Subversion with mod_security

Wayne — Tue, 06 Mar 2007 23:35:02 +0000

I ran into a bit of an issue while setting up a new subversion server today. On that box we’re running mod_security on all vhosts to add another layer of security to our web apps. I got everything configured with the the security, but when I was testing, I kept getting 403 errors when I attempted to get the files in anything other than a web browser.

After scratching my head for a while, I looked at the Apache logs, and noticed that mod_rewrite was causing the issue with lines like this:

[Tue Mar 06 13:46:46 2007] [error] [client xxx.xxx.xxx.xxx] mod_security: Access denied with code 403. Pattern match “!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)” at HEADER(“Content-Type”) [severity "EMERGENCY"] [hostname "svn.example.com"] [uri "/test"]

I stumbled on Charl van Niekerk’s entry on this. One of the comments suggested that the following is the bare minimum to run mod_security on a vhost running subversion:

SecFilterSelective REQUEST_METHOD “^(PROPFIND|PROPPATCH)$” allow
SecFilterSelective REQUEST_METHOD “^(REPORT|OPTIONS)$” allow
SecFilterSelective REQUEST_METHOD “^(MKACTIVITY|CHECKOUT)$” allow
SecFilterSelective REQUEST_METHOD “^(PUT|DELETE|MERGE)$” allow

This should be in the first directives in your mod_security call:

# Enable ModSecurity
SecFilterEngine On

# Allow SVN requests
SecFilterSelective REQUEST_METHOD “^(PROPFIND|PROPPATCH)$” allow
SecFilterSelective REQUEST_METHOD “^(REPORT|OPTIONS)$” allow
SecFilterSelective REQUEST_METHOD “^(MKACTIVITY|CHECKOUT)$” allow
SecFilterSelective REQUEST_METHOD “^(PUT|DELETE|MERGE)$” allow

…
# rest of your directives

If you run a Subversion repository and have run into this issue, these security filters should help!

LiquidFoot » Subversion

Subversion with mod_security