Yang paling fleksibel dari semua kemungkinan penyiapan server untuk Subversion adalah yang berbasis Apache. Meskipun sedikit lebih sulit untuk menyiapkan, ia menawarkan keuntungan yang tidak bisa disediakan oleh server lain:
The Apache based Subversion server uses the WebDAV protocol which is supported by many other programs as well. You could e.g. mount such a repository as a “Web folder” in the Windows explorer and then access it like any other folder in the file system.
Anda bisa mengarahkan browser Anda ke URL dari repositori Anda dan melihat isinya tanpa harus menginstalasi klien Subversion. Ini memberikan akses ke data Anda ke lingkup pengguna yang lebih luas.
Anda bisa menggunakan setiap mekanisme otentikasi yang didukung oleh Apache, termasuk SSPI dan LDAP.
Karena Apache sangat stabil dan aman, Anda secara otomatis mendapatkan keamanan yang sama untuk repositori Anda. Ini termasuk enkripsi SSL.
The first thing you need before installing Apache is a computer with Windows 2000, Windows XP+SP1, Windows 2003, Vista or Server 2008.
Please note that Windows XP without the service pack 1 will lead to bogus network data and could therefore corrupt your repository!
Download versi terbaru dari server web Apache dari http://httpd.apache.org/download.cgi. Pastikan bahwa Anda mendownload versi 2.2.x - versi 1.3.xx tidak akan bekerja!
Installer msi untuk Apache dapat ditemukan dengan mengklik pada other files, kemudian browse ke binaries/win32filename>. Anda mungkin ingin memilih berkas msi apache-2.2.x-win32-x86-openssl-0.9.x.msi (salah satu yang termasuk OpenSSL).Once you have the Apache2 installer you can double click on it and it will guide you through the installation process. Make sure that you enter the server-URL correctly (if you don't have a DNS name for your server just enter the IP-address). I recommend to install Apache for All Users, on Port 80, as a Service. Note: if you already have IIS or any other program running which listens on port 80 the installation might fail. If that happens, go to the programs directory, \Apache Group\Apache2\conf and locate the file httpd.conf. Edit that file so that Listen 80 is changed to a free port, e.g. Listen 81. Then restart the installation - this time it should finish without problems.Now test if the Apache web server is running correctly by pointing your web browser to http://localhost/ - a preconfigured Website should show up.Jika Anda memutuskan untuk menginstalasi Apache sebagai layanan, harap berhati-hati bahwa secara bawaan ia akan berjalan sebagai akun sistem lokal. Akan menjadi lebih aman bagi Anda untuk membuat akun terpisah bagi Apache untuk dijalankan.Pastikan bahwa akun pada server di mana Apache berjalan mempunyai entri eksplisit dalam daftar kontrol akses direktori repositori (klik-kanan direktori | properti | keamanan), dengan kontrol penuh. Jika tidak, pengguna tidak akan bisa mengkomit perubahan mereka.Meskipun Apache berjalan sebagai sistem lokal, Anda masih memerlukan entri itu (yang akan menjadi akun SYSTEM dalam hal ini).If Apache does not have this permission set up, your users will get Access denied error messages, which show up in the Apache error log as error 500.
Download the latest version of the Subversion Win32 binaries for Apache. Be sure to get the right version to integrate with your version of Apache, otherwise you will get an obscure error message when you try to restart. If you have Apache 2.2.x go to http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=8100.
Jalankan instalator Subversion dan ikuti instruksi. Jika instalator Subversion mengenali Anda telah menginstalasi Apache, maka Anda hampir selesai. Jika ia tidak menemukan server Apache maka Anda harus melakukan beberapa langkah tambahan.
Menggunakan windows explorer, pergi ke direktori instalasi Subversion (biasanya c:\program files\Subversion) dan cari file /httpd/mod_dav_svn.so dan mod_authz_svn.so. Copy file ini ke direktori modul Apache (biasanya c:\program files\apache group\apache2\modules ).
Salin file /bin/libdb*.dll dan /bin/intl3_svn.dll dari direktori instalasi Subversion ke direktori bin Apache.
Edit file konfigurasi Apache (biasanya C:\Program Files\Apache Group\Apache2\conf\httpd.conf) dengan editor teks seperti Notepad dan buat perubahan berikut:
Uncomment (remove the '#' mark) the following lines:
#LoadModule dav_fs_module modules/mod_dav_fs.so #LoadModule dav_module modules/mod_dav.so
Add the following two lines to the end of the LoadModule section.
LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so
Now you have set up Apache and Subversion, but Apache doesn't know how to handle Subversion clients like TortoiseSVN yet. To get Apache to know which URL will be used for Subversion repositories you have to edit the Apache configuration file (usually located in c:\program files\apache group\apache2\conf\httpd.conf) with any text editor you like (e.g. Notepad):
At the end of the config file add the following lines:
<Location /svn> DAV svn SVNListParentPath on SVNParentPath D:\SVN #SVNIndexXSLT "/svnindex.xsl" AuthType Basic AuthName "Subversion repositories" AuthUserFile passwd #AuthzSVNAccessFile svnaccessfile Require valid-user </Location>
This configures Apache so that all your Subversion repositories are physically located below D:\SVN. The repositories are served to the outside world from the URL: http://MyServer/svn/ . Access is restricted to known users/passwords listed in the passwd file.
To create the passwd file, open the command prompt (DOS-Box) again, change to the apache2 folder (usually c:\program files\apache group\apache2) and create the file by entering
bin\htpasswd -c passwd <username>
This will create a file with the name passwd which is used for authentication. Additional users can be added with
bin\htpasswd passwd <username>
Mulai lagi layanan Apache.
Arahkan browser Anda ke http://MyServer/svn/MyNewRepository (di mana MyNewRepository adalah nama dari repositori Subversion yang Anda buat sebelumnya). Jika semuanya berjalan baik Anda seharusnya ditanya nama pengguna dan kata sandi, kemudian Anda bisa melihat isi dari repositori Anda.
A short explanation of what you just entered:
Tabel 3.1. Apache httpd.conf Settings
| Seting | Penjelasan |
|---|---|
| <Location /svn> | berarti bahwa repositori Subversion tersedia dari URL http://MyServer/svn/ |
| DAV svn | memberitahu Apache modul mana yang bertanggung jawab untuk melayani URL itu - dalam hal ini modul Subversion. |
| SVNListParentPath on | For Subversion version 1.3 and higher, this directive enables listing all the available repositories under SVNParentPath. |
| SVNParentPath D:\SVN | memberitahu Subversion untuk mencari repositori di bawah D:\SVN |
| SVNIndexXSLT "/svnindex.xsl" | Used to make the browsing with a web browser prettier. |
| AuthType Basic | adalah untuk mengaktifkan otentikasi dasar, misalnya Nama pengguna/kata sandi |
| AuthName "Subversion repositories" | digunakan sebagai informasi kapan saja dialog otentikasi muncul untuk memberitahu pengguna untuk apa otentikasi itu |
| AuthUserFile passwd | menetapkan file kata sandi yang mana yang digunakan untuk otentikasi |
| AuthzSVNAccessFile | Lokasi dari file Akses untuk path di dalam repositori Subversion |
| Require valid-user | menetapkan bahwa hanya pengguna yang memasukan nama pengguna/kata sandi yang benar yang diizinkan untuk mengakses URL |
But that's just an example. There are many, many more possibilities of what you can do with the Apache web server.
Jika Anda menginginkan repositori Anda mempunyai akses baca untuk setiap orang tapi hanya akses tulis untuk pengguna tertentu Anda bisa mengubah baris
Require valid-user
to
<LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept>
Using a passwd file limits and grants access to all of your repositories as a unit. If you want more control over which users have access to each folder inside a repository you can uncomment the line
#AuthzSVNAccessFile svnaccessfile
and create a Subversion access file. Apache will make sure that only valid users are able to access your /svn location, and will then pass the username to Subversion's AuthzSVNAccessFile module so that it can enforce more granular access based upon rules listed in the Subversion access file. Note that paths are specified either as repos:path or simply path. If you don't specify a particular repository, that access rule will apply to all repositories under SVNParentPath. The format of the authorization-policy file used by mod_authz_svn is described in “Path-Based Authorization”
To make browsing the repository with a web browser 'prettier', uncomment the line
#SVNIndexXSLT "/svnindex.xsl"
and put the files svnindex.xsl, svnindex.css and menucheckout.ico in your document root directory (usually C:/Program Files/Apache Group/Apache2/htdocs). The directory is set with the DocumentRoot directive in your Apache config file.
You can get those three files directly from our source repository at http://tortoisesvn.googlecode.com/svn/trunk/contrib/svnindex. (“TortoiseSVN bebas!” explains how to access the TortoiseSVN source repository).
The XSL file from the TortoiseSVN repository has a nice gimmick: if you browse the repository with your web browser, then every folder in your repository has an icon on the right shown. If you click on that icon, the TortoiseSVN checkout dialog is started for this URL.
If you used the SVNParentPath directive then you don't have to change the Apache config file every time you add a new Subversion repository. Simply create the new repository under the same location as the first repository and you're done! In my company I have direct access to that specific folder on the server via SMB (normal windows file access). So I just create a new folder there, run the TortoiseSVN command → and a new project has a home...
Jika Anda menggunakan Subversion 1.3 atau terbaru, Anda bisa menggunakan direktif SVNListParentPath on untuk membolehkan Apache untuk menghasilkan daftar dari semua proyek yang tersedia jika Anda mengarahkan browser Anda di path utama daripada di repositori tertentu.
The mod_authz_svn module permits fine-grained control of access permissions based on user names and repository paths. This is available with the Apache server, and as of Subversion 1.3 it is available with svnserve as well.
Contoh file akan terlihat seperti ini:
[groups] admin = john, kate devteam1 = john, rachel, sally devteam2 = kate, peter, mark docs = bob, jane, mike training = zak # Default access rule for ALL repositories # Everyone can read, admins can write, Dan German is excluded. [/] * = r @admin = rw dangerman = # Allow developers complete access to their project repos [proj1:/] @devteam1 = rw [proj2:/] @devteam2 = rw [bigproj:/] @devteam1 = rw @devteam2 = rw trevor = rw # Give the doc people write access to all the docs folders [/trunk/doc] @docs = rw # Give trainees write access in the training repository only [TrainingRepos:/] @training = rw
Catatan bahwa pemeriksaan setiap path merupakan operasi yang mahal, terutama dalam hal log revisi. Server memeriksa setiap path yang berubah dalam setiap revisi dan memeriksanya agar bisa dibaca, yang menghabiskan waktu pada revisi yang mempengaruhi sejumlah besar dari file.
Authentication and authorization are separate processes. If a user wants to gain access to a repository path, she has to meet both, the usual authentication requirements and the authorization requirements of the access file.
Seperti Anda mungkin telah mengetahui bahwa Anda perlu membuat entri nama pengguna/kata sandi dalam file passwd untuk setiap pengguna secara terpisah. Dan jika (untuk alasan keamanan) Anda ingin pengguna Anda secara periodik mengubah kata sandinya Anda harus membuat perubahan secara manual.
But there's a solution for that problem - at least if you're accessing the repository from inside a LAN with a windows domain controller: mod_auth_sspi!
The original SSPI module was offered by Syneapps including source code. But the development for it has been stopped. But don't despair, the community has picked it up and improved it. It has a new home on SourceForge.
Download the module which matches your apache version, then copy the file mod_auth_sspi.so into the Apache modules folder.
Edit the Apache config file: add the line
LoadModule sspi_auth_module modules/mod_auth_sspi.so
to the LoadModule section. Make sure you insert this line before the line
LoadModule auth_module modules/mod_auth.so
To make the Subversion location use this type of authentication you have to change the line
AuthType Basic
to
AuthType SSPI
also you need to add
SSPIAuth On SSPIAuthoritative On SSPIDomain <domaincontroller> SSPIOmitDomain on SSPIUsernameCase lower SSPIPerRequestAuth on SSPIOfferBasic On
within the <Location /svn> block. If you don't have a domain controller, leave the name of the domain control as <domaincontroller>.
Note that if you are authenticating using SSPI, then you don't need the AuthUserFile line to define a password file any more. Apache authenticates your username and password against your windows domain instead. You will need to update the users list in your svnaccessfile to reference DOMAIN\username as well.
The SSPI authentication is only enabled for SSL secured connections (https). If you're only using normal http connections to your server, it won't work.
To enable SSL on your server, see the chapter: “Mengamankan server dengan SSL”
Subversion AuthzSVNAccessFile files are case sensitive in regard to user names (JUser is different from juser).
In Microsoft's world, Windows domains and user names are not case sensitive. Even so, some network administrators like to create user accounts in CamelCase (e.g. JUser).
Perbedaan ini bisa mengganggu Anda ketika menggunakan otentikasi SSPI karena windows domain dan nama-nama pengguna yang dioper ke Subversion dalam huruf yang sama seperti yang diketik oleh pengguna dalam promp. Internet Explorer sering mengoper nama pengguna ke Apache secara otomatis menggunakan apapun jenis huruf akun yang dibuat.
The end result is that you may need at least two entries in your AuthzSVNAccessFile for each user -- a lowercase entry and an entry in the same case that Internet Explorer passes to Apache. You will also need to train your users to also type in their credentials using lower case when accessing repositories via TortoiseSVN.
Apache's Error and Access logs are your best friend in deciphering problems such as these as they will help you determine the username string passed onto Subversion's AuthzSVNAccessFile module. You may need to experiment with the exact format of the user string in the svnaccessfile (e.g. DOMAIN\user vs. DOMAIN//user) in order to get everything working.
Ini juga mungkin untuk mempunyai lebih dari satu sumber otentikasi untuk repositori Subversion Anda. Untuk melakukan ini, Anda perlu untuk membuat setiap tipe otentikasi non-authoritative, agar Apache memeriksa sumber multipel untuk nama pengguna/kata sandi yang sama.
Skenario umum adalah menggunakan keduanya, otentikasi Windows domain dan file passwd, agar Anda bisa menyediakan akses SVN ke pengguna yang tidak mempunyai login Windows domain.
To enable both Windows domain and passwd file authentication, add the following entries within the <Location> block of your Apache config file:
AuthBasicAuthoritative Off SSPIAuthoritative Off
Here is an example of the full Apache configuration for combined Windows domain and passwd file authentication:
<Location /svn> DAV svn SVNListParentPath on SVNParentPath D:\SVN AuthName "Subversion repositories" AuthzSVNAccessFile svnaccessfile.txt # NT Domain Logins. AuthType SSPI SSPIAuth On SSPIAuthoritative Off SSPIDomain <domaincontroller> SSPIOfferBasic On # Htpasswd Logins. AuthType Basic AuthBasicAuthoritative Off AuthUserFile passwd Require valid-user </Location>
Even though Apache 2.2.x has OpenSSL support, it is not activated by default. You need to activate this manually.
In the apache config file, uncomment the lines:
#LoadModule ssl_module modules/mod_ssl.so
and at the bottom
#Include conf/extra/httpd-ssl.conf
then change the line (on one line)
SSLMutex "file:C:/Program Files/Apache Software Foundation/\ Apache2.2/logs/ssl_mutex"
to
SSLMutex default
Next you need to create an SSL certificate. To do that open a command prompt (DOS-Box) and change to the Apache folder (e.g. C:\program files\apache group\apache2) and type the following command:
bin\openssl req -config conf\openssl.cnf -new -out my-server.csr
You will be asked for a passphrase. Please don't use simple words but whole sentences, e.g. a part of a poem. The longer the phrase the better. Also you have to enter the URL of your server. All other questions are optional but we recommend you fill those in too.
Normally the privkey.pem file is created automatically, but if it isn't you need to type this command to generate it:
bin\openssl genrsa -out conf\privkey.pem 2048
Next type the commands
bin\openssl rsa -in conf\privkey.pem -out conf\server.key
and (on one line)
bin\openssl req -new -key conf\server.key -out conf\server.csr \ -config conf\openssl.cnf
and then (on one line)
bin\openssl x509 -in conf\server.csr -out conf\server.crt
-req -signkey conf\server.key -days 4000
This will create a certificate which will expire in 4000 days. And finally enter (on one line):
bin\openssl x509 -in conf\server.cert -out conf\server.der.crt
-outform DER
These commands created some files in the Apache conf folder (server.der.crt, server.csr, server.key, .rnd, privkey.pem, server.cert).
Mulai lagi layanan Apache.
Arahkan browser Anda ke https://namaserver/svn/project ...
Jika Anda mengamankan server Anda dengan SSL dan menggunakan otentikasi terhadap windows domain Anda akan menemukan bahwa melihat repositori dengan Internet Explorer tidak bekerja lagi. Jangan khawatir - ini hanya Internet Explorer tidak bisa mengotentikasi. Browsers lainnya tidak mempunyai masalah itu dan TortoiseSVN dan klien Subversion lain masih bisa mengotentikasi.
Jika Anda masih ingin menggunakan IE untuk melihat repositori Anda bisa:
define a separate <Location /path> directive in the Apache config file, and add the SSPIBasicPreferred On. This will allow IE to authenticate again, but other browsers and Subversion won't be able to authenticate against that location.
Menawarkan browsing dengan otentikasi tidak dienkripsi (tanpa SSL) juga. Sangat aneh IE tidak mempunyai masalah dengan otentikasi jika koneksi tidak diamankan dengan SSL.
In the SSL "standard" setup there's often the following statement in Apache's virtual SSL host:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
There are (were?) good reasons for this configuration, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49 But if you want NTLM authentication you have to use keepalive. If You uncomment the whole SetEnvIf you should be able to authenticate IE with windows authentication over SSL against the Apache on Win32 with included mod_auth_sspi.
When you've set up SSL to make your repository more secure, you might want to disable the normal access via non-SSL (http) and only allow https access. To do this, you have to add another directive to the Subversion <Location> block: SSLRequireSSL.
An example <Location> block would look like this:
<Location /svn> DAV svn SVNParentPath D:\SVN SSLRequireSSL AuthType Basic AuthName "Subversion repositories" AuthUserFile passwd #AuthzSVNAccessFile svnaccessfile Require valid-user </Location>
Sent to the TortoiseSVN mailing list by Nigel Green. Thanks!
In some server configurations you may need to setup a single server containing 2 virtual SSL hosts: The first one for public web access, with no requirement for a client certificate. The second one to be secure with a required client certificate, running a Subversion server.
Adding an SSLVerifyClient Optional directive to the per-server section of the Apache configuration (i.e. outside of any VirtualHost and Directory blocks) forces Apache to request a client Certificate in the initial SSL handshake. Due to a bug in mod_ssl it is essential that the certificate is requested at this point as it does not work if the SSL connection is re-negotiated.
The solution is to add the following directive to the virtual host directory that you want to lock down for Subversion:
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
This directive grants access to the directory only if a client certificate was received and verified successfully.
To summarise, the relevant lines of the Apache configuration are:
SSLVerifyClient Optional
### Virtual host configuration for the PUBLIC host
### (not requiring a certificate)
<VirtualHost 127.0.0.1:443>
<Directory "pathtopublicfileroot">
</Directory>
</VirtualHost>
### Virtual host configuration for SUBVERSION
### (requiring a client certificate)
<VirtualHost 127.0.0.1:443>
<Directory "subversion host root path">
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Directory>
<Location /svn>
DAV svn
SVNParentPath /pathtorepository
</Location>
</VirtualHost>