
Re: Connection forcibly closed problem

From: David Chapman <dcchapman_at_earthlink.net>
Date: Mon, 30 Jun 2008 15:15:52 -0700

Mcgee, Mark wrote:
>
> I've set up a subversion repository (1.4.6 + apache) on a windows 2003
> machine, running webdav on apache (2.0.63) on port 8080, configured
> with basic authentication.
>
> I set up my router to route incoming traffic on port 8080 to my apache
> server.
>
> This seems to work fine on my local intranet, but I can't perform
> repository operations like checkout over the internet. I can browse
> the repository over the internet with a web browser no problem though,
> but not with the TortoiseSVN repo-browser.
>
> The error message I get is "OPTIONS of '<my url>': could not read
> status line: An existing connection was forcibly closed by the remote
> host". This is an http url, not https. I've browsed all sorts of
> forums for this message, but I haven't managed to find anything of use.
>
> I'm not sure if I should be focussing my attention on my NetGear 834
> firewall/router/ADSL modem or on the Apache config side of things.
> I'm thinking it's a router problem, but I haven't a clue what to try.
>
> I'd appreciate some help on this.
>

If you can reach the repository from inside the firewall, it's most
likely the router. I have a Netopia router, and this is what I had to
do to make my Web sites (and eventually my Subversion repository)
visible to the Internet:

1) set "Allow Server Hosting"
2) enable NAT and configure one machine to act as the DMZ host for
incoming services
3) enable HTTP, HTTPS, and SSH services

Step 1) allows some incoming connections (i.e. connections initiated
from outside). Step 2) redirects those incoming services to a specific
host (make sure you have your machine configured to have a fixed IP on
your intranet; don't let the router assign an address every time you
boot up). Step 3) selects the ports to open to outside access. You
probably won't need any more than these three specified, and if you
don't need to log in or provide file upload capability, keep SSH off.

I want to provide shell access so that I can log in to my Linux compute
server in addition to committing files to the repository. Shell access
goes to a non-privileged account on the DMZ host, and from there I can
log in to the other machines. The Subversion repository itself is on a
separate host on its own subnet behind the DMZ host, and I use virtual
hosting to redirect Subversion accesses to it. Thus even if the DMZ
machine is compromised, the hacker needs at least one more password to
get root access, and completely different passwords to reach my
proprietary data. Even as I write these words, someone is trying to
break in. He won't succeed...

Ideally all of my machines would be on subnets behind the DMZ host, but
Windows networking seems not to run across subnets (the laptop, coming
in on WiFi, would always be on the DMZ subnet because of the router).
There's probably a way to fix this but I have real work to do. :-)

-- 
    David Chapman         dcchapman_at_earthlink.net
    Chapman Consulting -- San Jose, CA
Received on 2008-07-01 00:16:09 CEST
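
The inside-versus-outside comparison in this thread can be made per HTTP method. The following is an added example, not part of the original mail: it sends GET (what a web browser uses) plus OPTIONS and PROPFIND (which a Subversion WebDAV client sends) and reports which ones receive a status line. The function names, the verdict labels and the file name in the usage comment are assumptions of the example.

```python
import socket
import sys

def probe(host, port, method, path="/", timeout=5.0):
    """Send one bare HTTP/1.1 request; return the status line or a failure label."""
    request = (f"{method} {path} HTTP/1.1\r\n"
               f"Host: {host}:{port}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except ConnectionResetError:
        return "reset"            # the failure the Subversion client reported
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"
    if not data.startswith(b"HTTP/"):
        return "no-http-reply"    # peer closed or sent something that is not HTTP
    return data.split(b"\r\n", 1)[0].decode("latin-1")

def answered(result):
    # Any status line counts, including a 401 from basic authentication.
    return result.startswith("HTTP/")

def compare_methods(host, port, path="/"):
    """Probe the browser method (GET) and two methods a WebDAV client sends."""
    results = {m: probe(host, port, m, path) for m in ("GET", "OPTIONS", "PROPFIND")}
    if all(answered(r) for r in results.values()):
        verdict = "all-answered"
    elif answered(results["GET"]):
        verdict = "get-only"      # matches "browser works, checkout fails"
    else:
        verdict = "unreachable"
    return results, verdict

if __name__ == "__main__":
    # Usage (hypothetical file name): python probe_dav.py HOST PORT [PATH]
    host, port = sys.argv[1], int(sys.argv[2])
    path = sys.argv[3] if len(sys.argv) > 3 else "/"
    results, verdict = compare_methods(host, port, path)
    for method, result in results.items():
        print(f"{method:9} {result}")
    print("verdict:", verdict)
```

Run it once from a machine on the intranet and once from outside: "all-answered" inside and "get-only" outside points at a device between the client and Apache rather than at the Apache configuration.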

This is an archived mail posted to the Subversion Users mailing list.