HOWTO setup a small server
Apache2 (Webserver) with SVN/ViewVC
Installation
Prerequisite: OpenSSL, Heimdal, OpenLDAP
This page describes the setup of an Apache2 server with Subversion and ViewVC. In order to install the Apache2 server with Kerberos support, run the following command:
# apt-get install apache2 apache2-doc libapache2-mod-auth-kerb \
    libapache2-svn viewvc
SVN Repository
First you have to create an SVN repository (called test in this example):
# svnadmin create /data/svn/test
# chown -R www-data /data/svn/test
ViewVC Configuration
Now we configure ViewVC by modifying the following variables in its configuration file according to our needs. The directory /data/svn is assumed to be the base directory where all SVN repositories are located.
Excerpt: /etc/viewvc/viewvc.conf
## the next two must be commented:
#cvs_roots = ...
#svn_roots = ...
root_parents = /data/svn : svn
default_root = svn
address = <a href="mailto:webmaster@server.example.com">Contact administrator.</a>
languages = de, en-us
root_as_url_component = 1
docroot = /docroot
Apache2 Main Configuration
The following modules are not enabled by default and are required for the setup described here. You will have to enable them:
# a2enmod ldap
# a2enmod authnz_ldap
# a2enmod ssl
Now we can configure the Apache2 server. First of all some changes are required in one of the main configuration files (commenting the NameVirtualHost line is really required, the other two modifications to the Listen lines disable IPv6):
Excerpt: /etc/apache2/ports.conf
## the next one must be commented:
#NameVirtualHost *:80
Listen 0.0.0.0:80
Listen 0.0.0.0:443
Next you can create a site configuration based on the following template that redirects all connections to the unencrypted site to an encrypted one.
File: /etc/apache2/sites-available/main
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@server.example.com
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    #<Directory "/usr/lib/cgi-bin">
    #    AllowOverride None
    #    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #    Order allow,deny
    #    Allow from all
    #</Directory>
    ErrorLog /var/log/apache2/error.log
    ## Possible values include: debug, info, notice, warn, error, crit,
    ## alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    ## SSL key and certificate
    SSLEngine On
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    ## Subversion
    <Location /svn>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
    </Location>
    ## ViewVC
    ScriptAlias /viewvc /usr/lib/cgi-bin/viewvc.cgi
    <Location /viewvc>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
    </Location>
    Alias /docroot /usr/share/viewvc/
    <Directory /usr/share/viewvc/>
        Order deny,allow
        Deny from all
        Allow from all
    </Directory>
    ## include repository specific configuration
    Include /etc/apache2/svn/*
</VirtualHost>
NameVirtualHost 127.0.0.1:80
<VirtualHost 127.0.0.1:80>
    ServerName localhost
    ServerAlias localhost
    DocumentRoot /var/www
    RedirectMatch (.*)$ https://localhost$1
</VirtualHost>
NameVirtualHost 223.1.2.1:80
<VirtualHost 223.1.2.1:80>
    ServerName server.example.com
    ServerAlias server.example.com
    DocumentRoot /var/www
    RedirectMatch (.*)$ https://server.example.com$1
</VirtualHost>
Now the directory /etc/apache2/svn must be created and the site enabled:
# mkdir /etc/apache2/svn
# a2dissite default
# a2ensite main
Apache2 requires access to the key file of the server:
# usermod -a -G ssl-cert www-data
Next you will have to create the keytab file for Apache2:
# kadmin -l
> add --random-key HTTP/server.example.com
> ext_keytab -k /etc/krb5.keytab.http HTTP/server.example.com
> q
# chown www-data: /etc/krb5.keytab.http
Finally, restart the server:
# /etc/init.d/apache2 restart
Apache2 Repository Configuration
The following snippet shows how to configure the repository for Kerberos authentication and authorization:
File: /etc/apache2/svn/test
## Subversion
<Location /svn/test>
    DAV svn
    SVNPath /data/svn/test
    ## Kerberos authentication
    AuthType Kerberos
    AuthName "Kerberos v5 Login"
    Krb5Keytab /etc/krb5.keytab.http
    ## option 1: (user) authorization
    Require user testuser@EXAMPLE.COM
    ## option 2: permit access to all authenticated users
    #Require valid-user
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8 223.1.2.0/24
</Location>
## ViewVC
<Location /viewvc/test>
    ## like above, but without DAV and SVNPath lines
</Location>
The following snippet shows how to configure the repository for Kerberos authentication and LDAP authorization:
File: /etc/apache2/svn/test
## Subversion
<Location /svn/test>
    DAV svn
    SVNPath /data/svn/test
    ## Kerberos authentication
    AuthType Kerberos
    AuthName "Kerberos v5 Login"
    Krb5Keytab /etc/krb5.keytab.http
    Krb5AuthToLocal on
    ## LDAP authorization
    AuthLDAPURL ldaps://server.example.com/ou=people,dc=example,dc=com
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    ## option 1: group authorization
    Require ldap-group cn=testgroup,ou=groups,dc=example,dc=com
    ## option 2: group authorization, if primary users
    ## of a group are not listed in the group
    #Require ldap-group cn=testgroup,ou=groups,dc=example,dc=com
    #Require ldap-attribute gidNumber=10000
    #Satisfy any
    ## option 3: user authorization
    #Require ldap-user testuser
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8 223.1.2.0/24
</Location>
## ViewVC
<Location /viewvc/test>
    ## like above, but without DAV and SVNPath lines
</Location>
To restrict only read-write access to some user(s) or groups and have anonymous read-only access, put this <LimitExcept> directive around the Require directives in the examples above:
Excerpt: /etc/apache2/svn/test
<LimitExcept GET PROPFIND OPTIONS REPORT>
    ## only this user/group has read-write access:
    Require ...
</LimitExcept>
If you want to restrict read-only and read-write access to different users and/or groups, the <Limit> directive will be helpful. This extension of the previous example seems to work:
Excerpt: /etc/apache2/svn/test
<Limit GET PROPFIND OPTIONS REPORT>
    ## only this user/group has read-only(!) access:
    Require ...
</Limit>
<LimitExcept GET PROPFIND OPTIONS REPORT>
    ## only this user/group has read-write(!) access:
    Require ...
</LimitExcept>
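The following Python model is an added example, not part of the original HOWTO and not Apache code: it reproduces the three layers of the /etc/apache2/svn/test policy above (host ACL with "Order deny,allow" plus "Deny from all", the read/write method split of <Limit>/<LimitExcept>, and a "Require user" list) so you can check which requests the intended configuration admits before deploying it. It assumes Apache's default "Satisfy all" and user names in the form mod_auth_kerb presents them (principal with realm); the sample requests are constructed.

```python
import ipaddress

# Method list from the <Limit>/<LimitExcept> lines in the HOWTO; every other
# method (MKACTIVITY, CHECKOUT, PUT, MERGE, ...) is a write in Subversion's DAV protocol.
READ_METHODS = {"GET", "PROPFIND", "OPTIONS", "REPORT"}


class LocationPolicy:
    """Model of one <Location> block: host ACL plus a Require list per method class."""

    def __init__(self, allow_from, rw_users, ro_users=None):
        # "Order deny,allow" with "Deny from all": only hosts on the Allow list pass.
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_from]
        self.rw_users = set(rw_users)                      # Require inside <LimitExcept>
        self.ro_users = None if ro_users is None else set(ro_users)  # Require inside <Limit>

    def host_allowed(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.allow_nets)

    def decide(self, client_ip, method, user=None):
        """Return 'allow', 'deny-host', 'auth-required' or 'deny-user'.

        Assumes the default "Satisfy all": host check and Require must both pass."""
        if not self.host_allowed(client_ip):
            return "deny-host"
        required = self.ro_users if method in READ_METHODS else self.rw_users
        if required is None:            # no Require for this method class: anonymous is fine
            return "allow"
        if user is None:
            return "auth-required"
        return "allow" if user in required else "deny-user"


# Constructed instance of "option 1" wrapped in <LimitExcept>: anonymous read-only
# access from the allowed networks, read-write only for testuser@EXAMPLE.COM.
TEST_REPO = LocationPolicy(
    allow_from=["127.0.0.0/8", "223.1.2.0/24"],
    rw_users=["testuser@EXAMPLE.COM"],
)

if __name__ == "__main__":
    for ip, method, user in [
        ("223.1.2.42", "GET", None),                           # anonymous checkout
        ("223.1.2.42", "MKACTIVITY", None),                    # unauthenticated commit
        ("223.1.2.42", "MKACTIVITY", "testuser@EXAMPLE.COM"),  # permitted committer
        ("223.1.2.42", "MKACTIVITY", "other@EXAMPLE.COM"),     # authenticated, not listed
        ("10.0.0.5", "GET", None),                             # host outside Allow from
    ]:
        print(f"{ip:>12} {method:<10} {str(user):<22} -> {TEST_REPO.decide(ip, method, user)}")
```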
To enable the repository configuration reload the server configuration:
# /etc/init.d/apache2 reload
The manual of Apache2 is now available under https://server.example.com/manual, the SVN repository under https://server.example.com/svn/test and ViewVC under https://server.example.com/viewvc/test.
Networking Requirements
Prerequisite: Shorewall
To allow users to access the webserver, add the following to Shorewall's configuration and restart it:
Excerpt: /etc/shorewall/rules
# HTTP/HTTPS
#
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 443
#
# shorewall restart