You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Seth Daniel <su...@sethdaniel.org> on 2005/03/30 23:28:02 UTC

COPY causes 502 Bad Gateway through reverse proxy

Hello,

I have a setup where my subversion repository is hosted on a
local/private network and if someone is *outside* this network they can
make requests to the public reverse proxy.  

Both servers (subversion server and reverse proxy) are apache 2.0.53.
Connections to the reverse proxy are https.  The connection to the
internal subversion server is regular http.  Authentication is basic
auth and is handled by the internal subversion server.

In fact, this whole setup looks a lot like the setup described in this
e-mail that was previously sent to this list:

http://svn.haxx.se/users/archive-2005-03/0531.shtml

I also have the same problem as the author of that e-mail.  Basically,
when I commit changes that will involve a DAV COPY, they fail with a Bad
Gateway error.  Everything else appears to work.  In fact, I've been
using this setup for quite some time (around 2 years) and have never
noticed this problem.  Maybe I haven't done too many moves or copies or
perhaps it is an error introduced recently by either myself or apache or
subversion ...

The relevant log lines from the reverse proxy and from the subversion
server are located here:

http://sethd.org/wiki/SubversionProxyErrors

The subversion commands used to generate the above sequence were:

svn move wcfile newwcfile
svn commit


The relevant lines in the reverse proxy's configuration file:

<VirtualHost *:443>
  ServerName               dev.xxxxxx.com
  Options                  none

  # proxy to subversion
  ProxyRequests            off
  ProxyPass                /      http://dev.xxxxxx.com/
  ProxyPassReverse         /      http://dev.xxxxxx.com/
</VirtualHost>

Thanks for any help.

-- 
seth / @sethdaniel.org
When I was little, I went into a pet shop and they asked how big I'd get.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: COPY causes 502 Bad Gateway through reverse proxy

Posted by Seth Daniel <su...@sethdaniel.org>.

On Thu, Mar 31, 2005 at 01:48:40PM +0100, Dick Davies wrote:
> * Seth Daniel <su...@sethdaniel.org> [0329 00:29]:
> > Hello,
> > 
> > I have a setup where my subversion repository is hosted on a
> > local/private network and if someone is *outside* this network they can
> > make requests to the public reverse proxy.  
> > 
> > Both servers (subversion server and reverse proxy) are apache 2.0.53.
> > Connections to the reverse proxy are https.  The connection to the
> > internal subversion server is regular http.  Authentication is basic
> > auth and is handled by the internal subversion server.
> 
> That's your problem, I think. I haven't seen this with subversion, but I 
> did tunnelling to https:// webdav through stunnel on a mac (the finder
> doesn't support ssl, long story).
> 
> In a nutshell, DAV  moves and copys use fully qualified urls, so the copy
> is asking the server to move to https://yadadyada and it thinks that's a
> different server.
> It's not the request url (which your proxy would rewrite) but the
>  url which is passed in one of the headers
> (I forget which, think it's something like Destination:).
> If it was a relative url it would work. wonder why it's not?
> 
> for dav I used cadaver -debug to confirm, you might need tcpdump for svn.

I used tethereal and, indeed, the Destination header is for the external
address and not for the internal address.  

Thanks for your help.  I guess I'll need to setup my internal server to
deal with https too.  Hm.

-- 
seth / @sethdaniel.org
A is for Apple.
-- Hester Pryne

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: COPY causes 502 Bad Gateway through reverse proxy

Posted by Seth Daniel <su...@sethdaniel.org>.

On Thu, Mar 31, 2005 at 01:48:40PM +0100, Dick Davies wrote:
> * Seth Daniel <su...@sethdaniel.org> [0329 00:29]:
> > Hello,
> > 
> > I have a setup where my subversion repository is hosted on a
> > local/private network and if someone is *outside* this network they can
> > make requests to the public reverse proxy.  
> > 
> > Both servers (subversion server and reverse proxy) are apache 2.0.53.
> > Connections to the reverse proxy are https.  The connection to the
> > internal subversion server is regular http.  Authentication is basic
> > auth and is handled by the internal subversion server.
> 
> That's your problem, I think. 

[...snip...]

Like I replied earlier, you were exactly correct:
  http://svn.haxx.se/users/archive-2005-03/1460.shtml

You had a patch that you applied to Apache
  http://svn.haxx.se/users/archive-2005-03/1452.shtml  
  
I went ahead and wrote a very simple mod_perl2 handler that does much
the same thing.  It simply changes the scheme of the Destination header
from https to http.  For anyone who is interested here it is:

package ProxyDav;

use strict;

use Apache::RequestRec ();
use APR::Table ();
use URI;

use Apache::Const -compile => qw(OK);

sub handler {
	my $r = shift;

  my $method = $r->method();
	if ($method eq 'MOVE' || $method eq 'COPY') {
	  my $destination = $r->headers_in()->get('Destination');
		my $new_destination = URI->new($destination);
		$new_destination->scheme('http');
		$r->headers_in()->set('Destination', $new_destination);
	}
  return Apache::OK;
}

1;

__END__

<Location /svn>
  SetHandler               perl-script
  PerlHeaderParserHandler  ProxyDav
</Location>
  

-- 
seth / @sethdaniel.org
The world really isn't any worse.  It's just that the news coverage
is so much better.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: COPY causes 502 Bad Gateway through reverse proxy

Posted by Dick Davies <ra...@hellooperator.net>.

* Seth Daniel <su...@sethdaniel.org> [0329 00:29]:
> Hello,
> 
> I have a setup where my subversion repository is hosted on a
> local/private network and if someone is *outside* this network they can
> make requests to the public reverse proxy.  
> 
> Both servers (subversion server and reverse proxy) are apache 2.0.53.
> Connections to the reverse proxy are https.  The connection to the
> internal subversion server is regular http.  Authentication is basic
> auth and is handled by the internal subversion server.

That's your problem, I think. I haven't seen this with subversion, but I 
did tunnelling to https:// webdav through stunnel on a mac (the finder
doesn't support ssl, long story).

In a nutshell, DAV  moves and copys use fully qualified urls, so the copy
is asking the server to move to https://yadadyada and it thinks that's a
different server.
It's not the request url (which your proxy would rewrite) but the
 url which is passed in one of the headers
(I forget which, think it's something like Destination:).
If it was a relative url it would work. wonder why it's not?

for dav I used cadaver -debug to confirm, you might need tcpdump for svn.

If I'm right you have two options.

1. convert the internal serer to ssl.
2. hack the module. I just overrode the protocol after apache parsed the
destination header.

--- modules/dav/main/util.c.orig        Mon Oct 11 16:23:29 2004
+++ modules/dav/main/util.c     Tue Oct 12 13:59:56 2004
@@ -175,6 +175,9 @@
         return result;
     }
 
+    /*  force the scheme to be ssl */
+    comp.scheme = "https";
+
     /* the URI must be an absoluteURI (WEBDAV S9.3) */
     if (comp.scheme == NULL && must_be_absolute) {
         result.err.status = HTTP_BAD_REQUEST;


-- 
'With that big new contract, I've been able to make those government mandated
upgrades you've all been suing me about.'
		-- Prof. Farnsworth
Rasputin :: Jack of All Trades - Master of Nuns

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: COPY causes 502 Bad Gateway through reverse proxy

Posted by Madan U Sreenivasan <ma...@collab.net>.

On Thu, 2005-03-31 at 04:58, Seth Daniel wrote:
[...]
> I also have the same problem as the author of that e-mail.  Basically,
> when I commit changes that will involve a DAV COPY, they fail with a Bad
> Gateway error.  
I guess this is because of the non-availability of locking over dav...
Locking has now been implemented and is present in the current trunk of
the subversion development tree...
with this you should be able to write back to the subversion repository
through DAV.
[...]


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org