Re: [F8] Apache Mod_Security and SubVersion

On Fri, 08 Feb 2008 16:42:03 -0800
"Daniel B. Thurman" <dant@xxxxxxxxx> wrote:

> 
> To make a really long story as short as possible, let's just say that I
> have been able to set up Apache, Mod_Security, SSL and SubVersion, and
> I am able to access the subversion repository locally with the svn
> commands and the web browser, but not remotely.
> 
> The SSL certificates are installed in the /etc/httpd/conf directory
> and it works via the browser and the svn commands in the shell. But doing
> this remotely with a web browser or the following svn command results in
> the server certificate not being passed to the client at all.  It
> appears to show some bogus certificate Issuer instead, as follows:
> 
> +  svn list https://svn.<domain>.com
> 
> Error validating server certificate for
> 'https://svn.<domain>.com:443':
>  - The certificate is not issued by a trusted authority. Use the
> fingerprint to
>     validate the certificate manually!
>  - The certificate hostname does not match. 
> Certificate information:
>  - Hostname: <hostname>.<domain>.com
>  - Valid: from Sun, 09 Dec 2007 01:13:54 GMT until Mon, 08 Dec 2008
> 01:13:54 GMT
>  - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
> SomeState, --
>  - Fingerprint:
> 70:ab:9c:b3:97:a3:98:02:39:5e:59:b4:50:2c:07:bc:66:64:c4:c4
> (R)eject, accept (t)emporarily or accept (p)ermanently? t
> svn: PROPFIND request failed on '/'
> svn: PROPFIND of '/': 405 Method Not Allowed
> (https://svn.<domain>.com)
> 
> 
> Below is the mod_security audit log file showing the results:
> =============================================================
> /var/log/httpd/modsec_audit.log:
> Note: Client: 10.1.0.11. Server: 10.1.0.143
> =============================================================
> --5b7f8e6b-A--
> [08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006
> 10.1.0.143 443
> --5b7f8e6b-B--
> PROPFIND / HTTP/1.1
> Host: svn.<domain>.com
> User-Agent: SVN/1.4.5 (r25188) neon/0.26.4
> Keep-Alive: 
> Connection: TE, Keep-Alive
> TE: trailers
> Content-Length: 300
> Content-Type: text/xml
> Depth: 0
> Accept-Encoding: gzip, gzip
> 
> --5b7f8e6b-C--
> <?xml version="1.0" encoding="utf-8"?>
> <propfind xmlns="DAV:">
> <prop>
> <version-controlled-configuration xmlns="DAV:"/><resourcetype
> xmlns="DAV:"/>
> <baseline-relative-path
> xmlns="http://subversion.tigris.org/xmlns/dav/"/>
> <repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/>
> </prop>
> </propfind>
> --5b7f8e6b-F--
> HTTP/1.1 405 Method Not Allowed
> Allow: GET,HEAD,POST,OPTIONS,TRACE
> Content-Length: 315
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
> --5b7f8e6b-H--
> Message: Access allowed (phase 2). Pattern match "^(PROPFIND|
> PROPPATCH)$" at
>     REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
> Stopwatch: 1202516035101975 51173 (1957* 2642 -)
> Producer: ModSecurity v2.1.3 (Apache 2.x)
> Server: Apache/2.2.6 (Fedora)
> 
> --5b7f8e6b-Z--
> =============================================================
> 

As far as I can see mod_security explicitly allowed the PROPFIND
request per the modsec_audit.log entry above. Therefore I can't see this
being a mod_security issue :-).

I suspect that there's something in the subversion/mod_svn
configuration setup you have that's not working as you expect it to. If
you can post it perhaps myself and other list readers can debug it?

Based on what you've given, these might be things to start looking at:

- Is your certificate self-signed / private CA? You may wish to tweak
mod_ssl.conf to point to extra CA certificates / directory paths
- What values do you have for SVNPath / SVNParentPath in your Apache
config?

Michael Fleming
(mod_security RPM maintainer for Fedora and EPEL :-))

-- 
Michael Fleming <mfleming@xxxxxxxxxxxxxxxx>
Be master of mind rather than mastered by mind.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
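
An added example, not part of the original messages: a small Python triage of a ModSecurity 2.x audit-log entry that separates the WAF's verdict (section H) from the status Apache actually returned (section F), which is the distinction the reply above draws. The sample entry is condensed from the log quoted in the thread; the function names `split_sections` and `triage` are hypothetical.

```python
import re

# Constructed sample: condensed copy of the audit-log entry quoted in the thread.
SAMPLE = """\
--5b7f8e6b-A--
[08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006 10.1.0.143 443
--5b7f8e6b-B--
PROPFIND / HTTP/1.1
Host: svn.<domain>.com

--5b7f8e6b-F--
HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS,TRACE

--5b7f8e6b-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Producer: ModSecurity v2.1.3 (Apache 2.x)

--5b7f8e6b-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")

def split_sections(entry):
    """Map each section letter (A, B, F, H, ...) to its lines."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def triage(entry):
    """Separate ModSecurity's verdict from the status Apache returned."""
    s = split_sections(entry)
    method = s["B"][0].split()[0].upper()
    status = int(s["F"][0].split()[1])
    allow = next((l.split(":", 1)[1] for l in s["F"] if l.lower().startswith("allow:")), "")
    in_allow = method in {m.strip().upper() for m in allow.split(",")}
    # ModSecurity 2.x writes "Access denied ..." in section H when a rule blocks.
    blocked = any(l.startswith("Message: Access denied") for l in s.get("H", []))
    if blocked:
        verdict = "blocked by ModSecurity"
    elif status == 405 and not in_allow:
        verdict = "passed ModSecurity; method rejected by the Apache handler"
    else:
        verdict = "no rejection attributable to either layer"
    return {"method": method, "status": status, "waf_blocked": blocked, "verdict": verdict}
```

For the quoted entry, `triage(SAMPLE)` reports that the request passed ModSecurity and that PROPFIND is absent from the `Allow` header of the 405 response.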