WOW, I'll try it out as soon as I have the server back :-)

/thanks adrian

2007/10/3, Thibault Genessay <[EMAIL PROTECTED]>:
>
> Hi Adrian
>
> Here's how I installed and configured apache for svn + dav + ssl on our
> SVN server. It has not been hacked so far, but who knows, my configuration
> might also be breakable. I'm not running svnserve at all, and got no problem
> accessing my repo from tortoise svn on windows, and the command line svn on
> linux.
>
> I use a Debian 4 box. The paths may change for another linux distribution
> but I guess the method remains the same. This tutorial assumes that your
> box's URL is 'mybox.osg.com'
>
> 1) install apache2 and openssl if not already done. Also, install the SVN
> package for apache2 (on debian it is 'libapache2-svn')
> 2) make sure mod_dav and auth_basic modules are activated by looking into
> /etc/apache2/mods-enabled (if a symlink is present, the module is
> activated). By default basic_auth is. Use 'a2enmod' to activate the modules
> 'dav' and 'dav_svn'.
> 3) set up a virtual host for your HTTPS server. You can use the following
> file as a replacement for '/etc/apache2/sites-available/default'
>
> NameVirtualHost *:443
> <VirtualHost *:443>
>     ServerAdmin [EMAIL PROTECTED]
>
>     SSLEngine on
>     SSLCertificateFile /etc/apache2/ssl/server.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/server.pem
>
>     ServerName mybox.osg.com
>
>     DocumentRoot /var/www/mysite/
>
>     <Directory />
>         AuthType Basic
>         Require valid-user
>         AuthName "My site"
>         AuthUserFile /etc/apache2/mysite.pwd
>         Options FollowSymLinks
>         AllowOverride None
>     </Directory>
>
>     # Subversion
>     <Location /svn>
>         DAV svn
>         SVNPath /var/svn/projects
>         AuthType Basic
>         AuthName "Subversion repository"
>         AuthUserFile /etc/apache2/mysite-svn.pwd
>         Require valid-user
>     </Location>
>     ErrorLog /var/log/apache2/error.log
>
>     # Possible values include: debug, info, notice, warn, error, crit,
>     # alert, emerg.
>     LogLevel warn
>
>     CustomLog /var/log/apache2/access.log combined
>     ServerSignature Off
>
> </VirtualHost>
>
> As you can see, we've assumed that several files and directories exist:
> - the website itself, located in /var/www/mysite/ (does not really *need*
> to exist, if you only need subversion)
> - the svn repository, located in /var/svn/projects
> - the /etc/apache2/ssl/server.crt and /etc/apache2/ssl/server.pem files,
> which constitute the SSL certificate
> - /etc/apache2/mysite.pwd and /etc/apache2/mysite-svn.pwd. Those are
> apache password files created with htpasswd. If the users that can access
> the web page are the same as the users that can use SVN, you can use the
> same file.
>
> 4) now create a self-signed RSA certificate (of course, if you have your
> own signed certificate, use it). This procedure is a very brief summary of
> what can be found on
> http://www.akadia.com/services/ssh_test_certificate.html
>
> cd /tmp
> # Create a private key
> openssl genrsa -des3 -out server.key 1024
> # Create a sign request
> openssl req -new -key server.key -out server.csr
> # Remove the password from the private key so that we don't type it each time apache starts
> cp server.key server.key.org
> openssl rsa -in server.key.org -out server.key
> # Sign the certificate using the request
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> # Install the stuff
> mkdir /etc/apache2/ssl
> # The vhost above expects the private key at /etc/apache2/ssl/server.pem
> cp server.crt /etc/apache2/ssl/server.crt
> cp server.key /etc/apache2/ssl/server.pem
> chmod 400 /etc/apache2/ssl/*
>
> 5) Populate your HTTPS password file(s) by using 'htpasswd'. E.g. if you
> want 'bobby' and 'scotty' to access your repo, then you can do
> htpasswd -c /etc/apache2/mysite-svn.pwd bobby
> htpasswd /etc/apache2/mysite-svn.pwd scotty
>
> 6) make sure that your various passwords and certificates files are only
> readable by root
>
> 7) Restart apache and you're done
>
> I certainly have forgotten something so it won't work "as is" - it never
> does - but you've got the plan
>
> Note that this configuration allows for a very simple access scheme: the
> persons listed in your mysite-svn.pwd will be given read-write access. So
> the access is all or nothing. This might not be sufficient for your needs.
> If you need finer grained access control, have a look at the
> AuthzSVNAccessFile directive, e.g. adding
> AuthzSVNAccessFile /etc/apache2/dav_svn.authz
> in your <Location /svn> section will allow you to configure the r/w
> accesses with the dav_svn.authz file.
>
> Hope this helps!
>
> Cheers
>
> Thibault
>
> On 10/2/07, Adrian Egli <[EMAIL PROTECTED]> wrote:
> >
> > hi
> >
> > We had a really bad attack on our svn server last night. It runs
> > under linux, and I am not a linux expert. So I would like to
> > run svn in apache, and only when I work with it should the svn server
> > be executed. Is there an expert out there who can help me
> > with a step-by-step manual?
> >
> > I used just svnserve, and maybe I made a huge mistake opening the firewall
> > :-(
> >
> > many thanks
> >
> > /adegli
> >
> > --
> > ********************************************
> > Adrian Egli
> > _______________________________________________
> > osg-users mailing list
> > [email protected]
> > http://lists.openscenegraph.org/listinfo.cgi/osg-users-openscenegraph.org

--
********************************************
Adrian Egli
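
The check in step 6 of the quoted message, as an added example that is not part of the original thread: a POSIX shell audit of the key and password files that a vhost like the one above references. It assumes the private key should be owner-only, while the password and authz files, which Apache's worker processes open at request time, only need to be closed to "other"; the function names and the two levels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the secret files a vhost names.
# Levels are an assumption of this sketch:
#   strict  = no group/other bits (private key, read by root at startup)
#   noworld = no "other" bits (password/authz files read by worker processes)

# check_secret FILE LEVEL [UID] -> 0 if FILE passes, 1 otherwise
check_secret() {
    cs_file=$1 cs_level=$2 cs_uid=${3:-0}
    [ -f "$cs_file" ] || { echo "MISSING $cs_file"; return 1; }
    # POSIX "ls -ln": field 1 = mode string, field 3 = numeric owner.
    # -L follows symlinks so the target itself is what gets judged.
    set -- $(ls -lnL "$cs_file")
    case $cs_level in
        strict) cs_bits=$(printf '%s' "$1" | cut -c5-10); cs_want="------" ;;
        *)      cs_bits=$(printf '%s' "$1" | cut -c8-10); cs_want="---" ;;
    esac
    [ "$3" = "$cs_uid" ] || { echo "OWNER $cs_file uid=$3 want=$cs_uid"; return 1; }
    [ "$cs_bits" = "$cs_want" ] || { echo "PERMS $cs_file $1"; return 1; }
    echo "OK $cs_file"
}

# audit_vhost CONF [UID] -> non-zero if any referenced file fails
audit_vhost() {
    av_uid=${2:-0} av_rc=0
    # awk prints "LEVEL PATH" for each directive used in the post's vhost
    av_list=$(awk '
        $1 == "SSLCertificateKeyFile" { gsub(/"/, "", $2); print "strict", $2 }
        $1 == "AuthUserFile" || $1 == "AuthzSVNAccessFile" {
            gsub(/"/, "", $2); print "noworld", $2 }' "$1" | sort -u)
    while read -r av_level av_path; do
        [ -n "$av_path" ] || continue
        check_secret "$av_path" "$av_level" "$av_uid" || av_rc=1
    done <<EOF
$av_list
EOF
    return "$av_rc"
}

# Run as a script: sh audit.sh /etc/apache2/sites-available/default
[ $# -eq 0 ] || audit_vhost "$@"
```

The optional UID argument exists so the functions can be exercised on scratch files as a non-root user; on the server it defaults to 0 (root).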

