Setting up Subversion Apache2 and SSL on Ubuntu JeOS or Ubuntu 8.04
TO DO
add variable for userid and replace user name cjs with variable, check for sanity
check server name var and FQDN variables
Move man pages out of main how to and link longer explanations...
Auto logfile creation?
The Big Picture
This is an advanced tutorial that requires a good knowledge of the bash terminal / command line and at least a handle on some of the technologies required to make this happen. Setting up subversion with apache2 and ssl requires some understanding of Apache2 itself, virtual Apache hosting, ssl certificate generation and usage, webdav and webdav Apache configuration, Apache modules, svn, and user and group permissions. If you are planning on dropping this server onto the www you are probably going to want to add and enable a firewall, and you will probably want to tighten up the default ssh configuration, all without locking your server administrator (you?!) out.
At the end of this tutorial we want to have a subversion repository with the following setup (although depending on your particular needs you may want to make adjustments) that is accessible via a URL like this: https://servername/svn. Our repository will be organized as follows:
/srv/svn/repos/agile
/srv/svn/repos/agile/trunk
/srv/svn/repos/agile/branches
/srv/svn/repos/agile/tags
Create a "good" host name and a "good" alias for your host
A lot of folks miss this step and regret it dearly later on.
Before you get started you might want to seriously consider aliasing the host name you want to use for your server. This allows you to move services (or the entire server) to another physical or virtual host with little or no downtime and limited reconfiguration of any clients using the services offered by a particular server.
For example, if your server is called example.org and you give it an alias of svn-server.org you will be able to "move" svn-server.org (and your svn services) to another physical or virtual host without forcing clients to be reconfigured for the "new" server.
Domain name and alias ideas:
ssl.domain.tld
svn.domain.org
svn-domain.org
Variables
It might be helpful to have a few handy (bash) variables on hand to reduce typing. You may want to adjust these to suit your requirements.
Apache Virtual Host
(aka, your ssl enabled svn site name)
MY_SSL_WEBSITE=jeos-srv-0001.lsi-industries.com
Path to subversion directory
for a web accessible setup
SUBVERSION_DIR=/srv/svn
for a "home" based user or personal development setup you might prefer something like this
SUBVERSION_DIR=/usr/local/svn
or for a more general local setup, something like this
SUBVERSION_DIR=/usr/local/svn
as your subversion base directory
Path to subversion repository
In this example I am creating a folder under my svn directory which will hold all of my different svn repositories called "repos"
SUBVERSION_REPOSITORY=${SUBVERSION_DIR}/repos
Update and Upgrade
sudo apt-get update
sudo apt-get upgrade
Open SSH
Installing ssh will allow you to access your server more easily (and securely) from a remote system
Install openssh-server
sudo apt-get install -y openssh-server
IMPORTANT NOTE: If you are planning on running this server on the www you are probably going to want to do some further ssh configuring for security. This configuration can vary depending on who requires access to your server. You need to do your homework because you are going to want to get this part right! Be very careful not to lock yourself out!
Access your system
Run the following from your remote system. Please note that it is MUCH easier to configure your server remotely. If you are running a virtual server this can easily be done from a host OS. This will allow you to copy and paste commands and do "paste" editing and could potentially save you hours of configuration time.
Get your server's IP Address
Run the following command at the server prompt
ifconfig
Example Output:
user@jeos-srv-0001:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:89:19:cf
inet addr:10.16.104.21 Bcast:10.16.104.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe89:19cf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16682 errors:0 dropped:0 overruns:0 frame:0
TX packets:8468 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22552889 (21.5 MB) TX bytes:591227 (577.3 KB)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ssh into your server
run this command from your host or local system
ssh 10.16.104.21
Example Output:
The authenticity of host '10.16.104.21 (10.16.104.21)' can't be established.
RSA key fingerprint is 7f:19:30:cd:9a:0f:87:00:e9:3a:5d:b4:07:06:61:89.
Are you sure you want to continue connecting (yes/no)? yes
Compare the fingerprint with the server's RSA host key fingerprint, read on the server console, then type in "yes" to complete the connection.
Configure your server's networking
By default Ubuntu is configured to use DHCP. If you want to run this on the internet you will want a fixed IP, otherwise skip this section.
backup /etc/network/interfaces - optional
sudo cp /etc/network/interfaces /etc/network/interfaces.original
edit /etc/network/interfaces
sudo vi /etc/network/interfaces
Fixed IP Example
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 10.16.104.21
netmask 255.255.255.0
network 10.16.104.0
broadcast 10.16.104.255
gateway 10.16.104.1
Restart network
After making any interface change you need to restart your system's networking.
sudo /etc/init.d/networking restart
Verify your changes
ifconfig
/etc/hosts and /etc/hostname
about /etc/hosts
man hosts
Example Output
(notice that we can set an alias in /etc/hosts)
HOSTS(5) Linux Programmer’s Manual HOSTS(5)
NAME
hosts - The static table lookup for hostnames
SYNOPSIS
/etc/hosts
DESCRIPTION
This manual page describes the format of the /etc/hosts file. This
file is a simple text file that associates IP addresses with hostnames,
one line per IP address. For each host a single line should be present
with the following information:
IP_address canonical_hostname [aliases...]
Backup /etc/hosts
(your choice)
sudo cp /etc/hosts /etc/hosts.original
Edit /etc/hosts
sudo vim /etc/hosts
example of a simple alias configuration on a client system
# IP HOSTNAME ALIAS ANOTHER ALIAS
127.0.0.1 localhost
10.16.104.21 jeos-srv-0001.lsi-industries.com jeos-srv-0001 svn.jeos-srv-001
/etc/hostname
about
man hostname
Example Output
HOSTNAME(1) Linux Programmer’s Manual HOSTNAME(1)
NAME
hostname - show or set the system’s host name
dnsdomainname - show the system’s DNS domain name
SYNOPSIS
hostname [-v] [-a] [--alias] [-d] [--domain] [-f] [--fqdn] [-i] [--ip-address]
[--long] [-s] [--short] [-y] [--yp] [--nis]
hostname [-v] [-F filename] [--file filename] [hostname]
hostname [-v] [-h] [--help] [-V] [--version]
dnsdomainname [-v]
DESCRIPTION
Hostname is used to either set or display the current host or domain name of
the system. This name is used by many of the networking programs to identify
the machine. The domain name is also used by NIS/YP.
Examining the Current /etc/hostname
cat /etc/hostname
Making Changes to /etc/hostname
If you want your host name to be a fully qualified domain name (FQDN) you will need to adjust /etc/hostname. To get your current FQDN you can run
hostname -f
Example output
jeos-srv-0001.my-big-company.com
Set your FQDN
To set your standard hostname to be a FQDN use the format below (replacing with your FQDN)
Become Root
sudo su
Create your new hostname
sudo echo jeos-srv-0001.my-big-company.com > /etc/hostname
Load your changes
/etc/init.d/hostname.sh start
Exit the root shell
exit
Verify Your Changes
Now both the hostname and hostname -f commands should report the same output
for hostname run
hostname
For your fully qualified domain name run:
hostname -f
Install apache2
sudo apt-get install -y apache2
Install subversion
sudo apt-get install -y subversion
Install libapache2-svn
sudo apt-get install libapache2-svn
Enable the SSL Apache2 module
sudo a2enmod ssl
Verify the apache2 ports.conf file
Make sure you can access on port 80 (Standard http port) and port 443 (via SSL, https)
cat /etc/apache2/ports.conf
Example of "OK" output:
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Create an SSL Certificate
Here we generate an SSL certificate that will allow you to access your svn web page using the more secure https rather than http
Install ssl
sudo apt-get install -y openssl
Ubuntu Hardy 8.04 Special Instructions
Unfortunately, on Ubuntu Hardy 8.04, if you did not install a LAMP server you will be missing the apache2-ssl-certificate program used to create your ssl certificate. If your distro came with ssl you can skip ahead to the next section, otherwise you will need to download and install the executable and certificate template as follows
Go to our home directory
cd ~
Create a place to hold the downloaded archive
mkdir -p sys/temp
Move into our new directory
cd sys/temp
Install wget
sudo apt-get install -y wget
Download our archive
wget http://launchpadlibrarian.net/7477840/apache2-ssl.tar.gz
Unarchive
tar -xzvf apache2-ssl.tar.gz
Copy the cnf file to our apache2 share
sudo cp ssleay.cnf /usr/share/apache2/.
Create our ssl directory
sudo mkdir /etc/apache2/ssl
Generate SSL Certificate
sudo ./apache2-ssl-certificate
[ Fill in your certificate information as prompted ]
End of Ubuntu Hardy Special Instructions
(If you are not running Ubuntu Hardy you will still need to generate an SSL certificate using something like the above command.)
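An added example, not part of the original how-to and not the apache2-ssl-certificate script: generating the self-signed certificate directly with openssl, so nothing downloaded over plain http has to be run with sudo. It assumes openssl is installed; the function names are made up for illustration, and the CN check shows why the browser later reports a certificate as valid for one name only.

```sh
# Added example: self-signed certificate with key and certificate in one PEM,
# which is what the SSLCertificateFile line used on this page points at.

# make_selfsigned_pem CN OUTFILE [DAYS]
make_selfsigned_pem() (
    cn=$1 out=$2 days=${3:-365}
    umask 077                      # key material is never group/world readable
    tmp=$(mktemp -d) || exit 1
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
        -days "$days" -subj "/CN=$cn" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" &&
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" &&
    chmod 600 "$out"
    rc=$?
    rm -rf "$tmp"                  # remove the temporary key copy in all cases
    exit "$rc"
)

# cert_cn PEMFILE -> subject common name stored in the certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# cert_matches_host PEMFILE NAME -> status 0 only when the certificate was
# issued for NAME, the name clients will type into the URL
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# cert_fingerprint PEMFILE -> SHA-256 fingerprint, for comparison with the
# value the browser shows under "View" before the exception is confirmed
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage on the server (MY_SSL_WEBSITE as defined in the Variables section):
#   make_selfsigned_pem "$MY_SSL_WEBSITE" ./apache.pem
#   cert_matches_host ./apache.pem "$MY_SSL_WEBSITE" && cert_fingerprint ./apache.pem
#   sudo install -m 600 -o root -g root ./apache.pem /etc/apache2/ssl/apache.pem
```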
Modify your ssl enabled site
Next we use the variable created at the beginning of this page called MY_SSL_WEBSITE to create a new template for our site from the default site template.
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/${MY_SSL_WEBSITE}
Add port 443 access to the custom site configuration file
sudo vim /etc/apache2/sites-available/${MY_SSL_WEBSITE}
Change the line NameVirtualHost *
to be:
NameVirtualHost *:443
Change the line <VirtualHost *>
to be:
<VirtualHost *:443>
Just above </VirtualHost>, (usually the last line in the file), add the following:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
Save and exit the editor
Enable our Apache site / Virtual Host
sudo a2ensite ${MY_SSL_WEBSITE}
Restart Apache, check for errors
sudo /etc/init.d/apache2 restart
Open dav_svn.conf for editing
Edit your Virtual Host config file to enable webdav only for this site (most people want this)
sudo vim /etc/apache2/sites-available/${MY_SSL_WEBSITE}
Edit the main dav_svn.conf file if you want all of your Virtual hosts to have webdav enabled. (not the case for most people)
sudo vim /etc/apache2/mods-available/dav_svn.conf
Configure webdav
Paste the following code block into the file near the top of the file. (Just under the line ServerAdmin webmaster@localhost should be fine)
Make sure the SVNPath OR the SVNParentPath reflects your system's configuration.
If you are not using a parent directory setup, uncomment the line starting with SVNPath and place comments (# signs) in front of both SVNParentPath and SVNListParentPath On
<Location /svn>
DAV svn
#SVNPath /srv/svn
SVNParentPath /srv/svn
SVNListParentPath On
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
Require valid-user
</Location>
Save and Exit the editor when completed
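The SSL directives added to the virtual host earlier and the <Location /svn> block above can be checked mechanically. This added example (not from the original page) flags SSLProtocol all, cipher classes below HIGH, and a Basic auth block with no SSLRequireSSL, which matters most if the block goes into dav_svn.conf and so applies to the port 80 site as well. The function names and both sample configs are constructed, and the hardened sample assumes a current Apache and OpenSSL rather than the 8.04 packages.

```sh
# Added example: flag weak mod_ssl settings and unprotected Basic auth.

# audit_vhost FILE -> one finding per line; exit status 1 if anything is found
audit_vhost() {
    awk '
    function finding(ln, msg) { printf "%s:%d: %s\n", FILENAME, ln, msg; bad++ }
    { d = tolower($1) }                     # directive names are case-insensitive
    NF == 0 || d ~ /^#/ { next }
    d == "sslprotocol" {                    # era mod_ssl: all = SSLv2 + SSLv3 + TLSv1
        v = tolower($0); gsub(/[ \t]+/, " ", v); v = v " "
        if ((v ~ / \+?all / && v !~ / -sslv3 /) || v ~ / \+?sslv[23] /)
            finding(FNR, "SSLProtocol leaves SSLv2/SSLv3 enabled")
    }
    d == "sslciphersuite" {
        n = split($2, c, ":")
        for (i = 1; i <= n; i++)
            if (c[i] ~ /^(MEDIUM|LOW|EXP|EXPORT|aNULL|eNULL|NULL)$/)
                finding(FNR, "SSLCipherSuite admits " c[i] " ciphers")
    }
    d ~ /^<location/ { start = FNR; basic = 0; tls = 0 }
    d == "authtype" && tolower($2) == "basic" { basic = 1 }
    d == "sslrequiressl" { tls = 1 }
    d ~ /^<\/location/ && basic && !tls { finding(start, "Basic auth block lacks SSLRequireSSL") }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the SSL directives and <Location> block from this page.
sample_page_config() {
    cat <<'EOF'
<VirtualHost *:443>
    <Location /svn>
        DAV svn
        SVNParentPath /srv/svn
        AuthType Basic
        AuthUserFile /etc/apache2/dav_svn.passwd
        Require valid-user
    </Location>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>
EOF
}

# Constructed hardened variant; TLSv1.2 assumes a current Apache and OpenSSL.
sample_hardened_config() {
    sample_page_config |
        sed -e 's/SSLProtocol all/SSLProtocol -all +TLSv1.2/' \
            -e 's/HIGH:MEDIUM/HIGH:!aNULL:!MD5/' |
        awk '/AuthType Basic/ { print "        SSLRequireSSL" } { print }'
}
```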
Restart Apache
(Check for error messages and failures and make adjustments as required. Do you have a valid host name...)
sudo /etc/init.d/apache2 restart
Testing Apache http
Get your host ip
ifconfig
Point your browser to the following URL, you should be prompted for your webdav user and password. This is a great time to resolve any problems before continuing.
Using the ip address
http://10.16.104.21
OR
Using the hostname
http://jeos-srv-0001.lsi-industries.com
You should see:
It works!
Setting up svn
Create a webdav user
use this format -> sudo htpasswd -cm /etc/apache2/dav_svn.passwd username
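You will want to change cjs in the below example to be the user name you want to create. After running the command you will be prompted to enter a password for the user. The -c flag creates the password file and overwrites any existing one, so leave it off when adding more users later.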
sudo htpasswd -cm /etc/apache2/dav_svn.passwd cjs
Restart
sudo /etc/init.d/apache2 restart
Testing https (SSL)
Open your favorite browser and try signing onto your svn installation. Replace localhost in the following URL with the name of your ssl server:
https://10.16.104.21
You should get a message similar to the following:
Secure Connection Failed
192.168.200.133 uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate is only valid for svn-srv-002
(Error code: sec_error_ca_cert_invalid)
* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Or you can add an exception…
Add an exception and get your ssl certificate!
You want to follow the link on the last line "Or you can add an exception…" then choose the "Add Exception..." button, then the "Get Certificate" button.
If you would like, you can choose "View" to take a peek at your ssl certificate, and finally the "Confirm" button. If everything is still working you will again see the "It Works!" apache page. Now you are really rocking.
Testing your webdav user and password
The setup outlined in this how to uses a configuration that will allow webdav sign on for the https address above in the /svn directory. To test you will now want to surf to something like the following web address.
https://localhost/svn
Login with the webdav user name and password you created. If you see something like the following you are in business, otherwise you will want to get your webserver up and running before continuing!
Seeing the following is "Good" and means your webdav user id and password are working perfectly!
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<D:error>
<C:error/>
<m:human-readable errcode="2">
Can't open directory '/srv/svn': No such file or directory
</m:human-readable>
</D:error>
Setting up group and user permissions
Until now we have focused exclusively on the process of setting up and installing our web server and related required protocols. Now we are going to create our subversion repository and the related required permissions. If you want to read up on the Ubuntu slant on this you can refer to the following references:
References
Ubuntu Documentation AddUsersHowto
https://help.ubuntu.com/community/AddUsersHowto
Create a subversion group
Here we create a group that will have permissions that allow members to access subversion files
sudo addgroup subversion
Add your userid and www-data to the subversion group
in this example our user is called "cjs", replace this with your own userid!
sudo adduser cjs subversion
Add the www-data user to the subversion group
Here we give the apache server "permissions" that will allow it to access subversion owned files.
sudo adduser www-data subversion
You need to logout and login again to initialize new group memberships. In this case you may want to reboot your server or just restart apache depending on your circumstances.
Restart your Server
If you are connected via ssh you will be kicked off and need to log back on once the server restarts
sudo shutdown -r now
Creating your Repository
If you restarted your server you
The main repository structure
We can store multiple projects under the directory called "repos"
Create the directory on the file system
sudo mkdir -p /srv/svn/repos
Create the repository with the svnadmin svn command
sudo svnadmin create /srv/svn/repos
Create a directory to hold your first project
Change to the svn directory
cd /srv/svn
Create your projects directory on the file system
sudo mkdir -p /srv/svn/repos/agile
Change permissions for your repos directory
Make www-data (the Apache httpd user) the owner and subversion the group for the directory called "repos".
sudo chown -R www-data:subversion repos
Set up permissions for your subversion repository files (folders are files in Unix too!)
Here we set the gid (group ID) for proper permissions on any new files added to your repository.
sudo chmod -R g+rws repos
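An added example, not from the original how-to: a check that the tree really carries the shared-group permissions set above, plus an alternative to chmod -R g+rws that puts setgid on directories only. The function names are made up for illustration; run fix_repo_perms with sudo on the server.

```sh
# Added example: verify (and, as an alternative to chmod -R g+rws, set) the
# group-shared permissions that the repository relies on.

# check_repo_perms DIR GROUP -> one "problem path" line each; status 1 if any
check_repo_perms() (
    dir=$1 group=$2
    out=$(
        find "$dir" ! -group "$group"       | sed 's/^/wrong-group /'
        find "$dir" -type d ! -perm -2000   | sed 's/^/dir-without-setgid /'
        find "$dir" ! -type l ! -perm -0060 | sed 's/^/group-cannot-rw /'
        find "$dir" ! -type l -perm -0002   | sed 's/^/world-writable /'
    )
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)

# fix_repo_perms DIR GROUP: group ownership and group read/write everywhere,
# no world write (an addition to what the page sets), and setgid on
# directories only, so new files inherit GROUP. The owner is left unchanged.
fix_repo_perms() {
    chgrp -R "$2" "$1" &&
    chmod -R g+rw,o-w "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# Usage on the server:
#   sudo sh -c '. ./repo-perms.sh; fix_repo_perms /srv/svn/repos subversion'
#   check_repo_perms /srv/svn/repos subversion
```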
Create a main project directory
Now that you have set up your user and directory permissions you should be able to execute the following commands without the sudo command. If you need to use sudo your permissions are not correct and you should resolve this issue before continuing.
svn mkdir file:///srv/svn/repos/agile -m "creating the agile project"
(If you get an error here you may not have set up your user's permissions correctly or might be signed on as a different user.)
Create the trunk, branches and tag directories for your new project
svn mkdir file:///srv/svn/repos/agile/trunk -m "creating the agile project trunk"
svn mkdir file:///srv/svn/repos/agile/branches -m "creating the agile project branches"
svn mkdir file:///srv/svn/repos/agile/tags -m "creating the agile project tags"
Checking out your new digs!
listing of your repository
svn list file:///srv/svn/repos
listing of your project
svn list file:///srv/svn/repos/agile
Testing the Whole Enchilada!
https://servername/svn/
Again, you can substitute the server's IP address for the servername in the above URL
Example Output from a working system:
Collection of Repositories
Powered by Subversion version 1.4.6 (r28521).
Next step is populating your SVN Repository!!!

