You care about being compliant with various regulatory regimes that say you can’t ever remember private 172.16.x.x IP addresses and say them out loud (or write them down); and yet they will happily use WinZip to password-protect a zip file with an easy-to-remember password (sometimes, to maintain “compatibility”, they use encryption that can be extracted by earlier versions).
If we cared about security, then we would be validating the client’s certificate (so you wouldn’t need password-based access to your Mercurial repositories), and you would be installing a valid certificate onto your server: you know, the type signed by a root CA like Verisign or Thawte and all that.
None of that matters; we have established that we only care that the traffic is encrypted. This secures Apache with a self-signed certificate and builds on Mercurial/HTTP using password authentication. It’s basically just a list of things you could cut and paste; if you are using cut and paste, then do vanilla HTTP first.
First of all, we need to generate some certificates. openssl is probably installed if it’s a standard CentOS 5.6; there are other ways of generating certificates, but openssl is pretty quick and simple.
Once all that’s done, you can create your SSL virtual host.
Snap! You’re now able to clone the selfsame repository as last time, only using an HTTPS URL. Of course, you know that you’re using a self-signed certificate, and nothing will trust it by default…
Nevertheless, your traffic is now encrypted yet still insecure.
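
As an added example (not the author's own commands), the script below generates a self-signed certificate with openssl and prints an hgrc stanza that pins its SHA-256 fingerprint, so a Mercurial client can tell this server's certificate from anyone else's. Assumptions: the host name and file names are constructed, and the `[hostsecurity]` section needs Mercurial 3.9 or later (older clients use `[hostfingerprints]` with a SHA-1 fingerprint instead).

```shell
#!/bin/sh
# Added example: self-signed certificate plus a client-side fingerprint pin.
# File names, host name and lifetime are assumptions, not values from the post.

# make_self_signed DIR CN [DAYS]: writes DIR/server.key and DIR/server.crt.
make_self_signed() {
    dir=$1; cn=$2; days=${3:-365}
    (
        umask 077   # keep the private key unreadable by group and others
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" -subj "/CN=$cn" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# cert_fingerprint CRT: prints the SHA-256 fingerprint of the DER-encoded
# certificate as colon-separated upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# hgrc_pin HOST CRT: prints an hgrc stanza that makes hg accept only the
# certificate in CRT when talking to HOST.
hgrc_pin() {
    printf '[hostsecurity]\n%s:fingerprints = sha256:%s\n' \
        "$1" "$(cert_fingerprint "$2")"
}

# Run as: sh pin.sh hg.example.test   (constructed host name)
if [ -n "${1:-}" ]; then
    out=$(mktemp -d)
    make_self_signed "$out" "$1" && hgrc_pin "$1" "$out/server.crt"
    echo "# key and certificate written to $out"
fi
```

Compute the fingerprint on the server and carry it to the client out of band; a fingerprint read off the first HTTPS connection proves nothing about who answered it.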