A Special Recipe Using Apache's HTTP
Using a custom module, Apache's httpd is capable of serving Subversion repositories via the WebDAV/DeltaV protocol over the local intranet or Internet. The WebDAV/DeltaV protocol is an extension of HTTP v1.1 with provisions that enable authoring (writing) capabilities on versioned files.
Note: Serving the repository via httpd does not require a special/custom port.
Rather than discussing in a dry theoretical manner how the various things work, I focus on some commonly asked questions in the SVN mailing lists. These are given in separate points below. Of course, for more detail, you can refer to the Collins-Sussman book.
Differences between "SVNPath" and "SVNParentPath":
- SVNPath. Serves a single repository; its argument is the absolute path to the repo location.
- SVNParentPath. Serves multiple repos located in a common parent directory. The advantage of this directive is that any new repositories created in this "common parent dir" are served immediately by httpd without having to restart the Web server daemon or change Apache's httpd.conf.
- SVNListParentPath. When used along with SVNParentPath, this directive enables anyone with access to the SVN hostname to view all the repos in this "common parent dir"; however, it is turned off by default for security reasons.
Basic Authentication
Authentication is set up using the htpasswd utility; the password generated using this tool should be stored in the file, /path/to/svn-auth-file.
The directives to be used with this authentication mechanism (without the arrows shown below), in the <Location> block, are:
    DAV ==> svn
    AuthType ==> Basic
    AuthName ==> "Imaginary name"
    AuthUserFile ==> /path/to/svn-auth-file
Passwords used in this basic setup are transmitted as plain text over the network; hence, SVN admins concerned with security should use encryption mechanisms like SSL certificates. With this kind of arrangement, clients can authenticate using https:// instead of http://.
Configuring Neon
Opening up repository access to networks outside the local intranet necessitates the implementation of strict access control mechanisms. This is exactly the scenario in which the Neon library is required, because it is capable of exchanging certificates with Apache's httpd. If OpenSSL is enabled or compiled in at the time of SVN client installation, then it is possible for SVN clients to use https://.
Neon is a generic WebDAV/HTTP library with support for:
- Client/server certificates
- Repo access via proxy
- Repo access using a virtual domain name
The following modules, for SVN purposes, should be loaded with LoadModule directives:
- mod_dav
- mod_dav_svn
What is "mod_authz_svn"?
To implement path-based/per-directory access control, you must define the mechanism (i.e., the permissions for the various paths in the repo) in a "control file" that is in turn referred to by the directive "AuthzSVNAccessFile" located in the <Location> block. Along with this directive, we should extend the LoadModule section by adding mod_authz_svn immediately after the entry for mod_dav_svn.
The format of this control file, which defines path-based access, is similar to that used by the svnserve daemon. For the format of this control file, see the SVN book.
Here are the steps to configure and set up Subversion with Apache's httpd:
- Install Subversion and httpd, either from sources or using pre-built binary packages.
- Modify httpd.conf for the various directives, as listed in the items below.
- Add module names, mod_dav.so, mod_dav_svn.so, and mod_authz_svn.so in that order.
- Set the location of repos in <Location> block.
- Set up authentication, basic or encryption, and extend/add the new directives.
- Determine the type of access to the repos. You can set either blanket access, allowing a set of valid users to have read-only or read-write control on the repo, or per-directory control using custom rules written in a "control file".
A snapshot of the Apache config and the repo permissions is shown in the following examples. With this basic setup, I demonstrate how to access the repos using http://.
    $ ls -l /opt/samagdocs/
    total 56
    drwxrwxr-x 2 apached svnplaygrp 4096 May 6 19:31 conf
    drwxrwxr-x 2 apached svnplaygrp 4096 Nov 27 00:43 dav
    drwxrwxr-x 5 apached svnplaygrp 4096 May 6 19:18 db
    -rwxrwxr-x 1 apached svnplaygrp 2 Nov 27 00:43 format
    drwxrwxr-x 2 apached svnplaygrp 4096 Nov 27 00:43 hooks
    drwxrwxr-x 2 apached svnplaygrp 4096 Nov 27 00:43 locks
    -rwxrwxr-x 1 apached svnplaygrp 229 Nov 27 00:43 README.txt
    $ ls -ld /opt/samagdocs/
    drwxrwxr-x 7 apached svnplaygrp 4096 Nov 27 00:43 /opt/samagdocs/
    $ cat /opt/samagdocs/conf/svn-auth-file
    ram:$apr1$C.gJb...$/fMmtuoOX3YWNF3ZPXAvm1
Here are the directives in Apache's httpd.conf:
LoadModule directives:
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so
Httpd should be run as user/group:
    User apached
    Group svnplaygrp
Port number:
    Listen 8080
No DNS server; server name is same as IP address:
    <Location /samagrepo>
        DAV svn
        SVNPath /opt/samagdocs
        AuthType Basic
        AuthName "SAMAG Article Repo"
        AuthUserFile "/opt/samagdocs/conf/svn-auth-file"
    </Location>
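A check for the <Location> block above, added here as an example (not code from the original article or from the Subversion or Apache projects): the Python script below parses <Location> blocks and flags Subversion DAV locations where Basic authentication is declared but no Require directive enforces it, where Basic is used without SSLRequireSSL, or where SVNListParentPath is on. The hardened block, the /path/to/access-control-file placeholder and the finding names are assumptions for illustration; TLS enforced elsewhere, for example at the virtual-host level, is not visible to this check.

```python
import re

# The <Location> block from this page's httpd.conf, used as sample input.
PAGE_BLOCK = '''<Location /samagrepo>
DAV svn
SVNPath /opt/samagdocs
AuthType Basic
AuthName "SAMAG Article Repo"
AuthUserFile "/opt/samagdocs/conf/svn-auth-file"
</Location>'''

# Constructed variant (assumption): TLS-only, enforced auth, path-based authz.
HARDENED_BLOCK = '''<Location /samagrepo>
DAV svn
SVNPath /opt/samagdocs
SSLRequireSSL
AuthType Basic
AuthName "SAMAG Article Repo"
AuthUserFile /path/to/svn-auth-file
AuthzSVNAccessFile /path/to/access-control-file
Require valid-user
</Location>'''

def parse_locations(conf):
    """Map each <Location> URL path to {lowercased directive: argument}."""
    blocks = {}
    for path, body in re.findall(r'<Location\s+([^>]+)>(.*?)</Location>', conf, re.S | re.I):
        lines = [l.strip() for l in body.splitlines()]
        pairs = [(l.split(None, 1) + [''])[:2] for l in lines if l and not l.startswith('#')]
        blocks[path.strip()] = {n.lower(): a.strip().strip('"') for n, a in pairs}
    return blocks

def audit(conf):
    """Return (location, finding) pairs for Subversion DAV locations."""
    findings = []
    for path, d in parse_locations(conf).items():
        if d.get('dav', '').lower() != 'svn':
            continue
        basic = d.get('authtype', '').lower() == 'basic'
        if basic and 'require' not in d:        # credentials are never demanded
            findings.append((path, 'auth-not-enforced'))
        if basic and 'sslrequiressl' not in d:  # heuristic: TLS may be forced elsewhere
            findings.append((path, 'basic-auth-without-tls'))
        if d.get('svnlistparentpath', '').lower() == 'on':
            findings.append((path, 'repo-listing-enabled'))
    return findings

if __name__ == '__main__':
    print({'page': audit(PAGE_BLOCK), 'hardened': audit(HARDENED_BLOCK)})
```

For the page's block the script reports auth-not-enforced and basic-auth-without-tls: httpd asks for credentials only where a Require directive applies, so AuthType, AuthName and AuthUserFile on their own leave the repository open to anonymous requests.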
The next logical step is to verify your configuration; let's start the Apache server and try out a few commands, such as svn info and svn co:
    $ ps auxw | grep -i apache
    apached 2428 0.0 0.4 5584 2152 ? S 19:49 0:00 /opt/http-2.2.3/bin/httpd -k start
    apached 2429 0.0 0.6 5740 2732 ? S 19:49 0:00 /opt/http-2.2.3/bin/httpd -k start
    apached 2430 0.0 0.3 5448 1680 ? S 19:49 0:00 /opt/http-2.2.3/bin/httpd -k start
    apached 2431 0.0 0.3 5448 1680 ? S 19:49 0:00 /opt/http-2.2.3/bin/httpd -k start
    apached 2432 0.0 0.3 5448 1680 ? S 19:49 0:00 /opt/http-2.2.3/bin/httpd -k start
Now look at the actual SVN commands using http://. With the correct configuration, it is obvious from the commands shown below that repo access via http:// works. I show two commands: svn info and svn co, both accessing the repo via http://192.168.0.123:8080, as defined in httpd.conf:
svn info:
    $ /opt/svn-1.4.3/bin/svn info http://192.168.0.123:8080/samagrepo
    Path: samagrepo
    URL: http://192.168.0.123:8080/samagrepo
    Repository Root: http://192.168.0.123:8080/samagrepo
    Repository UUID: d87b2b87-2545-461f-ae99-430b66f94c56
    Revision: 51
    Node Kind: directory
    Last Changed Author: ram
    Last Changed Rev: 51
    Last Changed Date: 2007-05-06 19:18:58 +0530 (Sun, 06 May 2007)
svn checkout:
    $ /opt/svn-1.4.3/bin/svn co -r HEAD http://192.168.0.123:8080/samagrepo samg-httpwc
    A samg-httpwc/trunk
    A samg-httpwc/trunk/images
    A samg-httpwc/trunk/images/svn_move.png
    . . . . . . . . . . . . . . . . . . . . . . . . .
    A samg-httpwc/tags/23DEC_BL/images/svn_checkout.png
    A samg-httpwc/tags/23DEC_BL/svn_article
    Checked out revision 52.
Conclusion
TortoiseSVN, Subclipse, SVK, and Trac are some of the most popular clients and high-level tools available that use Subversion. For a complete list of clients and plugins, higher level tools that use Subversion, third-party browsing tools, as well as miscellaneous utilities and Subversion language bindings, please refer to the references.