Configuring Subversion access via Apache on the Revision Control appliance

The following is the first guest blog post by Adrian Moya, a web developer and open source evangelist. He took first place in the TurnKey Development contest, 2010. See more of Adrian's work on his website.

The TurnKey Revision Control appliance offers a quick version control server with 4 well-known tools for the job: Subversion, Git, Bazaar and Mercurial. Personally, I use it mostly for Subversion and Git. Although it's preconfigured with the most useful settings, I miss being able to access SVN over the http protocol (through Apache). In this post I'll explain the procedure to add this feature:

1. Access the server via SSH (or via webshell in a browser at https://server-ip:12320) and log in as root using the password you set up when you installed the appliance.

2. First we need to install the Apache module that provides SVN integration. Do so by executing the following commands:

apt-get update
apt-get install libapache2-svn

3. Next, we create a file to store the users and hashed passwords used to access the Subversion repositories. The file will be created in /etc/subversion and we will call it svn-auth-file.

We'll use htpasswd, Apache's tool for creating user files. With the -cm options we create the file for the first time (-c) and store the password as an MD5-based hash (-m). To add additional users we use just -m, because -c would overwrite the existing file. The tool will ask for the user's password twice. We can check the generated file and its content to see the list of users created.

htpasswd -cm /etc/subversion/svn-auth-file user1
htpasswd -m /etc/subversion/svn-auth-file user2

4. Now, let's edit the websvn site settings in Apache to add security using our newly created file. We edit the file /etc/apache2/conf.d/websvn and add 4 lines (the Auth* and Require lines). The file should look like the following:

Alias /svn /usr/share/websvn
<Directory /usr/share/websvn>
  DirectoryIndex index.php
  Options FollowSymLinks
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/subversion/svn-auth-file
  Require valid-user
</Directory>

5. We will configure Apache to access the repositories. For that, we create and edit the file /etc/apache2/conf.d/svnprivate with the following content:

<Location /svn-private>
  DAV svn
  SVNParentPath /srv/repos/svn/
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/subversion/svn-auth-file
  Require valid-user
</Location>

6. We reload Apache's settings so the changes take effect. We must also give Apache ownership of the Subversion repo files, found at /srv/repos/svn.

service apache2 reload
chown -R www-data:www-data /srv/repos/svn/

7. We can now access our repositories. Try it by opening the URL http://server-ip/svn-private/reponame in your web browser. You'll get the standard Apache dialog asking for user and password. Input your credentials and you'll be able to browse the repository. Note that Basic authentication over plain http sends the password unencrypted; the next section adds https.

Adding Secure Access SSL (https)

If we try to do a checkout using the svn client via https, we'll get the following error:

"Server certificate was missing commonName attribute in subject name"

To access a repository over https, the svn client requires the server's certificate to have the commonName attribute, which is empty in the default certificate. So we need to create a new certificate that contains that attribute. We can do that with the following commands (I'll use an FQDN of svn.example.com as an example):

1. Install the openssl tools:

apt-get install openssl

2. We create the certificate key using the FQDN as the name (so we know that the certificate belongs to that domain):

openssl genrsa 4096 > /etc/ssl/private/svn.example.com.key

3. Generate the certificate, and be sure to enter a value for the commonName attribute when asked. You can put the FQDN there (svn.example.com).

openssl req -new -key /etc/ssl/private/svn.example.com.key -x509 -days 365 -out /etc/ssl/certs/svn.example.com.pem

4. Edit the file /etc/apache2/sites-available/default-ssl and set the certificate settings to use our newly created certificate files. You'll have to modify the following lines:

SSLCertificateFile    /etc/ssl/certs/svn.example.com.pem
SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key

5. Disable and enable the default-ssl site so it picks up the changes, and tell Apache to reload:

a2dissite default-ssl
a2ensite default-ssl
service apache2 reload

Now, the first time you access the repo via https, the client will alert you that the certificate is not from a trusted authority. Just accept the certificate permanently. The next time you try to access it you'll be prompted for the user name and password and you'll be able to obtain the code.
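
The certificate steps above can also be scripted so that commonName is never left empty and is verified before Apache is pointed at the file. This is an added example, not part of the original post: the function names are hypothetical, and the SHA-1 fingerprint assumes that is the digest your svn client shows when it asks whether to accept the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# certificate steps. Function names are hypothetical; svn.example.com is the
# post's example FQDN.

# make_cert FQDN KEYFILE CERTFILE [BITS]
# Same genrsa + req steps as in the post, but the subject is passed with -subj
# so commonName cannot be left empty. umask keeps the key readable by its owner only.
make_cert() {
    fqdn=$1 key=$2 cert=$3 bits=${4:-4096}
    ( umask 077 && openssl genrsa -out "$key" "$bits" ) 2>/dev/null || return 1
    openssl req -new -key "$key" -x509 -days 365 -subj "/CN=$fqdn" -out "$cert"
}

# cert_cn CERTFILE: print the commonName, or nothing if the subject has none.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject=[[:space:]]*//' | tr ',' '\n' |
        sed -n 's/^CN=//p' | head -n 1
}

# check_cert CERTFILE FQDN: succeed only if commonName equals FQDN.
check_cert() {
    cn=$(cert_cn "$1")
    if [ -z "$cn" ]; then
        echo "FAIL: $1 has no commonName" >&2
        return 1
    elif [ "$cn" != "$2" ]; then
        echo "FAIL: commonName '$cn' does not match '$2'" >&2
        return 1
    fi
    echo "OK: commonName=$cn"
}

# cert_fingerprint CERTFILE: SHA-1 fingerprint, to compare with the one the
# svn client prints before you accept the certificate (assumed to be SHA-1).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Usage on the appliance, as root:
#   make_cert svn.example.com /etc/ssl/private/svn.example.com.key \
#             /etc/ssl/certs/svn.example.com.pem
#   check_cert /etc/ssl/certs/svn.example.com.pem svn.example.com
#   cert_fingerprint /etc/ssl/certs/svn.example.com.pem
```

Running check_cert against the appliance's default certificate should reproduce the missing-commonName condition as a FAIL line before any svn client hits it.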

You can check this post in Spanish here