svn + apache2
Many of my developers work from windows including myself. Creating secure access over ssh and svn (svn+ssh://)
using Zend studio and svn (subversion plugin for zend) was the initial idea, from a quick pass over subversion, but once svnserver was up and running and I tried it, this wasn’t as simple. There are several articles on integrating subversion, ssh and windows. None of the solutions looked simple or elegant. And wide open unsecured traffic was not acceptable.
I determined best practice pointed us to subversion access through web_dav_svn -> web_dav -> apache2 (https://). This brought authentication away from centralized auth and allowed fine grained control over the access granted via htpasswd and .htaccess files. It allowed us to restrict unsecured access and redirect http to https, and encrypt using SSL. It kept us from having to work ssh onto windows for each developer, instead we could have a simple eclipse/subclipse plugin access demonstrated and from that point they were able to customize on their own.
What I wanted was:
* untar subversion-1.6.6 and subversion-deps-1.6.6 in /apps/src (they layer over each other)
* first build and install the -deps apr and apr-util into /apps/local
* then build apache2 against /usr/local/apr and /usr/local/apr-util
* install apache2
* build and install serf
* remove serf, apr, and apr-util subdirectories and source code from within subversion-1.6.6
* build 1.6.6 against apxs in apache, without Berkeley DB, without neon, and specifying /usr/local/apr, /usr/local/apr-util, and /usr/local/serf
* install and test
process
* create subdirectory /apps/src, place all tarballs in this directory
* untar subversion & subversion-deps version 1.6.6 (these tar onto each other)
* cd subversion-1.6.6/apr
* ./configure –prefix=/usr/local/subversion/apr
* make && make install
* cd ../apr-util
* ./configure –prefix=/usr/local/subversion/apr-util –with-apr=/usr/local/subversion/apr
* make && make install
* cd ../neon
* ./configure –prefix=/usr/local/subversion/neon
*
* apache2: untar httpd-2.2.14
* ./configure –prefix=/usr/local/subversion/apache –enable-dav –enable-dav-fs –enable-dav-lock –enable-expires –enable-headers –enable-info –enable-logio –enable-proxy –enable-rewrite –enable-unique-id –with-apr=/usr/local/subversion/apr –with-apr-util=/usr/local/subversion/apr-util –enable-so –enable-mods-shared=all
* make && make install
This way apache2 builds against apr and apr-util compatible with subversion 1.6.6
and then build subversion against it as well..
* ln -s /apps/apache2_2.2.14 /apps/apache2
* compile and install serf
* ./configure –-prefix=/usr/local/subversion/serf –with-apr=/usr/local/subversion/apr –with-apr-util=/usr/local/subversion/apr-util
* make && make install
* remove serf, pr and apr-util from subversion
compile subversion
./configure –prefix=/apps/svn –with-ssl –with-libs=/usr/local/ssl –without-berkeley-db –with-apxs=/apps/apache2/bin/apxs –with-openssl=/usr/local/ssl –without-neon –with-serf=/usr/local/serf –with-apr=/usr/local/apr –with-apr-util=/usr/local/apr-util
make && make install
test:
/usr/local/subversion/svn/bin/svnadmin create /usr/local/subversion/repository
chown subversion:subversion /usr/local/subversion
chown -Rv subversion.subversion /usr/local/subversion
root@dedicated[/bin] $
no core dump…
ONWARD to configure and test apache2 and subversion…
httpd.conf:
* change all references to apache2_2.2.14 to apache2 (makes the httpd.conf generic rather than subject to needing a migration after a point release upgrade…)
* change port 80 to a non-priveliged port (8080)
* check for
o LoadModule dav_module modules/mod_dav.so
o LoadModule dav_module modules/mod_dav.so
o LoadModule ssl_module modules/mod_ssl.so
* add in ServerName hostname.domain.com:8443 Some of the apache level sanity validation requires a statement of the local host.
* add in SSL stuff (this IS httpd from source – the default httpd.conf had the ssl-module load statement, but no explicit SSL configuration
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# =================================================
# SSL/TLS settings
# =================================================
Listen 0.0.0.0:8080
Listen 0.0.0.0:8443
SSLEngine on
#SSLOptions +StrictRequire
#<Directory />
# SSLRequireSSL
#</Directory>
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLMutex file:/apps/apache2/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLSessionCache shm:/apps/apache2/logs/ssl_cache_shm
SSLSessionCacheTimeout 600
SSLPassPhraseDialog builtin
SSLCertificateFile /apps/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /apps/apache2/conf/ssl.key/server.key
SSLVerifyClient none
SSLProxyEngine off
<IfModule mime.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>
* create ssl certificate (self-signed). I installed in /apps/apache2/conf/ssl.crt and ssl.key, naming the .crt and ,key files for the server hostname and then symbolically linking them to the generic “server.crt” and “server.key”.
* restart apache2 and test https://host:8443/ – you should get the “It works!” apache test page, thus validating the SSL certificate and setup from a browser level
*
* parent directory for svn
<Location /svn>
DAV svn
SVNParentPath /apps/repos
</Location>