TurnKey Linux Virtual Appliance Library

Configuring Subversion access via Apache on the Revision Control appliance

The following is the first guest blog post by Adrian Moya, a web developer and open source evangelist. He took first place in the TurnKey Development content, 2010. See more of Adrian's work on his website.

The TurnKey Revision Control appliance offers a quick version control server with 4 well known and tools for the job: Subversion, Git, Bazaar and Mercurial. Personally, I use it mostly for Subversion and Git. Although it's preconfigured with the most useful settings, I personally miss the possibility to access SVN using the http protocol (through Apache). In the following post I'll be explaning the procedure to add this feature:

1. Access the server via SSH (or via webshell in a browser https://server-ip:12320) and login as root using the password you setup when you installed the appliance. 

2. First we need to install the Apache module that provides SVN integration. Do so by executing the following commands:

apt-get update
apt-get install libapache2-svn

3. Next, we proceed by creating a file to store users and encrypted passwords to access the subversion repositories. The file will be created in /etc/subversion and we will call it svn-auth-file.

We'll use Apache's tool for creating users files called htpasswd. With the -cm option we create the file for the first time. Then to add aditional files we'll just use -m. The tool will ask us the password for the user twice.  We can check the generated file and it's content to see the list of users created.

htpasswd -cm /etc/subversion/svn-auth-file user1
htpasswd -m /etc/subversion/svn-auth-file user2

4. Now, let's edit the websvn site settings in Apache to add security using our newly created file. We edit the file /etc/apache2/conf.d/websvn and add 4 lines. The file should look as the following:

Alias /svn /usr/share/websvn
<Directory /usr/share/websvn>
  DirectoryIndex index.php
  Options FollowSymLinks
  Order allow,deny
  Allow from all
 AuthType Basic
 AuthName "Subversion repository"
 AuthUserFile /etc/subversion/svn-auth-file
 Require valid-user
</Directory>

5. We will configure Apache to access the repositories. For that, we create and edit the file /etc/apache2/conf.d/svnprivate with the following content: 

<Location /svn-private>
  DAV svn
  SVNParentPath /srv/repos/svn/
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/subversion/svn-auth-file
  Require valid-user
</Location>

6. We proceed to reload Apache's settings so the changes take affect. We must also give apache ownership over the subversion repo files, found at /srv/repos/svn. 

service apache2 reload
chown -R www-data:www-data /srv/repos/svn/

7. We can already access our repositories, which you can try using your web browser and opening the url http://server-ip/svn-private/reponame. You'll get the standard Apache dialog asking for user and password. Input your credentials and you'll be able to browse the repository:

Adding Secure Access SSL (https)

If we try to make checkout using the svn client via https, we'll get the following error:

"Server certificate was missing commonName attribute in subject name"

The svn client needs, to be able to access using https to a repository, that the sever's certificate has the commonName attribute, wich is empty in the default certificate. So we need to create a new certificate which contains that atribute. We can do that with the following commands (I'll use a fqdn of svn.example.com as an example):

1. Install the openssl tools:

apt-get install openssl

2. We create the certificate key using the fqdn as the name (so we know that certificate belongs to that domain): 

openssl genrsa 4096 > /etc/ssl/private/svn.example.com.key

3. Generate the certificate, and be sure to put something in the value of attribute commonName when asked. You can put the fqdn there (svn.example.com).

openssl req -new -key /etc/ssl/private/svn.example.com.key -x509 -days 365 -out /etc/ssl/certs/svn.example.com.pem

4. Edit the file /etc/apache2/sites-available/default-ssl and set the certificate settings to use our just created certificate files. You'll have to modify the following lines:

SSLCertificateFile    /etc/ssl/certs/svn.example.com.pem
SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

5. Disable and enable the default-ssl site so it picks up the changes, and tell apache to reload:

a2dissite default-ssl
a2ensite default-ssl
service apache2 reload

Now, the first time you access the repo via https, the client will alert us that the certificate is not from a trusted authority. Just accept the certificate permantly. The next time you try to access you'll be prompted the user name and password and you'll be able to obtain the code.

You can check this post in spanish here

You can get future posts delivered by email or good old-fashioned RSS.
TurnKey also has a presence on Google+, Twitter and Facebook.

Comments

Liraz Siri's picture

Good point

That's a good point. We should take a look at that for the next version of the appliance.

Jeremy's picture

Good work Adrian

For my own current purposes it's not all that relevant, but it looks it would be very useful for others. Nicely written and easy to follow.

Good on you for stepping out and doing a guest blog post. Hope we hear more from you!

The OPTIONS requested returned invalid XML error

Hello.  Great post, easy to follow. I followed all the steps and am getting The OPTIONS request retured invalid XML in response: XML parser error at line1... when I try to access repo via TortoiseSVN.  Any ideas?

I have tried this process on twice, begining with a clean Turnkey install.

 

Thank you kindly.

Roman

Did you created a repo or are you trying to access the example?

Try first to stablish communicaction with the example repo (helloworld). Are you trying to access with http or https?

Give a bit more info about your case to see if we can help.

Repo works ok via browser

Hi. Sorry, forgot to mention (probably important). I can access the repo ok via browser https://server/svn/helloworld

It's only when I try to use https to 'Browse Repo' in TortoiseSVN, I get the error.

 

Thank you much for replying.

Roman

Sharing turnkey subversion folder from windows Workstation host

Hi all,

I am running this (turnkey subversion server) as a VM Workstation on a windows host.  I currently have a backup scheme that runs on the windows host, so I would like to have the host maintain the svn repository folders.  I understand this is not going to work via a samba share, but I was hoping to share the folder via Workstation and have it appear as a "native" file system on the client.  I tried installing VM ware tools, but am having a devil of a time (trying to find directory of C header files...) because the Turnkey client is skinnied down with no source code fat.

Soooo, before I knock myself out trying to get this to work, has anyone tried (and succeeded) in getting this (or something like it) to work?

thanks in advance,

Jordan

[edit] I just realized this was probably not posted in the correct forum - I appologize.  If an admin would relocate it, I'd appreciate it.

Solved

OK, I finally go this to work...

First I did this:

http://www.howtogeek.com/howto/ubuntu/how-to-share-folders-with-your-ubu...

Which led me to this (to install the tools on the client):

http://www.howtogeek.com/howto/ubuntu/install-vmware-tools-on-ubuntu-edg...

Then I soft-linked the mounted folder to /srv/repos/svn (removed the svn directory first)

And all is well with the world: I can perform my backups from my host and the client is using the folder to support svn.

Need Active Directory Authentication

This is a great How To and everything was very easy.  My problem now is I'm trying to get the authentication to go through my company's Windows Active Directory.  Has anyone done that?

Jeremy's picture

TBH I've never done it with the Revision Control app

But I have been successful in using AD authentication for a number of Linux apps. I would assume that you want some sort of LDAP module and/or plugin... I guess you'd use the Apache LDAP module?

SVN - LDAP auth

Using apache - ldap auth this should work

<Location "/svn/<repo>">
        DAV svn
        SVNPath /srv/repos/svn/<repo>
        SVNListParentPath On
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative on
        AuthName "<reponame>"
        AuthLDAPURL "ldap://<ldapserver>:389/DC=<OU1>,DC=<com>?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=binduser,DC=OU1,DC=com"
        AuthLDAPBindPassword password
        AuthzSVNAccessFile /srv/repos/svn/repo/conf/authz
        <LimitExcept GET PROPFIND OPTIONS REPORT>
        require valid-user
        allow from all
        </LimitExcept>
        Options FollowSymLinks
</Location>

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <strike> <caption>

More information about formatting options

Leave this field empty. It's part of a security mechanism.
(Dear spammers: moderators are notified of all new posts. Spam is deleted immediately)