Introduction
This page describes how Alexis Huxley installed and configured his front-end Apache web server to manage multiple Subversion repositories.
Procedure
- Set some environment variables:
WEBSITENAME=<name-of-website> # e.g. WEBSITENAME=svn.pasta.freemyip.com
- Clone the template components by running:
cp -ar /var/www/WEBSITENAME /var/www/$WEBSITENAME
sed "s/WEBSITENAME/$WEBSITENAME/g" \
    < /etc/apache2/sites-available/WEBSITENAME.conf \
    > /etc/apache2/sites-available/$WEBSITENAME.conf
sed "s/WEBSITENAME/$WEBSITENAME/g" \
    < /etc/apache2/sites-available/WEBSITENAME-ssl.conf \
    > /etc/apache2/sites-available/$WEBSITENAME-ssl.conf
- Migrate repository content as follows:
- On the old subversion server run:
mv <repo-path> <repo-path>.old
svnadmin dump <repo-path>.old > <repo-name>.dump
- Transfer the dump file from the old server to the new one.
- On the new subversion server run:
svnadmin create <repo-path>.new
svnadmin load <repo-path>.new < <repo-name>.dump
chown -R www-data:www-data <repo-path>.new
mv <repo-path>.new <repo-path>
- Migrate the subversion.htdigest file, if in use.
- Configure as follows:
- There is no index of repositories; to block people checking whether there is one, add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
<LocationMatch ^/$>
    Deny from all
    Options None
    ErrorDocument 403 Forbidden.
</LocationMatch>
- For public repositories (read-only unless authenticated), add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
<Location /main>
    DAV svn
    SVNPath /svn/main
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        AuthType Digest
        AuthName "Subversion Service"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/subversion.htdigest
        Require valid-user
    </LimitExcept>
</Location>
- For private repositories (no access unless authenticated), add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
<Location /private>
    DAV svn
    SVNPath /svn/private
    AuthType Digest
    AuthName "Subversion Service"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/subversion.htdigest
    Require valid-user
</Location>
- If you want to use LDAP authentication, then replace:
AuthType Digest
AuthName "Subversion Service"
AuthBasicProvider file
AuthUserFile /etc/apache2/subversion.htdigest
Require valid-user
with:
AuthType Basic
AuthName "Subversion Service"
AuthBasicProvider ldap
AuthLDAPUrl ldap://ziti.pasta.net/ou=Users,dc=pasta,dc=net?uid
Require valid-user
and:
- adjust AuthLDAPUrl accordingly (see here for more details)
- Run:
a2enmod authnz_ldap ldap
- Check that the repository paths, as mentioned in the Apache configuration, are accessible.
- Create /var/www/$WEBSITENAME/robots.txt containing:
User-agent: *
Disallow: /svn/
- If you wish to allow commit logs to be corrected after the commit has been made (I won’t do this until I really need to) then run:
cd <repo-root-dir>/hooks
cp pre-revprop-change.tmpl pre-revprop-change
The command to actually change the property is:
svn propedit -r <revision> --revprop svn:log <url>
(This is taken from the FAQ.)
- Enable the required modules and the website with:
apt-get install subversion libapache2-mod-svn
a2enmod auth_digest
a2ensite $WEBSITENAME
a2ensite $WEBSITENAME-ssl
systemctl restart apache2
- To test:
- Enable selective website redirection to facilitate testing without affecting your viewers as described below.
- Visit the new site and check everything works (though you can expect certificate warnings).
- Disable selective website redirection (by undoing what you did earlier).
- To activate:
- You can now set up SSL certification according to Setting up LetsEncrypt (revision 2) but note that, if that procedure requires you to make changes on the firewall, then you need to keep those changes in place on the firewall until all websites have been migrated (otherwise unmigrated sites won’t work).
- If there is an old frontend webserver and you’re in the process of replacing it with the new frontend webserver you’re currently configuring, then, on the old webserver, proxy all traffic for this specific website to the new webserver with something like:
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass / https://anelli.pasta.net/
ProxyPassReverse / https://anelli.pasta.net/
ProxyPreserveHost On
(Note the ProxyPreserveHost which is necessary so that the website name requested by the client is passed on to the new frontend webserver so that it knows to which vhost to pass the request; otherwise it will serve the default vhost.)
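A small linter for the kind of `<Location>` blocks configured in the procedure above, as an added example that is not part of the original procedure: it reports which `DAV svn` locations allow anonymous access and flags authentication directives that do not do what they appear to. The sample configuration is constructed; the LDAP host name and the `/open` location are hypothetical.

```python
import re

# Constructed sample in the shape of the blocks above (hypothetical LDAP host, /open).
SAMPLE = """\
<Location /main>
    DAV svn
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        AuthType Digest
        AuthBasicProvider file
        Require valid-user
    </LimitExcept>
</Location>
<Location /private>
    DAV svn
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://ldap.example.test/ou=Users,dc=example,dc=test?uid
    Require valid-user
</Location>
<Location /open>
    DAV svn
</Location>
"""

def audit(conf):
    """Return {location: [findings]} for every <Location> that enables DAV svn."""
    report = {}
    for path, body in re.findall(r"<Location\s+(\S+)>(.*?)</Location>", conf, re.S):
        if not re.search(r"^\s*DAV\s+svn\b", body, re.M | re.I):
            continue
        out = report.setdefault(path, [])
        limit = re.search(r"<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>", body, re.S)
        outer = body.replace(limit.group(0), "") if limit else body
        if re.search(r"^\s*Require\s+valid-user", outer, re.M):
            out.append("auth required for all methods")
        elif limit and re.search(r"^\s*Require\s+valid-user", limit.group(2), re.M):
            out.append("anonymous: " + " ".join(limit.group(1).split()))
        else:
            out.append("NO AUTH: anonymous read and write")
        auth = re.search(r"^\s*AuthType\s+(\w+)", body, re.M)
        kind = auth.group(1).lower() if auth else ""
        if kind == "digest" and "AuthDigestProvider" not in body and "AuthBasicProvider" in body:
            out.append("AuthBasicProvider has no effect on Digest; use AuthDigestProvider")
        ldap = re.search(r"^\s*AuthLDAPUrl\s+(\S+)(.*)$", body, re.M)
        if ldap and ldap.group(1).startswith("ldap://") and "TLS" not in ldap.group(2):
            out.append("LDAP lookups use ldap:// without STARTTLS")
        if kind == "basic":
            out.append("Basic auth: serve this location over HTTPS only")
    return report
```

The Digest finding is informational for file-backed users, because `mod_auth_digest` uses the file provider by default.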
A note on client-side plain-text password stores
In Subversion 1.12, support for plain-text password stores was disabled by default at compile time. This is extensively discussed here. The upshot is that if you want to cache a password in plain-text then you should:
- Run:
cd /tmp
wget https://svn.pasta.freemyip.com/main/smalltools/trunk/bin/svn-cache-passwd
chmod 755 svn-cache-passwd
./svn-cache-passwd <repo-url>
and follow the prompts.
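To see which credentials a client has cached in plain text, the entries under `~/.subversion/auth/svn.simple/` can be parsed directly. The following is an added example, not the `svn-cache-passwd` script referenced above; it assumes the standard client cache layout, and the sample entry is constructed.

```python
import os

# Constructed cache entry in Subversion's "K <len> / V <len> / END" format.
SAMPLE = (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 6\nhunter\n"
          b"K 15\nsvn:realmstring\nV 49\n"
          b"<https://svn.example.test:443> Subversion Service\n"
          b"K 8\nusername\nV 5\nalice\nEND\n")

def parse_svn_hash(data):
    """Parse one cache file (bytes) into a dict of str -> str."""
    out, pos = {}, 0

    def read_item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)           # ValueError if truncated
        kind, length = data[pos:eol].split()   # e.g. b"K", b"8"
        if kind != tag:
            raise ValueError("expected %r record at byte %d" % (tag, pos))
        start = eol + 1
        end = start + int(length)              # lengths are byte counts
        pos = end + 1                          # skip newline after payload
        return data[start:end].decode("utf-8", "replace")

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key] = read_item(b"V")
    return out

def find_plaintext(auth_dir):
    """Return (file, realm, username) for entries stored as plain text.

    The password itself is never returned or printed.
    """
    hits = []
    for name in sorted(os.listdir(auth_dir)):
        path = os.path.join(auth_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            entry = parse_svn_hash(fh.read())
        # passtype "simple" means the password is stored unencrypted
        if entry.get("passtype") == "simple" and "password" in entry:
            hits.append((name, entry.get("svn:realmstring"), entry.get("username")))
    return hits
```

Call `find_plaintext(os.path.expanduser("~/.subversion/auth/svn.simple"))` on a workstation to list the affected realms.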