How to restrict access in VisualSVN Server to only certain public IPs


Problem description:

I have connected a USB network adapter on the Visual SVN server and configured a public IP on it. Now, the repositories are accessible through an https link over the Internet to everyone who knows about the link.

I want to allow the SVN access only from our US office (I have the public IP of the US office). People from any other location or public IP should not be able to access the SVN. The VisualSVN server is set up on a Windows 10 machine. Is this possible on Windows? If yes, can someone please tell me how.

First of all, you can adjust Windows Firewall rules to deny certain clients access to VisualSVN Server based on their IP address. This is the approach we at VisualSVN suggest at the moment.

On the server computer, follow these steps:

  1. In the Control Panel, click System and Security and then click Windows Firewall.

  2. Click Advanced settings.

  3. In the list of inbound Firewall rules, locate the VisualSVN Server (TCP-In) rule and double-click it.

  4. Select the Scope tab.

  5. Specify the IP address under Remote IP Address. The Firewall rule is configured to "Allow the connection" by default. Therefore, this list contains the IP addresses allowed to access VisualSVN Server. Unlisted IPs are not allowed to access VisualSVN Server. You can adjust this behavior on the General tab in the Action section.

For more information about editing Windows Firewall rules, please read the TechNet article "Add or Edit Firewall Rule".

Regarding the suggestion by @LazyBadger: indeed, it is possible to implement IP-based restrictions by modifying the httpd-custom.conf file, however we strongly discourage taking this approach. VisualSVN Server has the SVNPathAuthz short_circuit option enabled, which dramatically improves authorization performance. The option has a limitation, though: server configuration mustn't rely on other authorization modules such as authz_host_module (which is responsible for IP-based checks), otherwise you will encounter unexpected behavior with authorization.

On the other hand, if you disable short_circuit you will definitely notice performance degradation when running authorization-intensive operations against your repositories (such as running svn log, svn checkout, svn export, etc., or running a graphical repository browser such as the one the TortoiseSVN client provides).

So the recommended way to apply such IP-based restrictions is to use firewall settings.
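The same Scope change scripted with the built-in NetSecurity cmdlets, plus a check for other inbound allow rules that would still admit traffic from any address; this is an added example, not part of the original answer or VisualSVN's own tooling. It assumes the rule's display name is as written in the steps above and uses 203.0.113.10 as a placeholder for the office's public IP.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
# Assumptions: rule display name as given in the steps above;
# 203.0.113.10 is a documentation placeholder for the office's public IP.
$ruleName  = 'VisualSVN Server (TCP-In)'
$officeIps = @('203.0.113.10')

# Fail early if the rule is missing (the name may differ on your installation).
$rules = @(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction Stop)

foreach ($rule in $rules) {
    # The Scope list acts as an allow list only while the rule is an enabled Allow rule.
    if ($rule.Action -ne 'Allow' -or $rule.Enabled -ne 'True') {
        Write-Warning "$($rule.DisplayName): Action=$($rule.Action), Enabled=$($rule.Enabled)"
    }
    # Equivalent to filling in "Remote IP address" on the Scope tab.
    $rule | Set-NetFirewallRule -RemoteAddress $officeIps
}

# Read the setting back to confirm what the firewall now holds.
$rules | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Allow rules are additive: another enabled inbound allow rule covering the same
# port with RemoteAddress 'Any' would still admit everyone, so list such rules.
# Ports are compared by exact value only; port ranges are not expanded here.
$svnPorts = @($rules | Get-NetFirewallPortFilter | ForEach-Object { $_.LocalPort })

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $rules.Name -notcontains $_.Name } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        $anyRemote = @($addr.RemoteAddress) -contains 'Any'
        $samePort  = (@($port.LocalPort) -contains 'Any') -or
                     (@($port.LocalPort | Where-Object { $svnPorts -contains $_ }).Count -gt 0)
        if ($anyRemote -and $samePort) {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort -join ','
            }
        }
    }
```

Any rule the last command lists should be reviewed, since it can let clients reach the server's port regardless of the Scope set on the VisualSVN rule.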