My guide on setting up a Mercurial server left us with http as the protocol of choice. This might be OK on a local network, but https would be a more comfortable choice. This post starts with an already running Mercurial server on Ubuntu.
Apache comes with an https module, which has to be enabled:
$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Before restarting Apache we need to create a few things (key, certificate signing request, certificate), and the easiest way is to create them ourselves (write whatever you want for organization details):
$ openssl genrsa -out https.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
......++++++
e is 65537 (0x10001)
$ openssl req -new -key https.key -out https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
$ openssl x509 -req -days 36500 -in https.csr -signkey https.key -out https.crt
Signature ok
subject=...
Getting Private key
Once the keys are created, we must enter the following lines in “/etc/apache2/sites-available/hg” (I left the other stuff in for clarity):
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/hg/cgi-bin
    <Directory "/srv/hg/cgi-bin/">
        SetHandler cgi-script
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hg.log
    <Location />
        AuthType Basic
        AuthName "Mercurial"
        AuthUserFile /srv/hg/.htpasswd
        Require valid-user
    </Location>
    RewriteEngine on
    RewriteRule (.*) /srv/hg/cgi-bin/hgweb.cgi/$1
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /srv/hg/https.crt
    SSLCertificateKeyFile /srv/hg/https.key
</VirtualHost>
With this we are ready for a restart:
$ /etc/init.d/apache2 restart
 * Restarting web server apache2
[warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting [warn] NameVirtualHost *:80 has no VirtualHosts
After these changes Mercurial is listening ONLY on https. Since we made a self-signed certificate, the browser will complain about verification, but that is quite normal.
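The key and certificate steps above, redone as an added example that is not part of the original post: it uses a 2048-bit key (1024-bit RSA is no longer considered adequate), keeps the key file owner-only, confirms the certificate really carries that key, and prints the SHA-256 fingerprint to compare against the one shown in the browser warning. The function names and the host name hg.example.test are made up for illustration, and `-addext` assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example: function names and hg.example.test are hypothetical.

# make_cert DIR CN: write DIR/https.key (2048-bit RSA) and a self-signed
# DIR/https.crt whose subjectAltName carries the host name.
make_cert() {
    dir=$1 cn=$2
    # umask 077 in a subshell: the key is never readable by group/other
    ( umask 077 && openssl genrsa -out "$dir/https.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$dir/https.key" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" -out "$dir/https.crt"
}

# key_matches_cert DIR: succeed only if the certificate contains the public
# half of https.key (catches a key/certificate mix-up before Apache restarts).
key_matches_cert() {
    k=$(openssl pkey -in "$1/https.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/https.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_bits DIR: print the size in bits of the key inside the certificate.
key_bits() {
    openssl x509 -in "$1/https.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_fingerprint DIR: print the certificate's SHA-256 fingerprint.
cert_fingerprint() {
    openssl x509 -in "$1/https.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo in a throwaway directory (constructed input, nothing under /srv/hg).
demo=$(mktemp -d)
if make_cert "$demo" hg.example.test && key_matches_cert "$demo"; then
    echo "key size:    $(key_bits "$demo") bits"
    echo "fingerprint: $(cert_fingerprint "$demo")"
fi
rm -rf "$demo"
```

Hand the printed fingerprint to users through a channel other than the server itself, so they have something to compare before accepting the self-signed certificate.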
P.S. To use both http and https, read some more.