trx last won the day on December 21 2017

  1. Sure.

     A few small considerations before you start:

     • I've only tested it for Ubuntu 16.04 LTS (but it should work for any Linux with nginx and plasticSCM support).
     • Try it out in a testing environment first (as usual).
     • Make sure you have an SSL certificate (a signed certificate from a CA is usually the better way than a self-signed one; it can prevent a lot of annoying troubles).
     • Make sure you have the port you want to use open in your firewall (I forgot that so many times).
     • If your plastic server is on the same machine as nginx, you of course need to choose another port than the one from the webadmin server (7178).
     • If you have Apache or any other webserver running on your machine, you probably want to decide if nginx or Apache listens to the standard ports (80, 443 etc.). I don't have Apache so I can't tell you, but there are a lot of instructions online on how to do it.
     • Just to make sure: the SSL communication is only between the user (browser) and the nginx server; nginx proxy passes to the webadmin server via http. As long as both are on the same server it's not a huge security problem.

     NGINX (https://nginx.org/en/)

     I don't want to go too deep into nginx, as it would be a long story in itself, but anyway, a few small steps if you haven't set up nginx and SSL yet:

     • If you haven't, install nginx on your server (Ubuntu: apt-get install nginx; any other see: https://nginx.org/en/linux_packages.html).
     • For the basics: https://nginx.org/en/docs/beginners_guide.html (try out the basics first before you implement SSL to see if everything works).
     • SSL configuration in nginx is a bit tricky: I used https://mozilla.github.io/server-side-tls/ssl-config-generator/ for the basic configuration.
     • You may have to prepare your SSL certificate for use in nginx (your CA will usually provide instructions on how to do it).

     When you have set up nginx, now comes the easy part:

         location / {
             proxy_pass http://localhost:7178;
         }

     will forward the incoming request to your locally running plasticSCM webadmin GUI. I have not set any header_set as it seems to work that way.

     My nginx configuration:

         server {
             listen 80 default_server;
             listen [::]:80 default_server;

             ## replace that with your incoming domain or ip
             server_name my.domain.name;

             # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
             return 301 https://$host$request_uri;
         }

         server {
             ## I use here another port, as I already used the 443 port
             listen 443 ssl http2;
             listen [::]:443 ssl http2;

             ## replace that with your incoming domain or ip
             server_name my.domain.name;

             # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
             ssl_certificate path/to/ssl-bundle.crt;
             ssl_certificate_key path/to/my_domain_name.key;
             ssl_session_timeout 1d;
             ssl_session_cache shared:SSL:50m;
             #ssl_session_tickets off;

             # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
             ssl_dhparam /etc/nginx/ssl/dhparam.pem;

             # intermediate configuration. tweak to your needs.
             ssl_protocols TLSv1.2;
             ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
             ssl_prefer_server_ciphers on;

             # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
             add_header Strict-Transport-Security max-age=15768000;

             # OCSP Stapling ---
             # fetch OCSP records from URL in ssl_certificate and cache them
             ssl_stapling on;
             ssl_stapling_verify on;

             ## verify chain of trust of OCSP response using Root CA and Intermediate certs
             ssl_trusted_certificate path/to/ssl_trusted_cert_bundle.key;

             location / {
                 proxy_pass http://localhost:7178;
             }

             ## This does not work yet as I cannot set any base path in the plasticSCM webadmin server
             #
             # location /plastic {
             #     proxy_pass http://localhost:7178;
             # }
             ##
         }

     I use a dedicated SSL port for the webadmin as I already use the 443 port for other services, and because you cannot set any base path in the webadmin server I cannot use any sub locations.

     If you use the standard 443 port I highly recommend you use the http to https redirect (at the beginning of the file) to prevent any unsecured http connection on port 80.

     Hope that helps.

     Best,
     Fabian
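Added example, not part of the original post: a small Python check for the points the post above relies on (plaintext `proxy_pass` only to the same machine, TLS 1.2 only, HTTP to HTTPS redirect, HSTS), which also flags the kind of protocol change described in the Jira post further down, where TLSv1 was added to `ssl_protocols`. The `audit` and `directives` helpers are hypothetical names, the sample is constructed from the post's directives, and the regex is a simplification rather than a full nginx parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the post's two server blocks, cut down to the directives checked here.
SAMPLE = """
server {
    listen 80 default_server;
    server_name my.domain.name;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name my.domain.name;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
    location / { proxy_pass http://localhost:7178; }
}
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Return (name, args) for every simple 'name args;' directive, comments stripped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"([A-Za-z_]+)\s+([^;{}]+);", conf)]

def audit(conf):
    """Check the points the post raises; return a list of findings (empty = none)."""
    d, findings = directives(conf), []
    enabled = {a for name, args in d if name == "ssl_protocols" for a in args}
    weak = sorted(enabled & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocol enabled: " + ", ".join(weak))
    for name, args in d:
        if name == "proxy_pass" and args:
            u = urlparse(args[0])
            if u.scheme == "http" and u.hostname not in LOOPBACK:
                findings.append(f"plaintext proxy_pass to non-loopback host: {u.hostname}")
    if not any(n == "return" and a[:1] == ["301"] and a[-1].startswith("https://") for n, a in d):
        findings.append("no HTTP to HTTPS redirect")
    if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"] for n, a in d):
        findings.append("no HSTS header")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

The checks are file-wide rather than per `server` block, so a config with several virtual hosts needs each block audited separately.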
  2. Okay! I was able to make it work. I was trying to use a sub location (servername.com/plasticscm/) with the standard https port, but without the possibility to set a base path in the plastic webadmin it didn't work. Now I'm using a different port and it seems to work. Thanks anyway.
  3. Hi. As far as I know the webadmin page cannot be accessed via https / SSL yet. As I'm currently running my plasticscm on a Linux server with nginx handling all incoming requests (and requiring SSL for all ports), I was trying to get access to the webadmin via proxy forwarding (internally nginx connects normally, in a non-SSL way, to the webadmin server). Unfortunately the webadmin server does not accept this somehow (I get a 404). I assume the webadmin server blocks proxy requests, but it could also be that my nginx config is not properly set up. Or do I have to wait until the webadmin supports SSL certificates? Best, Fabian
  4. trx

    Connection Problem to Jira via SSL

    So I got it running now! Had to change two things: It seems that it is not working with TLSv1.2 or TLSv1.1. I added TLSv1 to the ssl_protocols in nginx and I suddenly got a 404 error on connection (so I knew at least I got a connection to the server). The second part was that the hostname in the plasticSCM Jira settings had a path after the port (https://xxx.xxxxx.xx:443/jira), so I moved the /jira to the REST URL (/jira/rest/api/2/). Seems like the path after the port is ignored or cut away. And voilà, it worked. Thanks again!
  5. trx

    Connection Problem to Jira via SSL

    Unfortunately it didn't work, but at least I now get an error: An existing connection was forcibly closed by the remote host. Could it be that it has something to do with us having the Jira server behind an nginx reverse proxy that has pretty straight security rules for SSL/TLS connections (only allows TLSv1.2)? plastic20170807-15.log.txt
  6. trx

    Connection Problem to Jira via SSL

    Attached the file with header and JSON response. Best, Fabian. jiraAPIStatus.txt
  7. trx

    Connection Problem to Jira via SSL

    Here you go. Thank you for the quick reply. Best, Fabian. plastic20170804-15.log.txt jira.conf
  8. Hi! I try to establish a connection to Jira (self hosted) via an SSL connection on port 443. I always get an error: Test Connection failed. Please Review the entered values.

     The plastic log only shows me these messages:

         2017-08-04 13:39:20,805 ERROR jiraextensionrest - Could not get the statuses from the JIRA server: The underlying connection was closed: An unexpected error occurred on a send.
         2017-08-04 13:39:20,805 DEBUG jiraextensionrest - Stack trace:
            at System.Net.HttpWebRequest.GetResponse()
            at Codice.Client.IssueTracker.Jira.JiraRestClient.GetResponse(HttpWebRequest request)
            at Codice.Client.IssueTracker.Jira.JiraRestClient.GetStatuses()

     I'm pretty sure the host settings and the rest of the settings are correct, as I can get access via the API through a browser or curl (also SSL). The host name goes something like this: https://my.jiraserverdomainname.com:443/jira

     plastic version:
     jira version: 7.3.2

     Thank you,
     Fabian
  9. Is there any news or time-frame when plasticSCM will support ubuntu 16.04 new apt-get version?
  10. Okay, it worked and now also makes sense, thanks! Btw, is there a way to easily start/restart the OSX plasticserver (like on Linux/Windows)? I'm using the package installer. And yes, I'm from the Birdly team. Thanks!
  11. I am trying to run a PlasticSCM server on my OSX 10.11 (El Capitan) laptop which syncs per SSL to my work server. Without SSL it's no problem. When I try to access per SSL it shows an error in the sync replication view: 'Error: Only the server administrator can accept a certificate on the server'. At the same time the console logs:

          21.10.15 23:52:21.489 sandboxd[28676]: ([39948]) macplastic(39948) System Policy: deny file-write-create /usr/share/.mono

      Maybe a problem with the rootless feature? Or I'm not capable of putting the certificate at the right place under OSX ^^ Thanks!