You are currently browsing the Carl's notes weblog archives for February, 2011.

Securing web access to Subversion repositories

Subversion repositories can be accessed via https using the dav_svn module in Apache. You can use either basic or digest authentication, digest having the advantage of not sending the credentials in clear text over the network. But if you want to give access both to users who already have local accounts on the server (with full SSH access) and to users who don’t need access to the full server but only to this particular repository, then you have to use basic authentication. I think this is due to the way the auth_pam module works (the one that allows Apache to authenticate local accounts). You can redirect all http requests to the https page, but then the credentials get sent twice, once in clear text for the http page, and once for the https page. Not very helpful.

The solution is to put the repository access and authentication part of the configuration inside a VirtualHost *:443 block, and put the redirection inside a VirtualHost *:80 block. The port 80 virtual host then never asks for credentials, so a client is redirected to https before it is asked to authenticate. The configuration below works for me but can no doubt be simplified a bit more.

# VirtualHost for all non-https requests.
<VirtualHost *:80>
  # Redirect all access to svn repositories to the https address.
  RewriteEngine On
  # Match /svn and anything below it (but not e.g. /svnother), and make the redirect explicit.
  RewriteRule ^/svn(/|$) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
  # Do not allow any access to the subversion repository.
  # Possibly not useful for us, but for an actual folder (rather than DAV) this could be a good idea.
  <Location /svn>
    deny from all
  </Location>
</VirtualHost>

<VirtualHost *:443>
  # These lines are included elsewhere in another VirtualHost *:443 section, but apparently they need to be added here too.
  SSLEngine on
  SSLCertificateFile /etc/apache/ssl/myssl.crt
  SSLCertificateKeyFile /etc/apache/ssl/myprivkey.pem
  SSLCertificateChainFile /etc/apache/ssl/mychain.crt

  # It seems the location can be set to whatever you like. The DAV module will create a sort of alias between the SVNPath and the Location.
  <Location /svn/mysecurerepo>
    # I have no idea why this must be included, but if it's missing, you will get an error:
    # svn: Repository moved temporarily to 'http://myserver/svn'; please relocate
    RewriteEngine on

    # An extra precaution.
    # This line prevents non-https access. If it is used outside the *:443 VirtualHost block, access is blocked before any redirection takes place.
    SSLRequireSSL

    # Point to subversion repository.
    DAV svn
    SVNPath /home/subversion/mysecurerepo

    # Use PAM authentication for local users, but also check against users in the htpasswd and group files.
    AuthBasicAuthoritative Off
    AuthPAM_Enabled on
    AuthPAM_FallThrough on
    # Or use digest, but then PAM authentication won't work.
    AuthType Basic
    AuthName "My secure subversion repository"
    AuthUserFile /etc/apache2/htpasswd/mysecure.htpasswd
    # It seems the group file can contain a mix of PAM and htpasswd user names.
    AuthGroupFile /etc/apache2/htpasswd/groups
    Require group mysecuregroup
  </Location>

  # Include more repositories here.

</VirtualHost>
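
A check for the layout described above, as an added example that is not part of the original post: the Python function below walks an Apache configuration and reports any AuthType Basic scope that is not inside a VirtualHost bound only to port 443, or that has no SSLRequireSSL in its enclosing scopes. The function name and both sample configurations are constructed for illustration, and it assumes, as the configuration above does, that 443 is the only TLS port.

```python
import re

SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")
def audit_basic_auth(conf_text):
    """Flag 'AuthType Basic' scopes whose credentials could cross plain http.
    Returns (line, message) tuples. Assumption: :443 is the only TLS port."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m and not m.group(1):              # opening tag: push a new scope
            stack.append({"name": m.group(2).lower(), "arg": m.group(3),
                          "basic": None, "require_ssl": False})
        elif m and stack:                     # closing tag: judge the scope
            scope = stack.pop()
            if scope["basic"] is None:
                continue
            chain = stack + [scope]
            vhosts = [s["arg"] for s in chain if s["name"] == "virtualhost"]
            if not vhosts or not all(a.endswith(":443")
                                     for v in vhosts for a in v.split()):
                findings.append((scope["basic"], "not inside a :443 VirtualHost"))
            if not any(s["require_ssl"] for s in chain):
                findings.append((scope["basic"], "no SSLRequireSSL in scope"))
        elif stack:                           # plain directive inside a scope
            words = [w.lower() for w in line.split()]
            if words[:2] == ["authtype", "basic"]:
                stack[-1]["basic"] = lineno
            elif words[0] == "sslrequiressl":
                stack[-1]["require_ssl"] = True
    return findings

# Constructed sample: Basic auth answered by the port 80 virtual host.
MIXED = """<VirtualHost *:80>
  <Location /svn/mysecurerepo>
    AuthType Basic
  </Location>
</VirtualHost>"""
# Constructed sample: the post's layout, reduced to the relevant directives.
SPLIT = """<VirtualHost *:443>
  <Location /svn/mysecurerepo>
    SSLRequireSSL
    AuthType Basic
  </Location>
</VirtualHost>"""
if __name__ == "__main__":
    print(audit_basic_auth(MIXED), audit_basic_auth(SPLIT))
```

Each finding carries the line number of the AuthType Basic directive, so the function can be pointed at a real site file read with open(path).read().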

Some ideas from Dirk-Willem’s post at Stack Overflow.

Other tips from the Apache wiki’s common misconfigurations page.