[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[TSVN] SVN ServerInstall website description : SSPI usage behind reverse proxy precision

From: Laurent PETIT <LPETIT_at_sqli.com>
Date: 2004-12-22 14:23:28 CET

Hello,

Please kindly find in the following mail some information concerning how to
put a reverse proxy in front of a Windows apache subversion hosting server,
while still being able to authentify users against their Windows LAN
account.

Indeed, I had a lot of trouble with finding the right configuration, and so
I thought it could be beneficial to send this information back to the
community.

I have installed subversion with Apache, on a Windows 2003 server, as
described on the page:
http://tortoisesvn.tigris.org/serverinstall.html

I have installed the sspi module, so that the server can authenticate users
against the domain controller.

Here was my apache2 subversion hosting servers's configuration :
<Location /svn>
    DAV svn
    SVNParentPath real_path_to_repositories_root
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain cpd-paris
    SSPIOfferBasic On

    AuthName "Subversion repositories"
    Require valid-user
</Location>

The problem arose when I recently decided to add a reverse proxy in front of
my apache server.
From the LAN, using a browser, I was not anymore able to authenticate
through the reverse proxy !

The solution I found was to upgrade the sspi module to the latest one in the
tortoisesvn site,
AND to put the following extra directive to my Location directive :
    SSPIBasicPreferred On

At this point, it was once again possible to authenticate the same way from
the LAN and from the Internet, directly to the reverse proxy.

The only drawback is that, from now on, every user has to authenticate via
basic http, and don't benefit anymore from the NTLM mechanism (from the
LAN).

I consider this not really important, compared to the fact that my users can
uniformly authentify themselves with their classic Windows account.

My 0.02 euros, 

-- 
Laurent Petit
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Wed Dec 22 15:06:40 2004

This is an archived mail posted to the TortoiseSVN Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.