svn commit: r1910877 - /subversion/site/staging/faq.html

Sat, 08 Jul 2023 08:32:35 -0700 

Author: dsahlberg
Date: Sat Jul  8 15:32:30 2023
New Revision: 1910877

URL: http://svn.apache.org/viewvc?rev=1910877&view=rev
Log:
In site/staging:

* faq.html
  (#reverseproxy): Add a new section on how to put Subversion behind a reverse
    proxy.

See https://lists.apache.org/thread/j2c0kp4rmsw4rf9y4hw2zntxvd0hy051

The configuration example is my own work.



Modified:
    subversion/site/staging/faq.html

Modified: subversion/site/staging/faq.html
URL: 
http://svn.apache.org/viewvc/subversion/site/staging/faq.html?rev=1910877&r1=1910876&r2=1910877&view=diff
==============================================================================
--- subversion/site/staging/faq.html (original)
+++ subversion/site/staging/faq.html Sat Jul  8 15:32:30 2023
@@ -77,6 +77,7 @@ For older questions, see <a href="#depre
 <li><a href="#cvs2svn">How do I convert an existing CVS repository
     into a Subversion repository?</a></li>
     <li><a href="#proxy">What if I'm behind a proxy?</a></li>
+<li><a href="#reverseproxy">I need to put Subversion behind a reverse 
proxy</a></li>
 <li><a href="#paranoid">My admins don't want me to have a HTTP server for
     Subversion.  What can I do if I still want remote usage?</a></li> 
 <li><a href="#multi-proj">How do I manage several different projects
@@ -937,6 +938,93 @@ running <tt>svn --version</tt>.</p>
 
 </div>
 
+
+<div class="h3" id="reverseproxy">
+<h3>I need to put Subversion behind a reverse proxy
+  <a class="sectionlink" href="#proxy"
+    title="Link to this section">&para;</a>
+</h3>
+
+<p>A reverse proxy can be used if the Subversion server is not directly
+connected to the internet. It will forward HTTP/HTTPS traffic from a public
+facing server to the Subversion server, potentially removing HTTPS
+encryption. It can also be useful if several different HTTP servers must
+to be served on the same port.</p>
+
+<p>Subversion use a subset of the WebDAV/DeltaV protocol, see <a 
+href="#http-methods">this FAQ item</a> for the details. A custom
+As far as the proxy server is concerned, Subversion use plain WebDAV
+protocol. For the <tt>svn copy</tt> and <tt>svn move</tt> commands, an extra 
+HTTP_DESTINATION header is used, this must be rewritten separately.</p>
+
+<p>Detailed instructions are provided for a few different proxy servers, it
+should be fairly easy to copy the ideas from these examples.</p>
+
+<h4>Detailed instructions for Apache HTTPD</h4>
+
+<p>A very good walkthrough can be found at
+<a href="http://silmor.de/proxysvn.php";>http://silmor.de/proxysvn.php</a>.</p>
+
+<h4>Detailed instructions for Microsoft IIS</h4>
+
+<p>First download and install the URL Rewrite module from <a
+href="https://www.iis.net/downloads/microsoft/url-rewrite";>iis.net</a>. The
+example below has been tested with IIS 10 and URL Rewrite 2.1.<br/>
+Next configure URL Rewrite to allow the HTTP_DESTINATION server variable: In
+IIS Manager under URL Rewrite, in the right hand pane click View Server
+Variables and add HTTP_DESTINATION.<br/>
+Finally create a few rewrite rules:
+<ul>
+<li>"ToHttps", if you would like to ensure all Subversion traffic is
+encrypted, this send an HTTP redirect to the client if the request is sent
+unencrypted.</li>
+<li>"ProxyWithDestination", capturing all requests with the HTTP_DESTINATION
+server variable (ie. all <tt>svn copy</tt> and <tt>svn move</tt> requests).
+The HTTP_DESTINATION header is rewritten and the traffic is forwarded to the
+Subversion server.
+</li>
+<li>"ProxyRest", forwarding all other traffic to the Subversion server.</li>
+</ul>
+The example below can be copied into web.config. It assumes the Subversion
+server is running on port 81 on the same computer as IIS.</p>
+
+<pre>
+<system.webServer>
+ <rewrite>
+  <rules>
+   <clear />
+   <rule name="ToHttps" stopProcessing="true">
+    <match url="(.*)" />
+    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
+     <add input="{HTTPS}" pattern="^OFF$" />
+    </conditions>
+    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"/>
+   </rule>
+   <rule name="ProxyWithDestination" enabled="true" patternSyntax="ECMAScript" 
stopProcessing="true">
+    <match url="(.*)" />
+    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
+     <add input="{HTTP_DESTINATION}" pattern="https://(.*)"/>
+    </conditions>
+    <serverVariables>
+     <set name="HTTP_DESTINATION" value="http://{C:1}"; />
+    </serverVariables>
+    <action type="Rewrite" url="http://127.0.0.1:81/{R:0}"; 
logRewrittenUrl="true" />
+   </rule>
+   <rule name="ProxyRest" patternSyntax="ECMAScript" stopProcessing="true">
+    <match url="(.*)" negate="false" />
+    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
+    <action type="Rewrite" url="http://127.0.0.1:81/{R:0}"; 
logRewrittenUrl="true" />
+   </rule>
+  </rules>
+ </rewrite>
+ <security>
+  <requestFiltering allowDoubleEscaping="true" />
+ </security>
+</system.webServer></pre>
+</p>
+
+</div>
+
 
 <div class="h3" id="paranoid">
 <h3>My admins don't want me to have a HTTP server for

Reply via email to