Saturday, September 27, 2008

Installing Subversion on Windows Server with Apache HTTP Server, SSL, Active Directory Authentication and Log Rotation

Necessary Software

First you will need to get hold of the software itself.
  • Subversion can be downloaded at tigris.org. This is the direct link to the installation packages. This guide assumes you download the Subversion binaries for Win32 as a zip file and not as an installer (at the time of writing the appropriate package is named svn-win32-1.5.2.zip).

  • Since we want to use SSL for communication with the subversion repository we need a Win32 binary of Apache HTTP server that has SSL support compiled in. This site has them. At the time of writing the latest 2.2.x release available is httpd-2.2.9-win32-x86-ssl.zip. The Microsoft Visual C++ 2008 Redistributable Package (x86) is needed to run the Apache binaries.
    Note that for Apache 2.0.x you will need a different svn distribution since the Subversion Apache modules need to be linked to a specific Apache version.

Installation

Subversion

Subversion is installed by simply unzipping the contents of the zip file (see above) to a directory of your choice. For this guide the directory c:\Program Files (x86)\Subversion is assumed to be the installation directory. A directory name that does not include the version number has the benefit that a new version of Subversion can easily be installed by overwriting the older version files.

It may be tempting to add the c:\Program Files (x86)\Subversion\bin directory to the computer's PATH environment variable so that the Subversion executables (like svnadmin for administering a repository) can be used from the command line. This is not recommended: DLLs like ssleay32.dll and libeay32.dll that are part of the Subversion distribution might conflict with other versions of these libraries installed by other applications.

Apache HTTP Server

The Apache HTTP Server is installed by unzipping the contents of the zip file to a directory of your choice. For this guide the directory c:\Program Files (x86)\Apache2 is assumed to be the installation directory. Again, upgrading can be done by replacing the files in that directory.

Configuration

Apache HTTP Server

The official Apache HTTP Server documentation can be found here. The platform-specific notes for Windows are especially interesting for this guide.

Basic Setup

Apache uses config files found in the conf subdirectory of the Apache installation. For the purpose of this guide only the httpd.conf, httpd-ssl.conf and httpd-dav.conf files are of interest.

The first thing to do is to adjust the path directives in httpd.conf. By default, all paths point to c:/Apache2. If you decided to install into this directory you can skip this step. Otherwise all path directives pointing to c:/Apache2 need to be changed to c:/Program Files (x86)/Apache2. Notice that the original config file uses forward slashes as path separators. Apache understands both forward slashes and backslashes, but the rotatelogs program used for log rotation only recognizes forward slashes as path separator, so using them everywhere yields a more uniform configuration file. There should be nine places (not including the comments) where the path needs to be changed.

Next, the Listen 80 directive should be changed to the port you want the server to listen on for non-SSL requests. For this guide it is changed to 12080.

The following directives should also be adjusted to make sense for your installation: ServerAdmin and ServerName.

Integrating Subversion

Subversion is integrated into the Apache HTTP Server using two modules that are part of the Subversion distribution. The two modules need to be enabled in the httpd.conf file. Add the following two lines to the Dynamic Shared Object (DSO) Support section:

LoadModule dav_svn_module "c:/Program Files (x86)/Subversion/bin/mod_dav_svn.so"
LoadModule authz_svn_module "c:/Program Files (x86)/Subversion/bin/mod_authz_svn.so"
These two modules need the DAV module that comes with Apache HTTP Server. Uncomment the following line:
LoadModule dav_module modules/mod_dav.so
Next, a URL needs to be defined to access the repositories. This is done using the following Location directive:

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath "c:/svn"
</Location>

Details about the Subversion-specific directives can be found in the Subversion book. SVNParentPath points to the directory containing the repositories to expose under the /svn URL.

Enabling SSL

Configure SSL Modules
Uncomment the following line in the Dynamic Shared Object (DSO) Support section:
LoadModule ssl_module modules/mod_ssl.so
Generating a Self-Signed Certificate

A certificate is needed for SSL communication. It can either be a certificate issued by a trusted Certification Authority (CA) or one created yourself (a so called self-signed certificate). This guide assumes that a self-signed certificate is to be used and thus must first be generated.

The following command executed in the bin directory of the Apache HTTP server installation directory will generate a certificate named server.crt that is valid for ten years (3650 days).

openssl req -new -x509 -nodes -days 3650 -out server.crt -keyout server.key -config ../conf/openssl.cnf

When you run the command from a command window you will be prompted for details about the certificate like the name of your organization, country and so on. This information is stored in the certificate and is later available to the clients accessing the Apache HTTP Server using https/SSL. Make sure the CN (common name) you specify when generating the keys is the same as the ServerName in the config files. Otherwise, Apache will not start with SSL enabled.

The process also generates a file called server.key, which is the private key belonging to the certificate just created. OS-level access rights should be used to restrict access to this file.

Enabling SSL Mode

All SSL relevant settings are stored in httpd-ssl.conf. This file needs to be adjusted next. Again, the path to the actual installation needs to be changed like the httpd.conf file before.

The next thing to adjust is the Listen 443 directive. Change it to Listen 12443 to use 12443 as the SSL port (of course you may use different values for your setup).

The SSL Virtual Host Context section needs to be adjusted to match your installation. Like you did before in httpd.conf change the ServerName and ServerAdmin directives. The default port number of 443 also needs to be changed to 12443 everywhere.

The certificate created before is referenced in httpd-ssl.conf using the directives SSLCertificateFile and SSLCertificateKeyFile. Change them to point to the files created before (move the files from the bin to the conf directory first):

SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key

Now, uncomment the following line in httpd.conf:

Include conf/extra/httpd-ssl.conf

The last step is to tell Apache to use the SSL mode. This requires passing the -D SSL start parameter when starting the server. See below for how this is done.

Configuring Log File Rotation

Log files should not grow infinitely. The rotatelogs.exe program that comes bundled with the Apache HTTP Server can be used to implement log rotation. The relevant directives are found in httpd.conf and httpd-ssl.conf.

Replace the following directives in httpd.conf:
ErrorLog "logs/error.log"
with this one
ErrorLog '|"C:/Program Files (x86)/Apache2/bin/rotatelogs.exe" "C:/windows/system32/LogFiles/Apache2/error_%Y-%m-%d-%H_%M_%S.log" 10M'

CustomLog "logs/access.log" common
with this one
CustomLog '|"C:/Program Files (x86)/Apache2/bin/rotatelogs.exe" "C:/windows/system32/LogFiles/Apache2/access_%Y-%m-%d-%H_%M_%S.log" 10M' common

Replace the following directives in httpd-ssl.conf in the SSL Virtual Host Context section:
ErrorLog "logs/error.log"
with this one
ErrorLog '|"C:/Program Files (x86)/Apache2/bin/rotatelogs.exe" "C:/windows/system32/LogFiles/Apache2/ssl_error_%Y-%m-%d-%H_%M_%S.log" 10M'


CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
with this one
CustomLog '|"C:/Program Files (x86)/Apache2/bin/rotatelogs.exe" "C:/windows/system32/LogFiles/Apache2/ssl-request_%Y-%m-%d-%H_%M_%S.log" 10M' \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

TransferLog logs/access_log
with this one
TransferLog '|"C:/Program Files (x86)/Apache2/bin/rotatelogs.exe" "C:/windows/system32/LogFiles/Apache2/ssl_access_%Y-%m-%d-%H_%M_%S.log" 10M'
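
To actually make use of the rotated SSL request logs, here is a small Python script (added here, not part of the original post) that parses lines written in the CustomLog format configured above ("%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"), recovers the rotation timestamp from the ssl-request_%Y-%m-%d-%H_%M_%S.log file names, and reports which clients negotiated SSLv2/SSLv3 or a cipher from an assumed local blocklist. The sample lines are constructed, not real server output.

```python
import re
from collections import Counter
from datetime import datetime
# Format set by the CustomLog directive of the SSL virtual host:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
                     r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\d+|-)$')
# File names produced by rotatelogs from "ssl-request_%Y-%m-%d-%H_%M_%S.log".
FILE_RE = re.compile(r'^ssl-request_(\d{4}-\d{2}-\d{2}-\d{2}_\d{2}_\d{2})\.log$')
# Assumed local policy: protocol versions and cipher name fragments to flag.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5")
def parse_line(line):
    """Parse one ssl-request log line; return None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs '-' for no body
    rec["request"] = rec["request"].replace('\\"', '"')             # undo %r quote escaping
    return rec

def rotation_time(filename):
    """Timestamp embedded in a rotated file name, for ordering rotated files."""
    m = FILE_RE.match(filename)
    return datetime.strptime(m.group(1), "%Y-%m-%d-%H_%M_%S") if m else None

def is_weak(rec):
    return rec["proto"] in WEAK_PROTOCOLS or any(k in rec["cipher"] for k in WEAK_CIPHER_MARKERS)

def summarize(lines):
    """Count protocol/cipher pairs and collect client hosts that negotiated weak parameters."""
    usage, weak_hosts, skipped = Counter(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # unparseable line: count it rather than drop it silently
            continue
        usage[(rec["proto"], rec["cipher"])] += 1
        if is_weak(rec):
            weak_hosts.add(rec["host"])
    return {"usage": usage, "weak_hosts": sorted(weak_hosts), "skipped": skipped}

# Constructed sample lines in the page's log format (not real server output).
SAMPLE = [
    '[27/Sep/2008:10:15:02 +0200] 10.0.0.5 TLSv1 AES256-SHA "OPTIONS /svn/test HTTP/1.1" 512',
    '[27/Sep/2008:10:15:03 +0200] 10.0.0.5 TLSv1 AES256-SHA "PROPFIND /svn/test HTTP/1.1" 2048',
    '[27/Sep/2008:10:16:40 +0200] 10.0.0.9 SSLv3 RC4-MD5 "GET /svn/test/trunk/\\"x\\" HTTP/1.1" -',
    'not a log line',
]
```

Feed it the lines of every file matching ssl-request_*.log in the LogFiles directory, sorted by rotation_time, to get a per-period view of which clients still need updating.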

Authentication using Active Directory

To use Active Directory for authentication when a request is made to access a Subversion repository, add the following two lines to httpd.conf to load the necessary modules:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

The Location directive added above needs to be augmented by the following lines:
Require valid-user
AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repositories"
AuthLDAPBindDN CN=LDAP,CN=Users,DC=somedomain,DC=com
AuthLDAPBindPassword xxxx
AuthLDAPURL "ldap://server1.somedomain.com:389/cn=Users,dc=somedomain,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthzSVNAccessFile c:/svn/svn-access.txt

so that it looks like this:

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath "c:/svn"
Require valid-user
AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repositories"
AuthLDAPBindDN CN=LDAP,CN=Users,DC=somedomain,DC=com
AuthLDAPBindPassword xxxx
AuthLDAPURL "ldap://server1.somedomain.com:389/cn=Users,dc=somedomain,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthzSVNAccessFile c:/svn/svn-access.txt
</Location>

The LDAP user (AuthLDAPBindDN) and the associated password are necessary in case Active Directory is not configured for anonymous queries. Note that AuthLDAPBindPassword stores the password in clear text in the config file, so access to httpd.conf should be restricted with OS-level access rights just like server.key.

For authorization via Active Directory take a look at PTEROPUS' blog.

WebDav for File Upload

When there are a lot of files to add to the repository it makes sense to do that directly on the server because it is much faster. For this the files to add need to be available on the server. One easy way to provide a file upload possibility for users that want something imported into the repository by an admin on the server is to provide a WebDav share. Users can then connect to this share using clients that are built into many operating systems (such as Web Folders on Windows).

To set up WebDav uncomment these two lines in httpd.conf:

LoadModule dav_fs_module modules/mod_dav_fs.so

Include conf/extra/httpd-dav.conf
and add the following lines to the file httpd-dav.conf:

Alias /svnupload c:/svnupload

<Location /svnupload>
DAV on
Options Indexes
AllowOverride None
Order deny,allow
Allow from all
Require valid-user
AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion Repository Upload"
AuthLDAPBindDN CN=LDAP,CN=Users,DC=somedomain,DC=com
AuthLDAPBindPassword xxxx
AuthLDAPURL "ldap://server1.somedomain.com:389
</Location>
This will make the directory c:\svnupload accessible for uploading files using WebDav. The httpd-dav.conf file already contains a sample configuration called uploads which can be removed or commented out.

After the config files have been adjusted, their syntax needs to be checked by running the following command from the Apache bin directory:

httpd.exe -t

If errors are reported, Apache will not be able to start.

Running Apache as a Windows Service

After the config files have been checked it is time to set up the server to run as a service. This can be accomplished by running the following command:
httpd -k install -n "Apache for Subversion"
See the platform-specific notes for Windows for more options on installing the service.

This will create a new key in the Windows registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ApacheforSubversion. A string value named ImagePath will contain the following value: "C:\Program Files (x86)\Apache2\bin\httpd.exe" -k runservice

Use the registry editor to append -D SSL to this value, so that it looks like this: "C:\Program Files (x86)\Apache2\bin\httpd.exe" -k runservice -D SSL. This enables the SSL mode when the service starts.

User Account Setup

By default the Apache HTTP Server runs under the Local System account when installed as a service. For security reasons it should run under a less privileged account. Use the Windows-specific tools to create a new account for the server and the Services console to change the account under which the service runs.

Subversion

Create a repository below the SVNParentPath location configured above, if none exists yet, by running:

svnadmin create c:\svn\test

from the Subversion bin directory. This will create a repository named test which you should now be able to access via http://localhost:12080/svn/test and https://localhost:12443/svn/test.