I did it again! Yet another installation of Subversion for “standard” project development purposes, i.e. using Apache2, WebDAV, SSL, Basic Authentication. In case I do it again … and soon again, I recorded the installation howto logs.

NOTE: The target OS is Ubuntu Edgy 6.10 and Feisty. I use $NAME notation for placeholders to be replaced by installation-specific values.

1. Install packages:
sudo apt-get install subversion libapache2-svn libapache-mod-dav apache2

2. Enable SSL:
sudo a2enmod ssl
sudo sh -c "echo 'Listen 443' >> /etc/apache2/ports.conf"

3. Generate Certificate:
Ubuntu < Feisty:
sudo apache2-ssl-certificate
Use the server name that will be used to access the web server.

Ubuntu >= Feisty: (thanx Roderik)
sudo apt-get install ssl-cert
sudo mkdir /etc/apache2/ssl
sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

4. Create Virtual Host:
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/$SITENAME
sudo vim /etc/apache2/sites-available/$SITENAME

change:
NameVirtualHost *:443
<VirtualHost *:443>

add:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

5. Enable the site:
sudo a2ensite $SITENAME
sudo /etc/init.d/apache2 restart

A warning that complains about failure to determine the server name can be fixed by adding ServerName $SERVERNAME to the main Apache config /etc/apache2/apache2.conf.

6. Adding repository(ies):
The following setup assumes we want to host multiple repositories.
sudo mkdir /var/svn
sudo svnadmin create /var/svn/$REPOS
sudo chown -R www-data:www-data /var/svn/$REPOS
sudo chmod -R g+ws /var/svn/$REPOS

7. Adding Basic Authentication:
sudo htpasswd2 -c -m /etc/apache2/dav_svn.passwd $AUTH_USER

8. Enable and configure WebDAV and SVN:
Add to /etc/apache2/mods-available/dav_svn.conf (inside the <Location /svn> block):
DAV svn
SVNParentPath /var/svn
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
Require valid-user
SSLRequireSSL

and for non-anonymous access comment out:
#<LimitExcept GET PROPFIND OPTIONS REPORT>
#</LimitExcept>

(optionally the same configuration can be set for particular virtual host only, i.e. /etc/apache2/sites-available/$SITENAME)
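
A check for the settings from steps 4 and 8, added here as an example (it is not part of the original post): a small shell linter, run over two constructed config samples, that flags the conditions under which this setup serves the repository without a login or accepts Basic credentials over plain HTTP. The function names and sample files are made up for the example, and it assumes one directive per line and a mod_ssl build with TLS 1.2.

```shell
# Added example, not from the original post: lint the step 4 TLS setting and
# the step 8 <Location> block. Assumes one directive per line.

# active FILE REGEX: true if an uncommented line consists of REGEX
active() { grep -Eiq "^[[:space:]]*${2}[[:space:]]*\$" "$1"; }

# audit_svn_config FILE: print one finding per line; return 1 if any
audit_svn_config() {
    f=$1 rc=0
    finding() { echo "$f: $1"; rc=1; }
    active "$f" 'AuthType[[:space:]]+Basic' || finding "no 'AuthType Basic'"
    active "$f" 'AuthUserFile[[:space:]]+.+' || finding "no AuthUserFile"
    active "$f" 'Require[[:space:]]+valid-user' ||
        finding "no 'Require valid-user': anonymous access"
    active "$f" 'SSLRequireSSL' ||
        finding "no SSLRequireSSL: Basic credentials accepted over plain HTTP"
    # An uncommented <LimitExcept> exempts the listed read methods from login
    active "$f" '<LimitExcept[[:space:]].*>' &&
        finding "<LimitExcept> active: reads need no login"
    # 'all' enables every protocol version the mod_ssl build supports
    active "$f" 'SSLProtocol[[:space:]]+all' &&
        finding "'SSLProtocol all': list the allowed protocol versions explicitly"
    return "$rc"
}

# Constructed samples: a config with authentication only half enabled ...
weak=$(mktemp) fixed=$(mktemp); trap 'rm -f "$weak" "$fixed"' EXIT
cat > "$weak" <<'EOF'
SSLProtocol all
<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthUserFile /etc/apache2/dav_svn.passwd
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>
EOF
# ... and the step 8 block, with an explicit protocol list (assumed TLS 1.2 build)
cat > "$fixed" <<'EOF'
SSLProtocol -all +TLSv1.2
<Location /svn>
  DAV svn
  SVNParentPath /var/svn
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
  SSLRequireSSL
</Location>
EOF
audit_svn_config "$weak" || echo "weak sample: see findings above"
audit_svn_config "$fixed" && echo "fixed sample: clean"
```

After editing, the same function can be pointed at /etc/apache2/mods-available/dav_svn.conf or at the virtual host file.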

9. Finalization: (guess what?)
sudo /etc/init.d/apache2 restart

Testing:
Web access:
lynx https://localhost/svn/$REPOS exposes the repository.
lynx http://localhost/svn/$REPOS says: eat my shorts, i.e. 403-forbidden.

An initial import:
svn import --username $AUTH_USER $A_FILE https://localhost/svn/$REPOS/testdir -m "Testing"

… and check-out:
svn co --username $AUTH_USER https://localhost/svn/$REPOS

To add a new repository, just repeat step 6 (without making the root directory, of course).
If you wish to configure a single repository only, instead of point 6:
sudo svnadmin create /var/svn
sudo chown -R www-data:www-data /var/svn
sudo chmod -R g+ws /var/svn

and in /etc/apache2/mods-available/dav_svn.conf (step 8) use this instead of SVNParentPath:
SVNPath /var/svn

Above all, check the great SVN Book.



35 Responses to “Installation of Subversion on Ubuntu, with Apache, SSL, and BasicAuth.”  

  1. 1 countjocular

    This is a great step-by-step tutorial. Worked like a dream for me on Ubuntu Breezy with Apache 2.0.54. Thanks very much!

    The only thing that might catch newbies out is a badly configured fresh Ubuntu installation that may give a “locale not recognized” error when first running svn commands. This is an OS error, rather than an SVN error (apparently the same error can arise on Debian and Suse systems, although I’ve not encountered that myself). A simple

    # (sudo) apt-get install language-pack-en-base

    will fix the problem in most cases without even the need for a reboot.

  2. 2 John Bachir

    Thanks for the helpful guide. I am running into a problem where I cannot perform the webdav copy operation over ssl. I read something that was 2 years old saying that this operation is not available on virtualhosts over ssl, but I haven’t been able to find any official word on that.

    Furthermore I am NOT running anything through a proxy, which is the only reason anyone proposes for the problem

    $ svn commit -m ' '
    Adding svntesting/test2
    svn: Commit failed (details follow):
    svn: COPY of test2: 502 Bad Gateway

    Any ideas? I’ve been trying to fix this on and off for months and have come up with nothing.

  3. 3 mihai

    thanks for the info :)

    works like charm!

  4. 4 Jeremy Pyman

    Great guide.

    The only problem I had was setting up the /etc/apache2/mods-available/dav_svn.conf file. I was editing the existing file, and didn’t notice that the property was SVNParentPath instead of SVNPath. My own fault for not paying enough attention to detail.

    Thanks for publishing this.

  5. 5 Jean-Pol Landrain

    Reply to John Bachir for the error SVN COPY 502 bad gateway over HTTPS.

    The explanation:

    It seems there is no standard solution to this problem. Greg Stein has refused to implement a workaround in the Apache module: the problem happens because the hardware (reverse proxy, SSL accelerator or whatever decrypts the HTTPS) doesn’t do its job correctly. It modifies the URL in the request but not in the “Destination” header of the DAV “COPY” requests (these DAV requests are issued from the SVN client when you do either a “copy” or “move”). Then when the svn server checks the parameters, it finds something incorrect. The position of Greg is understandable as it’s not a problem caused by Apache or by SVN. The way we’ve fixed it here has required implementing a script inside the ssl accelerator, in order to also modify the “Destination” header in the DAV “COPY” requests to our SVN server. This solution works perfectly, we’ve almost forgotten it’s in place. If you can’t do it in your reverse proxy (or if you don’t have a reverse proxy but just Apache), it’s also possible to do it with a PERL script installed inside Apache (using mod_perl and the directives SetHandler and PerlHeaderParserHandler in the apache configuration file). If both these can’t be done in your environment, your last resort will be to activate the ssl connection between the reverse proxy and Apache (but this wasn’t possible in my case).

    For reference:
    http://svn.haxx.se/users/archive-2006-03/0549.shtml
    http://svn.haxx.se/users/archive-2003-08/0780.shtml

    One possible solution (using mod_perl):
    http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=96866

    Cheers.
    Jean-Pol

  6. 6 andrew

    doesn’t the SSLEngine line need to look like this

    SSLEngine on

  7. 7 viz

    andrew> yes it does ..thx :)

  8. 8 John Bachir

    Jean-Pol-

    Thanks so much for the response, I’ll look closely at those URLs.

    -John

  9. 9 andrew

    you also need a sudo here

    chmod -R g+ws /var/svn/$REPOS

  10. 10 shroomling

    Works perfectly on Ubuntu Feisty Herd 5 - thanks!

  11. 11 ryan

    Running into a problem, /etc/apache2/mods-available/dav_svn.conf does not exist. I have all the packages installed, so I know that is not the issue. I checked my entire system and dav_svn.conf does not exist anywhere, or any other dav_svn file. I do have dav_fs.conf, but I assume that to be a different module. Sorry, am not new to Linux, but I am new to Apache. I am running Ubuntu 6.10.

    Thanks

  12. 12 viz

    Ryan, I don’t know what/why/who but I’ve run into a similar problem recently when shuffling several apache2 versions (on Ubuntu Edgy). The dav_svn.* files were just missing. From my experience it was enough to add the config files manually. Search for some on the net, or just insert s.t. like: dav_svn conf file:

    <location /svn>
      DAV svn
      SVNParentPath /var/svn
      AuthType Basic
      AuthName "Subversion Repository"
      AuthUserFile /etc/apache2/dav_svn.passwd
      Require valid-user
      SSLRequireSSL
    </location>

    and dav_svn.load:

    LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
    LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so

  13. 13 Gord Wait

    Hi, looks like a nice concise tutorial.
    I’m going to check over my configuration against your instructions,
    but essentially I’m stuck: When I enabled the basic authorization,
    the server refuses to let a client sign up.
    When I look in the apache2 log, it states that it can’t find the /etc/apache2/dav_syn.passwd file.
    I’ve looked over the file permissions etc, but I so far haven’t found anything out of place.
    Any thoughts?
    Cheers,
    Gord Wait

  14. 14 Gord Wait

    I decided to just follow the above instructions (I think) and I’m having problems at the apache2 restart step. Apache won’t start and I get an error:

    (98): make_sock: could not bind to address [::]:443
    no listening sockets available, shutting down
    Unable to open logs

    I’ll go back over all the directions carefully again, but - help! -

  15. 15 Gord Wait

    I solved the “could not bind” issue - I commented out any Listen entry in all
    the apache2 files, EXCEPT for ports.conf.

    Now apache is up and running again, but I’m back to the original problem I mentioned in 13 above, where apache can not read the password file for some reason.. Arggg…!

  16. 16 Zekus

    Wonderful, I put a link to this page on my blog too : http://zubuntu.blogspot.com/2007/01/installation-of-subversion-on-ubuntu_4250.html

    Thanks!

  17. 17 John R

    I spent literally an hour trying to get Subversion rebuilt on my new server (moving from FC4 to Ubuntu D, I didn’t set up the original SVN repo) until I found this page. My killer? I had SVNPath instead of SVNParentPath.

    Thank you, for the record, for this step-by-step walkthrough. This made it all super-easy.

  18. 18 Roderik

    In Feisty, instead of apache2-ssl-certificate you have to use:

    sudo apt-get install ssl-cert
    sudo mkdir /etc/apache2/ssl
    sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

    Hope that helps someone.

  19. 19 Jim S

    Thanks for the tip about the change with Feisty. I was stuck until I saw that.

  20. 20 ooboontoo

    Hi all,

    I get this error:
    Error: PROPFIND request failed on ‘/svn/myRepos’
    Error: PROPFIND ‘/svn/myRepos’: 405 Method Not Allowed (https://127.0.0.1)

    I have this in my dav_svn.conf

    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName “Subversion Repository”
    AuthUserFile /etc/apache2/dav_svn.passwd

    Require valid-user

    SSLRequireSSL

    Any idea why I still receive the PROPFIND error?

    Regards,
    OObOOntOO

  21. 21 Jim S

    Well, I got stumped and it looks like some kind of authentication problem:

    ————-
    jim@sgtrock:~/DevProjects/test$ svn import --username jim \
    https://localhost/svn/test -m "testing"

    svn: PROPFIND request failed on ‘/svn/test’
    svn: PROPFIND of ‘/svn/test’: 301 Moved Permanently (https://localhost)
    ————

    “jim” is a valid user in dav_svn.passwd

    my SVNParentPath is set to /var/www/svn

    The top level repository has been created at /var/www/svn

    “test” has been created one directory down.

    Connecting anonymously through a Web browser shows that localhost/svn/test is currently at Revision 0.

    What am I missing? Any ideas?

    TIA

  22. 22 OObOOntOO

    Hi,

    I fixed the problem, I had to move the

    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName “Subversion Repository”
    AuthUserFile /etc/apache2/dav_svn.passwd
    Require valid-user
    SSLRequireSSL

    from dav_svn.conf to /etc/apache2/sites-available/servername

    And insert the data in between the

    // right here

    Now it works all peachy and fine (also make sure the documentroot is not equal to the svnpath)

    Regards
    OObOOntOO

  23. 23 John Doe

    Hey, Roderik.

    Thx for mentioning that, quite helpful ;)

  24. 24 Mike Kubernic

    Worked a treat! Thanks ever so much!
    Mike

  25. 25 Tan Nhu

    On Ubuntu Feisty (7.04), you need to modify a little at step 7:

    Change:
    sudo htpasswd2 -c -m /etc/apache2/dav_svn.passwd $AUTH_USER

    To:
    sudo htpasswd -c -m /etc/apache2/dav_svn.passwd $AUTH_USER

    As the command htpasswd2 is not found on Feisty.

    See also: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/77675

  26. 26 calenti

    Thanks for the tips, I tried following them but I am continually getting 500 errors and the error message “need AuthName” in the logs when I try to visit my new svn site. I’m not being asked for the authname, and I don’t want to provide one by default because I want the users to provide -their- names, which I have already set up and added to htpasswd.

    Does anyone have some suggestions? Tried googling but all I am coming up with are similar questions on sites with no answers. Thanks.

  27. 27 Erik

    I use to do:

    sudo apache2-ssl-certificate -days 10000

    to get a cert that doesn’t run out after 1 month… now my server can run till I retire without whining about the cert being expired…

    However, if you want security it could perhaps be a good idea to change cert now and then… I don’t know… and I’m not security-paranoid so… 2035 as last valid year works fine for me…

  28. 28 Tan Nhu

    On Gutsy (7.10), the package libapache-mod-dav is not found. So the tip is to enable Ubuntu 6.06 LTS Community Maintained (universe) repository in Synaptic, then install it, then disable :)

  29. 29 Marcello

    Works on Ubuntu 7.10… Just some notes:

    - Dav module is already included on Apache2
    - The htpasswd2 does not exist… Instead, use the htpasswd… Also, the command described on the article just create a single user… In order to add more than one user, just append to the file as follows:

    sudo htpasswd -m /etc/apache2/dav_svn.passwd $USERNAME

    - Warning message
    “apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName”
    -> just add the following to global section of the apache2.conf
    ServerName $HOSTNAME
    Where $HOSTNAME is the convenient name you choose… I’m working on a localhost machine behind a firewall from a router, so I just used “localhost”

    - Warning messages
    [warn] NameVirtualHost *:443 has no VirtualHosts
    [warn] NameVirtualHost *:0 has no VirtualHosts

    -> The article states to change, the …*443 line, but on mine there was nothing… So I had added the section instead of changing

    NameVirtualHost *

    To

    NameVirtualHost *:443

    Everything works great!!!! Thanks a lot

  30. 30 pugna

    Great Help Thanks

    one tip: when I restarted apache it failed
    I fixed it by opening the /etc/apache2/ports.conf
    and commenting out with # the 3 extra lines I found in mine

    #
    # Listen 443
    #

    I guess I didn’t need to add the line “Listen 443” to my set up “ubuntu server 7.10”

    Great Tut
    Pugna

  31. 31 Kjirsten

    I only had two problems -

    1. adding the “Listen 443” port to ports.conf caused the apache server restart to fail with this error:

    (98): make_sock: could not bind to address 0.0.0.0:443
    no listening sockets available, shutting down
    Unable to open logs

    Removing the extra Listen 443 statement from the ports.conf file fixed this.

    2. Somehow my first attempt at generating the SSL cert failed, causing this error in the log file upon restart:

    [error] Init: Unable to read server certificate from file /etc/apache2/ssl/apache.pem
    [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

    The server _appeared_ to start (no errors/warnings on the console) but trying to hit it from the browser or lynx showed that it was not in fact running.

    Fix was to delete the cert file (/etc/apache2/ssl/apache.pem) then generate it again.

    Thanks for publishing this - it saved a great deal of time and energy for many people!

  32. 32 Theuns Heydenrych

    HI
    I am trying to install SVN Apache and SSL on Ubuntu Hardy Heron
    I followed all the instructions but still get this error :

    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
    no listening sockets available, shutting down

    We got apache running yesterday with SSL and a colleague of mine installed Samba, and this morning I went ahead and created the svn repositories and when restarting apache it gives the socket error.

    Any one that can give me maybe a hint?
    Thanks in advance

  33. 33 A Singh

    Hi,
    I get this problem when I am using SVN via apache reverse proxy. Any ideas?
    svn: PROPFIND request failed on ‘/svn/REPOSITORY’
    svn: PROPFIND of ‘/svn/REPOSITORY’: 405 Method Not Allowed (https://pc2)

    PC 1 - SVN server Apache (SSL enabled)
    PC 2 - Apache (reverse proxy proxypass) connects to PC1 via SSL
    when svn list https://PC1/svn/REPOSITORY is issued

    In PC-2
    in config file /etc/apache2/sites-available/myconfig (included via a2ensite command)
    ProxyPassReverse /svn/REPOSITORY/ https://PC1/svn/REPOSITORY/
    ProxyPass svn/REPOSITORY/ https://PC1/svn/REPOSITORY/

    Order Deny,Allow
    Allow from all
    Satisfy Any

    svn list https://pc2/pc1/

  34. 34 accaquattro

    QUOTE:
    Hi,

    I fixed the problem, I had to move the

    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName “Subversion Repository”
    AuthUserFile /etc/apache2/dav_svn.passwd
    Require valid-user
    SSLRequireSSL

    from dav_svn.conf to /etc/apache2/sites-available/servername

    And insert the data in between the

    // right here
