httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J. Bakshi" <joyd...@infoservices.in>
Subject Re: [users@httpd] A critical .htaccess problem
Date Wed, 21 Jan 2009 06:07:38 GMT
Brian Mearns wrote:
> On Mon, Jan 19, 2009 at 11:41 PM, J. Bakshi <joydeep@infoservices.in> wrote:
>   
>> Craig Huffstetler wrote:
>>     
>>> Krist is correct - you need to make sure Subversion a Virtual Host.
>>> I'm including a few instructions as I'm sure you're all set on
>>> Subversion and Apache. If you're still having problems let us know.
>>>       
>> Hello Craig and Krist,
>>
>> Thanks for your guidance. Craig, the points you have mentioned here are
>> already done from my side when configuring the svn with https:// and it
>> had no problem to work with https://.  If some one still use http:// it
>> denied the HTTP protocol which was exactly what I need.
>>
>> But the problem is to separate internet from LAN I added the following
>> in my .htaccess in htdocs. It ask for authentication when accessed from
>> internet but not from LAN
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~
>> AuthType Basic
>> AuthName "protected place"
>> AuthUserFile /home/SVN/PASSWD
>> Require valid-user
>> Order allow,deny
>> Allow from 192.168.1.0/24
>> Satisfy any
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> After adding this config the svn allow http access too !!! and I want to
>> deny http for svn.
>>
>> Krist, I already have the vhost for svn. here is the vhost config for
>> svn once again
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
>> <Location /repos>
>> DAV svn
>>
>> AuthType Basic
>>      AuthName "Authorization Realm"
>>      AuthUserFile /home/SVN/PASSWD
>>      Require valid-user
>>      SVNParentPath /home/SVN
>>
>> #### Limit write permission to list of valid users.
>>  <LimitExcept GET PROPFIND OPTIONS REPORT>
>> #      # Require SSL connection for password protection.
>> SSLRequireSSL
>>
>>      AuthType Basic
>>      AuthName "Authorization Realm"
>>      AuthUserFile /home/SVN/PASSWD
>>      Require valid-user
>>  </LimitExcept>
>> </Location>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Please suggest what to do ?
>> Thanks once again
>>     
>
> Let's start with the obvious question first: how are you trying to
> access SVN outside the LAN? You've configured your repos location to
> only require SSL for certain methods, and GET is not one of them. So
> if your only issue is that you're able to browser your repos online
> without SSL, then you need to get rid of the LimitExcept tag, and move
> the SSLRequireSSL into the top level of the <Location /repos> tag.
>
> If that's not the issue (i.e., if you are also able to perform other
> methods without SSL), try adding "Satisfy All" inside you <Location
> /repos> tag (and possibly inside the LimitExcept tag). There is a
> "Satisfy Any" in your htdocs config file which I assume is getting
> inherited here, that could be causing you problems.
>
> Another note, the <Location> tag alone doesn't create a vhost, you
> need to explicitly set that up if you want one. However, I'm going to
> politely disagree with the previous comments: you don't /need/ to make
> svn a separate vhost for it to work. Properly configured, you can use
> the SSLRequireSSL directive to make sure it is only accessed via
> HTTPS, without it being it's own Virtual Host.
>
> Somewhat off topic, it sounds like your primary server configuration
> is in a .htaccess file under your DocumentRoot (htdocs). Is that
> right? That can cause serious performance degradation because it's
> going to have to searhc for and parse this file for every request. The
> "preferred" way is to use an httpd.conf file which only get's parsed
> once when the server starts. The .htaccess files should generally be
> limited to just a few cases where things need to be overridden. Even
> that isn't always necessary because Directory overrides can be used in
> httpd.conf. The only real use I can think of for .htacess files is for
> virtual hosts whose owners don't have access to the httpd.conf file.
>
> Any of that help?
> -Brian
>
>   

Hello Brain,

Thanks a lot for this in-depth know how.

You are right as I don't like to allow browsing svn repos through HTTP.
Your other assumption is also right that the .htaccess is somehow
inherited. But .htaccess does not contain the primary server
configuration. It is only demarcating the LAN from the Internet. I don't
mind though if svn is accessable through http inside the LAN but the
important point is even from the internet it is also accessable through
HTTP. That's why I am looking a way so that I force the svn to allow
only HTTPS. I have also placed the SSLRequireSSL inside <Location
/repos> part but it had no effect i.e. still an internet user can access
it through HTTP.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message