I'm migrating from Visual SVN on a Windows machine to SVN served via Apache on a Linux machine. So far mostly successfully. I can access the repositories via svn on the command line from multiple machines and browse the repository contents if I put in the full URL of an individual repository into a web browser. It also properly requires authentication.
When I go to the root directory (/svn) in the browser, however, I'm getting an empty listing of repositories. I have found a lot of posts across the internet on the situation where the listing is blocked, i.e. you get an HTTP 403 instead of a listing, but that is not my case. I'm getting a list - it just happens to be empty. That shows in the browser as a well-formed page with nothing between the <ul></ul> tags that would have the contents, and it shows in the Apache logs as a successful (HTTP 200) response given.
So the question is why this happens and how to fix it?
Configuration:
<VirtualHost *:80>
ServerName svn.example.com
Alias /svn /var/lib/svn
<Location /svn>
DAV svn
SVNParentPath "/var/lib/svn/"
SVNListParentPath On
AuthType Basic
AuthName "My Software Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
Require valid-user
</Location>
RedirectMatch ^/$ /svn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
There are multiple virtual hosts on this machine. I've shown just the section for the SVN host.
This is the HTML returned when I navigate to svn.example.com/svn in a browser (after authenticating):
<html><head><title>Collection of Repositories</title></head>
<body>
<h2>Collection of Repositories</h2>
<ul>
</ul>
<hr noshade><em>Powered by Apache Subversion version 1.9.5 (r1770682).</em>
</body></html>
Prior to adding the SVNListParentPath On section, I would instead receive an HTTP 403, and, to emphasize, that's the case that I see most often addressed here and elsewhere. But that is not my case.
Removing the line Alias /svn /var/lib/svn seems to have fixed the problem without causing any new issues.
I found this by accident dealing with a "redirect cycle", which is addressed by one of the answers to this other question that is otherwise unrelated: What is the cause of "svn: E195019: Redirect cycle detected for URL"?
I remember reading a while ago how it's possible for someone to access your computer's filesystem from the website. I want to know how to do it, so I can test and prevent it from happening.
Running Apache 2.4 on Windows via XAMPP
My virtualhost is set up like so:
<VirtualHost *:80>
ServerName local.scrap
DocumentRoot "D:/Dropbox/www/scrap/public_html/"
<Directory "D:/Dropbox/www/scrap/">
Order allow,deny
Allow from all
Require all granted
</Directory>
ErrorLog "D:/Dropbox/www/scrap/logs/error.log"
</VirtualHost>
There is an index2.html in scrap/ and index.html in scrap/public_html/
hosts is set up to be 127.0.0.1 local.scrap
If I type the URL http://local.scrap/ I get index.html.
If I type the URL http://local.scrap/../index2.html it gets redirected to http://local.scrap/index2.html
Why is the ../ URL getting redirected to the DocumentRoot path?
Oftentimes a non-malicious user-agent will resolve ../ in the URL before it ever contacts the server. But even without that, webservers are designed to not allow that kind of directory traversal outside of context roots.
You'd need to test with telnet/netcat/s_client to be sure.
If there's a directory traversal or LFI vulnerability in the website application code then this might indeed be possible.
Also, some webservers have directory traversal vulnerabilities. However, the current version of Apache has no known weaknesses in this respect.
I have a dedicated server, running Apache, with several virtual hosts, each with its own domain. Subversion is set up to use WebDAV, via Apache and an SSL cert. The SSL cert is set up only for one of these domains.
I want to only be able to access the svn repos via the domain which has the SSL cert.
My problem is that I can also access the repos via my other domains, and even though the SVN authentication is working regardless, I want to restrict it to a single domain.
How would I go about configuring this scenario?
If you define the SVN Location inside a virtualhost (name-based virtual hosts used), you'll see the repositories only in this host.
Dirty (partially ugly) sample
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName svn
<Location />
DAV svn
SVNParentPath /svn/repositories
SVNListParentPath on
AuthType Basic
AuthName "Subversion"
AuthUserFile svn-auth-file
Require valid-user
</Location>
</VirtualHost>
For repository REPO, only the http://svn/REPO URL will show the content of the repository; for any other virtualhost, /REPO in the URL must give "Path not found" (if a real directory REPO doesn't exist, but anyway this is not access to the repository).
I'm having a hell of a time setting up a web2py server in a way that allows me to access the admin and appadmin interfaces from anywhere other than localhost, which is a requirement for me because the web2py server is hosted in a cloud location without a browser or X server. I understand that to access web2py's admin or appadmin interfaces from outside localhost that I must use SSL/HTTPS.
The web2py documentation seems to declare two different ways to do this. First, from the general web2py startup tutorial:
The administrative interface, admin, is only accessible from localhost unless you run web2py behind Apache with mod_proxy. If admin detects a proxy, the session cookie is set to secure and admin login does not work unless the communication between the client and the proxy goes over HTTPS
This led me to search the web for how to set up web2py behind Apache, which led me to the web2py deployment recipes page, where it describes setting up web2py behind Apache using mod_wsgi instead of mod_proxy. These are the instructions I'm currently following exactly, with the exception of updating the /etc/apache2/sites-available/web2py file to apache2.4 syntax and modifying the ServerName directive's value to "foo.bar.com" (omitted: the domain name of the cloud box containing the server is replaced with foo.bar.com throughout this question).
However, when I get to the
When you restart Apache, it should pass all the requests to web2py without going through the Rocket wsgiserver.
part of that web2py+apache+mod_wsgi tutorial, Apache does not appear to be passing anything to web2py for me. I went ahead and moved the wsgihandler.py file as the next step in the tutorial describes, and here's my current state:
If I browse to foo.bar.com:80 from another machine, I get the Apache2 Ubuntu Default Page (the "It works!" page).
If I browse to foo.bar.com:8000 (web2py port), I get the web2py server's default interface, but with no access to admin or appadmin because of the insecure channel.
If I try to browse to foo.bar.com:443, I get the generic "Index of /" Apache server page. On this page "/" contains one directory link "html", which is a link to the Apache2 Ubuntu Default Page (the "It works!" page).
Other information:
I have an untouched instance of web2py installed at /home/www-data/web2py except that I've moved /home/www-data/web2py/handlers/wsgihandler.py to /home/www-data/web2py/wsgihandler.py
The contents of my /etc/apache2/sites-available/ directory are:
000-default.conf (not touched by me)
default-ssl.conf (not touched by me)
web2py (created by me)
I've manually started up web2py with python ~/web2py/web2py.py --ip 10.7.166.27 (that's the IP for foo.bar.com (real domain name omitted))
apache2 is running as user www-data
The server OS is Ubuntu Server 14.04 x64
This is my /etc/apache2/sites-available/web2py file:
<VirtualHost *:80>
ServerName foo.bar.com
WSGIDaemonProcess web2py user=www-data group=www-data display-name=%{GROUP}
WSGIProcessGroup web2py
WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py
<Directory /home/www-data/web2py>
AllowOverride None
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2
<Directory /users/www-data/web2py/applications/*/static/>
Order Allow,Deny
Allow from all
</Directory>
<Location /admin>
Require all denied
</Location>
<LocationMatch ^/([^/]+)/appadmin>
Require all denied
</LocationMatch>
CustomLog /private/var/log/apache2/access.log common
ErrorLog /private/var/log/apache2/error.log
</VirtualHost>
<VirtualHost *:443>
ServerName foo.bar.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
WSGIProcessGroup web2py
WSGIScriptAlias / /users/www-data/web2py/wsgihandler.py
<Directory /users/www-data/web2py>
AllowOverride None
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2
<Directory /users/www-data/web2py/applications/*/static/>
Require all granted
</Directory>
CustomLog /private/var/log/apache2/access.log common
ErrorLog /private/var/log/apache2/error.log
</VirtualHost>
Alright! I found my stupid mistake while writing this up. I had never bothered to properly configure apache itself:
/etc/apache2/sites-available/000-default.conf and /etc/apache2/sites-available/default-ssl.conf were why I was seeing what I was seeing when browsing to foo.bar.com:80 and foo.bar.com:443 respectively.
apache2.4 seems to require the .conf on configuration files; I didn't have that, so I renamed /etc/apache2/sites-available/web2py to /etc/apache2/sites-available/web2py.conf
I didn't have a symlink to /etc/apache2/sites-available/web2py at /etc/apache2/sites-enabled/web2py, so I made one.
So, as of now:
When I browse to foo.bar.com:80 I get the same Apache2 Ubuntu Default Page, BUT
When I browse to foo.bar.com:80/web2py I get an internal server error which the apache logs tell me is a python import error from wsgihandler.py, which means the apache<->mod_wsgi<->web2py link is up and running
When I browse to foo.bar.com:443/web2py I get Chrome's yellow screen complaining about my self-signed certificate and after clicking through I get a permissions-denied page, presumably because of something I haven't set up yet in web2py/SSL
This means my original question is answered, but I might come back here and comment/edit if I get stumped again getting SSL to work.
I am trying to set up an SVN server on a Linux server, but I am facing an issue in setting up the server.
Below is the configuration I did:
<Location /svn>
DAV svn
SVNParentPath /home/subver/public_html/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>
When I try to checkout from my local machine I am getting this error:
Redirect cycle detected for URL 'http:///svn'
Never place repositories physically under the ordinary web root - it's an extremely bad, insecure and error-prone idea.
SVNParentPath /home/subver/public_html/svn + <Location /svn> is your problem. If public_html is the web root of "just Apache" (and it seems so), you have a real subdirectory /svn, which you try to redefine with a "virtual" Location under the same path, and you get a permanent redirect between these two locations, real and virtual, as expected by any good Apache admin.
Move the repositories outside the web space (YOU MUST DO IT) and change SVNParentPath accordingly to the new location.
Lame and lazy solution, source of future big headaches: use another path than /svn for the Location container.
I have a problem that has been burning my head for two days.
I set up SVN on my CentOS 6.3, hosted on a dedicated server. I'm used to deploying SVN with WebDAV, but this time it's not gonna work as expected.
Actually the repository works through the web browser, but it is impossible to make it work by command line or any tools; I get
svn co http://xxx.xxx.xxx.xxx/svn
Authentication realm: <http://xxx.xxx.xxx.xxx:80> Authorization Realm
Password for 'xxxxxx':
svn: E175002: PROPFIND of '/svn': Could not read status line: Operation timed out (http://xxx.xxx.xxx.xxx)
even though I succeed in getting the authentication prompt, and the Apache access_log shows
xxx.xxx.xxx.xxx - Atheryl [16/Feb/2014:06:09:33 -0500] "OPTIONS /svn HTTP/1.1" 200 183 "-" "SVN/1.7.10 neon/0.29.6"
I tried from other machine/os/location in the world ...
My httpd.conf has just the servername modified, and here is my subversion.conf
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn>
DAV svn
SVNPath /var/www/svn/repos
AuthType Basic
AuthName "Authorization Realm"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
I also did, during installation:
chkconfig --level 235 httpd on
I did contact the support of this server for another reason (two domain names pointing to my IP address; they changed my server addresses, so now logs are clear).
If anyone has any tip for me, thank you.
Edit :
DocumentRoot "/var/www/html"
It seems you have an ordinary connection timeout and a redirect loop (the timeout can be a result of the loop).
Where have you defined the web root in Apache? Is it (haphazardly) /var/www/ (check the DocumentRoot directive in the main host container)? If my assumption is correct, your config is exclusively bad: you have a real physical location /svn under the web root, a logical Location /svn (overlapping the physical one) and repositories as ordinary trees, accessible by Apache (it's terribly incorrect and absolutely insecure).
Move the tree /var/www/svn/repos/ into any other location on the host outside the web root and edit SVNPath accordingly. As a result you must have /some/path/to/repo (a single repo at this path, because SVNPath is used) in the config, and the directory /var/www/svn/ must not exist in your FS.
chkconfig will not find any errors, because your config is syntactically correct but contains logical error(s).
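The empty listing in the first question and the redirect cycles in the two questions above share one root cause: a real filesystem path competing with the DAV svn Location, either through an Alias on the same URL or through repositories stored under the web root. The added Python lint below (example code, not from the page or from Apache/Subversion) parses those two configuration shapes and flags them; the DocumentRoot "/home/subver/public_html" in the second fragment is an assumption that matches the answer's guess, since the question never shows that directive.

```python
import re
from pathlib import PurePosixPath

# Constructed fragments modelled on the configurations in the questions above.
# The DocumentRoot in the second one is an assumption (the answer only guesses
# that public_html is the web root); the page never shows the directive.
CONF_ALIAS_SHADOW = """
Alias /svn /var/lib/svn
<Location /svn>
    DAV svn
    SVNParentPath "/var/lib/svn/"
</Location>
"""
CONF_REPO_IN_WEBROOT = """
DocumentRoot "/home/subver/public_html"
<Location /svn>
    DAV svn
    SVNParentPath /home/subver/public_html/svn
</Location>
"""

def _under(path, root):
    # Pure path comparison, no filesystem access; trailing slashes are ignored.
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def lint_svn_conf(text):
    """Return findings for a 'DAV svn' Location that collides with a real path."""
    docroot, aliases, dav_locs, repo_paths, loc = None, {}, set(), {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'DocumentRoot\s+"?([^"\s]+)"?', line):
            docroot = m.group(1)
        elif m := re.match(r'Alias\s+(\S+)\s+"?([^"\s]+)"?', line):
            aliases[m.group(1)] = m.group(2)
        elif m := re.match(r'<Location\s+"?([^"\s>]+)"?\s*>', line):
            loc = m.group(1)
        elif line.lower() == '</location>':
            loc = None
        elif loc and re.fullmatch(r'DAV\s+svn', line, re.I):
            dav_locs.add(loc)
        elif loc and (m := re.match(r'SVN(?:Parent)?Path\s+"?([^"\s]+)"?', line)):
            repo_paths[loc] = m.group(1)
    findings = []
    for loc in sorted(dav_locs):
        if loc in aliases:   # mod_alias maps the same URL to a directory: empty listing or redirect loop
            findings.append(f"alias-shadow:{loc}")
        repo = repo_paths.get(loc)
        if docroot and repo and _under(repo, docroot):   # repository trees servable as plain files
            findings.append(f"repo-in-webroot:{loc}")
    return findings
```

Dropping the Alias line from the first fragment, which is the fix the first question settled on, makes the lint return nothing.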