Apache2 svn Multiple repositories - apache

I goggoled a lot about the feature to have multipe repositorie in different location on a server with apache2.
All describe to modify /etc/apache2/mods-available/dav_svn.conf as below:
# Subversion - team A
<Location "/a">
DAV svn
SVNPath /svn/team-a
SVNIndexXSLT "/svnindex.xsl"
</Location>
# Subversion - team B
<Location "/b">
DAV svn
SVNPath /svn/team-b
SVNIndexXSLT "/svnindex.xsl"
</Location>
I tried to modify mine, but it does not work. Below my config:
<Location /Repo1>
DAV svn
SVNParentPath /home/xxx/repositories/Repo1/
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn-users
</Location>
<Location /Repo2>
DAV svn
SVNParentPath /home/xxx/repositories/Repo2/
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn-users
</Location>
With this config none of two repositories work. If I enable 1 per time, the single repo works.
As you can see I want root repositories in different path: each root has different subrepositories.

SVNParentPath != SVNPath
SVNParentPath is parent-dir of all repos for location, but not repo

At the end it was a problem on rabbit SVN.
Using terminal all is ok.
Reinstalling RabbitSVN all is working well.

Related

How to configure SVN access control

I want to restrict access of selected users to selected SVN repositories by Apache. However, as I did the configuration using the authz mechanism, I don't have any access to the repositories after logging into SVN. http://<my_server>/svn/ displays a "Collection of Repositories" list which is empty. http://<my_server>/svn/mytestrepo1 is showing "Forbidden You don't have permission to access this resource."
The configuration looks like this (Debian OS):
the repositories are located in /svn directory
I created the users with the command htpasswd -cm /etc/apache2/dav_svn.passwd admin1
content of the /etc/apache2/mods-enabled/dav_svn.conf file:
<Location /svn>
DAV svn
SVNParentPath /svn
SVNListParentPath On
AuthType Basic
AuthName "SVN repos"
AuthUserFile /etc/apache2/dav_svn.passwd
AuthzSVNAccessFile /etc/apache2/svn_access.acl
# <LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
# </LimitExcept>
</Location>
content of the /etc/apache2/svn_access.acl file:
[groups]
admin = admin1
users = test1
[/]
* = r
#admin = rw
[repo:/mytestrepo1]
#users = rw
How can I solve this problem?
Ok, I found it. My svn_access.acl file had a lot of tabbed and commented lines. When I cleaned it and started with simple:
[/]
* = rw
it is working.

Invalid command 'PerlLoadModule', perhaps misspelled or defined by a module not included in the server configuration

Installed Redmine, configured automatic repository svn creation for this projects.
But when i restart httpd service, this erro happend.
[root#iZ23lttzrggZ config]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 42 of /etc/httpd/conf.d/subversion.conf:
Invalid command 'PerlLoadModule', perhaps misspelled or defined by a module not included in the server configuration
This my PerlLoadModule file:
PerlLoadModule Apache::Redmine
<Location /svn>
DAV svn
SVNParentPath "/opt/repositories/svn"
SVNListParentPath on
Order deny,allow
Deny from all
Satisfy any
LimitXMLRequestBody 0
SVNPathAuthz off
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
AuthType Basic
AuthName "Subversion Repository"
Require valid-user
RedmineDSN "DBI:mysql:database=redmine_db;host=localhost:3306"
RedmineDbUser "redmine_admin"
RedmineDbPass "**********"
</Location>
DELETE this:
PerlLoadModule Apache::Redmine
<Location /svn>
DAV svn
SVNParentPath "/opt/repositories/svn"
SVNListParentPath on
Order deny,allow
Deny from all
Satisfy any
LimitXMLRequestBody 0
SVNPathAuthz off
PerlAccessHandler Apache::Authn::Redmine::access_handler
PerlAuthenHandler Apache::Authn::Redmine::authen_handler
AuthType Basic
AuthName "Subversion Repository"
Require valid-user
RedmineDSN "DBI:mysql:database=redmine_db;host=localhost:3306"
RedmineDbUser "redmine_admin"
RedmineDbPass "**********"
</Location>
And then restart the httpd service
[root#iZ23lttzrggZ lmmbao]# service httpd restart
yum install -y epel-release
yum install -y mod_perl

How to configure apache to serve http://svn.example.com/robots.txt?

I access SVN repositories via
http://svn.example.com/repo1
http://svn.example.com/repo2
...
with the following Apache configuration
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<VirtualHost xxx.xxx.xxx.xxx>
ServerName svn.example.com
<Location />
DAV svn
SVNParentPath /path/to/svn/repositories
AuthzSVNAccessFile /path/to/svn/conf/auth_policy
Satisfy Any
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /path/to/svn/conf/passwdfile
Require valid-user
</Location>
</VirtualHost>
I would like to prevent web crawlers from indexing the public repositories, but I cannot figure out how to properly set up the configuration to serve robots.txt from http://svn.example.com/robots.txt.
I have found a thread "stopping webcrawlers using robots.txt" from 2006, but it didn't help me solve the problem (Ryan's suggestion for redirection didn't work).
EDIT: I would prefer to keep the repositories at the top level rather than moving them to http://svn.example.com/something/reponame.
Don't put your Subversion repositories' virtual directory in the root of your server:
Wrong
<Location />
DAV svn
SVNParentPath /path/to/svn/repositories
Right
<Location /svn>
DAV svn
SVNParentPath /path/to/svn/repositories
Instead of your repository root being http://svn.example.com, it will be http://svn.exmaple.com/svn. This frees up http://svn.example.com to be a true document root which means you can add some documentation about your site, and put in a robots.txt file under http://svn.example.com/robots.txt.
Now, a well behaved robot will see the robot.txt file and not index your Subversion repository.

How to disable anonymous checkout with apache svn server

I build a SVN server with apache. It work fine.
I don't want to anonymous could checkout, so I set httpd like
<location /svn>
DAV svn
SVNListParentPath Off
SVNParentPath C:/SVN/
Satisfy All
AuthType Basic
AuthName "Subversion Dir"
AuthUserFile "C:\Program Files (x86)\Subversion\svn-auth-conf.txt"
AuthzSVNAccessFile "C:\Program Files (x86)\Subversion\svn-acl-conf.txt"
Require valid-user
</location>
but I still can checkout by commnd line like
svn co http://repos test
without any username and password
How can I do to solve this issue?
You may have stored credentials for this URL
Remove Satisfy - read "Blanket access control" in SVN Book with sample
AuthName ...
AuthType ...
AuthUserFile ...
Require valid-user

SVN, trailing slash in Location directive works on browser, but gives 403 error if removed

I am setting up SVN on a Red Hat Linux machine. My scenario is that I have two projects in the same directory:
/var/www/svn/proj1
/var/www/svn/proj2
My subversion.conf has the following configurations:
<Location /svn/proj1>
DAV svn
SVNPath /var/www/svn/proj1
AuthzSVNAccessFile /etc/svn_proj1-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
<Location /svn/proj2/>
DAV svn
SVNParentPath /var/www/svn/proj2
SVNListParentPath on
AuthzSVNAccessFile /etc/svn_proj2-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
For project1 my URL http://www.example.com/svn/proj1 works pretty good, but for project2 I need to add trailing slash in the end of URL, http://www.example.com/svn/proj2/ or else it doesn't return with a user/password window.
If I remove the trailing slash from the location directive,
<Location /svn/proj2>
then it starts giving a 403 Forbidden error, no matter if I use a slash or not in the browser.
I am using it with TortoiseSVN, but project2 isn't working at all.
What should I look at in configurations?
Confused. Confused. Confused...
But, I'm easily confused...
You have two projects. The first one you use:
SVNPath /var/www/svn/proj1
and the second you use:
SVNParentPath /var/www/svn/proj2
Why is one SVNPath and the other SVNParentPath? There's a difference. You specify SVNPath when you refer to a particular repository. You use SVNParentPath when you refer to a directory that contains multiple repositories.
So, exactly what is your setup? I have a feeling that they both should be SVNPath.
By the way, I notice you have the same user list, but separate AuthzSVNAccessFile access files. Are you merely stopping people from committing, or are you preventing people from reading particular files and directories?
Normal practice is to allow users to see all files, but to prevent commit access. In that case, you may want to do that outside of Apache httpd, using my pre-commit hook. This allows you to do two things:
Turn off directory checking access which speeds up Subversion.
Change commit permissions without restarting Apache httpd.
You can then configure both directories in a single configuration:
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
SVNPathAuthz off
Require valid-user
</Location>
Of course, if you're using AuthzPath to prevent read access, you have to use the AuthzSVNAccessFile parameter. But, it makes things more complex, and it slows you down. I usually recommend against it unless users aren't suppose to be able to peek at each other repos (which is quite rare).
And, one more thing... Do your users have LDAP or Windows Active Directory accounts? If so, you can use that to determine Subversion repository access:
LoadModule authnz_ldap_module modules/authnz_ldap.so
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://windomain.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_user,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=developers,CN=Users,DC=mycorp,DC=com
</Location>
This way, if a user has a Windows account (or is in your LDAP database), and that user is in the developers group, they automatically have access to your Subversion repositories (note the SVNParentPath for both repos and any future ones). This way, you're not constantly adding and subtracting users out of your SVN AUthorization file. Plus, you're not constantly retrieving forgotten passwords.
Now, that's all your Windows administrator's responsibility. It's magic. I made your task their job. User doesn't have Subversion access? No longer your problem. More time to play Angry Birds.
One more tiny thing: I have a feeling you don't want to place your repository under /var/www for the simple reason that might be your document root. If you're not careful, you might be granting direct access to your Subversion repository directory.
You're better off putting them elsewhere and changing the SVNParentPath.
The Location and SVNParentPath directive should have the same trailing slash rule: either with or without.
So it should be:
<Location /svn/proj2/> <--- Here trailing slash (or not)
[..]
SVNPath /var/www/svn/proj2/ <--- Here same like Location
[...]
</Location>