301 with mod_dav / https
Hi,

it has been frustrating for me trying to set up my publicly available web server to also serve a svn repository. I do not understand at all what happens, please help.

I am able to navigate with FF to https://devel.example.com/svn/test/ and see the "powered by Subversion version 1.6.6 (r40053)".

When I try to

    svn import . https://devel.example.com/svn/test/ -m "initial structure" --username=valid

I am asked for my password and I get access. The response I get is:

    "svn: Das Projektarchiv wurde permanent nach "https://devel.example.com/svn/test/« verschoben; bitte umplatzieren"

which means something like "The project archive has been permanently moved to please relocate".

My apache log shows this:

    x.x.x.x - valid [12/Jan/2011:12:32:52 +0100] "OPTIONS /svn/test HTTP/1.1" 301 484 "-" "SVN/1.6.9 (r901367) neon/0.28.4"

I have read about the 301 error in the FAQ. I think the reason mentioned there is not my problem.

My box runs on Ubuntu 10.04 LTS. This is my Virtual Host setup:

    ServerName devel.example.com
    ServerAdmin webmas...@example.com
    DocumentRoot /var/www/devel.example.com
    SSLEngine on
    SSLCertificateFile/etc/ssl/example.com.key
    Order deny,allow
    Deny from all
    Alias /pm "/var/www/devel.example.com/mypmtool"
    AllowOverride All
    Order allow,deny
    Deny from all
    Satisfy all
    Options -Indexes
    Order deny,allow
    Deny from all
    satisfy any
    AuthType digest
    AuthUserFile /var/www/devel.example.com/.pwdigest_pm
    AuthName "Project_X"
    require valid-user
    Alias /svn "/home/svn"
    AllowOverride all
    DAV svn
    SVNParentPath /home/svn
    SVNListParentPath on
    AuthzSVNAccessFile /etc/apache2/dav_svn.authz
    Order deny,allow
    deny from all
    satisfy any
    AuthType Digest
    AuthUserFile /etc/apache2/pwdigest_svn
    AuthName "Project_X"
    Require valid-user

Any help appreciated.
Thanks
-fuz
Re: 301 with mod_dav / https
> Remove the lines:
>
> Alias /svn "/home/svn"
>
> AllowOverride all
>
> Apache is confused because you have told it you want it to serve /svn as
> static files located in /home/svn (the Alias directive and the
> <Directory /home/svn> section) and also that you want it to serve /svn as
> a collection of Subversion repositories (the block); use only one or the
> other, depending on what you want (probably you want the block only).

Ryan,
one shot, one hit. I am impressed.
Thanks so much for your help.

-fuz
Re: 301 with mod_dav / https
-------- Original message --------
> On 12/01/2011 15:05, fuzzy_4711 wrote:
>>> Remove the lines:
>>>
>>> Alias /svn "/home/svn"
>>>
>>> AllowOverride all
>>>
>>> Apache is confused because you have told it you want it to serve
>>> /svn as static files located in /home/svn (the Alias directive and
>>> the section) and also that you want it to
>>> serve /svn as a collection of Subversion repositories (the
>>> /svn> block); use only one or the other, depending on what you want
>>> (probably you want the block only).
>>
>> Ryan,
>> one shot, one hit. I am impressed.
>> Thanks so much for your help.
>>
>> -fuz
> unfortunately that doesn't solve my case, I'm still facing the "301" pb
> There is no directive in my case, here's what I have:
>
> Alias /disi /var/svn/disi
>
> DAV svn
> SVNParentPath /var/svn/disi
> AuthzSVNAccessFile /var/svn/disi/access
> #File based user auth
> AuthType Basic
> AuthName "TMSP: Login with user id"
> AuthBasicProvider file ldap
> AuthUserFile /var/svn/disi/pass
> #AuthzUserAuthoritative off
> AuthLDAPURL "ldap://ldap.int-evry.fr:389/ou=People,dc=int_evry,dc=fr?uid?sub?(objectClass=*)"
> AuthzLDAPAuthoritative Off
> Require valid-user
>
> what's wrong here ?
> thanks.

Ryan would suggest you to remove the line "Alias /disi /var/svn/disi"
Give it a try and let us know.

-fuz
Re: 301 with mod_dav / https
> On Jan 12, 2011, at 08:12, Jehan PROCACCIA wrote:
>>> Ryan Schmidt wrote:
>>> Remove the lines:
>>>
>>> Alias /svn "/home/svn"
>>>
>>> AllowOverride all
>>>
>>> Apache is confused because you have told it you want it to serve /svn
>>> as static files located in /home/svn (the Alias directive and the
>>> <Directory /home/svn> section) and also that you want it to serve /svn
>>> as a collection of Subversion repositories (the block); use only one
>>> or the other, depending on what you want (probably you want the block
>>> only).
>> unfortunately that doesn't solve my case, I'm still facing the "301" pb
>> There is no directive in my case, here's what I have:
>>
>> Alias /disi /var/svn/disi
>>
>> DAV svn
>> SVNParentPath /var/svn/disi
> [snip]
>
> The Directory block wasn't the problem; it was merely unnecessary. The
> problem is the Alias directive. Remove the line:
>
> Alias /disi /var/svn/disi

How could I know what you would suggest :-)
Sometimes this is fun and sometimes this is frustrating.
I am not new to this, but I was searching for hours before I asked and didn't get it running. I hate that...

-fuz
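The clash diagnosed in this thread, as an added example that is not part of any poster's message: a Python check that reports every Alias whose URL path is also served by a `<Location>` block containing `DAV svn`. The sample configuration is constructed, its `<Location /svn>` container is an assumption (the archive lost the container tags), and `find_conflicts` is a hypothetical helper name; also flagging an Alias on a parent path goes one step beyond the two cases posted here.

```python
import re

# Constructed sample shaped like the configuration posted in this thread.
# The <Location /svn> container is an assumption: the archive lost the tags.
SAMPLE_CONF = """
Alias /pm "/var/www/devel.example.com/mypmtool"
Alias /svn "/home/svn"
<Location /svn>
    DAV svn
    SVNParentPath /home/svn
</Location>
"""

def _norm(path):
    """Drop quotes and trailing slashes so '/svn/' and /svn compare equal."""
    return path.strip("\"'").rstrip("/") or "/"

def _covers(alias_url, location_url):
    """True when the Alias URL is the Location URL or one of its parents."""
    prefix = alias_url.rstrip("/") + "/"
    return alias_url == location_url or location_url.startswith(prefix)

def find_conflicts(conf_text):
    """Return (alias_url, location_url) pairs claimed by both an Alias and a
    <Location> block that contains 'DAV svn' (hypothetical helper)."""
    aliases, dav_locations = [], []
    current, is_dav = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(.+?)\s*>$", line, re.I)
        alias = re.match(r"Alias\s+(\S+)\s+\S", line, re.I)
        if opened:
            current, is_dav = _norm(opened.group(1)), False
        elif re.match(r"</Location\s*>", line, re.I):
            if current is not None and is_dav:
                dav_locations.append(current)
            current = None
        elif current is not None and re.match(r"DAV\s+svn\b", line, re.I):
            is_dav = True
        elif alias:
            aliases.append(_norm(alias.group(1)))
    return [(a, loc) for a in aliases for loc in dav_locations if _covers(a, loc)]

if __name__ == "__main__":
    for alias_url, location_url in find_conflicts(SAMPLE_CONF):
        print(f"Alias {alias_url} collides with DAV svn <Location {location_url}>")
```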
Re: 301 with mod_dav / https
> Does apache need to have RW on /var/svn/disi/* ?
> for now it is user svn only

Yup, you got it. Put your apache user into group svn. And give those rights recursively to your repository directory.

drwxrwsr-x 7 apache svn . repository/

-fuz
Re: 301 with mod_dav / https
> Unfortunately, this is a long-standing security problem. It means that
> other non-suexec or user id "Apache" tools, such as Perl or PHP based
> modules, now have direct write access to your repository, now have
> arbitrary write access to the repository. In particular, they can
> directly do "rm -rf $repodir/", and you have no way in your Subversion
> configuration of stopping them.
>
> It's unsuitable for a shared environment where, for example, private
> users have access to run CGI or PHP in $HOME/public_html/ and you
> don't completely trust their intent or competence.
>
> A somewhat safer means is to put both the svn user, and the apache
> user, in a netgroup or other group that actually owns the database of
> the repository, and leave all the configurations and hook scripts
> owned and with permissions set to avoid write-access for the "apache"
> user.
>
> An even safer one that is a pain to set up is to run a separate httpd
> with a separate httpd.conf under the svn uid, slap it on a different
> interface or different port with its own logs and logrotate and other
> setups, and if necessary run a proxy through your primary site to that
> local port or IP address. That does involve funneling traffic through
> your normal, up-front website, but lets you separate "apache" security
> from "svn" user security.
>
> There are, sadly, as many ways to do this as there are admins.
> Unfortunately, there are a lot of incompetent, and some merely
> carelessly casual ways to do this. You've found that one of those
> works, and the risks of it are yours to accept or reject.

Nico,
thank you very much for your explanation on this. You are absolutely right.
For me this is not a problem since there are no private users located at my box. If so I completely understand your hint and I appreciate the time you took to give advice to us wannabees. I hope Jehan will review his strategy and settings according to your post which will make it in my wiki.

Thanks
-fuz
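An added example, not from the thread: a Python audit for the "somewhat safer" layout described above, listing anything under a repository's conf/ and hooks/ directories that the web server account could modify through plain mode bits. The `audit_repo` name and the uid/gid values are assumptions, the demo repository is constructed in a temporary directory, and ACLs are not considered.

```python
import os
import stat
import tempfile

def writable_by(path, uid, gids):
    """POSIX mode-bit check: owner class first, then group, then other.
    ACLs and root's override are not considered (assumption)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_repo(repo, uid, gids, protected=("conf", "hooks")):
    """Return repo-relative paths under the protected subdirectories that the
    account (uid, gids) can write to. A writable directory counts, because it
    allows deleting or replacing the files inside it."""
    findings = []
    for sub in protected:
        for dirpath, _dirs, files in os.walk(os.path.join(repo, sub)):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                if writable_by(path, uid, gids):
                    findings.append(os.path.relpath(path, repo))
    return sorted(findings)

def demo():
    """Build a constructed repository skeleton and audit it for a hypothetical
    web server uid that shares the repository's group."""
    repo = tempfile.mkdtemp(prefix="svnrepo-")
    modes = {"db": 0o775, "conf": 0o755, "hooks": 0o775}  # hooks/ left group-writable
    for name, mode in modes.items():
        os.mkdir(os.path.join(repo, name))
        os.chmod(os.path.join(repo, name), mode)
    hook = os.path.join(repo, "hooks", "pre-commit")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(hook, 0o755)
    st = os.stat(hook)
    web_uid = st.st_uid + 1  # hypothetical: any uid that is not the owner
    return repo, audit_repo(repo, web_uid, {st.st_gid})

if __name__ == "__main__":
    print(demo()[1])
```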