Thanks for your replies.
The AuthUserFile IS outside the DocumentRoot. Maybe it looks a little bit
confusing, but it's a Plesk machine: the webroot starts at */httpsdocs (or
httpdocs for non-SSL). Sorry for not mentioning that.
So (for example):
DocumentRoot = /var/www/domainname/httpsdocs/
SVNParentPath = /var/www/domainname/httpsdocs/projects/
When using the <Location /svn> config mentioned below, I think
there are 2 options to make things more secure:
1- Renaming SVNParentPath to '/var/www/domainname/httpsdocs/svn' to force
'DAV svn' to serve the files. I still think (I have read that also) that
there is no 'confusing part' here for Apache, because there are no
overlapping <Location> directives. Or can a 'Location' path NEVER be a path
in DocumentRoot?
2- Placing SVNParentPath (and all files/repos below that) outside the
DocumentRoot, and making it Apache-readable (and writable, I guess?).
Option 2 might be the best option, and I think I'm going for that ... but
can you guys tell me if option 1 will be secure enough also (that way the
files will be included in the daily backup)?
2006/1/17, Phil Endecott <firstname.lastname@example.org>:
> Sander wrote:
> > I had some repositories under my https-root ..
> > My Apache conf was:
> I assume DocumentRoot /var/www
> > <Location /svn>
> > DAV svn
> > SVNParentPath /var/www/domainname/httpsdocs/projects
> > AuthType Basic
> > AuthName "Subversion Repository Access"
> > AuthUserFile /var/www/domainname/private/.xsinfo
> > </Location>
> > This looks quite OK, doesn't it?
> No it doesn't look OK. You have put your AuthUserFile inside your
> DocumentRoot. This is at best bad practice and at worst a huge security
> hole; see http://httpd.apache.org/docs/2.0/mod/mod_auth.html and look at
> the "Security" box under "AuthUserFile".
> Your issue with your subversion repository is essentially the same.
> Don't put things under your DocumentRoot unless you want to serve them.
Received on Tue Jan 17 01:57:39 2006
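
The path question in this thread can be checked mechanically. The following is an added example, not part of the original messages: it computes the URL that the plain DocumentRoot mapping gives each filesystem path and whether that URL falls under the `<Location /svn>` prefix. It assumes only the default DocumentRoot mapping and segment-boundary `<Location>` prefix matching (no Alias, `<Directory>`, .htaccess or symlinks); the option 2 path `/var/www/domainname/svnrepos` is a constructed placeholder.

```python
import posixpath

def url_for(fs_path, docroot):
    """URL path the plain DocumentRoot mapping gives fs_path, or None if outside it."""
    root = posixpath.normpath(docroot)
    path = posixpath.normpath(fs_path)
    if path == root:
        return "/"
    if path.startswith(root + "/"):
        return path[len(root):]
    return None

def covering_location(url, locations):
    """First <Location> prefix matching url on a path-segment boundary, else None."""
    for loc in locations:
        prefix = loc.rstrip("/")
        if prefix == "" or url == prefix or url.startswith(prefix + "/"):
            return loc
    return None

def classify(fs_path, docroot, locations):
    """Report where fs_path sits relative to DocumentRoot and the <Location> blocks."""
    url = url_for(fs_path, docroot)
    if url is None:
        return ("outside-docroot", None)
    if covering_location(url, locations) is None:
        # Files map to a URL that no listed <Location> (and its auth) applies to.
        return ("docroot-url-not-under-location", url)
    return ("docroot-url-under-location", url)

# Values from the thread, except the option 2 path, which is constructed.
DOCROOT = "/var/www/domainname/httpsdocs/"
LOCATIONS = ["/svn"]
CASES = {
    "current SVNParentPath": "/var/www/domainname/httpsdocs/projects/",
    "option 1 SVNParentPath": "/var/www/domainname/httpsdocs/svn",
    "option 2 SVNParentPath (placeholder)": "/var/www/domainname/svnrepos",
    "AuthUserFile": "/var/www/domainname/private/.xsinfo",
}

if __name__ == "__main__":
    for label, path in CASES.items():
        status, url = classify(path, DOCROOT, LOCATIONS)
        print(f"{label:38} {status:32} {url or '-'}")
```
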