
Re: Subversion service records? (Was: Mapping repositories to ports)

From: Alec Kloss <alec.kloss_at_oracle.com>
Date: Thu, 30 Oct 2008 09:18:06 -0500

On 2008-10-30 15:11, Andreas Schweigstill wrote:
> Dear Alec!
>
[chop]
>
> Thank you for your thoughts but I don't understand how this is
> related to the OP's requirement and my answer. I didn't talk about the
> different access methods like svn, http, ssl but instead about low-level
> stuff.
>
> Example:
>
> I have a SVN server running:
> svn://server:3690/repo1
> svn://server:3691/repo2
> svn://server:3692/repo3
>
> And a firewall with the following port redirection:
>
> *source* IP 192.168.1.0/24, destination IP firewall, port 3690
> --> server port 3690
>
> *source* IP 192.168.2.0/24, destination IP firewall, port 3690
> --> server port 3691
>
> *source* IP 192.168.3.0/24, destination IP firewall, port 3690
> --> server port 3692
>
> This way users from the first network are only able to access repo1,
> and so on. This enhanced security quite a lot because the access
> rules on the SVN server have to apply *AND* a matching firewall rule
> has to exist for a certain network/repository. This has nothing to
> do with rewriting access methods.
>
[chop]

I was thinking about elaborating a little, but decided brevity was
the soul of wit. :(

For your situation, if subversion supported SRV records, you'd use

svn://repo1.company.com/
svn://repo2.company.com/
svn://repo3.company.com/

for the URLs, and have service records like so:

_svn._svn.repo1.server IN SRV 10 10 3690 server
_svn._svn.repo2.server IN SRV 10 10 3691 server
_svn._svn.repo3.server IN SRV 10 10 3692 server

I think this would achieve your goal and you wouldn't have to
explain port numbers to people. It also lets you re-arrange port
numbers in the future without changing the URL to the repository.
Say repo2 becomes extremely large or extremely busy so you want to
move it onto a different server with more disk or a better internet
connection. You just change the DNS SRV record for it like so:

_svn._svn.repo2.server IN SRV 10 10 3690 superserver

Using SRV records like this does allow you to use split-horizon DNS
to adjust available access mechanisms based on client IP address.
You could have people inside your intranet use only svn protocol
access, and people outside use only a https protocol access for
example. I generally wouldn't recommend split-horizon to anyone,
but it is an option.

-- 
Alec.Kloss_at_oracle.com			Oracle Middleware
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x432B9956

Received on 2008-10-30 15:18:36 CET
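
The lookup described in the message above, as an added example that is not part of the original post and not Subversion code (the message is conditional on Subversion supporting SRV records): a client-side resolver that maps an svn:// URL to a host and port through SRV records. The `_svn._tcp` owner names, the `company.com` zone and the function names are assumptions, and the zone text is constructed.

```python
import random
from urllib.parse import urlsplit

# Constructed zone data modelled on the records in the message; the
# _svn._tcp owner names and the company.com zone are assumptions.
ZONE = """
_svn._tcp.repo1.company.com. IN SRV 10 10 3690 server.company.com.
_svn._tcp.repo2.company.com. IN SRV 10 10 3691 server.company.com.
_svn._tcp.repo3.company.com. IN SRV 10 10 3692 server.company.com.
"""

def parse_srv(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[1:3] != ["IN", "SRV"]:
            continue  # skip blanks and anything that is not an SRV line
        owner, prio, weight, port, target = fields[0], *fields[3:]
        records.setdefault(owner.lower(), []).append(
            (int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def resolve(url, records, rng=random):
    """Map svn://host/ to (target, port) using the host's SRV records."""
    parts = urlsplit(url)
    if parts.scheme != "svn" or not parts.hostname:
        raise ValueError("not an svn:// URL")
    if parts.port is not None:
        return parts.hostname, parts.port   # explicit port: no SRV lookup
    owner = f"_svn._tcp.{parts.hostname}."
    candidates = records.get(owner)
    if not candidates:
        return parts.hostname, 3690         # no SRV record: default svn port
    best = min(r[0] for r in candidates)    # lowest priority value wins
    pool = [r for r in candidates if r[0] == best]
    # Weighted pick among equal-priority targets; weight 0 is bumped to 1 so
    # choices() never gets an all-zero list (an approximation of RFC 2782).
    pick = rng.choices(pool, weights=[r[1] or 1 for r in pool])[0]
    return pick[3], pick[2]

if __name__ == "__main__":
    print(resolve("svn://repo2.company.com/", parse_srv(ZONE)))
    # Moving repo2 to another machine changes one record, not the URL.
    moved = ZONE.replace("3691 server.", "3690 superserver.")
    print(resolve("svn://repo2.company.com/", parse_srv(moved)))
```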

This is an archived mail posted to the Subversion Users mailing list.
