I'm setting up an SVN server on a CentOS VM. What I want to achieve is an SVN server on port 443 with multiple repositories accessible at an address https://192.168.0.5:443/svn/ReposXX/trunk, for example. The network works fine. The new server is static on 192.168.0.5. I'm trying to checkout a repository as a first test and I can't seem to get it working. I always get 'forbidden' (more details below!).
[root@svn svn]# uname -a
Linux svn 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@svn svn]# ping google.com
PING google.com (173.194.46.72) 56(84) bytes of data.
64 bytes from ord08s11-in-f8.1e100.net (173.194.46.72): icmp_seq=1 ttl=56 time=31.6 ms
The svn repositories are in /var/www/svn/svn/. All folders/repositories inside belong to apache.apache and have 664 rights.
[root@svn svn]# pwd
/var/www/svn/svn
[root@svn svn]# ls -la
total 68
drw-rw-r--. 17 apache apache 4096 Nov 28 19:05 .
drwxr-xr-x. 3 root root 4096 Nov 29 16:20 ..
drw-rw-r--. 7 apache apache 4096 Nov 28 18:38 Repos01
drw-rw-r--. 7 apache apache 4096 Nov 28 18:29 Repos02
drw-rw-r--. 7 apache apache 4096 Nov 28 18:47 Repos03
... 15 in total
I've been following various howtos and tutorials all over the place, and they're all making things in slightly different ways and none seem to be complete.
me@My-PC:~/SVN_TEST$ svn co https://192.168.0.5:443/random/Repos01/trunk/ Repos01
svn: OPTIONS of 'https://192.168.0.5:443/random/Repos01/trunk': 200 OK (https://192.168.100.5)
me@My-PC:~/SVN_TEST$ svn co https://192.168.0.5:443/svn/Repos01/trunk/ Repos01
svn: access to 'https://192.168.0.5:443/svn/Repos01/trunk' forbidden
The fact that I get 200 OK (wrong URL) when I use a wrong URL, and forbidden when I use a good one tells me that I at least have a part of it working.
So here are the configurations so far…
In /etc/httpd/conf/httpd.conf I updated the line ServerName 192.168.0.5:443. I removed any Listen statement, as there's a Listen 443 line in ssl.conf.
Here's the content of /etc/httpd/conf.d/subversion.conf:
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
# SSL certificate location
#SSLEnable
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/public.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.pem
<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn/svn
    # Limit write permission to list of valid users.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        # Require SSL connection for password protection.
        SSLRequireSSL
        AuthzSVNAccessFile /etc/svn_access_file
        AuthType Basic
        AuthName "Subversion repos"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://192.168.0.3:389/OU=CORP,DC=domCORP,DC=local?sAMAccountName?sub?(objectClass=*)
        AuthzLDAPAuthoritative on
        AuthLDAPBindDN "me@domCORP.local"
        AuthLDAPBindPassword "mypass"
        # Require ldap-group Users
        # AuthUserFile /etc/svn_auth_file
        AuthLDAPGroupAttributeIsDN off
        Require valid-user
    </LimitExcept>
</Location>
I tested the LDAP parameters with ldapsearch and it seems to work fine. I want LDAP to be responsible for authentication, and svn_access_file to be responsible for access management (that's why I commented out svn_auth_file).
I added a rule to the firewall to have 443 going through.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Above the first REJECT rule.
The server's only purpose will be to serve SVN repositories, so it was a fresh install before, and there will not be anything else added.
I generated the certificates following a howto online…
openssl genrsa -des3 -out private.key 2048
openssl rsa -in private.key -out private.pem
openssl req -new -key private.key -out request.csr
openssl x509 -req -days 1000 -in request.csr -signkey private.key -out public.crt
cp public.crt /etc/pki/tls/certs/public.crt
cp private.key /etc/pki/tls/private/private.key
cp private.pem /etc/pki/tls/private/private.pem
I'm sorry if I give too much, or unrelated information… Trying to show that I tried to make it work quite a bit.
I also tried to checkout from a Windows machine with TortoiseSVN. It asked me to accept the certificate, then refused with Access to 'https://192.168.0.5/svn/Repos01/trunk' forbidden.
So, on Linux and Windows, it doesn't ask for any login/password and just tells me that it's forbidden.
Any help on this is greatly appreciated.
2013-11-30 Developments since yesterday
I gave more attention to the logs and could make things progress slightly. Looking at /var/log/httpd/ssl_error_log, I fixed
Can't open file '/etc/svn_access_file': Permission denied.
Which led to
Can't open file '/var/www/svn/svn/ReposXX/format': Permission denied
I thought SELinux might be in the way, so I did
chcon -R -h -t httpd_sys_content_t /var/www/svn/svn
But that didn't help. I then deactivated SELinux completely to make sure it wasn't possibly part of the problem anymore.
I tried to change the rights to www or www-data, but these users don't even exist… so I didn't bother and left apache.apache.
I also found somewhere these lines to set the file and directory rights:
find /var/www/svn/ -type f -exec chmod 660 {} \;
find /var/www/svn/ -type d -exec chmod 2770 {} \;
Didn't help either. That's where I'm at. I still get the error on the format file in ssl_error_log.
Best Answer
The svn book states:
It is recommended installing repos outside of /var/www as the Apache default configuration already defines permissions on that DocumentRoot which could overlap with the svn configurations.
Perhaps it's a good idea if you try to move your repos directories outside of /var/www and reconfigure Apache accordingly.
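An added example, not part of the original question or answer and not Subversion or Apache code: wherever the repositories end up, the "Permission denied" on the format file can be narrowed down by walking the path and reporting the first component whose mode bits deny the web server's account. A directory listed as drw-rw-r-- (664), as in the question, has no search (x) bit, so nothing inside it can be opened. The function names and the constructed temporary tree are assumptions of this example; ACLs, SELinux and root's override are not modelled.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic mode-bit check: owner, else group, else other (r=4, w=2, x=1)."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & want == want

def first_blocker(path, uid, gids, start="/"):
    """Return (path, reason) for the first mode-bit denial between start and path, else None."""
    current = os.path.abspath(start)
    for part in os.path.relpath(path, current).split(os.sep):
        st = os.stat(current)
        if not allowed(st, uid, gids, 1):   # every directory on the way needs x
            return current, "directory mode %o lacks search (x)" % stat.S_IMODE(st.st_mode)
        current = os.path.join(current, part)
    st = os.stat(current)
    if not allowed(st, uid, gids, 4):       # the file itself needs r
        return current, "file mode %o lacks read (r)" % stat.S_IMODE(st.st_mode)
    return None

def demo():
    """Constructed tree: Repos01/format in a temp dir, owned by the current user."""
    # On the server, pass the apache account's uid and group ids instead.
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as top:
        repo = os.path.join(top, "Repos01")
        fmt = os.path.join(repo, "format")
        os.mkdir(repo)
        open(fmt, "w").close()
        os.chmod(fmt, 0o660)
        os.chmod(repo, 0o664)       # drw-rw-r--, as in the question's listing
        before = first_blocker(fmt, uid, gids, start=top)
        os.chmod(repo, 0o2770)      # directory mode from the question's find/chmod
        after = first_blocker(fmt, uid, gids, start=top)
    return before, after

if __name__ == "__main__":
    print(demo())
```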