What is considered best practice for allowing users from the internet who are not company related to have access to Trac and SVN?
Should it be on a DMZ, or should it be internal with some form of SSH connection, or should it use HTTPS?
If you were to do it and were paranoid about security, what would be the best-practice list, assuming a basic firewall on the WAN? Should the server be on its own leg of the network, like a perimeter zone (away from internal users too, double firewalled)?
Thanks in advance.
Assuming you are paranoid indeed [aka the overkill scenario]:
If limiting access to #1 to an explicit list of IP ranges is not an option, consider some form of gatekeeper, again to avoid blind attacks.
At the proxy level, consider using:
It depends on what your budget is.
Try a firewall in front allowing only HTTPS access, with two-way SSL on the Apache side of things.
If I were doing it, I'd put Trac on a box outside the main corporate firewall, but put in firewall rules on it to block access to anything but SSH (for me) and HTTP (for everyone else).
Another option might be to ask yourself: should we be hosting this at all? Would it work better at SourceForge, savannah.{non}gnu.org, or GitHub?
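The two answers above (a firewall that only lets HTTP(S) through, and a box outside the corporate firewall with host rules that allow SSH only for the admin) describe the same host-level firewall. Here is an added example of those rules as an iptables script; it is not code from either answer. It assumes iptables as the firewall, a placeholder admin range (203.0.113.0/24, a documentation prefix), and that the only public services are HTTPS plus port 80 for a redirect to HTTPS. Setting IPT=echo prints the rules instead of applying them, which is also how you review them before running as root.

```shell
#!/bin/sh
# Added example, not from the original thread: host firewall for a Trac/SVN box
# placed outside the corporate firewall. Assumptions (placeholders): iptables is
# the firewall, the admin connects over SSH from ADMIN_NET (a documentation
# range here), and everyone else gets only HTTP(S). Set IPT=echo to print the
# rules instead of applying them (applying needs root).

IPT="${IPT:-iptables}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

apply_host_firewall() {
    admin_net="$1"
    # Default deny on everything inbound and forwarded; only the rules below open a port.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Drop packets that belong to no known connection before any service sees them.
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # SSH only from the admin range ("for me"); nothing from the open internet.
    "$IPT" -A INPUT -p tcp --dport 22 -s "$admin_net" -m conntrack --ctstate NEW -j ACCEPT
    # HTTPS for everyone; port 80 is open only so Apache can redirect to HTTPS.
    "$IPT" -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Log what falls through to the DROP policy, rate limited so a scanner
    # cannot fill the disk with log lines.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Same rules, printed rather than applied, so they can be reviewed first.
dry_run_host_firewall() { (IPT=echo; apply_host_firewall "$1"); }

if [ "${1:-}" = "--apply" ]; then
    apply_host_firewall "$ADMIN_NET"
fi
```

If a separate firewall in front already restricts the box to HTTPS, drop the port 80 rule entirely; the two-way SSL (client certificate) check belongs in the Apache virtual host, where the firewall cannot see it.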
A standard server with HTTPS access only is a pretty secure solution, with a limited number of open ports, etc.
A paranoid configuration could be VPN (for example OpenVPN) access for users outside of the company. Trac and SVN would only be accessible from your private network and from the VPN. User access to the VPN would be secured by certificates issued by you. And of course no other server or internal network would be accessible from the VPN.
This solution is of course only possible if the set of people from outside the company is pretty stable and not too big. If the number of those users and the specific people change, then the first solution, with HTTPS access and a well set up firewall, is really the only one (and it is used by a lot of people and companies).
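As an added example of the VPN setup described in the answer above (not the answer's own configuration), here is an OpenVPN server config plus the forwarding rules that make "nothing else is reachable from the VPN" actually true. Everything concrete is an assumption: the VPN pool 10.8.0.0/24, a Trac/SVN host at 10.8.1.10 behind the VPN server, keys and the CRL in /etc/openvpn/server, directive names as in OpenVPN 2.4 and later, and iptables for forwarding. Issuing the CA and client certificates is left out; ca.crt, server.crt, server.key, dh.pem, ta.key and crl.pem are assumed to exist.

```shell
#!/bin/sh
# Added example, not from the original thread: OpenVPN server for the "paranoid"
# setup, where outside users reach Trac/SVN only through a VPN authenticated by
# certificates you issue. Assumptions (placeholders): VPN pool 10.8.0.0/24, the
# Trac/SVN host at TRAC_HOST behind the VPN server, iptables for forwarding.
# Set IPT=echo to print the forwarding rules instead of applying them.

IPT="${IPT:-iptables}"
TRAC_HOST="${TRAC_HOST:-10.8.1.10}"

# Write server.conf into directory $1 for Trac host $2; prints the file path.
write_openvpn_server_conf() {
    dir="$1"; trac_host="$2"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

# Certificates issued by your own CA; every client needs a cert signed by it.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Encrypt and authenticate the control channel with a pre-shared key, so the
# TLS handshake is not even exposed to anyone without ta.key (no blind probing).
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Only accept certs marked as client certs (a leaked server cert cannot be
# reused as a client cert) and honour revocations when someone leaves.
remote-cert-tls client
crl-verify crl.pem

# Push only the route to the Trac/SVN host: no default route, no LAN routes,
# and no peer-to-peer traffic between VPN users.
push "route $trac_host 255.255.255.255"

keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
    echo "$dir/server.conf"
}

# Pushed routes are only advice to the client; a client can add its own. The
# VPN server's forwarding rules are what enforce that only Trac/SVN is reachable.
apply_vpn_forward_rules() {
    trac_host="$1"
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i tun0 -d "$trac_host" -p tcp --dport 443 -j ACCEPT
    "$IPT" -A FORWARD -i tun0 -j DROP
}

dry_run_vpn_forward_rules() { (IPT=echo; apply_vpn_forward_rules "$1"); }

if [ "${1:-}" = "--apply" ]; then
    write_openvpn_server_conf /etc/openvpn/server "$TRAC_HOST"
    apply_vpn_forward_rules "$TRAC_HOST"
fi
```

When an outside user leaves, revoke their certificate and regenerate crl.pem; with crl-verify in place the server rejects the revoked cert at the next connection without touching anything else.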