Configuring Subversion (revision 1.2)

Introduction

This page describes how Alexis Huxley installed and configured his front-end Apache web server to manage multiple Subversion repositories.

Procedure

  1. Set some environment variables:
    WEBSITENAME=<name-of-website>  #  e.g. WEBSITENAME=svn.pasta.freemyip.com
  2. Clone the template components and create the log directory by running:
    cp -ar /var/www/WEBSITENAME /var/www/$WEBSITENAME
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME.conf \
            > /etc/apache2/sites-available/$WEBSITENAME.conf
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME-ssl.conf \
            > /etc/apache2/sites-available/$WEBSITENAME-ssl.conf
    mkdir /var/log/apache2/$WEBSITENAME
    chown www-data:www-data /var/log/apache2/$WEBSITENAME
    
  3. For each Subversion repository, migrate repository content as follows:
    1. On the old subversion server run:
      mv <repo-path> <repo-path>.old
      svnadmin dump <repo-path>.old > <repo-name>.dump
    2. Transfer the dump file from the server to the new one.
    3. On the new subversion server run:
      svnadmin create <repo-path>.new
      svnadmin load <repo-path>.new < <repo-name>.dump
      chown -R www-data:www-data <repo-path>.new
      mv <repo-path>.new <repo-path>
    4. Note that dumping is pretty quick but loading can take several hours.
  4. To block people checking what repositories exist, add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
    <LocationMatch ^/$>
        Deny from all
        Options None
        ErrorDocument 403 Forbidden.
    </LocationMatch>
  5. For each public repository (read-only unless authenticated), add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
    <Location /main>
        DAV svn
        SVNPath /svn/main
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            AuthType Digest
            AuthName "Subversion Service"
            AuthDigestProvider file
            AuthUserFile /etc/apache2/subversion.htdigest
            Require valid-user
        </LimitExcept>
    </Location>
  6. For each private repository (no access unless authenticated), add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
    <Location /private>
        DAV svn
        SVNPath /svn/private
        AuthType Digest
        AuthName "Subversion Service"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/subversion.htdigest
        Require valid-user
    </Location>
  7. If you want to use LDAP authentication, then:
    1. Replace:
      AuthType Digest
      AuthName "Subversion Service"
      AuthDigestProvider file
      AuthUserFile /etc/apache2/subversion.htdigest
      Require valid-user

      with:

      AuthType Basic
      AuthName "Subversion Service"
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ziti.pasta.net/ou=Users,dc=pasta,dc=net?uid
      Require valid-user
    2. Adjust AuthLDAPUrl accordingly (see here for more details)
    3. Run:
      a2enmod authnz_ldap ldap
  8. Check that the repository paths, as mentioned in the Apache configuration, are accessible.
  9. Create /var/www/$WEBSITENAME/robots.txt containing:
    User-agent: *
    Disallow: /svn/
  10. Enable the required modules and the website with:
    apt -y install subversion libapache2-mod-svn
    a2enmod auth_digest
    a2ensite $WEBSITENAME
    a2ensite $WEBSITENAME-ssl
    systemctl restart apache2
  11. Before proceeding, make sure that:
    1. the old repositories are renamed so as to be inaccessible
    2. the svnadmin load commands have finished
    3. the chown commands on the new repositories have been run

    (This reminder is here because it is probable that I would continue with this installation with the svnadmin load commands running in parallel.)

  12. Configure HTTPS access as described at Setting up Lets Encrypt (revision 2.1).
  13. As a test, attempt to update all working copies.
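
A static check for the access rules in steps 5 to 7, added here as an example (it is not part of the original page): it reads Apache configuration text and reports, for each `DAV svn` location, whether anonymous clients can read or write. The function name, the finding strings and the sample configuration are assumptions made for the example, and it assumes authentication directives sit either directly in the `<Location>` or inside a single `<LimitExcept>`, as they do above.

```python
import re

READ_ONLY = {"GET", "PROPFIND", "OPTIONS", "REPORT"}  # methods step 5 leaves anonymous
AUTHZ = re.compile(r"^\s*Require\s+(valid-user|user|group|ldap-\S+)", re.M | re.I)

def audit_svn_locations(conf_text):
    """Map each <Location> containing 'DAV svn' to (access_mode, [findings])."""
    report = {}
    for loc in re.finditer(r"<Location\s+(\S+)\s*>(.*?)</Location>", conf_text, re.S | re.I):
        path, body = loc.groups()
        if not re.search(r"^\s*DAV\s+svn\s*$", body, re.M | re.I):
            continue  # not a Subversion location
        limit = re.search(r"<LimitExcept\s+([^>]+)>(.*?)</LimitExcept>", body, re.S | re.I)
        # Directives inside <LimitExcept> apply only to methods NOT listed in it.
        guarded, findings = (limit.group(2) if limit else body), []
        extra = set(limit.group(1).upper().split()) - READ_ONLY if limit else set()
        if not AUTHZ.search(guarded):
            mode = "open"
            findings.append("no Require on writes: anonymous clients can commit")
        else:
            mode = "public-read" if limit else "private"
        if extra:
            findings.append("anonymous non-read methods: " + " ".join(sorted(extra)))
        if re.search(r"^\s*AuthType\s+Basic\b", guarded, re.M | re.I):
            findings.append("AuthType Basic: serve this location over HTTPS only")
        report[path] = (mode, findings)
    return report

# Constructed sample: /main and /private follow steps 5-7; /scratch and /old are hypothetical.
SAMPLE = """<Location /main>
    DAV svn
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
<Location /private>
    DAV svn
    AuthType Basic
    Require valid-user
</Location>
<Location /scratch>
    DAV svn
    <LimitExcept GET PROPFIND OPTIONS REPORT MKACTIVITY>
        Require valid-user
    </LimitExcept>
</Location>
<Location /old>
    DAV svn
</Location>"""
```

Pass the contents of the site's configuration file to `audit_svn_locations()`; an empty findings list with mode `public-read` or `private` matches the intent of steps 5 and 6.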

A note on client-side plain-text password stores

In Subversion 1.12, support for plain-text password stores was disabled by default at compile time. This is extensively discussed here. The upshot is that if you want to cache a password in plain-text then you should:

  1. Run:
    cd /tmp
    wget https://svn.pasta.freemyip.com/main/smalltools/trunk/bin/svn-cache-passwd
    chmod 755 svn-cache-passwd
    ./svn-cache-passwd <repo-url>

    and follow the prompts.
