Apache SVN: Access to repository forbidden via client, HTTP is okay?

Question

SVN on my webserver seems to have broken after I made some changes. It's configured to be part of one HTTPS virtual host, not universally accessible. My SVN clients give the error 'access to (repo) forbidden,' but if I go through the web interface (SVNListParentPath is on), everything works properly, using the same URL. I can even access the files through the browser. When I use a client, I notice my Apache log indicates the client is trying to access '/var/www/mysite/svn', when my SVN repositories are located under '/home/svn'. I got a redirect page once, when troubleshooting using Elinks, so could this mean my server's using some kind of redirect that's failing for the SVN clients? The rest of the site works properly over SSL, it's just SVN that doesn't work. Thanks.

Here's my Apache config for this site:

#mydomain.co.uk
NameVirtualHost *:443
<VirtualHost *:80>
    ServerAdmin me@mydomain.co.uk
ServerName mydomain.co.uk
    DocumentRoot /var/www/mydomain
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/www/mydomain>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            Allow from all
    </Directory>

<Directory /usr/share/ampache>
    RewriteEngine On
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

<Directory /var/www/mydomain/opendocman>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Directory>

<Directory /var/www/mydomain/44kg>
            Options Indexes FollowSymLinks MultiViews
            Order deny,allow
            Deny from all
            Allow from 192.168.1
    </Directory>

<Directory /var/www/mydomain/69td>
    Options Indexes FollowSymLinks MultiViews
    Order deny,allow
    Deny from all
    Allow from 192.168.1 127.0.0.1 localhost
    SCGIHandler on
    SCGIServer 127.0.0.1:5000
</Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>

ErrorDocument 404 /fourohfour.html

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerAdmin me@mydomain.co.uk
ServerName mydomain.co.uk
DocumentRoot /var/www/mydomain/
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/mydomain/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory /var/www/mydomain/44kg>
    Order deny,allow
    Deny from all
</Directory>

<Location /svn>
  DAV svn
  SVNParentPath /home/svn
  SVNListParentPath on
  AuthType Basic
  AuthName "Excalibur SVN Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
</Location>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/QPR/qpr.pem
SSLCertificateKeyFile /etc/ssl/certs/QPR/ca.key
</VirtualHost>

#SquirrelMail
<VirtualHost *:443>
ServerName webmail.mydomain.co.uk
DocumentRoot /usr/share/squirrelmail
SSLEngine on
SSLCertificateFile /etc/ssl/certs/QPR/qpr.pem
SSLCertificateKeyFile /etc/ssl/certs/QPR/ca.key
</VirtualHost>

The last time things worked was before I added the webmail, but disabling it does not bring SVN back. I didn't get to actually see the redirect page - it gave me just enough time to spot it was a 302 redirect before it happened, and I haven't been able to reproduce it. Through a browser, all my repositories are available at https://mydomain.co.uk/svn/(repository), but the same URL in the clients just gives this error in both SVN CLI and Dreamweaver:

Pegasus:Uni Gargravarr$ svn update
svn: access to '/svn/Uni' forbidden

Can you provide the exact error that your SVN client's getting, the exact original and new URLs from the redirect, and the rest of your Apache config for this vhost? — Shane Madden, Jan 22 '12 at 22:23
Huh. Anything useful in the Apache error log? And can you verify that the responses that the client applications are getting is a `403` response code? — Shane Madden, Jan 23 '12 at 01:31
@ShaneMadden This is the only error I seem to get: `[Sun Jan 22 22:07:52 2012] [error] [client (internal IP)] client denied by server configuration: /var/www/mydomain/svn` I have no way to know if the clients are receiving 403, but again, going trough the browser for the URL, everything is fine. *shrug* — Gargravarr, Jan 23 '12 at 14:43
Very strange that this would occur only on the SVN clients, but it seems like a simple deny from the access rules - try adding `Order deny,allow` and `Allow from all` to the `` block. — Shane Madden, Jan 23 '12 at 15:59
@ShaneMadden Your help so far has been brilliant, but this is maddening! Explicitly specifying 'Allow from' made no difference. Something very fishy is going on here, I might just have to roll my configuration back :( — Gargravarr, Jan 23 '12 at 19:11
Huh, that's no good. This is definitely fishy - one more idea would be to crank up the `LogLevel` up to `debug` to see if that shakes out any more useful information.. — Shane Madden, Jan 23 '12 at 19:16
let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/2283/discussion-between-gargravarr-and-shane-madden) — Gargravarr, Jan 23 '12 at 20:22

score 3 · Accepted Answer · edited Apr 13 '17 at 12:14

3

Got it.
I completely forgot I'd installed 'mod-evasive' into Apache recently. Disabling it brought SVN back up instantly. Turns out there's a known bug in Debian with mod-evasive and mod-dav-svn. Exactly as per this question here:

Problems with apache svn server (403 Forbidden)
Stupidly, I read this question before posting, too. Guess I skipped the end post.

TL;DR: Mod-evasive and Apache2/SVN don't get along :)

edited Apr 13 '17 at 12:14

Community

1

answered Jan 23 '12 at 22:43

Gargravarr

473
5
13

Ohhh! You just saved my day! It's 3:39 AM here and last 3 hours i've been trying to figure this out! Cheers! – loostro Jul 04 '13 at 01:39

Apache SVN: Access to repository forbidden via client, HTTP is okay?

1 Answers1