6

I cannot figure out how to disable authentication for the .well-known directory.

Things behave as expected when I remove the SVN specific directives (DAV, SVNPath, AuthzSVNAccessFile).

<VirtualHost *:443> ServerName www.example.com DocumentRoot "C:/www.example.com" ServerAdmin [email protected] SSLEngine On SSLCertificateFile "C:/Apache2/conf/ssl/www.example.com.crt" SSLCertificateKeyFile "C:/Apache2/conf/ssl/www.example.com.key" <Location /> DAV svn SVNPath "C:/svnrepo" SSLRequireSSL AuthName "www.example.com" AuthType Basic AuthUserFile "conf/svn/svn-users.txt" AuthGroupFile "conf/svn/svn-groups.txt" AuthzSVNAccessFile "conf/svn/svn-access.txt" Require valid-user </Location> <Location "/.well-known"> Satisfy Any Allow from all Require all granted # Apache 2.4 only #AuthType None </Location> </VirtualHost>

Edit: It would also work if I didn't have overlapping paths. E.g. using /svn and /.well-known. Unfortunately that is not something I can change easily now.

Improve this question
1
  • The LetsEncrypt probe to /.well-known/ uses HTTP (80) not HTTPS (443). If you want the SVN on HTTPS-only, as your config suggests, no overlap is needed. That said, per your selfanswer this is now moot. Commented Feb 16, 2019 at 20:36

3 Answers 3

Reset to default
3

You can check apache Directory option. Bellow is a configuration example:

 <Directory /home/html/.well-known/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny Allow from all </Directory>
Improve this answer
2

in your webroot, create a file .htaccess with the following content:

Options +Indexes <IfModule mod_rewrite.c> RewriteRule "/\.|^\.(?!well-known/)" - [F] </IfModule>

You need to enable ModRewrite for this to work.

Improve this answer
2

Just FYI: I eventually decided to bite the bullet and change the path to my svn repo to https://svn.domain.com/repo (instead of using the root).

After so many complications with various systems and frameworks, I decided to follow this pattern for pretty much all hosted applications, namely to always use

  • subdomain
  • application context path

e.g. https://subdomain.domain.com/context

This keeps all options open in the future for introducing load balancing, multiple applications below the same domain, multiple applications on the same server etc. And the configurations typically work because there will not be any overlapping paths.

Of course it was painful to switch the svn repo path in all clients.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.