SVN: Restricting Access: Difference between revisions
(New page: {{SVN Nav}} '''Restring Access''' With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an ...) |
(No difference)
|
Revision as of 09:19, 15 August 2009
|
Uniform Server 5.0-Nano. Subversion (SVN) |
Restring Access
With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an issue, all modification to a repository are captured and can be reverted.
That said it’s a good idea to restrict access to individuals who are allowed to commit to a repository. Your project data may be particularly sensitive in this scenario restrict access and encrypt all transaction.
This page covers the above scenarios.
Password file
First requirement is to create a password file containing a list of names and passwords for all users allowed access to repositories.
UniServer has a simple convention all password files are contained in folder UniServer\htpasswd this contains sub-folders that match the path to the folder being protected.
Finally inside this folder is the password file .htpasswd.
|
mike:root john:123 fred:pas123 |
Note: All the following examples use this file.
Basic Authentication
Basic authentication is very easy to set-up, its not indented to be secure but more of a deterrent to prevent casual users modifying repositories. This basic configuration will be secured later using SSL.
Note: Passwords and data can be sniffed and access gained.
Apache configuration
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf Add the four lines as shown to the location block.
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd Require valid-user </location> |
|
Test 1
Browser:
|
|
Client:
|
Note: All repositories are protected.
Basic Authentication - Less Draconian
The above is draconian, only authorised users can view the repository. Generally for an open source project you want users to have the ability to brows a repository and download working copies. Only developers have the additional capability to commit (write) to a repository.
Selectively target
Replace the above line Require valid-user with this block of code. The line has been wrapped within a LimitExcept directive. This targets any requests other than a read and forces authentication.
# For any operations other than these, require an authenticated user. # Hence this block limits write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept>
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd # For any operations other than these, require an authenticated user. # Hence this block limits write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept> </location> |
|
Test 2
Browser:
|
|
Client:
|
Basic Authentication + SSL
I have show how easy it is to set-up basic authentication and securing this with SSL is just as easy, only requires the addition of a single.
Sounds to good to be true! Well yes because you do require a server certificate. If you have not already created a server certificate do so now as follows:
- Left or right mouse click on UniTray Icon
- Mouse-over Advanced and click Server Certificate and key Generator
- Press enter at all prompts to accept the default values.
- Restart servers.
Apache configuration
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf Add add single line as shown:
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd SSLRequireSSL Require valid-user </location> |
|
Test 3
Browser:
|
|
Client:
|
Note 1: All repositories are protected.
Note 2: Remember to use https
Basic Authentication - Less Draconian + SSL
Similar to the above only this time no need to create a server certificate (assumes you aready creadted one see above). We take the less-draconian solution and add a single line as show blow:
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd # For any operations other than these, require an authenticated user. # Hence this block limits write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> SSLRequireSSL Require valid-user </LimitExcept> </location> |
|
Test 4
Browser:
|
|
Client:
|
Summary
On this page I have shown restricting access to repositories is not difficult. Securing using SSL is just as easy requiring only a single line.
You can employ more selective authorisation although I have not covered this at least you have a working base to work from.
Basic authentication with SSL encryption is more than adequate for small teams and personal use.
Related links
- Repos styles Open Source project - If you don't like the default styles this site is worth a visit.
Conclusion
This tutorial has covered installing Subversion (SVN) on UniServer 5.0-Nano cumulating in a portable version. Once copied to a USB memory stick remember to set the new paths in RapidSVN. Being a complete package it allows you to explore the whole process of version control. Once you have created a working server back it up. Use a copy to explore should you break it just delete the files and start again from a new copy of your back up.