You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by John Pye <jo...@anu.edu.au> on 2009/05/15 08:30:04 UTC
strange error with subversion: "client denied by server
configuration: /htdocs"
Hi all
We're having some strange errors with our Subversion server at the
moment in our open source project, ASCEND.
For *some* clients, we see errors like this:
jpye@ascend:~$ svn co
http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers test1
svn: PROPFIND request failed on '/ascend/!svn/vcc/default'
svn: PROPFIND of '/ascend/!svn/vcc/default': 403 Forbidden
(http://ascendsvn.cheme.cmu.edu)
which is accompanied by an error in the Apache logs:
[Fri May 15 04:20:58 2009] [error] [client 128.2.52.249] client denied
by server configuration: /htdocs
but for *other* clients, there is no error at all, and the command works
just fine.
Our host server is running Ubuntu Hardy, with subversion 1.4.6, all
standard Ubuntu packages. This error as above is seen on the same
server, but I have tested and the same command runs find on a Fedora 9
machine running the exact same version of the Subversion client. I also
have no problems on an Ubuntu Jaunty machine running 1.5.4.
When I access the subversion server using a web browser, it also all
works fine:
http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/
Any suggestions on how to troubleshoot this annoying bug?
Below is the relevant Apache configuration...
Cheers
JP
<VirtualHost *:80>
ServerAdmin john.pye@anu.edu.au
ServerName ascendsvn.cheme.cmu.edu
ErrorLog /var/log/apache2/svn-error.log
RedirectMatch ^/stats/?$
http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
RedirectMatch permanent ^/$ /ascend
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog /var/log/apache2/svn.log combined
ServerSignature On
<Location /ascend>
DAV svn
SVNPath /home/svn/ascend
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
# Uncomment the following line to enable Authz Authentication
# AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# The following three lines allow anonymous read, but make
# committers authenticate themselves.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
--
Dr John Pye
Dept of Engineering
Australian National University
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2268258
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
FYI I found a workaround for this issue... move to the svnserve protocol
via inetd.
If anyone later works out the real solution, please let me know. Perhaps
something with file permissions in the svn directory tree.
Cheers
JP
Andrey Repin wrote:
>
> You addressing them through DAV_SVN in the end.
>
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2358662
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi Ryan
Ryan Schmidt wrote:
> On May 26, 2009, at 00:03, John Pye wrote:
>
>>>>> Hm. Try setting DocumentRoot /home/svn?
>>>>
>>>> That can't possibly be the solution.
>>>
>>> To me, it absolutely must.
>>
>> I note that most SVN configurations work fine with no DocumentRoot being
>> specified.
>> http://svnbook.red-bean.com/en/1.1/ch06s04.html
>
> Note that this is the ancient 1.1 version of the book. A newer 1.5
> version of the book exists.
Perhaps those guys could be persuaded to redirect to the newer book?
>> http://articles.techrepublic.com.com/5100-10878_11-5902186.html
>> http://www.debuntu.org/2006/05/20/54-how-to-subversion-svn-with-apache2-and-dav
>>
>>
>>
>> To quote the red bean book:
>>
>> For example, if your main DocumentRoot is /www, do not export a
>> Subversion repository in <Location /www/repos>. If a request comes in
>> for the URI /www/repos/foo.c, Apache won't know whether to look for a
>> file repos/foo.c in the DocumentRoot, or whether to delegate
>> *mod_dav_svn* to return foo.c from the Subversion repository.
>
> Is that passage really in the book too? I know it's in the FAQ. I have
> often lamented the fact that the author of that paragraph appears not
> to understand the difference between URL paths and disk paths. Clearly
> if DocumentRoot is /www then any URL path will be appended to /www to
> get its disk path. So a request for the URI /www/repos/foo.c might
> attempt to access the disk file /www/www/repos/foo.c. But it will not
> look for a disk file /www/repos/foo.c as the paragraph states.
It's a quote! Seems ridiculous to me that DocumentRoot should even enter
into a discussion on configuring a SVN-over-WebDAV server.
>>> The only way to cause "Client denied by server configuration" is to
>>> have
>>> implicit or explicit Deny rule applied to that client in one way or
>>> another.
>>
>> OK, so it's possible, but I'm still hunting for where this could be.
>> Unless it's in one of the /etc/apache2/mods-available files...
>>
>> Surely my configuration file overrides any such Allow/Deny rules, by
>> creating a whole new set?
>
> Well, if you have a global Allow or Deny rule set somewhere, then it
> applies globally.
I couldn't see any...
jpye@ascend:/etc/apache2$ sudo find . | sudo xargs grep "Deny"
./mods-enabled/status.conf: Deny from all
./sites-enabled/000-default: Deny from all
./apache2.conf: Deny from all
In apache2.conf, it's a rule for .ht* files.
In status.conf, it's a rule for the location /server-status
In default, it's a rule for directory /var/www and another for
/usr/lib/cgi-bin.
That's all the files being read as far as I can tell. Some others in
'sites-available' and 'mods-available' that shouldn't be read.
>
>>> Which leads to what i though: you have globally defined settings that
>>> affecting your virtualhost.
>>> Either Option -Indexes or Deny
>>
>> Surely I can override there here though? Surely I already have with the
>> settings previously provided? If not, how not?
>
> If there is a global Options directive elsewhere that is causing
> interference (I don't know that an Options directive can cause
> interference to Subversion), then you can define a new Options
> directive for the Subversion repository area to set the options back
> to defaults maybe.
I think I tried that, wasn't the solution.
>
>
>>> Hm. This is interesting. I've tried this same request on my repos.
>>>
>>> curl -iX PROPFIND -u user:pass http://svn.darkdragon/repos/trunk
>>> HTTP/1.1 403 Forbidden
>>> Date: Thu, 21 May 2009 12:14:29 GMT
>>> Server: Apache/2.2.11 (Win32) mod_auth_sspi/1.0.5 SVN/1.6.1
>>> PHP/5.2.2 DAV/2
>>> Content-Length: 227
>>> Content-Type: text/html; charset=ISO-8859-1
>>>
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> <html><head>
>>> <title>403 Forbidden</title>
>>> </head><body>
>>> <h1>Forbidden</h1>
>>> <p>PROPFIND requests with a Depth of "infinity" are not allowed for
>>> /repos/trunk.</p>
>>> </body></html>
>>>
>>> Client was running 1.6.1 too.
>>
>> OK, so you're getting the "Depth infinity" error as well... so a 403
>> error is a fundamental part of a fully operations SVN installation???
>
> I think he's trying to show, since the same error message occurs when
> he runs the command against his working repository, that the error
> message is inconsequential. I would imagine you need to add more
> parameters to the PROPFIND command in order to make Subversion return
> an intelligible result.
Point is that this was working most of the time, just failing sometimes.
>> An interesting thing, not sure if it's relevant. Today I attempted an
>> "svn up" on my *working* client, and I got the 403 error once, then got
>> a successful update the second time!
>>
>> john@thunder:~/ascend$ svn up
>> svn: Server sent unexpected return value (403 Forbidden) in response to
>> PROPFIND request for '/ascend/code/trunk'
>> john@thunder:~/ascend$ svn up
>> At revision 2280.
>>
>> How could that happen?
>
> More intermittent behavior, as if sometimes Apache is reaching for one
> resource (which is 403 forbidden) and sometimes it's reaching for a
> different one (which is your repository). I don't know if I have any
> other tricks to suggest for how to identify the conflicting directives
> in your config file.
I could even attempt the exact same query and sometimes it would fail
then try again and it would work. Something about local caching maybe?
Anyway, happily migrated to svnserve now. Hopefully it will be problem free.
Cheers
JP
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2358682
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Ryan Schmidt <su...@ryandesign.com>.
On May 26, 2009, at 00:03, John Pye wrote:
>>>> Hm. Try setting DocumentRoot /home/svn?
>>>
>>> That can't possibly be the solution.
>>
>> To me, it absolutely must.
>
> I note that most SVN configurations work fine with no DocumentRoot
> being
> specified.
> http://svnbook.red-bean.com/en/1.1/ch06s04.html
Note that this is the ancient 1.1 version of the book. A newer 1.5
version of the book exists.
> http://articles.techrepublic.com.com/5100-10878_11-5902186.html
> http://www.debuntu.org/2006/05/20/54-how-to-subversion-svn-with-
> apache2-and-dav
>
>
> To quote the red bean book:
>
> For example, if your main DocumentRoot is /www, do not export a
> Subversion repository in <Location /www/repos>. If a request comes in
> for the URI /www/repos/foo.c, Apache won't know whether to look for a
> file repos/foo.c in the DocumentRoot, or whether to delegate
> *mod_dav_svn* to return foo.c from the Subversion repository.
Is that passage really in the book too? I know it's in the FAQ. I
have often lamented the fact that the author of that paragraph
appears not to understand the difference between URL paths and disk
paths. Clearly if DocumentRoot is /www then any URL path will be
appended to /www to get its disk path. So a request for the URI /www/
repos/foo.c might attempt to access the disk file /www/www/repos/
foo.c. But it will not look for a disk file /www/repos/foo.c as the
paragraph states.
>> The only way to cause "Client denied by server configuration" is
>> to have
>> implicit or explicit Deny rule applied to that client in one way
>> or another.
>
> OK, so it's possible, but I'm still hunting for where this could be.
> Unless it's in one of the /etc/apache2/mods-available files...
>
> Surely my configuration file overrides any such Allow/Deny rules, by
> creating a whole new set?
Well, if you have a global Allow or Deny rule set somewhere, then it
applies globally.
>> Which leads to what i though: you have globally defined settings that
>> affecting your virtualhost.
>> Either Option -Indexes or Deny
>
> Surely I can override there here though? Surely I already have with
> the
> settings previously provided? If not, how not?
If there is a global Options directive elsewhere that is causing
interference (I don't know that an Options directive can cause
interference to Subversion), then you can define a new Options
directive for the Subversion repository area to set the options back
to defaults maybe.
>> Hm. This is interesting. I've tried this same request on my repos.
>>
>> curl -iX PROPFIND -u user:pass http://svn.darkdragon/repos/trunk
>> HTTP/1.1 403 Forbidden
>> Date: Thu, 21 May 2009 12:14:29 GMT
>> Server: Apache/2.2.11 (Win32) mod_auth_sspi/1.0.5 SVN/1.6.1 PHP/
>> 5.2.2 DAV/2
>> Content-Length: 227
>> Content-Type: text/html; charset=ISO-8859-1
>>
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>403 Forbidden</title>
>> </head><body>
>> <h1>Forbidden</h1>
>> <p>PROPFIND requests with a Depth of "infinity" are not allowed
>> for /repos/trunk.</p>
>> </body></html>
>>
>> Client was running 1.6.1 too.
>
> OK, so you're getting the "Depth infinity" error as well... so a 403
> error is a fundamental part of a fully operations SVN installation???
I think he's trying to show, since the same error message occurs when
he runs the command against his working repository, that the error
message is inconsequential. I would imagine you need to add more
parameters to the PROPFIND command in order to make Subversion return
an intelligible result.
> An interesting thing, not sure if it's relevant. Today I attempted an
> "svn up" on my *working* client, and I got the 403 error once, then
> got
> a successful update the second time!
>
> john@thunder:~/ascend$ svn up
> svn: Server sent unexpected return value (403 Forbidden) in
> response to
> PROPFIND request for '/ascend/code/trunk'
> john@thunder:~/ascend$ svn up
> At revision 2280.
>
> How could that happen?
More intermittent behavior, as if sometimes Apache is reaching for
one resource (which is 403 forbidden) and sometimes it's reaching for
a different one (which is your repository). I don't know if I have
any other tricks to suggest for how to identify the conflicting
directives in your config file.
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2358669
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi all
Andrey Repin wrote:
> Greetings, John Pye!
>
>
>>>>>>> Looking at your VH definition... it's messy.
>>>>>>> Reduce the number of entities. Add next one only after you have the previous
>>>>>>> work "as expected".
>>>>>>> And put
>>>>>>>
>>>>>>> Order allow,deny
>>>>>>> Allow from all
>>>>>>>
>>>>>>> Before <Location> blocks.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> You can't put Order or Allow statements outside either <Location> or
>>>>>> <Directory> tags, AIUI.
>>>>>>
>>>>>>
>>>>>>
>>>>> Still, it's messy.
>>>>>
>>>>> Try starting from
>>>>>
>>>>> <VirtualHost *:80>
>>>>> ServerAdmin john.pye@anu.edu.au
>>>>> ServerName ascendsvn.cheme.cmu.edu
>>>>>
>>>>> DocumentRoot /var/www/svn
>>>>>
>>>>> # Possible values include: debug, info, notice, warn, error, crit,
>>>>> # alert, emerg.
>>>>> LogLevel debug
>>>>> ErrorLog /var/log/apache2/svn-error.log
>>>>>
>>>>> RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
>>>>>
>>>>> #RedirectMatch permanent ^/$ /ascend
>>>>>
>>>>> CustomLog /var/log/apache2/svn.log combined
>>>>> ServerSignature On
>>>>>
>>>>> <Location />
>>>>> Order Allow,Deny
>>>>> Allow from all
>>>>> DAV svn
>>>>> SVNParentPath /home/svn
>>>>> </Location>
>>>>>
>>>>> </VirtualHost>
>>>>>
>>>>> And see how that would work.
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>> I tried this, I get exactly the same error message. svn-error.log
>>>> contains...
>>>>
>>>>
>>>
>>>
>>>> [Tue May 19 19:35:42 2009] [error] [client 128.2.52.249] client denied
>>>> by server configuration: /var/www/svn/ascend
>>>>
>>>>
>>>
>>>
>>>> This error is completely weird because it relates to
>>>> /var/www/svn/ascend, which doesn't exist and should NEVER be being
>>>> requested...
>>>>
>>>>
>>> Hm. Try setting
>>> DocumentRoot /home/svn
>>> ?
>>>
>>>
>
>
>> That can't possibly be the solution.
>>
>
> To me, it absolutely must.
>
I note that most SVN configurations work fine with no DocumentRoot being
specified.
http://svnbook.red-bean.com/en/1.1/ch06s04.html
http://articles.techrepublic.com.com/5100-10878_11-5902186.html
http://www.debuntu.org/2006/05/20/54-how-to-subversion-svn-with-apache2-and-dav
To quote the red bean book:
For example, if your main DocumentRoot is /www, do not export a
Subversion repository in <Location /www/repos>. If a request comes in
for the URI /www/repos/foo.c, Apache won't know whether to look for a
file repos/foo.c in the DocumentRoot, or whether to delegate
*mod_dav_svn* to return foo.c from the Subversion repository.
>
>> The directory structure of
>>
>
> Are irrelevant.
>
Disagree: specifing DocumentRoot is telling Apache that it can serve up
documents from within that file tree using the 'tail' of the URLs.
>> /home/svn in no way matches the paths that are being requested via the
>> URLs, so this is definitely not the solution.
>>
>
> You addressing them through DAV_SVN in the end.
>
Yes, which is why DocumentRoot should not be used and is irrelevant
here. In fact it breaks things.
>
>>>> I appreciate your general approach but as far as I can see we're not
>>>> touching the root cause of this problem yet.
>>>>
>>>>
>>> Well, two things I know may produce this result:
>>> Location/Directory block referencing the path requested and the general
>>> Allow/Deny rule over the "/" of filesystem.
>>> It's really hard to tell what is the case by looking only at the extracted
>>> part of Apache configuration.
>>>
>>>
>
>
>> I don't actually think that this is an Allow/Deny problem.
>>
>
> It is.
> The only way to cause "Client denied by server configuration" is to have
> implicit or explicit Deny rule applied to that client in one way or another.
>
OK, so it's possible, but I'm still hunting for where this could be.
Unless it's in one of the /etc/apache2/mods-available files...
Surely my configuration file overrides any such Allow/Deny rules, by
creating a whole new set?
>
>> The final error message from svn-error.log makes no sense, because the
>> 'ascendsvn' virtual host is obviously dealing with it, but DAV is
>> apparently not dealing with it, even though the URL seems to match.
>> Also, why is it a 403 error, rather than a 404 error, given that there
>> is no such directory /var/ww/svn/ascend.
>>
>
> Ask your CMS documentation...
>
My CMS? Content management system? I don't have one installed here.
[...]
>
>> If I remove the DocumentRoot directive then the machines that were
>> previously working continue to work, and the machines that were
>> previously broken go back to the same 403 error again.
>>
>
> Which leads to what i though: you have globally defined settings that
> affecting your virtualhost.
> Either Option -Indexes or Deny
>
Surely I can override there here though? Surely I already have with the
settings previously provided? If not, how not?
>
>> root@ascend:~# telnet ascendsvn.cheme.cmu.edu 80Trying 128.2.52.249...
>> Connected to ASCENDSERVER.cheme.cmu.edu.
>> Escape character is '^]'.
>> PROPFIND /ascend/code/trunk/solvers/ HTTP/1.1
>> Host: ascendsvn.cheme.cmu.edu
>> User-Agent: JohnPye
[...]
>> Any thoughts?
>>
>
> Hm. This is interesting. I've tried this same request on my repos.
>
> curl -iX PROPFIND -u user:pass http://svn.darkdragon/repos/trunk
> HTTP/1.1 403 Forbidden
> Date: Thu, 21 May 2009 12:14:29 GMT
> Server: Apache/2.2.11 (Win32) mod_auth_sspi/1.0.5 SVN/1.6.1 PHP/5.2.2 DAV/2
> Content-Length: 227
> Content-Type: text/html; charset=ISO-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>PROPFIND requests with a Depth of "infinity" are not allowed for /repos/trunk.</p>
> </body></html>
>
> Client was running 1.6.1 too.
>
OK, so you're getting the "Depth infinity" error as well... so a 403
error is a fundamental part of a fully operations SVN installation???
An interesting thing, not sure if it's relevant. Today I attempted an
"svn up" on my *working* client, and I got the 403 error once, then got
a successful update the second time!
john@thunder:~/ascend$ svn up
svn: Server sent unexpected return value (403 Forbidden) in response to
PROPFIND request for '/ascend/code/trunk'
john@thunder:~/ascend$ svn up
At revision 2280.
How could that happen?
Cheers
JP
--
Dr John Pye
Dept of Engineering
Australian National University
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2353682
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, John Pye!
>>>>>> Looking at your VH definition... it's messy.
>>>>>> Reduce the number of entities. Add next one only after you have the previous
>>>>>> work "as expected".
>>>>>> And put
>>>>>>
>>>>>> Order allow,deny
>>>>>> Allow from all
>>>>>>
>>>>>> Before <Location> blocks.
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>>> You can't put Order or Allow statements outside either <Location> or
>>>>> <Directory> tags, AIUI.
>>>>>
>>>>>
>>>> Still, it's messy.
>>>>
>>>> Try starting from
>>>>
>>>> <VirtualHost *:80>
>>>> ServerAdmin john.pye@anu.edu.au
>>>> ServerName ascendsvn.cheme.cmu.edu
>>>>
>>>> DocumentRoot /var/www/svn
>>>>
>>>> # Possible values include: debug, info, notice, warn, error, crit,
>>>> # alert, emerg.
>>>> LogLevel debug
>>>> ErrorLog /var/log/apache2/svn-error.log
>>>>
>>>> RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
>>>>
>>>> #RedirectMatch permanent ^/$ /ascend
>>>>
>>>> CustomLog /var/log/apache2/svn.log combined
>>>> ServerSignature On
>>>>
>>>> <Location />
>>>> Order Allow,Deny
>>>> Allow from all
>>>> DAV svn
>>>> SVNParentPath /home/svn
>>>> </Location>
>>>>
>>>> </VirtualHost>
>>>>
>>>> And see how that would work.
>>>>
>>>>
>>
>>
>>> I tried this, I get exactly the same error message. svn-error.log
>>> contains...
>>>
>>
>>
>>> [Tue May 19 19:35:42 2009] [error] [client 128.2.52.249] client denied
>>> by server configuration: /var/www/svn/ascend
>>>
>>
>>
>>> This error is completely weird because it relates to
>>> /var/www/svn/ascend, which doesn't exist and should NEVER be being
>>> requested...
>>>
>>
>> Hm. Try setting
>> DocumentRoot /home/svn
>> ?
>>
> That can't possibly be the solution.
To me, it absolutely must.
> The directory structure of
Are irrelevant.
> /home/svn in no way matches the paths that are being requested via the
> URLs, so this is definitely not the solution.
You addressing them through DAV_SVN in the end.
>>> I appreciate your general approach but as far as I can see we're not
>>> touching the root cause of this problem yet.
>>>
>>
>> Well, two things I know may produce this result:
>> Location/Directory block referencing the path requested and the general
>> Allow/Deny rule over the "/" of filesystem.
>> It's really hard to tell what is the case by looking only at the extracted
>> part of Apache configuration.
>>
> I don't actually think that this is an Allow/Deny problem.
It is.
The only way to cause "Client denied by server configuration" is to have
implicit or explicit Deny rule applied to that client in one way or another.
> If I create the /var/www/svn/ascend/code/trunk/
> Let's focus on this PROPFIND request. The error message always relates
> to a PROPFIND request. Why is that request being issued? Is it possible
> some on some machines that request is not being issued, because of
> something that's been cached in the system? Or is the PROPFIND request
> being made successfully in some cases, and not in others.
> My request:
> root@ascend:~# svn co
> http://ascendsvn.cheme.cmu.edu/ascend/web/trunk/ascend_html test1
> svn: PROPFIND request failed on '/ascend/web/trunk/ascend_html'
> svn: PROPFIND of '/ascend/web/trunk/ascend_html': 403 Forbidden
> (http://ascendsvn.cheme.cmu.edu)
> Output to svn.log:
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521) neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521) neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521) neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 403 403 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
Was it with the configuration I suggested or you still trying to resolve your
issue without changing anything?
> Output to svn-error.log:
> [Wed May 20 23:02:23 2009] [error] [client 128.2.52.249] client denied
> by server configuration: /var/www/svn/ascend
> Everything seems to be going OK until the final request, which returns
> the "unauthorised" 403 response.
> I'm not clear why several very similar requests seem to be being made,
> eg "PROPFIND [...]/bln/2280" -- is that normal?
No. And the path /ascend/web/trunk/ascend_html is not normal either.
Look the conversation dump to reveal the real issue.
http://wireshark.org/
> The final error message from svn-error.log makes no sense, because the
> 'ascendsvn' virtual host is obviously dealing with it, but DAV is
> apparently not dealing with it, even though the URL seems to match.
> Also, why is it a 403 error, rather than a 404 error, given that there
> is no such directory /var/ww/svn/ascend.
Ask your CMS documentation...
> To try an keep SVN happy, I did an experiment:
> cd /var/www/svn
> mkdir -p ascend/code/trunk/solvers
> Now, this has a *very interesting result*:
> On all client machines (both the ones that were previously broken and
> the ones that were previously working) I get:
> svn co http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/ test23
> svn: Repository moved permanently to
> 'http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/'; please relocate
> (notice the pointless message: the URLs are equal)
I ran into this problem myself, and it's not strictly meaningless.
> If I remove the DocumentRoot directive then the machines that were
> previously working continue to work, and the machines that were
> previously broken go back to the same 403 error again.
Which leads to what i though: you have globally defined settings that
affecting your virtualhost.
Either Option -Indexes or Deny
> Then, I tried performing the PROPFIND request using telnet:
Mm... curl anyone? Much less typing.
> root@ascend:~# telnet ascendsvn.cheme.cmu.edu 80Trying 128.2.52.249...
> Connected to ASCENDSERVER.cheme.cmu.edu.
> Escape character is '^]'.
> PROPFIND /ascend/code/trunk/solvers/ HTTP/1.1
> Host: ascendsvn.cheme.cmu.edu
> User-Agent: JohnPye
> HTTP/1.1 403 Forbidden
> Date: Thu, 21 May 2009 03:21:15 GMT
> Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
> Content-Length: 417
> Content-Type: text/html; charset=ISO-8859-1
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>PROPFIND requests with a Depth of "infinity" are not allowed for /ascend/code/trunk/solvers/.</p>
> <hr />
> <address>Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Server at ascendsvn.cheme.cmu.edu Port 80</address>
> </body></html>
> Isn't that exciting!
> Any thoughts?
Hm. This is interesting. I've tried this same request on my repos.
curl -iX PROPFIND -u user:pass http://svn.darkdragon/repos/trunk
HTTP/1.1 403 Forbidden
Date: Thu, 21 May 2009 12:14:29 GMT
Server: Apache/2.2.11 (Win32) mod_auth_sspi/1.0.5 SVN/1.6.1 PHP/5.2.2 DAV/2
Content-Length: 227
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>PROPFIND requests with a Depth of "infinity" are not allowed for /repos/trunk.</p>
</body></html>
Client was running 1.6.1 too.
At the same time, checkout was done without an issue.
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 21.05.2009, <15:48>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2348174
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Ryan Schmidt <su...@ryandesign.com>.
On May 20, 2009, at 23:40, John Pye wrote:
>>>> DocumentRoot /var/www/svn
>>>> SVNParentPath /home/svn
>> Hm. Try setting
>> DocumentRoot /home/svn
>> ?
>
> That can't possibly be the solution. The directory structure of
> /home/svn in no way matches the paths that are being requested via the
> URLs, so this is definitely not the solution.
If SVNParentPath is /home/svn then the one value to which
DocumentRoot must absolutely not be set is /home/svn. That will
definitely cause the situation described in the FAQ to which I
referred earlier:
http://subversion.tigris.org/faq.html#http-301-error
The FAQ text has some factual errors but it describes this situation.
The reason I had referred you to this FAQ before was that although
the error you were experiencing before did not exactly match this
issue, the intermittent nature of the problem did, so I thought your
issue might have a similar cause.
> I don't actually think that this is an Allow/Deny problem.
>
> If I create the /var/www/svn/ascend/code/trunk/
Was there supposed to be more here?
> Let's focus on this PROPFIND request. The error message always relates
> to a PROPFIND request. Why is that request being issued? Is it
> possible
> some on some machines that request is not being issued, because of
> something that's been cached in the system? Or is the PROPFIND request
> being made successfully in some cases, and not in others.
I would have guessed all machines would always issue the request, but
observing your web server logs should tell you for sure.
> My request:
>
> root@ascend:~# svn co
> http://ascendsvn.cheme.cmu.edu/ascend/web/trunk/ascend_html test1
> svn: PROPFIND request failed on '/ascend/web/trunk/ascend_html'
> svn: PROPFIND of '/ascend/web/trunk/ascend_html': 403 Forbidden
> (http://ascendsvn.cheme.cmu.edu)
>
> Output to svn.log:
>
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6
> (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6
> (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6
> (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521)
> neon/0.27.2"
> 128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
> /ascend/web/trunk/ascend_html HTTP/1.1" 403 403 "-" "SVN/1.4.6
> (r28521)
> neon/0.27.2"
>
> Output to svn-error.log:
> [Wed May 20 23:02:23 2009] [error] [client 128.2.52.249] client denied
> by server configuration: /var/www/svn/ascend
>
> Everything seems to be going OK until the final request, which returns
> the "unauthorised" 403 response.
The problem seems to be that the final request is looking somehow
inside the DocumentRoot - see the svn-error.log entry.
> I'm not clear why several very similar requests seem to be being made,
> eg "PROPFIND [...]/bln/2280" -- is that normal?
Don't know.
> The final error message from svn-error.log makes no sense, because the
> 'ascendsvn' virtual host is obviously dealing with it, but DAV is
> apparently not dealing with it, even though the URL seems to match.
> Also, why is it a 403 error, rather than a 404 error, given that there
> is no such directory /var/ww/svn/ascend.
>
> To try an keep SVN happy, I did an experiment:
>
> cd /var/www/svn
> mkdir -p ascend/code/trunk/solvers
>
> Now, this has a *very interesting result*:
>
> On all client machines (both the ones that were previously broken and
> the ones that were previously working) I get:
>
> svn co http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/
> test23
> svn: Repository moved permanently to
> 'http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/'; please
> relocate
>
> (notice the pointless message: the URLs are equal)
Ok, now you have caused the situation described by the FAQ above,
which occurs when a directory in the DocumentRoot matches a thing
you're trying to check out. So you must not create the directory /var/
www/svn/ascend if /var/www/svn is your DocumentRoot and your
repositories are bound to <Location /ascend>.
> If I remove the DocumentRoot directive then the machines that were
> previously working continue to work, and the machines that were
> previously broken go back to the same 403 error again.
>
> Then, I tried performing the PROPFIND request using telnet:
>
> root@ascend:~# telnet ascendsvn.cheme.cmu.edu 80Trying 128.2.52.249...
> Connected to ASCENDSERVER.cheme.cmu.edu.
> Escape character is '^]'.
> PROPFIND /ascend/code/trunk/solvers/ HTTP/1.1
> Host: ascendsvn.cheme.cmu.edu
> User-Agent: JohnPye
>
> HTTP/1.1 403 Forbidden
> Date: Thu, 21 May 2009 03:21:15 GMT
> Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.6
> with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
> Content-Length: 417
> Content-Type: text/html; charset=ISO-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>PROPFIND requests with a Depth of "infinity" are not allowed
> for /ascend/code/trunk/solvers/.</p>
> <hr />
> <address>Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.6
> with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Server at
> ascendsvn.cheme.cmu.edu Port 80</address>
> </body></html>
>
>
> Isn't that exciting!
>
> Any thoughts?
I had not heard of "PROPFIND requests with a Depth of "infinity" are
not allowed" before. Google only shows 6 results. One is:
http://lists.apple.com/archives/macos-x-server/2001/Oct/msg00621.html
It says you can add "DAVDepthInfinity On" to get around this.
However, I have never heard that mentioned on this list before, and
I've been reading the list for years, so I don't know why you would
be the only one seeing this issue.
My thought was still that you have some kind of Alias or similar
directive elsewhere in a global part of the Apache config that is
matching something about the URL(s) you're dealing with here. Have
you grepped *all* your Apache configuration files (the httpd.conf and
anything it includes) for things like "Alias" and "/ascend"?
Another possibility that occurred to me is to try serf instead of
neon on the client. It uses different HTTP methods to communicate
with the server. Perhaps serf would work, or at least it might give
different error messages that might help narrow down the problem. To
configure your client to use serf instead of neon, use http-library
in the Subversion config file. See:
http://svnbook.red-bean.com/en/1.5/svn.advanced.confarea.html
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2343743
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi all
Andrey Repin wrote:
> Greetings, John Pye!
>
>
>>>>> Looking at your VH definition... it's messy.
>>>>> Reduce the number of entities. Add next one only after you have the previous
>>>>> work "as expected".
>>>>> And put
>>>>>
>>>>> Order allow,deny
>>>>> Allow from all
>>>>>
>>>>> Before <Location> blocks.
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>> You can't put Order or Allow statements outside either <Location> or
>>>> <Directory> tags, AIUI.
>>>>
>>>>
>>> Still, it's messy.
>>>
>>> Try starting from
>>>
>>> <VirtualHost *:80>
>>> ServerAdmin john.pye@anu.edu.au
>>> ServerName ascendsvn.cheme.cmu.edu
>>>
>>> DocumentRoot /var/www/svn
>>>
>>> # Possible values include: debug, info, notice, warn, error, crit,
>>> # alert, emerg.
>>> LogLevel debug
>>> ErrorLog /var/log/apache2/svn-error.log
>>>
>>> RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
>>>
>>> #RedirectMatch permanent ^/$ /ascend
>>>
>>> CustomLog /var/log/apache2/svn.log combined
>>> ServerSignature On
>>>
>>> <Location />
>>> Order Allow,Deny
>>> Allow from all
>>> DAV svn
>>> SVNParentPath /home/svn
>>> </Location>
>>>
>>> </VirtualHost>
>>>
>>> And see how that would work.
>>>
>>>
>
>
>> I tried this, I get exactly the same error message. svn-error.log
>> contains...
>>
>
>
>> [Tue May 19 19:35:42 2009] [error] [client 128.2.52.249] client denied
>> by server configuration: /var/www/svn/ascend
>>
>
>
>> This error is completely weird because it relates to
>> /var/www/svn/ascend, which doesn't exist and should NEVER be being
>> requested...
>>
>
> Hm. Try setting
> DocumentRoot /home/svn
> ?
>
That can't possibly be the solution. The directory structure of
/home/svn in no way matches the paths that are being requested via the
URLs, so this is definitely not the solution.
>> I appreciate your general approach but as far as I can see we're not
>> touching the root cause of this problem yet.
>>
>
> Well, two things I know may produce this result:
> Location/Directory block referencing the path requested and the general
> Allow/Deny rule over the "/" of filesystem.
> It's really hard to tell what is the case by looking only at the extracted
> part of Apache configuration.
>
I don't actually think that this is an Allow/Deny problem.
If I create the /var/www/svn/ascend/code/trunk/
Let's focus on this PROPFIND request. The error message always relates
to a PROPFIND request. Why is that request being issued? Is it possible
some on some machines that request is not being issued, because of
something that's been cached in the system? Or is the PROPFIND request
being made successfully in some cases, and not in others.
My request:
root@ascend:~# svn co
http://ascendsvn.cheme.cmu.edu/ascend/web/trunk/ascend_html test1
svn: PROPFIND request failed on '/ascend/web/trunk/ascend_html'
svn: PROPFIND of '/ascend/web/trunk/ascend_html': 403 Forbidden
(http://ascendsvn.cheme.cmu.edu)
Output to svn.log:
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521) neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521) neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/web/trunk/ascend_html HTTP/1.1" 207 714 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/!svn/vcc/default HTTP/1.1" 207 397 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/!svn/bln/2280 HTTP/1.1" 207 454 "-" "SVN/1.4.6 (r28521) neon/0.27.2"
128.2.52.249 - - [20/May/2009:23:02:23 -0400] "PROPFIND
/ascend/web/trunk/ascend_html HTTP/1.1" 403 403 "-" "SVN/1.4.6 (r28521)
neon/0.27.2"
Output to svn-error.log:
[Wed May 20 23:02:23 2009] [error] [client 128.2.52.249] client denied
by server configuration: /var/www/svn/ascend
Everything seems to be going OK until the final request, which returns
the "unauthorised" 403 response.
I'm not clear why several very similar requests seem to be being made,
eg "PROPFIND [...]/bln/2280" -- is that normal?
The final error message from svn-error.log makes no sense, because the
'ascendsvn' virtual host is obviously dealing with it, but DAV is
apparently not dealing with it, even though the URL seems to match.
Also, why is it a 403 error, rather than a 404 error, given that there
is no such directory /var/ww/svn/ascend.
To try an keep SVN happy, I did an experiment:
cd /var/www/svn
mkdir -p ascend/code/trunk/solvers
Now, this has a *very interesting result*:
On all client machines (both the ones that were previously broken and
the ones that were previously working) I get:
svn co http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/ test23
svn: Repository moved permanently to
'http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/'; please relocate
(notice the pointless message: the URLs are equal)
If I remove the DocumentRoot directive then the machines that were
previously working continue to work, and the machines that were
previously broken go back to the same 403 error again.
Then, I tried performing the PROPFIND request using telnet:
root@ascend:~# telnet ascendsvn.cheme.cmu.edu 80Trying 128.2.52.249...
Connected to ASCENDSERVER.cheme.cmu.edu.
Escape character is '^]'.
PROPFIND /ascend/code/trunk/solvers/ HTTP/1.1
Host: ascendsvn.cheme.cmu.edu
User-Agent: JohnPye
HTTP/1.1 403 Forbidden
Date: Thu, 21 May 2009 03:21:15 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Content-Length: 417
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>PROPFIND requests with a Depth of "infinity" are not allowed for /ascend/code/trunk/solvers/.</p>
<hr />
<address>Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Server at ascendsvn.cheme.cmu.edu Port 80</address>
</body></html>
Isn't that exciting!
Any thoughts?
>
>> And I am still baffled as to why I could see this problem on some
>> machines, but not on others. We need to understand what things can vary
>> from machine to machine to cause this problem to occur.
>>
>
> If you change your problematic machine IP to one which does not experience
> this problem, does it get to work?
>
The problem is not a straight-forward issue about IP address-based
limitations. For example, as user 'root' on the repository host machine,
I have a checked-out repository on which I can do an "svn up" and "svn
ci" with no problems, but as the same user, I can not check out a new
working copy using "svn co". If it's an IP-based thing, then it's only
some of the time.
Cheers
JP
--
Dr John Pye
Dept of Engineering
Australian National University
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2341989
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, John Pye!
>>>> Looking at your VH definition... it's messy.
>>>> Reduce the number of entities. Add next one only after you have the previous
>>>> work "as expected".
>>>> And put
>>>>
>>>> Order allow,deny
>>>> Allow from all
>>>>
>>>> Before <Location> blocks.
>>>>
>>>>
>>
>>
>>> You can't put Order or Allow statements outside either <Location> or
>>> <Directory> tags, AIUI.
>>>
>>
>> Still, it's messy.
>>
>> Try starting from
>>
>> <VirtualHost *:80>
>> ServerAdmin john.pye@anu.edu.au
>> ServerName ascendsvn.cheme.cmu.edu
>>
>> DocumentRoot /var/www/svn
>>
>> # Possible values include: debug, info, notice, warn, error, crit,
>> # alert, emerg.
>> LogLevel debug
>> ErrorLog /var/log/apache2/svn-error.log
>>
>> RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
>>
>> #RedirectMatch permanent ^/$ /ascend
>>
>> CustomLog /var/log/apache2/svn.log combined
>> ServerSignature On
>>
>> <Location />
>> Order Allow,Deny
>> Allow from all
>> DAV svn
>> SVNParentPath /home/svn
>> </Location>
>>
>> </VirtualHost>
>>
>> And see how that would work.
>>
> I tried this, I get exactly the same error message. svn-error.log
> contains...
> [Tue May 19 19:35:42 2009] [error] [client 128.2.52.249] client denied
> by server configuration: /var/www/svn/ascend
> This error is completely weird because it relates to
> /var/www/svn/ascend, which doesn't exist and should NEVER be being
> requested...
Hm. Try setting
DocumentRoot /home/svn
?
> I appreciate your general approach but as far as I can see we're not
> touching the root cause of this problem yet.
Well, two things I know may produce this result:
Location/Directory block referencing the path requested and the general
Allow/Deny rule over the "/" of filesystem.
It's really hard to tell what is the case by looking only at the extracted
part of Apache configuration.
> And I am still baffled as to why I could see this problem on some
> machines, but not on others. We need to understand what things can vary
> from machine to machine to cause this problem to occur.
If you change your problematic machine IP to one which does not experience
this problem, does it get to work?
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 20.05.2009, <22:02>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2333455
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi Andrey
Andrey Repin wrote:
> Greetings, John Pye!
>
>
>>> Looking at your VH definition... it's messy.
>>> Reduce the number of entities. Add next one only after you have the previous
>>> work "as expected".
>>> And put
>>>
>>> Order allow,deny
>>> Allow from all
>>>
>>> Before <Location> blocks.
>>>
>>>
>
>
>> You can't put Order or Allow statements outside either <Location> or
>> <Directory> tags, AIUI.
>>
>
> Still, it's messy.
>
> Try starting from
>
> <VirtualHost *:80>
> ServerAdmin john.pye@anu.edu.au
> ServerName ascendsvn.cheme.cmu.edu
>
> DocumentRoot /var/www/svn
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel debug
> ErrorLog /var/log/apache2/svn-error.log
>
> RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
>
> #RedirectMatch permanent ^/$ /ascend
>
> CustomLog /var/log/apache2/svn.log combined
> ServerSignature On
>
> <Location />
> Order Allow,Deny
> Allow from all
> DAV svn
> SVNParentPath /home/svn
> </Location>
>
> </VirtualHost>
>
> And see how that would work.
>
I tried this, I get exactly the same error message. svn-error.log
contains...
[Tue May 19 19:35:42 2009] [error] [client 128.2.52.249] client denied
by server configuration: /var/www/svn/ascend
This error is completely weird because it relates to
/var/www/svn/ascend, which doesn't exist and should NEVER be being
requested...
> Add new sections only when privious works stable (in this way, it will NOT
> work without additional mumbo-jumbo. Why? Look my posts in archive)
>
I appreciate your general approach but as far as I can see we're not
touching the root cause of this problem yet.
And I am still baffled as to why I could see this problem on some
machines, but not on others. We need to understand what things can vary
from machine to machine to cause this problem to occur.
Cheers
JP
--
Dr John Pye
Dept of Engineering
Australian National University
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2325966
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, John Pye!
>> Looking at your VH definition... it's messy.
>> Reduce the number of entities. Add next one only after you have the previous
>> work "as expected".
>> And put
>>
>> Order allow,deny
>> Allow from all
>>
>> Before <Location> blocks.
>>
> You can't put Order or Allow statements outside either <Location> or
> <Directory> tags, AIUI.
Still, it's messy.
Try starting from
<VirtualHost *:80>
ServerAdmin john.pye@anu.edu.au
ServerName ascendsvn.cheme.cmu.edu
DocumentRoot /var/www/svn
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
ErrorLog /var/log/apache2/svn-error.log
RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
#RedirectMatch permanent ^/$ /ascend
CustomLog /var/log/apache2/svn.log combined
ServerSignature On
<Location />
Order Allow,Deny
Allow from all
DAV svn
SVNParentPath /home/svn
</Location>
</VirtualHost>
And see how that would work.
Add new sections only when privious works stable (in this way, it will NOT
work without additional mumbo-jumbo. Why? Look my posts in archive)
> As far as I can tell rearranging as you suggest does not solve the problem.
> And anyway... this does address the fact that what I have is working
> perfectly for some clients (both svn co as well as svn up) but not for
> others...
I'm pretty much convinced you DO have Order or Deny directive affecting your
setup for those specific users somewhere in config.
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 20.05.2009, <0:43>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2319037
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi all
Andrey Repin wrote:
> Looking at your VH definition... it's messy.
> Reduce the number of entities. Add next one only after you have the previous
> work "as expected".
> And put
>
> Order allow,deny
> Allow from all
>
> Before <Location> blocks.
>
You can't put Order or Allow statements outside either <Location> or
<Directory> tags, AIUI.
As far as I can tell rearranging as you suggest does not solve the problem.
And anyway... this does address the fact that what I have is working
perfectly for some clients (both svn co as well as svn up) but not for
others...
Cheers
JP
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2311857
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, John Pye!
>> Look for Allow/Deny directives in httpd.conf prior Virtualhost
>> definition, or
>> add one
>> Allow from all
>> to your Subversion virtualhost.
>>
> I tried adding Allow/Deny directives, but this doesn't seem to fix the
> problem either.
Looking at your VH definition... it's messy.
Reduce the number of entities. Add next one only after you have the previous
work "as expected".
And put
Order allow,deny
Allow from all
Before <Location> blocks.
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 19.05.2009, <13:31>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2309816
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi all,
Andrey Repin wrote:
> Look for Allow/Deny directives in httpd.conf prior Virtualhost
> definition, or
> add one
> Allow from all
> to your Subversion virtualhost.
>
I tried adding Allow/Deny directives, but this doesn't seem to fix the
problem either.
jpye@ascend:~$ svn co
http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers/ test21
svn: PROPFIND request failed on '/ascend/code/trunk/solvers'
svn: PROPFIND of '/ascend/code/trunk/solvers': 403 Forbidden
(http://ascendsvn.cheme.cmu.edu)
And in my /var/log/apache2/svn-error.log:
[Mon May 18 20:39:47 2009] [error] [client 128.2.52.249] client denied
by server configuration: /var/www/svn/ascend
My questions are:
1. Have I done the 'Allow from all' thing correctly? (see below)
2. Why does this only fail for *SOME* clients, not for all of them?
Does the PROPFIND request (which is failing) get issued only
sometimes, not always? What is the PROPFIND looking for?
3. How am I getting a 403 error here if I haven't placed any access
restrictions in place?
4. Why does the 403 error result in a message about a subdirectory of
DocumentRoot (/var/www/svn/ascend), rather than an error about
files within /home/svn (/home/svn/ascend)?
5. Why does everything work fine when I view from a web browser eg
firefox but not when I access with subversion clients from *some*
machines.
6. Could it be that I should switch to using /var/svn instead of
/home/svn?
7. Problems have only appeared with this recently... why would that be?
8. We recently did some fairly major "svn mv" operations... could
they cause this kind of problem?
I think that the key to this problem is understanding why it fails only
on SOME machines AND NOT ALL.
Any more suggestions?
Below is my current /etc/apache2/sites-available/svn, which I have
changed to use SVNParentPath, but with no change to the error message:
Cheers
JP
-----
<VirtualHost *:80>
ServerAdmin john.pye@anu.edu.au
ServerName ascendsvn.cheme.cmu.edu
DocumentRoot /var/www/svn
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
ErrorLog /var/log/apache2/svn-error.log
RedirectMatch ^/stats/?$ http://ascend.cheme.cmu.edu/awstats/awstats.pl?config=ascendsvn.cheme.cmu.edu
#RedirectMatch permanent ^/$ /ascend
CustomLog /var/log/apache2/svn.log combined
ServerSignature On
<Location />
DAV svn
SVNParentPath /home/svn
Order Allow,Deny
Allow from all
</Location>
<Location /ascend>
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
# Uncomment the following line to enable Authz Authentication
# AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# The following three lines allow anonymous read, but make
# committers authenticate themselves.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
<Location /private>
DAV svn
SVNPath /home/svn/private
AuthType "Basic"
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
Require valid-user
</Location>
</VirtualHost>
-----
--
Dr John Pye
Dept of Engineering
Australian National University
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2305146
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, John Pye!
>>> For *some* clients, we see errors like this:
>>>
>>> jpye@ascend:~$ svn co
>>> http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers test1
>>> svn: PROPFIND request failed on '/ascend/!svn/vcc/default'
>>> svn: PROPFIND of '/ascend/!svn/vcc/default': 403 Forbidden
>>> (http://ascendsvn.cheme.cmu.edu)
>>>
>>> which is accompanied by an error in the Apache logs:
>>>
>>> [Fri May 15 04:20:58 2009] [error] [client 128.2.52.249] client denied
>>> by server configuration: /htdocs
>>>
>>> but for *other* clients, there is no error at all, and the command works
>>> just fine.
>>>
>>
>> What is the DocumentRoot in effect for this VirtualHost? Since one
>> isn't defined in the VirtualHost, what is the server's global
>> DocumentRoot?
> There was none, or it was some sort of default value. I set it manually
> to /var/www/svn, and created that folder and made sure it was
> world-readable (owner root.root, chmod 755). Then I tried the "svn co"
> again, and this time my svn-error.log (as mentioned in the previous
> Apache config) now shows the following:
> [Mon May 18 04:04:24 2009] [error] [client 128.2.52.249] client denied
> by server configuration: /var/www/svn/ascend
> This confirms that it the HTTP request is being processed by the correct
> <VirtualHost> but also that something strange is happening; the
> <Location /ascend> for our ASCEND subversion repository is not being
> activated for this particular case, EVEN THOUGH when I do it from
> anotehr machine, IT IS, and the request in that case works fine, as
> expected.
Look for Allow/Deny directives in httpd.conf prior Virtualhost definition, or
add one
Allow from all
to your Subversion virtualhost.
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 18.05.2009, <17:38>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2299928
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by John Pye <jo...@anu.edu.au>.
Hi Ryan
Ryan Schmidt wrote:
> On May 15, 2009, at 03:30, John Pye wrote:
>
>>
>> For *some* clients, we see errors like this:
>>
>> jpye@ascend:~$ svn co
>> http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers test1
>> svn: PROPFIND request failed on '/ascend/!svn/vcc/default'
>> svn: PROPFIND of '/ascend/!svn/vcc/default': 403 Forbidden
>> (http://ascendsvn.cheme.cmu.edu)
>>
>> which is accompanied by an error in the Apache logs:
>>
>> [Fri May 15 04:20:58 2009] [error] [client 128.2.52.249] client denied
>> by server configuration: /htdocs
>>
>> but for *other* clients, there is no error at all, and the command works
>> just fine.
>>
>
> What is the DocumentRoot in effect for this VirtualHost? Since one
> isn't defined in the VirtualHost, what is the server's global
> DocumentRoot?
There was none, or it was some sort of default value. I set it manually
to /var/www/svn, and created that folder and made sure it was
world-readable (owner root.root, chmod 755). Then I tried the "svn co"
again, and this time my svn-error.log (as mentioned in the previous
Apache config) now shows the following:
[Mon May 18 04:04:24 2009] [error] [client 128.2.52.249] client denied
by server configuration: /var/www/svn/ascend
This confirms that it the HTTP request is being processed by the correct
<VirtualHost> but also that something strange is happening; the
<Location /ascend> for our ASCEND subversion repository is not being
activated for this particular case, EVEN THOUGH when I do it from
anotehr machine, IT IS, and the request in that case works fine, as
expected.
>
> My thought is that you may be experiencing some variant of this issue,
> wherein your svn path inadvertently overlaps with some path inside the
> DocumentRoot -- or possibly with some global Alias, RedirectMatch,
> RewriteRule or similar directive.
>
> http://subversion.tigris.org/faq.html#http-301-error
>
> Try setting the DocumentRoot to something useful inside the
> VirtualHost, for example to /var/empty or some other empty directory,
> to rule out any conflicts with the server's global DocumentRoot. If
> that doesn't help, examine your server's global Alias, RedirectMatch,
> RewriteRule and similar directives for possible conflicts with the
> path you're trying to check out from svn.
I set DocumentRoot as suggested, but this doesn't solve the error, it
just translates us over to another error message with, presumably, the
same root cause.
I'm on Ubuntu, so I used "a2dissite" to disable all other virtual host
configurations for my server, and I still saw exactly the same problem.
There is a big list of Modules enabled on my system, perhaps I should
try disabling some of these selectively? Which ones would I need to
server SVN over HTTP (not HTTPS)?
root@ascend:/etc/apache2# ls mods-enabled/
alias.conf authn_file.load authz_host.load autoindex.load dav_svn.conf
dir.load mime.load negotiation.load rewrite.load ssl.conf status.load
alias.load authz_default.load authz_user.load cgi.load dav_svn.load
env.load mod-evasive.load php5.conf setenvif.conf ssl.load
auth_basic.load authz_groupfile.load autoindex.conf dav.load dir.conf
mime.conf negotiation.conf php5.load setenvif.load status.conf
Turning off all the other sites should have dealt with the issues of
global Alias or other rules causing problems.
The only other thing that occurs to me is that we have our repository
located in our server in /home/svn, which is perhaps non-standard; could
it be that some special handling of the /home directory be tripping the
error? You would have seen that issue elsewhere though, presumably, if
this were possible?
Cheers
JP
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2297803
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
Re: strange error with subversion: "client denied by server
configuration: /htdocs"
Posted by Ryan Schmidt <su...@ryandesign.com>.
On May 15, 2009, at 03:30, John Pye wrote:
> We're having some strange errors with our Subversion server at the
> moment in our open source project, ASCEND.
>
> For *some* clients, we see errors like this:
>
> jpye@ascend:~$ svn co
> http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/solvers test1
> svn: PROPFIND request failed on '/ascend/!svn/vcc/default'
> svn: PROPFIND of '/ascend/!svn/vcc/default': 403 Forbidden
> (http://ascendsvn.cheme.cmu.edu)
>
> which is accompanied by an error in the Apache logs:
>
> [Fri May 15 04:20:58 2009] [error] [client 128.2.52.249] client denied
> by server configuration: /htdocs
>
> but for *other* clients, there is no error at all, and the command
> works
> just fine.
>
> Our host server is running Ubuntu Hardy, with subversion 1.4.6, all
> standard Ubuntu packages. This error as above is seen on the same
> server, but I have tested and the same command runs find on a Fedora 9
> machine running the exact same version of the Subversion client. I
> also
> have no problems on an Ubuntu Jaunty machine running 1.5.4.
>
> When I access the subversion server using a web browser, it also all
> works fine:
> http://ascendsvn.cheme.cmu.edu/ascend/code/trunk/
>
> Any suggestions on how to troubleshoot this annoying bug?
>
> Below is the relevant Apache configuration...
>
> Cheers
> JP
>
>
> <VirtualHost *:80>
> ServerAdmin john.pye@anu.edu.au
> ServerName ascendsvn.cheme.cmu.edu
>
> ErrorLog /var/log/apache2/svn-error.log
>
> RedirectMatch ^/stats/?$
> http://ascend.cheme.cmu.edu/awstats/awstats.pl?
> config=ascendsvn.cheme.cmu.edu
>
> RedirectMatch permanent ^/$ /ascend
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel debug
>
> CustomLog /var/log/apache2/svn.log combined
> ServerSignature On
>
> <Location /ascend>
>
> DAV svn
> SVNPath /home/svn/ascend
>
> AuthType Basic
> AuthName "Subversion Repository"
> AuthUserFile /etc/apache2/dav_svn.passwd
>
> # Uncomment the following line to enable Authz Authentication
> # AuthzSVNAccessFile /etc/apache2/dav_svn.authz
>
> # The following three lines allow anonymous read, but make
> # committers authenticate themselves.
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require valid-user
> </LimitExcept>
>
> </Location>
What is the DocumentRoot in effect for this VirtualHost? Since one
isn't defined in the VirtualHost, what is the server's global
DocumentRoot?
My thought is that you may be experiencing some variant of this
issue, wherein your svn path inadvertently overlaps with some path
inside the DocumentRoot -- or possibly with some global Alias,
RedirectMatch, RewriteRule or similar directive.
http://subversion.tigris.org/faq.html#http-301-error
Try setting the DocumentRoot to something useful inside the
VirtualHost, for example to /var/empty or some other empty directory,
to rule out any conflicts with the server's global DocumentRoot. If
that doesn't help, examine your server's global Alias, RedirectMatch,
RewriteRule and similar directives for possible conflicts with the
path you're trying to check out from svn.
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2268803
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].