Secure SVN Server on Leopard

It's been a long time since I've set up an SVN server. I've been putting it off for a while now, until I came across this: http://www.sonzea.com/articles/subversion-trac.html. Given the simplicity of it, I couldn't not set one up.

In case the site one day disappears, I outline below (almost verbatim in terms of the shell commands) what can be found on the above-mentioned site. I want to make it perfectly clear that what I outline below was not originally written by me; I want to give credit where it's due.

Preliminaries

The instructions outlined below should not give you any problems if you're using all of the programs as provided by Leopard, namely Apache 2 and SVN 1.4.4. It should be noted that if you have a more recent version of SVN, you may run into issues connecting to your repository through http. I was initially running SVN 1.6.2 (which is not the version that ships with Leopard) and ran into such issues. It wasn't until I reverted back to 1.4.4 that my problems were solved.

Step 0 - Creating our SVN repository

First we need to create an SVN repository. It is handed over to the www user because that is the user Apache runs as on Leopard, and mod_dav_svn will read and write the repository on Apache's behalf:

$ cd /usr/local
$ sudo svnadmin create svnrepo
$ sudo chown -R www svnrepo

Next we will create the initial directory structure that is pretty much standard amongst SVN repositories. The checkout lands in /tmp/svnrepo, so the mkdir and the commit have to be run from inside that working copy; the commit needs sudo because the repository is now owned by www:

$ cd /tmp
$ svn co file:///usr/local/svnrepo
$ cd svnrepo
$ svn mkdir tags branches trunk
A     tags
A     branches
A     trunk
$ sudo svn ci -m "initial structure"
Adding branches
Adding tags
Adding trunk

Committed revision 1.

Step 1 - Enabling HTTP access

Create the following file:

/etc/apache2/extra/httpd-subversion.conf

Inside this file put:

LoadModule dav_svn_module libexec/apache2/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache2/mod_authz_svn.so

<Location /svnrepo>
    DAV svn
    SVNPath /usr/local/svnrepo
</Location>

Open the file:

/etc/apache2/httpd.conf

Append the following just after the SSL/TLS include:

# Subversion
Include /private/etc/apache2/extra/httpd-subversion.conf

Note: On Mac OS X /etc is a symbolic link to /private/etc. So don't be confused as to why we created httpd-subversion.conf in /etc/apache2/extra, yet we're specifying that it's in /private/etc/apache2/extra. We're referring to the same file here, and are using the /private-prefixed location since this style is already used in httpd.conf.

Restart Apache:

$ sudo apachectl restart

Now visit http://localhost/svnrepo . You should see the revision 1 listing (branches, tags, trunk) we created in Step 0. Be aware that at this point anyone who can reach the server can read from and commit to the repository over plain HTTP without any credentials; Steps 2 to 4 close that hole, so don't expose the server to a network before they are done.

Step 2 - Adding Secure Sockets Layer (SSL) to Apache

As referenced in the original article, this section was adapted from the material found at http://www.tc.umn.edu/~brams006/selfsign.html

Generate your own Certificate Authority (CA). The CA certificate is given ten years so that it outlives the server certificates it will sign: clients reject a chain whose CA has expired, no matter how long the server certificate itself is valid.

$ sudo openssl genrsa -des3 -out ca.key 4096
Enter pass phrase for ca.key: *****
Verifying - Enter pass phrase for ca.key: *****

$ sudo openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key: ***** (the password you just chose)
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: State
Locality Name (eg, city) []: City
Organization Name (eg, company) []: company name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: name
Email Address []:

For the CA the Common Name is just a label (something like "Company Internal CA" is a good choice); it is the server certificate's Common Name, further down, that has to match a host name.

The password you entered above is the ca.key password. You will be asked in the next steps to create a server password. It is important to keep these separate and enter the correct one when prompted later on.

Now we need to generate a server key:

$ sudo openssl genrsa -des3 -out server.key 4096
Enter pass phrase for server.key: ****
Verifying - Enter pass phrase for server.key: ****

The password you entered above is the server key password. This is different from the ca.key password.

Now we need to generate a certificate signing request (CSR). This one asks for the server key password. The Common Name must be the host name clients will type into the URL (localhost, or the machine's fully qualified name); if it doesn't match, every client will complain that the certificate is for the wrong host:

$ sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: ****
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) []: company name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: servername
Email Address []:

A challenge password []:
An optional company name []:

Now we need to sign the CSR with the CA. It is the CA's key that does the signing, so this step asks for the ca.key password, not the server key password (the prompt says so). The server certificate gets one year; it must not outlive the CA that signs it:

$ sudo openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=State/L=City/O=company/CN=server
Getting CA Private Key
Enter pass phrase for ca.key: *****

Now we want to make an unencrypted version of our key so Apache doesn't ask for a passphrase each time it's restarted. We will need to specify the server key password when prompted, not the ca.key password. Because the resulting server.key opens the TLS session for anyone who can read it, it must be readable by root only; the same goes for ca.key, which can mint certificates your clients will trust. Note that chmod on the copies in the working directory does nothing for the copies in /etc/apache2, which cp creates with the default umask, so the mode is set on the installed files:

$ sudo openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:
writing RSA key
$ sudo mv server.key server.key.secure

$ sudo mv server.key.insecure server.key
$ sudo chmod 600 server.key server.key.secure ca.key
$ sudo cp server.key /etc/apache2/server.key
$ sudo cp server.crt /etc/apache2/server.crt

$ sudo chmod 600 /etc/apache2/server.key
$ sudo chmod 600 /etc/apache2/server.crt

Check that SSLCertificateFile and SSLCertificateKeyFile in /etc/apache2/extra/httpd-ssl.conf point at those two files; that is why they are copied to these exact paths.
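The whole key ceremony of this step, written as one non-interactive script. This is an added example and not part of the original article; it makes the choices explicit that the interactive prompts above hide: the CA outlives the server certificate, the server name goes into a subjectAltName (modern clients check that rather than the Common Name), the passphrases reach openssl through the environment instead of the command line (where ps would show them), and the private keys are owner-only from the moment they are written. OUT_DIR, SVN_HOST, CA_PASS and SERVER_PASS are assumed names with constructed default values; the organisation names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: Step 2's key ceremony as one
# non-interactive script. Assumptions (all illustrative):
#   OUT_DIR               scratch directory for the generated files
#   SVN_HOST              the host name clients will put in their https:// URLs
#   CA_PASS, SERVER_PASS  constructed passphrases, handed to openssl through the
#                         environment (env:VAR) rather than on argv
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
SVN_HOST="${SVN_HOST:-svn.example.com}"
CA_DAYS="${CA_DAYS:-3650}"        # the CA must outlive every certificate it signs
SERVER_DAYS="${SERVER_DAYS:-365}"
export CA_PASS="${CA_PASS:-ca-passphrase-change-me}"
export SERVER_PASS="${SERVER_PASS:-server-passphrase-change-me}"

make_ca() {
    umask 077   # every file created from here on is owner-only from the start
    openssl genrsa -aes256 -passout env:CA_PASS -out "$OUT_DIR/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days "$CA_DAYS" -key "$OUT_DIR/ca.key" -passin env:CA_PASS \
        -subj "/C=US/O=Example Co/CN=Example Co Internal CA" -out "$OUT_DIR/ca.crt"
}

make_server_cert() {
    umask 077
    openssl genrsa -aes256 -passout env:SERVER_PASS -out "$OUT_DIR/server.key.secure" 4096 2>/dev/null
    # The CN is the name clients connect to; modern clients check the SAN
    # instead of the CN, so the same name goes into both.
    openssl req -new -key "$OUT_DIR/server.key.secure" -passin env:SERVER_PASS \
        -subj "/C=US/O=Example Co/CN=$SVN_HOST" -out "$OUT_DIR/server.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SVN_HOST" > "$OUT_DIR/server.ext"
    # Signing uses the CA key, so this is the one step that needs CA_PASS.
    openssl x509 -req -days "$SERVER_DAYS" -in "$OUT_DIR/server.csr" \
        -CA "$OUT_DIR/ca.crt" -CAkey "$OUT_DIR/ca.key" -passin env:CA_PASS \
        -CAcreateserial -extfile "$OUT_DIR/server.ext" -out "$OUT_DIR/server.crt" 2>/dev/null
    # Apache needs the key without a passphrase to restart unattended; the
    # decrypted copy is the one httpd-ssl.conf points at, so it must stay 0600.
    openssl rsa -in "$OUT_DIR/server.key.secure" -passin env:SERVER_PASS \
        -out "$OUT_DIR/server.key" 2>/dev/null
    chmod 600 "$OUT_DIR/ca.key" "$OUT_DIR/server.key.secure" "$OUT_DIR/server.key"
}

# Prints "OK" when server.crt chains to ca.crt, otherwise openssl's reason.
verify_chain() {
    openssl verify -CAfile "$OUT_DIR/ca.crt" "$OUT_DIR/server.crt" 2>&1 | sed 's/^.*: //' | tail -n 1
}

# Prints how many SAN entries in server.crt carry the client-facing name.
san_matches_host() {
    openssl x509 -in "$OUT_DIR/server.crt" -noout -text | grep -c "DNS:$SVN_HOST" || true
}

# Prints 1 when the file is readable by its owner only, else 0.
is_owner_only() {
    if [ -n "$(find "$1" -perm -004 -o -perm -040)" ]; then echo 0; else echo 1; fi
}

if command -v openssl >/dev/null 2>&1; then
    make_ca
    make_server_cert
    echo "chain: $(verify_chain); server key owner-only: $(is_owner_only "$OUT_DIR/server.key"); files in $OUT_DIR"
fi
```

Run it with SVN_HOST set to the name in your https:// URLs, then copy $OUT_DIR/server.key and $OUT_DIR/server.crt to /etc/apache2 as above and keep ca.key somewhere that is not on the web server at all; it is only needed again when the server certificate is renewed. ca.crt is the file to hand to clients.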

Open the file:

/etc/apache2/httpd.conf

Change the following:

# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf

to

# Secure (SSL/TLS) connections
Include /private/etc/apache2/extra/httpd-ssl.conf

Restart Apache:

$ sudo apachectl restart

Now visit your server's main page using the HTTPS protocol: https://localhost. It should be the same as using the HTTP protocol: http://localhost. Your browser will warn about the certificate, because it is signed by a CA nobody has heard of; that is expected. To make the warnings go away, and to make the connection actually verifiable rather than click-through, import ca.crt into each client's trust store (Keychain Access on a Mac). For the svn command line client the equivalent is ssl-authority-files = /path/to/ca.crt in the [global] section of ~/.subversion/servers; without it the client will ask you to accept the certificate on first use and can't tell a man-in-the-middle's certificate from yours.

Step 3 - Modifying SVN to use SSL

Open the file:

/etc/apache2/extra/httpd-subversion.conf

Modify the contents to look like:

LoadModule dav_svn_module libexec/apache2/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache2/mod_authz_svn.so

<Location /svnrepo>
    DAV svn
    SVNPath /usr/local/svnrepo
    SSLRequireSSL
</Location>

Restart Apache:

$ sudo apachectl restart

Now visit your repository via HTTPS: https://localhost/svnrepo . If you visit it using plain HTTP instead, http://localhost/svnrepo , Apache now answers 403 Forbidden: SSLRequireSSL rejects any request that did not arrive over TLS, which is what keeps the passwords added in the next step off the wire.

Step 4 - Modify SVN to Require Security Credentials


Create the authentication file. The -c flag creates the file and -m stores an MD5 (apr1) hash rather than the password itself; the file is owned by www because Apache reads it as that user while handling requests, and mode 600 keeps everyone else out of it:

$ sudo htpasswd -cm /etc/apache2/subversion.auth harry
New password: *****
Re-type new password: *****
Adding password for user harry
$ sudo chmod 600 /etc/apache2/subversion.auth
$ sudo chown www /etc/apache2/subversion.auth

The username and password specified above (harry and *****, respectively) will be required to log into your repository when you access it. To add further users later, run htpasswd -m /etc/apache2/subversion.auth username without -c; -c would recreate the file and wipe the existing accounts.

Open the file:

/etc/apache2/extra/httpd-subversion.conf

Modify the contents to look like:

LoadModule dav_svn_module libexec/apache2/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache2/mod_authz_svn.so

<Location /svnrepo>
    DAV svn
    SVNPath /usr/local/svnrepo

    # Require SSL connection for password protection.
    SSLRequireSSL

    # How to authenticate a user
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /private/etc/apache2/subversion.auth

    # Only authenticated users may access the repository
    Require valid-user
</Location>
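The configuration above loads mod_authz_svn but never uses it, so every valid user has full read and write access to the whole repository. The following is an added example, not the article's own configuration: the same httpd-subversion.conf with an AuthzSVNAccessFile so that authenticated users get per-path rights. The access-file path /private/etc/apache2/subversion.authz and the user and group names below are illustrative.

```apache
LoadModule dav_svn_module libexec/apache2/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache2/mod_authz_svn.so

<Location /svnrepo>
    DAV svn
    SVNPath /usr/local/svnrepo

    # Basic auth only encodes the password (base64), it does not protect it,
    # so plain HTTP is refused outright with 403 before any credential is sent.
    SSLRequireSSL

    # Who the user is: checked against the htpasswd file from Step 4.
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /private/etc/apache2/subversion.auth

    # What the user may do, per path, from the access file (assumed path).
    # With Apache's default of "Satisfy All", Require valid-user is enforced
    # first, so anonymous requests never reach the path rules.
    AuthzSVNAccessFile /private/etc/apache2/subversion.authz
    Require valid-user
</Location>
```

The access file is INI-style: a [groups] section such as developers = harry, sally; a [/] section whose first line is * = (nobody gets anything by default) followed by @developers = r (the group may read everywhere); and then [/trunk] with @developers = rw to allow writes under trunk only. Add a [/tags] section with only a release manager given rw if tags are meant to be immutable for everyone else. Apache has to be restarted after each change to httpd-subversion.conf, but edits to the access file take effect on the next request.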

Restart apache:

$ sudo apachectl restart

Now visit https://localhost/svnrepo. You should be asked to enter a username and password. Enter the same credentials you specified above and the repository should load. From the command line the same thing is svn co https://localhost/svnrepo; the client will prompt to accept the certificate (unless you configured ssl-authority-files as described in Step 2) and then for the username and password.

And that's it!

Filed under  //   mac   svn  
