HOWTO Apache2 with subversion SVN and DAV

From Gentoo Linux Wiki


Introduction

This document explains how to add Subversion and DAV support to Apache2.

For information on using the Subversion command-line client and server, see HOWTO Subversion.

Enabling DAV and SVN

Make Apache2 load the DAV and SVN modules at startup. For authentication you will most likely want SSL as well. Add the following line below the existing APACHE2_OPTS line.

File: /etc/conf.d/apache2
 APACHE2_OPTS="$APACHE2_OPTS -D DEFAULT_VHOST -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D SSL -D SSL_DEFAULT_VHOST"
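Getting the -D defines wrong is the most common reason a directive in 47_mod_dav_svn.conf silently does nothing, because Gentoo wraps each module's configuration in an IfDefine block. As an added check (not part of this wiki page or of Apache), the following Python script parses the APACHE2_OPTS assignments in /etc/conf.d/apache2, including the `$APACHE2_OPTS` append idiom used above, and reports which defines are missing for the directives actually used in the Subversion configuration. The directive-to-define table is derived from the defines this page uses (SVN, SVN_AUTHZ, DAV, DAV_FS, SSL, AUTH_PAM, LDAP, AUTH_LDAP); the file contents embedded in the script are constructed samples.

```python
"""Cross-check the -D defines in /etc/conf.d/apache2 against the directives
used in an Apache/mod_dav_svn configuration.

Added example for this page; not part of the Gentoo wiki or of Apache.  The
directive-to-define table comes from the defines this page uses, and the
file contents below are constructed samples."""
import re

# Directive -> IfDefine names that must be in APACHE2_OPTS for it to be active.
REQUIRED_DEFINES = {
    "DAV svn": {"DAV", "SVN"},             # mod_dav plus mod_dav_svn
    "DAV": {"DAV", "DAV_FS"},              # "DAV On": filesystem provider
    "SVNPath": {"SVN"},
    "SVNParentPath": {"SVN"},
    "AuthzSVNAccessFile": {"SVN_AUTHZ"},   # mod_authz_svn
    "SSLRequireSSL": {"SSL"},              # mod_ssl
    "AuthPAM_Enabled": {"AUTH_PAM"},       # mod_auth_pam
    "AuthLDAPURL": {"LDAP", "AUTH_LDAP"},  # mod_ldap plus mod_auth_ldap
}

_OPTS_LINE = re.compile(r'^\s*APACHE2_OPTS=(["\']?)(.*)\1\s*$')


def parse_apache2_opts(confd_text):
    """Return the set of -D defines that APACHE2_OPTS ends up containing.

    Later assignments replace earlier ones, except that $APACHE2_OPTS (or
    ${APACHE2_OPTS}) on the right-hand side splices the previous value in."""
    tokens = []
    for line in confd_text.splitlines():
        match = _OPTS_LINE.match(line.split("#", 1)[0])
        if not match:
            continue
        new_tokens = []
        for tok in match.group(2).split():
            if tok in ("$APACHE2_OPTS", "${APACHE2_OPTS}"):
                new_tokens.extend(tokens)
            else:
                new_tokens.append(tok)
        tokens = new_tokens
    defines = set()
    i = 0
    while i < len(tokens):
        if tokens[i] == "-D" and i + 1 < len(tokens):
            defines.add(tokens[i + 1])
            i += 2
        else:
            if tokens[i].startswith("-D"):   # "-DSVN" form
                defines.add(tokens[i][2:])
            i += 1
    return defines


def directives_in(conf_text):
    """Yield a lookup key for each directive line of an Apache config,
    skipping blank lines, comments and <Section> tags."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        if name == "DAV" and args.strip().lower() == "svn":
            yield "DAV svn"
        else:
            yield name


def missing_defines(confd_text, conf_text):
    """Map each directive to the defines it needs but APACHE2_OPTS lacks.
    An empty dict means the startup options match the configuration."""
    have = parse_apache2_opts(confd_text)
    missing = {}
    for directive in directives_in(conf_text):
        need = REQUIRED_DEFINES.get(directive, set()) - have
        if need:
            missing.setdefault(directive, set()).update(need)
    return missing


# Constructed sample: a conf.d file that never enabled SVN_AUTHZ or SSL.
SAMPLE_CONFD_INCOMPLETE = """\
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE"
APACHE2_OPTS="$APACHE2_OPTS -D DAV -D DAV_FS -D SVN"
"""

# Constructed sample: the line recommended above, appended to a default one.
SAMPLE_CONFD_FULL = """\
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO"
APACHE2_OPTS="$APACHE2_OPTS -D DEFAULT_VHOST -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D SSL -D SSL_DEFAULT_VHOST"
"""

# Constructed sample of the directives used in 47_mod_dav_svn.conf.
SAMPLE_SVN_CONF = """\
<Location /svn>
    DAV svn
    SVNParentPath /var/svn/repos
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /var/svn/conf/svnusers
    AuthzSVNAccessFile /var/svn/conf/svnpolicy
    SSLRequireSSL
    Require valid-user
</Location>
"""

if __name__ == "__main__":
    for label, confd in (("incomplete", SAMPLE_CONFD_INCOMPLETE),
                         ("full", SAMPLE_CONFD_FULL)):
        print(label, missing_defines(confd, SAMPLE_SVN_CONF) or "ok")
```

Run it against the real files by reading /etc/conf.d/apache2 and the module config into the two strings; a directive that shows up in the result is inside an IfDefine block Apache will never enter, which is exactly the case where SSLRequireSSL or AuthzSVNAccessFile appears to be configured but is not enforced.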

Setting up the repository for Apache

Apache needs read/write (rw) access to the repository directory. There are two ways to achieve this.

  • Change the owner and group of the repository
    1. Change the owner of the repository
      chown apache:apache /var/svn/repos/test -R
  • Add apache to an svnusers group
    1. Create the svnusers group
      groupadd svnusers
    2. Add apache to the group
      usermod -G apache,svnusers apache
    3. Change the group of the repository
      chgrp svnusers /var/svn/repos/test -R
    4. Give the group write access
      chmod g+w /var/svn/repos/test -R

Initial configuration

Subversion provides the file /etc/apache2/modules.d/47_mod_dav_svn.conf (when built with the apache2 USE flag) containing some ready-to-use configuration.

<Location /svn>
DAV svn

This tells Apache to hand URLs beginning with /svn to the DAV provider (the DAV svn line).

If you only need to serve a single repository, set its path with

SVNPath /var/svn/repos

Alternatively, it can be set up to serve multiple repositories:

SVNParentPath /var/svn/repos

Now every directory under SVNParentPath is treated as a Subversion repository.

Authentication

Basic

OK, Apache now works together with Subversion. However, anyone can access the repository, and we don't want that.
The following lines in /etc/apache2/modules.d/47_mod_dav_svn.conf (old-style configuration: /etc/apache2/conf/modules.d/47_mod_dav_svn.conf) enable authentication:

File: /etc/apache2/modules.d/47_mod_dav_svn.conf
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /var/svn/conf/svnusers
Require valid-user

AuthType Basic sends the password almost in plaintext (only Base64-encoded) and is not secure. To prevent this, allow access only through SSL using the directive

SSLRequireSSL

NOTE: You will have to have SSL enabled in order for this directive to work. To enable SSL, define the use of SSL for apache2 at startup as noted above.

OPTIONAL: To restrict access to SSL only, it is not enough to add SSLRequireSSL to 47_mod_dav_svn.conf. Each configuration directive from 47_mod_dav_svn.conf must be moved inside the virtual host directive of XX_mod_ssl_default-vhost.conf. You also need to change the number of that file so that it loads after mod_dav (all files in /etc/apache2/conf/modules.d are loaded in alphabetical order).

If you switch to SSL only, you also need to add this line to XX_mod_ssl_default-vhost.conf to make it work (see http://www.mail-archive.com/dev@httpd.apache.org/msg14702.html):

 BrowserMatch "SVN" redirect-carefully

File /var/svn/conf/svnusers contains username and encrypted password pairs.

Add users and passwords with the htpasswd2 command.

First create the user/password file:

htpasswd2 -c /var/svn/conf/svnusers newuser1

and then add further users:

htpasswd2 /var/svn/conf/svnusers newuser2

PAM Based

If managing two separate password files is too tedious for you, try using mod_auth_pam, which uses PAM to handle authentication. If you haven't already, emerge mod_auth_pam.

Note: Be aware that using mod_auth_pam has security implications: the 'apache' user gets read access to /etc/shadow. If apache were compromised, /etc/shadow could be read and a password-cracking program run against it.

After emerging mod_auth_pam, it's necessary to make a few changes (as root) to your configuration files. For starters, apache needs to be able to read from /etc/shadow:

# groupadd shadow
# gpasswd -a apache shadow
# chgrp shadow /etc/shadow
# chmod g+r /etc/shadow

Note: Pay attention! If you also run a web server under the same apache user, these settings potentially let your users read the shadow password file, which is really dangerous.

Next, edit the following:

File: /etc/apache2/conf/modules.d/47_mod_dav_svn.conf

Within the <Location /svn> tag, add:

<IfModule mod_auth_sys_group.c>
AuthPAM_Enabled on
AuthType Basic
AuthName "Subversion Repository"
SSLRequireSSL
Require group subversion
</IfModule>

Note: Unlike the 'basic' configuration above, make sure you don't have the line

AuthUserFile /var/svn/conf/svnusers

It is possible to fall back to the 'basic' authentication listed above should PAM somehow fail; look in /etc/apache2/modules.d/10_mod_auth_pam.conf for details.

Note: AuthType Basic sends the password almost in plaintext and is not secure. To prevent this, allow access only through SSL using the directive

SSLRequireSSL

You'll also want to activate mod_auth_pam:

File: /etc/conf.d/apache2

add

-D AUTH_PAM

to APACHE2_OPTS

Authorization

If basic authentication is not enough for you, you can enhance it with access control lists. Notice that authentication has already been done; you are now going to allow or restrict access on a per-user basis. This is done through a special file, the SVNAccessFile:

AuthzSVNAccessFile /var/svn/conf/svnpolicy

The above directive enables the ACL for accessing Subversion repositories through Apache.
You define authorization rules in this file as [repos-name:path] sections containing pairs of user names and access rights, which can be r, rw or empty (no access). For example:

[test:/trunk]
testuser1 = rw
testuser2 = 
* = r

allows testuser1 to write to the repository (commit, copy, ...), gives testuser2 no access at all, and lets any other user (the * wildcard) read the repository (checkout).
For the AuthzSVNAccessFile directive to work, you need to enable it in /etc/conf.d/apache2:

APACHE2_OPTS="... -D SVN_AUTHZ"

A few notes on setting access policies. Watch the spacing: whether or not you are using a single repository, nothing inside the brackets may contain spaces. For a single repository you don't need to give the repository name, just the path relative to the SVNPath directive. For example:

[/trunk/bobsproject]
* = r
[/trunk/bobsproject/hidden]
* = 

There can be spacing in the permission lines, just not inside the brackets holding the paths.
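The two policy examples above depend on precedence rules that are easy to get wrong when reviewing a larger access file: the most specific path section that has a rule for the user wins, an entry for the user itself overrides the * wildcard within a section, and a repository-qualified [repo:/path] section beats an unqualified [/path] one at the same path. The following Python evaluator is an added example that models those rules; it is not Subversion's own mod_authz_svn code, it does not handle [groups] or @group references, and its policy text is a constructed sample combining the two examples above.

```python
"""Evaluate an AuthzSVNAccessFile policy for a given user, repository and path.

Added example for this page, not Subversion's own code.  Modelled rules:
the most specific path section with a rule for the user wins; within a
section an explicit user entry beats "*"; a repository-qualified section
[repo:/path] beats the unqualified [/path] at the same path.  [groups] and
@group entries are not supported here.
"""
import configparser
import posixpath

# Constructed sample policy combining the two examples on this page.
SAMPLE_POLICY = """\
[test:/trunk]
testuser1 = rw
testuser2 =
* = r

[/trunk/bobsproject]
* = r

[/trunk/bobsproject/hidden]
* =
"""


def load_policy(text):
    """Parse the policy into {(repo_or_None, path): {user: rights}}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep user names (and "*") case-sensitive
    cp.read_string(text)
    policy = {}
    for section in cp.sections():
        if section == "groups":
            continue  # group definitions are out of scope for this example
        if " " in section:
            raise ValueError("no spaces allowed inside [...]: %r" % section)
        repo, _, path = section.rpartition(":")
        key = (repo or None, posixpath.normpath(path))
        policy[key] = {user: (rights or "").strip()
                       for user, rights in cp.items(section)}
    return policy


def access_for(policy, user, repo, path):
    """Return the effective rights for user on repo:path ("", "r" or "rw")."""
    path = posixpath.normpath("/" + path.lstrip("/"))
    while True:
        # Repository-qualified section first, then the unqualified one.
        for key in ((repo, path), (None, path)):
            rules = policy.get(key)
            if rules is None:
                continue
            if user in rules:
                return rules[user]   # explicit entry beats the wildcard
            if "*" in rules:
                return rules["*"]
        if path == "/":
            return ""                # nothing matched anywhere: no access
        path = posixpath.dirname(path)   # walk up towards the root


def can(policy, user, repo, path, right):
    """True if the user has the given right ("r" or "w") on repo:path."""
    return right in access_for(policy, user, repo, path)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for user, path in (("testuser1", "/trunk/file.c"), ("testuser2", "/trunk"),
                       ("guest", "/trunk/file.c"),
                       ("testuser1", "/trunk/bobsproject/hidden/key.pem"),
                       ("guest", "/branches")):
        print("%-10s %-36s %r" % (user, path, access_for(policy, user, "test", path)))
```

Note the last two cases: testuser1 has rw on /trunk but nothing under /trunk/bobsproject/hidden, because the more specific section has a `*` rule and no entry for testuser1, and nobody has any access outside /trunk because no section covers the root. Both are the kind of surprise worth checking for before trusting a policy.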

Active Directory/LDAP

Follow these directions if you would like to get your SVN site to authenticate via LDAP or "Captive" Directory.

In /etc/conf.d/apache2 add -D LDAP and -D AUTH_LDAP:

APACHE2_OPTS="-D SSL -D PHP4 -D DAV -D DAV_FS -D SVN -D DAV_SVN -D LDAP -D AUTH_LDAP"


and here's my working apache config for CraptiveDirectory (you'll have to modify the ldap search path for your directory):

<IfDefine SVN>
<Location /svn/repo>
DAV svn
SVNPath /var/svn/repo
AuthType Basic
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "Authorize Me"
AuthLDAPURL ldap://domain.com:389/OU=IT,OU=MainOffice,OU=Locations,OU=Corporate,DC=domainname,DC=com?samAccountName?sub?(objectCategory=person)
AuthLDAPBindDN "CN=webuser,OU=Resources,OU=Corporate,OU=AOM,DC=domain,DC=com"
AuthLDAPBindPassword xxxxxxxxxxx
Require valid-user
</Location>
</IfDefine>


To enable only specific user access:

<Location "/useraccess">
AuthName "user permissions"
require user larry bill sam
</Location>


For group-level permissions, stick this in the directory block:

<Location "/group">
AuthName "group permissions"
require group cn=Group,cn=Users,dc=domainname,dc=com
</Location>

If you're having problems building your LDAP queries, run this command on your Windows global catalog server:

ldifde -f mydomain.ldif -s 127.0.0.1

It will dump the entire ldap directory to a file.

Pretty formatting

You can browse the latest revision of your repository with your favourite browser. Unfortunately you will notice that it does not look very nice. To change this, add the

SVNIndexXSLT /svnindex.xsl

directive inside the <Location /svn> tag and provide an XML stylesheet for the transformation. If you are not very familiar with XML, decompress the xsl and css files shipped with Subversion in the /usr/share/doc/subversion-<VERSION>/ directory.

Some browsers (notably Opera) will just show a blank page instead of the XSL. You can get around this by preprocessing the XSL through xsltproc, rendering the XSL into html for non-XSL-enabled browsers. To do this, install xsltproc:

emerge libxslt

And then add the following to your apache2 config:

BrowserMatch "Opera" xsltfilter

ExtFilterDefine xslt mode=output enableenv=xsltfilter \
        intype=text/xml outtype=text/html \
        cmd="/usr/bin/xsltproc /var/www/svnindex.xsl -"

Additionally, add the following directives inside the <Location /svn> tag:

SetOutputFilter xslt
AddDefaultCharset utf-8

Resources
