Configuring Subversion access via Apache on the Revision Control appliance

The following is the first guest blog post by Adrian Moya, a web developer and open source evangelist. He took first place in the TurnKey Development Contest, 2010. See more of Adrian's work on his website.

The TurnKey Revision Control appliance offers a quick version control server with 4 well-known tools for the job: Subversion, Git, Bazaar and Mercurial. Personally, I use it mostly for Subversion and Git. Although it's preconfigured with the most useful settings, I personally miss the possibility to access SVN using the http protocol (through Apache). In the following post I'll be explaining the procedure to add this feature:

1. Access the server via SSH (or via webshell in a browser at https://server-ip:12320) and log in as root using the password you set up when you installed the appliance.

2. First we need to install the Apache module that provides SVN integration. Do so by executing the following commands:

apt-get update
apt-get install libapache2-svn

3. Next, we create a file to store the users and encrypted passwords that may access the Subversion repositories. The file will be created in /etc/subversion and we will call it svn-auth-file.

We'll use htpasswd, Apache's tool for creating user files. With the -cm options we create the file for the first time (-c creates the file, replacing any existing one, and -m stores the password as an MD5-based hash). To add additional users we'll just use -m. The tool will ask for the user's password twice. We can check the generated file and its content to see the list of users created.

htpasswd -cm /etc/subversion/svn-auth-file user1
htpasswd -m /etc/subversion/svn-auth-file user2

4. Now, let's edit the websvn site settings in Apache to add security using our newly created file. We edit the file /etc/apache2/conf.d/websvn and add the 4 authentication lines. The file should look like the following:

Alias /svn /usr/share/websvn
<Directory /usr/share/websvn>
  DirectoryIndex index.php
  Options FollowSymLinks
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/subversion/svn-auth-file
  Require valid-user
</Directory>

5. We will configure Apache to access the repositories. For that, we create and edit the file /etc/apache2/conf.d/svnprivate with the following content: 

<Location /svn-private>
  DAV svn
  SVNParentPath /srv/repos/svn/
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/subversion/svn-auth-file
  Require valid-user
</Location>

6. We reload Apache's settings so the changes take effect. We must also give Apache ownership of the Subversion repo files, found at /srv/repos/svn.

service apache2 reload
chown -R www-data:www-data /srv/repos/svn/

7. We can now access our repositories. Try it by opening the URL http://server-ip/svn-private/reponame in your web browser. You'll get the standard Apache dialog asking for user and password. Input your credentials and you'll be able to browse the repository.
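
Basic authentication sends the user name and password base64-encoded with every request, so the /svn-private block from step 5 exposes them on the network whenever it is reached over plain http. The shell check below is an added example, not part of the original post: it flags Basic-auth blocks that lack mod_ssl's SSLRequireSSL directive, run on a constructed copy of the step 5 file and a hardened variant (function names are hypothetical).

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# find_cleartext_basic_auth FILE...
# Print "file:line: <tag>" for each <Location>/<Directory> block that sets
# "AuthType Basic" without "SSLRequireSSL". Heuristic: it cannot see TLS
# enforced elsewhere (a redirect, or a virtual host that only listens on 443).
find_cleartext_basic_auth() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<(location|directory)[ \t>]/ {
            tag = FILENAME ":" FNR ": " $0; basic = 0; tls = 0; next
        }
        line ~ /^[ \t]*authtype[ \t]+basic/ { basic = 1 }
        line ~ /^[ \t]*sslrequiressl/       { tls = 1 }
        line ~ /^[ \t]*<\/(location|directory)>/ {
            if (basic && !tls) print tag
        }
    ' "$@"
}

# write_samples DIR: constructed inputs. "svnprivate" is the block from
# step 5; "svnprivate.tls" is the same block with SSLRequireSSL added.
write_samples() {
    cat > "$1/svnprivate" <<'EOF'
<Location /svn-private>
  DAV svn
  SVNParentPath /srv/repos/svn/
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/subversion/svn-auth-file
  Require valid-user
</Location>
EOF
    awk '{ print } /DAV svn/ { print "  SSLRequireSSL" }' \
        "$1/svnprivate" > "$1/svnprivate.tls"
}

# Demo: only the original block is reported.
tmp=$(mktemp -d)
write_samples "$tmp"
find_cleartext_basic_auth "$tmp/svnprivate" "$tmp/svnprivate.tls"
rm -rf "$tmp"
```

With SSLRequireSSL in place, requests to /svn-private over plain http are refused, so clients have to use the https URL set up in the next section.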

Adding Secure Access SSL (https)

If we try to check out using the svn client via https, we'll get the following error:

"Server certificate was missing commonName attribute in subject name"

To access a repository over https, the svn client requires the server's certificate to have the commonName attribute, which is empty in the default certificate. So we need to create a new certificate which contains that attribute. We can do that with the following commands (I'll use an FQDN of svn.example.com as an example):

1. Install the openssl tools:

apt-get install openssl

2. We create the certificate key using the fqdn as the name (so we know that certificate belongs to that domain): 

openssl genrsa 4096 > /etc/ssl/private/svn.example.com.key

3. Generate the certificate, and be sure to put something in the value of attribute commonName when asked. You can put the fqdn there (svn.example.com).

openssl req -new -key /etc/ssl/private/svn.example.com.key -x509 -days 365 -out /etc/ssl/certs/svn.example.com.pem

4. Edit the file /etc/apache2/sites-available/default-ssl and set the certificate settings to use our newly created certificate files. You'll have to modify the following lines:

SSLCertificateFile    /etc/ssl/certs/svn.example.com.pem
SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

5. Disable and enable the default-ssl site so it picks up the changes, and tell Apache to reload:

a2dissite default-ssl
a2ensite default-ssl
service apache2 reload

Now, the first time you access the repo via https, the client will warn you that the certificate is not from a trusted authority. Just accept the certificate permanently. The next time you access it, you'll be prompted for the user name and password and you'll be able to obtain the code.
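
Steps 2 and 3 without the interactive prompts, followed by a check for the attribute the svn client complained about. This is an added example, not part of the original post; the helper names, the temporary directory and the second certificate without a commonName are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Helper names, the temporary
# directory and the CN-less certificate are constructed for illustration.

# make_cert KEY CERT SUBJECT [BITS]
# Self-signed certificate as in steps 2-3, but with the subject given on the
# command line instead of typed at the prompts.
make_cert() {
    ( umask 077    # create the private key readable by its owner only
      openssl genrsa -out "$1" "${4:-4096}" 2>/dev/null ) &&
    openssl req -new -x509 -key "$1" -days 365 -subj "$3" -out "$2"
}

# cert_common_name CERT: print the subject commonName, or nothing if absent.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# has_common_name CERT: succeed only if the certificate carries a commonName.
has_common_name() { [ -n "$(cert_common_name "$1")" ]; }

# Demo with 2048-bit keys to keep it quick; make_cert defaults to 4096.
dir=$(mktemp -d)
make_cert "$dir/svn.key"  "$dir/svn.pem"  "/CN=svn.example.com" 2048
make_cert "$dir/nocn.key" "$dir/nocn.pem" "/O=Example" 2048
for cert in "$dir/svn.pem" "$dir/nocn.pem"; do
    if has_common_name "$cert"; then
        echo "ok:      $cert CN=$(cert_common_name "$cert")"
    else
        echo "missing: $cert has no commonName"
    fi
done
rm -rf "$dir"
```

On the appliance, call make_cert with the /etc/ssl/private and /etc/ssl/certs paths from steps 2 and 3, and run has_common_name on the result before reloading Apache.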

You can also read this post in Spanish here

Comments

Jeremiah's picture

Nice job.  Your instructions are very clear.  I wonder if it would make sense to have this capability built into the appliance in the first place.

Liraz Siri's picture

That's a good point. We should take a look at that for the next version of the appliance.

Jeremy Davis's picture

For my own current purposes it's not all that relevant, but it looks like it would be very useful for others. Nicely written and easy to follow.

Good on you for stepping out and doing a guest blog post. Hope we hear more from you!

Adrian Moya's picture

Try first to establish communication with the example repo (helloworld). Are you trying to access with http or https?

Give a bit more info about your case to see if we can help.

jordanthompson's picture

Hi all,

I am running this (TurnKey Subversion server) as a VM Workstation on a Windows host. I currently have a backup scheme that runs on the Windows host, so I would like to have the host maintain the svn repository folders. I understand this is not going to work via a samba share, but I was hoping to share the folder via Workstation and have it appear as a "native" file system on the client. I tried installing VMware Tools, but am having a devil of a time (trying to find directory of C header files...) because the TurnKey client is skinnied down with no source code fat.

Soooo, before I knock myself out trying to get this to work, has anyone tried (and succeeded) in getting this (or something like it) to work?

thanks in advance,

Jordan

[edit] I just realized this was probably not posted in the correct forum - I apologize. If an admin would relocate it, I'd appreciate it.

jordanthompson's picture

OK, I finally got this to work...

First I did this:

http://www.howtogeek.com/howto/ubuntu/how-to-share-folders-with-your-ubu...

Which led me to this (to install the tools on the client):

http://www.howtogeek.com/howto/ubuntu/install-vmware-tools-on-ubuntu-edg...

Then I soft-linked the mounted folder to /srv/repos/svn (removed the svn directory first)

And all is well with the world: I can perform my backups from my host and the client is using the folder to support svn.

Jeremy Davis's picture

But I have been successful in using AD authentication for a number of Linux apps. I would assume that you want some sort of LDAP module and/or plugin... I guess you'd use the Apache LDAP module?
