[osg-users] Subversion Installation Step-Step manual

Thibault Genessay tibogens at gmail.com
Wed Oct 3 05:25:58 PDT 2007


Hi Adrian

Here's how I installed and configured Apache for svn + dav + ssl on our SVN
server. It has not been hacked so far, but who knows, my configuration might
also be breakable. I'm not running svnserve at all, and have no problem
accessing my repo from TortoiseSVN on Windows, and the command line svn on
Linux.

I use a Debian 4 box. The paths may change for another Linux distribution
but I guess the method remains the same. This tutorial assumes that your box's
URL is 'mybox.osg.com'

1) Install apache2 and openssl if not already done. Also, install the SVN
package for apache2 (on Debian it is 'libapache2-svn').
2) Make sure the mod_dav and auth_basic modules are activated by looking into
/etc/apache2/mods-enabled (if a symlink is present, the module is
activated). By default auth_basic is. Use 'a2enmod' to activate the modules
'dav' and 'dav_svn'.
3) Set up a virtual host for your HTTPS server. You can use the following
file as a replacement for '/etc/apache2/sites-available/default'

NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin webmaster@osg.com

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.pem

        ServerName mybox.osg.com

        DocumentRoot /var/www/mysite/

        <Directory />
                AuthType Basic
                Require valid-user
                AuthName "My site"
                AuthUserFile /etc/apache2/mysite.pwd
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        # Subversion
        <Location /svn>
                DAV svn
                SVNPath /var/svn/projects
                AuthType Basic
                AuthName "Subversion repository"
                AuthUserFile /etc/apache2/mysite-svn.pwd
                Require valid-user
        </Location>
        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature Off

</VirtualHost>

As you can see, we've assumed that several files and directories exist:
- the website itself, located in /var/www/mysite/ (does not really *need* to
exist, if you only need subversion)
- the svn repository, located in /var/svn/projects
- the /etc/apache2/ssl/server.crt and /etc/apache2/ssl/server.pem files,
which constitute the SSL certificate
- /etc/apache2/mysite.pwd and /etc/apache2/mysite-svn.pwd. Those are Apache
password files created with htpasswd. If the users that can access the web
page are the same as the users that can use SVN, you can use the same
file.

4) now create a self-signed RSA certificate (of course, if you have your own
signed certificate, use it). This procedure is a very brief summary of what
can be found on http://www.akadia.com/services/ssh_test_certificate.html

cd /tmp
# Create a private key
openssl genrsa -des3 -out server.key 1024
# Create a sign request
openssl req -new -key server.key -out server.csr
# Remove the password from the private key so that we don't type it each
# time apache starts
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Sign the certificate using the request
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# Install the stuff (the virtual host above expects the key as server.pem)
mkdir /etc/apache2/ssl
cp server.crt /etc/apache2/ssl/server.crt
cp server.key /etc/apache2/ssl/server.pem
chmod 400 /etc/apache2/ssl/*

5) Populate your HTTPS password file(s) by using 'htpasswd'. E.g. if you
want 'bobby' and 'scotty' to access your repo, then you can do
htpasswd -c /etc/apache2/mysite-svn.pwd bobby
htpasswd /etc/apache2/mysite-svn.pwd scotty

6) Make sure that your various password and certificate files are only
readable by root

7) Restart apache and you're done

I certainly have forgotten something so it won't work "as is" - it never
does - but you've got the plan

Note that this configuration allows for a very simple access scheme: the
persons listed in your mysite-svn.pwd will be given read-write access. So
the access is all or nothing. This might not be sufficient for your needs.
If you need finer grained access control, have a look at the
AuthzSVNAccessFile directive, e.g. adding
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
in your <Location /svn> section will allow you to configure the r/w accesses
with the dav_svn.authz file.

Hope this helps !

Cheers

Thibault

On 10/2/07, Adrian Egli <3dhelp at gmail.com> wrote:
>
> Hi
>
> We got a really bad attack on our svn server last night. It runs
> under Linux, and I am not a Linux expert. So I would like to
> run svn in an Apache, and only if I work with it, the svn server should
> be executed. Is there an expert out there who can help me
> with a step by step manual?
>
> I used just the svnserve and maybe I made a huge mistake opening the firewall
> :-(
>
> many thanks
>
> /adegli
>
> --
> ********************************************
> Adrian Egli
>
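
The per-path access control mentioned in the message (AuthzSVNAccessFile), shown as an added example that is not part of the original post. The users bobby and scotty and the file path come from the message; the group names and repository paths are assumptions for illustration.

```ini
# /etc/apache2/dav_svn.authz  (file name taken from the message above)
#
# Loaded by adding this line inside the <Location /svn> section:
#     AuthzSVNAccessFile /etc/apache2/dav_svn.authz
# mod_authz_svn must be enabled as well (on Debian: a2enmod authz_svn).
# "Require valid-user" stays in place: Basic auth identifies the user,
# and this file then decides what that user may read or write.

[groups]
# Assumed group names; members are the htpasswd users from step 5.
committers = bobby
readers = scotty

# Repository root: deny everyone first, then grant by group.
# Rules are inherited by all sub-paths unless a deeper section overrides them.
[/]
* =
@committers = rw
@readers = r

# Hypothetical branch where scotty is allowed to commit as well.
[/branches/scotty-sandbox]
scotty = rw

# Hypothetical tags directory: read-only for everyone, committers included,
# so released tags cannot be changed after the fact.
[/tags]
@committers = r
@readers = r
```

A user who is in the htpasswd file but matches no rule here gets no access at all, because of the `* =` line under `[/]`.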