Many developers encounter this issue when trying to secure Subversion repositories hosted on Apache. The SSLCipherSuite directive you tried only specifies encryption strength - it doesn't enforce HTTPS. Here's why your current approach isn't working:
# This only sets cipher preferences, doesn't force SSL
SSLCipherSuite HIGH:MEDIUMFor Apache 2.4+, the cleanest solution is using SSLRequireSSL combined with a virtual host configuration:
<VirtualHost *:80>
ServerName svn.example.com
Redirect permanent / https://svn.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName svn.example.com
SSLEngine on
# Your SSL certificate directives here
<Location /svn/projectname>
DAV svn
SVNPath /var/repo/projectname
SSLRequireSSL
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /etc/svn-auth-projectname
</Location>
</VirtualHost>If virtual host configuration isn't feasible, mod_rewrite does work reliably:
<Location /svn/projectname>
DAV svn
SVNPath /var/repo/projectname
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /etc/svn-auth-projectname
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</Location>1. The 301 redirect is cacheable by browsers, so test with Incognito mode
2. Ensure mod_rewrite is loaded (a2enmod rewrite on Debian)
3. For SVN clients, they may need explicit https:// URLs
After making changes:
sudo apachectl configtest
sudo systemctl reload apache2Use curl to verify the redirect:
curl -I http://example.com/svn/projectnameWhen configuring SSL for SVN repositories using Apache's Location directive, many administrators encounter a common issue: the SSLCipherSuite directive alone doesn't enforce HTTPS. This happens because cipher configuration only affects encryption strength - not connection protocol enforcement.
The attempted solution:
SSLCipherSuite HIGH:MEDIUM
merely specifies which encryption algorithms to use, but doesn't redirect HTTP traffic to HTTPS. You need explicit redirection logic.
Here are three robust approaches to enforce HTTPS:
Method 1: Using SSLRequireSSL Directive
The cleanest solution for Location blocks:
<Location /svn/projectname>
SSLRequireSSL
DAV svn
SVNPath /var/repo/projectname
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /etc/svn-auth-projectname
</Location>
This returns 403 Forbidden for HTTP requests, forcing clients to use HTTPS.
Method 2: mod_rewrite Solution
While you expressed concerns about mod_rewrite, here's a properly implemented version:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This does a permanent redirect (301) to HTTPS. Place it in your virtual host configuration or .htaccess.
Method 3: Virtual Host Separation
The most robust approach uses separate virtual hosts:
<VirtualHost *:80>
ServerName svn.example.com
Redirect permanent / https://svn.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName svn.example.com
SSLEngine on
# SSL certificate configuration here
<Location /svn/projectname>
DAV svn
SVNPath /var/repo/projectname
Require valid-user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /etc/svn-auth-projectname
</Location>
</VirtualHost>
When implementing HTTPS enforcement:
- Always use 301 (permanent) redirects for SEO
- Include HSTS header for modern browsers:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" - Consider client compatibility - some older SVN clients may need specific cipher configurations
After implementation, verify with:
curl -I http://yourserver/svn/projectname
You should see either a 301 redirect or 403 status code, not 200.