Repositories access control with apache mod dav svn and mod perl » History » Version 16

Jean-Philippe Lang, 2010-01-09 14:18
slight change to the title

h1. Repositories access control with apache, mod_dav_svn and mod_perl

{{>TOC}}

h2. Overview

In this documentation, we will configure Apache to delegate authentication to mod_perl. It has been tested on apache2 with MySQL and PostgreSQL but should work with almost every database for which there is a Perl DBD module.

You need a working Apache on your SVN server, and you must install at least the following modules: mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for your database, as it should work with almost all databases).

On Debian/Ubuntu you can do:

  sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl

If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users.

h2. Enabling apache modules

On Debian/Ubuntu:

<pre>
sudo a2enmod dav
sudo a2enmod dav_svn
sudo a2enmod perl
</pre>

h2. Apache configuration for Subversion repositories

You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@.
Then add the following Location directives to your Apache configuration (for example in @/etc/APACHE_DIR/conf.d/@):

* the first one, @/svn@, will be used by users to access repositories with authentication
* the second, @/svn-private@, provides private read-only access with an IP limitation so that Redmine can browse repositories

<pre>
# /svn location for users
PerlLoadModule Apache::Redmine
<Location /svn>
  DAV svn
  SVNParentPath "/var/svn"

  AuthType Basic
  AuthName redmine
  Require valid-user

  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler

  ## for mysql
  RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
  ## for postgres
  # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
  ## for SQLite3
  # RedmineDSN "DBI:SQLite:dbname=database.db"

  RedmineDbUser "redmine"
  RedmineDbPass "password"
</Location>

# /svn location for Redmine
<Location /svn-private>
  DAV svn
  SVNParentPath "/var/svn"
  Order deny,allow
  Deny from all
  # only allow read-only methods
  <Limit GET PROPFIND OPTIONS REPORT>
    Allow from redmine.server.ip
  </Limit>
</Location>
</pre>

After reloading the Apache configuration, you can try to browse a public repository with:

<pre>
svn ls http://my.svn.server/svn/myproject
</pre>

If you try to browse a repository of a private project, you'll be asked for your Redmine password.

If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP Perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase.

<pre>
PerlLoadModule Apache::Redmine
<Location /svn>
  DAV svn
  SVNParentPath "/var/svn"

  AuthType Basic
  AuthName redmine
  Require valid-user

  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler

  ## for mysql
  RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
  ## for postgres
  # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"

  RedmineDbUser "redmine"
  RedmineDbPass "password"
  # Cache the last 50 auth entries
  RedmineCacheCredsMax 50
</Location>
</pre>

h2. Apache configuration for Git repositories

Now that reposman.rb can create Git repositories, you can use Redmine.pm to access them the same way as Subversion.

You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then add this configuration to Apache:

<pre>
Alias /git /var/git

PerlLoadModule Apache::Redmine
<Location /git>
  DAV on

  AuthType Basic
  Require valid-user
  AuthName "Git"

  PerlAccessHandler Apache::Authn::Redmine::access_handler
  PerlAuthenHandler Apache::Authn::Redmine::authen_handler

  RedmineDSN "DBI:mysql:database=redmine;host=localhost"
  RedmineDbUser "redmine"
  RedmineDbPass "password"
</Location>

Alias /git-private /var/git

<Location /git-private>
  Order deny,allow
  Deny from all
  <Limit GET PROPFIND OPTIONS REPORT>
    Options Indexes FollowSymLinks MultiViews
    Allow from 127.0.0.1
  </Limit>
</Location>
</pre>

To verify that you can access the repository through Redmine.pm, you can use curl:
<pre>
% curl --netrc --location http://localhost/git/ecookbook/HEAD
ref: refs/heads/master
</pre>
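The @/svn-private@ and @/git-private@ blocks above depend on @Deny from all@ combined with an @Allow@ that is scoped by @<Limit>@ to read-only methods. The following Python check is an added example (not part of the original page or of Redmine) that audits a configuration for that pattern; the function name @audit_private_locations@ and the sample address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Methods the page's <Limit> sections open for Redmine's read-only browsing.
READ_ONLY = {"GET", "PROPFIND", "OPTIONS", "REPORT"}

def audit_private_locations(conf):
    """Map each <Location ...-private> path to a list of findings ([] = OK)."""
    results, loc, limit, deny_all = {}, None, None, False
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I):
            loc, limit, deny_all = m.group(1), None, False
            if loc.endswith("-private"):
                results[loc] = []
        elif re.match(r"</Location>", line, re.I):
            if loc in results and not deny_all:
                results[loc].append("no 'Deny from all' outside <Limit>")
            loc = None
        elif loc not in results:
            continue  # only the IP-restricted locations are audited
        elif m := re.match(r"<Limit\s+([^>]+)>", line, re.I):
            limit = set(m.group(1).upper().split())
            if extra := limit - READ_ONLY:
                results[loc].append("<Limit> opens non-read methods: " + " ".join(sorted(extra)))
        elif re.match(r"</Limit>", line, re.I):
            limit = None
        elif re.match(r"Deny\s+from\s+all$", line, re.I):
            deny_all = deny_all or limit is None
        elif m := re.match(r"Allow\s+from\s+(.+)", line, re.I):
            if limit is None:
                results[loc].append("Allow outside <Limit> applies to every method")
            if "all" in m.group(1).lower().split():
                results[loc].append("'Allow from all' removes the IP restriction")
    return results

# Constructed sample mirroring the page's /svn-private block (address is made up).
PAGE_STYLE = """
<Location /svn-private>
  Order deny,allow
  Deny from all
  <Limit GET PROPFIND OPTIONS REPORT>
    Allow from 192.0.2.10
  </Limit>
</Location>
"""
# Constructed, deliberately loosened variant (not from the page).
WEAK = PAGE_STYLE.replace("Deny from all", "Allow from all").replace("REPORT>", "REPORT PUT>")
if __name__ == "__main__":
    print(audit_private_locations(PAGE_STYLE), audit_private_locations(WEAK))
```

The check only reads the directives shown on this page (@Order@, @Deny@, @Allow@, @<Limit>@); it does not evaluate included files or other access-control modules.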

h2. Gotchas

If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch Subversion DAV requests will be bypassed, with some interesting dump in the log as a result.
Example:
> ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}):
(if your repository is named rm-code)