[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Apache + SVN

From: Bruce Wilson <b-svn_at_toomuchblue.com>
Date: 2007-04-12 23:46:00 CEST

Thanks for the speedy reply, Ryan. I think maybe I skimmed too quick
over some of my points.

Ryan Schmidt wrote:
> On Apr 11, 2007, at 22:14, Bruce Wilson wrote:
>> * WebDAV should not be available to the bugzilla sites. Subversion
>> instance should not have access to modules specific to Bugzilla.
By this I mean that I would prefer the Bugzilla sites be using an
instance of Apache which does not even have the WebDAV module loaded. I
know I can enable WebDAV on a site-by-site basis, but I'd rather not
have it accessible to Bugzilla at all. I'm going for the "less is more"
configuration for each instance, to make each site's config as simple as
possible, to minimize the attack surface of each site, and to make sure
that (for example) dav can't be leveraged against Bugzilla to get to my
Postgresql server and parlay that into full control of my box.

>> * The Bugzilla sites should not have file permissions to the
>> Subversion repository.
Subversion requires Apache to have write access to the repository
directory. Bugzilla requires write access to several of its own
directories. Since the two Bugzilla sites are public-facing, linked
from multiple places and potentially turning up in search engines, I'm
uncomfortable having those sites running under a user who potentially
has access to the Subversion repository, holding private and proprietary
data. The only way I've seen to control this is to run one instance of
Apache as one user (perhaps "www-bugzilla") and another instance as
another user ("www-svn"), so I can assign different permissions to each
user.

>> * Configurations should not "bleed over" from one site to the other.
>> That is, if I grant/deny a permission on a path in the bugzilla site,
>> and that same path exists in Subversion, the permissions should not
>> carry over.
This may be more a case of my discomfort with Apache configurations.
Reading all the Apache examples and config files, it's not at all clear
to me how I can be sure that...
<Location />
    Dav svn
</Location>
...would not enable Dav for the root of all sites at once.

 From your reply, I guess I just need to get more familiar with nesting
directives. Overall, I'm just having trouble putting it all together.
Between my O'Reilly books on Apache and Subversion, reading the Apache
.conf file examples, and the httpd docs on the web, I have seen lots of
examples of how to do any specific X within either package - in
isolation. I'm looking for a more detailed explanation of how to use
certain features together.

As you've probably seen, there's a bajillion websites (and forum posts
and blog entries and columns...) that tell you how to switch Apache from
single-site to vhost, but that's about as far as they go. They don't
take it to the next step to show what a complex multi-vhost config looks
like, with SSL, with DAV on limited directories, with mod-rewrites to
force SSL, with custom access rules in specific paths, and so on and so
forth.

Of the places I've looked, the Subversion and Bugzilla install guides
seem to have the most comprehensive explanations. Apache docs are often
too general because they assume you'll know what options you'll need for
your site.

> I've never heard of Apache's "profiles" feature. I don't see any
> reason for you to run a second copy of Apache. Just use another vhost
> for your Subversion repository(ies).
Hmm, I guess this is a feature of the FreeBSD port of Apache. It
permits such things as "apachectl start profile1" to start an instance
with a specific set of configurations. "apachectl start" launches all
known profiles. I've seen references in other projects to using an
"apache-profile-like" configuration method, so I figured it was a pretty
widely known feature.

I'll follow up with the port maintainer to see if there's any help on
this feature.

As I explained above, I'm pretty sure I can't prevent the Bugzilla sites
from having write access to Subversion under a single instance of
Apache. If I have to run all the sites under one instance I will, but
what I know of this feature seems like a perfect fit for the
configuration I'm after.

> If all your vhosts use SSL, then you need a separate IP address for
> each vhost. (More specifically, you need one IP for each SSL vhost. If
> you have additional non-SSL vhosts, they can be name-based and can
> share an SSL vhost's IP, or use their own IP, as you wish.)
Yeah, I understand how name-based vhosts work. All three sites use SSL,
so I am forced to IP-based vhosts.

I'm sure someone must have written something with a bit more depth than
"You can host two sites! With the same IP! Without changing ports!
Here's how!", I just haven't found it yet.

If you think I'm better off asking on an Apache list, please let me know
- I don't want to be an annoyance if this isn't the right place for this.

---
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Apr 12 23:46:48 2007

This is an archived mail posted to the Subversion Users mailing list.