3

I have an SVN repository that is configured to use Basic authentication through Apache httpd to limit access to specified users. To support a continuous integration server (and other read-only services) running on the same server I would like to allow anonymous read access from localhost.

After doing some research (i.e. Googling) I came up with trying the following Apache configuration:

```apache
<Location /svn>
   DAV svn
   SVNParentPath /var/svn

   AuthType Basic
   AuthName "SVN"
   AuthBasicProvider external
   AuthExternal pwauth

   #Only allow specified users to login to SVN
   require user UID1
   require user UID2
   require user UID3

   #Allow anonymous reads from localhost
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      Order allow,deny
      Allow from 127.0.0.1
   </LimitExcept>
</Location>
```

When I try to do an anonymous checkout from the local server I still get prompted for a password (in this case for the root user).

Any thoughts or suggestions as to what I might be doing wrong or how I should properly configure things to allow this?

My original attempt at configuring anonymous read access is based off of the information on this page.

Michael
  • Watch your Apache log to see what IP it thinks you're coming from. If IPv6 is enabled, you might need to add `Allow from ::1` – Michael Berkowski Feb 13 '12 at 15:27
  • The request in the ssl_access_log shows it coming from 127.0.0.1 as I specified: `127.0.0.1 - - [13/Feb/2012:10:38:40 -0500] "OPTIONS /svn/myRepo`. – Michael Feb 13 '12 at 15:40

6 Answers

1

If you have multiple Require lines, then by default it is RequireAny - only one rule needs to pass. So you can do it like this:

```apache
   Require user UID1 UID2 UID3

   #Allow anonymous reads from localhost
   <LimitExcept GET PROPFIND OPTIONS REPORT>
     Require ip 127.0.0.1
   </LimitExcept>
```
AdamS
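An added example, not part of the answer above or of any post on this page: one way to express "named users for everything, plus unauthenticated reads from loopback only" on Apache 2.4 with mod_authz_core. `<LimitExcept>` applies its contents to every method that is not listed, so this version states the method condition with `Require method` instead. The paths, provider and user names are copied from the question; Apache 2.4 is an assumption.

```apache
<Location /svn>
   DAV svn
   SVNParentPath /var/svn

   AuthType Basic
   AuthName "SVN"
   AuthBasicProvider external
   AuthExternal pwauth

   # Access is granted when either branch below passes.
   <RequireAny>
      # Branch 1: an authenticated, named user (any method, any source).
      Require user UID1 UID2 UID3

      # Branch 2: no credentials, but only when BOTH conditions hold:
      # the client address is loopback AND the method is read-only.
      <RequireAll>
         Require ip 127.0.0.1 ::1
         Require method GET PROPFIND OPTIONS REPORT
      </RequireAll>
   </RequireAny>
</Location>
```

Run `apachectl configtest` before reloading, then confirm that an unauthenticated checkout from the server itself succeeds while an unauthenticated commit from the server, and any unauthenticated request from another host, gets a 401. If a reverse proxy on the same machine forwards requests to this server, every proxied client appears as 127.0.0.1, so the loopback branch is only safe when nothing else relays traffic to it.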
1
```apache
  Satisfy Any
  require valid-user
```

works for me nicely (can checkout, can't commit)

Edit

My block, with relevant and irrelevant parts

```apache
<Location /svn/>
  DAV svn

  SVNListParentPath on
  SVNParentPath "D:/Repositories/"
  SVNIndexXSLT "/svnindex.xsl"

  SVNPathAuthz short_circuit

  SVNCacheTextDeltas off
  SVNCacheFullTexts off

  AuthName "VisualSVN Server"
  AuthType Basic
  AuthBasicProvider file
  AuthUserFile "D:/Repositories/htpasswd"
  AuthzSVNAccessFile "D:/Repositories/authz"

  Satisfy Any
  require valid-user

  # Add Expires/Cache-Control header explicitly
  ExpiresActive on
  ExpiresDefault access
</Location>
```

If I skip Satisfy Any, I have to authenticate any request.

Lazy Badger
  • Were you actually able to get this to work where you could check out anonymously without specifying a user id? – Michael Feb 14 '12 at 02:11
  • @Michael - on [my local SVN](http://mayorat.ursinecorner.ru:8088/), you can try checkout-commit from any announced repo – Lazy Badger Feb 14 '12 at 07:29
  • Unfortunately I cannot try your URL from work (due to network security constraints). However I tried but I wasn't able to get what you describe to work for myself. How did you specify the `require valid-user` part in your config to limit the exception to read only? – Michael Feb 14 '12 at 14:24
  • @Michael - nothing special. I added my location into edit-part of answer (**full** location) – Lazy Badger Feb 14 '12 at 15:34
  • While that works (using the `AuthzSVNAccessFile`) it doesn't let me limit the anonymous connections only to coming from localhost. It looks like to do that I will have to go ahead and give in and create an account just for my CI server to use. Thanks for your help though! :) – Michael Feb 14 '12 at 19:50
  • @Michael - just an idea: two virtualhosts on different interfaces – Lazy Badger Feb 14 '12 at 20:11
0

Even I was not able to solve the anonymous access problem.

But instead of creating a new read-only user, I got the integration (with redmine) to work by using the file-based URL. So instead of referring to the http URL (which requires authentication), I am using file:///. This does not require authentication.

krishnakumarp
0

I think you're after Satisfy Any at the bottom of your Location block, which allows access if any of the Allow and Require directives match (as opposed to the default, which requires them all to match).

Documentation is here.

nickgrim
  • This didn't seem to work for me. It allowed me to check-out anonymously, but also check-in anonymously! – Michael Feb 13 '12 at 21:44
0

I don't think this is going to work; the "require user" directive is active for the whole location block.

My first thought was to put the "require user" inside the limit block. This won't work because the limit block is active regardless of which IP you are requesting the data from.

Make a second directory called svn-localhost, and map your svn root there a second time with only the limit block present.

C. Holzberger
  • I thought of this too. Unfortunately our svn:externals will be broken using this method since they are all pointing to /svn which would require authentication. – Michael Feb 13 '12 at 20:36
  • Hmmm, OK, what about this: listen to 127.0.0.1 and your public IP separately, then define 2 vhosts, one for the public IP and one for the loopback one... the hard part of your question is how to separate internal requests from external ones – C. Holzberger Feb 13 '12 at 23:17
0

I was never able to find a solution that would allow anonymous read access from localhost only and require authentication for both read and write from any remote system.

Ultimately I created a username/password for the application needing to authenticate.

This wasn't the ideal solution... but it should work fine.

Michael