Apache+SSL搭建更安全的SVN服务器 

SVN作为代码版本管理工具,在软件公司都会用得到,其详细原理在此不作介绍。以下将详细介绍基于linux平台的SSL SVN服务器配置。

一、服务器环境

[root@localhost ~]# cat /etc/issue #系统版本
CentOS release 5.5 (Final)
Kernel \r on an \m

[root@localhost ~]# uname -a #内核版本
Linux localhost 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux

[root@rac02 ~]# getconf LONG_BIT #操作系统位数
32

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0  #服务器IP

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]

DEVICE=eth0

BOOTPROTO=static

BROADCAST=192.168.163.255

HWADDR=00:0C:29:DC:1B:67

IPADDR=192.168.163.45

NETMASK=255.255.255.0

NETWORK=192.168.163.0

ONBOOT=yes

二、搭建ssl svn服务器需要安装openssl,apr,apr-util,httpd,sqlite,neon,subversion

step1:安装openssl (下载地址:http://www.openssl.org/source/)

[root@localhost svn]# wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz

[root@localhost svn]# tar zxvf openssl-1.0.0g.tar.gz

[root@localhost svn]# cd openssl-1.0.0g

[root@localhost openssl-1.0.0g]# make

[root@localhost openssl-1.0.0g]# make install

[root@localhost openssl-1.0.0g]# cp /usr/local/ssl/bin/openssl /usr/bin/ #覆盖系统默认的openssl命令

[root@localhost openssl-1.0.0g]# openssl version

OpenSSL 1.0.0g 18 Jan 2012

备注:通常系统已默认安装openssl,并且与之依赖的包很多,可不卸载直接编译安装;或就用系统默认版本。 

step2:安装http源码包前需安装apr,apr-util

[root@localhost svn]# service httpd stop #停止系统默认的httpd服务,或通过yum erase httpd卸载

[root@localhost svn]# chkconfig httpd off #若不卸载,可设置开机不启动

安装apr

[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//apr/apr-1.4.6.tar.gz

[root@localhost svn]# tar zxvf apr-1.4.6.tar.gz

[root@localhost svn]# cd apr-1.4.6

[root@localhost apr-1.4.6]# ./configure

[root@localhost apr-1.4.6]# make && make install #在/usr/local/apr/bin/下生成apr-1-config

安装apr-util

[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//apr/apr-util-1.4.1.tar.gz

[root@localhost svn]# tar zxvf apr-util-1.4.1.tar.gz

[root@localhost svn]# cd apr-util-1.4.1

[root@localhost apr-util-1.4.1]# ./configure --with-apr=/usr/local/apr/bin/apr-1-config #需要指定apr位置,否则会报错

[root@localhost apr-util-1.4.1]# make && make install #在/usr/local/apr/bin/下生成apu-1-config

安装httpd

[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//httpd/httpd-2.2.22.tar.gz

[root@localhost svn]# tar zxvf httpd-2.2.22.tar.gz

[root@localhost svn]# cd httpd-2.2.22

[root@localhost httpd-2.2.22]#./configure --prefix=/usr/local/apache --enable-rewrite --enable-so --enable-dav --enable-dav-fs --enable-dav-lock --enable-ssl --with-ssl=/usr/local/ssl/ --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr/bin/apu-1-config --enable-mods-shared=all

[root@localhost httpd-2.2.22]# make

[root@localhost httpd-2.2.22]# make install 

备注:编译httpd-2.0时,若用./configure指定apr及apr-util目录,make会报错,因为httpd-2.0.x发行版不被apr 1.x支持

reference: https://issues.apache.org/bugzilla/show_bug.cgi?id=37573

使用./configure添加的参数在此不作详细说明,若不清楚如何加参数,可以用./configure --help查看

step3:svn源码包安装前需安装sqlite,neon

安装sqlite

[root@localhost svn]# tar zxvf sqlite-amalgamation-3.6.13.tar.gz

[root@localhost svn]# cd sqlite-3.6.13/

[root@localhost sqlite-3.6.13]# ./configure --prefix=/usr/local/sqlite

[root@localhost sqlite-3.6.13]# make && make install

[root@localhost sqlite]# cp /usr/local/sqlite/bin/sqlite3 /usr/bin/

[root@localhost sqlite]# sqlite3 #查看版本为新安装版本

SQLite version 3.6.13

安装neon

neon是一个http和WebDav客户端库,用于支持http或https协议方式访问(系统默认版本为neon 0.25.5)

[root@localhost svn]# wget http://www.webdav.org/neon/neon-0.29.6.tar.gz

[root@localhost svn]# tar zxvf neon-0.29.6.tar.gz

[root@localhost svn]# cd neon-0.29.6

[root@localhost neon-0.29.6]# ./configure --enable-shared --with-ssl --with-libs=/usr/local/ssl/lib --enable-webdav #配置完成后会提示已支持ssl

[root@localhost neon-0.29.6]# make

[root@localhost neon-0.29.6]# make install

[root@localhost /]# neon-config --version #查看安装后版本

neon 0.29.6

安装svn

系统默认安装的svn版本为1.4.2(可用 svn --version 查看),需先卸载

[root@localhost svn]# yum erase subversion #卸载系统默认安装的svn

[root@localhost svn]# wget http://subversion.tigris.org/downloads/subversion-1.6.18.tar.gz

[root@localhost svn]# tar zxvf subversion-1.6.18.tar.gz

[root@localhost svn]# cd subversion-1.6.18

[root@localhost subversion-1.6.18]# ./configure --prefix=/usr/local/svn \

--with-apxs=/usr/local/apache/bin/apxs \

--with-apr=/usr/local/apr/bin/apr-1-config \

--with-apr-util=/usr/local/apr/bin/apu-1-config \

--with-ssl=/usr/local/ssl --with-neon=/usr/local/bin/neon-config \

--with-sqlite=/usr/local/sqlite --enable-option-checking

[root@localhost subversion-1.6.18]# make

[root@localhost subversion-1.6.18]# make install

[root@localhost subversion-1.6.18]# cp /usr/local/svn/lib/* /usr/lib/

[root@localhost subversion-1.6.18]# cp /usr/local/svn/bin/* /usr/bin/

[root@localhost bin]# svn --version #查看svn版本 svn, version 1.6.18 (r1303927)

三、配置SVN

step1:修改httpd.conf,查看并确保已加载以下模块

[root@localhost bin]# vi /usr/local/apache/conf/httpd.conf

.......

Include conf/extra/httpd-dav.conf #将前面的#号去掉

Include conf/extra/httpd-ssl.conf #将前面的#号去掉

.......

#需要有以下模块支持,这是在编译httpd前加相关参数生成的

LoadModule ssl_module modules/mod_ssl.so

LoadModule dav_module modules/mod_dav.so

LoadModule dav_lock_module modules/mod_dav_lock.so

LoadModule dav_fs_module modules/mod_dav_fs.so

LoadModule dav_svn_module modules/mod_dav_svn.so

LoadModule authz_svn_module modules/mod_authz_svn.so

...

...

...

#######################################

#以下部分可不添加,若添加则同时支持http和https访问

#repository resides.

<Location /repos>

DAV svn

SVNPath /svn/repos

AuthzSVNAccessFile /usr/local/svn/svn-acl-conf

AuthType Basic

AuthName "Subversion repos"

AuthUserFile /usr/local/svn/svn-auth-conf

Require valid-user

#若增加下面这一行,则只能用https访问(httpd.conf不支持行尾注释,说明文字不要与指令写在同一行)
SSLRequireSSL

</Location>

#######################################

:wq

备注:若同时在httpd.conf和httpd-dav.conf中添加svn数据仓库及密码文件路径等,则可同时支持http及https访问,若在httpd.conf中增加了SSLRequireSSL,则只支持https访问。

step2: 编辑/usr/local/apache/conf/extra/httpd-dav.conf,指定数据仓库、密码文件/访问控制文件路径

[root@localhost extra]# cp httpd-dav.conf httpd-dav.conf.bk #先备份

[root@localhost extra]# vi httpd-dav.conf #修改httpd-dav.conf,在末尾添加以下内容

....

....

#for svn.

<Location /repos>

DAV svn

SVNPath /svn/repos

AuthzSVNAccessFile /usr/local/svn/svn-acl-conf

AuthType Basic

AuthName "Subversion repos"

AuthUserFile /usr/local/svn/svn-auth-conf

Require valid-user

</Location>

:wq

编辑完成后保存退出,接下来要配置ssl进行加密传输

step3:创建ssl证书文件,SSL SVN能否配置成功,创建证书文件很关键

[root@localhost conf]# pwd #在/usr/local/apache/conf目录下创建ssl证书文件,因为/usr/local/apache/conf/extra/httpd-ssl.conf文件中指定证书文件路径在/usr/local/apache/conf下

/usr/local/apache/conf

1)生成密钥key及证书请求request(下面示例生成的是1024位RSA密钥,按现今标准应至少使用2048位)

[root@localhost conf]# openssl req -new > server.crt.csr

Generating a 1024 bit RSA private key

............++++++

.........................................................................++++++

writing new private key to 'privkey.pem'

Enter PEM pass phrase:firefly

Verifying - Enter PEM pass phrase: firefly

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:GD

Locality Name (eg, city) []:SZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tydic

Organizational Unit Name (eg, section) []:IT

Common Name (e.g. server FQDN or YOUR name) []:localhost #服务器主机名,或用服务器IP(应与客户端访问时使用的地址一致,否则浏览器会提示证书名称不匹配)

Email Address []:firefly@126.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:firefly

An optional company name []:firefly

 

2)从key中去除密钥口令passphrase(这样Apache启动时无需人工输入口令;但去除口令后server.key是明文私钥,应限制该文件的读取权限以防泄露)。

[root@localhost conf]# openssl rsa -in privkey.pem -out server.key

Enter pass phrase for privkey.pem: firefly

writing RSA key

3)把证书请求转换成证书server.crt,即用生成的私钥对证书请求自签名生成证书(自签名证书未经CA签发,客户端首次访问时会提示证书不受信任)

[root@localhost conf]# openssl x509 -in server.crt.csr -out server.crt -req -signkey server.key -days 365 #证书有效时间为1年

Signature ok

subject=/C=CN/ST=GD/L=SZ/O=tydic/OU=IT/CN=localhost/emailAddress=tanggh@tydic.com

Getting Private key

备注:若创建的证书文件名及路径与上述不一致,可修改/usr/local/apache/conf/extra/httpd-ssl.conf中的相应配置

创建证书方法可参照官网:http://www.apache-ssl.org/

#############################################################

也可用以下三步生成证书

1) 生成密钥server.key

[root@localhost conf]# openssl genrsa 1024 > server.key

Generating RSA private key, 1024 bit long modulus

..................++++++

.........................................++++++

e is 65537 (0x10001)

2) 生成证书请求文件server.csr.crt

[root@localhost conf]# openssl req -new -key server.key > server.csr.crt

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:GD

Locality Name (eg, city) []:SZ

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tydic

Organizational Unit Name (eg, section) []:IT

Common Name (e.g. server FQDN or YOUR name) []:localhost

Email Address []:tanggh@tydic.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:tghfly

An optional company name []:tghfly

3) 根据密钥及证书请求文件生成证书server.crt

[root@localhost conf]# openssl req -x509 -days 365 -key server.key -in server.csr.crt > server.crt

#############################################################

 

[root@localhost conf]# ../bin/apachectl -t #检查apache配置文件语法

Syntax OK

step4:创建svn用户及密码文件svn-auth-conf,密码经过MD5哈希处理(而非明文存储),所以不能直接往svn-auth-conf中手工添加用户,需用htpasswd生成

[root@localhost bin]# cd /usr/local/apache/bin #与前面编译时的--prefix=/usr/local/apache保持一致

[root@localhost bin]# ./htpasswd -cm /usr/local/svn/svn-auth-conf tgh # -c参数是初始化创建密码文件(会覆盖同名的已有文件),后续创建用户不用加此参数

New password:

Re-type new password:

Adding password for user tgh

[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf aa

New password:

Re-type new password:

Adding password for user aa

[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf bb

New password:

Re-type new password:

Adding password for user bb

[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf cc

New password:

Re-type new password:

Adding password for user cc

[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf dd

New password:

Re-type new password:

Adding password for user dd

[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf firefly

New password:

Re-type new password:

Adding password for user firefly

step5:创建访问控制文件,设置用户访问权限

[root@localhost bin]# vi /usr/local/svn/svn-acl-conf

[groups]

staff = aa, bb, cc, dd

[/]

tgh = rw

firefly = rw

@staff = rw

step6:配置svn数据仓库

[root@localhost ~]# mkdir /svn

[root@localhost svn]# svnadmin create /svn/repos

[root@localhost svn]# chmod -R 755 /svn #修改目录访问权限(755会允许本机其他用户读取仓库文件,如需限制可再收紧权限)

[root@localhost ~]# chown -R daemon:daemon /svn/ #修改目录属主及属组为daemon,不然客户端在commit时会报权限问题

[root@localhost svn]# cd /usr/local/apache/bin

[root@localhost svn]# ./apachectl start

完成以上步骤后,在IE浏览器中输入https://192.168.163.45/repos,根据提示输入用户名及密码后,看到 repos-Revision 0:/ 的页面即ssl svn配置成功了。

SVN的目录结构也是树形的,此处以repos作为根目录,此时可以在根下创建多个工程项目,以下在客户端举例说明。

备注:修改svn目录属主时,为什么要改成daemon而不是apache或其他用户/组?原因是源码编译安装的httpd在httpd.conf中默认配置的运行用户及组是daemon;而通过rpm包默认安装的httpd则以apache用户及组运行

step7:以下创建一个project,并在其中添加多个项目文件,导入到svn仓库中来演示SVN的应用

[root@localhost svn]# cd /tmp

[root@localhost tmp]# mkdir projects #在/tmp下创建一个project

[root@localhost tmp]# cd projects/

[root@localhost projects]# mkdir bi_projects

[root@localhost projects]# mkdir crm_projects

[root@localhost project]# svn import /tmp/projects/ file:///svn/repos/projects -m "Initial repos for projects" #将project中内容导入到svn仓库中

step8:设置Apache服务开机自启动

[root@localhost project]# echo "/usr/local/apache/bin/apachectl start" >> /etc/rc.d/rc.local #在rc.local中添加httpd开机自启动服务

step9:客户端浏览器访问界面