httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <mearn...@gmail.com>
Subject Re: [users@httpd] A critical .htaccess problem
Date Wed, 21 Jan 2009 13:19:00 GMT
On Wed, Jan 21, 2009 at 1:07 AM, J. Bakshi <joydeep@infoservices.in> wrote:
> Brian Mearns wrote:
>>
>> Let's start with the obvious question first: how are you trying to
>> access SVN outside the LAN? You've configured your repos location to
>> only require SSL for certain methods, and GET is not one of them. So
>> if your only issue is that you're able to browser your repos online
>> without SSL, then you need to get rid of the LimitExcept tag, and move
>> the SSLRequireSSL into the top level of the <Location /repos> tag.
>>
>> If that's not the issue (i.e., if you are also able to perform other
>> methods without SSL), try adding "Satisfy All" inside you <Location
>> /repos> tag (and possibly inside the LimitExcept tag). There is a
>> "Satisfy Any" in your htdocs config file which I assume is getting
>> inherited here, that could be causing you problems.
>>
>> Another note, the <Location> tag alone doesn't create a vhost, you
>> need to explicitly set that up if you want one. However, I'm going to
>> politely disagree with the previous comments: you don't /need/ to make
>> svn a separate vhost for it to work. Properly configured, you can use
>> the SSLRequireSSL directive to make sure it is only accessed via
>> HTTPS, without it being it's own Virtual Host.
>>
>> Somewhat off topic, it sounds like your primary server configuration
>> is in a .htaccess file under your DocumentRoot (htdocs). Is that
>> right? That can cause serious performance degradation because it's
>> going to have to searhc for and parse this file for every request. The
>> "preferred" way is to use an httpd.conf file which only get's parsed
>> once when the server starts. The .htaccess files should generally be
>> limited to just a few cases where things need to be overridden. Even
>> that isn't always necessary because Directory overrides can be used in
>> httpd.conf. The only real use I can think of for .htacess files is for
>> virtual hosts whose owners don't have access to the httpd.conf file.
>>
>> Any of that help?
>> -Brian
>>
>>
>
> Hello Brain,
>
> Thanks a lot for this in-depth know how.
>
> You are right as I don't like to allow browsing svn repos through HTTP.
> Your other assumption is also right that the .htaccess is somehow
> inherited. But .htaccess does not contain the primary server
> configuration. It is only demarcating the LAN from the Internet. I don't
> mind though if svn is accessable through http inside the LAN but the
> important point is even from the internet it is also accessable through
> HTTP. That's why I am looking a way so that I force the svn to allow
> only HTTPS. I have also placed the SSLRequireSSL inside <Location
> /repos> part but it had no effect i.e. still an internet user can access
> it through HTTP.
>
Did you try the "Satisfy All" directive in that Location?

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message