Apache + SVN Access Restrictions



We had a situation where we needed to provide authenticated access to our SVN repo from most places, but needed anonymous read access from a select few IPs. Turns out this was harder to figure out than I expected. I thought this would have been a solved problem, but after a lot of Googling I couldn’t find any solutions. I’m documenting this here in case someone else runs up against this and needs a solution.

I initially tried using an Apache ‘If’ in the config to select a different SVN access file per client range, but for some reason this didn’t work. I couldn’t get good information from debug output: it appeared the correct file was being passed to AuthzSVN, yet for the authenticated access we’d get a 403 Forbidden error after authenticating. Anonymous access worked. The two access files were identical except for one line: the anonymous file had

* = r

and the other had

* =

The Apache config for this attempt was:

<If "-R 'ip-address/bit-mask'">
  Satisfy Any
  AuthzSVNAccessFile /path/to/access-anon.conf
</If>
<Else>
  AuthzSVNAccessFile /path/to/access.conf
</Else>

Eventually we hit upon the idea of allowing anonymous access from specific IPs and authenticated access from all others. The access file needed the following:

[/]
$anonymous = r

The Apache config we used in the end was:

<Location /repo/>
  DAV svn
  SVNParentPath /path/to/repo
  SVNListParentPath On
  AuthzSVNAccessFile /path/to/access.conf

  <If "-R 'ip-address/bit-mask'">
    # From the listed range, the read-only methods need no credentials;
    # anything else (commits, property changes, ...) must authenticate
    <LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthName "Code Repository"
      AuthType Basic
      AuthBasicProvider ldap-auth
      Require valid-user
    </LimitExcept>
  </If>
  <Else>
    # Require auth by all other IPs not excluded above
    AuthName "Code Repository"
    AuthType Basic
    AuthUserFile /path/to/passwd
    Require valid-user
  </Else>
</Location>

This allows the specified IP address(es) to make unauthenticated, read-only requests, while any non-read request from those addresses still requires authentication. For all other IPs, authentication is required for every request.
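To check that the final configuration yields the intended access matrix before deploying it, here is an added example (not from the original post) that models the two decision layers, Apache's If/Else plus LimitExcept and the AuthzSVN access file, as a small Python function. The CIDR, the extra access-file lines and the user names are constructed for illustration.

```python
import ipaddress

# Read-only SVN methods, exactly the set in the LimitExcept block above.
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
# Constructed stand-in for the 'ip-address/bit-mask' in the If expression.
ANON_READ_NETWORK = ipaddress.ip_network("203.0.113.0/24")
# Constructed AuthzSVN access file: the post's '$anonymous = r' plus a
# read-only catch-all for logged-in users and one committer.
ACCESS_FILE = """[/]
$anonymous = r
$authenticated = r
alice = rw
"""

def parse_access_file(text):
    """Parse the AuthzSVN subset used here: [path] sections of
    'principal = perms' lines ($anonymous, $authenticated, * or a user)."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rules[section] = {}
        else:
            principal, _, perms = (p.strip() for p in line.partition("="))
            rules[section][principal] = perms
    return rules

def authz_perms(rules, user):
    """Permissions at [/] for a user (None = anonymous); a user-specific
    rule beats the $authenticated and * catch-alls."""
    root = rules.get("/", {})
    if user is None:
        return root.get("$anonymous", root.get("*", ""))
    return root.get(user, root.get("$authenticated", root.get("*", "")))

def decide(client_ip, method, user=None):
    """HTTP outcome: 200 allowed, 401 credentials required, 403 denied."""
    in_network = ipaddress.ip_address(client_ip) in ANON_READ_NETWORK
    # Apache layer (If/Else + LimitExcept): only anonymous reads from the
    # allowed range get through without credentials; the rest gets 401.
    if user is None and not (in_network and method in READ_METHODS):
        return 401
    # AuthzSVN layer: the access file decides what the principal may do.
    perms = authz_perms(parse_access_file(ACCESS_FILE), user)
    needed = "r" if method in READ_METHODS else "w"
    return 200 if needed in perms else 403
```

This does not replace probing the real server with an SVN client from inside and outside the range, but it makes the 401-versus-403 split that tripped up the first attempt explicit.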
