<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 SYSTEM "../../../dtd/dblite.dtd">
<sect1 id="tsvn-serversetup-apache">
<title>Apache Based Server</title>
<sect2 id="tsvn-serversetup-apache-1">
<title>Introduction</title>
<primary>Apache</primary>
The most flexible of all possible server setups for Subversion
is the Apache based one. Although a bit more complicated to set up,
it offers benefits that other servers cannot:
<primary>WebDAV</primary>
The Apache based Subversion server uses the
WebDAV protocol, which is supported by many other
programs as well. You could e.g. mount such
a repository as a <quote>Web folder</quote> in the Windows
Explorer and then access it like any other
folder in the file system.
<term>Browsing The Repository</term>
You can point your browser to the URL of your
repository and browse its contents without
having a Subversion client installed. This
gives access to your data to a much wider circle of
<term>Authentication</term>
You can use any authentication mechanism Apache
supports, including SSPI and LDAP.
<term>Security</term>
Since Apache is very stable and secure,
you automatically get the same security for your
repository. This includes SSL encryption.
<sect2 id="tsvn-serversetup-apache-2">
<title>Installing Apache</title>
The first thing you need before installing Apache is a computer
with Windows 2000, Windows XP+SP1, Windows 2003, Vista or Server 2008.
Please note that Windows XP without Service Pack 1
will lead to bogus network data and could therefore
corrupt your repository!
Download the latest version of the Apache
<ulink url="http://httpd.apache.org/download.cgi">
<citetitle>http://httpd.apache.org/download.cgi</citetitle>
Make sure that you download version 2.2.x -
version 1.3.xx won't work!
The MSI installer for Apache can be found by clicking on <literal>other files</literal>,
then browse to <filename>binaries/win32</filename>. You may want to choose
the MSI file <filename>apache-2.2.x-win32-x86-openssl-0.9.x.msi</filename>
(the one that includes OpenSSL).
Once you have the Apache2 installer you
can double click on it and it will guide you through
the installation process. Make sure that you enter
the server URL correctly (if you don't have a DNS name
for your server just enter the IP address). I recommend
<emphasis>for All Users, on Port 80, as a Service</emphasis>.
Note: if you already have IIS or any other
program running which listens on port 80 the
installation might fail. If that happens, go to the
programs directory,
<filename>\Apache Group\Apache2\conf</filename>
and locate the file
<filename>httpd.conf</filename>. Edit that file so that
<literal>Listen 80</literal> is changed to a free
port, e.g. <literal>Listen 81</literal>.
Then restart the installation - this time it should
finish without problems.
Now test if the Apache web server is running
correctly by pointing your web browser to
<systemitem class="url">http://localhost/</systemitem>
- a preconfigured website should show up.
If you decide to install Apache as a service, be warned that
by default it will run as the local system account.
It would be a more secure practice for you to create a
separate account for Apache to run as.
Make sure that the account on the server that Apache is running as
has an explicit entry in the repository directory's access control
list (right-click directory | properties | security), with full
control. Otherwise, users will not be able to commit their changes.
Even if Apache runs as local system, you still need such an entry
(which will be the SYSTEM account in this case).
If Apache does not have this permission set up, your users will get
<quote>Access denied</quote> error messages, which show up in the Apache error log
<sect2 id="tsvn-serversetup-apache-3">
<title>Installing Subversion</title>
Download the latest version of the Subversion Win32 binaries for
Apache. Be sure to get the right version to integrate with your
version of Apache, otherwise you will get an obscure error
message when you try to restart.
If you have Apache 2.2.x go to
<ulink url="http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=8100">
<citetitle>http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=8100</citetitle>
Run the Subversion installer and follow
the instructions. If the Subversion installer recognized
that you've installed Apache, then you're almost done.
If it couldn't find an Apache server then you have to
do some additional steps.
<primary>mod_authz_svn</primary>
Using the Windows Explorer, go to the installation
directory of Subversion (usually
<filename>c:\program files\Subversion</filename>)
<filename>/httpd/mod_dav_svn.so</filename> and
<filename>mod_authz_svn.so</filename>. Copy these files
to the Apache modules directory (usually
<filename>c:\program files\apache group\apache2\modules
Copy the file <filename>/bin/libdb*.dll</filename>
and <filename>/bin/intl3_svn.dll</filename> from
the Subversion installation directory to the Apache
Edit Apache's configuration file (usually <filename>
C:\Program Files\Apache
Group\Apache2\conf\httpd.conf</filename>) with a text
editor such as Notepad and make the following changes:
Uncomment (remove the '<literal>#</literal>' mark) the
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_module modules/mod_dav.so
Add the following two lines to the end of the
<literal>LoadModule</literal> section.
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<sect2 id="tsvn-serversetup-apache-4">
<title>Configuration</title>
Now you have set up Apache and Subversion, but Apache doesn't
know how to handle Subversion clients like TortoiseGit yet.
To let Apache know which URL will be used for Subversion
repositories you have to edit the Apache configuration file (usually
<filename>c:\program files\apache group\apache2\conf\httpd.conf</filename>)
with any text editor you like (e.g. Notepad):
At the end of the config file add the following lines:
<Location /svn>
SVNListParentPath on
SVNParentPath D:\SVN
#SVNIndexXSLT "/svnindex.xsl"
AuthName "Subversion repositories"
AuthUserFile passwd
#AuthzSVNAccessFile svnaccessfile
This configures Apache so that all your Subversion
repositories are physically located below
<filename>D:\SVN</filename>. The repositories are
served to the outside world from the URL:
<systemitem class="url">
http://MyServer/svn/
Access is restricted to known users/passwords
listed in the <filename>passwd</filename> file.
To create the <filename>passwd</filename>
file, open the command prompt (DOS-Box) again,
change to the <filename>apache2</filename> folder (usually
<filename>c:\program files\apache
group\apache2</filename>)
and create the file by entering
bin\htpasswd -c passwd <username>
This will create a file with the name <filename>passwd</filename> which is
used for authentication. Additional users can be added
bin\htpasswd passwd <username>
Restart the Apache service again.
Point your browser to
<systemitem class="url">http://MyServer/svn/MyNewRepository</systemitem>
(where <filename>MyNewRepository</filename> is the name of the
Subversion repository you created before). If all went
well you should be prompted for a username and password,
then you can see the contents of your
<primary>SVNPath</primary>
<primary>SVNParentPath</primary>
A short explanation of what you just entered:
<table id="tsvn-serversetup-apache-4-table">
<title>Apache <filename>httpd.conf</filename> Settings</title>
<colspec colnum="1" colwidth="1.5*"/>
<colspec colnum="2" colwidth="3*"/>
<entry>Setting</entry>
<entry>Explanation</entry>
<entry condition="pot"><Location /svn></entry>
means that the Subversion repositories are available from the URL
<systemitem class="url">http://MyServer/svn/</systemitem>
<entry condition="pot">DAV svn</entry>
tells Apache which module will be responsible for serving
that URL - in this case the Subversion module.
<entry condition="pot">SVNListParentPath on</entry>
For Subversion version 1.3 and higher, this directive enables
listing all the available repositories under
<literal>SVNParentPath</literal>.
<entry condition="pot">SVNParentPath D:\SVN</entry>
tells Subversion to look for repositories below
<filename>D:\SVN</filename>
<entry condition="pot">SVNIndexXSLT "/svnindex.xsl"</entry>
Used to make the browsing with a web browser
<entry condition="pot">AuthType Basic</entry>
is to activate basic authentication, i.e.
<entry condition="pot">AuthName "Subversion repositories"</entry>
is used as information whenever an authentication
dialog pops up to tell the user what the authentication is for
<entry condition="pot">AuthUserFile passwd</entry>
specifies which password file to use for authentication
<entry condition="pot">AuthzSVNAccessFile</entry>
Location of the access file for paths inside a
Subversion repository
<entry condition="pot">Require valid-user</entry>
specifies that only users who entered a correct
username/password are allowed to access the URL
But that's just an example. There are many, many more
possibilities of what you can do with the Apache web server.
If you want your repository to have read
access for everyone but write access only for specific
users you can change the line
<LimitExcept GET PROPFIND OPTIONS REPORT>
</LimitExcept>
Using a <filename>passwd</filename> file limits and
grants access to all of your repositories as a unit.
If you want more control over which users have
access to each folder inside a repository you can
#AuthzSVNAccessFile svnaccessfile
and create a Subversion access file. Apache will
make sure that only valid users are able to access
your <filename>/svn</filename> location, and will then
pass the username to Subversion's <literal>AuthzSVNAccessFile</literal>
module so that it can enforce more granular access
based upon rules listed in the Subversion access file.
Note that paths are specified either as
<literal>repos:path</literal> or simply
<literal>path</literal>. If you don't specify a
particular repository, that access rule will apply to
all repositories under
<literal>SVNParentPath</literal>.
The format of the authorization-policy file used by
<literal>mod_authz_svn</literal> is described in
<xref linkend="tsvn-serversetup-mod_authz_svn"/>
To make browsing the repository with a web browser
'prettier', uncomment the line
#SVNIndexXSLT "/svnindex.xsl"
and put the files <filename>svnindex.xsl</filename>,
<filename>svnindex.css</filename> and
<filename>menucheckout.ico</filename> in your document
root directory (usually <filename>C:/Program Files/Apache Group/Apache2/htdocs</filename>).
The directory is set with the <literal>DocumentRoot</literal> directive
in your Apache config file.
You can get those three files directly from our source repository
<ulink url="http://TortoiseGit.tigris.org/svn/TortoiseGit/trunk/contrib/other/svnindex">
<citetitle>http://TortoiseGit.tigris.org/svn/TortoiseGit/trunk/contrib/other/svnindex</citetitle>
(<xref linkend="tsvn-preface-source"/> explains how to access the TortoiseGit source repository).
The XSL file from the TortoiseGit repository has a nice
gimmick: if you browse the repository with your web browser, then
every folder in your repository has an icon shown on the right.
If you click on that icon, the TortoiseGit checkout dialog
is started for this URL.
<sect2 id="tsvn-serversetup-apache-parent-path">
<title>Multiple Repositories</title>
<primary>SVNParentPath</primary>
<primary>Index of projects</primary>
If you used the <literal>SVNParentPath</literal> directive then you don't have to
change the Apache config file every time you add a new Subversion
repository. Simply create the new repository under the same
location as the first repository and you're done! In my company
I have direct access to that specific folder on the server via
SMB (normal Windows file access). So I just create a new folder
there, run the TortoiseGit command
<guimenu>TortoiseGit</guimenu>
<guimenuitem>Create repository here...</guimenuitem>
and a new project has a home...
If you are using Subversion 1.3 or later, you can use the
<literal>SVNListParentPath on</literal> directive to allow Apache
to produce a listing of all available projects if you point your
browser at the parent path rather than at a specific repository.
<sect2 id="tsvn-serversetup-mod_authz_svn">
<title>Path-Based Authorization</title>
<primary>Authorization</primary>
<primary>mod_authz_svn</primary>
The <literal>mod_authz_svn</literal> module permits fine-grained control of access
permissions based on user names and repository paths. This is
available with the Apache server, and as of Subversion 1.3
it is available with svnserve as well.
An example file would look like this:
devteam1 = john, rachel, sally
devteam2 = kate, peter, mark
docs = bob, jane, mike
# Default access rule for ALL repositories
# Everyone can read, admins can write, Dan German is excluded.
# Allow developers complete access to their project repos
# Give the doc people write access to all the docs folders
# Give trainees write access in the training repository only
Note that checking every path can be an expensive operation,
particularly in the case of the revision log. The server
checks every changed path in each revision for
readability, which can be time-consuming on revisions which
affect large numbers of files.
Authentication and authorization are separate processes. If
a user wants to gain access to a repository path, she has to meet
<emphasis>both</emphasis> the usual authentication requirements
and the authorization requirements of the access file.
<sect2 id="tsvn-serversetup-apache-5">
<title>Authentication With a Windows Domain</title>
<primary>Windows domain</primary>
<primary>domaincontroller</primary>
As you might have noticed you need to make a username/password
entry in the <filename>passwd</filename> file for each user
separately. And if (for security reasons) you want your users
to periodically change their passwords you have to make the
But there's a solution for that problem - at least if you're
accessing the repository from inside a LAN with a Windows
domain controller: <literal>mod_auth_sspi</literal>!
<primary>SSPI</primary>
<primary>NTLM</primary>
The original SSPI module was offered by Syneapps including
source code. But the development for it has been stopped.
But don't despair, the community has picked it up and improved
it. It has a new home on
<ulink url="http://sourceforge.net/projects/mod-auth-sspi/">
<citetitle>SourceForge</citetitle>
Download the module which matches your Apache version,
then copy the file <filename>mod_auth_sspi.so</filename>
into the Apache modules folder.
Edit the Apache config file: add the line
LoadModule sspi_auth_module modules/mod_auth_sspi.so
to the <literal>LoadModule</literal> section. Make sure you
insert this line <emphasis>before</emphasis> the line
LoadModule auth_module modules/mod_auth.so
To make the Subversion location use this
type of authentication you have to change the line
also you need to add
SSPIAuthoritative On
SSPIDomain <domaincontroller>
SSPIUsernameCase lower
SSPIPerRequestAuth on
within the <literal><Location /svn></literal> block.
If you don't have a domain controller, leave the name of
the domain controller as <literal><domaincontroller></literal>.
Note that if you are authenticating using SSPI, then you don't
need the <literal>AuthUserFile</literal> line to define a
password file any more. Apache authenticates your username and
password against your Windows domain instead. You will need to
update the users list in your <filename>svnaccessfile</filename>
to reference <literal>DOMAIN\username</literal> as well.
The SSPI authentication is only enabled for SSL secured
connections (https). If you're only using normal http
connections to your server, it won't work.
To enable SSL on your server, see the chapter:
<xref linkend="tsvn-serversetup-apache-7"/>
Subversion <filename>AuthzSVNAccessFile</filename> files are
case sensitive in regard to user names (<literal>JUser</literal>
is different from <literal>juser</literal>).
In Microsoft's world, Windows domains and user names are not
case sensitive. Even so, some network administrators like
to create user accounts in CamelCase (e.g. <literal>JUser</literal>).
This difference can bite you when using SSPI authentication,
as the Windows domain and user names are passed to Subversion
in the same case as the user types them in at the prompt.
Internet Explorer often passes the username to Apache
automatically using whatever case the account was created with.
The end result is that you may need at least two entries in your
<literal>AuthzSVNAccessFile</literal> for each user - a lowercase entry and an
entry in the same case that Internet Explorer passes to Apache.
You will also need to train your users to also type in their
credentials using lower case when accessing repositories via
Apache's error and access logs are your best friend in
deciphering problems such as these, as they will help you
determine the username string passed on to Subversion's
<literal>AuthzSVNAccessFile</literal> module. You may need to
experiment with the exact format of the user string in the
<literal>svnaccessfile</literal>
(e.g. <literal>DOMAIN\user</literal> vs.
<literal>DOMAIN//user</literal>) in order to get
everything working.
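The following is an added example and not code from the TortoiseGit documentation or from Subversion: a small Python evaluator for the access-file format described in the Path-Based Authorization section, applied to the case-sensitivity problem described above (a CamelCase entry such as DOMAIN\JUser does not match a user who typed domain\juser). The sample access file is constructed, and the precedence between rules inside one section is an assumption stated in the header comment.

```python
# Added example, not code from the TortoiseGit docs or from Subversion: a small
# evaluator for the mod_authz_svn access-file format. Assumed precedence inside
# one section: a rule naming the user, then a matching @group rule, then "*";
# deeper paths override parents; a "repo:/path" section beats a plain "/path"
# section at the same depth. The sample file below is constructed.

SAMPLE_AUTHZ = """\
[groups]
devteam1 = john, rachel, sally
docs = bob, jane, mike
# Default rule for ALL repositories: everyone reads, admin writes, dan is out
[/]
* = r
admin = rw
dan =
# Developers get complete access to their own project repository
[proj1:/]
@devteam1 = rw
# Doc people may write to the docs folder of every repository
[/trunk/doc]
@docs = rw
# Domain account created in CamelCase (see the SSPI case-sensitivity notes)
[hr:/]
DOMAIN\\JUser = rw
"""


def parse_authz(text):
    """Return (groups, sections): groups maps name -> member list, sections
    maps a header like "proj1:/" or "/trunk/doc" -> [(name, perm), ...].
    Names keep their case, so JUser and juser are different users."""
    groups, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current != "groups":
                sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed access-file line: {raw!r}")
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if current == "groups":
            groups[name] = [m.strip() for m in value.split(",") if m.strip()]
        else:
            sections[current].append((name, value))
    return groups, sections


def section_access(rules, user, groups):
    """Permission granted by one section, or None if no rule applies."""
    best = None
    for name, perm in rules:
        if name == user:                              # exact, case-sensitive
            rank = 0
        elif name.startswith("@") and user in groups.get(name[1:], []):
            rank = 1
        elif name == "*":                             # anyone, even anonymous
            rank = 2
        else:
            continue
        if best is None or rank < best[0]:
            best = (rank, perm)
    return None if best is None else best[1]


def effective_access(authz, repo, path, user):
    """Return "", "r" or "rw" for user on repo:path. Walks from the requested
    path up to "/", trying the repository-specific section before the one that
    applies to all repositories under SVNParentPath; the first applicable rule
    decides, and no applicable rule anywhere means no access."""
    groups, sections = authz
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        prefix = "/" + "/".join(parts[:depth])
        for key in (f"{repo}:{prefix}", prefix):
            perm = section_access(sections.get(key, []), user, groups)
            if perm is not None:
                return perm
    return ""


AUTHZ = parse_authz(SAMPLE_AUTHZ)
```

Calling effective_access(AUTHZ, "hr", "/", "DOMAIN\\juser") falls through to the all-repositories rule and yields only "r", while the CamelCase spelling gets "rw", which is why the text above recommends two entries per user.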
<sect2 id="tsvn-serversetup-apache-6">
<title>Multiple Authentication Sources</title>
<primary>Multiple authentication</primary>
It is also possible to have more than one authentication source for
your Subversion repository. To do this, you need to make each
authentication type non-authoritative, so that Apache will check
multiple sources for a matching username/password.
A common scenario is to use both Windows domain authentication and
a <literal>passwd</literal> file, so that you can provide SVN access
to users who don't have a Windows domain login.
To enable both Windows domain and <filename>passwd</filename>
file authentication, add the following entries within the
<literal><Location></literal> block of your Apache config file:
AuthBasicAuthoritative Off
SSPIAuthoritative Off
Here is an example of the full Apache configuration for combined Windows
domain and <literal>passwd</literal> file authentication:
<Location /svn>
SVNListParentPath on
SVNParentPath D:\SVN
AuthName "Subversion repositories"
AuthzSVNAccessFile svnaccessfile.txt
# NT Domain Logins.
SSPIAuthoritative Off
SSPIDomain <domaincontroller>
AuthBasicAuthoritative Off
AuthUserFile passwd
<sect2 id="tsvn-serversetup-apache-7">
<title>Securing the server with SSL</title>
<primary>SSL</primary>
Even though Apache 2.2.x has OpenSSL support, it is not
activated by default. You need to activate this manually.
In the Apache config file, uncomment the lines:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
then change the line (on one line)
SSLMutex "file:C:/Program Files/Apache Software Foundation/\
Apache2.2/logs/ssl_mutex"
Next you need to create an SSL certificate.
To do that open a command prompt (DOS-Box) and change to
the Apache folder (e.g.
<filename>C:\program files\apache group\apache2</filename>)
and type the following command:
bin\openssl req -config conf\openssl.cnf -new -out my-server.csr
You will be asked for a passphrase. Please don't use simple
words but whole sentences, e.g. a part of a poem. The
longer the phrase the better. Also you have to enter the
URL of your server. All other questions are optional but we
recommend you fill those in too.
Normally the <filename>privkey.pem</filename> file is created
automatically, but if it isn't you need to type this command
bin\openssl genrsa -out conf\privkey.pem 2048
Next type the commands
bin\openssl rsa -in conf\privkey.pem -out conf\server.key
bin\openssl req -new -key conf\server.key -out conf\server.csr \
-config conf\openssl.cnf
and then (on one line)
bin\openssl x509 -in conf\server.csr -out conf\server.crt -req -signkey conf\server.key -days 4000
This will create a certificate which will expire in
4000 days. And finally enter (on one line):
bin\openssl x509 -in conf\server.crt -out conf\server.der.crt
These commands created some files in the Apache
<filename>conf</filename> folder
(<filename>server.der.crt</filename>,
<filename>server.csr</filename>,
<filename>server.key</filename>,
<filename>.rnd</filename>,
<filename>privkey.pem</filename>,
<filename>server.crt</filename>).
Restart the Apache service.
Point your browser to
<systemitem class="url">https://servername/svn/project</systemitem>
<title>SSL and Internet Explorer</title>
If you're securing your server with SSL and use authentication
against a Windows domain you will find that browsing
the repository with Internet Explorer doesn't work
anymore. Don't worry - this is only Internet Explorer
not being able to authenticate. Other browsers don't have that
problem, and TortoiseGit and any other Subversion client are
still able to authenticate.
If you still want to use IE to browse the repository
define a separate <literal><Location /path></literal>
directive in the Apache config file, and add
<literal>SSPIBasicPreferred On</literal>.
This will allow IE to authenticate again, but
other browsers and Subversion won't be able to
authenticate against that location.
Offer browsing with unencrypted authentication
(without SSL) too. Strangely IE doesn't have any
problems with authenticating if the connection
is not secured with SSL.
In the SSL "standard" setup there's often the
following statement in Apache's virtual SSL host:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
There are (were?) good reasons for this configuration,
<ulink url="http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49">
<citetitle>http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49</citetitle>
But if you want NTLM authentication you have to use <literal>keepalive</literal>.
If you uncomment the whole <literal>SetEnvIf</literal> you should be able to
authenticate IE with Windows authentication over SSL against
the Apache on Win32 with included <literal>mod_auth_sspi</literal>.
<title>Forcing SSL access</title>
When you've set up SSL to make your repository more secure, you
might want to disable the normal access via non-SSL (http) and
only allow https access.
To do this, you have to add another directive to the Subversion
<literal><Location></literal> block: <literal>SSLRequireSSL</literal>.
An example <literal><Location></literal> block would look like this:
<Location /svn>
SVNParentPath D:\SVN
AuthName "Subversion repositories"
AuthUserFile passwd
#AuthzSVNAccessFile svnaccessfile
<sect2 id="tsvn-serversetup-apache-sslcerts">
<title>Using client certificates with virtual SSL hosts</title>
Sent to the TortoiseGit mailing list by Nigel Green. Thanks!
In some server configurations you may need to set up a single server
containing 2 virtual SSL hosts: the first one for public web access,
with no requirement for a client certificate; the second one to be
secure with a required client certificate, running a Subversion server.
Adding an <literal>SSLVerifyClient Optional</literal> directive to the
<emphasis>per-server</emphasis> section of the Apache configuration
(i.e. outside of any <literal>VirtualHost</literal> and
<literal>Directory</literal> blocks) forces Apache to request a client
certificate in the initial SSL handshake. Due to a bug in
<literal>mod_ssl</literal> it is essential that the certificate is
requested at this point as it does not work if the SSL connection
The solution is to add the following directive to the virtual host
directory that you want to lock down for Subversion:
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
This directive grants access to the directory only if a
client certificate was received and verified successfully.
To summarise, the relevant lines of the Apache configuration are:
SSLVerifyClient Optional
### Virtual host configuration for the PUBLIC host
### (not requiring a certificate)
<VirtualHost 127.0.0.1:443>
<Directory "pathtopublicfileroot">
</VirtualHost>
### Virtual host configuration for SUBVERSION
### (requiring a client certificate)
<VirtualHost 127.0.0.1:443>
<Directory "subversion host root path">
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
<Location /svn>
SVNParentPath /pathtorepository
</VirtualHost>