httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <mearn...@gmail.com>
Subject Re: [users@httpd] A critical .htaccess problem
Date Fri, 23 Jan 2009 13:39:49 GMT
On Wed, Jan 21, 2009 at 11:19 PM, J. Bakshi <joydeep@infoservices.in> wrote:
> Brian Mearns wrote:
>> On Wed, Jan 21, 2009 at 1:07 AM, J. Bakshi <joydeep@infoservices.in> wrote:
>>
>>> Brian Mearns wrote:
>>>
>>>> Let's start with the obvious question first: how are you trying to
>>>> access SVN outside the LAN? You've configured your repos location to
>>>> only require SSL for certain methods, and GET is not one of them. So
>>>> if your only issue is that you're able to browser your repos online
>>>> without SSL, then you need to get rid of the LimitExcept tag, and move
>>>> the SSLRequireSSL into the top level of the <Location /repos> tag.
>>>>
>>>> If that's not the issue (i.e., if you are also able to perform other
>>>> methods without SSL), try adding "Satisfy All" inside you <Location
>>>> /repos> tag (and possibly inside the LimitExcept tag). There is a
>>>> "Satisfy Any" in your htdocs config file which I assume is getting
>>>> inherited here, that could be causing you problems.
>>>>
>>>> Another note, the <Location> tag alone doesn't create a vhost, you
>>>> need to explicitly set that up if you want one. However, I'm going to
>>>> politely disagree with the previous comments: you don't /need/ to make
>>>> svn a separate vhost for it to work. Properly configured, you can use
>>>> the SSLRequireSSL directive to make sure it is only accessed via
>>>> HTTPS, without it being it's own Virtual Host.
>>>>
>>>> Somewhat off topic, it sounds like your primary server configuration
>>>> is in a .htaccess file under your DocumentRoot (htdocs). Is that
>>>> right? That can cause serious performance degradation because it's
>>>> going to have to searhc for and parse this file for every request. The
>>>> "preferred" way is to use an httpd.conf file which only get's parsed
>>>> once when the server starts. The .htaccess files should generally be
>>>> limited to just a few cases where things need to be overridden. Even
>>>> that isn't always necessary because Directory overrides can be used in
>>>> httpd.conf. The only real use I can think of for .htacess files is for
>>>> virtual hosts whose owners don't have access to the httpd.conf file.
>>>>
>>>> Any of that help?
>>>> -Brian
>>>>
>>>>
>>>>
>>> Hello Brain,
>>>
>>> Thanks a lot for this in-depth know how.
>>>
>>> You are right as I don't like to allow browsing svn repos through HTTP.
>>> Your other assumption is also right that the .htaccess is somehow
>>> inherited. But .htaccess does not contain the primary server
>>> configuration. It is only demarcating the LAN from the Internet. I don't
>>> mind though if svn is accessable through http inside the LAN but the
>>> important point is even from the internet it is also accessable through
>>> HTTP. That's why I am looking a way so that I force the svn to allow
>>> only HTTPS. I have also placed the SSLRequireSSL inside <Location
>>> /repos> part but it had no effect i.e. still an internet user can access
>>> it through HTTP.
>>>
>>>
>> Did you try the "Satisfy All" directive in that Location?
>>
>>
>
> No, there is no "Satisfy All" inside <Location /repos>

Ok, well try adding it then. If your Location is inheriting any auth
directives from another configuration, and you don't have a Satisfy
All, then a request will be approved if it satisfies ANY auth
requirement. Just as an example, if you have an "Allow from all"
somewhere, then no additional auth directives, like SSLRequireSLL,
will be effective without the "Satisfy All", because every request
will satisfy that one requirement.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message