James Selvakumar’s Blog

August 1, 2008

Extending Subversion with Apache

Filed under: subversion,version control — James @ 1:14 pm
Tags: ,

In one of my previous post, I explained about using TortoiseSVN with subversion. Continuing in the same vein, we will see how to extend subversion with the Apache web server. Apache, the most popular http server in the world provides powerful extension point to your subversion repositories and a strong understanding of how these two technologies work together is very important for those who are into it.

Objective:

- To learn how to configure Apache http server to provide remote access to subversion repositories.
- To learn how to configure authorization and access control to subversion repositories through Apache http server.

Pre-requisites:

- Subversion 1.4.6 for Apache 2.2
- TortoiseSVN

Step 1: Download Apache 2.2:

Download the latest Apache 2.2 installer from here.

Step 2: Install Apache 2.2:

Installing the Apache http server is very straightforward. Just follow the instructions in the installer gui.
Let’s call the Apache installation directory as APACHE_HOME. (Normally this shall be C:\Program Files\Apache Software Foundation\Apache2.2 in windows)

Step 3: Copy Subversion modules/dll for Apache:

Subversion comes with two modules that Apache can use to access the repositories.

1. mod_dav_svn.so – The subversion module to provide filesystem access
2. mod_authz_svn.so – The subversion module to provide fine grained access control

These two modules can be found in the SUBVERSION_HOME\bin directory. Copy these files to APACHE_HOME\modules directory.

It’s not over yet. There are two more files you need to copy to ensure that the Apache-Subversion setup works correctly.

1. libdb44.dll
2. intl3_svn.dll

Where are they located? Well, in the same SUBVERSION_HOME\bin directory. Copy these files to APACHE_HOME\bin directory.

Congrats! You have successfully setup your Apache http server. We will now look how to configure Apache to access your subversion repositories.

Step 4 (Optional): Create a Subversion Repository

You want me to explain this again…?

Step 5: Configure http.conf to load Subversion modules for Apache

The http.conf file is the configuration file used by Apache. It can be found in APACHE_HOME\conf directory. We need to configure this file to instruct Apache to load the subversion modules we copied in Step 3. (Remember..?)

Look for the “Dynamic Shared Object (DSO) Support” section in your http.conf. You can see many “LoadModule” statements in this section. Now, uncomment the following line:

LoadModule dav_module modules/mod_dav.so

Add the following lines after adding the above mentioned line:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Step 6: Configure Subversion repositories in http.conf

Assume that you have a repository at the location “E:\Subversion\Repositories\test-repository”. You want to access this repository using the url “http://localhost/svn/test-repository”. Let us instruct Apache on how to handle this scenario.

Go to the end of your http.conf file and add the following lines:
(Please replace the SVNPath mentioned here with that of yours. Note that we are using file separator “/” and not “\”)

DAV svn
SVNPath E:/Subversion/Repositories/test-repository

After adding this, restart your Apache service for the changes to take effect.

This is a bare minimum configuration which should enable Apache to access to your subversion repository. Want to check this? Point your browser to the url “http://localhost/svn/test-repository” and Apache http server will be happily displaying all the files under your repository.

Step 7: Authentication

Now your subversion repository can be remotely accessed through Apache http server. And anyone in your network can do a subversion checkout by typing the following command in command prompt.

svn co http://localhost/svn/test-repository YOUR_DIRECTORY

(Or if you have tortoisesvn, you can right click inside any directory and do a “SVN Checkout”)

And people can even change the source code and “commit” the changes back to your repository. But you don’t want that to happen. You want only authenticated users to access your repository. With Apache, this can be a piece of cake for you. Apache comes with a inbuilt “htpasswd” command line utility to help you create users and passwords in a secured way. To put that into action, just follow these steps:

- Open command prompt and navigate to APACHE_HOME\bin directory.
- Type the command,

htpasswd -c “APACHE_HOME\conf\users.htpasswd” james

Here you are instructing the “htpasswd” utility to create a new user named “james” in a password file called “users.htpasswd” in the directory “APACHE_HOME\conf”. When you enter this command, you will be prompted to enter a password for this user and to confirm it as well. Apache will use MD5 encryption standard (by default) to encrypt the password and store that in the “users.htpasswd” file mentioned by you.

The following screenshot explains this process.

To add more users you can use the following command:

htpasswd “APACHE_HOME\conf\users.htpasswd” gift

This tells the htpasswd utility to add a user named “gift” in the same “users.htpasswd” file.

You have to instruct Apache to refer to this file for authentication. Open your http.conf file and modify the block you created in Step 6. Your block should now look like this:

DAV svn
SVNPath E:/Subversion/Repositories/test-repository
AuthType Basic
AuthName “Subversion test-repository”
AuthUserFile conf/users.htpasswd
Require valid-user

In the above block you are instructing Apache to use “Basic” authentication type and allow only “valid users” mentioned in the file “conf/users.htpasswd”.
(NOTE: You are mentioning the relative path of the “users.htpasswd” file from your document root. Your default document root is APACHE_HOME.)

Want to see your settings in action? Save your http.conf file, restart your Apache service and point your browser to the url “http://localhost/svn/test-repository”. You will not be able to access your repository as you did before, you must be authenticated to proceed further. You might see some popup window like this:

If you entered your credentials correctly, you can access the subversion repository through your browser. If your credentials were wrong, your browser will display a page like this:

Step 8: Access Control

Great! You have configured your Apache http server in such a way that only “authorized users” (specified by you in the file “users.htpasswd”) can access your subversion repository. Here comes another need which requires you to specify “specific users” to access “specific parts” of your repository. For example, you want to give your users “read-write” access to the “trunk” folder but only “read” access to “tags” folder. How to achieve this..?

First, create a file called test-repository-authz.conf in the directory APACHE_HOME\conf. We will now define the access controls for your users. It can look something like this:

[/]
james=r
gift=r[/trunk]
james=rw
gift=rw

This says that give “read” access to the users “james” and “gift” for all parts of the repository except for the “trunk” folder where they both will have “read-write” access.

But how will Apache refer to this file…? We need to modify our “Location” block again this time, something like this:

DAV svn
SVNPath E:/Subversion/Repositories/test-repository
AuthType Basic
AuthName “Subversion test-repository”
AuthUserFile conf/users.htpasswd
AuthzSVNAccessFile conf/test-repository-authz.conf
Require valid-user

That’s it! Now you have fine grained control over who access which portion of your repository.

Step 9 (Optional): Even more Access Control

Having successfully setup the Apache http server to access your subversion repositories, you are planning to enjoy your coffee break with your colleagues. Suddenly your boss calls you and says “Hei, I want even tight access control mechanism based on IP Address. I don’t want anyone to access our subversion repositories from any other machines other than the one we give access. I hope you can do it.” You think “Can Apache handle this scenario..?”. Why not..? This is how you do that with few more additional lines…

DAV svn
SVNPath E:/Subversion/Repositories/test-repositoryOrder deny,allow

#Deny access to all machines except for the ones listed in the “Allow” section
Deny from all

#Allow access to the following machines.
Allow from x.x.x.x
Allow from y.y.y.y

AuthType Basic
AuthName “Subversion test-repository”
AuthUserFile conf/users.htpasswd
AuthzSVNAccessFile conf/test-repository-authz.conf
Require valid-user

(Note: Please mention the actual IP address instead of “x.x.x.x” and “y.y.y.y”)

We will explore what these statements mean here.

Order deny,allow

The above statement instructs Apache to process “Deny” statements before “Allow” statements.

Deny from all

The above statement instructs Apache to deny access to all machines by default.

Allow from x.x.x.x
Allow from y.y.y.y

The above statement instructs Apache to allow access from the machines with the IP Address “x.x.x.x” and “y.y.y.y”.

Apache is such a versatile server that it provides many other options but that is outside the scope of this blog entry. Hopefully I will try to cover some of them in another post. Thank you very much for reading this post patiently. I hope this is useful to some of you.

About these ads

9 Comments »

  1. Very nice document, appricate your efforts.
    Browsing to all over for setup instructions , finallay successfully setup following your document

    Comment by Ram — September 26, 2008 @ 9:59 pm | Reply

  2. With Subversion 1.5.4, I found that you need all of the following DLL’s copied into your Apache bin folder:

    libsvn_wc-1.dll
    libsvn_subr-1.dll
    libsvn_repos-1.dll
    libsvn_fs-1.dll
    libsvn_delta-1.dll
    libaprutil-1.dll
    libapriconv-1.dll
    libapr-1.dll
    intl3_svn.dll
    libdb44.dll

    Just thought I would pass that along. Nice document. Thanks!

    Comment by JJ — December 10, 2008 @ 11:06 pm | Reply

    • Thank you so much, James, for painstakingly listing the points. We don’t realize that one of the reasons why Java open source is thriving is contributions like this.

      Thank you so much, JJ, this point you have mentioned in missing even in the TortoiseSVN documentation.

      Comment by Sree Kumar — April 22, 2013 @ 11:26 am | Reply

  3. Hi guys,
    Thank you for your feedback. I found some horrible html formatting in this post and I’ll try to fix it. :-)

    JJ,
    Thanks for sharing the information about subversion 1.5.x. Hopefully I’ll update the post shortly.

    Comment by James — February 3, 2009 @ 7:53 am | Reply

  4. Nice document, very helpful to setup SVN with Apache server.
    Thanks for sharing the document.

    Comment by Amrut — June 30, 2009 @ 6:04 am | Reply

  5. [...] have written an article named “Extending Subversion with Apache“. This article is about setting up Apache http server and configuring it to access subversion [...]

    Pingback by Extending Subversion by using TortoiseSVN | SolitaryGeek — August 16, 2009 @ 9:35 am | Reply

  6. After HOURS of searching I finally found your blog and got svn setup. All my questions were answered by you. Thank you!

    Comment by Michael — May 2, 2010 @ 10:50 pm | Reply

  7. hi,when i try to save the changes made to http.conf it says the access is denied
    what should i do?

    Comment by fathul — July 17, 2011 @ 7:41 am | Reply

  8. @faithful,

    That means you don’t have enough permissions to make changes to http.conf file.
    Which operating system to you use?

    Comment by James Selvakumar — July 18, 2011 @ 12:28 am | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Create a free website or blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: