<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
<br>
On 12/29/2009 08:01 PM, Steven F. LeBrun wrote:
<blockquote cite="mid:4B3AA678.6050304@lebruns.com" type="cite">
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
After upgrading to Fedora 12, I installed and tried to set up a
Subversion repository with mixed success. I have worked out the bulk
of the issues but one still has me stumped. Hopefully, someone on this
list knows the answer or can point me to a URL that does.<br>
<br>
The problem is that I cannot get Subversion to work with Apache 2.2.
Every time that I try to checkout the repository, I receive a 403
Forbidden Access error. To make matters more frustrating, if I access
the repository using local access (<a moz-do-not-send="true"
class="moz-txt-link-freetext" href="file:///">file:///</a>...) the
command works. It
is only when I try to use HTTP/WebDAV access (<a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://localhost/svn/">http://localhost/svn/</a>...)
does
the access problem occur.<br>
<br>
Things that I have tried:<br>
<br>
- SELinux enabled and disabled -- no difference.<br>
<br>
- Various permissions and ownerships.<br>
-- The repository and Subversion directories are currently owned by
apache.apache.<br>
<br>
- Various settings in my subversion.conf file for httpd. <br>
-- When the <LimitExcept> section is commented out, the failure
comes on the third<br>
"PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" request. The first
two return 207 <br>
while the third one returns 403. Using Wireshark, all three
requests are identical<br>
barring numbers in the IP headers.<br>
-- When the <LimitExcept> section is active, the failure comes
on the very first request,<br>
"OPTIONS /svn/Home/sfbooks/trunk HTTP/1.1" request with a 403
response.<br>
-- Both 403 responses contain the same reason: "You don't have
permission to access<br>
/svn/Home/sfbooks/trunk\n on this server."<br>
<br>
Any suggestions will be appreciated.<br>
<br>
Setup:<br>
<br>
Root Subversion Directory: /opt/Subversion<br>
Repository Parent Directory: /opt/Subversion/repos<br>
Password File: /opt/Subversion/users/passwords
(created using htpasswd)<br>
SVN Authz Config File:
/opt/Subversion/permissions/svnauthz.conf<br>
<br>
Repository: Home (located at
/opt/Subversion/repos/Home)<br>
Project within Home Repo: sfbooks/trunk<br>
<br>
Content of passwords:<br>
steven:MD5PasswordHash<br>
<br>
Content of svnauthz.conf<br>
[/]<br>
steven=rw<br>
<br>
Content of conf.d/subversion.conf<br>
<br>
LoadModule dav_svn_module modules/mod_dav_svn.so<br>
LoadModule authz_svn_module modules/mod_authz_svn.so<br>
<br>
Alias /svn /opt/Subversion/repos<br>
<br>
<Location /svn/><br>
# mod_dav Commands<br>
DAV svn<br>
DavDepthInfinity on<br>
<br>
# SVN Provider Commands<br>
SVNParentPath /opt/Subversion/repos<br>
<br>
# authz_svn_module Commands<br>
AuthzSVNAccessFile /opt/Subversion/permissions/svnauthz.conf<br>
<br>
<br>
<LimitExcept GET PROPFIND OPTIONS REPORT><br>
# Authentication Commands<br>
AuthType Basic<br>
AuthName "Subversion Repository Login"<br>
AuthUserFile /opt/Subversion/users/passwords<br>
Satisfy Any<br>
Require valid-user<br>
</LimitExcept><br>
<br>
# <Limit GET PROPFIND OPTIONS REPORT><br>
# Order Allow,Deny<br>
# Allow from All<br>
# </Limit><br>
<br>
</Location><br>
<br>
<br>
<div class="moz-signature">-- <br>
<div> Steven F. LeBrun<br>
<p>
Quote: <em>"Winter meant the coming of the lazy wind, which couldn't
be
bothered to blow around people and blew right through them instead."</em><br>
-- Terry Pratchett, from <em>"Wyrd Sisters"</em></p>
</div>
</div>
</blockquote>
<div class="moz-signature"><font color="#000000"><br>
After a lot of searching with google, forums, etc, no solution was
found on the net. There were a lot of forums/mailing lists that listed
the same problem but no solutions were offered. A lot of things were
hinted at nobody had a general solution.<br>
<br>
Most of the suggestions revolved around access permissions of the
actual files in the repository and its path. That did not affect my
problem.<br>
<br>
Two facts lead me to the final solution:<br>
1) "svn checkout <a class="moz-txt-link-freetext" href="file:///">file:///</a>[repo path] [sandbox path]" worked while<br>
"svn checkout <a class="moz-txt-link-freetext" href="http://localhost/">http://localhost/</a>[repo URI] [sandbox path]" did not.<br>
This lead me to believe that I had created my Subversion
repository correctly and that<br>
the problem was probably with my Apache configuration or Linux
filesystem access<br>
permissions.<br>
<br>
2) When I ran the checkout command using the http URL, the Apache
access log showed <br>
multiple requests ran correctly before the 403 Forbidden
occurred. Plus, the request<br>
that received the 403 status was the third request for the same
data. The content of<br>
the all three requests were identical with the exception of IP
headers (counters and <br>
times differ).<br>
<br>
So what could be the problem that allowed the first two PROPFIND
requests to succeed while rejecting the third identical request.<br>
<br>
The answer: mod_evasive (mod_evasive20.so in my case).<br>
<br>
The evasive module is designed to stop denial of service attacks. It
works by tracking how many times the same request comes in from the
same IP address in a configurable interval. In the case of the default
settings the threshold was set to 2 requests/IP Address/1 second
interval. This allowed the first two PROPFIND requests to the same
path to succeed and the third request to fail with a 403 Forbidden
error.<br>
<br>
Increasing the threshold to 5 requests per second per IP address fixed
my WebDav access to my Subversion repository while still providing DOS
attack protection.<br>
<br>
<br>
</font>-- <br>
<div> Steven F. LeBrun<br>
<p>
Quote: <em>
"There are 10 types of people in this world, those that understand
binary and those who don't."
</em><br>
</p>
</div>
</div>
</body>
</html>