Author: dsahlberg
Date: Sat Jul 8 15:32:30 2023
New Revision: 1910877

URL: http://svn.apache.org/viewvc?rev=1910877&view=rev
Log:
In site/staging:
* faq.html (#reverseproxy): Add a new section on how to put Subversion behind a reverse proxy. See https://lists.apache.org/thread/j2c0kp4rmsw4rf9y4hw2zntxvd0hy051 The configuration example is my own work. Modified: subversion/site/staging/faq.html Modified: subversion/site/staging/faq.html URL: http://svn.apache.org/viewvc/subversion/site/staging/faq.html?rev=1910877&r1=1910876&r2=1910877&view=diff ============================================================================== --- subversion/site/staging/faq.html (original) +++ subversion/site/staging/faq.html Sat Jul 8 15:32:30 2023 @@ -77,6 +77,7 @@ For older questions, see <a href="#depre <li><a href="#cvs2svn">How do I convert an existing CVS repository into a Subversion repository?</a></li> <li><a href="#proxy">What if I'm behind a proxy?</a></li> +<li><a href="#reverseproxy">I need to put Subversion behind a reverse proxy</a></li> <li><a href="#paranoid">My admins don't want me to have a HTTP server for Subversion. What can I do if I still want remote usage?</a></li> <li><a href="#multi-proj">How do I manage several different projects 
@@ -937,6 +938,93 @@ running <tt>svn --version</tt>.</p> </div> + +<div class="h3" id="reverseproxy"> +<h3>I need to put Subversion behind a reverse proxy + <a class="sectionlink" href="#proxy" + title="Link to this section">¶</a> +</h3> + +<p>A reverse proxy can be used if the Subversion server is not directly +connected to the internet. It will forward HTTP/HTTPS traffic from a public +facing server to the Subversion server, potentially removing HTTPS +encryption. It can also be useful if several different HTTP servers must +to be served on the same port.</p> + +<p>Subversion use a subset of the WebDAV/DeltaV protocol, see <a +href="#http-methods">this FAQ item</a> for the details. A custom +As far as the proxy server is concerned, Subversion use plain WebDAV +protocol. For the <tt>svn copy</tt> and <tt>svn move</tt> commands, an extra +HTTP_DESTINATION header is used, this must be rewritten separately.</p> + +<p>Detailed instructions are provided for a few different proxy servers, it +should be fairly easy to copy the ideas from these examples.</p> + +<h4>Detailed instructions for Apache HTTPD</h4> + +<p>A very good walkthrough can be found at +<a href="http://silmor.de/proxysvn.php">http://silmor.de/proxysvn.php</a>.</p> + +<h4>Detailed instructions for Microsoft IIS</h4> + +<p>First download and install the URL Rewrite module from <a +href="https://www.iis.net/downloads/microsoft/url-rewrite">iis.net</a>. 
The +example below has been tested with IIS 10 and URL Rewrite 2.1.<br/> +Next configure URL Rewrite to allow the HTTP_DESTINATION server variable: In +IIS Manager under URL Rewrite, in the right hand pane click View Server +Variables and add HTTP_DESTINATION.<br/> +Finally create a few rewrite rules: +<ul> +<li>"ToHttps", if you would like to ensure all Subversion traffic is +encrypted, this send an HTTP redirect to the client if the request is sent +unencrypted.</li> +<li>"ProxyWithDestination", capturing all requests with the HTTP_DESTINATION +server variable (ie. all <tt>svn copy</tt> and <tt>svn move</tt> requests). +The HTTP_DESTINATION header is rewritten and the traffic is forwarded to the +Subversion server. +</li> +<li>"ProxyRest", forwarding all other traffic to the Subversion server.</li> +</ul> +The example below can be copied into web.config. It assumes the Subversion +server is running on port 81 on the same computer as IIS.</p> + +<pre> +<system.webServer> + <rewrite> + <rules> + <clear /> + <rule name="ToHttps" stopProcessing="true"> + <match url="(.*)" /> + <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> + <add input="{HTTPS}" pattern="^OFF$" /> + </conditions> + <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"/> + </rule> + <rule name="ProxyWithDestination" enabled="true" patternSyntax="ECMAScript" stopProcessing="true"> + <match url="(.*)" /> + <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> + <add input="{HTTP_DESTINATION}" pattern="https://(.*)"/> + </conditions> + <serverVariables> + <set name="HTTP_DESTINATION" value="http://{C:1}" /> + </serverVariables> + <action type="Rewrite" url="http://127.0.0.1:81/{R:0}" logRewrittenUrl="true" /> + </rule> + <rule name="ProxyRest" patternSyntax="ECMAScript" stopProcessing="true"> + <match url="(.*)" negate="false" /> + <conditions logicalGrouping="MatchAll" trackAllCaptures="false" /> + <action type="Rewrite" url="http://127.0.0.1:81/{R:0}" 
logRewrittenUrl="true" /> + </rule> + </rules> + </rewrite> + <security> + <requestFiltering allowDoubleEscaping="true" /> + </security> +</system.webServer></pre> +</p> + +</div> + <div class="h3" id="paranoid"> <h3>My admins don't want me to have a HTTP server for
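Review bot: The section link in the new heading of the second hunk is href="#proxy" while the enclosing div is id="reverseproxy", so "Link to this section" jumps to the forward-proxy entry; it should be href="#reverseproxy". The markup in the same hunk does not nest: the <ul> sits inside the <p> that starts "First download and install", and a stray </p> follows </pre>. The opening paragraphs need a proofread ("must to be served", "Subversion use", and the fragment "A custom" left in front of "As far as the proxy server is concerned"). On the web.config example, allowDoubleEscaping="true" relaxes IIS request filtering for everything this web.config covers and the text never says why Subversion needs it; please add a sentence explaining it, and consider recommending that it be scoped to the repository location. The condition pattern "https://(.*)" is unanchored and the rule passes whatever host the client put in the Destination header through as http://{C:1}; anchoring it as "^https://" and matching the expected host name would be tighter. The ToHttps redirect is built from {HTTP_HOST}, which is client supplied, so a fixed host name is safer there. Since the hop from IIS to the backend is plain HTTP on 127.0.0.1:81, the text should also say that the Subversion server ought to listen on the loopback address only.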