
Re: Using Subversion's apache server for more than Subversion

From: Mike Wohlgemuth <mjw_at_woogie.net>
Date: 2002-09-09 17:58:53 CEST

On Mon, 2002-09-09 at 11:17, Scott Lamb wrote:
>
> You've gotta keep security in mind when you do it, though. It's common
> to have dynamic content stuff running stuff as the Apache user. If you
> have virtual hosting, this means users can do whatever they want to your
> Subversion repository, since it must be writable by the Apache user. Or,
> in your specific case, if there are exploitable bugs in the dynamic
> stuff you are running. There are several things you can do:

It is for these security reasons that I am running a separate Apache 2.0
process for my Subversion server on port 8000, and proxying to it from
my default Apache 1.3 server on port 443 (I'm running with SSL). It
might be more complicated than most people would care for, and it
requires mod_proxy and mod_rewrite, but I thought I'd mention it.
Here's how it's done:

First, set up Apache 2.0, without SSL, on port 8000 (or whatever port
you want) just as the docs specify. Verify that this works as you would
expect.

Now for the fun part. You will need to tell your main Apache server to
proxy requests for your Subversion repositories to your Subversion
Apache server. Say you have a repository at /myproject on the
Subversion Apache server. Add the following to your main

# turn on the rewrite engine
RewriteEngine on

# redirect any request without a trailing slash for myproject to one
# with a trailing slash
RewriteRule ^/myproject$ /myproject/ [R=permanent,L]

# proxy all requests for /myproject/* to my subversion server
RewriteRule ^/myproject/(.*)$ http://localhost:8000/myproject/$1 [P,L]

This allows me to run the Subversion Apache server as a user that only
has access to the Subversion repositories, and my main Apache server
with no access to the repository at all.

I hope this makes sense.

Woogie

Received on Mon Sep 9 17:59:32 2002

This is an archived mail posted to the Subversion Dev mailing list.
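
Added example, not part of the archived message or of Subversion: a Python check for the property the setup above depends on, namely that the account the main Apache server runs as cannot reach anything in the repository. The script name, its two arguments and the demo tree are assumptions of this example; it evaluates classic Unix mode bits only (no POSIX ACLs) and does not examine the repository's parent directories.

```python
import os
import pwd
import stat
import sys
import tempfile

def access_bits(st, uid, gids):
    """rwx bits (0-7) that the classic Unix mode check grants to uid/gids."""
    if uid == 0:
        return 7  # root bypasses mode bits
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(path, uid, gids, findings=None):
    """Collect (path, 'rwx') for everything under path that uid can reach and touch."""
    findings = [] if findings is None else findings
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return findings  # a symlink's own mode bits are not enforced
    bits = access_bits(st, uid, gids)
    if bits:
        flags = "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))
        findings.append((path, flags))
    # Search (x) permission on a directory is enough to open well-known names
    # inside it, so descend whenever x is granted, even without r.
    if stat.S_ISDIR(st.st_mode) and bits & 1:
        for name in sorted(os.listdir(path)):
            audit(os.path.join(path, name), uid, gids, findings)
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # audit_repo.py <repository path> <main Apache user>
        pw = pwd.getpwnam(sys.argv[2])
        found = audit(sys.argv[1], pw.pw_uid, set(os.getgrouplist(pw.pw_name, pw.pw_gid)))
    else:  # no arguments: constructed demo, a 0755 directory checked against a made-up uid
        with tempfile.TemporaryDirectory() as repo:
            os.chmod(repo, 0o755)
            found = audit(repo, os.getuid() + 1, set())
    for path, flags in found:
        print(f"{flags}  {path}")
    if not found:
        print("no access: the front-end user cannot reach the repository")
```

Run it as root or as the repository owner so the walk itself can read every directory; an empty result means the front-end account is locked out by mode bits.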