Author: dsahlberg Date: Mon Jul 10 07:32:51 2023 New Revision: 1910908 URL: http://svn.apache.org/viewvc?rev=1910908&view=rev Log: In site/publish: Merge 1902723,1910824-1910900 from site/staging
* docs/community-guide/releasing.part.html (#before-release-pristine-tools): Remove one release process variation that doesn't work anymore * faq.html (#reverseproxy): New section (many different sections): Removed or updated dead links Modified: subversion/site/publish/ (props changed) subversion/site/publish/docs/community-guide/releasing.part.html subversion/site/publish/faq.html Propchange: subversion/site/publish/ ------------------------------------------------------------------------------ Merged /subversion/site/staging:r1902723,1910824-1910900 Modified: subversion/site/publish/docs/community-guide/releasing.part.html URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/community-guide/releasing.part.html?rev=1910908&r1=1910907&r2=1910908&view=diff ============================================================================== --- subversion/site/publish/docs/community-guide/releasing.part.html (original) +++ subversion/site/publish/docs/community-guide/releasing.part.html Mon Jul 10 07:32:51 2023 @@ -827,8 +827,7 @@ time pass.</p> the release. The details of the rolling process are automated by the <a href="https://svn.apache.org/repos/asf/subversion/trunk/tools/dist/release.py">release.py</a> helper script. To run this script, you'll need a Subversion trunk working -copy (or a shallow trunk working copy containing the <tt>tools/dist</tt> and -<tt>build/generator</tt> directories). Run <tt>release.py -h</tt> to get a +copy. Run <tt>release.py -h</tt> to get a list of available subcommands.</p> <p>Before you can actually roll the archives, you need to Modified: subversion/site/publish/faq.html URL: http://svn.apache.org/viewvc/subversion/site/publish/faq.html?rev=1910908&r1=1910907&r2=1910908&view=diff ============================================================================== --- subversion/site/publish/faq.html (original) +++ subversion/site/publish/faq.html Mon Jul 10 07:32:51 2023 @@ -77,6 +77,7 @@ For older questions, see <a href="#depre <li><a href="#cvs2svn">How do I convert an existing CVS repository into a Subversion repository?</a></li> <li><a href="#proxy">What if I'm behind a proxy?</a></li> +<li><a href="#reverseproxy">I need to put Subversion behind a reverse proxy</a></li> <li><a href="#paranoid">My admins don't want me to have a HTTP server for Subversion. What can I do if I still want remote usage?</a></li> <li><a href="#multi-proj">How do I manage several different projects @@ -938,6 +939,142 @@ running <tt>svn --version</tt>.</p> </div> +<div class="h3" id="reverseproxy"> +<h3>I need to put Subversion behind a reverse proxy + <a class="sectionlink" href="#proxy" + title="Link to this section">¶</a> +</h3> + +<p>A reverse proxy can be used if the Subversion server is not directly +connected to the internet. It will forward HTTP/HTTPS traffic from a public +facing server to the Subversion server, potentially removing HTTPS +encryption. It can also be useful if several different HTTP servers must +be served on the same port.</p> + +<p>Subversion uses a subset of the WebDAV/DeltaV protocol; see <a +href="#http-methods">this FAQ item</a> for the details. +As far as the proxy server is concerned, Subversion uses plain WebDAV +protocol. For the <tt>svn copy</tt> and <tt>svn move</tt> commands, an extra +HTTP_DESTINATION header is used; this must be rewritten separately.</p> + +<p>Detailed instructions are provided for a few different proxy servers. It +should be fairly easy to copy the ideas from these examples.</p> + +<h4>Detailed instructions for Apache HTTPD</h4> + +<p>The information below is based on an article written by Konrad Rosenbaum, +originally found on <a href="http://silmor.de/proxysvn.php" +>http://silmor.de/proxysvn.php</a>. Copied with permission.</p> + +<p>The proxy side of Apache requires mod_proxy to work. In many Linux +distributions there are ready-made configuration files that can be activated, +otherwise insert this configuration in httpd.conf:</p> + +<pre> +#load the module +LoadModule proxy_module modules/mod_proxy.so +#per default disallow all requests (for security) +ProxyRequests Off +<Proxy *> + Order deny,allow + Deny from all +</Proxy> +ProxyVia On +</pre> + +<p>In the VirtualHost directive for the proxying virtual host, configure +requests for your subversion directory (we'll assume it is called svn) to be +relayed to the real subversion server:</p> + +<pre> +ProxyPass /svn/ http://realsvnserver/svn/ +<Location /svn/> + ProxyPassReverse /svn/ http://realsvnserver/svn/ + <Limit OPTIONS PROPFIND GET REPORT MKACTIVITY PROPPATCH PUT CHECKOUT + MKCOL MOVE COPY DELETE LOCK UNLOCK MERGE> + Order Deny,Allow + Allow from all + Satisfy Any + </Limit> + + RewriteCond %{HTTP:Destination} .+/(svn/.*$) + RewriteRule ^/svn/.* - [E=MyDestination:http://realsvnserver/%1,PT] + RequestHeader set Destination %{MyDestination}e env=MyDestination +</Location> +</pre> + +<p>The ProxyPass directive tells Apache to redirect requests below /svn to +the subversion-Apache (http://realsvnserver/svn). The ProxyPassReverse +directive tells it to alter the request headers (Location, Content-Location, +and URI) to match the target server — depending on your version of Apache and +its configuration you may need to leave out either /svn/ or +http://realsvnserver/svn/. If possible the same path should be used on both +servers (otherwise DAV might make trouble). The Limit directive tells Apache +to let all DAV requests from all clients (Allow) through and let the real +subversion server handle authentication (Satisfy). The Rewrite rules +update the HTTP_DESTINATION header to the correct server/protocol.</p> + +<h4>Detailed instructions for Microsoft IIS</h4> + +<p>First download and install the URL Rewrite module from <a +href="https://www.iis.net/downloads/microsoft/url-rewrite">iis.net</a>. The +example below has been tested with IIS 10 and URL Rewrite 2.1.<br/> +Next configure URL Rewrite to allow the HTTP_DESTINATION server variable: In +IIS Manager under URL Rewrite, in the right hand pane click View Server +Variables and add HTTP_DESTINATION.<br/> +Finally create a few rewrite rules: +<ul> +<li>"ToHttps", if you would like to ensure all Subversion traffic is +encrypted, this sends an HTTP redirect to the client if the request is sent +unencrypted.</li> +<li>"ProxyWithDestination", capturing all requests with the HTTP_DESTINATION +server variable (ie. all <tt>svn copy</tt> and <tt>svn move</tt> requests). +The HTTP_DESTINATION header is rewritten and the traffic is forwarded to the +Subversion server. +</li> +<li>"ProxyRest", forwarding all other traffic to the Subversion server.</li> +</ul> +The example below can be copied into web.config. It assumes the Subversion +server is running on port 81 on the same computer as IIS.</p> + +<pre> +<system.webServer> + <rewrite> + <rules> + <clear /> + <rule name="ToHttps" stopProcessing="true"> + <match url="(.*)" /> + <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> + <add input="{HTTPS}" pattern="^OFF$" /> + </conditions> + <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"/> + </rule> + <rule name="ProxyWithDestination" enabled="true" patternSyntax="ECMAScript" stopProcessing="true"> + <match url="(.*)" /> + <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> + <add input="{HTTP_DESTINATION}" pattern="https://(.*)"/> + </conditions> + <serverVariables> + <set name="HTTP_DESTINATION" value="http://{C:1}" /> + </serverVariables> + <action type="Rewrite" url="http://127.0.0.1:81/{R:0}" logRewrittenUrl="true" /> + </rule> + <rule name="ProxyRest" patternSyntax="ECMAScript" stopProcessing="true"> + <match url="(.*)" negate="false" /> + <conditions logicalGrouping="MatchAll" trackAllCaptures="false" /> + <action type="Rewrite" url="http://127.0.0.1:81/{R:0}" logRewrittenUrl="true" /> + </rule> + </rules> + </rewrite> + <security> + <requestFiltering allowDoubleEscaping="true" /> + </security> +</system.webServer> +</pre> + +</div> + + <div class="h3" id="paranoid"> <h3>My admins don't want me to have a HTTP server for Subversion. What can I do if I still want remote usage? @@ -2062,13 +2199,7 @@ OpenSSH keys and <b><tt>pageant</tt></b> <p>Setting up <tt>ssh-agent</tt> is outside the scope of this document, but a <a href="https://www.google.com/search?hl=en&lr=&ie=UTF-8&q=%22ssh-agent%22" ->Google search for "ssh-agent"</a> will quickly get you answers. Or -if you're <i>really</i> impatient, try this one:</p> - -<pre> - <a href="http://mah.everybody.org/docs/ssh" - >http://mah.everybody.org/docs/ssh</a> -</pre> +>Google search for "ssh-agent"</a> will quickly get you answers.</p> </div> @@ -2642,23 +2773,13 @@ divergent branch, while still incorporat upstream source. This is commonly called a <em>vendor branch</em> (the term long predates Subversion), and the techniques for maintaining one in Subversion are <a -href="https://svnbook.red-bean.com/en/1.4/svn-book.html#svn.advanced.vendorbr" +href="https://svnbook.red-bean.com/en/1.7/svn-book.html#svn.advanced.vendorbr" >described here</a>.</p> <p>If the vendor code is hosted in a remote Subversion repository, then you can use <a href="https://github.com/francois/piston">Piston</a> to manage your copy of the vendor's code.</p> -<p>As a last resort, if using <tt>svn_load_dirs.pl</tt> is taking too -much time or you're looking for the lazy solution, see also Jon -Stevens' step-by-step explanation at <a -href="https://lookfirst.com/2007/11/subversion-vendor-branches-howto.html" ->Subversion Vendor Branches Howto</a>. This solution does not make -use of the space saving features in the Subversion backend when you -copy new code over old code; in this solution, each import of a vendor -code gets an entire new copy and there is no space savings for -identical files.</p> - </div> <div class="h3" id="undo"> @@ -4379,7 +4500,7 @@ to 1.9+ servers.</p> title="Link to this section">¶</a> </h3> -<p>See Poul-Henning Kamp's post to freebsd-hackers: <a href="https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/misc.html#BIKESHED-PAINTING">https://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/misc.html#BIKESHED-PAINTING</a>. +<p>See Poul-Henning Kamp's post to freebsd-hackers: <a href="https://docs.freebsd.org/en/books/faq/#bikeshed-painting">https://docs.freebsd.org/en/books/faq/#bikeshed-painting</a>. </p> </div> @@ -4471,12 +4592,12 @@ scoring lower and more risky vunerabilit calculated by determining the metrics of the vunerability and then calculating the score based on those metrics. If you want to understand how a score was determined you would need the vector and an understanding of the -<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations" +<a href="https://www.first.org/cvss/specification-document#CVSS-v3-1-Equations" >formula as specified by the standard</a>. </p> <p>The vector is an -<a href="https://www.first.org/cvss/specification-document#6-Vector-String" +<a href="https://www.first.org/cvss/specification-document#Vector-String" >abbreviated description</a> of the metrics that apply to the vulnerability. </p>