SVN: Restricting Access: Difference between revisions
Upazixorys (talk | contribs) No edit summary |
m (Reverted edits by Upazixorys (Talk); changed back to last version by Ric) |
||
Line 1: | Line 1: | ||
{{SVN Nav}} | {{SVN Nav}} | ||
'''Restring Access''' | '''Restring Access''' | ||
Line 19: | Line 18: | ||
| | | | ||
* Create the folder C:\a_svn\UniServer\htpasswd\'''svn''' | * Create the folder C:\a_svn\UniServer\htpasswd\'''svn''' | ||
* Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name!& | * Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name! | ||
* Edit the file copied. Add name and passwords pairs accordingly, example on right: | * Edit the file copied. Add name and passwords pairs accordingly, example on right: | ||
| | | | ||
<pre> | |||
mike:root | mike:root | ||
john:123 | john:123 | ||
fred:pas123 | fred:pas123 | ||
</pre> | |||
|} | |} | ||
Line 43: | Line 42: | ||
|- | |- | ||
| | | | ||
<pre> | |||
<location /svn> | |||
DAV svn | DAV svn | ||
SVNListParentPath on | SVNListParentPath on | ||
Line 50: | Line 49: | ||
AuthType Basic | AuthType Basic | ||
AuthName | AuthName "Subversion repositories" | ||
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | ||
Require valid-user | Require valid-user | ||
</location> | |||
</pre> | |||
| | | | ||
* '''AuthType Basic''' - Type of authentication is basic | * '''AuthType Basic''' - Type of authentication is basic | ||
Line 64: | Line 63: | ||
=== Test 1 === | === Test 1 === | ||
{| | {| | ||
|-valign= | |-valign="top" | ||
| | | | ||
'''''Browser'':''' | '''''Browser'':''' | ||
* Restart servers | * Restart servers | ||
* Type into browser | * Type into browser | ||
** Either | ** Either <nowiki>http://localhost/svn/</nowiki> | ||
** Or ''' | ** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>''' | ||
* Challenged for a name and password. | * Challenged for a name and password. | ||
** Enter one of the name/password pairs in the above list | ** Enter one of the name/password pairs in the above list | ||
* You can now browse the repository | * You can now browse the repository | ||
| | | | ||
& | | ||
| | | | ||
'''''Client'':''' | '''''Client'':''' | ||
* Restart servers | * Restart servers | ||
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | * Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | ||
* In bookmarks click on | * In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki> | ||
* Challenged for a name and password. | * Challenged for a name and password. | ||
** Enter one of the name/password pairs in the above list | ** Enter one of the name/password pairs in the above list | ||
Line 96: | Line 95: | ||
Replace the above line '''Require valid-user''' with this block of code. | Replace the above line '''Require valid-user''' with this block of code. | ||
The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication. | The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication. | ||
<pre> | |||
# For any operations other than these, require an authenticated user. | # For any operations other than these, require an authenticated user. | ||
# Hence this block limits write permission to list of valid users. | # Hence this block limits write permission to list of valid users. | ||
<LimitExcept GET PROPFIND OPTIONS REPORT> | |||
Require valid-user | Require valid-user | ||
</LimitExcept> | |||
</pre> | |||
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below: | Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below: | ||
{| | {| | ||
|- | |- | ||
| | | | ||
<pre> | |||
<location /svn> | |||
DAV svn | DAV svn | ||
SVNListParentPath on | SVNListParentPath on | ||
Line 114: | Line 113: | ||
AuthType Basic | AuthType Basic | ||
AuthName | AuthName "Subversion repositories" | ||
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | ||
# For any operations other than these, require an authenticated user. | # For any operations other than these, require an authenticated user. | ||
# Hence this block limits write permission to list of valid users. | # Hence this block limits write permission to list of valid users. | ||
<LimitExcept GET PROPFIND OPTIONS REPORT> | |||
Require valid-user | Require valid-user | ||
</LimitExcept> | |||
</location> | |||
</pre> | |||
| | | | ||
* '''AuthType Basic''' - Type of authentication is basic | * '''AuthType Basic''' - Type of authentication is basic | ||
Line 131: | Line 130: | ||
* ''' | * '''<LimitExcept></LimitExcept>''' Separate '''Require valid-user''' and target write requests. | ||
* '''Require valid-user''' - Informs Apache all users must supply a name and password. | * '''Require valid-user''' - Informs Apache all users must supply a name and password. | ||
|} | |} | ||
Line 138: | Line 137: | ||
=== Test 2 === | === Test 2 === | ||
{| | {| | ||
|-valign= | |-valign="top" | ||
| | | | ||
'''''Browser'':''' | '''''Browser'':''' | ||
* Restart servers | * Restart servers | ||
* Type into browser | * Type into browser | ||
** Either | ** Either <nowiki>http://localhost/svn/</nowiki> | ||
** Or ''' | ** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>''' | ||
* User can brows repository. | * User can brows repository. | ||
| | | | ||
& | | ||
| | | | ||
'''''Client'':''' | '''''Client'':''' | ||
* Restart servers | * Restart servers | ||
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | * Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | ||
* In bookmarks click on | * In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki> | ||
* Can browse repository and create a new working copy. | * Can browse repository and create a new working copy. | ||
* Make a change in the working copy and '''commit''' | * Make a change in the working copy and '''commit''' | ||
Line 177: | Line 176: | ||
|- | |- | ||
| | | | ||
<pre> | |||
<location /svn> | |||
DAV svn | DAV svn | ||
SVNListParentPath on | SVNListParentPath on | ||
Line 184: | Line 183: | ||
AuthType Basic | AuthType Basic | ||
AuthName | AuthName "Subversion repositories" | ||
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | ||
SSLRequireSSL | SSLRequireSSL | ||
Require valid-user | Require valid-user | ||
</location> | |||
</pre> | |||
| | | | ||
* '''AuthType Basic''' - Type of authentication is basic | * '''AuthType Basic''' - Type of authentication is basic | ||
Line 200: | Line 199: | ||
=== Test 3 === | === Test 3 === | ||
{| | {| | ||
|-valign= | |-valign="top" | ||
| | | | ||
'''''Browser'':''' | '''''Browser'':''' | ||
* Restart servers | * Restart servers | ||
* Type into browser | * Type into browser | ||
** Either | ** Either <nowiki>https://localhost/svn/</nowiki> | ||
** Or ''' | ** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>''' | ||
* Challenged for a name and password. | * Challenged for a name and password. | ||
** Enter one of the name/password pairs in the above list | ** Enter one of the name/password pairs in the above list | ||
* You can now browse the repository | * You can now browse the repository | ||
| | | | ||
& | | ||
| | | | ||
'''''Client'':''' | '''''Client'':''' | ||
* Restart servers | * Restart servers | ||
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | * Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | ||
* Select '''Bookmarks | * Select '''Bookmarks > Add Existing Repository''' enter '''https:'''<nowiki>//localhost/svn/myproject</nowiki> | ||
* Challenged for a name and password. | * Challenged for a name and password. | ||
** Enter one of the name/password pairs in the above list | ** Enter one of the name/password pairs in the above list | ||
Line 236: | Line 235: | ||
|- | |- | ||
| | | | ||
<pre> | |||
<location /svn> | |||
DAV svn | DAV svn | ||
SVNListParentPath on | SVNListParentPath on | ||
Line 243: | Line 242: | ||
AuthType Basic | AuthType Basic | ||
AuthName | AuthName "Subversion repositories" | ||
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd | ||
# For any operations other than these, require an authenticated user. | # For any operations other than these, require an authenticated user. | ||
# Hence this block limits write permission to list of valid users. | # Hence this block limits write permission to list of valid users. | ||
<LimitExcept GET PROPFIND OPTIONS REPORT> | |||
SSLRequireSSL | SSLRequireSSL | ||
Require valid-user | Require valid-user | ||
</LimitExcept> | |||
</location> | |||
</pre> | |||
| | | | ||
* '''AuthType Basic''' - Type of authentication is basic | * '''AuthType Basic''' - Type of authentication is basic | ||
Line 261: | Line 260: | ||
* ''' | * '''<LimitExcept></LimitExcept>''' Separate '''Require valid-user''' and target write requests. | ||
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL | * '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL | ||
* '''Require valid-user''' - Informs Apache all users must supply a name and password. | * '''Require valid-user''' - Informs Apache all users must supply a name and password. | ||
Line 269: | Line 268: | ||
=== Test 4 === | === Test 4 === | ||
{| | {| | ||
|-valign= | |-valign="top" | ||
| | | | ||
'''''Browser'':''' | '''''Browser'':''' | ||
* Restart servers | * Restart servers | ||
* Type into browser | * Type into browser | ||
** Either | ** Either <nowiki>https://localhost/svn/</nowiki> | ||
** Or ''' | ** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>''' | ||
* User can brows repository. | * User can brows repository. | ||
| | | | ||
& | | ||
| | | | ||
'''''Client'':''' | '''''Client'':''' | ||
* Restart servers | * Restart servers | ||
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | * Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) | ||
* In bookmarks click on | * In bookmarks click on <nowiki>https://localhost/svn/myproject</nowiki> | ||
* Can browse repository and create a new working copy. | * Can browse repository and create a new working copy. | ||
* Make a change in the working copy and '''commit''' | * Make a change in the working copy and '''commit''' |
Latest revision as of 08:22, 24 November 2010
|
Uniform Server 5.0-Nano. Subversion (SVN) |
Restring Access
With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an issue, all modification to a repository are captured and can be reverted.
That said it’s a good idea to restrict access to individuals who are allowed to commit to a repository. Your project data may be particularly sensitive in this scenario restrict access and encrypt all transaction.
This page covers the above scenarios.
Password file
First requirement is to create a password file containing a list of names and passwords for all users allowed access to repositories.
UniServer has a simple convention all password files are contained in folder UniServer\htpasswd this contains sub-folders that match the path to the folder being protected.
Finally inside this folder is the password file .htpasswd.
|
mike:root john:123 fred:pas123 |
Note: All the following examples use this file.
Basic Authentication
Basic authentication is very easy to set-up, its not indented to be secure but more of a deterrent to prevent casual users modifying repositories. This basic configuration will be secured later using SSL.
Note: Passwords and data can be sniffed and access gained.
Apache configuration
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf Add the four lines as shown to the location block.
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd Require valid-user </location> |
|
Test 1
Browser:
|
|
Client:
|
Note: All repositories are protected.
Basic Authentication - Less Draconian
The above is draconian, only authorised users can view the repository. Generally for an open source project you want users to have the ability to brows a repository and download working copies. Only developers have the additional capability to commit (write) to a repository.
Selectively target
Replace the above line Require valid-user with this block of code. The line has been wrapped within a LimitExcept directive. This targets any requests other than a read and forces authentication.
# For any operations other than these, require an authenticated user. # Hence this block limits write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept>
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd # For any operations other than these, require an authenticated user. # Hence this block limits write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> Require valid-user </LimitExcept> </location> |
|
Test 2
Browser:
|
|
Client:
|
Basic Authentication + SSL
I have show how easy it is to set-up basic authentication and securing this with SSL is just as easy, only requires the addition of a single.
Sounds to good to be true! Well yes because you do require a server certificate. If you have not already created a server certificate do so now as follows:
- Left or right mouse click on UniTray Icon
- Mouse-over Advanced and click Server Certificate and key Generator
- Press enter at all prompts to accept the default values.
- Restart servers.
Apache configuration
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf Add add single line as shown:
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd SSLRequireSSL Require valid-user </location> |
|
Test 3
Browser:
|
|
Client:
|
Note 1: All repositories are protected.
Note 2: Remember to use https
Basic Authentication - Less Draconian + SSL
Similar to the above only this time no need to create a server certificate (assumes you aready creadted one see above). We take the less-draconian solution and add a single line as show blow:
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:
<location /svn> DAV svn SVNListParentPath on SVNParentPath C:/a_svn/UniServer/svn AuthType Basic AuthName "Subversion repositories" AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd # For any operations other than these, require an authenticated user. # Hence this block limits write permission to list of valid users. <LimitExcept GET PROPFIND OPTIONS REPORT> SSLRequireSSL Require valid-user </LimitExcept> </location> |
|
Test 4
Browser:
|
|
Client:
|
Summary
On this page I have shown restricting access to repositories is not difficult. Securing using SSL is just as easy requiring only a single line.
You can employ more selective authorisation although I have not covered this at least you have a working base to work from.
Basic authentication with SSL encryption is more than adequate for small teams and personal use.
Related links
- Repos styles Open Source project - If you don't like the default styles this site is worth a visit.
Conclusion
This tutorial has covered installing Subversion (SVN) on UniServer 5.0-Nano cumulating in a portable version. Once copied to a USB memory stick remember to set the new paths in RapidSVN. Being a complete package it allows you to explore the whole process of version control. Once you have created a working server back it up. Use a copy to explore should you break it just delete the files and start again from a new copy of your back up.