Posted to users@subversion.apache.org by Alec Kloss <al...@oracle.com> on 2008/10/30 13:57:04 UTC
Re: Subversion service records? (Was: Mapping repositories to ports)
Oops... forgot to group reply...
I have a personal pet peeve with using part of the URL to determine
access method. I have a repository which is accessible via svn,
svn+ssh, http, and https. Depending on who I'm talking to, I get
URLs using any of these protocols which I may not prefer. It
results in a lot of manual rewriting of URLs which, for someone not
familiar with my repository, is unlikely to be obvious. Say I send
someone a URL like svn://repo.company.com/svn/trunk but they want
or need to use http instead---say they're behind a firewall that
requires use of an http proxy that won't let you connect to
non-http ports, or their client doesn't support the authentication
mechanism my svn repo supports. How are they supposed to know that
they can rewrite the URL? I have to explain it to them. Grr.
Wouldn't it be better to use service records in DNS to resolve all
viable protocols that can be used to access a repository. The
client can then attempt to autoselect, or prompt the user to select
one mechanism. I'm thinking of records something like this:
_svn._http.repo.company.com IN SRV 10 10 80 repo.company.com
_svn._https.repo.company.com IN SRV 10 10 443 repo.company.com
_svn._svn.repo.company.com IN SRV 10 10 3690 repo.company.com
_svn._svn_ssh.repo.company.com IN SRV 10 10 22 repo.company.com
I'd then always use svn://repo.company.com/svn/trunk URLs to the
repository, but each client would have the option to switch to
http, https, or svn+ssh based on the user's preference,
autodetection of available access, or the priority in the service
records themselves.
Thoughts?
--
Oracle Confidential Information
Alec.Kloss@oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
Re: Subversion service records? (Was: Mapping repositories to ports)
Posted by Andreas Schweigstill <an...@schweigstill.de>.
Hello!
Alec Kloss schrieb:
> I think this would achieve your goal and you wouldn't have to
> explain port numbers to people.
I don't have to explain port numbers to people. The port mapping
only occurs between firewall and SVN server(s); the users don't
have a clue that non-standard ports will be used. Even the target
IP addresses could be remapped by the firewall rules.
> Say repo2 becomes extremely large or extremely busy so you want to
> move it onto a different server with more disk or a better internet
> connection. You just change the DNS SRV record for it like so:
>
> _svn._svn.repo2.server IN SRV 10 10 3690 superserver
In my case I would just change the port redirection rule on the
firewall.
> Using SRV records like this does allow you to use split-horizon DNS
> to adjust available access mechanisms based on client IP address.
> You could have people inside your intranet use only svn protocol
> access, and people outside use only a https protocol access for
> example. I generally wouldn't recommend split-horizon to anyone,
> but it is an option.
Using SRV records doesn't mean that the servers/repositories are
protected from malicious users. This has to be done by a firewall,
so the firewall could also do the port redirections.
And there is also another problem with SRV records: the DNS server
has to support it, and the administrator must have a possibility
to set such records. For my company the DNS server is neither hosted
on my server nor on my ISP's server; it is hosted on a completely
location, and I am able to create just host and MX records, nothing
else.
With best regards
Andreas Schweigstill
--
Dipl.-Phys. Andreas Schweigstill
Schweigstill IT | Embedded Systems
Schauenburgerstraße 116, D-24118 Kiel, Germany
Phone: (+49) 431 5606-435, Fax: (+49) 431 5606-436
Mobile: (+49) 171 6921973, Web: http://www.schweigstill.de/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Subversion service records? (Was: Mapping repositories to ports)
Posted by Alec Kloss <al...@oracle.com>.
On 2008-10-30 15:11, Andreas Schweigstill wrote:
> Dear Alec!
>
[chop]
>
> Thank you for your thoughts but I don't understand how this is
> related to the OP's requirement and my answer. I didn't talk about the
> different access methods like svn, http, ssl but instead about low-level
> stuff.
>
> Example:
>
> I have a SVN server running:
> svn://server:3690/repo1
> svn://server:3691/repo2
> svn://server:3692/repo3
>
> And a firewall with the following port redirection:
>
> *source* IP 192.168.1.0/24, destination IP firewall, port 3690
> --> server port 3690
>
> *source* IP 192.168.2.0/24, destination IP firewall, port 3690
> --> server port 3691
>
> *source* IP 192.168.3.0/24, destination IP firewall, port 3690
> --> server port 3692
>
> This way users from the first network are only able to access repo1,
> and so on. This enhanced security quite a lot because the access
> rules on the SVN server have to apply *AND* a matching firewall rule
> has to exist for a certain network/repository. This has nothing to
> do with rewriting access methods.
>
[chop]
I was thinking about elaborating a little, but decided brevity was
the soul of wit. :(
For your situation, if subversion supported SRV records, you'd use
svn://repo1.company.com/
svn://repo2.company.com/
svn://repo3.company.com/
for the URLs, and have service records like so:
_svn._svn.repo1.server IN SRV 10 10 3690 server
_svn._svn.repo2.server IN SRV 10 10 3691 server
_svn._svn.repo3.server IN SRV 10 10 3692 server
I think this would achieve your goal and you wouldn't have to
explain port numbers to people. It also lets you re-arrange port
numbers in the future without changing the URL to the repository.
Say repo2 becomes extremely large or extremely busy so you want to
move it onto a different server with more disk or a better internet
connection. You just change the DNS SRV record for it like so:
_svn._svn.repo2.server IN SRV 10 10 3690 superserver
Using SRV records like this does allow you to use split-horizon DNS
to adjust available access mechanisms based on client IP address.
You could have people inside your intranet use only svn protocol
access, and people outside use only a https protocol access for
example. I generally wouldn't recommend split-horizon to anyone,
but it is an option.
--
Alec.Kloss@oracle.com Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956
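As an added illustration of the two proposals in this thread (the protocol SRV records in the opening post and the per-repository records in the follow-up above), the script below resolves Subversion access URLs from SRV records and shows a repository moving hosts without its URL changing. It is example code written for this page, not code from the thread and not an existing Subversion feature; the `_svn._<proto>.<host>` label convention, the inline zone fragment (constructed from the records quoted in the posts, with `company.com` names for the follow-up's `server`/`superserver`) and the hypothetical `superserver.company.com` are all assumptions. Note, as the reply points out, that SRV records only advertise where a service is; they are not an access control.

```python
"""Added example (not from the thread or from Subversion): resolve access
URLs for a repository from DNS SRV records, as proposed above.

Assumed conventions (hypothetical; svn clients do not do this):
  - service label `_svn._<proto>.<host>`, where <proto> is http, https,
    svn or svn_ssh (a DNS label cannot contain '+');
  - records are constructed inline instead of queried from DNS, so the
    script runs offline.
"""
import random
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed zone fragment mirroring the records from the two posts.
ZONE = """\
_svn._http.repo.company.com     IN SRV 10 10 80   repo.company.com
_svn._https.repo.company.com    IN SRV 10 10 443  repo.company.com
_svn._svn.repo.company.com      IN SRV 10 10 3690 repo.company.com
_svn._svn_ssh.repo.company.com  IN SRV 10 10 22   repo.company.com
_svn._svn.repo1.company.com     IN SRV 10 10 3690 server.company.com
_svn._svn.repo2.company.com     IN SRV 10 10 3691 server.company.com
_svn._svn.repo3.company.com     IN SRV 10 10 3692 server.company.com
"""

# SRV label -> URL scheme, and the default port per scheme (omitted from the URL).
SCHEMES = {"http": "http", "https": "https", "svn": "svn", "svn_ssh": "svn+ssh"}
DEFAULT_PORTS = {"http": 80, "https": 443, "svn": 3690, "svn+ssh": 22}


def parse_srv(zone):
    """Parse `owner IN SRV prio weight port target` lines into
    {owner: [(priority, weight, port, target), ...]}; other lines are skipped."""
    records = defaultdict(list)
    for line in zone.splitlines():
        f = line.split()
        if len(f) != 7 or f[1:3] != ["IN", "SRV"]:
            continue
        owner, prio, weight, port, target = f[0], int(f[3]), int(f[4]), int(f[5]), f[6]
        records[owner.rstrip(".")].append((prio, weight, port, target.rstrip(".")))
    return records


def select_target(rrset, rng=random):
    """RFC 2782 selection: only the lowest priority is eligible, and a
    weighted random choice is made among those records."""
    if not rrset:
        return None
    lowest = min(r[0] for r in rrset)
    candidates = [r for r in rrset if r[0] == lowest]
    total = sum(r[1] for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(1, total)
    for r in candidates:
        pick -= r[1]
        if pick <= 0:
            return r


def access_urls(url, records, preferred=None, rng=random):
    """Rewrite a canonical svn:// URL onto every protocol advertised by
    SRV records for its host; `preferred` (a scheme name) is listed first."""
    parts = urlsplit(url)
    out = []
    for label, scheme in SCHEMES.items():
        rr = select_target(records.get(f"_svn._{label}.{parts.hostname}", []), rng)
        if rr is None:
            continue  # this protocol is not offered for the host
        _, _, port, target = rr
        netloc = target if port == DEFAULT_PORTS[scheme] else f"{target}:{port}"
        out.append((scheme, urlunsplit((scheme, netloc, parts.path, parts.query, ""))))
    if preferred:
        out.sort(key=lambda item: item[0] != preferred)  # stable: preferred first
    return out


if __name__ == "__main__":
    records = parse_srv(ZONE)
    for scheme, u in access_urls("svn://repo.company.com/svn/trunk", records, preferred="https"):
        print(f"{scheme:8} {u}")
    # Moving repo2 to a bigger host is a record change, not a URL change.
    moved = parse_srv(ZONE.replace("3691 server.company.com", "3690 superserver.company.com"))
    print(access_urls("svn://repo2.company.com/trunk", moved))
```

Running it lists four URLs for `repo.company.com` with the https one first, and a single `svn://server.company.com:3691/trunk` for `repo2.company.com`; after the record edit the same `svn://repo2.company.com/trunk` resolves to `svn://superserver.company.com/trunk`.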
Re: Subversion service records? (Was: Mapping repositories to ports)
Posted by Andreas Schweigstill <an...@schweigstill.de>.
Dear Alec!
Alec Kloss schrieb:
> Wouldn't it be better to use service records in DNS to resolve all
> viable protocols that can be used to access a repository. The
> client can then attempt to autoselect, or prompt the user to select
> one mechanism. I'm thinking of records something like this:
Thank you for your thoughts but I don't understand how this is
related to the OP's requirement and my answer. I didn't talk about the
different access methods like svn, http, ssl but instead about low-level
stuff.
Example:
I have a SVN server running:
svn://server:3690/repo1
svn://server:3691/repo2
svn://server:3692/repo3
And a firewall with the following port redirection:
*source* IP 192.168.1.0/24, destination IP firewall, port 3690
--> server port 3690
*source* IP 192.168.2.0/24, destination IP firewall, port 3690
--> server port 3691
*source* IP 192.168.3.0/24, destination IP firewall, port 3690
--> server port 3692
This way users from the first network are only able to access repo1,
and so on. This enhanced security quite a lot because the access
rules on the SVN server have to apply *AND* a matching firewall rule
has to exist for a certain network/repository. This has nothing to
do with rewriting access methods.
With best regards
Andreas Schweigstill
--
Dipl.-Phys. Andreas Schweigstill
Schweigstill IT | Embedded Systems
Schauenburgerstraße 116, D-24118 Kiel, Germany
Phone: (+49) 431 5606-435, Fax: (+49) 431 5606-436
Mobile: (+49) 171 6921973, Web: http://www.schweigstill.de/
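The layered-control point in the message above (a client only reaches a repository if a firewall redirect rule for its source network exists *and* the svn server's own access rules allow it) is easy to model. The script below is an added example, not from the thread and not any firewall's syntax: the redirect rules and port-to-repository mapping are taken from the numbers in the post, while the server-side ACL, the user names and the representation of a rule as a (source network, listening port, server port) tuple are constructed assumptions.

```python
"""Added example (not from the thread): a model of the firewall port
redirection described above, showing that a client reaches a repository
only when both a redirect rule and the svn server's own ACL permit it.
"""
import ipaddress

# Redirect rules from the post: each network connects to the firewall on
# 3690 and is forwarded to a different svnserve port. Only these rules
# exist; anything else is dropped (assumption: no default pass-through).
REDIRECTS = [
    (ipaddress.ip_network("192.168.1.0/24"), 3690, 3690),
    (ipaddress.ip_network("192.168.2.0/24"), 3690, 3691),
    (ipaddress.ip_network("192.168.3.0/24"), 3690, 3692),
]

# Which repository svnserve exposes on each port (from the post).
PORT_TO_REPO = {3690: "repo1", 3691: "repo2", 3692: "repo3"}

# Constructed svnserve-side authorization: user -> repositories allowed.
SERVER_ACL = {
    "alice": {"repo1", "repo2"},
    "bob": {"repo3"},
}


def redirect(src_ip, dst_port):
    """Return the svnserve port the firewall forwards to, or None when no
    rule matches (the connection never reaches the server)."""
    ip = ipaddress.ip_address(src_ip)
    for network, listen_port, server_port in REDIRECTS:
        if ip in network and dst_port == listen_port:
            return server_port
    return None


def reachable_repo(src_ip, dst_port=3690):
    """Repository a client from src_ip actually lands on, or None."""
    port = redirect(src_ip, dst_port)
    return PORT_TO_REPO.get(port) if port is not None else None


def may_access(user, src_ip, repo, dst_port=3690):
    """Both layers must agree: the network path must lead to `repo`
    (firewall rule) and the user must be authorized for it (svn ACL)."""
    path_ok = reachable_repo(src_ip, dst_port) == repo
    acl_ok = repo in SERVER_ACL.get(user, set())
    return path_ok and acl_ok


if __name__ == "__main__":
    # alice is allowed repo2 on the server, but from the first network the
    # firewall only leads to repo1, so the request cannot succeed.
    for user, ip, repo in [("alice", "192.168.1.9", "repo1"),
                           ("alice", "192.168.1.9", "repo2"),
                           ("bob", "192.168.2.4", "repo2"),
                           ("bob", "192.168.3.4", "repo3")]:
        print(f"{user:6} {ip:14} {repo}: {may_access(user, ip, repo)}")
```

The second and third cases are the interesting ones: `alice` fails on `repo2` although the server would allow her, because her network's redirect lands on `repo1`; `bob` is forwarded to `repo2` from the second network but the server ACL refuses him. Connecting to the firewall on 3691 or 3692 directly matches no rule and is dropped.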