Feature #2579
closed
Configure SSL schema for "private" actions.
0%
Description
Right now I have my entire Redmine installation hosted on an SSL-enabled vhost in Apache2. I have a mod_rewrite rule for anything on port 80 to redirect to the SSL-enabled vhost. This is largely overkill, but I wanted to protect any page with private information. Enumerating all the possible URLs for this and drafting mod_rewrite rules is a lengthy and error-prone process.
What I would like to see is a project setting for enabling SSL for "private" actions. Private here meaning user privacy and not a language-level construct. All this option would do is enable the creation of SSL links for these actions or internally redirect to the same URL with the HTTPS schema. The SSL portion would still be handled at the web server level.
For whatever it's worth, that's what I thought the "Protocol" setting would do when I first started with Redmine. It wasn't until later that I realized it was for email links.
Related issues
Updated by Go MAEDA over 7 years ago
- Related to Feature #24763: Force SSL when Setting.protocol is "https" added
Updated by Holger Just about 2 months ago
- Status changed from New to Closed
- Resolution set to Wont fix
All actions are private in the end (or none are) as session information is transmitted along with the data and attackers who can intercept the data could also intercept active sessions.
As such, it is currently best practice to use and enforce https for all of Redmine. Increased resource consumption for TLS is usually not an issue in the current times.
Updated by Kevin Menard about 2 months ago
Holger Just wrote in #note-2:
All actions are private in the end (or none are) as session information is transmitted along with the data and attackers who can intercept the data could also intercept active sessions.
As such, it is currently best practice to use and enforce https for all of Redmine. Increased resource consumption for TLS is usually not an issue in the current times.
Thanks. It's been a while, but I believe this issue predated Redmine's option for enforcing HTTPS. I agree that everything should be SSL now. It was fashionable at the time to use non-SSL for things like unauthenticated issue displays (IIRC, for search engine indexing). I'm happy we've finally embraced SSL universally.