[osg-users] Subversion Installation Step-Step manual

Adrian Egli 3dhelp at gmail.com
Wed Oct 3 05:43:21 PDT 2007


WOW, I'll try it out as soon as I have the server back :-)

/thanks
adrian

2007/10/3, Thibault Genessay <tibogens at gmail.com>:
>
> Hi Adrian
>
> Here's how I installed and configured apache for svn + dav + ssl on our
> SVN server. It has not been hacked so far, but who knows, my configuration
> might also be breakable. I'm not running svnserve at all, and got no problem
> accessing my repo from tortoise svn on windows, and the command line svn on
> linux.
>
> I use a Debian 4 box. The paths may change for another linux distribution
> but I guess the method remains the same. This tuto assumes that your box's
> URL is 'mybox.osg.com'
>
> 1) install apache2 and openssl if not already done. Also, install the SVN
> package for apache2 (on debian it is 'libapache2-svn')
> 2) make sure mod_dav and auth_basic modules are activated by looking into
> /etc/apache2/mods-enabled (if a symlink is present, the module is
> activated). By default basic_auth is. Use 'a2enmod' to activate the modules
> 'dav' and 'dav_svn'.
> 3) set up a virtual host for your HTTPS server. You can use the following
> file as a replacement for '/etc/apache2/sites-available/default'
>
> NameVirtualHost *:443
> <VirtualHost *:443>
>         ServerAdmin webmaster@osg.com
>
>         SSLEngine on
>         SSLCertificateFile /etc/apache2/ssl/server.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/server.pem
>
>         ServerName mybox.osg.com
>
>         DocumentRoot /var/www/mysite/
>
>         <Directory />
>                 AuthType Basic
>                 Require valid-user
>                 AuthName "My site"
>                 AuthUserFile /etc/apache2/mysite.pwd
>                 Options FollowSymLinks
>                 AllowOverride None
>         </Directory>
>
>         # Subversion
>         <Location /svn>
>                 DAV svn
>                 SVNPath /var/svn/projects
>                 AuthType Basic
>                 AuthName "Subversion repository"
>                 AuthUserFile /etc/apache2/mysite-svn.pwd
>                 Require valid-user
>         </Location>
>         ErrorLog /var/log/apache2/error.log
>
>         # Possible values include: debug, info, notice, warn, error, crit,
>         # alert, emerg.
>         LogLevel warn
>
>         CustomLog /var/log/apache2/access.log combined
>         ServerSignature Off
>
> </VirtualHost>
>
> As you can see, we've assumed that several files and directories exist:
> - the website itself, located in /var/www/mysite/ (does not really *need*
> to exist, if you only need subversion)
> - the svn repository, located in /var/svn/projects
> - the /etc/apache2/ssl/server.crt and /etc/apache2/ssl/server.pem files,
> which constitute the SSL certificate
> - /etc/apache2/mysite.pwd and /etc/apache2/mysite-svn.pwd. Those are
> apache password files created with htpasswd. If the users that can access
> the web page are the same as the users that can use SVN, you can use the
> same file.
>
> 4) now create a self-signed RSA certificate (of course, if you have your
> own signed certificate, use it). This procedure is a very brief summary of
> what can be found on
> http://www.akadia.com/services/ssh_test_certificate.html
>
> cd /tmp
> # Create a private key
> openssl genrsa -des3 -out server.key 1024
> # Create a sign request
> openssl req -new -key server.key -out server.csr
> # Remove the password from the private key so that we don't type it each
> # time apache starts
> cp server.key server.key.org
> openssl rsa -in server.key.org -out server.key
> # Sign the certificate using the request
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> # Install the stuff; the vhost above expects the key as server.pem
> mkdir /etc/apache2/ssl
> cp server.crt /etc/apache2/ssl/server.crt
> cp server.key /etc/apache2/ssl/server.pem
> chmod 400 /etc/apache2/ssl/*
>
> 5) Populate your HTTPS password file(s) by using 'htpasswd'. E.g. if you
> want 'bobby' and 'scotty' to access your repo, then you can do
> htpasswd -c /etc/apache2/mysite-svn.pwd bobby
> htpasswd /etc/apache2/mysite-svn.pwd scotty
>
> 6) make sure that your various password and certificate files are only
> readable by root
>
> 7) Restart apache and you're done
>
> I certainly have forgotten something so it won't work "as is" - it never
> does - but you've got the plan
>
> Note that this configuration allows for a very simple access scheme: the
> persons listed in your mysite-svn.pwd will be given read-write access. So
> the access is all or nothing. This might not be sufficient for your needs.
> If you need finer grained access control, have a look at the
> AuthzSVNAccessFile directive, e.g. adding
> AuthzSVNAccessFile /etc/apache2/dav_svn.authz
> in your <Location /svn> section will allow you to configure the r/w
> accesses with the dav_svn.authz file.
>
> Hope this helps !
>
> Cheers
>
> Thibault
>
> On 10/2/07, Adrian Egli <3dhelp at gmail.com> wrote:
>
> > hi
> >
> > we got yesterday night a really bad attack on our svn server. it runs
> > under linux, and I am not a linux expert. so I would like to
> > run svn in an apache, and only if I work with it, the svn server should
> > be executed. is there out an expert who can help me
> > with a step by step manual.
> >
> > I used just the svnserve and maybe I made a huge mistake opening the firewall
> > :-(
> >
> > many thanks
> >
> > /adegli
> >
> > --
> > ********************************************
> > Adrian Egli
> > _______________________________________________
> > osg-users mailing list
> > osg-users at lists.openscenegraph.org
> > http://lists.openscenegraph.org/listinfo.cgi/osg-users-openscenegraph.org


-- 
********************************************
Adrian Egli
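
Step 6 of the quoted procedure as a repeatable check, added here as an example and not part of the thread: a shell script that reads the vhost file, finds the files named by `SSLCertificateKeyFile`, `AuthUserFile` and `AuthzSVNAccessFile`, and flags any that are too open. It assumes GNU `stat`, that the private key should be owner-only, and that password and authz files may be group-readable because Apache's worker processes, not root, open them at request time; the function names and the `demo` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the secret files named by an Apache vhost file.

# Print "directive path" for every directive that points at a secret.
# Assumes paths without spaces; surrounding double quotes are stripped.
secret_files() {
    awk '$1 == "SSLCertificateKeyFile" || $1 == "AuthUserFile" ||
         $1 == "AuthzSVNAccessFile" { gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# check_file DIRECTIVE PATH: print a finding and return 1 if PATH is too open.
check_file() {
    [ -f "$2" ] || { echo "MISSING  $2 ($1)"; return 1; }
    mode=$(stat -c '%a' "$2")                # GNU stat: octal mode, e.g. 640
    case "$1" in
        SSLCertificateKeyFile) mask=077 ;;   # private key: owner only
        *)                     mask=007 ;;   # password/authz: no "other" bits
    esac
    [ $(( 0$mode & $mask )) -eq 0 ] && return 0
    echo "TOO-OPEN $2 mode $mode ($1)"
    return 1
}

# audit_vhost CONF: exit status is the number of findings (0 means clean).
audit_vhost() {
    findings=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        check_file "$directive" "$path" || findings=$((findings + 1))
    done <<EOF
$(secret_files "$1")
EOF
    return "$findings"
}

# Constructed sample: a throw-away vhost whose key file is left at mode 644.
demo() {
    d=$(mktemp -d)
    touch "$d/server.pem" "$d/mysite-svn.pwd"
    chmod 644 "$d/server.pem"; chmod 640 "$d/mysite-svn.pwd"
    printf 'SSLCertificateKeyFile %s\nAuthUserFile %s\n' \
        "$d/server.pem" "$d/mysite-svn.pwd" > "$d/default"
    rc=0; audit_vhost "$d/default" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On the server itself the call would be `audit_vhost /etc/apache2/sites-available/default`, run as root so that every file can be inspected.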