RHEL5 svn+https

Introduction

Here are the steps I took to install Subversion over https on RHEL5.

Requirements

You will need mod_dav_svn in order to use Apache authentication for subversion repositories and mod_ssl for Apache over SSL to configure https+svn.

To install these if you are using the Apache RPM provided by RedHat Network: yum install mod_ssl mod_dav_svn

You will then need to reload Apache.

Check config for errors: httpd -t

Reload service: service httpd reload

Apache configuration

By default, mod_ssl adds its configuration as /etc/httpd/conf.d/ssl.conf and includes a default localhost certificate with generic information. You can create a self-signed cert if you like or purchase a valid certificate.

I configured a virtual host to handle the subversion repository. Here is a copy of my virtual host stanza.

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html
    ServerName svn.example.com
    ErrorLog logs/svn.example.com-error_log
    CustomLog logs/svn.example.com-access_log common

    <Location />
        DAV svn
        SVNParentPath /path/to/repo/
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile /path/to/svn-auth-file
        Require valid-user
        AuthzSVNAccessFile /path/to/svn-policy-file
    </Location>
</VirtualHost>

SVN Policy File

The policy file is located at /path/to/svn-policy-file. The access file below will allow every authenticated user read access for a listing of all the repos. After selecting repo1, user1 and user2 will be able to view the entire repo1, but user3 and user4 cannot.

[groups]
admins = admin1, admin2, admin3

[/:/]
@admins = rw
* = r

[repo1:/]
@admins = r
user1 = r
user2 = r

[repo2:/]
@admins = r
user3 = r
user4 = r

Apache Basic Authentication File

Finally we need to create an Apache authentication file for access to the subversion repository. Each command prompts for that user's password.

htpasswd -cm /path/to/svn-auth-file user1
htpasswd -m /path/to/svn-auth-file user2
htpasswd -m /path/to/svn-auth-file user3
htpasswd -m /path/to/svn-auth-file user4

Note: Only the first command has the -c option to create the file! Running -c against an existing file overwrites it.

SELinux

I found this great post explaining how to get mod_svn, subversion and selinux all working together.

SELinux, Subversion and mod_svn

Excellent SELinux troubleshooting explained: http://www.threepillarglobal.com/troubleshooting-selinux-issues

Here’s what happened to me. I wanted to put my repository in a partition that was not under /var, which is where Apache stores its DocumentRoot by default. Knowing that files need a particular SELinux context to work correctly under Apache, I edited the security context to be the same as the /var/www/html directory, which is the default directory.

chcon -R --reference=/var/www/html /path/to/repo

I was still getting SELinux errors and a permission denied. All UNIX permissions were correct, so I knew it was still SELinux. Looking at the audit.log errors, I noticed that, similar to UNIX permissions, SELinux permissions are inherited, and the permissions have to be correct going up to / as well as going down to /path/to/repo. That led me to check the SELinux permissions on /data, which is the partition I wanted my data on.

It was the SELinux permissions on /data that were preventing Apache from working properly. To resolve this I did the following:

chcon --reference=/var /data

NOTE: Make sure this change doesn’t break any other application that may be accessing files or using /data as its partition.
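The troubleshooting above boils down to two checks: read the httpd denials out of audit.log, then look at the SELinux context of every directory between / and the repository. The script below is an added example, not part of the original post; the function names, the /data/svn/repo1 path and the audit lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Sample paths and log lines are constructed.

# Print every directory from / down to an absolute path, one per line.
path_chain() {
    case $1 in /*) ;; *) echo "absolute path required" >&2; return 1 ;; esac
    p=${1%/}; [ -n "$p" ] || p=/
    chain=$p
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done
    printf '%s\n' "$chain"
}

# Show the SELinux context of each directory in the chain (needs an SELinux host).
show_contexts() {
    path_chain "$1" | while IFS= read -r d; do ls -dZ "$d"; done
}

# Read audit.log lines on stdin and summarise AVC denials raised by httpd:
# permission, object name, SELinux type of the object, object class.
httpd_denials() {
    grep 'comm="httpd"' | sed -n \
      's/.*denied  *{ \([^}]*\) } .* name="\([^"]*\)".* tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tclass=\([a-z_]*\).*/perm=\1 name=\2 type=\3 class=\4/p'
}

# Constructed sample: one httpd denial on the /data mount point, one unrelated denial.
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.101:41): avc:  denied  { search } for  pid=2301 comm="httpd" name="data" dev=sda5 ino=2 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1300000000.202:42): avc:  denied  { read } for  pid=2400 comm="logrotate" name="spool" dev=sda2 ino=77 scontext=root:system_r:logrotate_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# Only the httpd denial is reported.
printf '%s\n' "$SAMPLE_AUDIT" | httpd_denials
```

On the server, pipe /var/log/audit/audit.log into httpd_denials and run show_contexts on the repository path, then compare the denied name and type with the chain output to see which directory still needs relabelling.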

Now on to install redmine …
