##
## $Id: .htaccess 220 2005-06-16 19:14:35Z mks $
## Copyright 2004,2005 - Michael Sinz
##
AuthUserFile /home/subversion/authentication/passwords
AuthName "MKSoft Insurrection Repository"
AuthType Basic

## We want the index.cgi to handle the directory by default...
DirectoryIndex index.cgi

## Note that I list each file specifically such that
## there is less chance of running a CGI that was not
## placed here on purpose. Also, there is nothing that
## requires that the CGI scripts end in ".cgi" - I
## am just doing that to make it easy to see where the
## CGIs are vs non-CGIs. This is most noticeable in the
## CGIs that deal with log processing, etc.

## The main index file is generally available and will
## show only elements that are available without login.
SetHandler cgi-script

## The *.template files are not to be served directly
## so exclude them here
Deny from all

## These CGIs require a login in order to validate the
## user's specific access rights - we can not just check
## if the user has access to the repository via the
## above method.
SetHandler cgi-script
require valid-user

## This is a CGI just to fill in some information into
## the template. It is only called from the index template
## and thus really is just a site-specific thing. I
## use it to make the project page work for both
## the local test server and the public servers.
SetHandler cgi-script

## These CGIs can be used without login depending on
## the repository being requested in the path extra
## and the access rights defined. We let the Subversion
## mod_authz_svn take care of the path check before
## we proxy to here. We then just validate in these
## scripts that we have been proxied.
SetHandler cgi-script

## For some browsers, XSLT support is either not working
## correctly or not working at all. What this CGI does
## is to generate the SVN Index base page as HTML and then
## let the browser and JavaScript via XMLHttp do the
## real work. This works in conjunction with the
## rewrite rule below that does the user agent checking.
SetHandler cgi-script

## You need to have mod_rewrite enabled in Apache
RewriteEngine On

## Since we depend on HTTP_HOST being a reasonable value
## in some of the other requests, we first filter all
## requests through here. Basically, we check that
## the HTTP_HOST is reasonable and if not, fail the
## request right here, right now.
## First we check if the host name has a slash in it.
## Then we check that the host name has a matching .GIF image.
## Note that the HTTP_HOST may have the port number
## on it, so the file name may need to exist in both
## forms.
## This is how we then configure what host name or names
## we want to support here. If it has a GIF file
## then it is a valid host. If not, out you go...
RewriteCond %{HTTP_HOST} "^.*/.*$" [OR]
RewriteCond /home/subversion/www/%{HTTP_HOST}.gif !-f
RewriteRule ^(.*)$ - [G,L]

## Some custom logo processing based on the host that
## we are acting as. We know it exists otherwise
## the above safety check rule would have caught us.
## Note that we do this internally (PT) such that
## the user does not know this exists.
RewriteRule ^Logo.gif "/%{HTTP_HOST}.gif" [PT,L]

## Simple rule to support having index.html and project.html
## actually be cgi scripts.
RewriteRule ^(index|project).html$ /$1.cgi [PT,L]

## We use a local proxy operation such that we can
## publicly expose only the normal Subversion paths
## with the only difference being CGI query strings.
## We also depend on the rewrites to provide the
## full path to the repository. Thus, all of the
## ^svn/ bits would need to contain the prefix path
## from this directory into the base of the repositories.
## Note that we also require proxy support to
## make this work reasonably transparently. A
## redirect would have worked but then would not get
## the benefit of the authentication from mod_authz_svn
## that was already done. The CGIs try to notice this
## proxy behavior and when proxied to via this mechanism
## do not do their own authentication.
##
## Note that we only look at GET access methods.
## All other methods are reserved for mod_dav_svn.
##
## This is one of the reasons the HTTP_HOST needs
## to be filtered - otherwise these rules could
## be used to jump elsewhere on the net by providing
## incorrect HTTP_HOST values.
##
## NOTE - Currently Apache/mod_rewrite has a bug
## with certain characters in the URL.
## http://issues.apache.org/bugzilla/show_bug.cgi?id=34602
##
## The rewrite/proxy we do here specifically tries to get
## around this problem by putting the URI into a CGI parameter
## and not the path_info and then doing some re-parsing with
## the understanding that the Path parameter is always the
## last parameter before the end of the URI. Ugly but it works...
RewriteCond %{REQUEST_METHOD} GET [OR]
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} Insurrection=(admin|atom|bandwidth|blame|diff|dump|get|log|rss)
RewriteRule ^svn(/.*)$ "http://%{HTTP_HOST}/%1.cgi?%{QUERY_STRING}&Path=$1" [P,L]
#RewriteRule ^svn/(.*)$ "http://%{HTTP_HOST}/%1.cgi/$1" [P,L]

## What a trick - to get the broken browsers to work.
## Now they need XMLHttp, but they don't need the XSLT
## to work.
##
## Note that the XSLT of Safari is almost working but
## not quite. So it is listed here.
##
## What we do here is proxy the request to a simple
## CGI that makes the base HTML framework and kicks off
## a client side script that does the rest.
##
## Note that if someone expressly wants XML, the
## XMLHttp=1 attribute is needed. This is used by the
## XMLHttp object in the JavaScript to make sure that
## it does get the XML version even when the browser
## does not support XML/XSLT.
##
## Note that we would like to have the real XSLT working
## as there are some things that are not available
## without it *and* the bandwidth and server load are
## much lower. The good thing is that the top two
## browser technologies do work correctly enough to
## not need this hack. That ends up covering 98% of
## all web users. (That is Mozilla/Firefox and IE)
##
## Again, with the same hack to make this work the way I want...
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} !XMLHttp=1
RewriteCond %{HTTP_USER_AGENT} Opera [OR]
RewriteCond %{HTTP_USER_AGENT} Safari [OR]
RewriteCond %{HTTP_USER_AGENT} Konqueror
RewriteRule ^svn(/.*/)$ "http://%{HTTP_HOST}/broken_xslt.cgi?&Path=$1" [P,L]
#RewriteRule ^svn/(.*/)$ "http://%{HTTP_HOST}/broken_xslt.cgi/$1" [P,L]
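
The HTTP_HOST gate and the proxy rewrite described in the comments above, modelled in Python as an added example (not part of the original .htaccess or of the Insurrection project). The temporary docroot, the host names under example.test and the function names are constructed for illustration; the point is that the proxy target is built from the Host header, so only hosts with a matching .gif file may reach it.

```python
import os
import re
import tempfile

# Added example: a model of the rewrite chain, not the project's own code.
ACTIONS = re.compile(
    r"Insurrection=(admin|atom|bandwidth|blame|diff|dump|get|log|rss)")
SVN_PATH = re.compile(r"^svn(/.*)$")


def host_allowed(host, docroot):
    """Mirror the two RewriteCond checks that guard every request."""
    if "/" in host:                      # RewriteCond %{HTTP_HOST} "^.*/.*$"
        return False
    # RewriteCond <docroot>/%{HTTP_HOST}.gif !-f  (file must exist to pass)
    return os.path.isfile(os.path.join(docroot, host + ".gif"))


def route(method, host, path, query, docroot):
    """Return ('gone', None), ('proxy', url) or ('pass', None)."""
    if not host_allowed(host, docroot):
        return ("gone", None)            # [G,L] answers 410 Gone
    m_query = ACTIONS.search(query)      # RewriteCond patterns are unanchored
    m_path = SVN_PATH.match(path)        # per-directory path, no leading slash
    if re.search("GET|POST", method) and m_query and m_path:
        url = "http://%s/%s.cgi?%s&Path=%s" % (
            host, m_query.group(1), query, m_path.group(1))
        return ("proxy", url)
    return ("pass", None)                # left for mod_dav_svn and other rules


def demo():
    """Route constructed requests against a temporary docroot."""
    with tempfile.TemporaryDirectory() as docroot:
        # One .gif per accepted Host value, with and without the port.
        for name in ("svn.example.test.gif", "svn.example.test:8080.gif"):
            open(os.path.join(docroot, name), "wb").close()
        cases = [
            ("GET", "svn.example.test", "svn/repo/trunk/", "Insurrection=log"),
            ("GET", "svn.example.test:8080", "svn/repo/", "Insurrection=rss"),
            ("GET", "other.example.test", "svn/repo/", "Insurrection=log"),
            ("GET", "svn.example.test/x", "svn/repo/", "Insurrection=log"),
            ("PROPFIND", "svn.example.test", "svn/repo/", "Insurrection=log"),
            ("GET", "svn.example.test", "svn/repo/", ""),
        ]
        return [route(m, h, p, q, docroot) for m, h, p, q in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
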