Re: [F8] Apache Mod_Security and SubVersion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2008-02-09 at 01:13 -0800, Michael Fleming wrote:
	On Fri, 08 Feb 2008 16:42:03 -0800 
	"Daniel B. Thurman" <dant@xxxxxxxxx> wrote:
	
	> 
	> To make a really long story short as possible, let's just say that I 
	> have been able to setup Apache, the Mod_Security, SSL and SubVersion
	> and I am able to access the subversion repository locally with the svn 
	> commands and the web-browser, but not remotely. 
	> 
	> The SSL certificates are installed in the /etc/httpd/conf directory 
	> and it work via the browser and the svn commands in the shell.
	> But doing this remotely with a web-browser or the following svn
	> command results in the server certificate not being passed to the
	> client at all. It appears to show some bogus certificate Issuer
	> nstead. as follows: 
	> 
	> + svn list <https://svn>.cdkkt.com 
	> 
	> Error validating server certificate for 
	> '<https://svn>.cdkkt.com:443': 
	> - The certificate is not issued by a trusted authority. Use the 
	> fingerprint to validate the certificate manually! 
	> - The certificate hostname does not match. 
	> Certificate information: 
	> - Hostname: <hostname>.cdkkt.com 
	> - Valid: from Sun, 09 Dec 2007 01:13:54 GMT until Mon, 08 Dec 2008 
	> 01:13:54 GMT 
	> - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity, 
	> SomeState, -- 
	> - Fingerprint: 
	> 70:ab:9c:b3:97:a3:98:02:39:5e:59:b4:50:2c:07:bc:66:64:c4:c4 
	> (R)eject, accept (t)emporarily or accept (p)ermanently? t 
	> svn: PROPFIND request failed on '/' 
	> svn: PROPFIND of '/': 405 Method Not Allowed 
	> (<https://svn>.cdkkt.com) 
	> 
	> 
	> Below is the mod_security audit log file showing the results: 
	> ============================================================= 
	> /var/log/httpd/modsec_audit.log: 
	> Note: Client: 10.1.0.11. Server: 10.1.0.143 
	> ============================================================= 
	> --5b7f8e6b-A-- 
	> [08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006 
	> 10.1.0.143 443 
	> --5b7f8e6b-B-- 
	> PROPFIND / HTTP/1.1 
	> Host: svn.cdkkt.com 
	> User-Agent: SVN/1.4.5 (r25188) neon/0.26.4 
	> Keep-Alive: 
	> Connection: TE, Keep-Alive 
	> TE: trailers 
	> Content-Length: 300 
	> Content-Type: text/xml 
	> Depth: 0 
	> Accept-Encoding: gzip, gzip 
	> 
	> --5b7f8e6b-C-- 
	> <?xml version="1.0" encoding="utf-8"?> 
	> <propfind xmlns="DAV:"> 
	> <prop> 
	> <version-controlled-configuration xmlns="DAV:"/><resourcetype 
	> xmlns="DAV:"/> 
	> <baseline-relative-path 
	> xmlns="<http://subversion.tigris.org/xmlns/dav/>"/> 
	> <repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/> 
	> </prop> 
	> </propfind> 
	> --5b7f8e6b-F-- 
	> HTTP/1.1 405 Method Not Allowed 
	> Allow: GET,HEAD,POST,OPTIONS,TRACE 
	> Content-Length: 315 
	> Connection: close 
	> Content-Type: text/html; charset=iso-8859-1 
	> 
	> --5b7f8e6b-H-- 
	> Message: Access allowed (phase 2). Pattern match "^(PROPFIND| 
	> PROPPATCH)$" at 
	> REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] 
	> Stopwatch: 1202516035101975 51173 (1957* 2642 -) 
	> Producer: ModSecurity v2.1.3 (Apache 2.x) 
	> Server: Apache/2.2.6 (Fedora) 
	> 
	> --5b7f8e6b-Z-- 
	> ============================================================= 
	> 
	
	As far as I can see mod_security explicitly allowed the PROPFIND 
	request per the modsec_audit.log entry above. Therefore I can't see this 
	being a mod_security issue :-).
	

Yes, I suspected that because I did turn off SecFilterEngine and saw
the same results. So it's "something else".

	I suspect that there's something in the subversion/mod_svn 
	configuration setup you have that's not working as you expect it to. If 
	you can post it perhaps myself and other list readers can debug it?
	
	Based on what you've given, these might be things to start looking at:
	
	- Is your certificate self-signed / private CA? You may wish to tweak 
	mod_ssl.conf to point to extra CA certificates / directory paths 
	- What values do you have for SVNPath / SVNParentPath? in your Apache 
	config?
	

1) My certificate is self-signed. Seems to work locally but not remotely.
2) I cannot find a mod_ssl.conf in my /etc/httpd directories anywhere.
Can you tell me where I can find it and what you might put into it?

3) The partital setup info is given below, but most is modeled with
that of the reference I give below:

I am following, almost to the letter: "Fedora 8 SVN + Trac + SSL Howto"
<http://fedora-on-dell-laptop.rationalplanet.com/index.php/topic,27.0.html>

NOTE: This is the ONLY reference where it *seems* that the mod_security
for svn is setup correctly as it the the only one I could get to work with svn
sans the other problems I am faced with. Some drawback to this article was
there was no explanation as how to setup your DNS so that your svn/trac
virtual servers can be reached "outside" localhost. But let's take this one
step at a time, and when we get the details resolved, we can write this all
up for others to use, given a couple of scenarios. 

I have actually tried the simple way - by using only the /etc/httpd/conf.d/
subversion.conf - but my problem is/was I could not get the mod_security
to work for several reasons:

1) Some sites call for: SecFilterSelective instead of SecRule. Seems on F8,
SecFilterSelective is not recognized, but SetRule is. Maybe this is due
to Apache version on F8.
2) Some sites only say at the end of each string: "allow"

The following has a LOT more than just "allow" and seem to work,
only I cannot decipher it, especially the part with "id;1,t,none"

/etc/httpd/modsecurity.d/modsecurity_crs_10_svn_ignores.conf
#==============================================================
SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(MKCOL)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
#==============================================================

There is a SSL link within the reference given above allows one to setup
a self-signed CA but there was nothing in it that describes how to allow the
svn.cdkkt.com to be "exported" so that remote clients can obtain the CA
and there are other problems as I identified above. 

Unlike the link mentioned above, I consolidated the 
/etc/httpd/conf.d/localdev.conf file into subversion.conf so that
I can try out the two different methods in the same file. The first
method is what is generally given from other sites and the second
method is the virtual host method given in the above mentioned link.

You can simply comment out either of the two methods given to see
the results.

/etc/httpd/conf.d/subversion.conf:
#==============================================================
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
#================================================================
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be readable and writable by the 'apache' user. Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www. Use "restorecon -R /var/www/svn"
# to label the repositories if upgrading from a previous release.
#
# To create a new repository "http://localhost/repos/stuff"; using
# this configuration, run as root:
#
# # cd /var/www/svn
# # svnadmin create stuff 
# # chown -R apache.apache stuff
#================================================================

#===================vvvvvvvvvvvvvvvvvvvvvvv====================
# Simple Implementation
#==============================================================
# METHOD #1:
#===========
<Location /svn>
DAV svn
SVNPath /var/www/vhosts/svn/svn.cdkkt.com/
AuthType Basic
AuthName "linux.cdkkt.com"
AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
AuthzSVNAccessFile /var/www/vhosts/svn/svn.cdkkt.com/conf/authz
Require valid-user
</Location>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/httpd/svn.cdkkt.com/access.log combined
ErrorLog /var/log/httpd/svn.cdkkt.com/error.log
<Directory "/var/www/vhosts/svn/svn.cdkkt.com">
Order allow,deny
Allow from 127.0.0 10.0.0
</Directory>
#===================^^^^^^^^^^^^^^^^^^^^^^^====================

#===================vvvvvvvvvvvvvvvvvvvvvvv====================
# Virtual Subversion and Trac
#==============================================================
# METHOD #2:
#===========
# 1) Add to /etc/host:
# 127.0.0.2 svn.<Domain>.<TLD>
# 127.0.0.3 trac.<Domain>.<TLD>
# 2) Add Apache SSL support
# See: /etc/httpd/conf/ssl.conf
# Update SSLCertificateFile and SSLCertificateKeyFile
# with Real CA or Self-Signed CA. Need server.crt and
# server.key, no-pass-phrase,
#==============================================================
#<VirtualHost 127.0.0.2:80>
# ServerName svn.cdkkt.com
# Redirect / <https://svn.cdkkt.com/>
#</VirtualHost>
#
#<VirtualHost 127.0.0.3:80>
# ServerName trac.cdkkt.com
# Redirect / <https://trac.cdkkt.com/>
#</VirtualHost>
#
#<VirtualHost 127.0.0.2:443>
# DocumentRoot "/var/www/vhosts/svn/svn.cdkkt.com"
# ServerName svn.cdkkt.com
# <Location />
# DAV svn
# SVNPath /var/www/vhosts/svn/svn.cdkkt.com
# AuthType Basic
# AuthName "svn.cdkkt.com"
# AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
# AuthzSVNAccessFile /var/www/vhosts/svn/svn.cdkkt.com/conf/authz
# Require valid-user
# </Location>
# SSLEngine on
# SSLCertificateFile /etc/pki/tls/certs/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/server.key
# SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# CustomLog /var/log/httpd/svn.cdkkt.com/access.log combined
# ErrorLog /var/log/httpd/svn.cdkkt.com/error.log
# <Directory "/var/www/vhosts/svn/svn.cdkkt.com">
# Order allow,deny
# Allow from 127.0.0 10.0.0
# </Directory>
#</VirtualHost>
#
#<VirtualHost 127.0.0.3:443>
# ServerName trac.cdkkt.com
# DocumentRoot "/var/www/vhosts/trac/trac.cdkkt.com"
# Alias /trac/ /usr/share/trac/htdocs
# <Directory "/usr/share/trac/htdocs/">
# Options Indexes MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
# </Directory>
# <Location />
# SetHandler mod_python
# SetEnv PYTHON_EGG_CACHE "/tmp/eggs"
# PythonHandler trac.web.modpython_frontend
# PythonInterpreter main_interpreter
# PythonOption TracEnv "/var/www/vhosts/trac/trac.cdkkt.com/"
# PythonOption TracUriRoot /
# AuthType Basic
# AuthName "trac.cdkkt.com"
# AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
# Require valid-user
# </Location>
# SSLEngine on
# SSLCertificateFile /etc/pki/tls/certs/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/server.key
# CustomLog /var/log/httpd/trac.cdkkt.com/access.log combined
# ErrorLog /var/log/httpd/trac.cdkkt.com/error.log
# <Directory "/var/www/vhosts/trac/trac.cdkkt.com">
# Order allow,deny
# Allow from 127.0.0 10.0.0
# </Directory>
#</VirtualHost>
#===================^^^^^^^^^^^^^^^^^^^^^^^====================

Now, anytime that you choose one method for another, you have to restart the
httpd daemon, but I noticed the following log when restarting httpd:

/var/log/httpd/error_log:
#==============================================================
[Tue Feb 12 14:06:56 2008] [notice] caught SIGTERM, shutting down
[Tue Feb 12 14:06:57 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Feb 12 14:06:57 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 12 14:06:58 2008] [notice] ModSecurity for Apache 2.1.3 configured - Apache/2.2.6 (Fedora)
[Tue Feb 12 14:06:59 2008] [notice] Digest: generating secret for digest authentication ...
[Tue Feb 12 14:06:59 2008] [notice] Digest: done
[Tue Feb 12 14:07:00 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Tue Feb 12 14:07:00 2008] [notice] mod_python: using mutex_directory /tmp 
[Tue Feb 12 14:07:00 2008] [notice] Apache/2.2.6 (Unix) DAV/2 mod_auth_kerb/5.3 mod_auth_pgsql/2.0.3 mod_ssl/2.2.6 OpenSSL/0.9.8b Apache/2.2.0 (Fedora) PHP/5.2.4 mod_python/3.3.1 Python/2.5.1 SVN/1.4.4 mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming normal operations
#==============================================================
Other than the bolded line, everything else seems ok.


#==============================================================
Using METHOD #2:
#==============================================================
1) Using FireFox, URL: htto://svn.cdkkt.com:

The certificate warning pops up, saying that svn.cdkkt.com is not the same as linux.cdkkt.com
but the signature is fine - I accepted this for now. Once accepted,

The Authorization request pops up, username and password is entered and then
the page comes up and says:

Revision 1: / 
*	branches/ <https://svn.cdkkt.com/branches/> 
*	tags/ <https://svn.cdkkt.com/tags/> 
*	trunk/ <https://svn.cdkkt.com/trunk/> 



Powered by Subversion <http://subversion.tigris.org/> version 1.4.4 (r25188).

At this point I can navigate 'trunk' all the way through to the last file.

2) Trac works as well.

3) Opening up a local Terminal window, I can type:
+ svn list <https://svn.cdkkt.com>
Error validating server certificate for '<https://svn.cdkkt.com:443>':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: linux.cdkkt.com
- Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
- Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58
(R)eject, accept (t)emporarily or accept (p)ermanently? t
[POPUP ASKS FOR AUTHORIATION: username and password correctly entered]
branches/
tags/
trunk/

/var/log/httpd/svn.cdkkt.com/error_log
=========================================
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "Tii@8goBAI8AABKZZhEAAAAG <mailto:Tii@8goBAI8AABKZZhEAAAAG>"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Tikh0AoBAI8AABKYZC8AAAAF"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "Til0MgoBAI8AABKaZ64AAAAH"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TinGCwoBAI8AABKTWiEAAAAA"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "TioXIwoBAI8AABKVXikAAAAC"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "TipcPgoBAI8AABKUXDkAAAAB"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TiqlNwoBAI8AABKWYCEAAAAD"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Tir2RQoBAI8AABKXYhYAAAAE"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "Tis8ugoBAI8AABKZZhIAAAAG"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TiuGIAoBAI8AABKYZDAAAAAF"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "TivV6goBAI8AABKaZ68AAAAH"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "TiwerAoBAI8AABKTWiIAAAAA"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TizPvAoBAI8AABKVXioAAAAC"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Ti0gaAoBAI8AABKUXDoAAAAB"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "Ti1omwoBAI8AABKWYCIAAAAD"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "Ti2zlAoBAI8AABKXYhcAAAAE"]

However, notice that there is an '[error]' statement above
and I cannot understand what this means.

4) Opening a terminal window on another system, then issuing:
+ svn list <https://svn.cdkkt.com>
Error validating server certificate for '<https://svn.cdkkt.com:443>':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: linux.cdkkt.com
- Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
- Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58
(R)eject, accept (t)emporarily or accept (p)ermanently? t
svn: PROPFIND request failed on '/' 
svn: PROPFIND of '/': 405 Method Not Allowed 
(<https://svn>.cdkkt.com) 

But the interesting thing here is, there is no log entry in
/var/log/httpd/svn.cdkkt.com/error_log file.

I tried the svn command on a windoes and another remote fedora
8 system. Strange.


#==============================================================
# Using METHOD #1: (NO VIRTUAL)
#==============================================================
5) Using Firefox and URL: https://linux.cdkkt.com/svn <https://linux.cdkkt.com> results:
Looks good. Looks like (1) above

6) Using local system command line in a terminal window:
+ svn list <https://linux.cdkkt.com/svn>
Error validating server certificate for '<https://linux.cdkkt.com:443>':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: linux.cdkkt.com
- Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
- Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58
(R)eject, accept (t)emporarily or accept (p)ermanently? t
Authentication realm: <https://linux.cdkkt.com:443> linux.cdkkt.com
Password for 'root': 
Authentication realm: <https://linux.cdkkt.com:443> linux.cdkkt.com
Username: dant
Password for 'dant': 
branches/
tags/
trunk/

Looks good. I can 'list' through the trunk all the way down to the single file.

7) Ok, now I want to check out a single file:
=============================
+ svn checkout <https://svn.cdkkt.com/svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c>
svn: URL 'https://svn.cdkkt.com/svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c' refers to a file, not a directory

/var/log/httpd/modsec_audit.log
==================================================
--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emUSHQoBAI8AABarWncAAAAB 127.0.0.2 42525 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Keep-Alive: 
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip

--2ae06c08-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="linux.cdkkt.com"
Content-Length: 480
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2ae06c08-H--
Stopwatch: 1202859184296477 2360 (- - -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emU4tgoBAI8AABatXNgAAAAD 127.0.0.2 42526 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Keep-Alive: 
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184306358 18126 (4436* 4828 15844)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emWbzgoBAI8AABavYB4AAAAF 127.0.0.2 42527 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184331726 11347 (4209* 4620 9387)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emXhJwoBAI8AABauYi4AAAAE 127.0.0.2 42528 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184349479 12331 (4224* 4596 10181)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emYpwwoBAI8AABawYuUAAAAG 127.0.0.2 42529 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184368067 17664 (4354* 4731 15507)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emaH6QoBAI8AABasY-AAAAAC 127.0.0.2 42530 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184392169 11759 (4314* 4739 9642)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] embPQQoBAI8AABaxZgoAAAAH 127.0.0.2 42531 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184410433 12269 (4276* 4653 10248)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--e1292529-A--
[12/Feb/2008:15:33:04 --0800] emcYOAoBAI8AABaqWCcAAAAA 127.0.0.2 42532 127.0.0.2 443
--e1292529-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--e1292529-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind>
--e1292529-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--e1292529-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184429112 17783 (4355* 4734 15503)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--e1292529-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emd2lgoBAI8AABarWngAAAAB 127.0.0.2 42533 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184453270 11334 (4206* 4572 9371)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] eme8OQoBAI8AABatXNkAAAAD 127.0.0.2 42534 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184471097 12251 (4221* 4688 10276)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emgFawoBAI8AABavYB8AAAAF 127.0.0.2 42535 127.0.0.2 443
--16284303-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184489835 17937 (4510* 4883 15644)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emhl2goBAI8AABauYi8AAAAE 127.0.0.2 42536 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Label: 1
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Vary: Label
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184514522 12606 (4270* 4634 10434)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emiwOAoBAI8AABawYuYAAAAG 127.0.0.2 42537 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 738
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184533560 17668 (4325* 4731 15524)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--16284303-Z--
==================================================

--4282643b-A--
[12/Feb/2008:15:25:50 --0800] YINzxAoBAI8AABavYAwAAAAF 10.1.0.11 3755 10.1.0.143 443
--4282643b-B--
GET /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: linux
User-Agent: SVN/1.4.5 (r25188) neon/0.26.3
Connection: TE
TE: trailers
Accept-Encoding: gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--4282643b-F--
HTTP/1.1 400 Bad Request
Content-Length: 297
Connection: close
Content-Type: text/html; charset=iso-8859-1

--4282643b-H--
Message: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1202858750079940 6090 (4008 4560 -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)

--4282643b-Z--

So what gives here? Why can I NOT checkout a single file?
Moving on...

8) Firefox, URL: https://linux.cdkkt.com, on a remote system.
Works. Same as: (1) above

9) Same as (6) above, but remotely
It works.

5) Same as (7) but remotely
Same error. Cannot checkout the file.

6) ECLIPSE:
a) Try adding URL: https://linux.cdkkt.com to Eclipse
Works.
b) Try to checkout the HelloWorld.c file
Fails:
Error opening the Editor. (Timeout error: <Date>)
Reason: java.lang.NullPointerException

I suspect for the same Mod_security error reason as (3) and (5) above.

So at this point, I METHOD #1 is able to remotely access the SVN repository as
opposed to METHOD #2. I think with METHOD #2, I could not get the
DNS to work so that svn.cdkkt.com can access the snv repository instead of
my website (www) as with trac.cdkkt.com, so neither svn nor trac is accessable
anywhere but locally. Finally, regardless of which method is used, I cannot
checkout a single file for editing.

Dan


No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.516 / Virus Database: 269.20.4/1275 - Release Date: 2/12/2008 3:20 PM
 

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux