Apache v2.2 and Subversion v1.4 - A minimal mod-dav-svn configuration

Howto install Apache v2.2, with Subversion v1.4, mod-dav-svn, ssl, and RepoStyle, on CentOS v5.2

The default Apache httpd configuration is large and complicated. The configuration presented here is a cut-down configuration, with all other features disabled and removed. The resulting configuration should be understandable, easy to audit, and might be secure. This configuration is intended for the single use of exposing a Subversion repository.

For simplicity, the configuration disables the use of the 'conf.d' configuration include directory. The configuration uses SSL/TLS to maintain confidentiality of passwords and source in the repository. RepoStyle is used to provide a style sheet.

Install Apache httpd and the modules:

# yum install httpd mod_dav_svn mod_ssl

As per the redbook recommendation, disabling svnserve so that there is a single method of access to the database files would be a good idea.

Filesystem layout

The files and directories are configured in the following locations:
+- /
  +- etc
  |  +- httpd
  |    +- conf
  |     +- httpd.conf
  |     +- svnauthz      
  |     +- svnpasswd     
  |
  +- var
  | +- www
  |   +- html
  |     +- index.html
  |       +- repos-web   [see RepoStyle]
  +- srv
    +- subversion
      +- config          [this is the SVN repository]
        +- conf
        +- db
        +- ...

Trade-offs

The Apache configuration is a series of trade-offs. I was unable to get things exactly as I wanted. The first priority for me was getting the URLs as I wanted, without an extra path element at the front. However, I was unable to get the 'SVNListParentPath' feature to work. Adding a trailing slash ('/') to the location didn't seem to help. In the end, the easiest way around this was to use single repositories (using the 'SVNPath' directive), and a static index.html file to reference them.

The strategy above also allows easy access to the RepoStyle XSLT style sheets, without having to put the style sheets into one of the repositories. Apache didn't seem to allow the RepoStyle files to take precedence over the DAV location directives. Putting the files into the repository would require setting the SVN mime type keyword on the individual files.

RepoStyle

RepoStyle provides a style sheet for the index and repository.

/etc/httpd/conf/httpd.conf

The following httpd configuration file is used:

ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

LoadModule auth_basic_module  modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module  modules/mod_authn_file.so
LoadModule authz_user_module  modules/mod_authz_user.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module  modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_default_module modules/mod_authz_default.so

LoadModule log_config_module  modules/mod_log_config.so
LoadModule mime_magic_module  modules/mod_mime_magic.so
LoadModule mime_module        modules/mod_mime.so
LoadModule deflate_module     modules/mod_deflate.so
LoadModule ssl_module         modules/mod_ssl.so
LoadModule dir_module         modules/mod_dir.so

LoadModule dav_module         modules/mod_dav.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

TypesConfig /etc/mime.types
MIMEMagicFile conf/magic

User svn
Group svn

Listen 443
ServerAdmin webmaster@lucidsolutions.co.nz
UseCanonicalName Off
ServerName svn.lucidsolutions.co.nz

DocumentRoot "/var/www/html"
DirectoryIndex index.html

SSLEngine On
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

<Location /config/>
  DAV svn
  # SVNParentPath /srv/subversion
  SVNPath /srv/subversion/config

  AuthzSVNAccessFile /etc/httpd/conf/svnauthz

  SVNListParentPath on
  SVNIndexXSLT "/repos-web/view/repos.xsl"

  # Require SSL connection for password protection.
  SSLRequireSSL

  AuthType Basic
  AuthName "Ecru Subversion"
  AuthUserFile /etc/httpd/conf/svnpasswd
  Require valid-user
</Location>

CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION 
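
Since the aim of the cut-down file is that it can be audited, the check below (an added example, not part of the original howto) reads an httpd.conf and reports any 'DAV svn' location that lacks the access-control directives used above, plus any 'Include' that would pull conf.d back in. The function name, the finding strings and both sample configurations are constructed for illustration.

```python
import re

# Directives this howto's <Location> block relies on for a DAV svn repository.
REQUIRED = ("sslrequiressl", "authtype", "authuserfile", "authzsvnaccessfile", "require")

def audit_httpd_conf(text):
    """Return a list of findings for an httpd.conf passed in as text."""
    findings, loc, seen, limited = [], None, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, arg = (line.split(None, 1) + [""])[:2]
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            loc, seen, limited = opened.group(1), set(), False
        elif line.lower().startswith("</location>"):
            if "dav" in seen:  # only DAV-enabled locations are checked
                findings += [f"{loc}: missing {d}" for d in REQUIRED if d not in seen]
                if limited:
                    findings.append(f"{loc}: auth only inside <LimitExcept>")
            loc = None
        elif loc is not None:
            if word.lower() == "<limitexcept":
                limited = True  # auth then covers only some HTTP methods
            elif not line.startswith("<"):
                seen.add(word.lower())
        elif word.lower() == "include":
            findings.append(f"global: Include {arg}")
    return findings

# Constructed samples: HOWTO mirrors the block above, SAMPLE is modelled on
# the packaged sample in the appendix with an Include line added.
HOWTO = """<Location /config/>
  DAV svn
  AuthzSVNAccessFile /etc/httpd/conf/svnauthz
  SSLRequireSSL
  AuthType Basic
  AuthUserFile /etc/httpd/conf/svnpasswd
  Require valid-user
</Location>"""
SAMPLE = """Include conf.d/*.conf
<Location /repos>
  DAV svn
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    AuthType Basic
    AuthUserFile /path/to/passwdfile
    Require valid-user
  </LimitExcept>
</Location>"""
```

Calling audit_httpd_conf(HOWTO) returns an empty list; SAMPLE yields four findings, including that reads are left unauthenticated by the '<LimitExcept>' wrapper.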

Top level index.html

Given that the 'SVNListParentPath' support is not used, create a small top level index.html file to allow users to navigate to the repositories. This needs to be edited manually to list the names of the repositories. The file is '/var/www/html/index.html':

<html>
  <head>
     <title>Subversion server</title>
  </head>
  <body>
    <h2>Repositories</h2>
    <ul>
      <li><a href="config/">config</a></li>
    </ul>
  </body>
</html>

User management

Use htpasswd to add user accounts, using the MD5 option ('m') to hash the password. The 'c' option creates a new file (only use it for the first user, as it overwrites an existing file).

# htpasswd -cm /etc/httpd/conf/svnpasswd greg
New password:
Re-type new password:

Add the user to the 'svnauthz' file to allow access.

[config:/]
greg = rw
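
Because every account has to appear in both 'svnpasswd' and 'svnauthz', the two files drift apart easily. The following cross-check is an added example, not part of the original howto; the function name, result keys and sample file contents are constructed, and it assumes '[groups]' is defined before it is used and that nested groups and aliases are not in use.

```python
def check_accounts(passwd_text, authz_text):
    """Cross-check htpasswd entries against the users named in svnauthz."""
    hashes = {}
    for line in passwd_text.splitlines():
        user, sep, digest = line.strip().partition(":")
        if sep and not user.startswith("#"):
            hashes[user] = digest
    groups, granted, section = {}, set(), None
    for line in authz_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            name, _, value = (part.strip() for part in line.partition("="))
            if section == "groups":
                groups[name] = {m.strip() for m in value.split(",") if m.strip()}
            elif value in ("r", "rw"):          # an empty value denies access
                if name.startswith("@"):        # expand a group reference
                    granted |= groups.get(name[1:], set())
                elif name != "*":
                    granted.add(name)
    known = set(hashes)
    return {
        # granted access in svnauthz but unable to authenticate
        "no_password": sorted(granted - known),
        # can authenticate but no svnauthz rule names them
        "no_rule": sorted(known - granted),
        # entry was not written by 'htpasswd -m' (which produces $apr1$ hashes)
        "not_md5": sorted(u for u, h in hashes.items() if not h.startswith("$apr1$")),
    }

# Constructed sample files; the hash values are placeholders, not real digests.
PASSWD = """greg:$apr1$constructed$notARealHashValue0000
olduser:{SHA}constructedNotARealDigest=
"""
AUTHZ = """[groups]
admins = greg, anna

[config:/]
@admins = rw
build = r
* =
"""
```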

Tips 

The following are simple issues that may arise:

  • ensure SELinux is configured correctly, or disabled. If the svn repositories are outside the normal Apache directory structure then SELinux will cause 'Permission denied' errors.
  • to get the 'SVNListParentPath' directive to work, ensure the svn dav '<Location ...>' directive has a trailing slash

Appendices

yum installation

# yum install httpd mod_dav_svn mod_ssl

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 mod_dav_svn             x86_64     1.4.2-2.el5      base               70 k
 mod_ssl                 x86_64     1:2.2.3-11.el5_1.centos.3  base               85 k
Installing for dependencies:
 distcache               x86_64     1.4.5-14.1       base              121 k
 httpd                   x86_64     2.2.3-11.el5_1.centos.3  base              1.1 M
 mailcap                 noarch     2.1.23-1.fc6     base               14 k

Transaction Summary
=============================================================================
Install      5 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.4 M
Is this ok [y/N]:

Mod-dav-svn sample configuration

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn".  Each repository
# must be readable and writable by the 'apache' user.  Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www.  Use "restorecon -R /var/www/svn"
# to label the repositories if upgrading from a previous release.
#

#
# To create a new repository "http://localhost/repos/stuff" using
# this configuration, run as root:
#
#   # cd /var/www/svn
#   # svnadmin create stuff
#   # chown -R apache.apache stuff
#

#<Location /repos>
#   DAV svn
#   SVNParentPath /var/www/svn
#
#   # Limit write permission to list of valid users.
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#      # Require SSL connection for password protection.
#      # SSLRequireSSL
#
#      AuthType Basic
#      AuthName "Authorization Realm"
#      AuthUserFile /path/to/passwdfile
#      Require valid-user
#   </LimitExcept>
#</Location>