I would like to set up SCM-Manager over HTTPS. I have made an installation on Debian. I use SCM-Manager with a local IP and over HTTP. Nginx is the proxy and transforms the requests into HTTPS.
proxy_pass http://127.0.0.1:8080;
proxy_redirect http://127.0.0.1:8080 https://repo.mydomain.org;
proxy_set_header X-Forwarded-Proto https;
include /etc/nginx/proxy.conf;
Here is the SCM configuration:
<base-url>https://repo.mydomain.org/</base-url>
server-config.xml => <Set name="contextPath">/scm</Set>
=> <Set name="forwarded">true</Set>
=> <SystemProperty name="jetty.host" default="127.0.0.1" />
Everything works fine, but I have a mistake when I want to see a diff or a file. The URL to get the content is still on HTTP instead of HTTPS. Here is the output from the different browsers (Firefox, Chrome, IE):
From Chrome:
Mixed Content: The page at 'https://repo.mydomain.org/#contentPanel;BQPsols4p3;null;trunk/init.php;content' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://repo.mydomain.org/api/rest/repositories/BQPsols4p3/content/?path=trunk/init.php&_dc=1470349149784'. This request has been blocked; the content must be served over HTTPS.
Why does the system try to get the data over HTTP instead of HTTPS?
Another small mistake is that the software tries to get these language scripts, but they don't exist on the server.
/resources/moment/lang/fr.js
/resources/extjs/i18n/ext-lang-fr.js
/resources/js/i18n/fr.js
/resources/moment/lang/fr.js
/resources/extjs/i18n/ext-lang-fr.js
/resources/js/i18n/fr.js
How to remove these 404s?
EDIT
Here is the complete configuration of Nginx:
user www-data;
#worker_processes auto;
worker_processes 4;
worker_rlimit_nofile 20480;
pid /run/nginx.pid;
events {
    worker_connections 8192;
    use epoll;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile off;
    tcp_nopush off;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    client_body_timeout 60s;
    client_header_timeout 60s;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    ssl off;
    upstream scm {
        server 127.0.0.1:8080;
    }
    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;
    ##
    # Virtual Host Configs
    ##
    server {
        listen 80 default;
        server_name _;
        #access_log /var/log/nginx/host.access.log main;
        location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|mov|swf|dcr)$ {
            root /home/www/public_html;
            access_log off;
            expires 30d;
        }
        location / {
            root /home/www/public_html;
        }
        location ~ /\.ht {
            deny all;
        }
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }
    include /etc/nginx/sites-enabled/*;
}
Site enabled (latest config test):
server {
    listen 80;
    server_name repv.mydomain.org;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name repv.mydomain.org;
    #access_log /var/log/nginx/host.access.log main;
    error_log /var/log/nginx/error.log;
    ssl on;
    ssl_certificate /home/ssl/letsencrypt/live/repv.mydomain.org/fullchain.pem;
    ssl_certificate_key /home/ssl/letsencrypt/live/repv.mydomain.org/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/ssl/letsencrypt/live/repv.mydomain.org/fullchain.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_dhparam /home/ssl/private/dhparams.pem;
    location / {
        rewrite ^([^.]*[^/])$ http://$host$1/ permanent;
        proxy_pass http://scm;
        include /etc/nginx/proxy.conf;
        proxy_redirect http://scm https://repv.mydomain.org;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ctx "";
    }
}
And the proxy.conf:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_hide_header X-Powered-By;
client_max_body_size 20m;
client_body_buffer_size 1024k;
send_timeout 90;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 16k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_buffering on;
proxy_http_version 1.1;
EDIT 2
I have tried to switch to HTTP. But I have the same problem. When I want to view a file or a diff, I have the message "The resource could not be found". The reason is that the called AJAX resource returns a 404 error with no content.
Example: "http://repo.mydomain.org/api/rest/repositories/BQPsols4p3/content/?path=trunk/init.php&revision=30&_dc=1472061397498" returns a 404... ; and the same for raw view "http://repo.mydomain.org/api/rest/repositories/BQPsols4p3/content/?path=trunk/init.php&revision=30" returns a 404.
Can you help me to find the problem?
Thank you for your help,
Stéphane
I found the way to have all the stack working.
First, I have removed the line from Nginx:
rewrite ^([^.]*[^/])$ http://$host$1/ permanent;
Next, I have changed the rights on my SVN files '/home/local/svn' with a 'chown -Rc scm:scm /home/local/svn'.
And finally, as I migrate from an old SVN server 1.6, I have activated the Pre 1.6 option in SCM Manager (don't forget to reboot your server).
All works fine for now!
Hope this can be helpful for someone :)
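The rewrite line removed in the fix above sat in the `listen 443 ssl` server block and redirected to an `http://` URL. The following is an added example, not part of the original post: a small check that flags `rewrite`, `return` and `proxy_redirect` directives pointing clients at `http://` inside TLS server blocks. The names `find_downgrades`, `redirect_target` and `SAMPLE` are hypothetical, and the parser assumes one directive or brace per line.

```python
# Constructed sample modelled on this thread's site config; one directive per line assumed.
SAMPLE = r"""
server {
    listen 80;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    location / {
        rewrite ^([^.]*[^/])$ http://$host$1/ permanent;
        proxy_pass http://scm;
        proxy_redirect http://scm https://repv.mydomain.org;
    }
}
"""

def redirect_target(name, args):
    """Client-facing URL argument of a redirecting directive, or ''."""
    if name in ("rewrite", "proxy_redirect") and len(args) >= 2:
        return args[1]  # second argument is the replacement sent to the client
    return args[-1] if name == "return" and args else ""

def find_downgrades(conf):
    """List (line_no, text) of http:// redirects found in TLS server blocks."""
    findings, pending = [], []
    depth, server_depth, is_tls = 0, None, False
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        words = line.rstrip(";{").split()
        if line.endswith("{"):
            depth += 1
            if words[:1] == ["server"] and server_depth is None:
                server_depth, is_tls, pending = depth, False, []
        elif line == "}":
            if depth == server_depth:  # server block closes: report if it was TLS
                findings += pending if is_tls else []
                server_depth = None
            depth -= 1
        elif words and server_depth is not None:
            name, args = words[0], words[1:]
            if name == "listen" and ("ssl" in args or any(a.endswith("443") for a in args)):
                is_tls = True
            target = redirect_target(name, args).strip("\"'")
            if target.lower().startswith("http://"):
                pending.append((no, line))
    return findings

print(find_downgrades(SAMPLE))
```

Only the `rewrite` line is reported; the `proxy_redirect` line passes because its replacement is `https://`, and `proxy_pass` to the local upstream is not a client-facing redirect.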