Repositories access control with apache mod dav svn and mod perl » History » Version 16
Jean-Philippe Lang, 2010-01-09 14:18
slight change to the title
1 | 16 | Jean-Philippe Lang | h1. Repositories access control with apache, mod_dav_svn and mod_perl |
---|---|---|---|
2 | 1 | Nicolas Chuche | |
3 | 2 | Nicolas Chuche | {{>TOC}} |
4 | |||
5 | 4 | Jean-Philippe Lang | h2. Overview |
6 | 1 | Nicolas Chuche | |
7 | 3 | Jean-Philippe Lang | In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module. |
8 | 1 | Nicolas Chuche | |
9 | You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases). |
||
10 | 4 | Jean-Philippe Lang | |
11 | 15 | Jean-Philippe Lang | On Debian/ubuntu you can do : |
12 | 11 | Shaun Mangelsdorf | |
13 | 15 | Jean-Philippe Lang | sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl |
14 | 1 | Nicolas Chuche | |
15 | 15 | Jean-Philippe Lang | If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users. |
16 | 1 | Nicolas Chuche | |
17 | h2. Enabling apache modules |
||
18 | |||
19 | On debian/ubuntu : |
||
20 | |||
21 | <pre> |
||
22 | 15 | Jean-Philippe Lang | sudo a2enmod dav |
23 | sudo a2enmod dav_svn |
||
24 | sudo a2enmod perl |
||
25 | 4 | Jean-Philippe Lang | </pre> |
26 | 1 | Nicolas Chuche | |
27 | 15 | Jean-Philippe Lang | h2. Apache configuration for Subversion repositories |
28 | 1 | Nicolas Chuche | |
29 | 15 | Jean-Philippe Lang | You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@ |
30 | Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@): |
||
31 | 1 | Nicolas Chuche | |
32 | 15 | Jean-Philippe Lang | * the first one @/svn@ will be used by users to access repositories with authentication |
33 | * the second @/svn-private@ provides a private read-only with IP limitation so that Redmine can browse repositories |
||
34 | 1 | Nicolas Chuche | |
35 | <pre> |
||
36 | 15 | Jean-Philippe Lang | # /svn location for users |
37 | PerlLoadModule Apache::Redmine |
||
38 | 14 | TaeKyeong Wang | <Location /svn> |
39 | DAV svn |
||
40 | 1 | Nicolas Chuche | SVNParentPath "/var/svn" |
41 | |||
42 | AuthType Basic |
||
43 | AuthName redmine |
||
44 | Require valid-user |
||
45 | |||
46 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
47 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
48 | |||
49 | ## for mysql |
||
50 | 15 | Jean-Philippe Lang | RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" |
51 | 1 | Nicolas Chuche | ## for postgres |
52 | 15 | Jean-Philippe Lang | # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" |
53 | ## for SQLite3 |
||
54 | # RedmineDSN "DBI:SQLite:dbname=database.db" |
||
55 | 1 | Nicolas Chuche | |
56 | 15 | Jean-Philippe Lang | RedmineDbUser "redmine" |
57 | RedmineDbPass "password" |
||
58 | 1 | Nicolas Chuche | </Location> |
59 | 4 | Jean-Philippe Lang | |
60 | 15 | Jean-Philippe Lang | # /svn location for Redmine |
61 | 4 | Jean-Philippe Lang | <Location /svn-private> |
62 | DAV svn |
||
63 | SVNParentPath "/var/svn" |
||
64 | Order deny,allow |
||
65 | Deny from all |
||
66 | # only allow reading orders |
||
67 | 1 | Nicolas Chuche | <Limit GET PROPFIND OPTIONS REPORT> |
68 | Allow from redmine.server.ip |
||
69 | 3 | Jean-Philippe Lang | </Limit> |
70 | 1 | Nicolas Chuche | </Location> |
71 | 3 | Jean-Philippe Lang | </pre> |
72 | 1 | Nicolas Chuche | |
73 | 15 | Jean-Philippe Lang | After reloading apache conf, you can try to browse some public repository with: |
74 | 1 | Nicolas Chuche | |
75 | <pre> |
||
76 | svn ls http://my.svn.server/svn/myproject |
||
77 | 8 | Nicolas Chuche | </pre> |
78 | 1 | Nicolas Chuche | |
79 | 15 | Jean-Philippe Lang | If you try to browse a repository of a private project, you'll be asked for your Redmine password. |
80 | 8 | Nicolas Chuche | |
81 | 15 | Jean-Philippe Lang | If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. |
82 | 8 | Nicolas Chuche | |
83 | <pre> |
||
84 | PerlLoadModule Apache::Redmine |
||
85 | 12 | Todd Nine | <Location /svn> |
86 | DAV svn |
||
87 | SVNParentPath "/var/svn" |
||
88 | |||
89 | AuthType Basic |
||
90 | AuthName redmine |
||
91 | Require valid-user |
||
92 | |||
93 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
94 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
95 | |||
96 | ## for mysql |
||
97 | RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" |
||
98 | ## for postgres |
||
99 | # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" |
||
100 | |||
101 | RedmineDbUser "redmine" |
||
102 | RedmineDbPass "password" |
||
103 | #Cache the last 50 auth entries |
||
104 | RedmineCacheCredsMax 50 |
||
105 | </Location> |
||
106 | </pre> |
||
107 | |||
108 | |||
109 | 15 | Jean-Philippe Lang | h2. Apache configuration for Git repositories |
110 | 12 | Todd Nine | |
111 | 15 | Jean-Philippe Lang | Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. |
112 | |||
113 | You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : |
||
114 | 8 | Nicolas Chuche | |
115 | <pre> |
||
116 | Alias /git /var/git |
||
117 | |||
118 | 9 | Nicolas Chuche | PerlLoadModule Apache::Redmine |
119 | 8 | Nicolas Chuche | <Location /git> |
120 | DAV on |
||
121 | |||
122 | AuthType Basic |
||
123 | Require valid-user |
||
124 | AuthName "Git" |
||
125 | |||
126 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
127 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
128 | |||
129 | RedmineDSN "DBI:mysql:database=redmine;host=localhost" |
||
130 | RedmineDbUser "redmine" |
||
131 | RedmineDbPass "password" |
||
132 | </Location> |
||
133 | |||
134 | Alias /git-private /var/git |
||
135 | |||
136 | <Location /git-private> |
||
137 | Order deny,allow |
||
138 | Deny from all |
||
139 | <Limit GET PROPFIND OPTIONS REPORT> |
||
140 | Options Indexes FollowSymLinks MultiViews |
||
141 | Allow from 127.0.0.1 |
||
142 | </Limit> |
||
143 | </Location> |
||
144 | </pre> |
||
145 | |||
146 | To verify that you can access repository through Redmine.pm, you can use curl : |
||
147 | <pre> |
||
148 | % curl --netrc --location http://localhost/git/ecookbook/HEAD |
||
149 | ref: refs/heads/master |
||
150 | </pre> |
||
151 | 13 | Thomas Pihl | |
152 | h2. Gotchas |
||
153 | |||
154 | If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result. |
||
155 | Example: |
||
156 | > ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}): |
||
157 | (if your repo are named rm-code) |