Set up Subversion securely on CentOS
So you have a CentOS box and want to set up a Subversion server behind Apache securely, but keep finding only tutorials which are either:
- Not for CentOs
- Outdated
- Not focused on security at all
Search no more. I just went through the process with CentOS 4.4, and here’s a walkthrough on how to do it.
I’ll assume that you already have Apache 2 running. Install Subversion along with the Apache module that provides WebDAV access to repositories (the package is called subversion, not svn):
server# yum install subversion mod_dav_svn
To confirm which version you have and which repository access (RA) modules it was built with, run
server# svn --version
which lists the available protocols. You should see at least the following:
* ra_dav : Module for accessing a repository via WebDAV (DeltaV) protocol.
- handles 'http' scheme
- handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
- handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
- handles 'file' scheme
Once Subversion is installed, you’ll need a directory in which to store the repositories. I’m using /home/subversion, so that it gets backed up along with the rest of the home directories. That directory will hold three things: Subversion’s stylesheets for the web listing, the repositories themselves, and the access control files.
server# mkdir /home/subversion
server# mkdir /home/subversion/repos
server# mkdir /home/subversion/access
I’m creating a separate repos directory because several repositories will live under the same tree. If you want to use Subversion’s stylesheet for the web listing (which this tutorial assumes), copy it into the subversion directory, and give it its own subdirectory, as that will come in handy later. The documentation directory carries the installed package version in its name, so adjust 1.4.3 to whatever rpm -q subversion reports:
server# mkdir /home/subversion/styles
server# cp /usr/share/doc/subversion-1.4.3/tools/xslt/svnindex* /home/subversion/styles
You should next create your first repository, let’s call it test.
server# svnadmin create /home/subversion/repos/test
Since Apache will be the one reading and writing the repositories, hand them to the apache group and make them group-writable. Every commit over HTTP is performed by the apache user, so nothing more permissive than this is needed:
server# chgrp apache -R /home/subversion/repos
server# chmod g+w -R /home/subversion/repos
We now have everything set up on the Subversion side, but Apache still needs some configuration. First, user authentication. Since access is over the web, I’d much rather not expose the system accounts, and use a separate set of credentials instead. Let’s create a password file in the access directory we created a moment ago:
server# cd /home/subversion/access
server# htpasswd -cm users mysvnuser
It will prompt for a password. Pick a sufficiently random one yourself, or have a generator such as randpass.com produce it. Note that -c creates a new file (overwriting any existing one, so never rerun it once you have users in it) and -m stores MD5-based hashes instead of crypt(3) ones; to add another user later, use
server# htpasswd -m users secondsvnuser
Now create the file that states what each user may do with each repository. In the same directory:
server# nano control
Fill it with entries describing the users’ permissions. Sections are named [repository:/path]; a user who is not listed for a repository gets no access to it at all, and rights granted at a path are inherited by everything below it unless a more specific section says otherwise. Assuming mysvnuser has read and write permission on test but only read permission on secondtest, the file would be:
[test:/]
mysvnuser = rw
[secondtest:/]
mysvnuser = r
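To see what a control file actually grants, here is a small resolver. It is an added example for this page, not code from the tutorial or from Subversion, and it applies the rules that mod_authz_svn's documentation describes: rights are inherited down the path tree, the most specific path wins, at a given path the repository-specific section [repo:/path] is consulted before the global [/path] one, @groups (which may nest) and * are expanded, and a user whom no matching section mentions gets nothing. The sample access file is constructed for the example and extends the two-repository one above with a [groups] block and a global section. Where several entries in one section match the same user, this toy takes the union of their rights; how mod_authz_svn reconciles such overlaps is not modelled here, so keep your sections unambiguous.

```python
"""Toy resolver for a Subversion path-based access file (AuthzSVNAccessFile)."""
import configparser
import posixpath

# Constructed sample: the tutorial's two repositories plus a group and a global section.
CONTROL = """\
[groups]
devs = mysvnuser, secondsvnuser
# A section with no repository prefix applies to every repository under SVNParentPath.
[/]
@devs = r
[test:/]
mysvnuser = rw
[test:/tags]
mysvnuser = r
[secondtest:/]
mysvnuser = r
secondsvnuser =
"""


def parse_authz(text):
    """Return (groups, rules): groups maps name -> members, rules maps (repo, path) -> {who: rights}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",), interpolation=None)
    cp.optionxform = str                        # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = [m.strip() for m in (members or "").split(",") if m.strip()]
    rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        repo, sep, path = section.partition(":")
        if not sep:                             # "[/path]" form: applies to every repository
            repo, path = None, section
        rules[(repo, posixpath.normpath(path))] = {k: (v or "") for k, v in cp.items(section)}
    return groups, rules


def in_group(user, group, groups, seen=frozenset()):
    """Group membership, following nested @groups and tolerating cycles."""
    if group in seen:
        return False
    for member in groups.get(group, []):
        if member.startswith("@"):
            if in_group(user, member[1:], groups, seen | {group}):
                return True
        elif member == user:
            return True
    return False


def entry_applies(who, user, groups):
    """Does the entry name 'who' (user, @group or *) cover this user?"""
    if who == "*":
        return True
    if who.startswith("@"):
        return in_group(user, who[1:], groups)
    return who == user


def section_rights(entries, user, groups):
    """Union of the rights of every entry that mentions the user; None if the section is silent."""
    matched, rights = False, set()
    for who, value in entries.items():
        if entry_applies(who, user, groups):
            matched = True
            rights |= set(value) & {"r", "w"}   # an empty value is an explicit deny
    return rights if matched else None


def rights_for(user, repo, path, authz):
    """Effective rights ("", "r" or "rw") of user on repo:path, walking from path up to /."""
    groups, rules = authz
    current = posixpath.normpath("/" + path.lstrip("/"))
    while True:
        # Repository-specific section first, then the global section for the same path.
        for key in ((repo, current), (None, current)):
            if key in rules:
                rights = section_rights(rules[key], user, groups)
                if rights is not None:
                    return "".join(sorted(rights))
        if current == "/":
            return ""                           # nobody mentioned the user: access denied
        current = posixpath.dirname(current)


if __name__ == "__main__":
    authz = parse_authz(CONTROL)
    for user in ("mysvnuser", "secondsvnuser", "mallory"):
        for repo, path in (("test", "/trunk"), ("test", "/tags/v1"), ("secondtest", "/")):
            print(f"{user:14} {repo}:{path:9} -> {rights_for(user, repo, path, authz) or '(none)'}")
```

Running it shows the two things people most often get wrong: secondsvnuser can read test only because of the global [/] section, and the explicit empty entry in [secondtest:/] denies that same user even though the global section would have granted read.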
We’ll now create a self-signed SSL certificate, following the steps of a Dev411 article. The commands are reproduced here; see that article if you want a fuller description of each one.
server# openssl genrsa -des3 -out svn.key 2048
server# openssl rsa -in svn.key -out svn.pem
server# openssl req -new -key svn.pem -out svn.csr
server# openssl x509 -req -days 365 -in svn.csr -signkey svn.pem -out svn.crt
In short: genrsa makes a passphrase-protected RSA key (the original recipe used 1024 bits and seeded the generator from local files with -rand; 1024-bit RSA is too small today, so use 2048 or more), openssl rsa writes an unencrypted copy of it so that Apache can start without prompting for the passphrase, req builds a signing request (answer svn.yoursitename.com for the Common Name, since that is what clients will compare against the host name), and x509 self-signs it for a year. Because the certificate is self-signed, browsers and the svn client will warn the first time they see it; verify its fingerprint against the server’s copy (openssl x509 -in svn.crt -noout -fingerprint) before accepting it. Now we have our key file, svn.pem, and our certificate, svn.crt. Copy them into the Apache directories and remove all permissions for anyone but root, since svn.pem is the unencrypted key:
server# cp svn.crt /etc/httpd/conf/ssl.crt/
server# cp svn.pem /etc/httpd/conf/ssl.key/
server# chmod go-rwx /etc/httpd/conf/ssl.crt/svn.crt
server# chmod go-rwx /etc/httpd/conf/ssl.key/svn.pem
And now, with the repository created, users entered and certificates generated, let’s configure Apache.
server# nano /etc/httpd/conf.d/svnsite.conf
Let’s suppose you’ll be serving this from a separate name, svn.yoursitename.com. Port 443 may already be taken by another site, so this example uses port 447 instead (clients will have to include :447 in every URL). It is also worth adding SSLProtocol all -SSLv2 -SSLv3 next to SSLEngine so that clients cannot negotiate the obsolete protocol versions.
<VirtualHost svn.yoursitename.com:447>
DocumentRoot "/home/subversion/styles"
ServerName svn.yoursitename.com
SSLEngine on
# Only high-grade ciphers, no anonymous DH, no MD5. The default list this replaces
# (ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP) still allowed LOW,
# export-grade and SSLv2 ciphers.
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /etc/httpd/conf/ssl.crt/svn.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/svn.pem
<Location /repos>
DAV svn
SVNParentPath /home/subversion/repos
SVNIndexXSLT "/svnindex.xsl"
AuthzSVNAccessFile /home/subversion/access/control
Satisfy all
Require valid-user
# how the users named in the access file prove who they are
AuthType Basic
AuthName "Subversion Repositories at yoursitename.com"
AuthUserFile /home/subversion/access/users
</Location>
ServerAdmin webmaster@yoursitename.com
</VirtualHost>
See how we used /home/subversion/styles as the document root? You might be tempted to skip that directory and use /home/subversion itself, but that would be a bad idea: Apache would then happily serve https://svn.yoursitename.com:447/access/users, handing your password hashes to anyone for offline cracking, along with the control file and the raw repository directories. Keep only material that is meant to be public under DocumentRoot.
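Before restarting Apache it is worth checking the finished fragment mechanically. The script below is an added example for this page, not code from the tutorial or from Apache. It embeds a hardened variant of the VirtualHost above as constructed input (same paths, with the cipher list narrowed to HIGH:!aNULL:!MD5 and an SSLProtocol line added) and checks three things: that no sensitive path (the users and control files, the repositories, the private key) lies under DocumentRoot, that the SSLCipherSuite string does not positively include LOW, EXPORT, RC4 or SSLv2 tokens, and that a key file's mode has no group or other bits. The cipher check is a token-level lint only; openssl ciphers -v '<suite>' shows what a string really enables.

```python
"""Sanity checks for an mod_dav_svn VirtualHost fragment: path exposure, ciphers, key mode."""
import os
import posixpath
import shlex

# Constructed input: the tutorial's VirtualHost with a hardened cipher list and SSLProtocol.
GOOD_CONF = """\
<VirtualHost svn.yoursitename.com:447>
DocumentRoot "/home/subversion/styles"
ServerName svn.yoursitename.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /etc/httpd/conf/ssl.crt/svn.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/svn.pem
<Location /repos>
DAV svn
SVNParentPath /home/subversion/repos
AuthzSVNAccessFile /home/subversion/access/control
AuthType Basic
AuthName "Subversion Repositories at yoursitename.com"
AuthUserFile /home/subversion/access/users
Require valid-user
</Location>
</VirtualHost>
"""

# Cipher-string components we do not want positively included.
WEAK_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "SSLv2",
               "NULL", "eNULL", "aNULL", "ADH", "RC4", "DES", "MD5"}

# Directives whose files or directories must never sit under DocumentRoot.
SENSITIVE = ("AuthUserFile", "AuthzSVNAccessFile", "SVNParentPath", "SSLCertificateKeyFile")


def parse_directives(text):
    """Collect single-valued directives, skipping <...> container lines and comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = shlex.split(line)           # honours the quoting Apache uses
        if len(parts) >= 2:
            found[parts[0]] = " ".join(parts[1:])
    return found


def path_under(child, parent):
    """True if child is parent or inside it; /home/subversion-old is not under /home/subversion."""
    c, p = posixpath.normpath(child), posixpath.normpath(parent)
    return c == p or c.startswith(p.rstrip("/") + "/")


def exposed_under_docroot(directives):
    """Sensitive directives whose path Apache could serve as static content."""
    docroot = directives.get("DocumentRoot")
    if docroot is None:
        return []
    return sorted(d for d in SENSITIVE if d in directives and path_under(directives[d], docroot))


def weak_cipher_tokens(suite):
    """Weak components that are positively included ("!X" and "-X" are exclusions)."""
    weak = set()
    for token in suite.split(":"):
        token = token.lstrip("+")
        if token.startswith(("!", "-")):
            continue
        weak.update(part for part in token.split("+") if part in WEAK_TOKENS)
    return sorted(weak)


def private_mode(mode):
    """True when no group/other permission bits are set, which is what chmod go-rwx leaves."""
    return (mode & 0o077) == 0


def key_file_is_private(path):
    """Same check against a real file, for use on the server."""
    return private_mode(os.stat(path).st_mode)


def audit(text):
    """Human-readable findings for one config fragment; an empty list means all clear."""
    d = parse_directives(text)
    findings = [f"{name} ({d[name]}) is under DocumentRoot {d['DocumentRoot']}"
                for name in exposed_under_docroot(d)]
    weak = weak_cipher_tokens(d.get("SSLCipherSuite", ""))
    if weak:
        findings.append("SSLCipherSuite positively includes weak tokens: " + ", ".join(weak))
    if "SSLProtocol" not in d:
        findings.append("no SSLProtocol directive; add 'SSLProtocol all -SSLv2 -SSLv3'")
    return findings


if __name__ == "__main__":
    bad = GOOD_CONF.replace('DocumentRoot "/home/subversion/styles"', 'DocumentRoot "/home/subversion"')
    for label, conf in (("hardened", GOOD_CONF), ("docroot too high", bad)):
        print(label + ":", audit(conf) or ["no findings"])
```

On the server, read the real file with audit(open("/etc/httpd/conf.d/svnsite.conf").read()) and run key_file_is_private on the path named by SSLCertificateKeyFile; both should come back clean before you restart Apache.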
Two things remain before you can use your site. First, edit /etc/httpd/conf/httpd.conf and add the line
Listen 447
so that Apache listens on that port as well (if the box runs a host firewall, open TCP 447 there too). Then run apachectl configtest to catch typos, and restart Apache:
server# apachectl restart
Two notes before we go:
- If you wish to import your first set of files, I strongly recommend reading up the excellent – and freely available – Version Control with Subversion.
- If you’re using Subversion on Mac OS X, you might want to install the latest svn client via fink; the one I had on my machine didn’t support SSL by default.
And now, without any more public service announcements, point your browser to https://svn.yoursitename.com:447/repos/test and view your test repository (expect a warning about the self-signed certificate; compare the fingerprint before accepting it). You’re all done!