
Subversion and mod_security

I was getting strange errors (HTTP 501) while committing to my public Subversion repository (http://svn.waltercedric.com); all of them turned out to be caused by mod_security.
The usual explanation for a 501 during a commit is that the client changed authentication halfway through: it started the commit sending HTTP requests with a Basic auth header for user1, and a few requests later sent a Basic auth header for a different user.
Yes, but...
During a commit from Eclipse I was getting the following error:
Some of selected resources were not committed.
svn: Commit failed (details follow):
svn: PUT request failed on '/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml'
svn: PUT of '/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml': 501 Method Not Implemented (http://svn.waltercedric.com)
Instead of blaming the Eclipse client, I went through the Apache error log of the Subversion virtual host:
# vi /var/log/apache2/svn.waltercedric.com-error_log
That is where I discovered that most of my issues were caused by mod_security.
ModSecurity is an open source web application firewall that runs as an Apache module; the denials below come from its Core Rule Set (the modsecurity_crs_*.conf files).
Solving this issue
Identify the offending rules and disable them per virtual host.
In /var/log/apache2/svn.waltercedric.com-error_log I found the rule that denied the PUT (rule id 960010, from the CRS HTTP policy file, rejecting the Content-Type Subversion sends):
[Thu May 14 12:37:40 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx (?:^(?:application\\\\/x-www-form-urlencoded(?:;(?:\\\\s?charset\\\\s?=\\\\s?[\\\\w\\\\d\\\\-]{1,18})?)??$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml"] [unique_id "6tr1nFXWZtMAABlaPS0AAAAF"]
In /srv/www/vhosts/waltercedric.com/subdomains/svn/conf/vhost.conf add the following section to switch off that single rule, and only for this virtual host:
<IfModule mod_security2.c>
<Directory /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs>
# SecRuleEngine Off   <- don't switch off mod_security completely, far too insecure
SecRuleRemoveByID 960010
</Directory>
</IfModule>
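Finding the rule id by eye works for one line, but a busy error log usually contains several rules firing for several virtual hosts. The script below is an added example (not from the original post) that does the triage step above mechanically: it pulls the rule id, message and hostname out of each "Access denied" line, counts hits per host, and emits a <Directory> block with one SecRuleRemoveByID per rule that actually fired for that host. The log lines are constructed for the demo, modelled on the entry quoted above (the second and third lines are shortened, the www hostname and the 203.0.113.7 client are made up); the document root passed to modsec_exceptions is whatever your vhost uses.

```shell
#!/bin/sh
# Added example: per-vhost ModSecurity denial triage. Not part of the original post.

# Constructed sample log, modelled on the real entry quoted in the post.
LOG="${TMPDIR:-/tmp}/modsec_demo_error_log.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
[Thu May 14 12:37:40 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml"] [unique_id "6tr1nFXWZtMAABlaPS0AAAAF"]
[Thu May 14 12:37:41 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/build.xml"] [unique_id "demo0002"]
[Thu May 14 12:38:02 2009] [error] [client 203.0.113.7] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [hostname "www.waltercedric.com"] [uri "/index.php"] [unique_id "demo0003"]
[Thu May 14 12:38:03 2009] [notice] unrelated line that must be ignored
EOF

# modsec_denials LOG HOST
# Prints one line per rule id that denied a request on HOST:
#   "<id> <hit count> <msg>", most frequent first.
modsec_denials() {
    awk -v host="$2" '
        # field(line, key) returns the value of [key "value"] or "".
        function field(line, key,    s) {
            if (match(line, "\\[" key " \"[^\"]*\"\\]") == 0) return ""
            s = substr(line, RSTART, RLENGTH)
            sub("^\\[" key " \"", "", s)
            sub("\"\\]$", "", s)
            return s
        }
        /ModSecurity: Access denied/ {
            id = field($0, "id")
            if (id != "" && field($0, "hostname") == host) {
                hits[id]++
                msg[id] = field($0, "msg")
            }
        }
        END { for (id in hits) printf "%s %d %s\n", id, hits[id], msg[id] }
    ' "$1" | sort -k2,2nr
}

# modsec_exceptions LOG HOST DOCROOT
# Emits the vhost snippet from the post, with exactly the rule ids that
# fired for HOST, so nothing wider than necessary is switched off.
modsec_exceptions() {
    printf '<IfModule mod_security2.c>\n<Directory %s>\n' "$3"
    printf '# SecRuleEngine Off   <- never switch mod_security off completely\n'
    modsec_denials "$1" "$2" | awk '{
        printf "# rule %s: %d hits, %s", $1, $2, $3
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\nSecRuleRemoveByID %s\n", $1
    }'
    printf '</Directory>\n</IfModule>\n'
}

# Usage: generate the exception block for the Subversion vhost.
modsec_exceptions "$LOG" svn.waltercedric.com /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs
```

Run it against the real /var/log/apache2/svn.waltercedric.com-error_log instead of the demo file to get the list for your own host; anything that shows up for www.waltercedric.com but not for the svn subdomain should stay enabled there.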
Creating a new configuration rules file
This is not enough: the WebDAV/DeltaV HTTP methods Subversion uses (PROPFIND, PROPPATCH, REPORT, OPTIONS, MKACTIVITY, CHECKOUT, PUT, DELETE, MERGE, MKCOL) are also blocked by the CRS HTTP policy rules, so I created a new rules file at
# vi /etc/apache2/conf.d/rules/modsecurity_crs_99_svn_ignores.conf
SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
SecRule REQUEST_METHOD "^(MKCOL)$" allow
Since my /etc/apache2/conf.d/modsecurity2.conf loads every file from that directory (Include /etc/apache2/conf.d/rules/*.conf), the new file is picked up automatically on the next Apache reload.
This solution allows HTTP requests using any of the above methods on every virtual host. It is broader than it looks: a bare allow action does not just skip the method check, it stops rule processing for the rest of that request, so a PUT or DELETE to any application on the server is no longer inspected at all. A better solution is to put these rules in the vhost.conf of the Subversion host only (or, as with 960010 above, take the id of the rule rejecting the method from the error log and remove just that rule), so it looks like
<IfModule mod_security2.c>
<Directory /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs>
# SecRuleEngine Off   <- don't switch off mod_security completely, far too insecure
SecRuleRemoveByID 960010
SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
SecRule REQUEST_METHOD "^(MKCOL)$" allow
</Directory>
</IfModule>
This way only the subdomain http://svn.waltercedric.com is exempted from these rules; every other virtual host on the server keeps the full mod_security rule set.