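SVN is a code version-control tool used at most software companies; its internals are not covered here. The following describes in detail how to configure an SSL SVN server on Linux.
I. Server environment
[root@localhost ~]# cat /etc/issue #OS release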
CentOS release 5.5 (Final)
Kernel \r on an \m
[root@localhost ~]# uname -a #kernel version
Linux localhost 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux
[root@rac02 ~]# getconf LONG_BIT #OS word size in bits
32
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 #server IP
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.163.255
HWADDR=00:0C:29:DC:1B:67
IPADDR=192.168.163.45
NETMASK=255.255.255.0
NETWORK=192.168.163.0
ONBOOT=yes
II. Building the SSL SVN server requires installing openssl, apr, apr-util, httpd, sqlite, neon and subversion
step1: Install openssl (download: http://www.openssl.org/source/)
[root@localhost svn]# wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz
[root@localhost svn]# tar zxvf openssl-1.0.0g.tar.gz
[root@localhost svn]# cd openssl-1.0.0g
[root@localhost openssl-1.0.0g]# make
[root@localhost openssl-1.0.0g]# make install
[root@localhost openssl-1.0.0g]# cp /usr/local/ssl/bin/openssl /usr/bin/ #overwrite the system default openssl command
[root@localhost openssl-1.0.0g]# openssl version
OpenSSL 1.0.0g 18 Jan 2012
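Note: the system usually has openssl installed by default, and many packages depend on it; you can build and install from source without uninstalling it, or simply use the system default version.
step2: apr and apr-util must be installed before the httpd source package
[root@localhost svn]# service httpd stop #stop the system default httpd service, or remove it with yum erase httpd
[root@localhost svn]# chkconfig httpd off #if it is not removed, disable it at boot
Install apr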
[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//apr/apr-1.4.6.tar.gz
[root@localhost svn]# tar zxvf apr-1.4.6.tar.gz
[root@localhost svn]# cd apr-1.4.6
[root@localhost apr-1.4.6]# ./configure
[root@localhost apr-1.4.6]# make && make install #creates apr-1-config under /usr/local/apr/bin/
Install apr-util
[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//apr/apr-util-1.4.1.tar.gz
[root@localhost svn]# tar zxvf apr-util-1.4.1.tar.gz
[root@localhost svn]# cd apr-util-1.4.1
[root@localhost apr-util-1.4.1]# ./configure --with-apr=/usr/local/apr/bin/apr-1-config #the apr location must be specified, otherwise configure reports an error
[root@localhost apr-util-1.4.1]# make && make install #creates apu-1-config under /usr/local/apr/bin/
Install httpd
[root@localhost svn]# wget http://mirror.bit.edu.cn/apache//httpd/httpd-2.2.22.tar.gz
[root@localhost svn]# tar zxvf httpd-2.2.22.tar.gz
[root@localhost svn]# cd httpd-2.2.22
[root@localhost httpd-2.2.22]# ./configure --prefix=/usr/local/apache --enable-rewrite --enable-so --enable-dav --enable-dav-fs --enable-dav-lock --enable-ssl --with-ssl=/usr/local/ssl/ --with-apr=/usr/local/apr/bin/apr-1-config --with-apr-util=/usr/local/apr/bin/apu-1-config --enable-mods-shared=all
[root@localhost httpd-2.2.22]# make
[root@localhost httpd-2.2.22]# make install
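Note: when building httpd-2.0 with ./configure pointed at the apr and apr-util directories, make fails; the httpd-2.0.x releases are not supported by apr 1.x
reference: https://issues.apache.org/bugzilla/show_bug.cgi?id=37573
The options passed to ./configure are not explained in detail here; if you are unsure which options to use, run ./configure --help
step3: sqlite and neon must be installed before the svn source package
Install sqlite (release list: http://www.sqlite.org/src/timeline?n=200&t=release)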
[root@localhost svn]# wget http://www.sqlite.org/src/tarball/SQLite-982cc7f4e7e2d8ab.tar.gz?uuid=982cc7f4e7e2d8abfc2025dfbec7c1ce8f95383b
[root@localhost svn]# tar zxvf sqlite-amalgamation-3.6.13.tar.gz
[root@localhost svn]# cd sqlite-3.6.13/
[root@localhost sqlite-3.6.13]# ./configure --prefix=/usr/local/sqlite
[root@localhost sqlite-3.6.13]# make && make install
[root@localhost sqlite]# cp /usr/local/sqlite/bin/sqlite3 /usr/bin/
[root@localhost sqlite]# sqlite3 #confirm that the version is the newly installed one
SQLite version 3.6.13
Install neon
neon is an HTTP and WebDAV client library that provides access over the http or https protocols (the system default version is neon 0.25.5)
[root@localhost svn]# wget http://www.webdav.org/neon/neon-0.29.6.tar.gz
[root@localhost svn]# tar zxvf neon-0.29.6.tar.gz
[root@localhost svn]# cd neon-0.29.6
[root@localhost neon-0.29.6]# ./configure --enable-shared --with-ssl --with-libs=/usr/local/ssl/lib --enable-webdav #when configure finishes it reports that ssl is supported
[root@localhost neon-0.29.6]# make
[root@localhost neon-0.29.6]# make install
[root@localhost /]# neon-config --version #check the installed version
neon 0.29.6
Install svn
The system default svn is version 1.4.2 and must be removed (# svn --version)
[root@localhost svn]# yum erase subversion #remove the system default svn
[root@localhost svn]# wget http://subversion.tigris.org/downloads/subversion-1.6.18.tar.gz
[root@localhost svn]# tar zxvf subversion-1.6.18.tar.gz
[root@localhost svn]# cd subversion-1.6.18
[root@localhost subversion-1.6.18]# ./configure --prefix=/usr/local/svn \
--with-apxs=/usr/local/apache/bin/apxs \
--with-apr=/usr/local/apr/bin/apr-1-config \
--with-apr-util=/usr/local/apr/bin/apu-1-config \
--with-ssl=/usr/local/ssl --with-neon=/usr/local/bin/neon-config \
--with-sqlite=/usr/local/sqlite --enable-option-checking
[root@localhost subversion-1.6.18]# make
[root@localhost subversion-1.6.18]# make install
[root@localhost subversion-1.6.18]# cp /usr/local/svn/lib/* /usr/lib/
[root@localhost subversion-1.6.18]# cp /usr/local/svn/bin/* /usr/bin/
[root@localhost bin]# svn --version #check the svn version
svn, version 1.6.18 (r1303927)
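III. Configuring SVN
step1: Edit httpd.conf and make sure the following modules are loaded
[root@localhost bin]# vi /usr/local/apache/conf/httpd.conf
.......
#remove the leading # from the following two Include lines
Include conf/extra/httpd-dav.conf
Include conf/extra/httpd-ssl.conf
.......
#the following modules are required; they are produced by the options passed when httpd was compiled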
LoadModule ssl_module modules/mod_ssl.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_lock_module modules/mod_dav_lock.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
...
...
...
#######################################
#the following part is optional; if it is added, both http and https access are supported
#repository resides.
<Location /repos>
DAV svn
SVNPath /svn/repos
AuthzSVNAccessFile /usr/local/svn/svn-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /usr/local/svn/svn-auth-conf
Require valid-user
#if the following line is added, only https access is possible
SSLRequireSSL
</Location>
#######################################
:wq
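Note: if the svn repository, password file path and so on are added to both httpd.conf and httpd-dav.conf, both http and https access are supported; if SSLRequireSSL is added in httpd.conf, only https access is supported.
step2: Edit /usr/local/apache/conf/extra/httpd-dav.conf and specify the paths of the repository, the password file and the access control file
[root@localhost extra]# cp httpd-dav.conf httpd-dav.conf.bk #back up first
[root@localhost extra]# vi httpd-dav.conf #edit httpd-dav.conf and append the following at the end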
....
....
#for svn.
<Location /repos>
DAV svn
SVNPath /svn/repos
AuthzSVNAccessFile /usr/local/svn/svn-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /usr/local/svn/svn-auth-conf
Require valid-user
</Location>
:wq
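Save and exit when the edit is complete; next, configure ssl for encrypted transport
step3: Create the ssl certificate files; whether SSL SVN can be configured successfully depends heavily on creating them correctly
[root@localhost conf]# pwd #create the ssl certificate files under /usr/local/apache/conf, because /usr/local/apache/conf/extra/httpd-ssl.conf specifies the certificate file paths under /usr/local/apache/conf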
/usr/local/apache/conf
1) Generate the key and the certificate request
[root@localhost conf]# openssl req -new > server.crt.csr
Generating a 1024 bit RSA private key
............++++++
.........................................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:firefly
Verifying - Enter PEM pass phrase: firefly
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tydic
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:localhost #server host name, or the server IP
Email Address []:firefly@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:firefly
An optional company name []:firefly
2) Remove the passphrase from the key.
[root@localhost conf]# openssl rsa -in privkey.pem -out server.key
Enter pass phrase for privkey.pem: firefly
writing RSA key
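3) Convert the certificate request into the certificate server.crt, i.e. generate the certificate with the private key created above
[root@localhost conf]# openssl x509 -in server.crt.csr -out server.crt -req -signkey server.key -days 365 #the certificate is valid for 1 year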
Signature ok
subject=/C=CN/ST=GD/L=SZ/O=tydic/OU=IT/CN=localhost/[email protected]
Getting Private key
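Note: if the certificate file names or paths differ from the above, edit /usr/local/apache/conf/extra/httpd-ssl.conf
For how to create certificates, see the official site: http://www.apache-ssl.org/
#############################################################
The certificate can also be generated with the following three steps
1) Generate the key server.key
[root@localhost conf]# openssl genrsa 1024 > server.key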
Generating RSA private key, 1024 bit long modulus
..................++++++
.........................................++++++
e is 65537 (0x10001)
2) Generate the certificate request file server.csr.crt
[root@localhost conf]# openssl req -new -key server.key > server.csr.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tydic
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tghfly
An optional company name []:tghfly
3) Generate the certificate server.crt from the key and the certificate request file
[root@localhost conf]# openssl req -x509 -days 365 -key server.key -in server.csr.crt > server.crt
#############################################################
[root@localhost conf]# ../bin/apachectl -t #check the apache configuration file syntax
Syntax OK
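An added example, not part of the original post: a check to run on the finished server.key and server.crt before starting Apache. It reports a key file readable by other users, an RSA key shorter than 2048 bits (the transcripts above generate 1024-bit keys), a certificate that does not match the key, and a certificate within 30 days of expiry. The function names and the 2048-bit and 30-day thresholds are assumptions; GNU stat and the openssl command are required.

```sh
#!/bin/sh
# Added example (not from the original post): audit a key/certificate pair.
# Usage: check_tls_pair server.key server.crt [min_bits]
# Prints one FAIL line per problem and returns non-zero if any check fails.
check_tls_pair() {
    local key="$1" crt="$2" min_bits="${3:-2048}" rc=0 mode bits kmod cmod

    # 1) The key is stored without a passphrase, so file mode is its only guard.
    mode=$(stat -c '%a' "$key") || return 2          # GNU stat (Linux)
    case "$mode" in
        600|400) ;;
        *) echo "FAIL key mode is $mode, expected 600 or 400"; rc=1 ;;
    esac

    # 2) Key length. "-passin pass:" stops openssl from prompting on an
    #    encrypted key, which is then reported as unreadable.
    bits=$(openssl rsa -in "$key" -passin pass: -noout -text 2>/dev/null |
           sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p')
    if [ -z "$bits" ]; then
        echo "FAIL cannot read key (encrypted or not RSA)"; return 2
    elif [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL RSA key is $bits bits, below $min_bits"; rc=1
    fi

    # 3) The certificate must carry the public half of this key.
    kmod=$(openssl rsa  -in "$key" -passin pass: -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ -z "$cmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL certificate does not match key"; rc=1
    fi

    # 4) Expiry: a 365-day certificate lapses without warning a year later.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL certificate expires within 30 days"; rc=1; }

    return $rc
}

# Constructed demo pair, so the check can be tried without touching real keys.
make_demo_pair() {   # $1 = directory, $2 = RSA bits
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 365 \
        -subj "/CN=localhost" -keyout "$1/server.key" -out "$1/server.crt" \
        2>/dev/null && chmod 600 "$1/server.key"
}
```

On the server built above it would be called as check_tls_pair /usr/local/apache/conf/server.key /usr/local/apache/conf/server.crt.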
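step4: Create the svn users and the password file svn-auth-conf; passwords are stored as MD5 hashes, so users cannot be added by writing directly into svn-auth-conf
[root@localhost bin]# cd /usr/local/apache/bin
[root@localhost bin]# ./htpasswd -cm /usr/local/svn/svn-auth-conf tgh # -c creates the password file on first use; omit it when adding further users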
New password:
Re-type new password:
Adding password for user tgh
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf aa
New password:
Re-type new password:
Adding password for user aa
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf bb
New password:
Re-type new password:
Adding password for user bb
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf cc
New password:
Re-type new password:
Adding password for user cc
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf dd
New password:
Re-type new password:
Adding password for user dd
[root@localhost bin]# ./htpasswd -m /usr/local/svn/svn-auth-conf firefly
New password:
Re-type new password:
Adding password for user firefly
step5: Create the access control file and set the users' access permissions
[root@localhost bin]# vi /usr/local/svn/svn-acl-conf
[groups]
staff = aa, bb, cc, dd
[/]
tgh = rw
firefly = rw
@staff = rw
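An added example, not part of the original post: a shell/awk audit that cross-checks the access control file from step5 against the password file from step4. It reports users named in a rule or group that have no entry in svn-auth-conf, accounts that have a password but no rule, and the hash scheme of each entry. The function names, the sample account "old" and the placeholder hashes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Cross-checks the authz file
# from step5 against the htpasswd file from step4.
# Usage: audit_svn_access <authz-file> <htpasswd-file>
audit_svn_access() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    FNR == NR {                         # first file: htpasswd, "user:hash"
        split($0, f, ":"); known[f[1]] = 1
        if (f[2] ~ /^\$apr1\$/)          print "INFO " f[1] ": salted MD5 (htpasswd -m)"
        else if (f[2] !~ /^\$2[aby]\$/)  print "WARN " f[1] ": legacy or unknown hash"
        next
    }
    /^[ \t]*(#|$)/ { next }             # second file: authz; skip comments, blanks
    /^[ \t]*\[/    { section = trim($0); next }
    {
        eq = index($0, "="); if (!eq) next
        name = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (section == "[groups]") {    # group = user, user, ...
            n = split(val, m, ",")
            for (i = 1; i <= n; i++) { u = trim(m[i]); if (u !~ /^[@&]/) ref[u] = "group " name }
        } else if (name == "*") {
            if (val != "") print "WARN " section ": \"" val "\" for every user"
        } else if (name !~ /^[@&~$]/) ref[name] = "rule " section
    }
    END {
        for (u in ref)   if (!(u in known)) print "WARN " u ": in " ref[u] " but has no password entry"
        for (u in known) if (!(u in ref))   print "WARN " u ": has a password but no authz rule"
    }' "$2" "$1" | sort
}

# Constructed sample: the ACL from step5, and a password file that lacks "dd"
# and carries a leftover account "old". The hashes are placeholders.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[groups]' 'staff = aa, bb, cc, dd' '[/]' \
        'tgh = rw' 'firefly = rw' '@staff = rw' > "$d/svn-acl-conf"
    for u in tgh aa bb cc firefly old; do
        printf '%s:$apr1$CONSTRUCTED$placeholderplaceholder..\n' "$u"
    done > "$d/svn-auth-conf"
    audit_svn_access "$d/svn-acl-conf" "$d/svn-auth-conf"
    rm -rf "$d"
}
```

Against the files created above it would be called as audit_svn_access /usr/local/svn/svn-acl-conf /usr/local/svn/svn-auth-conf.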
step6: Configure the svn repository
[root@localhost ~]# mkdir /svn
[root@localhost svn]# svnadmin create /svn/repos
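[root@localhost svn]# chmod -R 755 /svn #set the access permissions on the directory
[root@localhost ~]# chown -R daemon:daemon /svn/ #change the owner and group of the directory to daemon; otherwise clients get a permission error on commit
[root@localhost svn]# cd /usr/local/apache/bin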
[root@localhost svn]# ./apachectl start
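After completing the steps above, enter https://192.168.163.45/repos in the IE browser and supply the user name and password when prompted; when the page repos-Revision 0:/ appears, the ssl svn configuration has succeeded.
SVN's directory structure is also a tree. Here repos is the root, and multiple projects can be created under it; the following gives an example from the client side.
Note: why is the svn directory changed to the daemon group rather than apache or another group? Because httpd built from source is configured in httpd.conf with the daemon user and group, whereas httpd installed from the system's default rpm package belongs to the apache user and group
step7: Create a project, add several project directories to it, and import it into the svn repository to demonstrate the use of SVN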
[root@localhost svn]# cd /tmp
[root@localhost tmp]# mkdir projects #create a project under /tmp
[root@localhost tmp]# cd projects/
[root@localhost projects]# mkdir bi_projects
[root@localhost projects]# mkdir crm_projects
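[root@localhost project]# svn import /tmp/projects/ file:///svn/repos/projects -m "Initial repos for projects" #import the contents of project into the svn repository
step8: Start the Apache service automatically at boot
[root@localhost project]# echo "/usr/local/apache/bin/apachectl start" >> /etc/rc.d/rc.local #add the httpd boot-time start to rc.local
step9: Client browser view
Note: this completes the ssl svn configuration. Users can of course also install openssl, apr, apr-util, httpd, neon, subversion and the other related packages with yum to build ssl svn; the yum route is very simple and is not described here.
Aside: writing blog posts on 51cto is quite difficult. Writing with Windows Live Writer used to work reasonably well. Today I struggled with Live Writer for the better part of an hour, and the published post had only a title and no content. Editing directly on the web page, the formatting copied over from Word changes again, which seriously affects the blogger's mood for writing. I hope 51cto can improve a great deal!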