F12/Subversion/httpd -- PROPFIND access denied [Solved]

Steven F. LeBrun steven at lebruns.com
Thu Dec 31 07:20:56 UTC 2009



On 12/29/2009 08:01 PM, Steven F. LeBrun wrote:
> After upgrading to Fedora 12, I installed and tried to set up a 
> Subversion repository with mixed success.  I have worked out the bulk 
> of the issues but one still has me stumped.  Hopefully, someone on 
> this list knows the answer or can point me to a URL that does.
>
> The problem is that I cannot get Subversion to work with Apache 2.2.  
> Every time that I try to checkout the repository, I receive a 403 
> Forbidden Access error.  To make matters more frustrating, if I access 
> the repository using local access (file:///...) the command works.  It 
> is only when I try to use HTTP/WebDAV access 
> (http://localhost/svn/...) does the access problem occur.
>
> Things that I have tried:
>
> - SELinux enabled and disabled -- no difference.
>
> - Various permissions and ownerships.
>   -- The repository and Subversion directories are currently owned by apache.apache.
>
> - Various settings in my subversion.conf file for httpd.
>   -- When the <LimitExcept> section is commented out, the failure comes on the third
>       "PROPFIND /svn/Home/sfbooks/trunk  HTTP/1.1" request.  The first two return 207
>       while the third one returns 403.  Using Wireshark, all three requests are identical
>       barring numbers in the IP headers.
>   -- When the <LimitExcept> section is active, the failure comes on the very first request,
>       "OPTIONS /svn/Home/sfbooks/trunk HTTP/1.1" request with a 403 response.
>   -- Both 403 responses contain the same reason: "You don't have permission to access
>       /svn/Home/sfbooks/trunk\n on this server."
>
> Any suggestions will be appreciated.
>
> Setup:
>
> Root Subversion Directory:    /opt/Subversion
> Repository Parent Directory:  /opt/Subversion/repos
> Password File:                /opt/Subversion/users/passwords (created using htpasswd)
> SVN Authz Config File:        /opt/Subversion/permissions/svnauthz.conf
>
> Repository:                   Home  (located at /opt/Subversion/repos/Home)
> Project within Home Repo:     sfbooks/trunk
>
> Content of passwords:
>     steven:MD5PasswordHash
>
> Content of svnauthz.conf
>     [/]
>     steven=rw
>
> Content of conf.d/subversion.conf
>
>   LoadModule dav_svn_module     modules/mod_dav_svn.so
>   LoadModule authz_svn_module   modules/mod_authz_svn.so
>
>   Alias  /svn  /opt/Subversion/repos
>
> <Location /svn/>
>      # mod_dav Commands
>      DAV                  svn
>      DavDepthInfinity     on
>
>      # SVN Provider Commands
>      SVNParentPath        /opt/Subversion/repos
>
>      # authz_svn_module Commands
>      AuthzSVNAccessFile   /opt/Subversion/permissions/svnauthz.conf
>
>
> <LimitExcept GET PROPFIND OPTIONS REPORT>
>              # Authentication Commands
>              AuthType             Basic
>              AuthName             "Subversion Repository Login"
>              AuthUserFile         /opt/Subversion/users/passwords
>              Satisfy              Any
>              Require              valid-user
> </LimitExcept>
>
>      # <Limit GET PROPFIND OPTIONS REPORT>
>      #        Order   Allow,Deny
>      #        Allow   from All
>      # </Limit>
>
> </Location>
>
>
> -- 
>   Steven F. LeBrun
>
> Quote: /"Winter meant the coming of the lazy wind, which couldn't be 
> bothered to blow around people and blew right through them instead."/
>      -- Terry Pratchett, from /"Wyrd Sisters"/
>

After a lot of searching with Google, forums, etc., no solution was found 
on the net.  There were a lot of forums/mailing lists that listed the 
same problem but no solutions were offered.  A lot of things were hinted 
at, but nobody had a general solution.

Most of the suggestions revolved around access permissions of the actual 
files in the repository and its path.  That did not affect my problem.

Two facts led me to the final solution:
1)  "svn checkout file:///[repo path]  [sandbox path]" worked while
      "svn checkout http://localhost/[repo URI] [sandbox path]" did not.
      This led me to believe that I had created my Subversion repository
      correctly and that the problem was probably with my Apache
      configuration or Linux filesystem access permissions.

2)  When I ran the checkout command using the http URL, the Apache access
      log showed multiple requests ran correctly before the 403 Forbidden
      occurred.  Plus, the request that received the 403 status was the
      third request for the same data.  The content of all three requests
      was identical with the exception of IP headers (counters and times
      differ).

So what could be the problem that allowed the first two PROPFIND 
requests to succeed while rejecting the third identical request?

The answer:  mod_evasive (mod_evasive20.so in my case).

The evasive module is designed to stop denial of service attacks.  It 
works by tracking how many times the same request comes in from the same 
IP address in a configurable interval.  In the case of the default 
settings the threshold was set to 2 requests/IP Address/1 second 
interval.  This allowed the first two PROPFIND requests to the same path 
to succeed and the third request to fail with a 403 Forbidden error.

Increasing the threshold to 5 requests per second per IP address fixed 
my WebDAV access to my Subversion repository while still providing DoS 
attack protection.


-- 
   Steven F. LeBrun

Quote: / "There are 10 types of people in this world, those that 
understand binary and those who don't." /
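
The diagnosis in this message, as an added example (not part of the original post and not mod_evasive's own code): a simplified fixed-window counter per client IP and URI, run over access-log lines, separates 403s that fit a rate limit from 403s that need an authz or permissions explanation. The sample log, the /svn/Other path and the function names are assumptions; in mod_evasive the per-page threshold and interval are set with DOSPageCount and DOSPageInterval.

```python
import re
from datetime import datetime

# Constructed sample (Apache common log format), modelled on the checkout in
# the post; the timestamps, sizes and the /svn/Other line are invented.
SAMPLE_LOG = """\
127.0.0.1 - - [31/Dec/2009:02:10:04 -0500] "OPTIONS /svn/Home/sfbooks/trunk HTTP/1.1" 200 188
127.0.0.1 - - [31/Dec/2009:02:10:05 -0500] "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" 207 648
127.0.0.1 - - [31/Dec/2009:02:10:05 -0500] "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" 207 648
127.0.0.1 - - [31/Dec/2009:02:10:05 -0500] "PROPFIND /svn/Home/sfbooks/trunk HTTP/1.1" 403 301
127.0.0.1 - - [31/Dec/2009:02:10:09 -0500] "PROPFIND /svn/Other HTTP/1.1" 403 290
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield (line_no, ip, epoch_seconds, method, uri, status) per parsable line."""
    for no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield no, m["ip"], ts, m["method"], m["uri"], int(m["status"])

def over_limit(log_text, threshold, interval=1):
    """Line numbers of requests beyond `threshold` hits per (IP, URI) window."""
    windows, flagged = {}, []
    for no, ip, ts, _method, uri, _status in parse(log_text):
        start, count = windows.get((ip, uri), (ts, 0))
        if ts - start >= interval:      # window expired: start a new one
            start, count = ts, 0
        count += 1
        windows[(ip, uri)] = (start, count)
        if count > threshold:           # simplified model of the limiter
            flagged.append(no)
    return flagged

def classify_403s(log_text, threshold, interval=1):
    """Split logged 403s into (rate-limit candidates, other causes)."""
    flagged = set(over_limit(log_text, threshold, interval))
    rate, other = [], []
    for no, *_rest, status in parse(log_text):
        if status == 403:
            (rate if no in flagged else other).append(no)
    return rate, other
```

A 403 that lands in the second list did not exceed the modelled threshold, so it points back at authentication, authz rules or filesystem permissions rather than the rate limiter.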
