httpd-users mailing list archives

From Brian Mearns <mearn...@gmail.com>
Subject Re: [users@httpd] A critical .htaccess problem
Date Tue, 20 Jan 2009 13:36:53 GMT
On Mon, Jan 19, 2009 at 11:41 PM, J. Bakshi <joydeep@infoservices.in> wrote:
> Craig Huffstetler wrote:
>> Krist is correct - you need to make sure Subversion a Virtual Host.
>> I'm including a few instructions as I'm sure you're all set on
>> Subversion and Apache. If you're still having problems let us know.
>
> Hello Craig and Krist,
>
> Thanks for your guidance. Craig, the points you have mentioned here are
> already done from my side when configuring the svn with https:// and it
> had no problem working with https://.  If someone still uses http:// it
> denied the HTTP protocol, which was exactly what I need.
>
> But the problem is, to separate internet from LAN I added the following
> in my .htaccess in htdocs. It asks for authentication when accessed from
> internet but not from LAN
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> AuthType Basic
> AuthName "protected place"
> AuthUserFile /home/SVN/PASSWD
> Require valid-user
> Order allow,deny
> Allow from 192.168.1.0/24
> Satisfy any
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> After adding this config the svn allows http access too !!! and I want to
> deny http for svn.
>
> Krist, I already have the vhost for svn. here is the vhost config for
> svn once again
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> <Location /repos>
> DAV svn
>
> AuthType Basic
>      AuthName "Authorization Realm"
>      AuthUserFile /home/SVN/PASSWD
>      Require valid-user
>      SVNParentPath /home/SVN
>
> #### Limit write permission to list of valid users.
>  <LimitExcept GET PROPFIND OPTIONS REPORT>
> #      # Require SSL connection for password protection.
> SSLRequireSSL
>
>      AuthType Basic
>      AuthName "Authorization Realm"
>      AuthUserFile /home/SVN/PASSWD
>      Require valid-user
>  </LimitExcept>
> </Location>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Please suggest what to do ?
> Thanks once again

Let's start with the obvious question first: how are you trying to
access SVN outside the LAN? You've configured your repos location to
only require SSL for certain methods, and GET is not one of them. So
if your only issue is that you're able to browse your repos online
without SSL, then you need to get rid of the LimitExcept tag, and move
the SSLRequireSSL into the top level of the <Location /repos> tag.

If that's not the issue (i.e., if you are also able to perform other
methods without SSL), try adding "Satisfy All" inside your <Location
/repos> tag (and possibly inside the LimitExcept tag). There is a
"Satisfy Any" in your htdocs config file which I assume is getting
inherited here, that could be causing you problems.

Another note, the <Location> tag alone doesn't create a vhost, you
need to explicitly set that up if you want one. However, I'm going to
politely disagree with the previous comments: you don't /need/ to make
svn a separate vhost for it to work. Properly configured, you can use
the SSLRequireSSL directive to make sure it is only accessed via
HTTPS, without it being its own Virtual Host.

Somewhat off topic, it sounds like your primary server configuration
is in a .htaccess file under your DocumentRoot (htdocs). Is that
right? That can cause serious performance degradation because it's
going to have to search for and parse this file for every request. The
"preferred" way is to use an httpd.conf file which only gets parsed
once when the server starts. The .htaccess files should generally be
limited to just a few cases where things need to be overridden. Even
that isn't always necessary because Directory overrides can be used in
httpd.conf. The only real use I can think of for .htaccess files is for
virtual hosts whose owners don't have access to the httpd.conf file.

Any of that help?
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
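
The two suggestions in the reply above, combined into one <Location> block, as an added example that is not part of the original message (Apache 2.2 syntax, as used in the thread). The explicit Order/Allow lines and the commented SSLOptions alternative are assumptions that do not come from the thread.

```apache
# Added example, not the poster's config. Paths and realm are copied from
# the quoted <Location /repos> block.
<Location /repos>
    DAV svn
    SVNParentPath /home/SVN

    # Moved out of <LimitExcept> to the top level: plain-HTTP requests are
    # now refused for every method, including GET, PROPFIND, OPTIONS and
    # REPORT, which the original block exempted.
    SSLRequireSSL

    AuthType Basic
    AuthName "Authorization Realm"
    AuthUserFile /home/SVN/PASSWD
    Require valid-user

    # Assumption: the repository should stay reachable from any address
    # over HTTPS. Stating the host rule here means an inherited
    # "Allow from 192.168.1.0/24" cannot lock out remote users once
    # Satisfy All is in force.
    Order allow,deny
    Allow from all

    # Overrides an inherited "Satisfy any": the host rule, the SSL
    # requirement and the password check must all pass.
    Satisfy All

    # Alternative (assumption, a mod_ssl option not mentioned in the
    # thread): keep SSLRequireSSL enforced even where "Satisfy any"
    # applies.
    # SSLOptions +StrictRequire
</Location>
```

After a reload, a plain http:// request to /repos should be refused with 403 from both the LAN and the internet, and an https:// request should prompt for credentials from both.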

