In a previous post, I was trying to get communication with my Subversion repository secured (somehow...either over SSL or using SVN+SSH). Well, I finally did that...nearly a year ago...and forgot how.
Now, I have to do it again. Lesson learned: If you ever have to research how to do something, blog about it so that others can benefit and so you can repeat it.
Instead of using the binaries available on Tigris, this time I'm using the CollabNet package (version 1.4.6). They distribute a very nice and convenient installer that also includes and configures Apache for you (I de-selected the SVNSERVE option during installation because I don't intend to serve the repository through that channel).
This is a test installation that I'm preparing for a demo (still trying to convince my company to dump VSS, and now TFS, in favor of a system that works for all of the technologies, languages, and IDEs that we use). I instructed the installer to put Apache on "localhost" at port 8080; after all, I'm a Windows developer who works with Web applications, so I need to keep IIS available on port 80.
When the installer completes, open the Services console and start the Apache daemon. Browse to http://localhost:8080 as a sanity test just to make sure that Apache is, in fact, running and configured correctly (at this stage, at least - we still need to configure a repository and tell Apache where it is).
Next, create a test repository with the following command (the repository name "test1" isn't important; it will be deleted later once the setup is verified. The repository path C:\Repositories is the repository root I gave to the CollabNet installer).
svnadmin create C:\Repositories\test1
Now I should be able to access the repository at http://localhost:8080/svn/test1, and "WOO-HOO!!!", I can. The browser shows me "Revision 0: /", just as it should.
The information found at http://www.neilstuff.com/apache/apache2-ssl-windows.htm (Create Self-Signed Certificate and Enable SSL in Apache 2.0.X) helped me get the SSL working (later I found this as well). I found that I didn't need to install OpenSSL since the CollabNet distribution came with it (it is in the httpd subdirectory of the installation directory), but I did need an OpenSSL.cnf configuration file (here and here). I also didn't need to install Apache since that was done by the CollabNet installation.
So now that I am able to access the repository through either http://localhost:8080/svn/test1 or https://localhost/svn/test1, I want to force access through SSL and disallow any access on port 8080. There's no use serving an encrypted version if the same content will also be served in plaintext.
Edit the httpd/conf/httpd.conf file (relative to the CollabNet installation directory) to contain the following lines:
<Location />
    SSLRequireSSL
</Location>
Now http://localhost:8080 returns Forbidden, but https://localhost gives the Apache installation page. Great, so everything is encrypted over the wire, but we're still allowing everyone (anonymous) access. Moving along...
This page gives instructions on setting up the Apache server to use SSPI (Windows) or Basic (password file) authentication, or a combination of both of them working together (e.g., to support internal development staff as well as external contributors for whom you might not want to create Windows accounts). Note that there is an error in the "Multiple Authentication Sources" section. The advice given says that both AuthAuthoritative and SSPIAuthoritative should be Off, although the example shown states "SSPIAuthoritative On". This should, in fact, be "SSPIAuthoritative Off".
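A quick check for the two settings discussed above, as an added example that is not part of the original post or of the linked instructions: it reads the <Location> blocks of an httpd.conf and reports any "DAV svn" location that SSLRequireSSL does not cover, or that combines SSPI with a password file without both SSPIAuthoritative and AuthAuthoritative set to Off. The sample configuration is constructed, and the check assumes that SSPIAuth and AuthUserFile are the directives marking the two authentication sources.

```python
import re

# Constructed sample (not from the post); it repeats the "SSPIAuthoritative On" error.
SAMPLE_CONF = """\
<Location />
    SSLRequireSSL
</Location>
<Location /svn>
    DAV svn
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    AuthType Basic
    AuthAuthoritative Off
    AuthUserFile passwd
</Location>
"""

def parse_locations(conf):
    """Map each <Location> path to {lower-cased directive: arguments}."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r'<Location\s+"?([^\s">]+)"?\s*>$', line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif re.match(r"</Location\s*>$", line, re.I):
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, *args = line.split(None, 1)
            current[name.lower()] = args[0] if args else ""
    return blocks

def covers(parent, child):
    """True when <Location parent> also applies to URL path child."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def audit(conf):
    """Return findings for every 'DAV svn' location (only <Location> is read)."""
    blocks, findings = parse_locations(conf), []
    for path, d in blocks.items():
        if d.get("dav", "").lower() != "svn":
            continue
        if not any("sslrequiressl" in b for p, b in blocks.items() if covers(p, path)):
            findings.append(f"{path}: SSLRequireSSL does not apply")
        if "sspiauth" in d and "authuserfile" in d:  # SSPI plus a password file
            for key in ("sspiauthoritative", "authauthoritative"):
                if d.get(key, "").lower() != "off":
                    findings.append(f"{path}: {key} is not Off")
    return findings
```

Call audit() with the text of httpd/conf/httpd.conf; an empty list means both checks passed for every repository location. Settings placed in <Directory> or <VirtualHost> sections are not examined.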