
Re: some questions about setting up svn with Apache httpd

From: Christoph Anton Mitterer <cam_at_mathematica.scientia.net>
Date: 2005-05-10 22:04:37 CEST

Stephane Bortzmeyer wrote:

>>My first question: Is the communication already secure (e.g. against
>>man in the middle attack) if I securely transmit my server's SSL
>>certificate to all clients or is it required that the clients
>>authenticate themselves with an SSL certificate too (in order to get
>>secured and verified communication)?
>>
>>
>Define "secure". What do you fear? That the MIM poses as the server or
>as a client? SSL can protect both.
>
>
I need both. I need the same security that I'd get when encrypting and
signing emails e.g. with GnuPG.
I get encryption to hide my data from others, and verification (my
message is signed with my key, thus I can check if the data has been
modified by others).

>>2nd Question how do I properly set up my apache that it uses https and
>>ONLY https for svn
>>
>>
>
>Here is what I do, note the automatic redirection if someone does not
>use SSL and uses the port 80:
>
>
Good idea :-)

># Subversion
><VirtualHost 192.134.7.250:80>
>ServerName svn.generic-nic.net
>Redirect permanent / https://svn.generic-nic.net/
></VirtualHost>
>
><VirtualHost 192.134.7.250:443>
>ServerName svn.generic-nic.net
>SSLEnable
>...
>
>
In the meantime I found some other information including the following
directives:

<VirtualHost *:443>

    ServerName svn.trilithium.net

    SSLEngine on
    SSLCertificateFile /path/to/certificate
    SSLCertificateKeyFile /path/to/keyfile
    SSLCertificateChainFile /path/to/ca-certificate

    <Location />
        DAV svn

        SSLRequireSSL

        SVNPath /path/to/repository
        SVNIndexXSLT /stylesheet/uri

        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /path/to/htpasswd
        AuthGroupFile /path/to/htgroup
        AuthzSVNAccessFile /path/to/accessfile

        Satisfy any
        Require valid-user
    </Location>
</VirtualHost>

First of all: why is the <Location> element within the <VirtualHost>?
And how do I properly use all these SSL* directives? Should I place them
inside <Location>?
AFAIK SSLRequireSSL means that a connection has to be SSL encoded. I
think I don't need the Satisfy directive, but I don't completely
understand the first 4 SSL directives.

>>1) "Normal" Password/User Authentication => How would my config files
>>look if I'd like to do that?
>>
>>
>
>Here is what I do, in the same <VirtualHost> (I use LDAP but the
>general idea is the same):
>
><Location />
> AuthType Basic
> AuthName "Subversion Repository"
> AuthLDAPURL ldap://ldap.eureg.org/ou=People,dc=eureg,dc=eu?uid?sub?(objectClass=*)
> require valid-user
></Location>
>
>
BTW: Thanks for your help :)

Received on Tue May 10 22:07:41 2005

This is an archived mail posted to the Subversion Users mailing list.
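
An annotated configuration combining the two fragments quoted in this message, added here as an illustration and not written by either poster. The hostname svn.example.org, the /path/to/... values and the client-certificate lines (SSLCACertificateFile, SSLVerifyClient and SSLVerifyDepth from mod_ssl) are assumptions, for an Apache 2.x server with mod_ssl and mod_dav_svn loaded.

```apache
# Added example; hostname and paths are placeholders, not values from the thread.

# Port 80 serves nothing but a redirect, so the repository and the
# Basic-auth login are never offered over plain HTTP.
<VirtualHost *:80>
    ServerName svn.example.org
    Redirect permanent / https://svn.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName svn.example.org

    # Per-virtual-host directives: they configure the TLS endpoint itself,
    # so they sit directly in <VirtualHost>, not inside <Location>.
    # Clients that trust this certificate can verify the server's identity.
    SSLEngine on
    SSLCertificateFile    /path/to/certificate
    SSLCertificateKeyFile /path/to/keyfile

    # Optional mutual authentication (assumption, not in the thread's configs):
    # the handshake only completes for clients presenting a certificate
    # issued by this CA.
    SSLCACertificateFile  /path/to/client-ca-certificate
    SSLVerifyClient require
    SSLVerifyDepth  1

    # <Location> is nested in the virtual host so the repository is
    # published only on the TLS listener.
    <Location />
        DAV svn
        SVNPath /path/to/repository

        # Per-location guard: refuse any request that did not arrive over SSL,
        # even if this block is later copied into a non-SSL virtual host.
        SSLRequireSSL

        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /path/to/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before the server is restarted.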