Subversion and ModSecurity

I was receiving some strange errors (HTTP error 501) while committing to my public Subversion repository (http://svn.waltercedric.com). All my problems were related to ModSecurity.

Most of the time, this error 501 means that the client changed authentication halfway through the commit. That is, it started the commit by sending HTTP requests with a Basic auth header for user1, and then a few requests later it sent a Basic auth header for a different user.

Yes, but...

During a commit in Eclipse, I was getting back the following error:

Some of selected resources were not committed.
svn: Commit failed (details follow):
svn: PUT request failed on '/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml'
svn: PUT of '/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml': 501 Method Not Implemented (http://svn.waltercedric.com)

But instead of blaming the Eclipse client, I went through the logs of Subversion:

# vi /var/log/apache2/svn.waltercedric.com-error_log

This is where I discovered that most of my issues were related to ModSecurity.

ModSecurity is an open source web application firewall that runs as an Apache module.

Solving this issue

Identifying offending rules and disabling them per virtual host.

From /var/log/apache2/svn.waltercedric.com-error_log, I saw the rule:

[Thu May 14 12:37:40 2009] [error] [client 81.49.237.230] ModSecurity: Access denied with code 501 (phase 2). Match of "rx (?:^(?:application\\\\/x-www-form-urlencoded(?:;(?:\\\\s?charset\\\\s?=\\\\s?[\\\\w\\\\d\\\\-]{1,18})?)??$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [hostname "svn.waltercedric.com"] [uri "/joomla/!svn/wrk/0fe0b23e-2101-0010-9594-fd4f2e3d467d/trunk/joomla16/pom.xml"] [unique_id "6tr1nFXWZtMAABlaPS0AAAAF"]

In /srv/www/vhosts/waltercedric.com/subdomains/svn/conf/vhost.conf, add the following section to switch off that rule specifically:

<IfModule mod_security2.c>

<Directory /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs>
# SecRuleEngine Off  <- don't switch off ModSecurity completely, far too insecure
SecRuleRemoveByID 960010
</Directory>

</IfModule>
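The log-reading step above can be scripted. The following is an added example, not code from the original post: it pulls the rule id, message and hostname out of ModSecurity denial lines in the error-log layout shown above and drafts the matching exclusions for one virtual host. The sample lines, host names, URIs and rule id 999999 are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# [key "value"] metadata ModSecurity appends to each message. Requiring the
# quoted value keeps character classes inside the logged regex from matching.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED = re.compile(r"ModSecurity: Access denied with code (\d{3})")

# Constructed sample in the log layout shown above. Host names, client
# addresses, URIs and rule id 999999 are placeholders, not real data.
SAMPLE_LOG = r'''
[Thu May 14 12:37:40 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^[\w\-]{1,18}$" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [hostname "svn.example.test"] [uri "/repo/!svn/wrk/1/trunk/pom.xml"]
[Thu May 14 12:37:52 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^[\w\-]{1,18}$" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/apache2/conf.d/rules/modsecurity_crs_30_http_policy.conf"] [line "69"] [id "960010"] [msg "Request content type is not allowed by policy"] [hostname "svn.example.test"] [uri "/repo/!svn/wrk/1/trunk/README"]
[Thu May 14 12:40:01 2009] [error] [client 192.0.2.77] ModSecurity: Access denied with code 403 (phase 2). Pattern match "placeholder" at ARGS:q. [file "/etc/apache2/conf.d/rules/placeholder.conf"] [line "1"] [id "999999"] [msg "Constructed placeholder rule"] [hostname "www.example.test"] [uri "/index.php"]
[Thu May 14 12:41:00 2009] [error] [client 192.0.2.10] File does not exist: /srv/www/favicon.ico
'''.strip().splitlines()


def parse_line(line):
    """Return a denial's fields as a dict, or None for any other log line."""
    denied = DENIED.search(line)
    if not denied:
        return None
    fields = dict(FIELD.findall(line))
    fields["status"] = denied.group(1)
    return fields


def denials_by_host(lines):
    """Map hostname -> Counter of (rule id, msg) over all denied requests."""
    hosts = defaultdict(Counter)
    for event in filter(None, map(parse_line, lines)):
        key = (event.get("id", "?"), event.get("msg", ""))
        hosts[event.get("hostname", "?")][key] += 1
    return hosts


def vhost_exclusions(lines, hostname):
    """Draft per-vhost exclusions, most frequently triggered rule first."""
    hits = denials_by_host(lines).get(hostname, Counter())
    out = []
    for (rid, msg), count in hits.most_common():
        out += [f"# {count} denial(s): {msg}", f"SecRuleRemoveById {rid}"]
    return out


if __name__ == "__main__":
    print("\n".join(vhost_exclusions(SAMPLE_LOG, "svn.example.test")))
```

The output is a draft to review, not a configuration to paste blindly: each listed rule should be checked against the logged URIs to confirm the denials come from legitimate Subversion traffic before it is removed for that vhost.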

Creating a new configuration rules file

But this is not enough: some keywords of Subversion are also filtered (PROPFIND, PROPPATCH, REPORT, OPTIONS, MKACTIVITY, CHECKOUT, PUT, DELETE, MERGE, MKCOL), so I created a new configuration file at

# vi /etc/apache2/conf.d/rules/modsecurity_crs_99_svn_ignores.conf

SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
SecRule REQUEST_METHOD "^(MKCOL)$" allow

This works because my /etc/apache2/conf.d/modsecurity2.conf loads all files from there (Include /etc/apache2/conf.d/rules/*.conf).

This solution allows any HTTP request whose method is one of the above keywords. Because the rules file is loaded globally, this may open a small window for security issues in all other applications running on the server. Another solution is to add these new rules to the vhost.conf, so that it looks like this:

<IfModule mod_security2.c>

<Directory /srv/www/vhosts/waltercedric.com/subdomains/svn/httpdocs>
# SecRuleEngine Off  <- don't switch off ModSecurity completely, far too insecure
SecRuleRemoveByID 960010

SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
SecRule REQUEST_METHOD "^(MKCOL)$" allow
</Directory>

</IfModule>

So only the subdomain http://svn.waltercedric.com won't trigger any ModSecurity errors.
