Reverse Proxy Server 2: SVN3 over https: Difference between revisions
Upazixorys (talk | contribs) No edit summary |
m (Reverted edits by Upazixorys (Talk); changed back to last version by Ric) |
||
Line 1: | Line 1: | ||
{{Nav reverse proxy server}} | {{Nav reverse proxy server}} | ||
Line 13: | Line 12: | ||
If you have no already done so create a new server certificate for the proxy server as follows: | If you have no already done so create a new server certificate for the proxy server as follows: | ||
* Run server_a | * Run server_a | ||
* Left click tray icon select '''Advanced''' | * Left click tray icon select '''Advanced''' > '''Server certificate and key generator''' | ||
* Press Enter at all prompts | * Press Enter at all prompts | ||
This creates an new server certificate and key pair, in addition enables https in Apache's configuration file. | This creates an new server certificate and key pair, in addition enables https in Apache's configuration file. | ||
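Review bot: Two typos are carried over unchanged on both sides of this hunk: "If you have no already done so" should read "not already done so", and "This creates an new server certificate" should read "a new". Since the revert touches these lines anyway, fix them in the same edit.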
Line 25: | Line 24: | ||
Add the following code: | Add the following code: | ||
<pre> | |||
ProxyPass /svn/ http://localhost:83/svn/ | ProxyPass /svn/ http://localhost:83/svn/ | ||
<Location /svn/ > | |||
ProxyPassReverse /svn/ | ProxyPassReverse /svn/ | ||
<Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE> | |||
Order Deny,Allow | Order Deny,Allow | ||
Allow from all | Allow from all | ||
Satisfy Any | Satisfy Any | ||
</Limit> | |||
</Location> | |||
</pre> | |||
The code is placed almost at the end of the file just above | The code is placed almost at the end of the file just above </VirtualHost> as shown below | ||
<pre> | |||
#== Most problems of broken clients are related to the HTTP | #== Most problems of broken clients are related to the HTTP | ||
# keep-alive facility. Disable keep-alive for those clients. | # keep-alive facility. Disable keep-alive for those clients. | ||
SetEnvIf User-Agent | SetEnvIf User-Agent ".*MSIE.*" \ | ||
nokeepalive ssl-unclean-shutdown \ | nokeepalive ssl-unclean-shutdown \ | ||
downgrade-1.0 force-response-1.0 | downgrade-1.0 force-response-1.0 | ||
ProxyPass /svn/ http://localhost:83/svn/ | ProxyPass /svn/ http://localhost:83/svn/ | ||
<Location /svn/ > | |||
ProxyPassReverse /svn/ | ProxyPassReverse /svn/ | ||
<Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE> | |||
Order Deny,Allow | Order Deny,Allow | ||
Allow from all | Allow from all | ||
Satisfy Any | Satisfy Any | ||
</Limit> | |||
</Location> | |||
</VirtualHost> | |||
</pre> | |||
=== Test === | === Test === | ||
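Review bot: Inside the restored <Limit> block, "Allow from all" combined with "Satisfy Any" opens every listed method, including PUT, DELETE, MOVE and MERGE, to any client that can reach the https virtual host. If this is meant only as a test stage, say so next to the block and point to the page that adds access restrictions, so the fragment is not copied into a deployment as it stands.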
Line 61: | Line 60: | ||
* Start server_a | * Start server_a | ||
* Start server_c | * Start server_c | ||
* Type '''https:''' | * Type '''https:'''<nowiki>//localhost/svn/</nowiki>''' | ||
'''''Result'':''' Collection of Repositories page displayed, click the link '''myproject''' or whatever you named your repository and have a browse. | '''''Result'':''' Collection of Repositories page displayed, click the link '''myproject''' or whatever you named your repository and have a browse. | ||
Line 69: | Line 68: | ||
Using your client either '''copy''' or '''move''' a file within the repository you will receive a '''Bad Gateway''' error message e.g. | Using your client either '''copy''' or '''move''' a file within the repository you will receive a '''Bad Gateway''' error message e.g. | ||
<pre> | |||
Error: Error while performing action: COPY of ../perl/Run.bat: 502 Bad Gateway (https://localhost) | Error: Error while performing action: COPY of ../perl/Run.bat: 502 Bad Gateway (https://localhost) | ||
</pre> | |||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
Line 82: | Line 81: | ||
Interestingly mod_dav validates only the scheme and not host-name this makes the solution a one liner. | Interestingly mod_dav validates only the scheme and not host-name this makes the solution a one liner. | ||
Add this line | Add this line | ||
<pre> | |||
RequestHeader edit Destination ^https://(.*)$ http://$1 | RequestHeader edit Destination ^https://(.*)$ http://$1 | ||
</pre> | |||
It translates the destination header from '''https''' to '''http''' thus keeping DAV happy | It translates the destination header from '''https''' to '''http''' thus keeping DAV happy | ||
Edit file: C:\server_a\UniServer\usr\local\apache2\conf\ssl.conf add the line above location as shown below: | Edit file: C:\server_a\UniServer\usr\local\apache2\conf\ssl.conf add the line above location as shown below: | ||
<pre> | |||
RequestHeader edit Destination ^https://(.*)$ http://$1 | RequestHeader edit Destination ^https://(.*)$ http://$1 | ||
ProxyPass /svn/ http://localhost:83/svn/ | ProxyPass /svn/ http://localhost:83/svn/ | ||
<Location /svn/ > | |||
ProxyPassReverse /svn/ | ProxyPassReverse /svn/ | ||
<Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE> | |||
Order Deny,Allow | Order Deny,Allow | ||
Allow from all | Allow from all | ||
Satisfy Any | Satisfy Any | ||
</Limit> | |||
</Location> | |||
</pre> | |||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
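Review bot: The "RequestHeader edit Destination" line sits above <Location /svn/ >, so it applies to every request on the virtual host, and ^https://(.*)$ matches any host and path. Consider moving it inside the Location block and anchoring the pattern to the proxy's own host name and the /svn/ prefix so that only the requests that need the rewrite get it. The text should also state that RequestHeader requires mod_headers to be loaded.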
Line 106: | Line 105: | ||
* Start server_a | * Start server_a | ||
* Start server_c | * Start server_c | ||
* Type '''https:''' | * Type '''https:'''<nowiki>//localhost/svn/</nowiki>''' | ||
'''''Result'':''' Collection of Repositories page displayed, click the link '''myproject''' or whatever you named your repository and have a browse. | '''''Result'':''' Collection of Repositories page displayed, click the link '''myproject''' or whatever you named your repository and have a browse. | ||
Line 126: | Line 125: | ||
{| | {| | ||
|-valign= | |-valign="middle" | ||
| [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]] | | [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]] | ||
|} | |} | ||
[[Category: Uniform Server 5.0-Nano]] | [[Category: Uniform Server 5.0-Nano]] |
Latest revision as of 08:18, 24 November 2010
Uniform Server 5.0-Nano Reverse Proxy.
How to configure the proxy server to run a Subversion server over https.
On the previous page I covered how to proxy our SVN back-end server over http. As a prerequisite to securing SVN, this page looks at how to proxy this SVN back-end server over https.
It also shows how to resolve the Bad Gateway error message, which is a consequence of going from https (front-end server) to http (back-end server).
I have assumed you are following this tutorial and have the test servers in place.
Server certificate
If you have not already done so, create a new server certificate for the proxy server as follows:
- Run server_a
- Left-click the tray icon and select Advanced > Server certificate and key generator
- Press Enter at all prompts
This creates a new server certificate and key pair and, in addition, enables https in Apache's configuration file.
Edit configuration file
Running SVN over https is similar to http and uses identical code; the only difference is where that code is located.
Edit file C:\server_a\UniServer\usr\local\apache2\conf\ssl.conf
Add the following code:
    ProxyPass /svn/ http://localhost:83/svn/
    <Location /svn/ >
        ProxyPassReverse /svn/
        <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            Order Deny,Allow
            Allow from all
            Satisfy Any
        </Limit>
    </Location>
The code is placed almost at the end of the file, just above </VirtualHost>, as shown below:
    #== Most problems of broken clients are related to the HTTP
    # keep-alive facility. Disable keep-alive for those clients.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ProxyPass /svn/ http://localhost:83/svn/
    <Location /svn/ >
        ProxyPassReverse /svn/
        <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            Order Deny,Allow
            Allow from all
            Satisfy Any
        </Limit>
    </Location>
    </VirtualHost>
Test
The purpose of this test is to check the configuration and demonstrate the Bad Gateway error message.
- Start server_a
- Start server_c
- Type https://localhost/svn/
Result: Collection of Repositories page displayed, click the link myproject or whatever you named your repository and have a browse.
SVN client:
Use your SVN client, confirm you can checkout a working copy, make a few changes and confirm you can commit these to the repository.
Using your client, either copy or move a file within the repository; you will receive a Bad Gateway error message, e.g.
Error: Error while performing action: COPY of ../perl/Run.bat: 502 Bad Gateway (https://localhost)
Headers
You will have noticed that most Subversion operations work through the proxy. However, operations such as COPY or MOVE, for both files and directories, fail with the error Bad Gateway.
The reason is that DAV requests such as COPY and MOVE carry a Destination header that contains the full target path of the operation. Since we are going from HTTPS to HTTP, it looks as if the operation is for a different machine (server) that does not exist, hence the Bad Gateway error (it cannot find a back-end server https://).
Interestingly, mod_dav validates only the scheme and not the host name, which makes the solution a one-liner. Add this line:
RequestHeader edit Destination ^https://(.*)$ http://$1
It translates the Destination header from https to http, thus keeping DAV happy.
Edit file C:\server_a\UniServer\usr\local\apache2\conf\ssl.conf and add the line above the Location block as shown below:
    RequestHeader edit Destination ^https://(.*)$ http://$1

    ProxyPass /svn/ http://localhost:83/svn/
    <Location /svn/ >
        ProxyPassReverse /svn/
        <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE>
            Order Deny,Allow
            Allow from all
            Satisfy Any
        </Limit>
    </Location>
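The header translation described above, as an added example that is not part of the original page: a small Python model of the proxy hop that applies the page's RequestHeader edit pattern to a Destination header and then applies the scheme-only check the page attributes to mod_dav. The ANCHORED_RULE variant, the sample Destination values and the function names are assumptions made for illustration.

```python
import re

BACKEND_SCHEME = "http"  # the page proxies to http://localhost:83/svn/

# (pattern, replacement) pairs standing in for "RequestHeader edit Destination ..."
PAGE_RULE = (r"^https://(.*)$", r"http://\1")  # the page's one-liner
# Assumption: a narrower variant anchored to the proxy's own host and /svn/ path.
ANCHORED_RULE = (r"^https://localhost/svn/(.*)$", r"http://localhost/svn/\1")

# Constructed sample headers, not captured traffic.
OWN = {"Destination": "https://localhost/svn/myproject/perl/Run2.bat"}
FOREIGN = {"Destination": "https://other.example/elsewhere/Run2.bat"}


def edit_destination(headers, rule):
    """Copy headers and edit Destination the way mod_headers 'edit' does
    (first match only); requests without a Destination pass through unchanged."""
    out = dict(headers)
    if rule and "Destination" in out:
        pattern, repl = rule
        out["Destination"] = re.sub(pattern, repl, out["Destination"], count=1)
    return out


def backend_status(method, headers):
    """Back end as the page describes it: for COPY and MOVE only the scheme of
    Destination is compared with the scheme the back end is served on."""
    if method not in ("COPY", "MOVE"):
        return 200  # PROPFIND, PUT, etc. carry no Destination to validate
    scheme = headers.get("Destination", "").split("://", 1)[0]
    return 201 if scheme == BACKEND_SCHEME else 502


def through_proxy(method, headers, rule=None):
    """Status the client sees for one request passed through the front end."""
    return backend_status(method, edit_destination(headers, rule))


if __name__ == "__main__":
    for name, rule in (("no rule", None), ("page rule", PAGE_RULE),
                       ("anchored rule", ANCHORED_RULE)):
        print(name, through_proxy("COPY", OWN, rule),
              through_proxy("COPY", FOREIGN, rule))
```

The anchored rule still fixes COPY and MOVE inside /svn/ while leaving any other Destination value untouched, so such a request keeps failing the scheme check.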
Test 2
Repeat the above test.
- Start server_a
- Start server_c
- Type https://localhost/svn/
Result: Collection of Repositories page displayed, click the link myproject or whatever you named your repository and have a browse.
SVN client:
Use your SVN client, confirm you can checkout a working copy, make a few changes and confirm you can commit these to the repository.
Using your client, either copy or move a file within the repository; this time you will not receive a Bad Gateway error message.
Summary
The above shows how to proxy an SVN server over https. There are no restrictions; this allows all users access with the ability to manipulate repositories.
On the next page I cover restricting access.
Ric