Posted to users@subversion.apache.org by Danny MacMillan <fl...@nekulturny.org> on 2006/04/11 16:49:19 UTC

mod_dav_svn : scheme changes from https to http after authentication

Hi,

I have a Subversion 1.3.0 repository being served up by Apache 2.0 on a
FreeBSD 6.0-RELEASE-p6 machine.  All software was installed from ports.
I have made the repository available only through SSL, and only to
authenticated users.  I am experiencing strange behaviour when viewing
the repository using a web browser.

If I browse to the repository at the following URL:

https://dev.example.com/projectname/svn

I am prompted for credentials.  So far so good.  When I actually supply
those credentials, though, the address bar changes to contain the
following URL:

http://dev.example.com/projectname/svn/

Since I have 'SSLRequireSSL' in my apache config, this results in a
403 - Forbidden http response.

If I instead browse to the following URL (in a new browser instance):

https://dev.example.com/projectname/svn/

I am prompted for credentials, and when I authenticate it works as
expected.  The only difference between the working and the non-working
URLs is the trailing slash.

My biggest concern here is that I have supplied credentials to an SSL
encrypted site, but it looks like it is redirecting to an unencrypted
site and it could be (and probably is) sending my credentials in the
clear.  Why is it doing this?

Here are the relevant portions of my apache config.  If something else
is relevant and I didn't supply it, please let me know:

<Location /projectname/svn>
  DAV svn
  
  # "/projectname/svn" URL will map to a repository /devroot/projectname/svn
  SVNPath /devroot/projectname/svn
  
  # Style the output.
  SVNIndexXSLT "/svnindex.xsl"
  
  # Connections must be made through SSL.
  SSLRequireSSL
  
  # Only authenticated users can use the repository.
  Require valid-user
  
  # How do we authenticate them?
  AuthType Basic
  AuthName "Secure Subversion Repository"
  AuthUserFile /usr/devroot/projectname/_common/auth/authentication
  
  # What are they authorized to do?
  AuthzSVNAccessFile /devroot/projectname/_common/auth/authorization
</Location>

<VirtualHost 192.168.1.251:443>
  
  #   General setup for the virtual host
  ServerName dev.example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /usr/local/www/data
  ErrorLog /var/log/dev.example.com-error_log
  CustomLog /var/log/dev.example.com-access_log common
  
</VirtualHost>

In the above, /devroot is a symbolic link to /usr/devroot (shouldn't
matter though).

Thanks,

-- 
Danny MacMillan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
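
A way to confirm the https-to-http hop described in the message above without relying on the browser's address bar. This is an added example, not part of the original post or of Subversion/Apache; the captured responses are constructed, and the 301 status for the slash-less URL is an assumption.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def parse_head(raw):
    """Split a raw HTTP response head into (status, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def find_downgrades(start_url, captured, max_hops=10):
    """Follow Location headers through `captured` (URL -> raw response head)
    and return every (from_url, to_url) hop that goes from https to http."""
    downgrades, url = [], start_url
    for _ in range(max_hops):
        raw = captured.get(url)
        if raw is None:
            break
        status, headers = parse_head(raw)
        if status not in REDIRECTS or "location" not in headers:
            break
        # Location may be relative; resolve it against the URL that was requested.
        target = urljoin(url, headers["location"])
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((url, target))
        url = target
    return downgrades

# Constructed capture (assumption: the slash-less URL is answered with a 301).
CAPTURED = {
    "https://dev.example.com/projectname/svn":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: http://dev.example.com/projectname/svn/\r\n",
    "http://dev.example.com/projectname/svn/":
        "HTTP/1.1 403 Forbidden\r\n",
}

if __name__ == "__main__":
    for src, dst in find_downgrades("https://dev.example.com/projectname/svn", CAPTURED):
        print(f"scheme downgrade: {src} -> {dst}")
```

The response heads can be captured with any HTTP client that is told not to follow redirects, then pasted into the dictionary keyed by the URL that was requested.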

Re: mod_dav_svn : scheme changes from https to http after authentication

Posted by Kalin KOZHUHAROV <ka...@thinrope.net>.
Danny MacMillan wrote:
> Hi,
> 
> I have a Subversion 1.3.0 repository being served up by Apache 2.0 on a
> FreeBSD 6.0-RELEASE-p6 machine.  All software was installed from ports.
> I have made the repository available only through SSL, and only to
> authenticated users.  I am experiencing strange behaviour when viewing
> the repository using a web browser.
> 
> If I browse to the repository at the following URL:
> 
> https://dev.example.com/projectname/svn
> 
> I am prompted for credentials.  So far so good.  When I actually supply
> those credentials, though, the address bar changes to contain the
> following URL:
> 
> http://dev.example.com/projectname/svn/
> 
> Since I have 'SSLRequireSSL' in my apache config, this results in a
> 403 - Forbidden http response.
> 
> If I instead browse to the following URL (in a new browser instance):
> 
> https://dev.example.com/projectname/svn/
> 
> I am prompted for credentials, and when I authenticate it works as
> expected.  The only difference between the working and the non-working
> URLs is the trailing slash.

Yup, here comes the problem :-)

> My biggest concern here is that I have supplied credentials to an SSL
> encrypted site, but it looks like it is redirecting to an unencrypted
> site and it could be (and probably is) sending my credentials in the
> clear.  Why is it doing this?
> 
> Here are the relevant portions of my apache config.  If something else
> is relevant and I didn't supply it, please let me know:
> 
> <Location /projectname/svn>
>   DAV svn
>   
>   # "/projectname/svn" URL will map to a repository /devroot/projectname/svn
>   SVNPath /devroot/projectname/svn
>   
>   # Style the output.
>   SVNIndexXSLT "/svnindex.xsl"
>   
>   # Connections must be made through SSL.
>   SSLRequireSSL
>   
>   # Only authenticated users can use the repository.
>   Require valid-user
>   
>   # How do we authenticate them?
>   AuthType Basic
>   AuthName "Secure Subversion Repository"
>   AuthUserFile /usr/devroot/projectname/_common/auth/authentication
>   
>   # What are they authorized to do?
>   AuthzSVNAccessFile /devroot/projectname/_common/auth/authorization
> </Location>
> 
> <VirtualHost 192.168.1.251:443>
>   
>   #   General setup for the virtual host
>   ServerName dev.example.com
>   ServerAdmin webmaster@example.com
>   DocumentRoot /usr/local/www/data
>   ErrorLog /var/log/dev.example.com-error_log
>   CustomLog /var/log/dev.example.com-access_log common
>   
> </VirtualHost>
> 
> In the above, /devroot is a symbolic link to /usr/devroot (shouldn't
> matter though).

Try without the symlink first, it is a 1 minute test.

I guess part of the "irrelevant" apache config is mangling the trailing slash.
Look for RewriteRule in your config file, then in the mod_rewrite documentation
and the Rewrite guide.

Just today I spent one day fighting my way with mod_rewrite - it is a mess :-)

Kalin.

-- 
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|

