Repositories access control with apache mod dav svn and mod perl » History » Version 18
Joachim Fritschi, 2010-01-18 10:53
1 | 16 | Jean-Philippe Lang | h1. Repositories access control with apache, mod_dav_svn and mod_perl |
---|---|---|---|
2 | 1 | Nicolas Chuche | |
3 | 2 | Nicolas Chuche | {{>TOC}} |
4 | |||
5 | 4 | Jean-Philippe Lang | h2. Overview |
6 | 1 | Nicolas Chuche | |
7 | 3 | Jean-Philippe Lang | In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module. |
8 | 1 | Nicolas Chuche | |
9 | You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases). |
||
10 | 4 | Jean-Philippe Lang | |
11 | 15 | Jean-Philippe Lang | On Debian/ubuntu you can do : |
12 | 11 | Shaun Mangelsdorf | |
13 | 15 | Jean-Philippe Lang | sudo aptitude install libapache2-svn libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl |
14 | 1 | Nicolas Chuche | |
15 | 15 | Jean-Philippe Lang | If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users. |
16 | 1 | Nicolas Chuche | |
17 | h2. Enabling apache modules |
||
18 | |||
19 | On debian/ubuntu : |
||
20 | |||
21 | <pre> |
||
22 | 15 | Jean-Philippe Lang | sudo a2enmod dav |
23 | sudo a2enmod dav_svn |
||
24 | sudo a2enmod perl |
||
25 | 4 | Jean-Philippe Lang | </pre> |
26 | 1 | Nicolas Chuche | |
27 | 15 | Jean-Philippe Lang | h2. Apache configuration for Subversion repositories |
28 | 1 | Nicolas Chuche | |
29 | 15 | Jean-Philippe Lang | You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@ |
30 | Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@): |
||
31 | 1 | Nicolas Chuche | |
32 | 17 | Joachim Fritschi | * the old how-to which suggested two separate locations for with @/svn@ and @/svn-private@ can be avoided |
33 | * with the @Satisfy any@ keyword from Apache you can define different authentication policies |
||
34 | * read access from the redmine-server or any validated user |
||
35 | * write access only validated users |
||
36 | 15 | Jean-Philippe Lang | |
37 | 17 | Joachim Fritschi | |
38 | 15 | Jean-Philippe Lang | <pre> |
39 | 1 | Nicolas Chuche | # /svn location for users |
40 | PerlLoadModule Apache::Redmine |
||
41 | <Location /svn> |
||
42 | DAV svn |
||
43 | 17 | Joachim Fritschi | SVNParentPath "/mnt/srv/svn" |
44 | Order deny,allow |
||
45 | Deny from all |
||
46 | Satisfy any |
||
47 | 1 | Nicolas Chuche | |
48 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
49 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
50 | 17 | Joachim Fritschi | AuthType Basic |
51 | 18 | Joachim Fritschi | AuthName "Redmine SVN Repository" |
52 | 17 | Joachim Fritschi | |
53 | #read-only access |
||
54 | <Limit GET PROPFIND OPTIONS REPORT> |
||
55 | Require valid-user |
||
56 | Allow from redmine.server.ip |
||
57 | # Allow from another-ip |
||
58 | Satisfy any |
||
59 | </Limit> |
||
60 | # write access |
||
61 | <LimitExcept GET PROPFIND OPTIONS REPORT> |
||
62 | Require valid-user |
||
63 | </LimitExcept> |
||
64 | |||
65 | |||
66 | 1 | Nicolas Chuche | ## for mysql |
67 | RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" |
||
68 | 4 | Jean-Philippe Lang | ## for postgres |
69 | 1 | Nicolas Chuche | # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" |
70 | 4 | Jean-Philippe Lang | ## for SQLite3 |
71 | 1 | Nicolas Chuche | # RedmineDSN "DBI:SQLite:dbname=database.db" |
72 | |||
73 | RedmineDbUser "redmine" |
||
74 | RedmineDbPass "password" |
||
75 | </Location> |
||
76 | |||
77 | </pre> |
||
78 | |||
79 | 17 | Joachim Fritschi | h3. Testing the configuration: |
80 | 1 | Nicolas Chuche | |
81 | 17 | Joachim Fritschi | After reloading apache conf, you can try to browse some repository with: |
82 | |||
83 | 1 | Nicolas Chuche | <pre> |
84 | svn ls http://my.svn.server/svn/myproject |
||
85 | 4 | Jean-Philippe Lang | </pre> |
86 | 1 | Nicolas Chuche | |
87 | 17 | Joachim Fritschi | Any non-public repository should ask for a username and password. |
88 | 4 | Jean-Philippe Lang | |
89 | 17 | Joachim Fritschi | To test the authentication that allows you redmine server to read all repositories: |
90 | 1 | Nicolas Chuche | |
91 | 17 | Joachim Fritschi | Reading a private repository: |
92 | 3 | Jean-Philippe Lang | <pre> |
93 | 17 | Joachim Fritschi | svn ls http://my.svn.server/svn/myproject |
94 | </pre> |
||
95 | Try writing to the repository: |
||
96 | <pre> |
||
97 | svn mkdir http://my.svn.server/svn/myproject/testdir |
||
98 | </pre> |
||
99 | This should fail and ask for a password. |
||
100 | |||
101 | |||
102 | h3. optional LDAP Authentication |
||
103 | |||
104 | If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module. |
||
105 | |||
106 | <pre> |
||
107 | 8 | Nicolas Chuche | PerlLoadModule Apache::Redmine |
108 | 17 | Joachim Fritschi | PerlLoadModule Authen::Simple::LDAP |
109 | # PerlLoadModule IO::Socket::SSL |
||
110 | 12 | Todd Nine | <Location /svn> |
111 | DAV svn |
||
112 | SVNParentPath "/var/svn" |
||
113 | |||
114 | AuthType Basic |
||
115 | AuthName redmine |
||
116 | Require valid-user |
||
117 | |||
118 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
119 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
120 | |||
121 | ## for mysql |
||
122 | RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" |
||
123 | ## for postgres |
||
124 | # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" |
||
125 | |||
126 | RedmineDbUser "redmine" |
||
127 | RedmineDbPass "password" |
||
128 | #Cache the last 50 auth entries |
||
129 | RedmineCacheCredsMax 50 |
||
130 | </Location> |
||
131 | </pre> |
||
132 | 15 | Jean-Philippe Lang | |
133 | 12 | Todd Nine | |
134 | 15 | Jean-Philippe Lang | h2. Apache configuration for Git repositories |
135 | |||
136 | Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. |
||
137 | 8 | Nicolas Chuche | |
138 | You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : |
||
139 | |||
140 | <pre> |
||
141 | 9 | Nicolas Chuche | Alias /git /var/git |
142 | 8 | Nicolas Chuche | |
143 | PerlLoadModule Apache::Redmine |
||
144 | <Location /git> |
||
145 | DAV on |
||
146 | |||
147 | AuthType Basic |
||
148 | Require valid-user |
||
149 | AuthName "Git" |
||
150 | |||
151 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
152 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
153 | |||
154 | RedmineDSN "DBI:mysql:database=redmine;host=localhost" |
||
155 | RedmineDbUser "redmine" |
||
156 | RedmineDbPass "password" |
||
157 | </Location> |
||
158 | |||
159 | Alias /git-private /var/git |
||
160 | |||
161 | <Location /git-private> |
||
162 | Order deny,allow |
||
163 | Deny from all |
||
164 | <Limit GET PROPFIND OPTIONS REPORT> |
||
165 | Options Indexes FollowSymLinks MultiViews |
||
166 | Allow from 127.0.0.1 |
||
167 | </Limit> |
||
168 | </Location> |
||
169 | </pre> |
||
170 | |||
171 | To verify that you can access repository through Redmine.pm, you can use curl : |
||
172 | <pre> |
||
173 | % curl --netrc --location http://localhost/git/ecookbook/HEAD |
||
174 | 13 | Thomas Pihl | ref: refs/heads/master |
175 | </pre> |
||
176 | |||
177 | h2. Gotchas |
||
178 | |||
179 | If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result. |
||
180 | Example: |
||
181 | 1 | Nicolas Chuche | > ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}): |
182 | (if your repo are named rm-code) |