Repositories access control with apache mod dav svn and mod perl » History » Revision 15
« Previous |
Revision 15/47
(diff)
| Next »
Jean-Philippe Lang, 2010-01-09 14:17
cleanup
Repositories access control with apache mod dav svn and mod perl¶
- Table of contents
- Repositories access control with apache mod dav svn and mod perl
Overview¶
In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module.
You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases).
On Debian/ubuntu you can do :
sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl
If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.
Enabling apache modules¶
On debian/ubuntu :
sudo a2enmod dav sudo a2enmod dav_svn sudo a2enmod perl
Apache configuration for Subversion repositories¶
You first need to copy or link Redmine.pm
to /usr/lib/perl5/Apache/Redmine.pm
Then add the following Location directives to your apache configuration (for example in /etc/APACHE_DIR/conf.d/
):
- the first one
/svn
will be used by users to access repositories with authentication - the second
/svn-private
provides a private read-only with IP limitation so that Redmine can browse repositories
# /svn location for users PerlLoadModule Apache::Redmine <Location /svn> DAV svn SVNParentPath "/var/svn" AuthType Basic AuthName redmine Require valid-user PerlAccessHandler Apache::Authn::Redmine::access_handler PerlAuthenHandler Apache::Authn::Redmine::authen_handler ## for mysql RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" ## for postgres # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" ## for SQLite3 # RedmineDSN "DBI:SQLite:dbname=database.db" RedmineDbUser "redmine" RedmineDbPass "password" </Location> # /svn location for Redmine <Location /svn-private> DAV svn SVNParentPath "/var/svn" Order deny,allow Deny from all # only allow reading orders <Limit GET PROPFIND OPTIONS REPORT> Allow from redmine.server.ip </Limit> </Location>
After reloading apache conf, you can try to browse some public repository with:
svn ls http://my.svn.server/svn/myproject
If you try to browse a repository of a private project, you'll be asked for your Redmine password.
If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase.
PerlLoadModule Apache::Redmine <Location /svn> DAV svn SVNParentPath "/var/svn" AuthType Basic AuthName redmine Require valid-user PerlAccessHandler Apache::Authn::Redmine::access_handler PerlAuthenHandler Apache::Authn::Redmine::authen_handler ## for mysql RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" ## for postgres # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" RedmineDbUser "redmine" RedmineDbPass "password" #Cache the last 50 auth entries RedmineCacheCredsMax 50 </Location>
Apache configuration for Git repositories¶
Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion.
You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache :
Alias /git /var/git PerlLoadModule Apache::Redmine <Location /git> DAV on AuthType Basic Require valid-user AuthName "Git" PerlAccessHandler Apache::Authn::Redmine::access_handler PerlAuthenHandler Apache::Authn::Redmine::authen_handler RedmineDSN "DBI:mysql:database=redmine;host=localhost" RedmineDbUser "redmine" RedmineDbPass "password" </Location> Alias /git-private /var/git <Location /git-private> Order deny,allow Deny from all <Limit GET PROPFIND OPTIONS REPORT> Options Indexes FollowSymLinks MultiViews Allow from 127.0.0.1 </Limit> </Location>
To verify that you can access repository through Redmine.pm, you can use curl :
% curl --netrc --location http://localhost/git/ecookbook/HEAD ref: refs/heads/master
Gotchas¶
If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result.
Example:
ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
(if your repo are named rm-code)
Updated by Jean-Philippe Lang about 14 years ago · 15 revisions