mod_dontdothat is an Apache module that allows you to block specific types
of Subversion requests.  Specifically, it's designed to keep users from doing
things that are particularly hard on the server, like checking out the root
of the tree, or the tags or branches directories.  It works by sticking an
input filter in front of all REPORT requests and looking for dangerous types
of requests.  If it finds any, it returns a 403 Forbidden error.

You can compile and install it via apxs:

$ apxs -c \
       -I$PREFIX/include/subversion-1 \
       -L$PREFIX/lib -lsvn_subr-1 
       mod_dontdothat.c

$ apxs -i -n dontdothat mod_dontdothat.la

It is enabled via single httpd.conf directive, DontDoThatConfigFile:

<Location /svn>
  DAV svn
  SVNParentPath /path/to/repositories
  DontDoThatConfigFile /path/to/config.file
  DontDoThatDisallowReplay off
</Location>

The file you give to DontDoThatConfigFile is a Subversion configuration file
that contains the following sections.

[recursive-actions]
/*/trunk = allow
/ = deny
/* = deny
/*/tags = deny
/*/branches = deny
/*/* = deny
/*/*/tags = deny
/*/*/branches = deny

As you might guess, this defines a set of patterns that control what the
user is not allowed to do.  Anything with a 'deny' after it is denied, and
as a fallback mechanism anything with an 'allow' after it is special cased
to be allowed, even if it matches something that is denied.

Note that the wildcard portions of a rule only swallow a single directory,
so /* will match /foo, but not /foo/bar.  They also must be at the end of
a directory segment, so /foo* or /* are valid, but /*foo is not.

These rules are applied to any recursive action, which basically means any
Subversion command that goes through the update-report, like update, diff,
checkout, merge, etc.

The DontDoThatDisallowReplay option makes mod_dontdothat disallow
replay requests, which is on by default.