How to setup Apache Subversion behind Apache HTTP Server on Debian using dav_svn and authz_svn

Sun, Jan 28, 2018

Prerequisites

• Apache 2.4 is installed
• Let’s Encrypt is installed
• Subversion is installed
• Some SVN repositories have been created
  • /opt/svn/repo1
  • /opt/svn/repo2
• Subdomain svn.example.com pointing to the IP address of your Subversion server

SSL Certificate

Request a SSL certificate for svn.example.com using Let’s Encrypt:

service apache2 stop
./letsencrypt-auto certonly --standalone -d svn.example.com
service apache2 start

You’ll find your certificate here:

/etc/letsencrypt/live/svn.example.com/fullchain.pem

Apache Modules

On Debian you have to install libapache2-mod-svn in order to use the required Apache modules dav_svn and authz_svn:

aptitude install libapache2-mod-svn
a2enmod ssl dav dav_svn authz_svn
service apache2 restart

Users and Permissions

Using htpasswd we create a file .htpasswd_users for mapping user names to BCrypt passwords. We then create another file for defining user and group permissions on global and repository level.

mkdir /opt/svn_authz
cd /opt/svn_authz
htpasswd -cB .htpasswd_users admin
htpasswd -B .htpasswd_users jane
nano user_permissions

An example user_permissions file might look like this:

[groups]
group_repo1 = admin, linda, jerry
group_repo2 = admin, bob, jane

[/]
admin = rw

[repo1:/]
@group_repo1 = rw

[repo2:/]
@group_repo1 = r
@group_repo2 = rw

In this example the user admin has full access to all repositories, group_repo1 has full access to repo1 and read access to repo2 while group_repo2 has full access to repo2 and no access to any other repository.

Apache Site

Create the file /etc/apache2/sites-available/svn.example.com.conf. A very basic configuration using svn_authz and SSL might look like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/svn.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/svn.example.com/privkey.pem

  <Location />
    DAV svn
    SVNParentPath /opt/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /opt/svn_authz/.htpasswd_users
    Require valid-user
    <IfModule mod_authz_svn.c>
      AuthzSVNAccessFile /opt/svn_authz/user_permissions
    </IfModule>
    SSLRequireSSL
  </Location>

</VirtualHost>
</IfModule>

Enable the new site and restart Apache:

a2ensite svn.example.com.conf
service apache2 restart

Set Apache as the owner of the SVN parent directory:

chown -R www-data:www-data /opt/svn

Test

Open https://svn.example.com/repo1 in your browser. A basic authentication prompt should come up where you can now log in with one of your users. Logging in as admin should be successful while logging in as jane should not, as she lacks permission for repo1.