Rexiology::Work

Microsoft, Information Technologies...

    Subversion over Apache Httpd over SSL with Basic Auth on Windows 2003 Server box...

     

    OK, after a full installation of Subversion on my server, here are the complete installation steps for reference.

    Some readings:

    Software to install upon this writing:

    Installation Steps:

    1. Install Apache Httpd package on Windows 2003 Server.

    Remember to give Httpd its own port or IP so that it does not conflict with the original IIS 6 on the box.

    2. Install OpenSSL for Apache Httpd package.

    Follow the steps provided in my post or Rob Gonda's post listed above.

    3. Install Subversion and TortoiseSVN

    Follow Rob Gonda's first installation post, but skip the svnservice part that installs svnserve as a Windows service. It's not necessary since we are going to let Httpd host the repository access.

    4. Edit httpd.conf

    In httpd.conf, some blocks need a look. (The example here uses the dedicated IP 10.0.0.1 with port 80 and port 443 for Apache Httpd, and the DNS records svn.server1.abc.com, www.server1.abc.com, www2.server1.abc.com and server1.abc.com all point to 10.0.0.1.)

    # Place the right server root
    ServerRoot "C:/Program Files/Apache Group/Apache2"

    # Listen to the right ip and port
    Listen 10.0.0.1:80

    # Load the proper modules for use
    LoadModule auth_module modules/mod_auth.so
    LoadModule dav_module modules/mod_dav.so
    # ----------- SSL module
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule deflate_module modules/mod_deflate.so
    # ----------- Subversion module
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    # admin email
    ServerAdmin admin@abc.com

    # main site server name
    ServerName server1.abc.com:80

    # main document root
    DocumentRoot "d:/apachewebs"

    # main doc root access rules
    <Directory "d:/apachewebs">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # index file name
    DirectoryIndex index.html index.html.var index.htm

    # Bring in additional module-specific configurations, for ssl config
    <IfModule mod_ssl.c>
        Include conf/ssl.conf
    </IfModule>

    # open virtual host to host other apache sites
    # with different hostname, for future php / mysql application use
    NameVirtualHost 10.0.0.1:80

    # Main site
    <VirtualHost 10.0.0.1:80>
        # the dns name to map to this virtual host
        ServerName server1.abc.com
        ServerAdmin admin@abc.com
        DocumentRoot d:/apachewebs/server1.abc.com.web
        ErrorLog logs/server1.abc.com.web-error_log
        CustomLog logs/server1.abc.com.web-access_log common

        # subversion settings for this virtual host
        # will be accessed via http://server1.abc.com/svn/repo1/
        # for a particular repository "repo1" under the svn parent path.
        # /svn is the root svn folder and will contain repositories under it
        <Location /svn >
            DAV svn
            # the root svn folder
            SVNParentPath "f:/svnrepo"

            # authentication (just use basic auth)
            AuthName "server1.abc.com Subversion Authentication"
            AuthType Basic

            # authorization
            AuthzSVNAccessFile "d:/subversion-settings/dev1-authz"
            AuthUserFile "d:/subversion-settings/dev1-passwd"
            # every access must auth
            Require valid-user
        </Location>

    </VirtualHost>

    # some website with html/php files
    <VirtualHost 10.0.0.1:80>
        ServerName www.server1.abc.com
        ServerAdmin admin@abc.com
        DocumentRoot d:/apachewebs/www.server1.abc.com.web
        ErrorLog logs/www.server1.abc.com.web-error_log
        CustomLog logs/www.server1.abc.com.web-access_log common
    </VirtualHost>

    # some other normal website with different dns name and virtual host
    <VirtualHost 10.0.0.1:80>
        ServerName www2.server1.abc.com
        ServerAdmin admin@abc.com
        DocumentRoot d:/apachewebs/www2.server1.abc.com.web
        ErrorLog logs/www2.server1.abc.com.web-error_log
        CustomLog logs/www2.server1.abc.com.web-access_log common
    </VirtualHost>

    # a virtual host for subversion access
    <VirtualHost 10.0.0.1:80>
        # note that this is a dedicated dns name for subversion
        ServerName svn.server1.abc.com
        ServerAdmin admin@abc.com
        # no document root is needed here, so it is commented out
        # DocumentRoot d:/apachewebs/svn.server1.abc.com.web
        ErrorLog logs/svn.server1.abc.com.web-error_log
        CustomLog logs/svn.server1.abc.com.web-access_log common

        # map the DAV to the root
        # so that for a repository "repo1" the path will be
        # http://svn.server1.abc.com/repo1/
        <Location / >
            DAV svn
            SVNParentPath "f:/svnrepo"

            # authentication
            AuthName "server1.abc.com Subversion Authentication"
            AuthType Basic
           
            # authorization
            AuthzSVNAccessFile "d:/subversion-settings/dev1-authz"
            AuthUserFile "d:/subversion-settings/dev1-passwd"
            Require valid-user
        </Location>

    </VirtualHost>

    5. Edit ssl.conf

    ssl.conf makes Apache listen on port 443 of one IP and defines a virtual host for one DNS name that hosts the svn directory as well as some normal files. Since Apache has only one IP for this SSL connection, only one SSL DNS name and virtual host can be defined here. The block below shows only the parts modified relative to the ssl.conf file that comes with the downloaded OpenSSL zip file.

    # Listen to 443 port
    Listen 10.0.0.1:443

    # define virtual host
    <VirtualHost 10.0.0.1:443>

    #   General setup for the virtual host
    DocumentRoot "d:/apachewebs/server1.abc.com.web"
    ServerName server1.abc.com:443
    ServerAdmin admin@abc.com
    ErrorLog logs/error_log
    TransferLog logs/access_log

        # only https://server1.abc.com/svn belongs to DAV svn
        # for a repository "repo1" , the access path via SSL is
        # https://server1.abc.com/svn/repo1/
        <Location /svn >
            DAV svn
            SVNParentPath "f:/svnrepo"

            # authentication
            AuthName "server1.abc.com Subversion Authentication"
            AuthType Basic
           
            # authorization
            AuthzSVNAccessFile "d:/subversion-settings/dev1-authz"
            AuthUserFile "d:/subversion-settings/dev1-passwd"
            Require valid-user
        </Location>

    SSLEngine on
    # the folder path to put the key file
    # relative to Apache root folder
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    </VirtualHost>                                 

    6. For self-made SSL certificate files (server.crt and server.key above)

    Refer to this post. Unzip the OpenSSL package and go to the bin directory. Three openssl.exe commands produce the two files:

    d:\openssl bin folder> openssl req -config openssl.cnf -new -out server.csr
    d:\openssl bin folder> openssl rsa -in privkey.pem -out server.key
    d:\openssl bin folder> openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

    Create an Apache/conf/ssl directory and move server.key and server.crt into it (the paths given in ssl.conf above).

    7. For Subversion authentication and authorization files (the dev1-authz and dev1-passwd files above)

    Refer to chapter 6 of the Subversion book for more information about this section.

    dev1-authz content:

    [groups]
    # "developer1" and "developer2" are login names
    # defined in "dev1-passwd" file
    # "dev1group" is group name
    dev1group = developer1 , developer2

    # repo1 repository root ("/") settings
    [repo1:/]
    #allow read write access for the developer1
    developer1 = rw
    # not allow access for all others
    * =

    # repo2 repository root ("/") settings
    [repo2:/]
    #allow read write access for the developer2
    developer2 = rw
    # not allow access for all others
    * =

    # repo3 repository root ("/") settings
    [repo3:/]
    #allow read write access for the group
    @dev1group = rw
    # allow read access for all others
    * = r
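
    To check what dev1-authz grants before restarting Httpd, the rules can be evaluated offline. This is an added example, not part of the original post or of Subversion; effective_access and access_matrix are hypothetical helpers, and the evaluator assumes root-path sections only (as in this file) with all matching lines in a section combined.

```python
import configparser

# The post's dev1-authz rules, with comments stripped, used as sample input.
AUTHZ = """
[groups]
dev1group = developer1 , developer2

[repo1:/]
developer1 = rw
* =

[repo2:/]
developer2 = rw
* =

[repo3:/]
@dev1group = rw
* = r
"""

def effective_access(authz_text, repo, user):
    """Return '', 'r' or 'rw' for an authenticated user at the root of repo."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None)
    cp.optionxform = str  # keep login and group names case-sensitive
    cp.read_string(authz_text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in members.split(",")}
                  for g, members in cp.items("groups")}
    section = f"{repo}:/"
    if not cp.has_section(section):
        return ""  # assumption: a repository with no section grants nothing
    granted = set()
    for who, rights in cp.items(section):
        in_group = who.startswith("@") and user in groups.get(who[1:], set())
        if who in ("*", user) or in_group:
            granted |= set(rights.strip())  # assumption: matching lines are unioned
    return "".join(flag for flag in "rw" if flag in granted)

def access_matrix(authz_text, repos, users):
    """Map each (repo, user) pair to its effective access string."""
    return {(r, u): effective_access(authz_text, r, u) for r in repos for u in users}

if __name__ == "__main__":
    users = ["developer1", "developer2", "someone-else"]
    for (repo, user), access in access_matrix(AUTHZ, ["repo1", "repo2", "repo3"], users).items():
        print(f"{repo:6} {user:13} {access or '(none)'}")
```

    The "someone-else" row stands for any other login present in dev1-passwd, since Require valid-user still applies before these rules are consulted.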

    The dev1-passwd file can be generated with htpasswd.exe as an MD5-encrypted password file, or simply written in Notepad as a plain text file like this:

    developer1:passwd-for-developer1
    developer2:passwd-for-developer2

    8. That's all set! Just restart Apache Httpd and use TortoiseSVN to test accessing the self-made repositories.

    At the server, open cmd.exe and use svnadmin.exe to create some repositories.

    c:\> svnadmin create f:\svnrepo\repo1
    c:\> svnadmin create f:\svnrepo\repo2
    c:\> svnadmin create f:\svnrepo\repo3

    Then just use TortoiseSVN to browse / checkout / import some files to those repositories. With the settings above, these URLs can be used, both with and without SSL:

    http://server1.abc.com/svn/repo1/ with developer1 login access, non-ssl way
    http://svn.server1.abc.com/repo2/ with only developer2 login access non-ssl way.
    https://server1.abc.com/svn/repo3/ with both developer1 and developer2 login , using ssl.

    repo1 to repo3 can be swapped in any of the URLs above, so each repository is reachable through any of the three URL forms. However, because Basic auth is used here, it's strongly recommended to access the repositories over SSL, so that a network sniffer on the HTTP traffic cannot easily get the passwords.
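
    The Basic-auth-over-HTTP exposure mentioned above can be found mechanically by listing every Location that uses AuthType Basic inside a virtual host without SSLEngine on. This is an added example, not part of the original post; basic_auth_without_ssl and has_directive are hypothetical helpers, and the sample is a trimmed copy of the virtual hosts shown in steps 4 and 5.

```python
import re

# Constructed sample: the post's httpd.conf and ssl.conf virtual hosts, trimmed.
SAMPLE_CONF = """
<VirtualHost 10.0.0.1:80>
    ServerName server1.abc.com
    <Location /svn >
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.1:80>
    ServerName svn.server1.abc.com
    <Location / >
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.1:443>
    ServerName server1.abc.com:443
    SSLEngine on
    <Location /svn >
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
"""

def has_directive(text, name, value):
    """True if an uncommented 'name value' directive line appears in text."""
    return re.search(rf"^[ \t]*{name}[ \t]+{value}\b", text, re.I | re.M) is not None

def basic_auth_without_ssl(conf):
    """Return (ServerName, Location path) pairs where Basic auth is served without SSL."""
    findings = []
    for vhost in re.finditer(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.I | re.S):
        body = vhost.group(1)
        name = re.search(r"^[ \t]*ServerName[ \t]+(\S+)", body, re.I | re.M)
        if has_directive(body, "SSLEngine", "on"):
            continue  # credentials on this vhost travel inside TLS
        for loc in re.finditer(r"<Location\s+(\S+)\s*>(.*?)</Location>", body, re.I | re.S):
            if has_directive(loc.group(2), "AuthType", "Basic"):
                findings.append((name.group(1) if name else "(unnamed)", loc.group(1)))
    return findings

if __name__ == "__main__":
    for server, path in basic_auth_without_ssl(SAMPLE_CONF):
        print(f"Basic auth over plain HTTP: {server} {path}")
```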

    It's also possible to use SSPI authentication with Subversion and Httpd; refer to the post here or other links provided in Rob Gonda's posts.

    That's all I did to get my Subversion running on a Windows 2003 Server box with SSL support and Basic authentication. I didn't use SSPI since I am not using a Windows AD domain to manage my developer accounts. If AD is used for developer accounts, then SSPI will be a better way to authenticate.


     

    Comments

    Rexiology::Work said:

    This happened in running Subversion on Windows server.
    If the server OS is not English version,...
    # May 2, 2006 10:49 AM

    Rexiology... said:

    crosspost from http://rextang.net/blogs/work/
    This happened in running Subversion on Windows...
    # May 2, 2006 10:53 AM

    Rexiology::Work said:

    Some tips while moving / copying Subversion repository around...
    It happened to my case that...
    # May 2, 2006 12:16 PM

    Rexiology... said:

    crosspost from http://rextang.net/blogs/work/
    Some tips while moving / copying Subversion repository...
    # May 2, 2006 12:18 PM

    Jonathan Andrew Wolter said:

    Hi.

    This seems to be the perfect post, except I don't understand how you're downloading "Apache Httpd 2.0.55, win32 msi installer without ssl support " and then using "mod_ssl."

    Due to export limitations, the windows apache binaries don't have ssl support... so how / where did you add in that support? Thanks. I hope I'm just misunderstanding something.

    Jonathan
    # August 17, 2006 11:48 PM

    Mike Nichols - Son of Nun Technology said:

    Bits and Bobs about setting up Subversion on a Windows Server and getting away from Visual Source Safe
    # October 4, 2006 3:05 PM

    Jorge Santos said:

    This is very interesting but I just can't get the ssl part to work. All requests to apache on port 443 aren't responded.

    Help !
    # November 19, 2006 8:59 PM