RE: Reverse Proxy server success stories anyone?

From: Walter Nicholls <walter.nicholls_at_cornerstone.co.nz>
Date: 2003-12-15 05:10:09 CET

Thanks for all the suggestions. Following up on one:

- Internal subversion server (call it internal.server) now responds on
both HTTP and HTTPS, and this handles authentication and permissions

- Public Apache server (call it external.server) is listening on port
9080 for proxy requests via HTTP only; the httpd.conf contains:
# or just Listen 9080
Listen ipaddress:9080
...
<VirtualHost *:9080>
  ProxyRequests On
  ProxyVia On
  NoCache *

  # Allow https forwarding only
  # AllowConnect 443

  # Allow unrestricted access to internal.server
  # Authentication, SSL etc done by that box
  <Directory proxy:internal.server:443>
    <Limit CONNECT>
      Order allow,deny
      Allow from all
    </Limit>
    <LimitExcept CONNECT>
      Order deny,allow
      Deny from all
    </LimitExcept>
  </Directory>

  # Deny all else
  # <Directory proxy:*>
  #   Order deny,allow
  #   Deny from all
  # </Directory>
</VirtualHost>

Now actually the above configuration isn't very tight (note several
lines commented out) - I have yet to work on the security (probably just
getting Order directives in right, er, order). But it lets through HTTPS
connections fine. Note also this server is Apache 1.3.x branch; there
may be slight differences for an Apache 2.x.

Then finally in %appdata%\subversion\servers I have:
[groups]
internal_server = internal.server

[internal_server]
http-proxy-host = external.server
http-proxy-port = 9080

This works fine, and for any subversion command all the external web
server sees is:

192.168.80.70 - - [15/Dec/2003:15:43:14 +1300] "CONNECT internal.server:443 HTTP/1.1" 200 -

.. The actual transactions are all seen by the internal server, although
I think the client IP address is getting masked (still logs by user name
though).

Coolness! Many thanks to Jens Jorgensen - this configuration does
appear to work. At least for the command-line client, for me. The
other two guys seem to be having trouble configuring this - but they did
start with TortoiseSVN, and now they've picked up their laptops and left
so I can't fix anything until tomorrow!

I also wonder about routing issues with the firewall masquerading IP
addresses and so forth: should work, but that's an area I need to check
out.

This solution doesn't strike me as perfect, although it does seem pretty
secure. It's certainly going to take the pressure off me to do
something perfect though (assuming I can get the other guys' machines to
work). I'll post fixed configuration when I'm finished.

-----Original Message-----
From: Walter Nicholls
Sent: Friday, 12 December 2003 3:16 p.m.
To: users@subversion.tigris.org
Subject: Reverse Proxy server success stories anyone?

Hi all,
Has anyone had any success setting up a proxy server in front of a
Subversion server?

Received on Mon Dec 15 05:08:02 2003
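
An added example, not part of the original post: a small Python check over the external server's access log that lists every proxied request other than a CONNECT to internal.server:443, which is what to watch for while the deny-all block in the posted configuration is still commented out. The allow-list, the function name and all sample log lines except the first are assumptions constructed for illustration.

```python
import re

# Common Log Format, as in the CONNECT line quoted in the post.
CLF = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the only destination this proxy is meant to reach.
ALLOWED_CONNECT = {"internal.server:443"}


def audit(lines, allowed=ALLOWED_CONNECT):
    """Return (client, method, target, status, reason) for every proxied
    request that is not a CONNECT to an allowed host:port."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not an access-log line
        method, target, status = m["method"], m["target"], int(m["status"])
        if method == "CONNECT":
            if target.lower() in allowed:
                continue
            reason = "CONNECT to unexpected host:port"
        elif "://" in target:
            reason = "plain forward-proxy request"  # absolute URI means proxying
        else:
            continue  # ordinary request to the vhost itself, not proxied
        served = "served" if 200 <= status < 400 else "refused"
        findings.append((m["client"], method, target, status, f"{reason} ({served})"))
    return findings


# Sample log: the first line is the one from the post, the rest are constructed.
SAMPLE = [
    '192.168.80.70 - - [15/Dec/2003:15:43:14 +1300] "CONNECT internal.server:443 HTTP/1.1" 200 -',
    '198.51.100.7 - - [15/Dec/2003:16:02:51 +1300] "CONNECT mail.example.com:25 HTTP/1.0" 200 -',
    '198.51.100.7 - - [15/Dec/2003:16:03:10 +1300] "GET http://www.example.com/ HTTP/1.0" 200 1456',
    '203.0.113.9 - - [15/Dec/2003:16:05:00 +1300] "CONNECT internal.server:22 HTTP/1.0" 403 -',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding marked "served" means the proxy relayed traffic to a destination other than the Subversion server; "refused" entries show the access rules doing their job.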

This is an archived mail posted to the Subversion Users mailing list.
