurial"
        AuthUserFile /srv/hg/.htpasswd
        Require valid-user
    </Location>
    RewriteEngine on
    RewriteRule (.*) /srv/hg/cgi-bin/hgweb.cgi/$1
    # TLS: certificate and key from the openssl steps above; key mode 600, owner root.
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /srv/hg/https.crt
    SSLCertificateKeyFile /srv/hg/https.key
</VirtualHost>

With that in place, restart Apache:

$ /etc/init.d/apache2 restart
* Restarting web server apache2
[warn] NameVirtualHost *:80 has no VirtualHosts
... waiting [warn] NameVirtualHost *:80 has no VirtualHosts

After these changes Mercurial answers ONLY over HTTPS: because the VirtualHost is "*" rather than "*:443", SSLEngine on also applies to port 80, so plain http:// requests are rejected (that is also why Apache warns that NameVirtualHost *:80 has no VirtualHosts). Since the certificate is self-signed, browsers will complain about verification; that is expected. Mercurial clients will complain as well. Rather than disabling verification with --insecure, pin the certificate on the client: older versions use a [hostfingerprints] section in hgrc with the certificate's SHA-1 fingerprint, Mercurial 3.9 and later use [hostsecurity] with a "host:fingerprints = sha256:..." entry.
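The key and certificate generation from the openssl steps above, and the client-side pinning of the self-signed certificate, as one added example (this is not code from the original post): a POSIX shell script that generates a 2048-bit key and a self-signed certificate in a single openssl call with a subjectAltName, creates the key with mode 600 from the start, checks that key and certificate belong together, and prints the SHA-256 fingerprint in the form Mercurial's [hostsecurity] section expects, so clients can pin this certificate instead of ignoring verification. The host name hg.example.com, the output directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a 2048-bit RSA
# key and a self-signed certificate, locks down the key file, checks that the
# pair belongs together, and prints a [hostsecurity] snippet for Mercurial.
# HG_HOST and OUT_DIR are assumptions; override them for a real server.
set -eu

make_self_signed() {
    # $1 = server host name (goes into CN and subjectAltName), $2 = output dir
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # Minimal non-interactive openssl config. The SAN matters: modern clients
    # match the host name against subjectAltName, not only the CN.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    # umask 077 in a subshell: the private key is never world-readable, not
    # even for the instant between creation and chmod.
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/https.key" -out "$dir/https.crt" 2>/dev/null )
    chmod 600 "$dir/https.key"
    chmod 644 "$dir/https.crt"
}

key_matches_cert() {
    # $1 = key, $2 = certificate. Returns 0 when the certificate carries the
    # public half of this private key.
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

cert_has_san() {
    # $1 = host name, $2 = certificate. Returns 0 when a DNS SAN for $1 exists.
    openssl x509 -in "$2" -noout -text | grep -q "DNS:$1"
}

cert_fingerprint() {
    # Prints "sha256:aa:bb:..." (lower-case, colon separated) for certificate $1.
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f' | sed 's/^/sha256:/'
}

hgrc_snippet() {
    # $1 = host name, $2 = certificate. Paste the output into the client's ~/.hgrc
    # (Mercurial 3.9+); the client then accepts exactly this certificate.
    printf '[hostsecurity]\n%s:fingerprints = %s\n' "$1" "$(cert_fingerprint "$2")"
}

HG_HOST="${HG_HOST:-hg.example.com}"   # assumed server name
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"     # copy https.key/https.crt to /srv/hg as root

make_self_signed "$HG_HOST" "$OUT_DIR"
key_matches_cert "$OUT_DIR/https.key" "$OUT_DIR/https.crt"
cert_has_san "$HG_HOST" "$OUT_DIR/https.crt"
echo "key and certificate written to $OUT_DIR (key mode 600)"
hgrc_snippet "$HG_HOST" "$OUT_DIR/https.crt"
```

Copy https.key and https.crt to /srv/hg as root, keep the key at mode 600, and put the printed [hostsecurity] lines into the ~/.hgrc of every client (clients older than Mercurial 3.9 use [hostfingerprints] with the SHA-1 fingerprint instead). The fingerprint changes whenever the certificate is regenerated, so it has to be redistributed then.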

P.S. To use both http and https, read some more.
