mod_dav_svn : scheme changes from https to http after authentication

From: Danny MacMillan <flowers~subversion.tigris.org~users_at_nekulturny.org>
Date: 2006-04-11 18:49:19 CEST

Hi,

I have a Subversion 1.3.0 repository being served up by Apache 2.0 on a
FreeBSD 6.0-RELEASE-p6 machine. All software was installed from ports.
I have made the repository available only through SSL, and only to
authenticated users. I am experiencing strange behaviour when viewing
the repository using a web browser.

If I browse to the repository at the following URL:

https://dev.example.com/projectname/svn

I am prompted for credentials. So far so good. When I actually supply
those credentials, though, the address bar changes to contain the
following URL:

http://dev.example.com/projectname/svn/

Since I have 'SSLRequireSSL' in my apache config, this results in a
403 - Forbidden http response.

If I instead browse to the following URL (in a new browser instance):

https://dev.example.com/projectname/svn/

I am prompted for credentials, and when I authenticate it works as
expected. The only difference between the working and the non-working
URLs is the trailing slash.

My biggest concern here is that I have supplied credentials to an SSL
encrypted site, but it looks like it is redirecting to an unencrypted
site and it could be (and probably is) sending my credentials in the
clear. Why is it doing this?

Here are the relevant portions of my apache config. If something else
is relevant and I didn't supply it, please let me know:

<Location /projectname/svn>
  DAV svn
  
  # "/projectname/svn" URL will map to a repository /devroot/projectname/svn
  SVNPath /devroot/projectname/svn
  
  # Style the output.
  SVNIndexXSLT "/svnindex.xsl"
  
  # Connections must be made through SSL.
  SSLRequireSSL
  
  # Only authenticated users can use the repository.
  Require valid-user
  
  # How do we authenticate them?
  AuthType Basic
  AuthName "Secure Subversion Repository"
  AuthUserFile /usr/devroot/projectname/_common/auth/authentication
  
  # What are they authorized to do?
  AuthzSVNAccessFile /devroot/projectname/_common/auth/authorization
</Location>

<VirtualHost 192.168.1.251:443>
  
  # General setup for the virtual host
  ServerName dev.example.com
  ServerAdmin webmaster@example.com
  DocumentRoot /usr/local/www/data
  ErrorLog /var/log/dev.example.com-error_log
  CustomLog /var/log/dev.example.com-access_log common
  
</VirtualHost>

In the above, /devroot is a symbolic link to /usr/devroot (shouldn't
matter though).

Thanks,

-- 
Danny MacMillan
Received on Tue Apr 11 18:51:17 2006

This is an archived mail posted to the Subversion Users mailing list.
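
Added example, not part of the original post: a small offline check that flags redirects which move a request from https to http, and marks the trailing-slash case described in the message above. The function names, the sample responses and the 301/302 status codes are assumptions constructed for illustration; the post does not show the actual response headers.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_redirect(request_url, status, location):
    """Describe a redirect response, or return None if it is not one."""
    if status not in REDIRECT_CODES or not location:
        return None
    # A Location header may be relative; resolve it against the request URL.
    target = urljoin(request_url, location)
    src, dst = urlsplit(request_url), urlsplit(target)
    same_host = src.hostname == dst.hostname
    return {
        "target": target,
        "downgrade": src.scheme == "https" and dst.scheme == "http",
        "same_host": same_host,
        # True when the only path change is an appended trailing slash.
        "slash_only": same_host and dst.path == src.path + "/",
    }


def audit(responses):
    """Return (request_url, target, kind) for every https -> http redirect."""
    findings = []
    for request_url, status, location in responses:
        info = classify_redirect(request_url, status, location)
        if info and info["downgrade"]:
            kind = "trailing-slash" if info["slash_only"] else "other"
            findings.append((request_url, info["target"], kind))
    return findings


# Constructed sample: (request URL, status, Location header). The status
# codes are assumed; only the two URLs in the first row come from the post.
SAMPLE = [
    ("https://dev.example.com/projectname/svn", 301,
     "http://dev.example.com/projectname/svn/"),
    ("https://dev.example.com/projectname/svn/", 200, None),
    ("https://dev.example.com/projectname", 301, "/projectname/"),
    ("https://dev.example.com/old", 302, "http://dev.example.com/new"),
]

if __name__ == "__main__":
    for request_url, target, kind in audit(SAMPLE):
        print(f"DOWNGRADE ({kind}): {request_url} -> {target}")
```

The (URL, status, Location) tuples can be collected from any client that records responses without following redirects.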
