I was receiving some strange errors (HTTP error 501) while committing to my public Subversion repository (http://svn.waltercedric.com); all my problems turned out to be related to mod_security.

An HTTP 501 during a commit most of the time means that the client changed authentication halfway through the commit: it started the commit by sending HTTP requests with a Basic auth header for user1, and a few requests later it sent a Basic auth header with a different user. Yes, but...

During a commit in Eclipse, I was getting back the following error:

    Some of selected resources were not committed.
    svn: Commit failed (details follow):
    svn: PUT request failed on '/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml'
    svn: PUT of '/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml': 501 Method Not Implemented (http://svn.waltercedric.com)

Instead of blaming the Eclipse client, I went through the Apache error log of the Subversion virtual host:

    # vi /var/log/apache2/svn.waltercedric.com-error_log

This is where I discovered that most of my issues were related to mod_security. ModSecurity is an open source web application firewall that runs as an Apache module.

Solving this issue

Identifying offending rules and disabling them per virtual host

In /var/log/apache2/svn.waltercedric.com-error_log, I saw the rule that was denying the request:

    [Thu May 14 12:37:40 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx (?:^(?:application\\\\/x-www-form-urlencoded(?:;(?:\\\\s?charset\\\\s?=\\\\s?[\\\\w\\\\d\\\\-]{1,18})?)??$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml"] [unique_id "6tr1nFXWZtMAABlaPS0AAAAF"]

In /srv/www/vhosts/waltercedric.com/subdomains/svn/conf/vhost.conf, add the following section to switch off that one rule (id 960010) for the Subversion document root only:

    <IfModule mod_security2.c>
      <Directory /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs>
        # SecRuleEngine Off  <- don't switch off mod_security entirely, that is far too insecure
        SecRuleRemoveByID 960010
      </Directory>
    </IfModule>

Creating a new configuration rules file

But this is not enough: some of the HTTP methods Subversion uses over WebDAV are also filtered (PROPFIND, PROPPATCH, REPORT, OPTIONS, MKACTIVITY, CHECKOUT, PUT, DELETE, MERGE, MKCOL), so I created a new configuration file:

    # vi /etc/apache2/conf.d/rules/modsecurity_crs_99_svn_ignores.conf

    SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
    SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
    SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
    SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
    SecRule REQUEST_METHOD "^(MKCOL)$" allow

It is picked up automatically, since my /etc/apache2/conf.d/modsecurity2.conf loads all files from that directory (Include /etc/apache2/conf.d/rules/*.conf).

This solution allows HTTP requests using any of the above methods for every virtual host on the server, which opens a small window of security issues in all the other applications running there. Another solution is to add these new rules to the vhost.conf instead, so that it looks like this:

    <IfModule mod_security2.c>
      <Directory /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs>
        # SecRuleEngine Off  <- don't switch off mod_security entirely, that is far too insecure
        SecRuleRemoveByID 960010
        SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
        SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
        SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
        SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
        SecRule REQUEST_METHOD "^(MKCOL)$" allow
      </Directory>
    </IfModule>

That way only the subdomain http://svn.waltercedric.com is exempted, and it no longer triggers any mod_security error while the rest of the server keeps the full rule set.
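To apply the "find the offending rule, then exclude it per virtual host" step above to a whole error log rather than one line, here is an added Python example (not part of the original post) that parses ModSecurity denials out of an Apache error_log, tallies them per virtual host and rule id, and renders the matching SecRuleRemoveByID lines. The sample log is constructed: its first line is the entry quoted in the post, the rest are made up (client 192.0.2.10, host blog.example.com and rule id 999001 are placeholders).

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the entry quoted in the post, lines 2-4 are
# made up (client 192.0.2.10, host blog.example.com, rule id 999001 are placeholders).
SAMPLE_LOG = r'''
[Thu May 14 12:37:40 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx (?:^(?:application\\\\/x-www-form-urlencoded(?:;(?:\\\\s?charset\\\\s?=\\\\s?[\\\\w\\\\d\\\\-]{1,18})?)??$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml"] [unique_id "6tr1nFXWZtMAABlaPS0AAAAF"]
[Thu May 14 12:37:41 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/README"] [unique_id "constructed0001"]
[Thu May 14 12:38:02 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:q. [file "/etc/apache2/conf.d/rules/constructed.conf"] [line "1"] [id "999001"] [msg "Constructed rule for this example"] [hostname "blog.example.com"] [uri "/index.php"] [unique_id "constructed0002"]
[Thu May 14 12:38:05 2009] [error] [client 192.0.2.10] File does not exist: /srv/www/vhosts/example/httpdocs/favicon.ico
'''.strip("\n")

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [key "value"] pairs
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_denial(line):
    """Return the bracketed fields of one ModSecurity denial, plus the HTTP
    status, phase, client and whether the URI is a Subversion WebDAV path;
    None for any error_log line that is not a ModSecurity denial."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["status"] = int(m.group(1))
    fields["phase"] = int(m.group(2))
    c = CLIENT_RE.search(line)
    fields["client"] = c.group(1) if c else ""
    fields["svn_dav"] = "/!svn/" in fields.get("uri", "")
    return fields


def denials_by_rule(log_text):
    """Tally denials per (hostname, rule id); a rule that only fires on one
    vhost is a candidate for a per-<Directory> SecRuleRemoveByID rather than
    for turning the engine off."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f and "id" in f:
            counts[(f.get("hostname", ""), f["id"])] += 1
    return counts


def exclusion_snippet(hostname, counts):
    """Render the SecRuleRemoveByID lines for one vhost, in the form used
    inside the <IfModule mod_security2.c>/<Directory> block above."""
    ids = sorted(rid for (host, rid) in counts if host == hostname)
    return ["SecRuleRemoveByID %s" % rid for rid in ids]
```

Review each id the tally reports before excluding it: a rule that fires only on /!svn/ paths of the Subversion vhost is the case the post describes, whereas the same rule firing on other vhosts deserves a closer look.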