Reverse Proxy Server 2: SVN4 Restricting access

From The Uniform Server Wiki
Jump to navigation Jump to search

 

Uniform Server 5.0-Nano
Reverse Proxy.

Restricting access to SVN back-end server.

Currently we have an SVN server accessible by our proxy server using either http or https. No restrictions are in place hence all users have the ability to manipulate repositories.

This page covers restricting access to the SVN server. I have assumed an open source project where we want users to have the ability to browse and download files. Only developers are allowed to change and update repositories access is via https allowing name password pairs to be encrypted.

Proxy Server

A user can currently access the subversion server through our proxy server using either http or https.

Both http and https allow the following methods through to the subversion server (back-end):
OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE

When a user uses an http connection we want to restrict repository access to browsing and downloading files.

To achieve this only the following methods are passed onto the SVN server for processing:
GET PROPFIND OPTIONS REPORT

Edit file: C:\server_a\UniServer\usr\local\apache2\conf\httpd.conf Change the Limit directive to LimitExcept as shown

ProxyPass /svn/ http://localhost:83/svn/
<Location /svn/ >
  ProxyPassReverse /svn/
   <LimitExcept GET PROPFIND OPTIONS REPORT>
     Order deny,allow
     Deny from all
   </LimitExcept>
</Location>

With the exceptions listed (GET PROPFIND OPTIONS REPORT) all other methods are denied.

Top

Test

Test the above configuration as follows:

  • Start server_a
  • Start server_c
  • Type http://localhost/svn/

Result: Collection of Repositories page displayed, click the link myproject or whatever you named your repository and have a browse.

SVN client:

Use your SVN client, confirm you can checkout a working copy, make a few changes and confirm you can not commit these to the repository.

Likewise using your client either copy or move a file within the repository again you will be prevented access.

That completes changes to the proxy server.

Top

SVN Back-end Server

With the above restrictions in place any method other than GET PROPFIND OPTIONS REPORT will be via https hence to restrict access basic authentication can be used. It’s easy to set up, data and name password pairs are encrypted over the Internet by the proxy server.

Password file

First we need a password file:

  • Create a new folder: C:\server_c\UniServer\htpasswd\svn
  • Inside this create a new file .htpasswd (copy an existing one and edit that)
  • Edit file .htpasswd and add name password pairs for example:
mike:root
john:123
fred:pas123

Top

Add authentication to location block

Password protecting repositories is straight forward inform Apache you want to use basic authentication. Instruct it where to find the password file target any write operation using LimitExcept and force a valid user.

Edit file C:\server_c\UniServer\usr\local\apache2\conf\httpd.conf

Change the location block (bottom of page) as shown below:

<location /svn>
 DAV svn
 SVNListParentPath on
 SVNParentPath C:/server_c/UniServer/svn

 AuthType Basic
 AuthName "Subversion repositories"
 AuthUserFile C:/server_c/UniServer/htpasswd/svn/.htpasswd

# For any operations other than these, require an authenticated user.
# Hence this block limits write permission to list of valid users.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>

</location>
  • AuthType Basic - Type of authentication is basic
  • AuthName - Name displayed in a browsers challenge pop-up box
  • AuthUserFile - Path to the password file


  • <LimitExcept></LimitExcept> Separate Require valid-user and target write requests.
  • Require valid-user - Informs Apache all users must supply a name and password.

Top

Test 2

Test the above configuration as follows:

  • Start server_a
  • Start server_c
  • Type https://localhost/svn/

Result: Collection of Repositories page displayed, click the link myproject or whatever you named your repository and have a browse.

SVN client:

Use your SVN client, confirm you can checkout a working copy, make a few changes and confirm you can commit these to the repository.

Likewise using your client either copy or move a file within the repository again you will be able to perfom these tasks.

That completes changes to the proxy server.

Note 1: You will be challenged to accept the server certificate, do so if given the choice accept it on a temporary basis.

Note 2: At least one of the repository, write operation will challenge for a name and password. Once verified and accepted no further challenges will be issued for this session.

Top

Summary

That completes securing our back-end SVN server, intention was to show how relatively easy it is to set-up. With working code you can easily modify to meet any specic requirements.

Before looking at deployment thought it would be more realistic to have another back-end server such as a Wiki covered on the next page.

Top


Ric