You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@subversion.apache.org by Jeff Stuart <js...@computer-city.net> on 2002/09/09 15:07:57 UTC

Using Subversion's apache server for more than Subversion

Ok, next stupid question. :D

The httpd that I create that will house the repository for SVN can that be 
used for normal web hosting?  IE the machine I'm thinking of using for the 
repository will also be used for big brother monitoring, etc... IE just a 
devel/utility server.  So I'd LOVE to have the one httpd proc handle both SVN 
requests and NORMAL requests.  Is this possible/doable/advisable?

--
Jeff Stuart
jstuart@computer-city.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Greg Stein <gs...@lyra.org>.

On Mon, Sep 09, 2002 at 07:58:46PM +0200, Daniele Nicolodi wrote:
> On Mon, Sep 09, 2002 at 11:58:53AM -0400, Mike Wohlgemuth wrote:
>...
> > # turn on the rewrite engine
> > RewriteEngine on
>...
> <Location />
>         ServerName svn.grinta.net
>         ProxyRequests Off
>         NoCache *
>         ProxyPass /svn http://192.168.2.10/svn/
> </Location>
> 				
> in this config 192.168.2.10 is a dedicated internal SVN server but you
> can also specify http://localhost:8000/svn if you want.

Yup. ProxyPass is a *much* cleaner solution. It should also be faster and
more flexible than the rewrite-based approach.

Note that we don't have our caching headers set up properly yet, but once we
do, you *will* be able to cache the responses. And quite well, actually.
Thus, you'll most likely be able to remove the NoCache directive. It means
that your front-end server can offload a good chunk of work from your
backend SVN server. (and I seriously doubt that rewrite can do this)

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Daniele Nicolodi <da...@grinta.net>.

On Mon, Sep 09, 2002 at 11:58:53AM -0400, Mike Wohlgemuth wrote:

> Now for the fun part.  You will need to tell your main apache server to
> proxy requests for your subversion repositories to your subversion
> apache server.  Say you have a repository at /myproject on the
> subversion apache server.  Add the following to your main 
> 
> # turn on the rewrite engine
> RewriteEngine on
> 
> # redirect any request without a trailing slash for myproject to one 
> # with a trailing slash
> RewriteRule ^/myproject$ /myproject/ [R=permanent,L]
> 
> # proxy all requests for /myproject/* to my subversion server
> RewriteRule ^/myproject/(.*)$  http://localhost:8000/myproject/$1  [P,L]
> 
> This allows me to run the subversion apache server as a user that only
> has access to the subversion repositories, and my main apache server
> with no access to the repository at all.

I do the same in a imho cleaner way:

<VirtualHost 212.41.206.101 192.168.1.1>
        ServerName svn.grinta.net
        ProxyRequests Off
        NoCache *
        ProxyPass / http://192.168.2.10/svn/
</VirtualHost>

for create a virtual host, but you can use also a location:

<Location />
        ServerName svn.grinta.net
        ProxyRequests Off
        NoCache *
        ProxyPass /svn http://192.168.2.10/svn/
</Location>
				
in this config 192.168.2.10 is a dedicated internal SVN server but you
can also specify http://localhost:8000/svn if you want.

Ciao
-- 
Daniele
		    --- http://www.grinta.net ---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Mike Wohlgemuth <mj...@woogie.net>.

On Mon, 2002-09-09 at 11:17, Scott Lamb wrote:
> 
> You've gotta keep security in mind when you do it, though. It's common 
> to have dynamic content stuff running stuff as the Apache user. If you 
> have virtual hosting, this means users can do whatever they want to your 
> Subversion repository, since it must be writable by the Apache user. Or, 
> in your specific case, if there are exploitable bugs in the dynamic 
> stuff you are running. There are several things you can do:

It is for these security reasons that I am running a separate Apache 2.0
process for my Subversion server on port 8000, and proxying to it from
my default Apache 1.3 server on port 443 (I'm running with SSL).  It
might be more complicated than most people would care for, and it
requires mod_proxy and mod_rewrite, but I thought I'd mention it. 
Here's how it's done:

First, set up Apache 2.0, without SSL, on port 8000 (or whatever port
you want) just as the docs specify.  Verify that this works as you would
expect.

Now for the fun part.  You will need to tell your main apache server to
proxy requests for your subversion repositories to your subversion
apache server.  Say you have a repository at /myproject on the
subversion apache server.  Add the following to your main 

# turn on the rewrite engine
RewriteEngine on

# redirect any request without a trailing slash for myproject to one 
# with a trailing slash
RewriteRule ^/myproject$ /myproject/ [R=permanent,L]

# proxy all requests for /myproject/* to my subversion server
RewriteRule ^/myproject/(.*)$  http://localhost:8000/myproject/$1  [P,L]

This allows me to run the subversion apache server as a user that only
has access to the subversion repositories, and my main apache server
with no access to the repository at all.

I hope this makes sense.

Woogie

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Scott Lamb <sl...@slamb.org>.

Jeff Stuart wrote:
> Ok, next stupid question. :D
> 
> The httpd that I create that will house the repository for SVN can that be 
> used for normal web hosting?  IE the machine I'm thinking of using for the 
> repository will also be used for big brother monitoring, etc... IE just a 
> devel/utility server.  So I'd LOVE to have the one httpd proc handle both SVN 
> requests and NORMAL requests.  Is this possible/doable/advisable?

Yeah. I do this. Subversion just wants a <Location> somewhere within 
your Apache config.

You've gotta keep security in mind when you do it, though. It's common 
to have dynamic content stuff running stuff as the Apache user. If you 
have virtual hosting, this means users can do whatever they want to your 
Subversion repository, since it must be writable by the Apache user. Or, 
in your specific case, if there are exploitable bugs in the dynamic 
stuff you are running. There are several things you can do:

- CGIs: enable suexec
- mod_perl, mod_python, mod_snake, mod_ruby: ???
There's a perchild MPM in Apache to help this problem, but it's 
experimental.
- mod_php: enable safe_mode (needs a patch, I can send it to you)
- Java servlets: run as a different user than Apache and/or use the 
JVM's security constraints.

-- 
Scott Lamb

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Jeff Stuart <js...@computer-city.net>.

That probably would have saved at least one of my answers. LOL.  But it did 
bring up some interesting discussions about httpd.  However, to be honest, I 
still would have asked about having to use latest CVS of httpd.  

And until AFTER reading the INSTALL, did I realize that I CAN browse the 
repository via normal HTTP requests.  If I had known that before, then I 
would have wandered over to read INSTALL. :D  It would be a good FAQ IMHO as 
Branko points out.   

On Tuesday 10 September 2002 04:13 am, Branko Čibej wrote:
> Jeff Stuart wrote:
> >AHH I see .. a number of questions I have are answered in the INSTALL doc
> >which I JUST finished downloading and extracting. :D  Again, since this is
> > a utility/devel server, security isn't as much of a concern...
>
> Why don't we just point people at the _online_ install at
>
>     http://svn.collab.net/repos/svn/trunk/INSTALL
>
> and tell them to read that before downloading any tarballs? I sort of
> feel we'll get a lot less questions that are already answered there. Not
> trying to criticise Jeff here.

-- 
Jeff Stuart
jstuart@computer-city.net

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Branko Čibej <br...@xbc.nu>.

Jeff Stuart wrote:

>AHH I see .. a number of questions I have are answered in the INSTALL doc 
>which I JUST finished downloading and extracting. :D  Again, since this is a 
>utility/devel server, security isn't as much of a concern...
>  
>

Why don't we just point people at the _online_ install at

    http://svn.collab.net/repos/svn/trunk/INSTALL

and tell them to read that before downloading any tarballs? I sort of 
feel we'll get a lot less questions that are already answered there. Not 
trying to criticise Jeff here.

-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Jeff Stuart <js...@computer-city.net>.

On Monday 09 September 2002 11:15 am, Ben Collins-Sussman wrote:
> Jeff Stuart <js...@computer-city.net> writes:
> > Ok, next stupid question. :D
> >
> > The httpd that I create that will house the repository for SVN can
> > that be used for normal web hosting?  IE the machine I'm thinking of
> > using for the repository will also be used for big brother
> > monitoring, etc... IE just a devel/utility server.  So I'd LOVE to
> > have the one httpd proc handle both SVN requests and NORMAL
> > requests.  Is this possible/doable/advisable?
>
> Absolutely, why not?  mod_dav_svn is "just another" apache module,
> activated by a certain directive within a <Location>; it doesn't need
> to own the whole web server!

AHH I see .. a number of questions I have are answered in the INSTALL doc 
which I JUST finished downloading and extracting. :D  Again, since this is a 
utility/devel server, security isn't as much of a concern...

Thx for the answers everyone!

-- 
Jeff Stuart
jstuart@computer-city.net


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by Ben Collins-Sussman <su...@collab.net>.

Jeff Stuart <js...@computer-city.net> writes:

> Ok, next stupid question. :D
> 
> The httpd that I create that will house the repository for SVN can
> that be used for normal web hosting?  IE the machine I'm thinking of
> using for the repository will also be used for big brother
> monitoring, etc... IE just a devel/utility server.  So I'd LOVE to
> have the one httpd proc handle both SVN requests and NORMAL
> requests.  Is this possible/doable/advisable?

Absolutely, why not?  mod_dav_svn is "just another" apache module,
activated by a certain directive within a <Location>; it doesn't need
to own the whole web server!



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Using Subversion's apache server for more than Subversion

Posted by cm...@collab.net.

Jeff Stuart <js...@computer-city.net> writes:

> Ok, next stupid question. :D

Normally, I would say, "There's no such thing as a stupid question..."
.
.
.
Note that I haven't yet said that. :-D

> The httpd that I create that will house the repository for SVN can
> that be used for normal web hosting?  IE the machine I'm thinking of
> using for the repository will also be used for big brother
> monitoring, etc... IE just a devel/utility server.  So I'd LOVE to
> have the one httpd proc handle both SVN requests and NORMAL
> requests.  Is this possible/doable/advisable?

Yeah, dude, Subversion isn't quite *so* painful to setup that we
require our own httpd-2.0 process.  Just mind your ownership and
permissions, and your httpd-2.0 process can be all things that your port
80 needs.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org