overlapping <Location>-Sections

Hello,

I'm looking for a configuration that allows the combining of two
<Location> sections, which overlap. We have a running subversion server,
which is located at the root of the web server:

<Location />
DAV svn
SVNParentPath /home/subversion/repos
AuthzSVNAccessFile svn-access-file

SSLRequireSSL
AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repository (LDAP password)"
AuthLDAPUrl ldap://....

# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user
</Location>

Now, I want to add the application WebSVN:

<Location "/websvn">

Order allow,deny
Allow from all

SSLRequireSSL

AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repository (LDAP password)"
AuthLDAPUrl ldap://....
AuthzLDAPAuthoritative off

# try anonymous access first, resort to real
# authentication if necessary.
#Satisfy Any
Require valid-user
</Location>

<Directory /var/www/svnserv01/htdocs>
Options Multiviews

Order allow,deny
Allow from all
</Directory>

Alias /websvn-2.3.0/ /opt/websvn-2.3.0/

<Directory /opt/websvn-2.3.0/templates>
Order allow,deny
Allow from all
</Directory>

If I define each of these in its own <VirtualHost> section, both work. Now I
want to combine both in a single <VirtualHost> section. But the
<Location /> section for Subversion is catching all requests. Is it
possible to define an exception for the path /websvn?

Negation within the pattern of <Location> or <LocationMatch> seems to be
impossible (like <LocationMatch "!/websvn">). As mod_rewrite does allow
this, I carried out some tests with it, but without success until now.

Is there a solution for my desired setup?

Ingo


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd.apache.org
" from the digest: users-digest-unsubscribe [at] httpd.apache.org
For additional commands, e-mail: users-help [at] httpd.apache.org
rog7993 [ Tue, 23 March 2010 12:54 ] [ ID #2036084 ]

Re: overlapping <Location>-Sections

> Negation within the pattern of <Location> or <LocationMatch> seems to be
> impossible (like <LocationMatch "!/websvn">). As mod_rewrite does allow
> this, I carried out some tests with it, but without success until now.

you have to do the negation in PCRE -- see "negative lookahead"

--
Eric Covener
covener [at] gmail.com

Eric Covener [ Tue, 23 March 2010 13:34 ] [ ID #2036085 ]

Re: overlapping <Location>-Sections

Hello,

On 23.03.2010 13:34, Eric Covener wrote:
>> Negation within the pattern of <Location> or <LocationMatch> seems to be
>> impossible (like <LocationMatch "!/websvn">).
>
> you have to do the negation in PCRE -- see "negative lookahead"

Do you mean something like this?

<Location "/websvn">
WebSVN stuff
</Location>

<LocationMatch "/(?!websvn)">
subversion stuff
</LocationMatch>

Unfortunately this does not work either.

I have never used negative lookahead within regular expressions before.
Maybe I misunderstood the correct syntax. But I tested this pattern with
python and it seems to work there.

Ingo

rog7993 [ Tue, 23 March 2010 17:00 ] [ ID #2036096 ]
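
An added example, not part of the original messages: it checks the posted pattern `/(?!websvn)` against constructed request paths with Python's `re.search`, on the assumption that `<LocationMatch>` applies its regex as an unanchored search over the URL path. The anchored variant `^/(?!websvn)` is an assumption added for comparison; it mirrors the `^/websvn` anchor used in the RewriteCond posted later in the thread.

```python
import re

# Pattern as posted in the thread, and an anchored variant
# (the anchored form is an assumption added here for comparison).
THREAD_PATTERN = r"/(?!websvn)"
ANCHORED_PATTERN = r"^/(?!websvn)"

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/websvn",
    "/websvn/",
    "/websvn/listing.php",
    "/websvn-2.3.0/templates/style.css",
    "/repo1/trunk",
    "/repo1/websvn",
]

def section_applies(pattern, path):
    """LocationMatch-style test: unanchored regex search over the URL path."""
    return re.search(pattern, path) is not None

def classify(pattern, paths=SAMPLE_PATHS):
    """Map each path to True if a <LocationMatch pattern> section would apply."""
    return {p: section_applies(pattern, p) for p in paths}

def leaked_websvn_paths(pattern, paths=SAMPLE_PATHS):
    """Paths starting with /websvn that the 'subversion' section still covers."""
    return [p for p in paths
            if p.startswith("/websvn") and section_applies(pattern, p)]

if __name__ == "__main__":
    for name, pat in (("thread", THREAD_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"{name}: {pat}")
        for path, hit in classify(pat).items():
            label = "subversion section applies" if hit else "not matched"
            print(f"  {path:38} {label}")
        print("  /websvn paths still covered:", leaked_websvn_paths(pat))
```

Without the `^`, any later slash in the path can satisfy the lookahead, so the two sections are only disjoint for the bare path `/websvn`.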

Re: overlapping <Location>-Sections

On Tue, Mar 23, 2010 at 12:00 PM, <rog7993 [at] web.de> wrote:
> Hello,
>
> On 23.03.2010 13:34, Eric Covener wrote:
>>> Negation within the pattern of <Location> or <LocationMatch> seems to be
>>> impossible (like <LocationMatch "!/websvn">).
>>
>> you have to do the negation in PCRE -- see "negative lookahead"
>
> Do you mean something like this?
>
> <Location "/websvn">
>   WebSVN stuff
> </Location>
>
> <LocationMatch "/(?!websvn)">
>   subversion stuff
> </LocationMatch>
>

I thought you only wanted one section, note the order of
precedence/evaluation in the manual for the different containers,
which I believe is the opposite of the order you listed them. If
they're totally independent, you could use two exclusive LocationMatch
directives.


--
Eric Covener
covener [at] gmail.com

Eric Covener [ Tue, 23 March 2010 17:03 ] [ ID #2036097 ]

Re: overlapping <Location>-Sections

On 23.03.2010 17:03, Eric Covener wrote:
>> <Location "/websvn">
>> WebSVN stuff
>> </Location>
>>
>> <LocationMatch "/(?!websvn)">
>> subversion stuff
>> </LocationMatch>

> I thought you only wanted one section, note the order of
> precedence/evaluation in the manual for the different containers,
> which I believe is the opposite of the order you listed them. If
> they're totally independent, you could use two exclusive LocationMatch
> directives.

As the regex patterns of these <Location> sections are disjunct, the
order of the sections should not matter. Nevertheless I tried changing
the order. The behavior is the same as before.

Ingo


rog7993 [ Tue, 23 March 2010 17:33 ] [ ID #2036101 ]

Re: overlapping <Location>-Sections

On Tue, Mar 23, 2010 at 12:33 PM, <rog7993 [at] web.de> wrote:
> On 23.03.2010 17:03, Eric Covener wrote:
>>> <Location "/websvn">
>>>   WebSVN stuff
>>> </Location>
>>>
>>> <LocationMatch "/(?!websvn)">
>>>   subversion stuff
>>> </LocationMatch>
>
>> I thought you only wanted one section, note the order of
>> precedence/evaluation in the manual for the different containers,
>> which I believe is the opposite of the order you listed them. If
>> they're totally independent, you could use two exclusive LocationMatch
>> directives.
>
> As the regex patterns of these <Location> sections are disjunct, the
> order of the sections should not matter. Nevertheless I tried changing
> the order. The behavior is the same as before.
>

Going back to OP, what part of the outer location did you think was
bleeding in? Did you just need to reset to satisfy all?

What's the current behavior and how does it differ from what you expect?

--
Eric Covener
covener [at] gmail.com

Eric Covener [ Tue, 23 March 2010 17:38 ] [ ID #2036102 ]

Re: overlapping <Location>-Sections

On Tue, Mar 23, 2010 at 12:38:43PM -0400, Eric Covener wrote:
> On Tue, Mar 23, 2010 at 12:33 PM, <rog7993 [at] web.de> wrote:
> >>> <Location "/websvn">
> >>> WebSVN stuff
> >>> </Location>
> >>>
> >>> <LocationMatch "/(?!websvn)">
> >>> subversion stuff
> >>> </LocationMatch>

Possibly this configuration does not work because of a bug in Apache,
mod_dav or mod_dav_svn in the handling of "complex" regular expressions
within <LocationMatch> directives. I found this five-year-old bug
description:

https://issues.apache.org/bugzilla/show_bug.cgi?id=35077

I don't know whether this was fixed in newer Apache versions in the
meantime. But this bug is still open.

> Going back to OP, what part of the outer location did you think was
> bleeding in? Did you just need to reset to satisfy all?

No. Mainly I want to deactivate "DAV". I hadn't posted it until now.
But this configuration doesn't work either:

<Location />
# Subversion stuff
DAV svn
...
</Location>

<Location /websvn>
# WebSVN stuff
DAV off
...
</Location>

I found another solution. Requests to WebSVN (/websvn) will be handled
directly by the SSL-VirtualHost, all other requests (subversion
repositories) will be proxied to another VirtualHost. See above. But I'm
not happy with this solution, because it reduces the subversion
performance significantly.

<VirtualHost *:80>
ServerName svnserv01....
ServerAlias localhost

RequestHeader edit Destination ^https http early

LogLevel Warn

<Location />
DAV svn
SVNParentPath /home/subversion/repos

AuthzSVNAccessFile svn-access-file

SSLRequireSSL

AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repository (LDAP password)"
AuthLDAPUrl ...

# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user
</Location>
</VirtualHost>

<VirtualHost *:443>
ServerName svnserv01...
DocumentRoot /var/www/svnserv01/htdocs

Alias /websvn-2.3.0/ /opt/websvn-2.3.0/

RewriteEngine On

RewriteCond %{REQUEST_URI} !^/websvn.*
RewriteRule (.*) http://localhost$1 [P]

LogLevel warn

SSLEngine On
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCACertificateFile ...

<Directory /var/www/svnserv01/htdocs>
Options Multiviews SymLinksIfOwnerMatch

Order allow,deny
Allow from all
</Directory>

<Directory /opt/websvn-2.3.0/templates>
Order allow,deny
Allow from all
</Directory>

<Location "/websvn">
Order allow,deny
Allow from all

SSLRequireSSL

AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repository (LDAP password)"
AuthLDAPUrl ...
AuthzLDAPAuthoritative off

# try anonymous access first, resort to real
# authentication if necessary.
#Satisfy Any
Require valid-user
</Location>

<Location />
Order allow,deny
Allow from all
</Location>

</VirtualHost>

rog7993 [ Thu, 25 March 2010 17:02 ] [ ID #2036538 ]