Install and set-up Subversion with WebSVN on Apache2 with SSL on Ubuntu

Here are some notes on setting up a subversion server using WebSVN. This will all be encrypted over SSL, using Apache2.

WebSVN is a nice web-based front-end to Subversion. It supports RSS feeds, so you can know when team members commit to the repository, and you can view different revisions (and the differences between them) on line. There are a whole slew of reasons why it’s cool, but I won’t go into it any further.

This setup requires Apache2. You can get it with:

sudo apt-get install apache2

If you want to build it from source for some reason (like if you are building a rails stack) that’s fine, but I won’t go into that here.

To create an SSL certificate:

sudo apache2-ssl-certificate

Just answer the questions, and a self-signed certificate will be created. (If you get the error sudo: apache2-ssl-certificate: command not found, see this information about changes in Feisty Fawn.)

Enable SSL in Apache:

sudo a2enmod ssl

Tell Apache to listen on port 443 by editing /etc/apache2/ports.conf and adding the following line:

Listen 443

Now that Apache is working on SSL, we can set up subversion. This basic install will allow you to use Subversion the usual way, using Apache for authentication. In a few steps we will install WebSVN.

Get the required packages:

sudo apt-get install subversion libapache2-svn

We will put our repository in /var/svn but you can really put it anywhere. In this case, the repository is called project:

sudo mkdir /var/svn
sudo svnadmin create /var/svn/project

Then, we need to set the appropriate permissions. The repository needs to be readable and writable by the webserver for WebSVN to function properly, and we will also create a subversion group that can read and write to it. Make sure to add all users of the repository to this group. (Note: this really only applies to users who can log in to your system and use subversion, or who use suversion over ssh. If they only use the http interface, they don’t need to have accounts on your system, so they don’t need to be put in the group.)

sudo addgroup subversion
sudo adduser myusername subversion
sudo chown -R www-data:subversion /var/svn
sudo chmod -R 775 /var/svn

Next, we will set up Apache so it will serve the repository.

First, we need to be sure the right modules are enabled. They probably already are, but it doesn’t hurt to check:

a2enmod dav
a2enmod dav_svn

Next, we need to set up the users.

htpasswd2 -c /etc/apache2/dav_svn.passwd myusername
htpasswd2 /etc/apache2/dav_svn.passwd anotheruser

(sudo htpasswd -c -m /etc/apache2/dav_svn.passwd myusername for Feisty Fawn users)

Note the -c will create a new password file. If you already have a password file at the specified location it will be overwritten. If you omit the -c this command will add a new user to the password file.

Next, we must set up the VirtualHost for our subversion server. Here is an example file that you can put in /etc/apache2/sites-available/svn.example.com. Be sure to make a symlink to that file in /etc/apache2/sites-enabled:

NameVirtualHost svn.example.com:443
<VirtualHost svn.example.com:443>
      ServerAdmin webmaster@example.com

      SSLEngine On
      SSLCertificateFile /etc/apache2/ssl/apache.pem

      <Location /project>
        DAV svn
        SVNPath /var/svn/project

        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile /etc/apache2/dav_svn.passwd

        # Required authentication
        Require valid-user

        # Require encryption
        SSLRequireSSL

      </Location>
      ErrorLog /var/log/apache2/error.log

      LogLevel warn

      CustomLog /var/log/apache2/access.log combined
      ServerSignature On

</VirtualHost>

The ‘<Location /project>’ directive will allow you to use https://svn.example.com/project as your HTTPS-facing subversion directory. The ‘SVNPath’ directive will map that HTTPS-facing directory previously mentioned to the directory on your server.

Note that this will give anyone in the password file created above full read-write access to your repository. If you want more fine-grained access control, see the link below about AuthZ authentication.

Also, don’t forget to create a CNAME entry in your dns for svn.example.com.

You will need to get a couple of packages for this:

sudo apt-get install php4 enscript websvn

When WebSVN asks you about the parent folder, in this case, you can enter /var/svn and leave the path to specific repositories blank. This will make all repositories created in /var/svn show up in WebSVN. You can of course play with these settings, and make only cetain repositories show up.

The encript package will allow for some cool syntax highlighting in the web view. You can tweak its settings at /etc/websvn/config.inc but you don’t have to, so I won’t get into that.

Next, we need to put a section into our VirtualHost file to enable WebSVN:

DocumentRoot /var/www/websvn/

      <Location />
              Options FollowSymLinks
              order allow,deny
              allow from all
              AuthType Basic
              AuthName "Subversion Repository"
              Require valid-user
              AuthUserFile /etc/apache2/dav_svn.passwd
              <IfModule mod_php4.c>
                      php_flag magic_quotes_gpc Off
                      php_flag track_vars On
             </IfModule>
      </Location>

Once again, this is allowing anyone who has a password in your subversion password file to view anything in any repository. For me, since I’m really the only one using it, this is fine. For most people, though, you will probably want more security. If anyone wants to add a section about that to this page, feel free.

This will make the full file look like:

NameVirtualHost svn.example.com:443
<VirtualHost svn.example.com:443>
      ServerAdmin webmaster@example.com

      SSLEngine On
      SSLCertificateFile /etc/apache2/ssl/apache.pem

      DocumentRoot /var/www/websvn/
      <Location />
              Options FollowSymLinks
              order allow,deny
              allow from all
              AuthType Basic
              AuthName "Subversion Repository"
              Require valid-user
              AuthUserFile /etc/apache2/dav_svn.passwd
              <IfModule mod_php4.c>
                      php_flag magic_quotes_gpc Off
                      php_flag track_vars On
             </IfModule>
      </Location>

      <Location /project>
              DAV svn
              SVNPath /var/svn/project

              AuthType Basic
              AuthName "Subversion Repository"
              AuthUserFile /etc/apache2/dav_svn.passwd

              # Required authentication
              Require valid-user

              # Require encryption
              SSLRequireSSL

      </Location>
      ErrorLog /var/log/apache2/error.log

      LogLevel warn

      CustomLog /var/log/apache2/access.log combined
      ServerSignature On

</VirtualHost>

This way, you can go to https://svn.example.com/ and see the WebSVN interface. You can check out the repository we created with a command like:

svn co https://svn.example.com/project

http://davidwinter.me.uk/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/ How to set up AuthZ, for more fine-grained access control. If you want to restrict who can access what parts of the repository and how they can access it (read-write or read-only) then check this out.

http://www.howtoforge.com/debian_subversion_websvn This article provided the basis for what I did.

http://ubuntuforums.org/showthread.php?t=4466 Notes on setting up SSL with Apache