Question
I have connected a USB network adapter on the Visual SVN server and configured a public IP on it. Now, the repositories are accessible through an https link over the Internet to everyone who knows about the link.
I want to allow the SVN access only from our US office (I have the public IP of the US office). People from any other location or public IP should not be able to access the SVN. The VisualSVN server is set up on a Windows 10 machine. Is this possible on Windows? If yes, can someone please tell me how.
Answer 1:
First of all, you can adjust Windows Firewall rules to deny certain clients to access VisualSVN Server based on their IP address. This is the approach we at VisualSVN suggest at the moment.
On the server computer, follow these steps:
1. In the Control Panel, click System and Security and then click Windows Firewall.
2. Click Advanced settings.
3. In the list of inbound Firewall rules, locate the VisualSVN Server (TCP-In) rule and double-click it.
4. Select the Scope tab.
5. Specify the IP address under Remote IP Address. The Firewall rule is configured to "Allow the connection" by default. Therefore, this list contains the IP addresses allowed to access VisualSVN Server. Unlisted IPs are not allowed to access VisualSVN Server. You can adjust this behavior on the General tab in the Action section.
For more information about editing Windows Firewall rules, please read the TechNet article "Add or Edit Firewall Rule".
Regarding the suggestion by @LazyBadger: indeed, it is possible to implement IP-based restrictions by modifying the httpd-custom.conf file; however, we strongly discourage taking this approach.
VisualSVN Server has the SVNPathAuthz short_circuit option enabled, which dramatically improves authorization performance. The option has a limitation, though: server configuration mustn't rely on other authorization modules such as authz_host_module (which is responsible for IP-based checks), otherwise you will encounter unexpected behavior with authorization.
On the other hand, if you disable short_circuit you will definitely notice performance degradation when running authorization-intensive operations against your repositories (such as running svn log, svn checkout, svn export etc. or running a graphical repository browser such as the one the TortoiseSVN client provides).
So the recommended way to apply such IP-based restrictions is to use firewall settings.
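The Scope-tab steps in this answer can also be scripted. The following PowerShell is an added example, not part of the original answer or VisualSVN's own tooling; it assumes the rule is named as the answer says, uses a constructed placeholder address (203.0.113.10) for the office IP, and additionally lists other allow rules that could still admit the same port.

```powershell
#Requires -RunAsAdministrator
# Added example. The rule name is the one given in the answer; the address is a
# constructed placeholder (documentation range). Replace it with the office IP.
$RuleName   = 'VisualSVN Server (TCP-In)'
$AllowedIPs = @('203.0.113.10')

$found = @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop)
if ($found.Count -ne 1) { throw "Expected one rule named '$RuleName', found $($found.Count)." }
$rule = $found[0]

# Scoping only restricts access when the rule is an enabled inbound Allow rule.
if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow' -or $rule.Enabled -ne 'True') {
    throw "Rule '$RuleName' is not an enabled inbound Allow rule; review it before scoping."
}

# Record the current scope so the change can be reverted.
$before = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
Write-Host "Remote addresses before: $($before -join ', ')"

# Equivalent of Scope tab > Remote IP address > These IP addresses.
$rule | Set-NetFirewallRule -RemoteAddress $AllowedIPs

$after = (Get-NetFirewallRule -Name $rule.Name | Get-NetFirewallAddressFilter).RemoteAddress
Write-Host "Remote addresses after:  $($after -join ', ')"

# Allow rules are additive: another enabled inbound Allow rule covering the same
# TCP port with remote address 'Any' would still let other clients in.
# Port ranges (for example 8000-8100) are not expanded by this simple check.
$ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
$others = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Name -ne $rule.Name } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        $lp = @($pf.LocalPort)
        ($pf.Protocol -in 'TCP', 'Any') -and
        ($lp -contains 'Any' -or @($lp | Where-Object { $ports -contains $_ }).Count -gt 0) -and
        (@($af.RemoteAddress) -contains 'Any')
    }

if ($others) {
    Write-Warning "Review these rules; they may still allow the same port from any address:"
    $others | Select-Object DisplayName, Profile | Format-Table -AutoSize
}
```

After applying it, confirm from a network outside the allowed address that the https link no longer connects.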
Answer 2:
- VisualSVN Server is Apache behind the scenes - all tasks not related to SVN directly are managed by Apache and its possibilities
- You have to use Apache's Access Control in a form like
    Order deny,allow
    Deny from all
    Allow from us.ip.address
- You have to check if mod_authz_host for the above trick is enabled (re-read the LoadModule section in httpd.conf)
- Don't touch the main httpd.conf with your modification (it will be lost on server update); add your customization into the %VISUALSVN_SERVER%conf\httpd-custom.conf file
Source: https://stackoverflow.com/questions/34847448/how-to-restrict-in-visualsvn-server-access-only-to-some-specific-public-ips