On Sat, 2008-02-09 at 01:13 -0800, Michael Fleming wrote:

On Fri, 08 Feb 2008 16:42:03 -0800 "Daniel B. Thurman" <dant@xxxxxxxxx> wrote:

>
> To make a really long story short as possible, let's just say that I
> have been able to setup Apache, the Mod_Security, SSL and SubVersion
> and I am able to access the subversion repository locally with the svn
> commands and the web-browser, but not remotely.
>
> The SSL certificates are installed in the /etc/httpd/conf directory
> and it works via the browser and the svn commands in the shell.
> But doing this remotely with a web-browser or the following svn
> command results in the server certificate not being passed to the
> client at all. It appears to show some bogus certificate Issuer
> instead, as follows:
>
> + svn list https://svn.cdkkt.com
>
> Error validating server certificate for
> 'https://svn.cdkkt.com:443':
> - The certificate is not issued by a trusted authority. Use the
> fingerprint to validate the certificate manually!
> - The certificate hostname does not match.
> Certificate information:
> - Hostname: <hostname>.cdkkt.com
> - Valid: from Sun, 09 Dec 2007 01:13:54 GMT until Mon, 08 Dec 2008
> 01:13:54 GMT
> - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity,
> SomeState, --
> - Fingerprint:
> 70:ab:9c:b3:97:a3:98:02:39:5e:59:b4:50:2c:07:bc:66:64:c4:c4
> (R)eject, accept (t)emporarily or accept (p)ermanently? t
> svn: PROPFIND request failed on '/'
> svn: PROPFIND of '/': 405 Method Not Allowed
> (https://svn.cdkkt.com)
>
>
> Below is the mod_security audit log file showing the results:
> =============================================================
> /var/log/httpd/modsec_audit.log:
> Note: Client: 10.1.0.11. Server: 10.1.0.143
> =============================================================
> --5b7f8e6b-A--
> [08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006
> 10.1.0.143 443
> --5b7f8e6b-B--
> PROPFIND / HTTP/1.1
> Host: svn.cdkkt.com
> User-Agent: SVN/1.4.5 (r25188) neon/0.26.4
> Keep-Alive:
> Connection: TE, Keep-Alive
> TE: trailers
> Content-Length: 300
> Content-Type: text/xml
> Depth: 0
> Accept-Encoding: gzip, gzip
>
> --5b7f8e6b-C--
> <?xml version="1.0" encoding="utf-8"?>
> <propfind xmlns="DAV:">
> <prop>
> <version-controlled-configuration xmlns="DAV:"/><resourcetype
> xmlns="DAV:"/>
> <baseline-relative-path
> xmlns="http://subversion.tigris.org/xmlns/dav/"/>
> <repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/>
> </prop>
> </propfind>
> --5b7f8e6b-F--
> HTTP/1.1 405 Method Not Allowed
> Allow: GET,HEAD,POST,OPTIONS,TRACE
> Content-Length: 315
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> --5b7f8e6b-H--
> Message: Access allowed (phase 2). Pattern match "^(PROPFIND|
> PROPPATCH)$" at
> REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
> Stopwatch: 1202516035101975 51173 (1957* 2642 -)
> Producer: ModSecurity v2.1.3 (Apache 2.x)
> Server: Apache/2.2.6 (Fedora)
>
> --5b7f8e6b-Z--
> =============================================================
>

As far as I can see mod_security explicitly allowed the PROPFIND request
per the modsec_audit.log entry above. Therefore I can't see this being a
mod_security issue :-).

Yes, I suspected that because I did turn off SecFilterEngine and saw the
same results. So it's "something else".

I suspect that there's something in the subversion/mod_svn configuration
setup you have that's not working as you expect it to. If you can post it
perhaps myself and other list readers can debug it?

Based on what you've given, these might be things to start looking at:

- Is your certificate self-signed / private CA? You may wish to tweak
  mod_ssl.conf to point to extra CA certificates / directory paths
- What values do you have for SVNPath / SVNParentPath? in your Apache
  config?

1) My certificate is self-signed. Seems to work locally but not remotely.

2) I cannot find a mod_ssl.conf in my /etc/httpd directories anywhere.
   Can you tell me where I can find it and what you might put into it?

3) The partial setup info is given below, but most is modeled with that
   of the reference I give below:

I am following, almost to the letter:
"Fedora 8 SVN + Trac + SSL Howto"
<http://fedora-on-dell-laptop.rationalplanet.com/index.php/topic,27.0.html>

NOTE: This is the ONLY reference where it *seems* that the mod_security
for svn is setup correctly as it is the only one I could get to work with
svn sans the other problems I am faced with. Some drawback to this article
was there was no explanation as how to setup your DNS so that your
svn/trac virtual servers can be reached "outside" localhost. But let's
take this one step at a time, and when we get the details resolved, we can
write this all up for others to use, given a couple of scenarios.

I have actually tried the simple way - by using only the
/etc/httpd/conf.d/subversion.conf - but my problem is/was I could not get
the mod_security to work for several reasons:

1) Some sites call for: SecFilterSelective instead of SecRule. Seems on
   F8, SecFilterSelective is not recognized, but SecRule is. Maybe this is
   due to Apache version on F8.

2) Some sites only say at the end of each string: "allow"

The following has a LOT more than just "allow" and seems to work, only I
cannot decipher it, especially the part with "id;1,t,none"

/etc/httpd/modsecurity.d/modsecurity_crs_10_svn_ignores.conf
#==============================================================
SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(MKCOL)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
#==============================================================

There is a SSL link within the reference given above that allows one to
setup a self-signed CA but there was nothing in it that describes how to
allow the svn.cdkkt.com to be "exported" so that remote clients can obtain
the CA and there are other problems as I identified above.

Unlike the link mentioned above, I consolidated the
/etc/httpd/conf.d/localdev.conf file into subversion.conf so that I can
try out the two different methods in the same file. The first method is
what is generally given from other sites and the second method is the
virtual host method given in the above mentioned link. You can simply
comment out either of the two methods given to see the results.

/etc/httpd/conf.d/subversion.conf:
#==============================================================
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

#================================================================
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be readable and writable by the 'apache' user. Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www. Use "restorecon -R /var/www/svn"
# to label the repositories if upgrading from a previous release.
#
# To create a new repository "http://localhost/repos/stuff" using
# this configuration, run as root:
#
# # cd /var/www/svn
# # svnadmin create stuff
# # chown -R apache.apache stuff
#================================================================

#===================vvvvvvvvvvvvvvvvvvvvvvv====================
# Simple Implementation
#==============================================================
# METHOD #1:
#===========
<Location /svn>
    DAV svn
    SVNPath /var/www/vhosts/svn/svn.cdkkt.com/
    AuthType Basic
    AuthName "linux.cdkkt.com"
    AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
    AuthzSVNAccessFile /var/www/vhosts/svn/svn.cdkkt.com/conf/authz
    Require valid-user
</Location>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/httpd/svn.cdkkt.com/access.log combined
ErrorLog /var/log/httpd/svn.cdkkt.com/error.log
<Directory "/var/www/vhosts/svn/svn.cdkkt.com">
    Order allow,deny
    Allow from 127.0.0 10.0.0
</Directory>
#===================^^^^^^^^^^^^^^^^^^^^^^^====================

#===================vvvvvvvvvvvvvvvvvvvvvvv====================
# Virtual Subversion and Trac
#==============================================================
# METHOD #2:
#===========
# 1) Add to /etc/host:
#    127.0.0.2 svn.<Domain>.<TLD>
#    127.0.0.3 trac.<Domain>.<TLD>
# 2) Add Apache SSL support
#    See: /etc/httpd/conf/ssl.conf
#    Update SSLCertificateFile and SSLCertificateKeyFile
#    with Real CA or Self-Signed CA. Need server.crt and
#    server.key, no-pass-phrase,
#==============================================================
#<VirtualHost 127.0.0.2:80>
#    ServerName svn.cdkkt.com
#    Redirect / https://svn.cdkkt.com/
#</VirtualHost>
#
#<VirtualHost 127.0.0.3:80>
#    ServerName trac.cdkkt.com
#    Redirect / https://trac.cdkkt.com/
#</VirtualHost>
#
#<VirtualHost 127.0.0.2:443>
#    DocumentRoot "/var/www/vhosts/svn/svn.cdkkt.com"
#    ServerName svn.cdkkt.com
#    <Location />
#        DAV svn
#        SVNPath /var/www/vhosts/svn/svn.cdkkt.com
#        AuthType Basic
#        AuthName "svn.cdkkt.com"
#        AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
#        AuthzSVNAccessFile /var/www/vhosts/svn/svn.cdkkt.com/conf/authz
#        Require valid-user
#    </Location>
#    SSLEngine on
#    SSLCertificateFile /etc/pki/tls/certs/server.crt
#    SSLCertificateKeyFile /etc/pki/tls/private/server.key
#    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
#    CustomLog /var/log/httpd/svn.cdkkt.com/access.log combined
#    ErrorLog /var/log/httpd/svn.cdkkt.com/error.log
#    <Directory "/var/www/vhosts/svn/svn.cdkkt.com">
#        Order allow,deny
#        Allow from 127.0.0 10.0.0
#    </Directory>
#</VirtualHost>
#
#<VirtualHost 127.0.0.3:443>
#    ServerName trac.cdkkt.com
#    DocumentRoot "/var/www/vhosts/trac/trac.cdkkt.com"
#    Alias /trac/ /usr/share/trac/htdocs
#    <Directory "/usr/share/trac/htdocs/">
#        Options Indexes MultiViews
#        AllowOverride None
#        Order allow,deny
#        Allow from all
#    </Directory>
#    <Location />
#        SetHandler mod_python
#        SetEnv PYTHON_EGG_CACHE "/tmp/eggs"
#        PythonHandler trac.web.modpython_frontend
#        PythonInterpreter main_interpreter
#        PythonOption TracEnv "/var/www/vhosts/trac/trac.cdkkt.com/"
#        PythonOption TracUriRoot /
#        AuthType Basic
#        AuthName "trac.cdkkt.com"
#        AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
#        Require valid-user
#    </Location>
#    SSLEngine on
#    SSLCertificateFile /etc/pki/tls/certs/server.crt
#    SSLCertificateKeyFile /etc/pki/tls/private/server.key
#    CustomLog /var/log/httpd/trac.cdkkt.com/access.log combined
#    ErrorLog /var/log/httpd/trac.cdkkt.com/error.log
#    <Directory "/var/www/vhosts/trac/trac.cdkkt.com">
#        Order allow,deny
#        Allow from 127.0.0 10.0.0
#    </Directory>
#</VirtualHost>
#===================^^^^^^^^^^^^^^^^^^^^^^^====================

Now, anytime that you choose one method for another, you have to restart
the httpd daemon, but I noticed the following log when restarting httpd:

/var/log/httpd/error_log:
#==============================================================
[Tue Feb 12 14:06:56 2008] [notice] caught SIGTERM, shutting down
[Tue Feb 12 14:06:57 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Feb 12 14:06:57 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 12 14:06:58 2008] [notice] ModSecurity for Apache 2.1.3 configured - Apache/2.2.6 (Fedora)
[Tue Feb 12 14:06:59 2008] [notice] Digest: generating secret for digest authentication ...
[Tue Feb 12 14:06:59 2008] [notice] Digest: done
[Tue Feb 12 14:07:00 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Tue Feb 12 14:07:00 2008] [notice] mod_python: using mutex_directory /tmp
[Tue Feb 12 14:07:00 2008] [notice] Apache/2.2.6 (Unix) DAV/2 mod_auth_kerb/5.3 mod_auth_pgsql/2.0.3 mod_ssl/2.2.6 OpenSSL/0.9.8b Apache/2.2.0 (Fedora) PHP/5.2.4 mod_python/3.3.1 Python/2.5.1 SVN/1.4.4 mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming normal operations
#==============================================================

Other than the bolded line, everything else seems ok.

#==============================================================
Using METHOD #2:
#==============================================================

1) Using FireFox, URL: http://svn.cdkkt.com:

The certificate warning pops up, saying that svn.cdkkt.com is not the same
as linux.cdkkt.com but the signature is fine - I accepted this for now.
Once accepted, the Authorization request pops up, username and password is
entered and then the page comes up and says:

Revision 1: /

 * branches/ <https://svn.cdkkt.com/branches/>
 * tags/ <https://svn.cdkkt.com/tags/>
 * trunk/ <https://svn.cdkkt.com/trunk/>

Powered by Subversion <http://subversion.tigris.org/> version 1.4.4 (r25188).

At this point I can navigate 'trunk' all the way through to the last file.

2) Trac works as well.

3) Opening up a local Terminal window, I can type:

+ svn list https://svn.cdkkt.com
Error validating server certificate for 'https://svn.cdkkt.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: linux.cdkkt.com
 - Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
 - Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
 - Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58
(R)eject, accept (t)emporarily or accept (p)ermanently? t
[POPUP ASKS FOR AUTHORIZATION: username and password correctly entered]
branches/
tags/
trunk/

/var/log/httpd/svn.cdkkt.com/error_log
=========================================
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "Tii@8goBAI8AABKZZhEAAAAG"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Tikh0AoBAI8AABKYZC8AAAAF"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "Til0MgoBAI8AABKaZ64AAAAH"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TinGCwoBAI8AABKTWiEAAAAA"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "TioXIwoBAI8AABKVXikAAAAC"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "TipcPgoBAI8AABKUXDkAAAAB"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TiqlNwoBAI8AABKWYCEAAAAD"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Tir2RQoBAI8AABKXYhYAAAAE"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "Tis8ugoBAI8AABKZZhIAAAAG"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TiuGIAoBAI8AABKYZDAAAAAF"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "TivV6goBAI8AABKaZ68AAAAH"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "TiwerAoBAI8AABKTWiIAAAAA"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TizPvAoBAI8AABKVXioAAAAC"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Ti0gaAoBAI8AABKUXDoAAAAB"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "Ti1omwoBAI8AABKWYCIAAAAD"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "Ti2zlAoBAI8AABKXYhcAAAAE"]

However, notice that there is an '[error]' statement above and I cannot
understand what this means.

4) Opening a terminal window on another system, then issuing:

+ svn list https://svn.cdkkt.com
Error validating server certificate for 'https://svn.cdkkt.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate hostname does not match.
Certificate information:
 - Hostname: linux.cdkkt.com
 - Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
 - Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
 - Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58
(R)eject, accept (t)emporarily or accept (p)ermanently? t
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 405 Method Not Allowed (https://svn.cdkkt.com)

But the interesting thing here is, there is no log entry in
/var/log/httpd/svn.cdkkt.com/error_log file. I tried the svn command on a
Windows and another remote fedora 8 system. Strange.

#==============================================================
# Using METHOD #1: (NO VIRTUAL)
#==============================================================

5) Using Firefox and URL: https://linux.cdkkt.com/svn results:

Looks good. Looks like (1) above

6) Using local system command line in a terminal window:

+ svn list https://linux.cdkkt.com/svn
Error validating server certificate for 'https://linux.cdkkt.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: linux.cdkkt.com
 - Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
 - Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
 - Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58
(R)eject, accept (t)emporarily or accept (p)ermanently? t
Authentication realm: <https://linux.cdkkt.com:443> linux.cdkkt.com
Password for 'root':
Authentication realm: <https://linux.cdkkt.com:443> linux.cdkkt.com
Username: dant
Password for 'dant':
branches/
tags/
trunk/

Looks good. I can 'list' through the trunk all the way down to the single
file.

7) Ok, now I want to check out a single file:
=============================
+ svn checkout https://svn.cdkkt.com/svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c
svn: URL 'https://svn.cdkkt.com/svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c' refers to a file, not a directory

/var/log/httpd/modsec_audit.log
==================================================
--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emUSHQoBAI8AABarWncAAAAB 127.0.0.2 42525 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
--2ae06c08-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="linux.cdkkt.com"
Content-Length: 480
Connection: close
Content-Type: text/html; charset=iso-8859-1
--2ae06c08-H--
Stopwatch: 1202859184296477 2360 (- - -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emU4tgoBAI8AABatXNgAAAAD 127.0.0.2 42526 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"
--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184306358 18126 (4436* 4828 15844)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emWbzgoBAI8AABavYB4AAAAF 127.0.0.2 42527 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"
--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184331726 11347 (4209* 4620 9387)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emXhJwoBAI8AABauYi4AAAAE 127.0.0.2 42528 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"
--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184349479 12331 (4224* 4596 10181)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emYpwwoBAI8AABawYuUAAAAG 127.0.0.2 42529 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"
--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184368067 17664 (4354* 4731 15507)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emaH6QoBAI8AABasY-AAAAAC 127.0.0.2 42530 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"
--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184392169 11759 (4314* 4739 9642)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] embPQQoBAI8AABaxZgoAAAAH 127.0.0.2 42531 127.0.0.2 443
--2ae06c08-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"
--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184410433 12269 (4276* 4653 10248)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--2ae06c08-Z--

--e1292529-A--
[12/Feb/2008:15:33:04 --0800] emcYOAoBAI8AABaqWCcAAAAA 127.0.0.2 42532 127.0.0.2 443
--e1292529-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--e1292529-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
--e1292529-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"
--e1292529-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184429112 17783 (4355* 4734 15503)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--e1292529-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emd2lgoBAI8AABarWngAAAAB 127.0.0.2 42533 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"
--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184453270 11334 (4206* 4572 9371)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] eme8OQoBAI8AABatXNkAAAAD 127.0.0.2 42534 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"
--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184471097 12251 (4221* 4688 10276)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emgFawoBAI8AABavYB8AAAAF 127.0.0.2 42535 127.0.0.2 443
--16284303-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"
--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184489835 17937 (4510* 4883 15644)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emhl2goBAI8AABauYi8AAAAE 127.0.0.2 42536 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Label: 1
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Vary: Label
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"
--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184514522 12606 (4270* 4634 10434)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emiwOAoBAI8AABawYuYAAAAG 127.0.0.2 42537 127.0.0.2 443
--16284303-B--
PROPFIND /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>
--16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 738
Connection: close
Content-Type: text/xml; charset="utf-8"
--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Apache-Handler: dav-handler
Stopwatch: 1202859184533560 17668 (4325* 4731 15524)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--16284303-Z--
==================================================
--4282643b-A--
[12/Feb/2008:15:25:50 --0800] YINzxAoBAI8AABavYAwAAAAF 10.1.0.11 3755 10.1.0.143 443
--4282643b-B--
GET /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1
Host: linux
User-Agent: SVN/1.4.5 (r25188) neon/0.26.3
Connection: TE
TE: trailers
Accept-Encoding: gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=
--4282643b-F--
HTTP/1.1 400 Bad Request
Content-Length: 297
Connection: close
Content-Type: text/html; charset=iso-8859-1
--4282643b-H--
Message: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1202858750079940 6090 (4008 4560 -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--4282643b-Z--

So what gives here? Why can I NOT checkout a single file?

Moving on...

8) Firefox, URL: https://linux.cdkkt.com, on a remote system.

Works. Same as: (1) above

9) Same as (6) above, but remotely

It works.

5) Same as (7) but remotely

Same error. Cannot checkout the file.

6) ECLIPSE:
   a) Try adding URL: https://linux.cdkkt.com to Eclipse
      Works.
   b) Try to checkout the HelloWorld.c file
      Fails: Error opening the Editor. (Timeout error: <Date>)
      Reason: java.lang.NullPointerException

I suspect for the same Mod_security error reason as (3) and (5) above.

So at this point, METHOD #1 is able to remotely access the SVN repository
as opposed to METHOD #2.
I think with METHOD #2, I could not get the DNS to work so that svn.cdkkt.com can access the svn repository instead of my website (www) as with trac.cdkkt.com, so neither svn nor trac is accessible anywhere but locally.

Finally, regardless of which method is used, I cannot check out a single file for editing.

Dan
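Added example, not part of the original message and not ModSecurity's own code: a simplified model of the two rules visible in the audit log above, run against request lines copied from it. It shows that the `!` in `/svn/!svn/...` falls outside the character set the rule 960911 pattern accepts, and that the PROPFIND requests to the same kind of path pass only because rule id 1 allows them. The function names and the lowercasing step are assumptions.

```python
import re

# Rule 960911 pattern as printed in the audit log's H section, with the log's
# doubled backslashes collapsed to single ones.
REQUEST_LINE_RX = re.compile(
    r"^[a-z]{3,10}\s*(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??"
    r"\/[\w\-\.\/~%:@&=+$,;]*(?:\?[\S]*)??\s*http\/\d\.\d$",
    re.ASCII,
)
# Custom rule id 1 from the log: allow when REQUEST_METHOD matches this.
SVN_ALLOW_RX = re.compile(r"^(PROPFIND|PROPPATCH)$")
# Character class the 960911 pattern accepts in the path part of the URI.
PATH_CHAR_RX = re.compile(r"[\w\-\.\/~%:@&=+$,;]", re.ASCII)


def evaluate(request_line):
    """Simplified model of the two rules seen in the log (not ModSecurity itself)."""
    method = request_line.split(" ", 1)[0]
    if SVN_ALLOW_RX.match(method):
        return "allow:1"
    # Assumption: the rule lowercases REQUEST_LINE before matching, as the
    # pattern's [a-z] and literal "http" imply.
    if not REQUEST_LINE_RX.match(request_line.lower()):
        return "deny:960911"
    return "pass"


def rejected_path_chars(request_line):
    """Characters in the URI path that fall outside the pattern's allowed set."""
    uri = request_line.split(" ")[1]
    path = uri.split("?", 1)[0]
    return sorted({c for c in path if not PATH_CHAR_RX.match(c)})


# Request lines copied from the audit log entries in this message.
DENIED_GET = "GET /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1"
ALLOWED_PROPFIND = "PROPFIND /svn/!svn/vcc/default HTTP/1.1"
# Constructed line: the same file requested without the "!svn" path segment.
PLAIN_GET = "GET /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1"

if __name__ == "__main__":
    for line in (DENIED_GET, ALLOWED_PROPFIND, PLAIN_GET):
        print(evaluate(line), rejected_path_chars(line), line)
```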