Tuesday, October 31, 2006

Subversion and Apache

So, yesterday I came into the office with a pleasant surprise.

One of my coworkers turns around and says: "We have Apache up and running. Go to this URL and check this out."

And it's our Subversion repository over http, on Firefox, on a webpage!

When we started our process, we hadn't thought much about it. We initially went with the default svnserve option available in the 1.4 release - it worked out of the box with little to no configuration. The only problem there was user authentication. By default Subversion authenticates against a file with a pretty simple scheme:

user1 = password1
user2 = password2

Not the most secure option, to be sure. We had talked about getting Apache up and running on the server we were hosting the repository on, but it was something that I thought we might tackle sometime this week. This guy spent his weekend installing and configuring Apache to work with our repository.

He used a couple of existing resources, and we only had to iron out a couple things to get it working right. I'll point these out here.

Here's our httpd.conf:

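<Location /svn>
# "/svn" above is a placeholder URL path - use whatever path you serve the repository under
DAV svn
SVNPath x:/RepositoryPath/

# our user authentication policy
AuthName "SVN Server"
AuthType SSPI
SSPIAuthoritative On
SSPIOfferBasic On
Require valid-user

AuthzSVNAccessFile "x:/PathToOtherConfFile/AccessFileName.conf"
</Location>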

A couple of gotchas that we ran into: the SVNPath needs a trailing slash - we had some authentication problems without it. Also, make sure you have SSPIOfferBasic On set. Windows machines with logged-in domain users shouldn't have to authenticate manually - it'll pass credentials along for you. Firefox can still browse the repository, it'll just need to authenticate manually. I believe TortoiseSVN users won't need this option, but it's good to have in case you ever need to authenticate using any other client (such as the command-line version).

The AuthzSVNAccessFile looks something like this:

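[groups]
developers=DOMAIN\user1, DOMAIN\user2
# placeholder member for the managers group
managers=DOMAIN\user3

[/]
@developers=rw
@managers=r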

Basically, you have groups of users that you can define, then their repository permissions. The example above gives the developers group read/write permissions to the entire repository ("/") while managers can only read.

You could do some more complicated things, like secure certain projects in the repository. The important thing to remember is to have the usernames with the domain in all caps, followed by the username in its correct case. The username passed into the DAV module is checked against this file first, then passed on to the domain controller, and the check here is case sensitive.
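
As an added example (not part of our original setup), here's a small Python check for two access-file mistakes: a domain that isn't in all caps, and a rule that names a group never defined under [groups]. The sample file and every name in it are constructed placeholders; the script can't tell whether the username part itself has the right case, since that needs a lookup against the domain.

```python
import re
# Constructed sample access file; every name in it is a placeholder.
SAMPLE_AUTHZ = r"""
[groups]
developers = DOMAIN\user1, Domain\user2
managers = DOMAIN\user3
[/]
@developers = rw
@managers = r
[/project-x]
@auditors = r
domain\user4 = rw
"""

def parse_authz(text):
    # Returns {section: [(line_no, key, value), ...]}.
    sections, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((n, key.strip(), value.strip()))
    return sections

def bad_domain_case(name):
    # True when a DOMAIN\user name has a domain part that is not all caps.
    domain, sep, _ = name.partition("\\")
    return bool(sep) and domain != domain.upper()

def lint_authz(text):
    sections, findings = parse_authz(text), []
    groups = {name for _, name, _ in sections.get("groups", [])}
    for section, entries in sections.items():
        for n, key, value in entries:
            # [groups] lists user names on the right; path rules on the left.
            names = value.split(",") if section == "groups" else [key]
            for name in (x.strip() for x in names):
                if name.startswith("@") and name[1:] not in groups:
                    findings.append((n, f"undefined group {name}"))
                elif bad_domain_case(name):
                    findings.append((n, f"domain not upper-case in {name}"))
    return sorted(findings)

print(*lint_authz(SAMPLE_AUTHZ), sep="\n")
```

Each finding is a (line number, message) pair, so it's easy to run this before copying a changed access file onto the server.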

Also, when you install Apache, it'll give you two options - install as service (Everyone) monitoring port 80, or not as a service, run from the command line (Just Me) and monitoring at port 8080. If you're using IIS, then you'll want to choose the second option. You can reconfigure the port, of course - it's in the httpd.conf file. Just find the part that has

Listen 8080

and change it to whichever you want.

When you finally get it configured correctly, you'll probably want to install Apache as a service. It's simple - just type

apache -k install -n "MyServiceName"

in the console. (Change "MyServiceName" to something else, unless that's what you really want it to show up as.) It'll install itself in the Apache service monitor and the Windows Services menu.

One final caveat - you have to use Apache 2.0, not 2.2. The Subversion modules don't load.

Also, install Apache before you install Subversion if you can - it'll make your life much easier. The Subversion installer will detect Apache and copy all the required modules over where they need to go. If you didn't (like us) then you'll have to do it manually.

You'll need mod_authz_svn.so and mod_dav_svn.so, which should be found in your Subversion\httpd directory. Copy them to the Apache\modules directory. Then, get libdb42.bin from Subversion\bin and copy to Apache\bin. I think this is everything - if I've gotten something wrong I'll update this as necessary.

My project today is to get https working on Apache - I'll post later on how that goes.
