Authentication of sync user on write-through proxy.

Thu, 13 Jun 2013 01:46:48 -0700 

Hi all,

I've set up a write-through proxy for one of our studios and I'm getting Access 
Denied errors when the post-commit hook executes, or when running the sync 
command manually from the master. 

I'm using apache 2.2/mod_dav_svn 1.7.7 on Debian 6.0. The apache config for 
vhost "repo-slave.example.com" is as follows:

  # Primary configuration for local user access.
  <Location />
    Order allow,deny
    Allow from all

    DAV svn
    SVNPath "/var/svn-slave/repo"
    SVNMasterURI http://repo.example.com/proxy-master

    AuthType Basic
    AuthName "Test Repository (SLAVE)"
    AuthUserFile "/etc/apache2/auth/htpass"
    AuthzSVNAccessFile "/etc/apache2/auth/perms"
    Require valid-user
  </Location>

  # Sync access.
  <Location /repo-proxy-sync>
    DAV svn
    SVNPath "/var/svn-slave/repo"

    Order deny,allow
    # Allow connections from server VLAN only.
    Allow from 192.168.10.0/24

    AuthType Basic
    AuthName "Test Repository (SLAVE)"
    AuthUserFile "/etc/apache2/auth/sync-htpass"
    Require user syncuser
  </Location>


When executing the following from the master server 

        svnsync sync --non-interactive --no-auth-cache --sync-username syncuser 
\
        --sync-password <pass> http://repo-slave.example.com/repo-proxy-sync 
file:///var/svn/repo

I get: 

        svnsync: E175013: Unable to connect to a repository at URL 
'http://repo-slave.example.com/repo-proxy-sync'
        svnsync: E175013: Access to 
'http://repo-slave.example.com/repo-proxy-sync' forbidden

And this in the slave error log:

[Thu Jun 13 01:02:01 2013] [error] [client 192.168.10.10] Access denied: 
'syncuser' OPTIONS :/repo-proxy-sync

So it's 403ing; I think because it can't find 'syncuser' in 
/etc/apache2/auth/htpass. The problem only occurs when I have the Primary 
configured at the URI root <Location />. If I set them up on separate adjacent 
paths, it works; but according to the apache docs, I _should_ be able to 
override settings in nested Locations. (cf: 
http://httpd.apache.org/docs/current/sections.html#file-and-web) 

Is there a way I can get around this? I could change the Location directives, 
but I'd prefer the slave URIs to mirror the master URIs (and changing those 
would impact a lot of automated processes)

Thanks,

Terry.

Reply via email to