Although I use IIS7 to host all my websites and stuff, I use Apache to provide access to my Subversion repositories and to host a Trac issue tracking system (they both have much better support for Apache than for IIS - sad from my viewpoint but true). When
the two IIS modules came out (ARR module and URL rewrite module) I thought it would allow me to nicely hide Apache "behind" IIS (domain dev.example.com should be handled by Apache, all other domains by IIS).
What I did:
1) I installed Apache on port 8080
2) I installed the two IIS modules mentioned above (ARR and URL rewriting)
3) I created a URL rewrite rule like this:
pattern to match: (.*)
condition: HTTP_HOST matches the pattern dev\.example\.com
action: rewrite to http://localhost:8080/{R:1} (append query string = true)
It was working quite nicely, in fact Trac was working without any problems (including authentication etc.) but unfortunately SVN did not always work. When I was trying to commit more files together, I was getting a message like this:
There are many things that could have gone wrong - IIS not handling the commit request correctly, Apache not handling the request correctly, a bug in SVN_DAV modude for Apache, bug in SVN itself, corrupted SVN repository etc. What I tried was to open an
8080 port on firewall and trying to send the commit request to Apache directly - guess what, it worked.
So there might be a couple of possible issues:
1)I have not configured IIS correctly - but for instance Trac (which is mostly simple HTTP GET or POST requests and responses) worked fine. SVN on the other hand uses HTTP verbs like PROPFIND, CHECKOUT etc. - is it possible that this is causing problems?
2) IIS+ARR is not supposed to support this scenario (reverse proxy for Apache)
3) Something else?
I would be really thankful if someone from the team could give me some hints what could be possibly wrong.
This is what probably caused "file not found" (404). When I look into Apache logs, there are no PUTs with a 404 status code so I guess this narrows it down to IIS. Do I need to install WebDAV support or somehow enable additional HTTP verbs somewhere? My
understanding is that URL rewriting + ARR happens _before_ any real processing on IIS side so I though this wasn't necessary...
I'm not too familiar with WebDAV (which is obviously what SVN is using) - is it safe to simply clear this list and allow all file extensions? Or is there a better way? (Somehow detect Subversion and disable request filtering just for SVN requests?)
Anyway, this has been a great find, I didn't know that some request filtering is in place implicitly! Many thanks,
a) Remove all the request-filtering restrictions that you need for your webdav app to work
b) request-filtering has functionality to allow to relax restrictions for webdav requests, to use it, you need to set applyToWebDAV="false" and have a module that runs before request-filtering (in OnPreBeginRequest or early in OnBeginRequest) and sets the
"DAV" server-variable to "1" for any requests that are webdav requests
Anil Ruia
Software Design Engineer
IIS Core Server
BorekBernard
15 Posts
Apache behind IIS7 using ARR
Sep 07, 2008 04:18 PM|LINK
Although I use IIS7 to host all my websites and stuff, I use Apache to provide access to my Subversion repositories and to host a Trac issue tracking system (they both have much better support for Apache than for IIS - sad from my viewpoint but true). When the two IIS modules came out (ARR module and URL rewrite module) I thought it would allow me to nicely hide Apache "behind" IIS (domain dev.example.com should be handled by Apache, all other domains by IIS).
What I did:
1) I installed Apache on port 8080
2) I installed the two IIS modules mentioned above (ARR and URL rewriting)
3) I created a URL rewrite rule like this:
pattern to match: (.*)
condition: HTTP_HOST matches the pattern dev\.example\.com
action: rewrite to http://localhost:8080/{R:1} (append query string = true)
It was working quite nicely, in fact Trac was working without any problems (including authentication etc.) but unfortunately SVN did not always work. When I was trying to commit more files together, I was getting a message like this:
Commit failed (details follow):
'/svn/!svn/wrk/296e0144-c11a-ee4b-8aee-d42f56739d47/trunk/AjaxDataServices/App_Data'
path not found
There are many things that could have gone wrong - IIS not handling the commit request correctly, Apache not handling the request correctly, a bug in SVN_DAV modude for Apache, bug in SVN itself, corrupted SVN repository etc. What I tried was to open an 8080 port on firewall and trying to send the commit request to Apache directly - guess what, it worked.
So there might be a couple of possible issues:
1)I have not configured IIS correctly - but for instance Trac (which is mostly simple HTTP GET or POST requests and responses) worked fine. SVN on the other hand uses HTTP verbs like PROPFIND, CHECKOUT etc. - is it possible that this is causing problems?
2) IIS+ARR is not supposed to support this scenario (reverse proxy for Apache)
3) Something else?
I would be really thankful if someone from the team could give me some hints what could be possibly wrong.
Many thanks,
Borek
anilr
2343 Posts
Microsoft
Re: Apache behind IIS7 using ARR
Sep 08, 2008 06:06 AM|LINK
You need to collect more information to figure out where the error is happening. Things that may help
Software Design Engineer
IIS Core Server
BorekBernard
15 Posts
Re: Apache behind IIS7 using ARR
Sep 08, 2008 07:08 AM|LINK
Found this line in IIS log:
(...) PUT /svn/!svn/wrk/6411a50c-eb92-584b-917b-159b940f1f21/trunk/1a-Snippets/SnippetEditor/App.xaml.cs - 80 - 89.102.109.201 SVN/1.5.2+(r32768)/TortoiseSVN-1.5.3.13783+neon/0.28.3 404 7 0 46
This is what probably caused "file not found" (404). When I look into Apache logs, there are no PUTs with a 404 status code so I guess this narrows it down to IIS. Do I need to install WebDAV support or somehow enable additional HTTP verbs somewhere? My understanding is that URL rewriting + ARR happens _before_ any real processing on IIS side so I though this wasn't necessary...
Thanks,
Borek
anilr
2343 Posts
Microsoft
Re: Apache behind IIS7 using ARR
Sep 08, 2008 04:28 PM|LINK
404.7 means that the request-filtering module rejected the file-extension for the request - what fo you have in you request-filtering config?
%windir%\system32\inetsrv\appcmd.exe list config -section:system.webServer/security/requestFiltering
Software Design Engineer
IIS Core Server
BorekBernard
15 Posts
Re: Apache behind IIS7 using ARR
Sep 09, 2008 07:51 PM|LINK
Anil, you're right! This is from my config:
<requestFiltering>
<fileExtensions allowUnlisted="true" applyToWebDAV="true">
<add fileExtension=".asax" allowed="false" />
<add fileExtension=".ascx" allowed="false" />
...
I'm not too familiar with WebDAV (which is obviously what SVN is using) - is it safe to simply clear this list and allow all file extensions? Or is there a better way? (Somehow detect Subversion and disable request filtering just for SVN requests?)
Anyway, this has been a great find, I didn't know that some request filtering is in place implicitly! Many thanks,
Borek
anilr
2343 Posts
Microsoft
Re: Apache behind IIS7 using ARR
Sep 11, 2008 06:13 PM|LINK
You have a couple of options
a) Remove all the request-filtering restrictions that you need for your webdav app to work
b) request-filtering has functionality to allow to relax restrictions for webdav requests, to use it, you need to set applyToWebDAV="false" and have a module that runs before request-filtering (in OnPreBeginRequest or early in OnBeginRequest) and sets the "DAV" server-variable to "1" for any requests that are webdav requests
Software Design Engineer
IIS Core Server