HOWTO setup a small server

Apache2 (Webserver) with SVN/ViewVC

Installation

Prerequisites: OpenSSL, Heimdal, OpenLDAP

This page describes the setup of an Apache2 server with Subversion and ViewVC. To install the Apache2 server with Kerberos support together with Subversion and ViewVC, run the following command:

# apt-get install apache2 apache2-doc libapache2-mod-auth-kerb \
  libapache2-svn viewvc

SVN Repository

First, create an SVN repository (called test in this example):

# svnadmin create /data/svn/test
# chown -R www-data /data/svn/test

ViewVC Configuration

Now we configure ViewVC by modifying the following variables in its configuration file according to our needs. The directory /data/svn is assumed to be the base directory where all SVN repositories are located.

Excerpt: /etc/viewvc/viewvc.conf

## the next two must be commented out:
#cvs_roots = ...
#svn_roots = ...
root_parents = /data/svn : svn
default_root = svn
address = <a href="mailto:webmaster@server.example.com">Contact administrator.</a>
languages = de, en-us
root_as_url_component = 1
docroot = /docroot

Apache2 Main Configuration

The following modules are not enabled by default and are required for the setup described here. You will have to enable them:

# a2enmod ldap
# a2enmod authnz_ldap
# a2enmod ssl

Now we can configure the Apache2 server. First, some changes are required in one of the main configuration files: commenting out the NameVirtualHost line is required (the site configuration below declares its own), and the two changes to the Listen lines restrict Apache2 to IPv4, i.e. they disable IPv6:

Excerpt: /etc/apache2/ports.conf

## the next one must be commented out:
#NameVirtualHost *:80
Listen 0.0.0.0:80
Listen 0.0.0.0:443

Next, create a site configuration based on the following template; it redirects every connection to the unencrypted (HTTP) site to the encrypted (HTTPS) one.

File: /etc/apache2/sites-available/main

NameVirtualHost *:443
<VirtualHost *:443>
	ServerAdmin webmaster@server.example.com
	
	DocumentRoot /var/www/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>

	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	#<Directory "/usr/lib/cgi-bin">
	#	AllowOverride None
	#	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	#	Order allow,deny
	#	Allow from all
	#</Directory>

	ErrorLog /var/log/apache2/error.log

	## Possible values include: debug, info, notice, warn, error, crit,
	## alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/access.log combined

	ServerSignature On

	## SSL key and certificate
	SSLEngine On
	SSLCACertificateFile /etc/ssl/certs/ca.crt
	SSLCertificateFile /etc/ssl/certs/server.crt
	SSLCertificateKeyFile /etc/ssl/private/server.key

	## Subversion
	<Location /svn>
		Order deny,allow
		Deny from all
		Allow from 127.0.0.0/8
	</Location>

	## ViewVC
	ScriptAlias /viewvc /usr/lib/cgi-bin/viewvc.cgi
	<Location /viewvc>
		Order deny,allow
		Deny from all
		Allow from 127.0.0.0/8
	</Location>

	Alias /docroot /usr/share/viewvc/
	<Directory /usr/share/viewvc/>
		Order deny,allow
		Deny from all
		Allow from all
	</Directory>

	## include repository specific configuration
	Include /etc/apache2/svn/*
</VirtualHost>

NameVirtualHost 127.0.0.1:80
<VirtualHost 127.0.0.1:80>
	ServerName localhost
	ServerAlias localhost
	DocumentRoot /var/www
	RedirectMatch (.*)$ https://localhost$1
</VirtualHost>

NameVirtualHost 223.1.2.1:80
<VirtualHost 223.1.2.1:80>
	ServerName server.example.com
	ServerAlias server.example.com
	DocumentRoot /var/www
	RedirectMatch (.*)$ https://server.example.com$1
</VirtualHost>

Now the directory /etc/apache2/svn must be created and the site enabled:

# mkdir /etc/apache2/svn
# a2dissite default
# a2ensite main

Apache2 (running as www-data) needs read access to the server's key file, so add that user to the ssl-cert group:

# usermod -a -G ssl-cert www-data

Next you will have to create the keytab file for Apache2:

# kadmin -l
> add --random-key HTTP/server.example.com
> ext_keytab -k /etc/krb5.keytab.http HTTP/server.example.com
> q
# chown www-data: /etc/krb5.keytab.http

Finally, restart the server:

# /etc/init.d/apache2 restart
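The steps above leave two secrets on disk that Apache2 reads, the server key and the HTTP keytab, plus a few wiring details (ports.conf, the enabled site, the include directory) that silently break the setup if they are off. The following script, an added example that is not part of the original HOWTO, checks those points after the restart. The file paths are the ones used on this page; the ROOT prefix (to run the checks against a staging tree) and the APACHE_USER variable are assumptions of this script, not Apache2 settings.

```shell
#!/bin/sh
# check-setup.sh: sanity checks for the layout built in the steps above.
# Added example, not part of the original HOWTO. Paths are those used on
# this page; ROOT (a prefix such as a staging tree) and APACHE_USER are
# assumptions of this script, not of Apache2.
ROOT="${ROOT:-}"

# Pass if $1 exists and grants no permissions at all to "other".
check_not_world_readable() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    set -- $(ls -ld "$f")            # fields: perms links owner group ...
    case "$1" in
        ???????---*) echo "OK       $f is not world-readable" ;;
        *) echo "TOO OPEN $f ($1)"; return 1 ;;
    esac
}

# Pass if $1 is owned by user $2 (the keytab must belong to www-data).
check_owner() {
    f="$1"; owner="$2"
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    set -- $(ls -ld "$f")
    [ "$3" = "$owner" ] || { echo "OWNER    $f is $3, expected $owner"; return 1; }
    echo "OK       $f owned by $owner"
}

# Pass if user $1 is a member of group $2 (www-data must be in ssl-cert
# to read the server key).
check_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2" \
        || { echo "GROUP    $1 is not in $2"; return 1; }
    echo "OK       $1 is in group $2"
}

# Pass if ports.conf has no active NameVirtualHost line (the site file
# declares its own).
check_ports_conf() {
    f="$ROOT/etc/apache2/ports.conf"
    if grep -q '^[[:space:]]*NameVirtualHost' "$f" 2>/dev/null; then
        echo "BAD      $f: NameVirtualHost must be commented out"; return 1
    fi
    echo "OK       $f"
}

# Pass if site "main" is enabled and the include directory exists.
check_site_wiring() {
    [ -e "$ROOT/etc/apache2/sites-enabled/main" ] \
        || { echo "BAD      site 'main' is not enabled"; return 1; }
    [ -d "$ROOT/etc/apache2/svn" ] \
        || { echo "BAD      $ROOT/etc/apache2/svn does not exist"; return 1; }
    echo "OK       site wiring"
}

# Run all checks; the exit status is non-zero if any of them failed.
run_checks() {
    user="$1"; rc=0
    check_not_world_readable "$ROOT/etc/ssl/private/server.key" || rc=1
    check_in_group "$user" ssl-cert                              || rc=1
    check_not_world_readable "$ROOT/etc/krb5.keytab.http"        || rc=1
    check_owner "$ROOT/etc/krb5.keytab.http" "$user"             || rc=1
    check_ports_conf                                             || rc=1
    check_site_wiring                                            || rc=1
    return $rc
}

# Usage on the server (as root): sh check-setup.sh
run_checks "${APACHE_USER:-www-data}" || echo "check-setup: problems found"
```

The server key is deliberately only checked for "other" bits: on Debian it belongs to root:ssl-cert with group read, which is exactly why www-data was added to ssl-cert above. The keytab, by contrast, is chown'ed to www-data and should have no group or other bits either.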

Apache2 Repository Configuration

The following snippet shows how to configure the repository for Kerberos authentication and authorization:

File: /etc/apache2/svn/test

## Subversion
<Location /svn/test>
	DAV svn
	SVNPath /data/svn/test

	## Kerberos authentication
	AuthType Kerberos
	AuthName "Kerberos v5 Login"
	Krb5Keytab /etc/krb5.keytab.http

	## option 1: (user) authorization
	Require user testuser@EXAMPLE.COM

	## option 2: permit access to all authenticated users
	#Require valid-user

	Order deny,allow
	Deny from all
	Allow from 127.0.0.0/8 223.1.2.0/24
</Location>

## ViewVC
<Location /viewvc/test>
	## like above, but without DAV and SVNPath lines
</Location>

The following snippet shows how to configure the repository for Kerberos authentication and LDAP authorization:

File: /etc/apache2/svn/test

## Subversion
<Location /svn/test>
	DAV svn
	SVNPath /data/svn/test

	## Kerberos authentication
	AuthType Kerberos
	AuthName "Kerberos v5 Login"
	Krb5Keytab /etc/krb5.keytab.http
	Krb5AuthToLocal on

	## LDAP authorization
	AuthLDAPURL ldaps://server.example.com/ou=people,dc=example,dc=com
	AuthLDAPGroupAttribute memberUid
	AuthLDAPGroupAttributeIsDN off

	## option 1: group authorization
	Require ldap-group cn=testgroup,ou=groups,dc=example,dc=com

	## option 2: group authorization that also admits users whose primary
	##           group (gidNumber) is the group but who are not listed as
	##           memberUid; several Require lines are OR'ed, so no
	##           "Satisfy any" is needed (it would let the hosts matched by
	##           the Allow line below in without authentication)
	#Require ldap-group cn=testgroup,ou=groups,dc=example,dc=com
	#Require ldap-attribute gidNumber=10000

	## option 3: user authorization
	#Require ldap-user testuser

	Order deny,allow
	Deny from all
	Allow from 127.0.0.0/8 223.1.2.0/24
</Location>

## ViewVC
<Location /viewvc/test>
	## like above, but without DAV and SVNPath lines
</Location>

To restrict read-write access to certain users or groups while allowing anonymous read-only access, wrap the Require directives of the examples above in a <LimitExcept> block:

Excerpt: /etc/apache2/svn/test

<LimitExcept GET PROPFIND OPTIONS REPORT>
	## only this user/group has read-write access:
	Require ...
</LimitExcept>

If read-only and read-write access should go to different users and/or groups, the <Limit> directive helps. This extension of the previous example seems to work:

Excerpt: /etc/apache2/svn/test

<Limit GET PROPFIND OPTIONS REPORT>
	## only this user/group has read-only(!) access:
	Require ...
</Limit>

<LimitExcept GET PROPFIND OPTIONS REPORT>
	## only this user/group has read-write(!) access:
	Require ...
</LimitExcept>
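The <Limit>/<LimitExcept> split above hinges on one method set: GET, PROPFIND, OPTIONS and REPORT are read-only, everything else writes to the repository. The same set is useful on the defending side, for the Kerberos/LDAP-protected repositories configured earlier as well as for the read/write split: the script below, an added example that is not part of the original HOWTO, reads Apache's combined access log and lists every write request, who made it and whether the Require rules let it through. The log lines it ships with are constructed for the example; only the paths /svn/test and the users testuser@EXAMPLE.COM and otheruser@EXAMPLE.COM (the latter an assumed extra user) are borrowed from this page.

```shell
#!/bin/sh
# svn-write-audit.sh: list and count write operations against the
# repository from Apache's combined access log. Added example, not part
# of the original HOWTO. A request counts as "write" when its method is
# outside the read-only set used in the <Limit> block above (GET,
# PROPFIND, OPTIONS, REPORT), i.e. exactly what <LimitExcept> protects.

# Constructed sample log lines (not captured from a real server): an
# anonymous client browsing, testuser committing (three writes), an
# anonymous write refused with 401, and an assumed user outside the
# allowed group refused with 403.
SAMPLE_LOG='127.0.0.1 - - [10/May/2010:10:00:01 +0200] "OPTIONS /svn/test HTTP/1.1" 200 190 "-" "SVN/1.6.12"
127.0.0.1 - - [10/May/2010:10:00:02 +0200] "PROPFIND /svn/test HTTP/1.1" 207 644 "-" "SVN/1.6.12"
223.1.2.5 - testuser@EXAMPLE.COM [10/May/2010:10:00:03 +0200] "MKACTIVITY /svn/test/!svn/act/1d2f HTTP/1.1" 201 0 "-" "SVN/1.6.12"
223.1.2.5 - testuser@EXAMPLE.COM [10/May/2010:10:00:04 +0200] "PUT /svn/test/!svn/wrk/1d2f/trunk/README HTTP/1.1" 204 0 "-" "SVN/1.6.12"
223.1.2.5 - testuser@EXAMPLE.COM [10/May/2010:10:00:05 +0200] "MERGE /svn/test HTTP/1.1" 200 512 "-" "SVN/1.6.12"
223.1.2.9 - - [10/May/2010:10:01:00 +0200] "MKACTIVITY /svn/test/!svn/act/9a9a HTTP/1.1" 401 401 "-" "SVN/1.6.12"
223.1.2.9 - otheruser@EXAMPLE.COM [10/May/2010:10:01:05 +0200] "MKACTIVITY /svn/test/!svn/act/9a9b HTTP/1.1" 403 202 "-" "SVN/1.6.12"'

# Read a combined-format log on stdin; print "status user method path"
# for every request whose method is not in the read-only set.
svn_write_requests() {
    awk '{
        method = substr($6, 2)       # $6 is the method with its opening quote
        if (method == "GET" || method == "PROPFIND" ||
            method == "OPTIONS" || method == "REPORT") next
        printf "%s %s %s %s\n", $9, $3, method, $7
    }'
}

# Count write requests that were refused: 401 (no valid credentials)
# or 403 (authenticated, but not permitted by the Require rules).
svn_denied_writes() {
    svn_write_requests | awk '$1 == 401 || $1 == 403 { n++ } END { print n + 0 }'
}

# Number of write requests per user; anonymous clients show up as "-".
svn_writes_by_user() {
    svn_write_requests | awk '{ n[$2]++ } END { for (u in n) printf "%s %d\n", u, n[u] }' | sort
}

# Usage: sh svn-write-audit.sh /var/log/apache2/access.log
# Without an argument the constructed sample above is analysed.
LOG_FILE="${1:-}"
read_log() {
    if [ -n "$LOG_FILE" ]; then cat "$LOG_FILE"; else printf '%s\n' "$SAMPLE_LOG"; fi
}
read_log | svn_write_requests
echo "denied writes: $(read_log | svn_denied_writes)"
read_log | svn_writes_by_user
```

A 401 on a write from an anonymous client is the expected effect of the <LimitExcept> block; a 403 from an authenticated user means the Require rules (user, ldap-group or ldap-attribute) rejected someone who did have a ticket, which is the line worth reviewing.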

To activate the repository configuration, reload the server configuration:

# /etc/init.d/apache2 reload

The manual of Apache2 is now available under https://server.example.com/manual, the SVN repository under https://server.example.com/svn/test and ViewVC under https://server.example.com/viewvc/test.

Networking Requirements

Prerequisite: Shorewall

To allow users to reach the webserver, add the following to Shorewall's rules file and restart Shorewall:

Excerpt: /etc/shorewall/rules

# HTTP/HTTPS
#
ACCEPT		net		$FW		tcp	80
ACCEPT		net		$FW		tcp	443

Then restart Shorewall:

# shorewall restart
