Wednesday, February 16, 2011

Serving Multiple SVN Repositories with Apache

Here are our requirements:
  • SVN web server FQDN: scm1; scm1.dev.local
  • SVN is served via SSL only
  • Repository access URLs: https://scm1/svn/project1, https://scm1.dev.local/svn/project2
  • Access: public
  • Policies: /var/lib/svn/conf/policies
  • Root: /var/lib/svn/repos
Before we proceed, please see:
  • Apache with SSL (see here)
  • Revision control with subversion (see here). You can skip the settings related to security permissions, etc., since authentication and authorization will be managed by Apache.
Once you get this done:
  1. Install the Apache SVN module:
    apt-get -y install libapache2-svn
    
  2. Create base directory structure and establish security permissions:
    mkdir -p /var/lib/svn/{repos,conf/policies}
    chown -R root:www-data /var/lib/svn
    chmod -R g+rws,o= /var/lib/svn/repos
    find /var/lib/svn/repos -type d -exec chmod g+x {} +
    
  3. Here is our site definition (file /etc/apache2/sites-available/scm1):
    NameVirtualHost *:443
    
    <VirtualHost *:80>
            ServerName scm1.dev.local
            DocumentRoot /var/www/
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
            ServerName scm1
            DocumentRoot /var/www/
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/svn-access.log combined
    
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/scm1-cert.pem
            SSLCertificateKeyFile /etc/ssl/private/scm1-key.pem
    
            Include /var/lib/svn/conf/default_policy.conf
            Include /var/lib/svn/conf/policies/*.conf
    </VirtualHost>
    <VirtualHost *:443>
            ServerName scm1.dev.local
            DocumentRoot /var/www/
    
            ErrorLog ${APACHE_LOG_DIR}/error.log
            LogLevel warn
            CustomLog ${APACHE_LOG_DIR}/svn-access.log combined
    
            SSLEngine on
            SSLCertificateFile /etc/ssl/certs/scm1.dev.local-cert.pem
            SSLCertificateKeyFile /etc/ssl/private/scm1.dev.local-key.pem
    
            # Disables all protocols other than TLS v1.0 and SSL v3.0
            SSLProtocol -all +TLSv1 +SSLv3
            # Use only HIGH and MEDIUM security cipher suites
            SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    
            Include /var/lib/svn/conf/default_policy.conf
            Include /var/lib/svn/conf/policies/*.conf
    </VirtualHost>
    </IfModule>
    
  4. Here is our default policy (file /var/lib/svn/conf/default_policy.conf):
    <Location /svn/>
            Dav svn
            SVNParentPath /var/lib/svn/repos
    
            SVNListParentPath On
            SVNAutoVersioning On
    
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                Order deny,allow
                Deny from all
                Allow from 192.168.10.0/24
            </LimitExcept>
    </Location>
    
  5. Reload Apache so the changes take effect:
    /etc/init.d/apache2 reload
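
The check below is an added example, not part of the original post: a small Python script that reads the SSL virtual hosts from the site definition in step 3 (embedded as a trimmed, constructed excerpt) and reports TLS settings that have been deprecated since the post was written. The function name audit_vhosts and the two token lists are assumptions made for this example.

```python
import re

# Constructed excerpt of the two SSL vhosts from step 3 (TLS directives only).
SITE_CONF = """
<VirtualHost *:443>
    ServerName scm1
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName scm1.dev.local
    SSLEngine on
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
</VirtualHost>
"""

# Assumed policy: flag SSLv2/SSLv3 (RFC 6176, RFC 7568) and TLS 1.0/1.1 (RFC 8996).
DEPRECATED = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
WEAK_CIPHER_TOKENS = {"MEDIUM", "LOW", "EXPORT", "MD5", "RC4", "DES", "3DES"}


def audit_vhosts(conf):
    """Return {ServerName: [findings]} for every vhost with SSLEngine on."""
    report = {}
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        if directives.get("sslengine", "").lower() != "on":
            continue
        findings = []
        for key in ("SSLProtocol", "SSLCipherSuite"):
            if key.lower() not in directives:
                findings.append(f"no {key}: inherits the server-wide default")
        for tok in directives.get("sslprotocol", "").lower().split():
            if tok.lstrip("+") in DEPRECATED:  # "-name" tokens never match
                findings.append("enables deprecated " + tok.lstrip("+"))
        for tok in directives.get("sslciphersuite", "").split(":"):
            # Only bare tokens add suites: "!X"/"-X" remove, "+X" just reorders.
            if tok in WEAK_CIPHER_TOKENS:
                findings.append("cipher string adds " + tok)
        report[directives.get("servername", "?")] = findings
    return report


if __name__ == "__main__":
    print(audit_vhosts(SITE_CONF))
```

On the excerpt it reports that the scm1 vhost sets neither SSLProtocol nor SSLCipherSuite, and that scm1.dev.local enables TLSv1 and SSLv3 and adds MEDIUM ciphers. A vhost with SSLProtocol -all +TLSv1.2 and SSLCipherSuite HIGH:!aNULL:!MD5 produces no findings.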
    
You should now be able to access all repositories located below /var/lib/svn/repos. Visit https://scm1/svn/project1.

If you are using your own certificate authority, you can eliminate the warning message that you would otherwise see while working with svn. Ensure the following lines are present in the file .subversion/servers:

    [global]
    ssl-authority-files = /etc/ssl/certs/cacert.pem

Read more here.
