In some environments, you may need to allow access to a repository from multiple
domains of trust. These normally fall into intranet (trusted hosts) and internet (untrusted
hosts) domains. If security requirements do not allow direct access to an SVN repository,
there are various methods that can be used, depending on the level of security needed.
If the primary server is located in a trusted domain, and users are authenticating
against an SVN repository accessed over WebDAV via Apache, use one of the following
network setup options:
- Firewall - Allow access only to port 443 on the SVN server. The primary server
must serve all clients.
- mod_proxy - Configure an additional bastion host that is accessible from
the untrusted domain. Allow access from the bastion host to the primary server through
the firewall on 443. Configure the bastion host as a transparent write-through WebDAV
proxy server to the primary server.
- Mirror Repository - If only read-only access is required, configure as
option 2, and use svnsync. This does not escalate write privileges to the primary
server if the bastion host is compromised.
- Read Only SAN LUN - It is possible to install SVN in a segregated or
high-security network environment, with the following assumptions: the primary
server is located in a trusted domain; users are authenticating against the
repository; SVN is accessed over WebDAV via Apache. There are multiple options,
depending on the necessary network security:
- Firewall - Allow access only to port 443 on the SVN server. In this
case the primary server must serve all clients, and configuration is as
for a single SVN host.
- Public Facing Proxy Server - Configure an additional bastion host
that is accessible from the untrusted domain. Allow access from the bastion
host to the primary server through the firewall on 443. Configure the bastion
host as a transparent write-through WebDAV proxy server to the primary server.
- Mirror Repository - If just read-only access is needed, use the
mirror repository functionality of SVN. Configure as option 2, and use
svnsync. This does not escalate write privileges to the
primary server if the bastion host is compromised. For more information, see
below.
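
The proxy option described above (a bastion host forwarding to the primary server on 443) could look like the following Apache 2.4 virtual host on the bastion. This is an added example, not configuration from the original page; the host names, the `/svn/` path and the certificate file locations are assumed placeholders.

```apache
# Bastion host, reachable from the untrusted domain.
# svn.example.com, svn-primary.internal.example, /svn/ and all file paths
# are placeholders assumed for this example.
<VirtualHost *:443>
    ServerName svn.example.com

    # TLS towards clients in the untrusted domain
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

    # Reverse proxy only: the bastion must never act as a forward (open) proxy
    ProxyRequests Off

    # TLS towards the primary server, with its certificate verified against
    # the internal CA so the bastion only forwards to the real primary
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem

    # Same path on both sides, so WebDAV URLs need no path rewriting.
    # Authentication is not terminated here: the Authorization header is
    # passed through and checked by the primary server.
    <Location /svn/>
        ProxyPass        https://svn-primary.internal.example/svn/
        ProxyPassReverse https://svn-primary.internal.example/svn/
    </Location>
</VirtualHost>
```

The firewall rule that goes with it permits only the bastion host's address to reach port 443 on the primary server.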