Configuring subversion access over HTTP/DAV

Subversion repositories can be served by the Apache web server over the HTTP protocol (extended by WebDAV/DeltaV). The benefits of this system include high performance, fine-grained permission control, SSL support, alternative authentication modes and more. It is the solution of choice if you are behind a company firewall, since it uses only standard HTTP or HTTPS connections. Repository content can also be accessed seamlessly from the web.

This method requires the use of a dedicated Apache server instance (described here), which is available to our Advanced and Corporate customers.

Creating the repository

If you have not created any Subversion repositories yet, you can create one with svnadmin:

  $ svnadmin create ~/my-repository

Rebuilding Apache with mod_dav

If you do not already have your Apache server instance set up, follow these steps and pass the --enable-dav option to ./configure. Rebuild and reinstall your Apache server as explained in the guide.

Installing the mod_dav_svn modules

Grab the latest stable Subversion source release, unpack it to some temporary location and compile Subversion using the following ./configure options:

  $ mkdir $HOME/subversion
  $ tar -xzvf subversion-X.X.X.tar.gz
  $ cd subversion-X.X.X
  $ ./configure --prefix=$HOME/subversion --with-apxs=$HOME/apache/bin/apxs \
                --with-berkeley-db=/usr/local
  $ make && make install

You can then delete the ~/subversion-X.X.X and ~/subversion directories (the latter is not needed since we are only using the Apache modules).

Updating the Apache configuration

Make sure the following LoadModule statements appear in the Dynamic Shared Object (DSO) Support section of your Apache configuration file. The Subversion installation should have automatically added the dav_svn_module and authz_svn_module lines.

  LoadModule dav_module         modules/mod_dav.so
  LoadModule dav_svn_module     modules/mod_dav_svn.so
  #LoadModule authz_svn_module   modules/mod_authz_svn.so

Uncomment the authz_svn_module line if you wish to use fine-grained permissions (see below).

Finally, you can configure access to the repositories. You can either add one <Location> section per repository, or use a single <Location> that points at a directory containing all repositories and rely on fine-grained permission controls (see below).

Typically, you will want to use password authentication, but other methods are supported.

The following entry would give read-only access to everyone, and write access to users in the given AuthUserFile. You can use the htpasswd utility to create or update that file.

  <Location /myproject>
    DAV svn
    SVNPath /path/to/myproject
    AuthType Basic
    AuthName "My project"
    AuthUserFile /path/to/authfile
    Order deny,allow
    <LimitExcept GET PROPFIND OPTIONS REPORT>
      Require valid-user
    </LimitExcept>
  </Location>

The following entry would give read/write access to users in the AuthUserFile, and no access to anyone else.

  <Location /myproject>
    DAV svn
    SVNPath /path/to/myproject
    AuthType Basic
    AuthName "My project"
    AuthUserFile /path/to/authfile
    Order deny,allow
    Require valid-user
  </Location>

Testing the repository

Using either a remote Subversion client or the standard svn command from your shell, you can generate your working copy of the repository with the checkout command. If you are accessing public data over a read-only account, you can use a standard http URL:

  $ svn co http://your-domain/myproject/

If you are accessing private data or using a read/write account, make sure to use an https URL:

  $ svn co https://your-domain/myproject/

The contents of public repositories are also accessible from a web browser. Keep in mind that search engines will try to index any public data, so you may want to use a robots.txt file.

Using fine-grained permissions (optional)

Access controls for items within a repository can be configured using the mod_authz_svn module. Uncomment its LoadModule statement in your Apache configuration and edit your <Location> entry:

  <Location /repos>
    DAV svn
    SVNPath /path/to/repos

    # Access Control via the authz module.
    AuthzSVNAccessFile /path/to/accessfile

    # Anonymous access is allowed. Prompt as needed.
    Satisfy Any
    Require valid-user

    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /path/to/authfile
  </Location>

Create the file specified in AuthzSVNAccessFile. This file will contain the access control information:

  # Allow the root of the repository to be browseable by all.
  [/]
  # All users, including anonymous ones, have read access.
  * = r

  # Directory relative to /path/to/repos.
  [/project1]
  # Everyone can read.
  * = r
  # These users can read and write.
  johnny = rw
  rotten = rw

  [/project2]
  sid = rw
  vicious = rw
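
How mod_authz_svn resolves the access file above, as an added example (not code from the original page): a simplified Python model of the lookup that covers only user and * entries, with no groups, aliases or repository-name prefixes. It shows that /project2 remains readable by everyone, because a user with no line in [/project2] falls back to the [/] section; the HARDENED variant is an assumption of this example and adds an empty "* =" line to close that.

```python
import posixpath

# The access file from this page (comments omitted).
ACCESS_FILE = """\
[/]
* = r

[/project1]
* = r
johnny = rw
rotten = rw

[/project2]
sid = rw
vicious = rw
"""

# Assumed variant: an empty right for * denies everyone not listed by name.
HARDENED = ACCESS_FILE.replace("[/project2]\n", "[/project2]\n* =\n")

def parse_access_file(text):
    """Return {section_path: [(principal, rights), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = sections.setdefault(line[1:line.index("]")], [])
        elif current is not None and "=" in line:
            name, _, rights = line.partition("=")
            current.append((name.strip(), rights.strip()))
    return sections

def effective_access(sections, user, path):
    """Rights for user (None = anonymous) on path, nearest section first."""
    path = posixpath.normpath("/" + path.strip("/"))
    while True:
        matched = [r for name, r in sections.get(path, [])
                   if name == "*" or (user is not None and name == user)]
        if matched:
            # Several matching lines in one section combine their rights.
            return "".join(c for c in "rw" if any(c in r for r in matched))
        if path == "/":
            return ""  # no rule matched anywhere: access denied
        path = posixpath.dirname(path)  # inherit from the parent directory
```

Running effective_access over every user and path you care about, before installing a new access file, gives a quick review of what each account can actually reach.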
