After upgrading to Fedora 12, I installed and tried to set up a Subversion repository with mixed success. I have worked out the bulk of the issues but one still has me stumped. Hopefully, someone on this list knows the answer or can point me to a URL that does.
The problem is that I cannot get Subversion to work with Apache 2.2. Every time that I try to check out the repository, I receive a 403 Forbidden Access error. To make matters more frustrating, if I access the repository using local access (file:///...) the command works. It is only when I try to use HTTP/WebDAV access (http://localhost/svn/...) that the access problem occurs.
Things that I have tried:
- SELinux enabled and disabled -- no difference.
- Various permissions and ownerships. -- The repository and Subversion directories are currently owned by apache.apache.
- Various settings in my subversion.conf file for httpd.
  -- When the <LimitExcept> section is commented out, the failure comes on the third "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" request. The first two return 207 while the third one returns 403. Using Wireshark, all three requests are identical barring numbers in the IP headers.
  -- When the <LimitExcept> section is active, the failure comes on the very first request, "OPTIONS /svn/Home/sfbooks/trunk HTTP/1.1" request with a 403 response.
  -- Both 403 responses contain the same reason: "You don't have permission to access /svn/Home/sfbooks/trunk\n on this server."
Any suggestions will be appreciated.
Setup:
Root Subversion Directory: /opt/Subversion
Repository Parent Directory: /opt/Subversion/repos
Password File: /opt/Subversion/users/passwords (created using htpasswd)
SVN Authz Config File: /opt/Subversion/permissions/svnauthz.conf

Repository: Home (located at /opt/Subversion/repos/Home)
Project within Home Repo: sfbooks/trunk

Content of passwords:
steven:MD5PasswordHash

Content of svnauthz.conf:
[/]
steven=rw
Content of conf.d/subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Alias /svn /opt/Subversion/repos

<Location /svn/>
    # mod_dav Commands
    DAV svn
    DavDepthInfinity on

    # SVN Provider Commands
    SVNParentPath /opt/Subversion/repos

    # authz_svn_module Commands
    AuthzSVNAccessFile /opt/Subversion/permissions/svnauthz.conf

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        # Authentication Commands
        AuthType Basic
        AuthName "Subversion Repository Login"
        AuthUserFile /opt/Subversion/users/passwords
        Satisfy Any
        Require valid-user
    </LimitExcept>

    # <Limit GET PROPFIND OPTIONS REPORT>
    #     Order Allow,Deny
    #     Allow from All
    # </Limit>
</Location>
On 12/29/2009 08:01 PM, Steven F. LeBrun wrote:
> After upgrading to Fedora 12, I installed and tried to set up a Subversion repository with mixed success. I have worked out the bulk of the issues but one still has me stumped. Hopefully, someone on this list knows the answer or can point me to a URL that does.
>
> The problem is that I cannot get Subversion to work with Apache 2.2. Every time that I try to check out the repository, I receive a 403 Forbidden Access error. To make matters more frustrating, if I access the repository using local access (file:///...) the command works. It is only when I try to use HTTP/WebDAV access (http://localhost/svn/...) that the access problem occurs.
>
> Things that I have tried:
> - SELinux enabled and disabled -- no difference.
> - Various permissions and ownerships. -- The repository and Subversion directories are currently owned by apache.apache.
> - Various settings in my subversion.conf file for httpd.
>   -- When the <LimitExcept> section is commented out, the failure comes on the third "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" request. The first two return 207 while the third one returns 403. Using Wireshark, all three requests are identical barring numbers in the IP headers.
>   -- When the <LimitExcept> section is active, the failure comes on the very first request, "OPTIONS /svn/Home/sfbooks/trunk HTTP/1.1" request with a 403 response.
>   -- Both 403 responses contain the same reason: "You don't have permission to access /svn/Home/sfbooks/trunk\n on this server."
>
> Any suggestions will be appreciated.
>
> Setup:
> Root Subversion Directory: /opt/Subversion
> Repository Parent Directory: /opt/Subversion/repos
> Password File: /opt/Subversion/users/passwords (created using htpasswd)
> SVN Authz Config File: /opt/Subversion/permissions/svnauthz.conf
>
> Repository: Home (located at /opt/Subversion/repos/Home)
> Project within Home Repo: sfbooks/trunk
>
> Content of passwords:
> steven:MD5PasswordHash
>
> Content of svnauthz.conf:
> [/]
> steven=rw
>
> Content of conf.d/subversion.conf
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
>
> Alias /svn /opt/Subversion/repos
>
> <Location /svn/>
>     # mod_dav Commands
>     DAV svn
>     DavDepthInfinity on
>
>     # SVN Provider Commands
>     SVNParentPath /opt/Subversion/repos
>
>     # authz_svn_module Commands
>     AuthzSVNAccessFile /opt/Subversion/permissions/svnauthz.conf
>
>     <LimitExcept GET PROPFIND OPTIONS REPORT>
>         # Authentication Commands
>         AuthType Basic
>         AuthName "Subversion Repository Login"
>         AuthUserFile /opt/Subversion/users/passwords
>         Satisfy Any
>         Require valid-user
>     </LimitExcept>
>
>     # <Limit GET PROPFIND OPTIONS REPORT>
>     #     Order Allow,Deny
>     #     Allow from All
>     # </Limit>
> </Location>
-- Steven F. LeBrun
Quote: /"Winter meant the coming of the lazy wind, which couldn't be bothered to blow around people and blew right through them instead."/ -- Terry Pratchett, from /"Wyrd Sisters"/
After a lot of searching with Google, forums, etc., no solution was found on the net. There were a lot of forums/mailing lists that listed the same problem but no solutions were offered. A lot of things were hinted at, but nobody had a general solution.
Most of the suggestions revolved around access permissions of the actual files in the repository and its path. That did not affect my problem.
Two facts led me to the final solution:

1) "svn checkout file:///[repo path] [sandbox path]" worked while "svn checkout http://localhost/[repo URI] [sandbox path]" did not. This led me to believe that I had created my Subversion repository correctly and that the problem was probably with my Apache configuration or Linux filesystem access permissions.

2) When I ran the checkout command using the http URL, the Apache access log showed multiple requests ran correctly before the 403 Forbidden occurred. Plus, the request that received the 403 status was the third request for the same data. The content of all three requests was identical with the exception of IP headers (counters and times differ).

So what could be the problem that allowed the first two PROPFIND requests to succeed while rejecting the third identical request?
The answer: mod_evasive (mod_evasive20.so in my case).
The evasive module is designed to stop denial of service attacks. It works by tracking how many times the same request comes in from the same IP address in a configurable interval. In the case of the default settings the threshold was set to 2 requests/IP Address/1 second interval. This allowed the first two PROPFIND requests to the same path to succeed and the third request to fail with a 403 Forbidden error.
Increasing the threshold to 5 requests per second per IP address fixed my WebDav access to my Subversion repository while still providing DOS attack protection.
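The diagnostic pattern described in the message above (a 403 that follows identical, successful requests from the same client inside the throttling interval) can be checked directly against an access log. This is an added example, not part of the original thread and not mod_evasive's own code; the log lines are constructed, and the function name, the `threshold`/`interval` parameters and the `/svn/Private` path are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Apache common log format (not taken from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [31/Dec/2009:02:00:00 -0500] "OPTIONS /svn/Home/sfbooks/trunk HTTP/1.1" 200 188
127.0.0.1 - - [31/Dec/2009:02:00:00 -0500] "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" 207 647
127.0.0.1 - - [31/Dec/2009:02:00:00 -0500] "PROPFIND /svn/Home/!svn/vcc/default HTTP/1.1" 207 398
127.0.0.1 - - [31/Dec/2009:02:00:00 -0500] "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" 207 647
127.0.0.1 - - [31/Dec/2009:02:00:00 -0500] "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" 403 305
127.0.0.1 - - [31/Dec/2009:02:05:00 -0500] "PROPFIND /svn/Private/trunk HTTP/1.1" 403 300
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def throttled_403s(lines, threshold=2, interval=1.0):
    """Return 403s preceded by >= threshold identical allowed requests.

    Assumption: "identical" means same client IP, method and URI, and the
    window is `interval` seconds, as the post describes the default settings.
    A 403 with no such history is more likely a real authorization denial.
    """
    recent = defaultdict(deque)  # (ip, method, uri) -> times of allowed hits
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, ts, method, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[(ip, method, uri)]
        # Access logs only have one-second resolution, so keep hits whose
        # logged time is at most `interval` seconds old.
        while hits and (when - hits[0]).total_seconds() > interval:
            hits.popleft()
        if status == "403":
            if len(hits) >= threshold:
                flagged.append((ip, method, uri, len(hits)))
        else:
            hits.append(when)
    return flagged


if __name__ == "__main__":
    for ip, method, uri, count in throttled_403s(SAMPLE_LOG):
        print(f"{ip} {method} {uri}: 403 after {count} identical requests")
```

Only the repeated PROPFIND is flagged; the later 403 on the other path has no preceding burst, so it points at permissions rather than rate limiting.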
On Thu, 2009-12-31 at 02:20 -0500, Steven F. LeBrun wrote:
> The answer: mod_evasive (mod_evasive20.so in my case).
>
> The evasive module is designed to stop denial of service attacks.
You have to wonder about that... (about it being designed to stop them, instead of create one). It doesn't sound sensibly configured, by default, according to your findings.
Though, is your application really making the *same* request that often, or similar requests? If it's making the exact same request, that doesn't sound like a good thing, in itself.
On 01/02/2010 05:07 AM, Tim wrote:
> On Thu, 2009-12-31 at 02:20 -0500, Steven F. LeBrun wrote:
>> The answer: mod_evasive (mod_evasive20.so in my case).
>>
>> The evasive module is designed to stop denial of service attacks.
>
> You have to wonder about that... (about it being designed to stop them, instead of create one). It doesn't sound sensibly configured, by default, according to your findings.
>
> Though, is your application really making the *same* request that often, or similar requests? If it's making the exact same request, that doesn't sound like a good thing, in itself.
Yes, I am sure that the application, svn (Subversion) in this case, is making three identical requests. The requests were captured using Wireshark so I was able to see all the bits sent and received. There are one or two different requests made between each of the identical ones.
Without examining the source code, I cannot say why svn makes the same three requests instead of making it once and caching the data.