Setting Up Subversion for One or Multiple Projects
Deploying a secure and manageable Subversion installation that uses Apache 2.0 as a central authentication checkpoint and SSL for data integrity and confidentiality.
The history of versioning systems is quite extensive. They have proven to be
effective during the many stages of project development, from source code management to documentation and publishing. In
the Open Source community, the Concurrent Versioning System (CVS)
has become the standard in the development process, being an
essential tool to coordinate the efforts of tens to hundreds of
developers around the world.
After many years' worth of success stories, however, CVS has begun to show
problems, mostly related to security and to the lack of such important
features as atomic commits. Recently, many CVS-replacement candidates
have begun to appear on the scene. Some of them still are immature for
critical deployments, while others propose radically new approaches,
making them inadequate for a smooth migration.
Among this plethora of new players, Subversion is receiving the
attention of many open-source developers due to its robustness,
similarity to CVS and innovative architecture. Having recently marked its 1.0 version release, Subversion
is being used in many open-source projects, including SpamAssassin, the Linux 1394 FireWire support project and the SILO Sparc Boot
loader.
As with any new toy that comes into a system administrator's hands,
security is the first concern when dealing with Subversion. The good news is Subversion has been developed in
these hard times, in which few can be trusted. Subversion
takes the smart approach of coupling with the Apache Web Server and delegating many security functions to Apache. This approach
has many advantages:
- Apache is a mature and well understood platform for handling
security functionalities, such as authentication, access control,
confidentiality and so on. - Apache is monitored strictly for security bugs: response times to
a new vulnerability are very low. - Apache adopts many of the most recent standards, making it an
always current platform. - Apache often is present in the established network infrastructure, so there's
no need to open new network ports and adapt your firewall
accordingly. - Apache's flexibility in log management eases the task of
security auditing, which can be accomplished using well-known
tools.
In this article I deal with a complex Subversion repository
deployment and show how security concerns can be addressed from a
system administrator's point-of-view.
Environment Description and Requirements
Our task is to deploy a Subversion repository for our projects; it must
be accessible both from our internal network and the Internet. Our
organization already runs an Apache Web Server, so we will use it as our
gateway to the repository. Thus, the Subversion configuration must meet the following
requirements:
- We want to host multiple projects in the repository, grouped as
public and private. - We want our developers to have unlimited access the projects in
which they are involved from anywhere around the world. - We want other people to have read-only access to our public
projects.
Given these requirements, we must configure the Subversion server properly to
manage authentication, access control, data confidentiality
and integrity. But, in what form does the Subversion server come?
There's no unique answer to this question, but a common strategy is to build the
Subversion server as an Apache 2.0 shared module by extending
the built-in mod_dav.so Apache module. In such a configuration,
Apache takes care of many of the aforementioned security aspects,
so you don't need to learn another configuration language. Simply
adapt the familiar Apache configuration files to your new needs.
Even if Subversion requires Apache 2.0, this is a minor problem,
because you are not required to migrate your current Apache installation
to the 2.0 series. A simple and effective strategy consists of letting
the Apache 1.3 Web Server proxy any Subversion HTTP requests to the
Apache 2.0 Web Server. You can migrate your Apache 1.3 installation at
a later time or never migrate if you aren't forced to.
Figure 1 illustrates the environment with which we are working. Subversion clients
connect to the server from the Internet or from a trusted subnetwork.
Here the term "trusted" means passwords won't be sniffed either
because we trust users or because we adopted other countermeasures.
The HTTP request--possibly sent over a secure channel--enters the
server and contains DAV methods from the Delta-V extensions. Then,
Apache 1.3 proxies the request to the Apache 2.0 Web Server, which
begins the examination. The user issuing the request is authenticated
via plain HTTP authentication or through the use of client-side
certificates. Then, an access-control decision is taken and the access
control rules are enforced. Accepted requests are passed to the
Subversion module, which generates a response.
Figure 1. Our Subversion EnvironmentInstallation
Before installing Subversion, we need to install the Apache 2.0 Web
Server. So, download and unpack the source tarball and start the
configure script:
sackville httpd-2.0.49 # ./configure --enable-mods-shared=most
The command-line option enables most of the Apache modules,
building them as shared modules. You may need to fine tune the command-line
options to include (or exclude) more modules; for example, you
may need LDAP modules to authenticate against an LDAP server. To
install the Apache Web Server, issue a make && make install.
Next, grab the latest Subversion source tarball, unpack the sources and start the configure script:
sackville subversion-1.0.1 # ./configure
--with-apxs=/path/to/apache2/bin/apxs \
--with-ssl
The option -with-apxs may not be required if you installed Apache2 in
a default location. Likewise, the option -with-ssl is not needed if
you plan to install a server-only Subversion, because SSL support is
provided by Apache's built-in mod_ssl.so module. In addition you may
need to specify locations for your shared libraries. In particular,
many users seem to have trouble with the Berkeley DB libraries.
Carefully read the Subversion users' mailing list if you encounter
problems.
Issue make && make install to build and install mod_dav_svn.so
modules. If everything went well, you'll find mod_dav_svn.so among your
modules.
Configuration
The Subversion installation process should have created the proper
entries in your Apache configuration file to activate the
mod_dav_svn.so module. In addition, you should see entries for a
mod_authz_svn.so module; it's part of the access control machinery of
Subversion and we'll take a look at it later.
In our setup, Apache2 must reside side by side with Apache1, so we need
to tell Apache2 to listen to a port other than 80--assume it's the
8080 port. Because Apache2 is accessed through Apache1, you should
block that port in your firewall configuration or make Apache2 bind
to the loopback interface. The latter solution is better than the
former, because we don't need to rely on a firewall to drop incoming
connections from external hosts. You also should apply common security
tips to enhance Apache2 security, which I won't describe here. For
example, Apache with Subversion modules tends to be a little too
verbose in its error messages, showing version numbers for most
activated modules (SSL, DAV, Subversion and so on). Security purists
call this behaviour information leakage; to minimize it act on the
ServerTokens directive.
Now it's time to decide where the repository will live. We must answer
the following questions:
- Where in the Apache2 URL's space will our repository be
accessible? Because Apache2 is being used as a Subversion-only
server, we decide to have the server root be the root of our
repository. - Where in the server's filesystem is the repository physically located? We have no constraints here, so we choose /svn to
contain all the Subversion-related files. - Where in the external Apache1 URL's space will our repository live?
A common strategy is to put Subversion repositories in the
/svn directory.
The layout of the /svn directory thus is:
- /svn/conf: contains all the files needed for Apache2 and
Subversion to work, such as user authentication information,
access control policies and so on. - /svn/repository: contains two subdirectories for public
and private projects. Inside each subdirectory we create a
project using svnadmin's create command.
In the Apache2 httpd.conf file we add the following lines:
<IfModule mod_dav_svn.c> Include /svn/conf/mod_dav_svn.conf </IfModule>
Including the file /svn/conf/mod_dav_svn.conf, we centralize any
Subversion-related information in the same place, that is, the directory
/svn.
To proxy all the HTTP requests from Apache1 to Apache2, add the
following entry to your Apache1 configuration file:
Proxy /svn/ http://localhost:8080/
Default HTTP Policies
When defining the access control policy, we must distinguish plain HTTP
connections from HTTPS connections, because passwords are not protected
over a plain HTTP connection. In the following lines, we define the
default policy for HTTP connections. We add the following entries to the
/svn/conf/mod_dav_svn.conf file:
Include /svn/conf/public_default_policy.conf Include /svn/conf/private_default_policy.conf
Each *_default_policy.conf contains the default access control
policy for the corresponding project group. We want read-only HTTP
public access for public projects, so add the following lines to your
/svn/conf/public_default_policy.conf file:
<Location /public>
Dav svn # Tell Apache to use Subversion's own module
# for HTTP's Dav extensions.
SVNParentPath /svn/repository/public
<LimitExcept GET PROPFIND OPTIONS REPORT>
Order deny,allow
Deny from all
</LimitExcept>
</Location>
This configuration denies access to any HTTP method except GET,
PROPFIND, OPTIONS and REPORT, which are used during a read-only
session. If you have a trusted subnet (assume 192.168.0.0/24) you want
to allow write access from, you may change the above configuration
snippet to:
<Location /public>
Dav svn
SVNParentPath /svn/repository/public
<LimitExcept GET PROPFIND OPTIONS REPORT>
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
</LimitExcept>
</Location>
Notice, however, that if you don't add more access control rules to
restrict access, anyone connecting from the subnet 192.168.0.0/24 can
write to the repository. If you need strict user-based
access control, then I advise you not to use this default policy.
The access control policy for the private project group denies
access to anyone over an HTTP connection. The corresponding
configuration snippet you must put in your
/svn/conf/private_default_policy.conf is:
<Location /private>
Dav svn
SVNParentPath /svn/repository/private
Order deny,allow
Deny from all
</Location>
If you wish to allow access from the trusted subnet, use the
following:
<Location /private>
Dav svn
SVNParentPath /svn/repository/private
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
</Location>
Per-Project Configuration
To achieve greater granularity in the access control management, we
want to define separated policies for each project. The case in which
we have a trusted subnet will be analysed here because it's much more
involved. In this scenario we allow password-based authentication over
HTTP only from the trusted subnet. We specify the policy for each project in a separate file contained in
the /svn/conf/private and /svn/conf/public. To achieve this, add the
following lines to your /svn/conf/mod_dav_svn.conf file:
Include /svn/conf/policies/public/* Include /svn/conf/policies/private/*
Suppose we have foo and bar public projects. John and Bob are foo's
developers, while John and Mike are bar's developers. We want one
project's developers to have full access only to the project they
develop over HTTP from the trusted subnet. First of all, let's fill in
the users' password file:
sackville apache2 # bin/htpasswd -c /svn/conf/svnpasswd john ***** sackville apache2 # bin/htpasswd /svn/conf/svnpasswd bob ***** ....
Then, we create the users' group file: each project is associated with
a group whose name has the form (public|private)_projectname and
contains the users participating in the project:
public_foo: john bob public_bar: john mike
We save this file as /svn/conf/svngroups. The last operation consists
of associating a file in the /svn/conf/policies/public directory with a
project. foo's access control policy file is called
/svn/conf/policies/public/foo and contains the following lines:
<Location /public/foo>
<LimitExcept GET PROPFIND OPTIONS REPORT>
AuthType Basic
AuthName "Public Subversion repository for project Foo"
AuthUserFile /svn/conf/svnpasswd
AuthGroupFile /svn/conf/svngroups
Require group public_foo
</LimitExcept>
</Location>
We could move AuthType, AuthUserFile and AuthGroupFile to the default
policy file to avoid replication of configuration entries. We had to
add the Satisfy directive to require users to authenticate from the
trusted subnet during a read/write session. So modify your
public_default_policy.conf file in this way:
<Location /public>
Dav svn
SVNParentPath /svn/repository/public
<LimitExcept GET PROPFIND OPTIONS REPORT>
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
Satisfy all
</LimitExcept>
</Location>
The configuration for private projects is quite similar; we simply
discard any LimitExcept directive so the public_default_policy.conf
becomes:
<Location /private>
Dav svn
SVNParentPath /svn/repository/private
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
Satisfy all
</Location>
and the private project worldconquest's access control policy file is:
<Location /private/worldconquest>
AuthType Basic
AuthName "Private Subversion repository for project WorldConquest"
AuthUserFile /svn/conf/svnpasswd
AuthGroupFile /svn/conf/svngroups
Require group private_worldconquest
</Location>
HTTPS Configuration
Now it's time to consider HTTPS connections, which allow users around
the world to access the repository, granting password confidentiality
and data integrity over insecure channels such as the Internet. Apache
manages HTTPS in a separate virtual host space, which is set up using a
configuration like this one:
<VirtualHost _default_:443> ... </VirtualHost>
But which Apache are we talking about? External Apache1 or internal
Apache2 plus Subversion? Subversion clients using HTTPS can connect to the
external Apache1 Web server, of course, and try to establish secure
connections to it. So we must configure HTTPS for our external Apache1
Web server. There's no need for proxy requests to the internal Apache2
Web server to be delivered over a secure connection too, but because we
want to centralize access control policies in our Apache2 Web server,
we must provide a mechanism for Apache2 to discriminate proxy requests
coming from an external secure channel.
We use another port (assume 8081) to discriminate when an HTTP
request has been delivered to the Apache1 Web server using SSL. So
when an HTTP request hits Apache1 over SSL, it is proxied internally
in clear to port 8081, where Apache2 is listening. As usual, remember
to block incoming connections to port 8081 from external hosts or to
bind Apache2 to the loopback interface (or both).
In the Apache1 configuration file, add the following line to the SSL
virtual host directive:
Proxy /svn/ http://localhost:8081/
Now tell Apache2 to listen to port 8081, adding the following entry to
your httpd.conf file: Listen localhost:8081.
Now we must set up a virtual host environment for access through port
8081. The main difference with respect to HTTP connections is related
to source-based access control: using HTTPS connections we drop the
notion of trusted and untrusted subnet. HTTPS requests can arrive from
just anywhere.
Thus, the default policy files must include a VirtualHost directive for
the port 8081. Here's the one for public projects that we put in the
/svn/conf/public_default_policy.conf file:
<VirtualHost _default_:8081>
<Location /public>
Dav svn
SVNParentPath /svn/conf/repository/public
Order allow,deny
Allow from all
<LimitExcept GET PROPFIND OPTIONS REPORT>
Order deny,allow
Deny from all
Satisfy all
</LimitExcept>
</Location>
Include /tmp/LJ/policies/public/*
</VirtualHost>
As usual, using the Satisfy clause allows us to write access only to
authenticated users. In addition, we recycled the per-project
configuration files (see the Include directive) because they do not
depend on the source-based access control policy, but we can specialize
them for another purpose if we need to. The default policy for private
projects is similar:
<VirtualHost _default_:8081>
<Location /private>
Dav svn
SVNParentPath /svn/conf/repository/private
Order allow,deny
Allow from all
Satisfy all
</Location>
Include /tmp/LJ/policies/private/*
</VirtualHost>
Per-Directory Configuration
In the configuration section I mentioned the mod_authz_svn.so module,
created and installed by the Subversion installation process. This
module allows us to define the access control policy on a directory basis,
thus increasing the level of granularity.
Why do we need a separate module to take care of directory-based access
control? Couldn't we use Apache configuration primitives? The
problem here is the URL passed to Apache to access a repository, which
is of the form:
/public/foo/!svn/act/b2a07a33-85d9-0310-857b-b13ae1b9c55b
As we can see, only the project path and name is visible: the project's
accessed directory is hidden in the numeric code. Thus, we cannot
directly apply Apache Location-based access control primitives. The
solution consists of delegating directory access control to the
mod_authz_svn.so module, which is able to parse the numeric code and
identify the accessed directory.
The mod_authz_svn.so's access control policy is specified in a
plain-text file with a simple syntax. Here's the one we use
for our public projects (/svn/conf/policies/public_svn_authz):
[groups] foo = john, bob bar = john, mike [/] * = r [foo:/] @foo = rw [foo:/branch/john] bob = r [foo:/branch/bob] john = r [bar:/] @bar = rw
We first define the groups of users we want to specify the policy for,
then we list the access control rules. The one under the [/] section
specifies that any user can read the content of any project. For
each project (for example [foo:/]) we specify a global access control
policy, specifying it for the inner directories. There's
no need to specify an access control rule for user john in the
/branch/john directory, because it's inherited from the one in the upper-level
directory.
In addition, we had to specify again the different groups'
composition. We should avoid replication of such configuration
directives as a good security practice. This problem is solved simply
by removing any AuthGroupFile directive from the project configuration
files and changing the related Require directive to a Require
valid-user one, thus delegating group management to the
mod_authz_svn.so module.
At this point all that remains is to add the directive AuthzSVNAccessFile to
the default policy files in order to tell Apache that we intend to use the
mod_authz_svn.so module as an access control facility. To do so, we must specify its
configuration file. Here's the one for public projects:
<Location /public>
Dav svn
SVNParentPath /tmp/LJ/svn/repository/public
<LimitExcept GET PROPFIND OPTIONS REPORT>
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy all
</LimitExcept>
AuthzSVNAccessFile /tmp/LJ/svn/conf/public_svn_authz
</Location>
<VirtualHost _default_:8081>
<Location /public>
Dav svn
SVNParentPath /tmp/LJ/svn/repository/public
Order allow,deny
Allow from all
<LimitExcept GET PROPFIND OPTIONS REPORT>
Order deny,allow
Deny from all
Satisfy all
</LimitExcept>
AuthzSVNAccessFile /tmp/LJ/svn/conf/public_svn_authz
</Location>
Include /tmp/LJ/svn/conf/policies/public/*
</VirtualHost>
You may ask why we didn't use the mod_authz_svn.so module before. If we
hadn't any trusted subnets, we could throw away most of the Apache
access control machinery and rely solely on the mod_authz_svn.so, even
if this is true only from Subversion 1.0.1. But because mod_authz_svn.so's
access control strategy is user-based when in the scenario with a
trusted subnet, we need a mix of source-based access control and
user-based access control.
______________________
This week 5 lucky Members will receive a copy of The Official Ubuntu Server Book by Benjamin Mako Hill and Linux Journal's very own Kyle Rankin. No entry necessary. Check back here early next week to find out who the lucky Online Members are.
Comments
502 Bad gateway error could
502 Bad gateway error could be solved by adding in your httpd.conf,
RequestHeader edit Destination ^https http early
Source:
5. Enable DAV to work with Apache running HTTP through SSL...
http://httpd.apache.org/docs/2.2/mod/mod_headers.html
web based administration
If you're after a simple approach that has a web-based administration on the top, you may want to check out Atlassian Crowd.
permisions
Getting the svn permissions just right for my security has been a real pain. Anyone else have good solutions to work with svn security?
Problem with per-directory
I read the svn-book, but isn´t clear the paths when the Subversion is on windows. Another thing is that in your article the users are defined into Apache but in svn-book them are defined into a plain text, at least as far as I undertood. Right now I have a problem because I don't know how to write the path of the directory inside svn_authz file (repo:c:/path...) or ( repo:/c:/path...) or (repo:c:\path...) or (repo:c/path... and variants). By the other hand when I use the Apache users file nobody can access, and message "FORBIDDEN You don't have permission to access..." appear, after the first try, but if is the plain text users file as svn-book then nobody can access but after three tries or pushing cancel button then the message "Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required." appear. Multiple paths on svnsecur were used with the same results if the Require valid-user is set. If I use only the Apache users file everything works fine, but isn't I need.
My configuration is:
svnusers.conf //this is the plain text user file
ehenao = pass_of_ehenao
oalvarez = pass_of_oalvarez
aperilla = pass_of_aperilla
marcelas = pass_of_marcelas
arodriguez = pass_of_marcelas
fcarrascal = pass_of_fcarrascal
svnsecur.conf
[groups]
developers = ehenao,oalvarez,aperilla,marcelas
document = arodriguez,fcarrascal
all = @developers,@document
[Delphirep:C:/SVNRepositorio/Delphirep]
@developers = rw
[Delphirep:/Delphirep/doc]
@document = rw
@developers = r
[cursorep:/C:\SVNRepositorio\Cursorep]
@todos = rw
and in httpd.conf
DAV svn
SVNParentPath C:\SVNRepositorio
AuthzSVNAccessFile C:\Archiv~1\Collab~1\httpd\conf\svnsecur.conf
AuthType Basic
AuthName "Repositorio PCT"
AuthUserFile C:\Archiv~1\Collab~1\httpd\conf\svnusers.conf
#AuthUserFile C:\Archiv~1\Collab~1\httpd\conf\svnusers.http.conf
Require valid-user
svnusers.http.conf is the file generated with htpasswd.
what I'm missing or overlooked?
MKACTIVITY - 403 Forbidden Error
Hi,
First off thanks for the great article. I followed the steps described and am able to see my repository and even checkout a test project from the same via HTTP.One difference here was that in public_default_policy.conf instead of "SVNParenPath /path/to/repo/public", I had to use "SVNPath /path/to/repo/public". Only then did I start seeing my projects.
Problems start when I try committing anything to that test project. I keep getting this particular error
svn: MKACTIVITY of '/public/!svn/act/505453b1-b22f-0410-b2eb-ca2e1334eb90': 403 Forbidden (http://localhost)
I see that you have printed a similar line in your article but the difference here is that for you it was "/public//svn..." but in my case it comes up as "/public/svn.." without the project name! Any ideas why that is happening?
Please let me know if you can find anything.
- Dinesh.
Just a correct.. its
Just a correction.. its "public/_project_name_/svn.." the angle brackets were discarded by the engine.
- Dinesh.
Subversion Multi-Site
Interesting article - you should take a look at active/active replication for geographic distribution of Subversion - http://www.wandisco.com
Suggestion: mod_macro
A nice thing to use for real complex setups with a lot of projects is mod_macro which we use over at the hosted-projects.com Subversion hosting service. It allows to re-use SVN configuration directives by simply adding a line like:
Use SVNRepositories Project1
Care to post it somewhere?
Care to post it somewhere?
Re: Setting Up Subversion for One or Multiple Projects
First, I would like to say the article is very informative. However there are some inaccuracies (wrong paths, typos, missing paths) in the suggested configuration examples. It seems as though the author did not bother to actually test the configurations he suggests on a clean installation Linux with a default Apache 1.x installation; this is in-excusable.
I am running Slackware-current and I have setup the Apache 1.3.31 to ProxyPass to the Apache 2.0.50 server, as described in the article however I am having trouble with the Proxying.
I can do the following (at the local command prompt):
svn checkout http://localhost:8080/public/svn/myrepository/trunk
and it checks out fine.
However if I then do:
svn checkout http://mypublicname.com/svn/public/myrepository/trunk
then I get the following error:
svn: PROPFIND request failed on '/public/myrepository/!svn/vcc/default'
svn: '/public/myrepository/!svn/vcc/default' path not found
Does anyone know if this is an issue with the proxying or maybe an issue with the svn client stripping '/svn/' on subsequent PROPFIND requests?
Here is my Proxy statements in my /etc/apache/httpd.conf file:
ProxyRequests Off
ProxyPass /svn/ http://localhost:8080/
Here is what I have configured in my /usr/local/svn/conf/public_default_policy.conf file:
Location /public
Dav svn
SVNParentPath /usr/local/svn/repository/public
/Location
same path to proxy
To have proxy working properly you have to use the SAME path in both server.e.g.
ProxyPass /svn/ http://localhost:8080/svn/
VERY IMPORANT: same path to proxy
THIS IS A VERY IMPORTANT CONFIGURATION STEP!!!
If you wish to proxy all SVN/WebDAV requests correctly from Apache1 to Apache2, IT IS VERY IMPORTANT that the paths are the SAME in the ProxyPass, for example:
ProxyPass /svn/ http://localhost:8080/svn/I spent 5h without any clue why I was getting PROPFIND error, and finally I made SVN to work behind a reverse proxy just by using the same path!!!!!
Re: Setting Up Subversion for One or Multiple Projects
Just a wild guess, but don't you need a ProxyPassReverse in addition ?!?
in-excusable?
remember what you paid for the information ...
Remember what I paid for the
Remember what I paid for the info? About as much as I paid for the OS! Dear-oh-deary me...
Re: in-excusable?
If a computer technie writes a free tutorial with their real name and it is discovered that the tutorial is highly inaccurate, then only their reputation suffers for writing such garbage. Getting upset and posting you're disappointment is a good way to expose the incompetence of the writer of the tutorial. Just because the tutorial is free of charge does not protect the author from negative feedback from the readers.
Re: in-excusable?
I hope you're not suggesting that visiting linuxjournal.com for information is a waste of time, because it contains information for free.
By the way, I found a solution to the issue.
Re: in-excusable?
Btw I forgot to mention in my previous post that the proxies work through my web browers but are having the same issues as above in the svn checkout:
In browser: http://localhost/svn/proj1 correctly points to the Apache 2 server and my repository
svn co http://localhost/svn/proj1 proj1 produces the same error as above
svn co http://localhost:8800/proj1 proj1 works
Re: in-excusable?
Can you please post a solution as I am having the same issues (with both http and https requests).
Also I have given up trying to use the public and private setup (all my repositories are now stored in /svn/repository/proj1 /svn/repository/proj2 etc.. and I have indiviudal conf files. This is because no matter what I tried the public/private directories kept getting a 403 forbidden error - anyone know the solution to this as well?
Re: Setting Up Subversion for One or Multiple Projects
Nice tutorial, might have saved some time setting up our Subversion hosting service over at wush.net :)
svn: COPY of foo: 502 Bad Gateway ()
Does anyone else experience this problem when trying to use tags and branches?
svn copy trunk/ https://svn.example.com/public/project/tags/foo
svn: Commit failed (details follow):
svn: COPY of foo: 502 Bad Gateway (https://svn.example.com)
svn: COPY of foo: 502 Bad Gateway ()
Note: this can only happen with HTTPS
The explanation:
It seems there is no standard solution to this problem. Greg Stein has refused to implement a workaround in the Apache module: the problem happens because the hardware (reverse proxy, SSL accelerator or whatever decrypts the HTTPS) doesn't do correctly his job. It modifies the URL in the request but not in the "Destination" header of the DAV "COPY" requests (these DAV requests are issued from the SVN client when you do either a "copy" or "move"). Then when the svn server checks the parameters, it finds something incorrect. The position of Greg is understandable as it's not a problem caused by Apache or by SVN. The way we've fixed it here has required implementing a script inside the ssl accelerator, in order to also modify the "Destination" header in the DAV "COPY" requests to our SVN server. This solution works perfect, we've almost forgotten it's in place. If you can't do it in your reverse proxy, it's also possible to do it with a PERL script installed inside Apache (using mod_perl and the directives SetHandler and PerlHeaderParserHandler in the apache configuration file). If both these can't be done in your environment, your last resort will be to activate the ssl connection between the reverse proxy and Apache (but this wasn't possible here).
For reference:
http://svn.haxx.se/users/archive-2006-03/0549.shtml
http://svn.haxx.se/users/archive-2003-08/0780.shtml
One possible solution (using mod_perl):
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=96866
Cheers.
Jean-Pol.
Re: svn: COPY of foo: 502 Bad Gateway ()
I think the problem is that Apache processes the proxy URL translation before it decrypts the HTTPS request. Since the to-URL of the COPY is in the encrypted body of the request, it never gets translated.
I haven't verified this but I'm pretty sure that's what's breaking you
Re: svn: COPY of foo: 502 Bad Gateway ()
Oh, just found it:
"Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol"
if you are using virtual host, then that is most likely what is causing it.
You can, but...
You can use SSL with named virtual hosts, but all of the clients connecting will get errors when checking the SSL certificate. All they need to do is ignore the errors (which you usually do for selfed CA certs anyway).
bcl
Re: svn: COPY of foo: 502 Bad Gateway ()
I also get this problem.
I don't know what causes it but it seems to only happen with https and copying or moving (which is just a fancy copy) a file. It also use to work but then stopped, but I don't know what has changed in between.
Invalid command 'Proxy'
For my Apache 1.3.31 "Proxy" is an unknown directive. Could you provide more information, how to enable this directive or do you meant the Redirect directive?
Proxy /svn/ http://localhost:8080/
vs.
Redirect /svn/ http://localhost:8080/
"Invalid command 'Proxy', perhaps mis-spelled or defined by a module not included in the server configuration"
Re: Invalid command 'Proxy'
You have to make sure that proxy_module is loaded. Look for
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so
in the file /etc/apache/modules.conf
Look up your Apache-dokumentation for more information.
Regards, Bj
Re: Invalid command 'Proxy'
Would you please check your documentation? There is no command Proxy!
http://httpd.apache.org/docs/mod/mod_proxy.html
Regards, Kai
Re: Invalid command 'Proxy'
It was a typing mistake. The correct Apache directive is:
ProxyPass
Sorry.
Cristiano
Re: Setting Up Subversion for One or Multiple Projects
Although this in itself is interesting, how about indicating which parts (to an apache newbie) are not relevant if you are working with a pure Apache 2 setup?
Re: Setting Up Subversion for One or Multiple Projects
Since all the information about athentication and access control is centralized in the Apache 2.0 server, the setup described in the article works as standalone too. The only change refers to SSL connections, which should be handled directly by Apache 2.0 through the SSL module.
Why two levels of apache?
What was the reason for using two levels of apache?
It appears that the first apache just proxies everything
to the second.
Is it because you don't think apache 2.0 is secure enough
to be facing a public network? Or is there a subtler reason
that I'm just missing.
Re: Why two levels of apache?
I'd expect it's because Apache 2.0's mod_ssl is not complete. It has an outstanding bug that prevents POST from working in conjunction with per directory/location SSL configuration. I've no idea how mod_ssl 2 would interact with DAV's other request types, either.
Re: Why two levels of apache?
Mod SSL is fine with DAV requests - they're just http, after all.
Re: Why two levels of apache?
Just a hunch as I'm still experimenting but I've found that trying to add the svn modules on top of an already working apache2 setup (PHP,SSL,mod_auth_mysql) just ends up being a mess that I can't get to work. I'm pretty well resigned to having to split up svn access, like this article, just to have mod_auth_mysql work in both environments.
Re: Why two levels of apache?
When compiled as an Apache module, Subversion requires Apache 2.0 while many production servers are based on the 1.3 series.
The migration from the 1.3 series to 2.0 series may not be the best choice for those installations: if you feel confident (from a security point-of-view) in your existing setup, you may not want to migrate to just enable Subversion.
If such situations, if you still want to use Subversion as an Apache module, the proxy solution is a good compromise.
Re: Why two levels of apache?
Probably because most people with a public web server are already using Apache 1.3, and won't want to make more work for themselves by having to change that if it's working OK.
Very easy installation of apache subversion active directory
Everyone is facing the problem of integration of apache/Subversion with Active directory. I found the document with complete package and it takes only 5-10 mins to install. You can also use the same and if any problem, Logon to http://forum.opensourcedevelopment.net, It is really very good.
Path is http://opensourcedevelopment.net/text-tutorials/apache-subversion-active-directory.html
Post new comment