Building a more secure SVN server with Apache + SSL
SVN is the version-control tool used in most software companies; its internals are not covered here. What follows is a detailed, Linux-based configuration of an SVN server accessed over SSL (Subversion served through Apache's mod_dav_svn over HTTPS).
I. Server environment
[root@localhost ~]# cat /etc/issue #OS version
CentOS release 5.5 (Final)
Kernel \r on an \m
[root@localhost ~]# uname -a #kernel version
Linux localhost 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux
[root@rac02 ~]# getconf LONG_BIT #OS word size
32
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 #server IP
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.163.255
HWADDR=00:0C:29:DC:1B:67
IPADDR=192.168.163.45
NETMASK=255.255.255.0
NETWORK=192.168.163.0
ONBOOT=yes
II. Building the SSL SVN server requires installing openssl, apr, apr-util, httpd, sqlite, neon and subversion
step1: install openssl (download: http://www.openssl.org/source/)
[root@localhost svn]# wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz
[root@localhost svn]# tar zxvf openssl-1.0.0g.tar.gz
[root@localhost svn]# cd openssl-1.0.0g
[root@localhost openssl-1.0.0g]# ./config #configure for this platform before building; the default install prefix is /usr/local/ssl
[root@localhost openssl-1.0.0g]# make
[root@localhost openssl-1.0.0g]# make install
[root@localhost openssl-1.0.0g]# cp /usr/local/ssl/bin/openssl /usr/bin/ #replace the system's default openssl command with the new one
[root@localhost openssl-1.0.0g]# openssl version
OpenSSL 1.0.0g 18 Jan 2012
Note: the system normally ships with openssl already installed and many packages depend on it, so do not uninstall it; build and install the new version alongside it, or simply use the system version. Copying the binary over /usr/bin/openssl replaces only the command-line tool; the distro's libssl and libcrypto used by other programs are untouched. For a new build, take the latest release of a supported branch rather than the 1.0.0g shown here.
step2: apr and apr-util must be installed before building httpd from source
[root@localhost svn]# service httpd stop #stop the distro's httpd service, or remove it with yum erase httpd
[root@localhost svn]# chkconfig httpd off #if it is not removed, keep it from starting at boot
Install apr
[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//apr/apr-1.4.6.tar.gz
[root@localhost svn]# tar zxvf apr-1.4.6.tar.gz
[root@localhost svn]# cd apr-1.4.6
[root@localhost apr-1.4.6]# ./configure
[root@localhost apr-1.4.6]# make && make install #produces apr-1-config under /usr/local/apr/bin/
Install apr-util
[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//apr/apr-util-1.4.1.tar.gz
[root@localhost svn]# tar zxvf apr-util-1.4.1.tar.gz
[root@localhost svn]# cd apr-util-1.4.1
[root@localhost apr-util-1.4.1]# ./configure --with-apr=/usr/local/apr/bin/apr-1-config #the apr location must be given, otherwise configure fails
[root@localhost apr-util-1.4.1]# make && make install #produces apu-1-config under /usr/local/apr/bin/
Install httpd
[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//httpd/httpd-2.2.22.tar.gz
[root@localhost svn]# tar zxvf httpd-2.2.22.tar.gz
[root@localhost svn]# cd httpd-2.2.22
[root@localhost httpd-2.2.22]# ./configure --prefix=/usr/local/apache --enable-rewrite --enable-so --enable-dav --enable-dav-fs --enable-dav-lock --enable-ssl --with-ssl=/usr/local/ssl/ --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr/bin/apu-1-config --enable-mods-shared=all
[root@localhost httpd-2.2.22]# make
[root@localhost httpd-2.2.22]# make install
Note: when building httpd-2.0 and pointing ./configure at these apr and apr-util directories, make fails; the httpd-2.0.x releases do not support apr 1.x.
reference: https://issues.apache.org/bugzilla/show_bug.cgi?id=37573
The ./configure options used above are not explained here; run ./configure --help to see what each one does.
step3: sqlite and neon must be installed before building svn from source
Install sqlite
[root@localhost svn]# tar zxvf sqlite-amalgamation-3.6.13.tar.gz
[root@localhost svn]# cd sqlite-3.6.13/
[root@localhost sqlite-3.6.13]# ./configure --prefix=/usr/local/sqlite
[root@localhost sqlite-3.6.13]# make && make install
[root@localhost sqlite]# cp /usr/local/sqlite/bin/sqlite3 /usr/bin/
[root@localhost sqlite]# sqlite3 #the banner should show the newly installed version
SQLite version 3.6.13
Install neon
neon is an HTTP and WebDAV client library; Subversion uses it for http:// and https:// access (the distro's default version is neon 0.25.5)
[root@localhost svn]# wget http://www.webdav.org/neon/neon-0.29.6.tar.gz
[root@localhost svn]# tar zxvf neon-0.29.6.tar.gz
[root@localhost svn]# cd neon-0.29.6
[root@localhost neon-0.29.6]# ./configure --enable-shared --with-ssl --with-libs=/usr/local/ssl/lib --enable-webdav #configure's summary should report that SSL support is enabled
[root@localhost neon-0.29.6]# make
[root@localhost neon-0.29.6]# make install
[root@localhost /]# neon-config --version #check the installed version
neon 0.29.6
Install svn
The distro's default subversion is version 1.4.2 (check with svn --version) and must be removed
[root@localhost svn]# yum erase subversion #remove the distro's subversion package
[root@localhost svn]# wget http://subversion.tigris.org/downloads/subversion-1.6.18.tar.gz
[root@localhost svn]# tar zxvf subversion-1.6.18.tar.gz
[root@localhost svn]# cd subversion-1.6.18
[root@localhost subversion-1.6.18]# ./configure --prefix=/usr/local/svn \
--with-apxs=/usr/local/apache/bin/apxs \
--with-apr=/usr/local/apr/bin/apr-1-config \
--with-apr-util=/usr/local/apr/bin/apu-1-config \
--with-ssl=/usr/local/ssl --with-neon=/usr/local/bin/neon-config \
--with-sqlite=/usr/local/sqlite --enable-option-checking
[root@localhost subversion-1.6.18]# make
[root@localhost subversion-1.6.18]# make install
[root@localhost subversion-1.6.18]# cp /usr/local/svn/lib/* /usr/lib/
[root@localhost subversion-1.6.18]# cp /usr/local/svn/bin/* /usr/bin/
[root@localhost bin]# svn --version #check the svn version
svn, version 1.6.18 (r1303927)
III. Configuring SVN
step1: edit httpd.conf and make sure the following are in place
[root@localhost bin]# vi /usr/local/apache/conf/httpd.conf
.......
Include conf/extra/httpd-dav.conf #remove the leading #
Include conf/extra/httpd-ssl.conf #remove the leading #
.......
#the following modules must be loaded; they exist because of the options passed to ./configure when httpd was built (mod_dav_svn and mod_authz_svn come from the subversion build)
LoadModule ssl_module modules/mod_ssl.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_lock_module modules/mod_dav_lock.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
...
...
...
#######################################
#This section is optional. A <Location> placed here in httpd.conf applies to every virtual host, so the repository is reachable over both http (port 80) and https (port 443).
#Without SSLRequireSSL, Basic authentication sends the username and password base64-encoded, not encrypted, and the repository contents travel in cleartext over port 80.
<Location /repos>
DAV svn
SVNPath /svn/repos
AuthzSVNAccessFile /usr/local/svn/svn-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /usr/local/svn/svn-auth-conf
Require valid-user
SSLRequireSSL #with this line, only https access is allowed
</Location>
#######################################
:wq
Note: if the repository, password-file and access-file settings appear in both httpd.conf and httpd-dav.conf, the repository is served over both http and https; adding SSLRequireSSL in httpd.conf restricts it to https only. The Basic-auth credentials and the repository contents are exactly what the SSL setup is meant to protect, so keep SSLRequireSSL (or do not listen on port 80 at all) unless plain http is really needed.
step2: edit /usr/local/apache/conf/extra/httpd-dav.conf to set the repository path and the password-file and access-control-file paths
[root@localhost extra]# cp httpd-dav.conf httpd-dav.conf.bk #back it up first
[root@localhost extra]# vi httpd-dav.conf #edit httpd-dav.conf and append the following at the end
....
....
#for svn.
<Location /repos>
DAV svn
SVNPath /svn/repos
AuthzSVNAccessFile /usr/local/svn/svn-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /usr/local/svn/svn-auth-conf
Require valid-user
</Location>
:wq
Save and exit. Next, configure SSL so that the transport is encrypted.
step3: create the SSL certificate files. Getting the certificate files right is the critical part of a working SSL SVN setup.
[root@localhost conf]# pwd #create the certificate files in /usr/local/apache/conf, because /usr/local/apache/conf/extra/httpd-ssl.conf points at certificate paths under /usr/local/apache/conf
/usr/local/apache/conf
1) generate the private key and the certificate signing request
[root@localhost conf]# openssl req -new > server.crt.csr #writes the key to privkey.pem; the default here is a 1024-bit key, which is below the 2048-bit minimum current clients and CAs expect, so pass -newkey rsa:2048 for a new deployment
Generating a 1024 bit RSA private key
............++++++
.........................................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:firefly
Verifying - Enter PEM pass phrase: firefly
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tydic
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:localhost #the server's FQDN or IP address; it must match what clients put in the URL (https://192.168.163.45/... below), or every client gets a name-mismatch warning
Email Address []:firefly@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:firefly
An optional company name []:firefly
2) strip the passphrase from the key so Apache can start without a prompt. The resulting server.key is unencrypted, so it must be readable by root only (chmod 600 server.key); anyone who can read it can impersonate the server.
[root@localhost conf]# openssl rsa -in privkey.pem -out server.key
Enter pass phrase for privkey.pem: firefly
writing RSA key
3) turn the request into the certificate server.crt, i.e. self-sign it with the key just generated
[root@localhost conf]# openssl x509 -in server.crt.csr -out server.crt -req -signkey server.key -days 365 #certificate valid for one year
Signature ok
subject=/C=CN/ST=GD/L=SZ/O=tydic/OU=IT/CN=localhost/emailAddress=tanggh@tydic.com
Getting Private key
Note: if the certificate filenames or paths differ from the above, adjust /usr/local/apache/conf/extra/httpd-ssl.conf to match.
The certificate procedure is also described on the project site: http://www.apache-ssl.org/
#############################################################
The certificate can also be produced in the following three steps
1) generate the key server.key
[root@localhost conf]# openssl genrsa 1024 > server.key #1024 bits as in the transcript; use 2048 for a new deployment
Generating RSA private key, 1024 bit long modulus
..................++++++
.........................................++++++
e is 65537 (0x10001)
2) generate the certificate request server.csr.crt
[root@localhost conf]# openssl req -new -key server.key > server.csr.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tydic
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:tanggh@tydic.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tghfly
An optional company name []:tghfly
3) generate the certificate server.crt from the key and the request
[root@localhost conf]# openssl req -x509 -days 365 -key server.key -in server.csr.crt > server.crt
#############################################################
[root@localhost conf]# ../bin/apachectl -t #check the apache configuration syntax
Syntax OK
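The transcript above builds a 1024-bit key, strips its passphrase and self-signs the request in three separate commands. As an added example (not from the original page), the script below does the same job in one step with the settings a current deployment needs: a 2048-bit key written without a passphrase under a restrictive umask, a SHA-256 self-signed certificate that carries the hostname as a subjectAltName (recent browsers ignore the CN alone), a check that key and certificate actually belong together, and the SHA-256 fingerprint that users should compare out of band when they first accept the certificate. The target directory, the hostname svn.example.com and the function names are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate for mod_ssl, a hardened form of the page's three-step procedure.
# Assumptions: openssl on PATH; DIR is the directory httpd-ssl.conf points at (e.g. /usr/local/apache/conf).

# make_self_signed DIR CN: writes DIR/server.key (mode 0600) and DIR/server.crt (mode 0644)
make_self_signed() {
    dir=$1
    cn=$2
    cnf="$dir/server.cnf"
    # minimal req config: no interactive prompts, CN plus a DNS subjectAltName for the same name
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = DNS:$cn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: unencrypted key so httpd can start unattended; umask 077 so the key is never world-readable
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cnf" -keyout "$dir/server.key" -out "$dir/server.crt")
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
    rm -f "$cnf"
}

# key_matches_cert KEY CRT: exit 0 only if the RSA modulus is identical in key and certificate
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_fingerprint CRT: SHA-256 fingerprint (colon-separated hex) to hand to users for verification
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Usage: sh mkcert.sh /usr/local/apache/conf svn.example.com
if [ "$#" -eq 2 ]; then
    make_self_signed "$1" "$2"
    key_matches_cert "$1/server.key" "$1/server.crt" || { echo "key/cert mismatch" >&2; exit 1; }
    echo "fingerprint: $(cert_fingerprint "$1/server.crt")"
fi
```

Publish the printed fingerprint where users can find it (wiki, intranet page); a browser or svn client that shows a different fingerprint on first connection is talking to something other than this server.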
step4: create the svn users and the password file svn-auth-conf. htpasswd -m stores salted MD5-crypt (apr1) hashes rather than the passwords themselves, so entries cannot simply be typed into svn-auth-conf by hand
[root@localhost bin]# cd /usr/local/apache/bin
[root@localhost bin]# ./htpasswd -cm /usr/local/svn/svn-auth-conf tgh # -c creates the password file; omit it for every further user, because -c truncates an existing file
New password:
Re-type new password:
Adding password for user tgh
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf aa
New password:
Re-type new password:
Adding password for user aa
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf bb
New password:
Re-type new password:
Adding password for user bb
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf cc
New password:
Re-type new password:
Adding password for user cc
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf dd
New password:
Re-type new password:
Adding password for user dd
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf firefly
New password:
Re-type new password:
Adding password for user firefly
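htpasswd -m writes apr1 entries, i.e. salted 1000-round MD5-crypt, which is what the AuthUserFile above contains. As an added example (not from the original page), the functions below produce and verify the same format with openssl passwd -apr1, so that users can be added from a script without the password appearing on the command line (htpasswd -b would expose it in ps output and shell history), an existing entry is replaced rather than duplicated, and a stored hash can be checked against a candidate password, which httpd 2.2's htpasswd cannot do. The file path and user names are assumptions; the file must stay readable by the daemon user Apache runs as and by nobody else.

```shell
#!/bin/sh
# Added example: maintain an AuthUserFile in apr1 (MD5-crypt) format with openssl instead of htpasswd.
# Assumptions: openssl on PATH. In production also chown root:daemon the file so only root and httpd can read it.

# svn_add_user FILE USER   (password read from stdin, one line): adds or replaces the user's entry
svn_add_user() {
    file=$1
    user=$2
    # -stdin keeps the password out of argv; openssl picks a random salt
    hash=$(openssl passwd -apr1 -stdin)
    [ -n "$hash" ] || return 1
    tmp="$file.tmp.$$"
    # keep every other user's line, drop any previous line for this user
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$tmp"
    chmod 640 "$tmp"
    mv "$tmp" "$file"
}

# svn_has_user FILE USER: exit 0 if an entry for USER exists
svn_has_user() {
    grep -q "^$2:" "$1"
}

# svn_check_password FILE USER   (candidate password on stdin): exit 0 if it matches the stored hash
svn_check_password() {
    stored=$(grep "^$2:" "$1" | head -n 1 | cut -d: -f2)
    [ -n "$stored" ] || return 1
    # apr1 entries look like $apr1$<salt>$<digest>; re-hash with the same salt and compare the whole string
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# Usage: printf '%s\n' "$PASSWORD" | sh svnuser.sh /usr/local/svn/svn-auth-conf alice
if [ "$#" -eq 2 ]; then
    svn_add_user "$1" "$2" && echo "updated $2 in $1"
fi
```

Because the salt is stored in the clear, anyone who can read svn-auth-conf can run an offline dictionary attack against it, which is why the file permissions matter as much as the hash format.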
step5: create the access-control file and set each user's permissions
[root@localhost bin]# vi /usr/local/svn/svn-acl-conf
[groups]
staff = aa, bb, cc, dd
[/]
tgh = rw
firefly = rw
@staff = rw
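The access file above gives every listed user rw on /, so one compromised staff account can rewrite the whole repository, history included. As an added example (not from the original page), the file below uses the same mod_authz_svn syntax with least privilege: no access by default for anyone not listed, each team writing only inside its own tree, and tags writable only by a release role. The groups and paths are assumptions built on the user names and project directories used elsewhere on this page. The most specific matching path section decides, and a group member's permissions can only be widened by a more specific rule, not narrowed below the group's.

```ini
# Added example: least-privilege svn-acl-conf (mod_authz_svn syntax); not the page's own file.
# Groups and paths are assumptions; paths are relative to the repository root given by SVNPath.
[groups]
admins  = tgh
bi      = aa, bb
crm     = cc, dd
release = firefly

# Default for the whole tree: nobody gets anything unless a more specific section grants it.
# "* =" covers every user, including anonymous ones should Require ever be relaxed.
[/]
* =
@admins = rw

# Teams may read the project layout; only admins write at this level.
[/projects]
@bi  = r
@crm = r
@release = r

# Each team writes only inside its own tree.
[/projects/bi_projects]
@bi = rw

[/projects/crm_projects]
@crm = rw

# Tags are released artefacts: readable by all teams, writable only by the release role.
[/tags]
@bi  = r
@crm = r
@release = rw
```

With this file, a user without read access to / gets 403 when opening https://192.168.163.45/repos in a browser; point such users at the subtree they are allowed to read (https://192.168.163.45/repos/projects) for checkouts.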
step6: set up the svn repository
[root@localhost ~]# mkdir /svn
[root@localhost svn]# svnadmin create /svn/repos
[root@localhost svn]# chmod -R 755 /svn #directory permissions; 755 is world-readable, so on a shared host prefer 750 (only the daemon user and group need access)
[root@localhost ~]# chown -R daemon:daemon /svn/ #change owner and group to daemon, the user Apache runs as; otherwise clients get permission errors on commit
[root@localhost svn]# cd /usr/local/apache/bin
[root@localhost svn]# ./apachectl start
After these steps, open https://192.168.163.45/repos in a browser (IE was used here). The browser warns about the self-signed certificate; compare the fingerprint it shows with the fingerprint of server.crt as printed by openssl on the server before accepting it, then enter a username and password. A page reading repos - Revision 0: / means the SSL SVN setup works.
The SVN tree is hierarchical; here repos is the root, and several projects can be created beneath it. A client-side example follows.
Note: why is the svn directory given to the daemon group rather than apache or another group? Because httpd built from source runs as the user and group daemon configured in httpd.conf, whereas the distro's rpm httpd runs as apache.
step7: create a project, add several files to it and import it into the svn repository to demonstrate SVN usage
[root@localhost svn]# cd /tmp
[root@localhost tmp]# mkdir projects #create a project directory under /tmp
[root@localhost tmp]# cd projects/
[root@localhost projects]# mkdir bi_projects
[root@localhost projects]# mkdir crm_projects
[root@localhost project]# svn import /tmp/projects/ file:///svn/repos/projects -m "Initial repos for projects" #import the contents of projects into the svn repository. Done as root over file:///, this writes the new revision files inside /svn/repos as root, so re-run chown -R daemon:daemon /svn afterwards (or import over https:// as a normal svn user instead); otherwise later commits through Apache fail with permission errors
step8: start Apache automatically at boot
[root@localhost project]# echo "/usr/local/apache/bin/apachectl start" >> /etc/rc.d/rc.local #append the httpd start command to rc.local
step9: the client browser view