-3

I have a subversion server with a couple people working on a certain repository. I am adding a new user but for this new user, I only want him to have access to the SVN server from a "specific IP" only.

Even better if I can limit access by IP address not only specific to a certain user but also specific to a repository, per repository, but not necessary.

I did some reading and seems there's supposed to be some "LocationMatch" thing I can edit in SVN's httpd.conf or something to add a statement about deny from any and then allow from certain IPs but that would affect "all users" I think.

I guess I can clone the repo for this new user etc but I'd rather have them all work on the same "repo" so I don't have to then mergesync commits between repos.

htfree
  • usually nice to comment why you down-vote a question... – htfree Jul 14 '16 at 01:26
  • 1) There's no requirement or expectation that comments should come with down votes. 2) Downvotes without comment can be presumed to be for one of the reasons in the down-arrow hover text. – EEAA Jul 14 '16 at 02:18
  • well there was plenty research effort, and ongoing, one idea I'm having is hacking svn's apache config with multiple location directives, one with require otherusers and any ip and another with require mynew-user and limit to specific IP – htfree Jul 14 '16 at 02:27
  • Please stop posting non-constructive comments. If you would like, you can post your complaints on meta.SF. – EEAA Jul 15 '16 at 12:27
  • Sure, where can I post my complaints on "meta.SF" – htfree Jul 16 '16 at 21:09
  • meta.serverfault.com – EEAA Jul 16 '16 at 21:12
  • Thanks, since I've already solved this issue completely and it works just the way I requested, it's not urgent anymore. But I will try to give my constructive criticism when I have time on meta.serverfault.com, thanks. – htfree Jul 20 '16 at 22:27

2 Answers

1

Unless the URL your user accesses is different in some way from the one other users access, there doesn't appear to be a way to block the access at the webserver / network level without impacting the other users. You are correct that configuring deny / allow would impact the website access for all users.

I did not find anything that indicates SVN supports internal network access configurations on a per user basis.

Some quick research brought up a few similar questions, and this interesting list of blacklisting options if you can find components of the individual user's request to identify them: https://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/

DCLacoste
  • thanks, I had already thought of hacking Subversion's httpd.conf for the location directives and maybe using some IF statements to detect REMOTE_USER which I hoped would be authbasic logged in user and then require certain IP for that, or as I replied to other poster above, but I can't even find the right place/conf-file to put such in collabnet svn edge :( – htfree Jul 14 '16 at 02:45
  • ah, seems I must paste svn-viewvc.conf into httpd.conf otherwise my changes get overwritten by collabnet edge. – htfree Jul 14 '16 at 02:52
  • solved it, works as expected now but was headache to get to a working config. – htfree Jul 15 '16 at 05:36
1

I figured I should confirm as accepted answer what I already solved long ago. I've been using a combination of svn_access rules and svn_auth that solves the problem and works perfectly such that when accessing from certain IP addresses access is denied while access from other IP addresses is allowed. This configuration is done using svn/subversion configuration files. (I am using CollabNet Edge Subversion but I see no reason this won't work on any Subversion server that uses Apache to serve the files.)

htfree
  • Hi! Can you please provide a little bit more details on the solution? I am using the same subversion from collabnet. Thank you! – AndrewG10i Sep 05 '19 at 12:57
  • I'm extremely busy and can't check now but I'll try to remember to come back and post some more details. I recall I used two different svn_auth_files, one of them for users on internal LAN IPs, the other for outside users – htfree Sep 06 '19 at 08:09
  • thank you! Meanwhile I have played with the apache settings and found the following solution. I have posted a question here: https://serverfault.com/questions/982132/apache-2-4-restrict-user-access-based-on-user-ip-combination-to-the-specific You are welcome to reply here or there. Thanks! – AndrewG10i Sep 06 '19 at 15:00
  • Yes, I used similar Require IP directives from what I recall, only I used two different htpassword/svn_auth files since I wanted different rules on the same repository depending on where the user was connecting. I'm still fighting dependency hell compiling an old rpm from source with no sleep, but let me know what more details you need and I can try to take a look later if I'm awake. – htfree Sep 07 '19 at 02:32
  • Okay, thank you for your comments. Basically for me that solution works fine, I am just trying to re-confirm with the community that the provided configuration is explicit and no "holes" remain in it, as I still didn't find how several `` blocks work inside `` block. Thanks! – AndrewG10i Sep 07 '19 at 04:42
  • The configuration I have posted doesn't actually work... :(( Thus I have tried another idea taken from your last comment: dynamically point to the svn_access_file in `httpd.conf`. As a result I got it working with something like this: ` AuthzSVNAccessFile "/csvn/data/conf/svn_access_file_net_10_20_0_0" ` which basically overrides the standard access file when a request to the specific Location comes from the defined network. Looks like it works fine now... Any comments still welcome! ) – AndrewG10i Sep 07 '19 at 14:51
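
A sketch of the user-plus-IP rule discussed in this thread, written with Apache 2.4 `Require` containers; it is an added example, not the configuration either poster used. The `/svn/` URL, the repository path, the `svn_auth_file` name, the account name `newuser` and the address 203.0.113.10 are assumptions.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_dav_svn,
# mod_authz_svn and mod_authn_file loaded. Paths, the account "newuser" and
# the address 203.0.113.10 (documentation range) are placeholders.
<Location /svn/>
    DAV svn
    SVNParentPath "/csvn/data/repositories"

    AuthType Basic
    AuthName "Subversion"
    AuthUserFile "/csvn/data/conf/svn_auth_file"

    # Path-based rules (per repository, per user) are still evaluated by
    # mod_authz_svn in addition to the Require rules below.
    AuthzSVNAccessFile "/csvn/data/conf/svn_access_file"

    # A request is authorized if either container below is satisfied.
    <RequireAny>
        # newuser is accepted only from the one permitted address.
        <RequireAll>
            Require user newuser
            Require ip 203.0.113.10
        </RequireAll>

        # Every other authenticated account is accepted from any address.
        # "Require not" is valid here because the container also holds a
        # positive rule (valid-user).
        <RequireAll>
            Require valid-user
            Require not user newuser
        </RequireAll>
    </RequireAny>
</Location>
```

With this layout `newuser` connecting from any other address matches neither container and is refused, while the existing accounts are unaffected.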