[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

how do I restrict access to Subversion/Apache repository?

Friends, now I've got customlog working for Debian's Apache2 I've been struggling with how to get Apache to restrict (read) access to the 
Subversion repositories (they already require a htpasswd
username-password combo) to particular IP addresses. I've tried my usual
trick

        <Directory /var/www/dir2protect>
        Order Deny,Allow
        deny from all
        allow from 130.101
        </Directory>

in each of /etc/apache2/apache2.conf
&  /etc/apache2/mods-available/dav_svn.conf
&  /etc/apache2/sites-available/default  but can't get it to work. For
this instance, the Subversion folder lives not in /var/www but
in /usr/local/SUBVERSION Here's the relevant part of
/etc/apache2/mods-available/dav_svn.conf:
<Location /svn>
DAV svn

SVNParentPath /usr/local/SUBVERSION
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
Require valid-user
</Location>

I've tried both /svn and /usr/local/SUBVERSION for the 'Directory' to
deny IP access from but without avail.
Anybody else got this working for Subversion under Debian's Apache setup and care to help me out? 

Thanks, Michael



-------- Forwarded Message --------

From: michael <cs@networkingnewsletter.org.uk>
{}Subject: Re: how can I redirect Subversion/apache msgs to a new file
Date: Thu, 17 Jan 2008 17:41:11 +0000

On Thu, 2008-01-17 at 12:22 -0500, Kris Deugau wrote:

michael wrote:

Glad you've both got it working.


I'm afraid I have to add a "Works for me too!" to that;  I just added
SVN action logging to one vhost, checked out and committed to a test
repo; switched the working copy to an alternate vhost, and added action 
logging (to a different file) to that vhost.  No errors, action logs
showed up as they should.


I'm using a Debian dist of Apache2
which, if I understand correctly, doesn't use httpd.conf but for general stuff uses apache2.conf and for modules uses the relevant module conf 
file eg mods-available/dav_svn.conf


Mmmh.  Debian has introduced a very flexible configuration system for
Apache.  Packaged Apache modules put configuration fragments in
/etc/apache2/mods-available, but they're not used unless there's a
matching symlink in /etc/apache2/mods-enabled. A similar system is used 
for vhosts.

Unless you really want options to apply to all vhosts, it's probably
best to leave the fragments in mods-available alone, and add
configuration to the vhost fragments in /etc/apache2/sites-available.

I usually open any of these fragments using the mods-enabled/ or
sites-enabled/ path and the symlink, to make sure I'm actually editing a 
live file and not one that's disabled.

Run "a2enmod" and see what mods are actually loaded.  Then restart
Apache to make sure that's what's actually running.

Do you see any warnings in the main error log?
Are you able to use any repositories you've set up? From your original message it sounds like repository access is working, because otherwise 
it sounds like your configuration just isn't getting parsed.

[fiddles configs]  I think I may have found your problem, but I can't
explain *why* it's happening.  On two machines, with three vhosts, I
have SVN action logs enabled and working.  However, the CustomLog
directive is inside each individual vhost block; it's not "global" as 
you appear to be trying to do.  When I tried adding the CustomLog
directive in the same location as you're trying, I get the same result - 
log file is created, but nothing gets written to it.

Try adding the CustomLog to the vhost container for the vhost you're
trying to enable logging on - the "default" vhost should work OK if you 
don't have any others.  I'm not certain about this, however;  you may
have to define a vhost, or at least move all of your live SVN
configuration into the 000-default vhost configuration fragment.
(The /etc/apache2/mods-available/dav_svn.conf file is in fact completely 
commented out on the one machine;  all actual SVN configuration is in
the vhost definitions.  Aside from the other machine being CentOS and
using a different set of fragments it's the same story.)


### not sure why following does not work
### #MKB: turn on custom logs for easier reading
CustomLog /var/log/apache2/subversion.log "%t %u %{SVN-ACTION}e" env=SVN-ACTION 
LogFormat "%t %u %{SVN-ACTION}e" svn


The LogFormat line here isn't really doing anything useful for two
reasons: you've already given CustomLog the log format description, and 
you're defining the log format after the statement defining the log
file.  See
http://httpd.apache.org/docs/2.0/mod/mod_log_config.html#customlog.

-kgd



Okay, given this seems somewhat Debian-related (rather than subversion
only) I've added Debian-user to the cc list and also the
debian-admininstration lot in case they wish to use the info:

Kris, I've followed your example and
a) yes, dav_svn.conf is enabled

b) removed all Subversion-related CustomLog directives from
mods-available/dav_svn.conf

c) I've only the default virtual host:
	michael@ratty:/etc/apache2$ ls sites-available/
	default  default~
so have editted that to include the line
	CustomLog /var/log/apache2/subversion.log "%t %u %{SVN-ACTION}e"
env=SVN-ACTION
immediately after the line
	CustomLog /var/log/apache2/access.log combined
in the (only) VirtualHost present in that file.
Then reloading apache2 and doing an 'svn export' (on another machine) I 
do indeed get the required result:

michael@ratty:/var/log/apache2$ cat subversion.log
[17/Jan/2008:17:33:38 +0000] atmos_svn checkout-or-export '/'


Many thanks and I hope other Debian users find your help useful!

Michael



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Reply to: