Apache + SVN Access Restrictions
We had a situation where we needed to provide authenticated access to our SVN repo from most places, but needed anonymous read access from a select few IPs. Turns out this was harder to figure out than I expected. I thought this would have been a solved problem, but after a lot of Googling I couldn’t find any solutions. I’m documenting this here in case someone else runs up against this and needs a solution.
I initially tried using an Apache ‘If’ in the config to specify different SVN access files, but for some reason this didn’t work. I couldn’t get good information from debug, but it appeared the correct file was passed to AuthzSVN, however for the authenticated access we’d get a 403 Forbidden error after authenticating. Anonymous access worked. The two access files were the same except for one line: the anonymous file had
* = r
and the other had
The Apache config for this attempt was:
<If "-R 'ip-address/bit-mask'"> Satisfy Any AuthzSVNAccessFile /path/to/access-anon.conf </If> <Else> AuthzSVNAccessFile /path/to/access.conf </Else>
Eventually we hit upon the idea of allowing anonymous access from specific IPs and authenticated access from all others. The access file needed the following:
[/] $anonymous = r
The apache config we used in the end was:
<Location /repo/> DAV svn SVNParentPath /path/to/repo SVNListParentPath On AuthzSVNAccessFile /path/to/access.conf <If "-R 'ip-address/bit-mask'"> <LimitExcept GET PROPFIND OPTIONS REPORT> AuthName "Code Repository" AuthType Basic AuthBasicProvider ldap-auth require valid-user </LimitExcept> </If> <Else> # Require auth by all other IPs not excluded above AuthName "Code Repository" AuthType Basic AuthUserFile /path/to/passwd Require valid-user </Else> </Location>
This allows the specified IP address(es) to make a non-authenticated request for read-only access. While any non-read requests requires authentication. For all other IPs, authentication is required for all requests.