Trouble setting up SVN read/write proxy


#1

I’m having a very strange issue trying to follow the instructions for SVN access from here

I can create, check out, and commit to a brand new repository with no apparent problems. However, when I try to check out the repository later, I’m getting an error:

svn co https://bli@scm.vm.local.riorey.com/bli/example_svn
svn: E175002: Unexpected HTTP status 400 'Bad Request' on '/bli/example_svn/!svn/rvr/1/example_file'

From the apache virtualhost running mod_dav_svn:

==> /var/log/apache2/internal_svn_proxy_access.log <==
127.0.0.1 - - [24/May/2017:16:03:22 -0400] "GET /bli/example_svn/!svn/rvr/1/example_file HTTP/1.1" 400 347 "-" "SVN/1.9.5 (x86_64-pc-linux-gnu) serf/1.3.9"

==> /var/log/apache2/internal_svn_proxy_error.log <==
[Wed May 24 16:03:22.895809 2017] [core:debug] [pid 7155] vhost.c(794): [client 127.0.0.1:44156] AH02415: [strict] Invalid host name 'localhost:8090, scm.vm.local.riorey.com', problem near: :8090,
[Wed May 24 16:03:22.896424 2017] [core:debug] [pid 7155] vhost.c(889): [client 127.0.0.1:44156] AH00550: Client sent malformed Host header: localhost:8090, scm.vm.local.riorey.com
[Wed May 24 16:03:22.896492 2017] [core:debug] [pid 7155] protocol.c(1382): [client 127.0.0.1:44156] AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /bli/example_svn/!svn/rvr/1/example_file

The actual failing request:

GET /bli/example_svn/!svn/rvr/1/example_file HTTP/1.1
Host: localhost:8090
Transfer-Encoding: chunked
Connection: Keep-Alive
Accept: */*
X-Forwarded-Server: scm.vm.local.riorey.com
User-Agent: SVN/1.9.5 (x86_64-pc-linux-gnu) serf/1.3.9
X-Forwarded-Proto: https
Host: scm.vm.local.riorey.com
Accept-Encoding: gzip
X-Forwarded-Host: scm.vm.local.riorey.com
Via: 1.1 scm.vm.local.riorey.com
X-Forwarded-For: 192.168.60.208

For some reason it appears that rhodecode is sending two 'Host: ’ headers when proxying the request through to the SVN server. And this only happens for specific SVN operations, for example svn log works fine!

Has anyone seen some thing like this before? Is there a chance I’ve missed a part of the configuration somewhere?

Thanks in advance for any advice.
-Ben


#2

Hi,

We haven’t seen such case before.
Do you use only apache ? Or is there another http server in front .e.g nginx?

We don’t have any good ideas at this point… imho correct Host should be localhost, becuase this is only what should be allowed on Apache side for security reasons.


#3

I’m using apache in front of rhodecode, and plus a virtualhost only on localhost running mod_dav_svn as you mention for security reasons.


#4

What’s your apache config, did you checked out example apache config in documentation ?


#5

Yes, I’m using the example config from the documentation, just the paths are different for my system.

To try and rule out a mistake I made, I just tried out the Rhodecode OVA VM and I’m running into exactly the same problem with the stock VM:

svn co http://192.168.60.204/docs-svn
svn: E175002: Unexpected HTTP status 400 'Bad Request' on '/docs-svn/!svn/rvr/1/generate_ssl.txt'

In case it matters, I’m using the latest ubuntu svn client:

$ svn --version
svn, version 1.9.5 (r1770682)
   compiled Feb 13 2017, 14:27:30 on x86_64-pc-linux-gnu

Copyright (C) 2016 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /home/bli/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

#6

Oh, and just to be specific, that VM is still running RhodeCode Enterprise Edition, version 4.6.1 as downloaded from the website.

My test server where I originally ran into this is running 4.7.2.


#7

Can you try with SVN 1.9.4 ? I believe there might be a problem on 1.9.4 which RhodeCode uses compared to 1.9.5


#8

I’ve tried with hand-compiled SVN versions 1.9.4 and 1.8.7. Exactly the same problem.

I also tried installing SVN on the rhodecode VM which gives version 1.9.3 and ran into exactly the same problem, so that should be reproducible in theory.

➜  ~ hostname
rhodecode-dev
➜  ~ svn --version
svn, version 1.9.3 (r1718519)
   compiled Mar 14 2016, 07:39:01 on x86_64-pc-linux-gnu

Copyright (C) 2015 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.8 (compiled with 1.3.8)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /home/rcdev/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

➜  ~ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:12:05:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.60.204/24 brd 192.168.60.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe12:5bc/64 scope link 
       valid_lft forever preferred_lft forever
➜  ~ svn co http://192.168.60.204/docs-svn
svn: E175002: Unexpected HTTP status 400 'Bad Request' on '/docs-svn/!svn/rvr/1/generate_ssl.txt'
➜  ~

#9

While I still can’t explain the root cause, this code change makes things work for me in the current version. Despite the fact that requests should be able to deal with the host header being set explicitly.

--- simplesvn.py	2017-05-24 14:30:49.662287666 -0400
+++ /opt/rhodecode/store/9q264m389m52myrgjanjivaab4192bva-python2.7-rhodecode-enterprise-ce-4.7.2/lib/python2.7/site-packages/rhodecode/lib/middleware/simplesvn.py	2017-05-31 12:49:35.197740648 -0400
@@ -83,6 +83,10 @@ class SimpleSvnApp(object):
         for key in environ:
             if not key.startswith('HTTP_'):
                 continue
+            
+            if key == 'HTTP_HOST':
+                continue
+
             new_key = key.split('_')
             new_key = [k.capitalize() for k in new_key[1:]]
             new_key = '-'.join(new_key)