https://wiki.uniformserver.com/index.php?title=SVN:_Restricting_Access&feed=atom&action=historySVN: Restricting Access - Revision history2024-03-28T18:23:45ZRevision history for this page on the wikiMediaWiki 1.41.0https://wiki.uniformserver.com/index.php?title=SVN:_Restricting_Access&diff=4779&oldid=prevOlajideolaolorun: Reverted edits by Upazixorys (Talk); changed back to last version by Ric2010-11-24T08:22:55Z<p>Reverted edits by <a href="/Special:Contributions/Upazixorys" title="Special:Contributions/Upazixorys">Upazixorys</a> (<a href="/index.php?title=User_talk:Upazixorys&action=edit&redlink=1" class="new" title="User talk:Upazixorys (page does not exist)">Talk</a>); changed back to last version by <a href="/User:Ric" title="User:Ric">Ric</a></p>
<a href="https://wiki.uniformserver.com/index.php?title=SVN:_Restricting_Access&diff=4779&oldid=4641">Show changes</a>Olajideolaolorunhttps://wiki.uniformserver.com/index.php?title=SVN:_Restricting_Access&diff=4641&oldid=prevUpazixorys at 01:15, 24 November 20102010-11-24T01:15:23Z<p></p>
<a href="https://wiki.uniformserver.com/index.php?title=SVN:_Restricting_Access&diff=4641&oldid=3812">Show changes</a>Upazixoryshttps://wiki.uniformserver.com/index.php?title=SVN:_Restricting_Access&diff=3812&oldid=prevRic: New page: {{SVN Nav}} '''Restring Access''' With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an ...2009-08-15T09:19:52Z<p>New page: {{SVN Nav}} '''Restring Access''' With the current configuration putting SVN on-line means anyone can access and modify your subversion repositories. In terms of data loss this is not an ...</p>
<p><b>New page</b></p><div>{{SVN Nav}}<br />
'''Restricting Access'''<br />
<br />
With the current configuration, putting SVN on-line means anyone can access and modify your Subversion repositories. In terms of data loss this is not an issue: all modifications to a repository are captured and can be reverted.<br />
<br />
That said, it is a good idea to restrict access to individuals who are allowed to commit to a repository. Your project data may be particularly sensitive; in this scenario, restrict access and encrypt all transactions.<br />
<br />
This page covers the above scenarios.<br />
<br />
== Password file ==<br />
The first requirement is to create a password file containing a list of names and passwords for all users allowed access to the repositories.<br />
<br />
UniServer has a simple convention: all password files are contained in the folder UniServer\htpasswd, which contains sub-folders that match the path to the folder being protected.<br />
<br />
Finally, inside this folder is the password file '''.htpasswd'''.<br />
{|<br />
|-<br />
|<br />
* Create the folder C:\a_svn\UniServer\htpasswd\'''svn'''<br />
* Copy an existing '''.htpasswd''' password file to the above folder. Windows is a pain if a file has no name!&nbsp;&nbsp; <br />
* Edit the copied file. Add name and password pairs accordingly; example on the right:<br />
|<br />
<pre><br />
mike:root<br />
john:123<br />
fred:pas123<br />
</pre><br />
|}<br />
<br />
'''''Note'':''' All the following examples use this file.<br />
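An added example, not part of the original page: the entries shown above are plain text, which Apache accepts in an AuthUserFile on Windows, so anyone who can read the file learns every password. The script reports which scheme each entry uses so that plain-text entries can be regenerated with Apache's htpasswd utility; the function names and the fourth sample entry are constructed for illustration.<br />

```python
import re

# Constructed sample: the three entries from the password file above, plus one
# made-up hashed entry (salt and digest are not a real password hash).
SAMPLE = """\
mike:root
john:123
fred:pas123
anna:$apr1$abcdefgh$0123456789abcdefghijkl
"""

# Prefixes that identify the hashed formats written by Apache's htpasswd tool.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt"),
    (re.compile(r"^\$apr1\$"), "apr1-md5"),
    (re.compile(r"^\{SHA\}"), "sha1"),
]

def classify(secret):
    """Name the storage scheme of the part after 'user:'."""
    for pattern, name in SCHEMES:
        if pattern.match(secret):
            return name
    # 13 characters from the crypt alphabet could be a DES crypt() hash.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", secret):
        return "crypt-or-plaintext"
    return "plaintext"

def audit(text):
    """Return (line number, user, scheme) for every entry in the file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, secret = line.partition(":")
        findings.append((lineno, user, classify(secret) if sep else "malformed"))
    return findings

def plaintext_users(text):
    """Users whose password is readable by anyone who can open the file."""
    return [user for _, user, scheme in audit(text) if scheme == "plaintext"]

if __name__ == "__main__":
    for lineno, user, scheme in audit(SAMPLE):
        print(f"line {lineno}: {user}: {scheme}")
```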
<br />
'''''[[#top | Top]]'''''<br />
<br />
== Basic Authentication ==<br />
Basic authentication is very easy to set up. It is not intended to be secure but is more of a deterrent to prevent casual users modifying repositories. This basic configuration will be secured later using SSL.<br />
<br />
Note: Basic authentication sends the name and password unencrypted, so over plain HTTP passwords and data can be sniffed and access gained.<br />
<br />
=== Apache configuration ===<br />
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\'''httpd.conf'''. Add the four lines as shown to the location block.<br />
{|<br />
|-<br />
|<br />
<pre><br />
<location /svn><br />
DAV svn<br />
SVNListParentPath on<br />
SVNParentPath C:/a_svn/UniServer/svn<br />
<br />
AuthType Basic<br />
AuthName "Subversion repositories"<br />
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd<br />
Require valid-user<br />
</location><br />
</pre><br />
|<br />
* '''AuthType Basic''' - Type of authentication is basic<br />
* '''AuthName''' - Name displayed in the browser's challenge pop-up box<br />
* '''AuthUserFile''' - Path to the password file<br />
* '''Require valid-user''' - Informs Apache all users must supply a name and password. <br />
|}<br />
<br />
=== Test 1 ===<br />
{|<br />
|-valign="top"<br />
|<br />
'''''Browser'':'''<br />
* Restart servers<br />
* Type into browser<br />
** Either <nowiki>http://localhost/svn/</nowiki><br />
** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>''' <br />
* Challenged for a name and password.<br />
** Enter one of the name/password pairs in the above list<br />
* You can now browse the repository<br />
|<br />
&nbsp;&nbsp;<br />
|<br />
'''''Client'':'''<br />
* Restart servers<br />
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) <br />
* In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki><br />
* Challenged for a name and password.<br />
** Enter one of the name/password pairs in the above list<br />
* You can now browse the repository<br />
* Or commit any changes<br />
|}<br />
'''''Note'':''' All repositories are protected.<br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
== Basic Authentication - Less Draconian ==<br />
The above is draconian: only authorised users can view the repository. Generally, for an open source project you want users to have the ability to browse a repository and download working copies. Only developers have the additional capability to commit (write) to a repository.<br />
<br />
=== Selectively target ===<br />
Replace the above line '''Require valid-user''' with this block of code.<br />
The line has been wrapped within a '''LimitExcept''' directive. This targets any requests other than a read and forces authentication.<br />
<pre><br />
# For any operations other than these, require an authenticated user.<br />
# Hence this block limits write permission to the list of valid users.<br />
<LimitExcept GET PROPFIND OPTIONS REPORT><br />
Require valid-user<br />
</LimitExcept><br />
</pre> <br />
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:<br />
{|<br />
|-<br />
|<br />
<pre><br />
<location /svn><br />
DAV svn<br />
SVNListParentPath on<br />
SVNParentPath C:/a_svn/UniServer/svn<br />
<br />
AuthType Basic<br />
AuthName "Subversion repositories"<br />
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd<br />
<br />
# For any operations other than these, require an authenticated user.<br />
# Hence this block limits write permission to the list of valid users.<br />
<LimitExcept GET PROPFIND OPTIONS REPORT><br />
Require valid-user<br />
</LimitExcept><br />
<br />
</location><br />
</pre><br />
|<br />
* '''AuthType Basic''' - Type of authentication is basic<br />
* '''AuthName''' - Name displayed in the browser's challenge pop-up box<br />
* '''AuthUserFile''' - Path to the password file<br />
<br />
<br />
* '''<LimitExcept></LimitExcept>''' - Wraps '''Require valid-user''' so that it targets only write requests.<br />
* '''Require valid-user''' - Informs Apache all users must supply a name and password. <br />
|}<br />
<br />
'''''[[#top | Top]]'''''<br />
=== Test 2 ===<br />
{|<br />
|-valign="top"<br />
|<br />
'''''Browser'':'''<br />
* Restart servers<br />
* Type into browser<br />
** Either <nowiki>http://localhost/svn/</nowiki><br />
** Or '''<nowiki>http://localhost/svn/myproject/</nowiki>''' <br />
* User can browse the repository.<br />
|<br />
&nbsp;&nbsp;<br />
|<br />
'''''Client'':'''<br />
* Restart servers<br />
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) <br />
* In bookmarks click on <nowiki>http://localhost/svn/myproject</nowiki><br />
* Can browse repository and create a new working copy.<br />
* Make a change in the working copy and '''commit'''<br />
* Will be challenged for a name and password.<br />
** Enter one of the name/password pairs in the above list<br />
* After initial authorisation you will not be challenged again during this connection.<br />
<br />
|}<br />
<br />
'''''[[#top | Top]]'''''<br />
== Basic Authentication + SSL ==<br />
I have shown how easy it is to set up basic authentication; securing this with SSL is just as easy and only requires the addition of a single line.<br />
<br />
Sounds too good to be true! Well, yes, because you do require a [[5.0-Nano: Enable SSL | '''server certificate''']]. If you have not already created a server certificate, do so now as follows:<br />
<br />
* Left or right mouse click on '''UniTray Icon'''<br />
* Mouse-over '''Advanced''' and click '''Server Certificate and key Generator''' <br />
* '''Press enter''' at all prompts to accept the default values.<br />
* '''Restart''' servers.<br />
<br />
=== Apache configuration ===<br />
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\'''httpd.conf'''. Add a single line as shown:<br />
{|<br />
|-<br />
|<br />
<pre><br />
<location /svn><br />
DAV svn<br />
SVNListParentPath on<br />
SVNParentPath C:/a_svn/UniServer/svn<br />
<br />
AuthType Basic<br />
AuthName "Subversion repositories"<br />
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd<br />
SSLRequireSSL<br />
Require valid-user<br />
</location><br />
</pre><br />
|<br />
* '''AuthType Basic''' - Type of authentication is basic<br />
* '''AuthName''' - Name displayed in the browser's challenge pop-up box<br />
* '''AuthUserFile''' - Path to the password file<br />
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL<br />
* '''Require valid-user''' - Informs Apache all users must supply a name and password. <br />
|}<br />
<br />
=== Test 3 ===<br />
{|<br />
|-valign="top"<br />
|<br />
'''''Browser'':'''<br />
* Restart servers<br />
* Type into browser<br />
** Either <nowiki>https://localhost/svn/</nowiki><br />
** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>''' <br />
* Challenged for a name and password.<br />
** Enter one of the name/password pairs in the above list<br />
* You can now browse the repository<br />
|<br />
&nbsp;&nbsp;<br />
|<br />
'''''Client'':'''<br />
* Restart servers<br />
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) <br />
* Select '''Bookmarks > Add Existing Repository''' enter '''https:'''<nowiki>//localhost/svn/myproject</nowiki><br />
* Challenged for a name and password.<br />
** Enter one of the name/password pairs in the above list<br />
* You can now browse the repository<br />
* Or commit any changes<br />
|}<br />
'''''Note 1'':''' All repositories are protected.<br />
<br />
'''''Note 2'':''' Remember to use '''https'''<br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
== Basic Authentication - Less Draconian + SSL ==<br />
Similar to the above, only this time there is no need to create a server certificate (this assumes you have already created one; see above).<br />
We take the less-draconian solution and add a single line as shown below:<br />
<br />
Edit file C:\a_svn\UniServer\usr\local\apache2\conf\httpd.conf and add the above as shown below:<br />
{|<br />
|-<br />
|<br />
<pre><br />
<location /svn><br />
DAV svn<br />
SVNListParentPath on<br />
SVNParentPath C:/a_svn/UniServer/svn<br />
<br />
AuthType Basic<br />
AuthName "Subversion repositories"<br />
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd<br />
<br />
# For any operations other than these, require an authenticated user.<br />
# Hence this block limits write permission to the list of valid users.<br />
<LimitExcept GET PROPFIND OPTIONS REPORT><br />
SSLRequireSSL<br />
Require valid-user<br />
</LimitExcept><br />
<br />
</location><br />
</pre><br />
|<br />
* '''AuthType Basic''' - Type of authentication is basic<br />
* '''AuthName''' - Name displayed in the browser's challenge pop-up box<br />
* '''AuthUserFile''' - Path to the password file<br />
<br />
<br />
* '''<LimitExcept></LimitExcept>''' - Wraps '''Require valid-user''' so that it targets only write requests.<br />
* '''SSLRequireSSL''' - Informs Apache connection must be over a secure link using SSL <br />
* '''Require valid-user''' - Informs Apache all users must supply a name and password. <br />
|}<br />
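<br />
An added example, not part of the original page, covering both this configuration and the earlier '''LimitExcept''' block without SSL: a simplified model (it handles only the directives used on this page, not Apache's full configuration merging) that reports, per request method, whether a password and SSL are required. It shows that with '''SSLRequireSSL''' inside '''LimitExcept''' the read methods stay available over plain HTTP; the names policy and findings and the method list are assumptions made for the example.<br />

```python
import re

# Constructed input: the "Less Draconian + SSL" location block from this page.
CONF = """\
<location /svn>
DAV svn
AuthType Basic
AuthUserFile C:/a_svn/UniServer/htpasswd/svn/.htpasswd
<LimitExcept GET PROPFIND OPTIONS REPORT>
SSLRequireSSL
Require valid-user
</LimitExcept>
</location>
"""

# Representative WebDAV methods a Subversion client sends: four reads, then writes.
METHODS = ["GET", "PROPFIND", "OPTIONS", "REPORT",
           "MKACTIVITY", "CHECKOUT", "PUT", "PROPPATCH", "MERGE", "DELETE"]

def policy(conf, methods=METHODS):
    """Map each method to (auth_required, ssl_required) for one location block."""
    result = {m: [False, False] for m in methods}
    exempt = None  # methods named by the enclosing <LimitExcept>, if any
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<LimitExcept\s+([^>]+)>", line, re.I)
        if opened:
            exempt = {name.upper() for name in opened.group(1).split()}
        elif re.match(r"</LimitExcept>", line, re.I):
            exempt = None
        elif re.match(r"(Require\s+valid-user|SSLRequireSSL)\b", line, re.I):
            slot = 1 if line.lower().startswith("sslrequiressl") else 0
            for method in methods:
                # Inside <LimitExcept> a directive skips the listed methods.
                if exempt is None or method not in exempt:
                    result[method][slot] = True
    return {m: tuple(flags) for m, flags in result.items()}

def findings(conf):
    """List the methods whose handling a reviewer should look at."""
    out = []
    for method, (auth, ssl) in policy(conf).items():
        if auth and not ssl:
            out.append(f"{method}: password accepted without SSL")
        elif not auth and not ssl:
            out.append(f"{method}: anonymous over plain HTTP")
    return out

if __name__ == "__main__":
    print("\n".join(findings(CONF)) or "no findings")
```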
<br />
'''''[[#top | Top]]'''''<br />
=== Test 4 ===<br />
{|<br />
|-valign="top"<br />
|<br />
'''''Browser'':'''<br />
* Restart servers<br />
* Type into browser<br />
** Either <nowiki>https://localhost/svn/</nowiki><br />
** Or '''<nowiki>https://localhost/svn/myproject/</nowiki>''' <br />
* User can browse the repository.<br />
|<br />
&nbsp;&nbsp;<br />
|<br />
'''''Client'':'''<br />
* Restart servers<br />
* Start '''PortableRapidSVN''' (C:\a_svn\UniServer\svn_portable\PortableRapidSVN.exe) <br />
* In bookmarks click on <nowiki>https://localhost/svn/myproject</nowiki><br />
* Can browse repository and create a new working copy.<br />
* Make a change in the working copy and '''commit'''<br />
* Will be challenged for a name and password.<br />
** Enter one of the name/password pairs in the above list<br />
* After initial authorisation you will not be challenged again during this connection.<br />
<br />
|}<br />
<br />
== Summary ==<br />
On this page I have shown that restricting access to repositories is not difficult. Securing it using SSL is just as easy, requiring only a single line.<br />
<br />
You can employ more selective authorisation; although I have not covered this, at least you have a working base to work from.<br />
<br />
Basic authentication with SSL encryption is more than adequate for small teams and personal use.<br />
<br />
'''''[[#top | Top]]'''''<br />
== Related links ==<br />
<br />
* [http://www.reposstyle.com/ Repos styles Open Source project] - If you don't like the default styles this site is worth a visit.<br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
== Conclusion ==<br />
This tutorial has covered installing Subversion (SVN) on UniServer 5.0-Nano, culminating in a portable version. Once copied to a USB memory stick, remember to set the new paths in RapidSVN.<br />
Being a complete package, it allows you to explore the whole process of version control. Once you have created a working server, back it up. Use a copy to explore; should you break it, just delete the files and start again from a new copy of your backup.<br />
<br />
'''''[[#top | Top]]'''''<br />
<br />
----<br />
<br />
[[Category: Uniform Server 5.0-Nano]]<br />
[[Category: Installation]]</div>Ric