好像有一段时间没有Update my blog了，没办法，近被Boss催的团团转，晕的很，而且还有该死的毕业论文来添乱，哎~~

为了留下点纪念，把前两天配置的Apache + SSL + Subversion的文档奉献出来，我发现网上大部分文档都是在Windows下配置的，在Linux下的配置文档很少；而且其中一个重要的问题是它们都没有与SSL相结合，我ft，真正企业级的应用哪有不用SSL的，除非从一开始它想开源……

 
All By Our Smart Lili :)

Here are the steps we can follow， execut them in the order:

Step1:Install OpenSSL， Apache2 & Subversion

OpenSSL:

--------------------------------------------------------------------------------------

./config
make
make test
make install

--------------------------------------------------------------------------------------

Apache2:

--------------------------------------------------------------------------------------

./configure --enable-dav --enable-so --enable-deflate
  --enable-ssl --with-ssl=/usr/local/ssl

make clean
make
make install

--------------------------------------------------------------------------------------

Subversion

--------------------------------------------------------------------------------------

./configure --with-zlib --enable-ssl --with-ssl
--with-libs=/usr/local/ssl:/usr/local/ssl/lib:/usr/local/lib:/usr/lib:/lib
make clean
make
make install

--------------------------------------------------------------------------------------

Note: Strongly suggest using tar package， if using rpm package， you maybe get an error about an “Unrecognized URL scheme” when aclearcase/" target="_blank" >ccess  to subversion repository. One of the reasons is the dynamic linker/loader can’t find the plugins to load. So when we install subversion ， “--enable-ssl --with-ssl” is necessary.

 

Step2:  create certificate

1.         # cd /usr/local/apache/conf

# mkdir ssl.crt

#cd ssl.crt

# cp /usr/local/openssl/ssl/misc/CA.sh

/usr/local/apache/conf/ssl.crt/CA.sh

    2. Create self-signed Certificate Authority certificate/private key.

# ./CA.sh –newca

You will be asked to input these information:

MILY: Verdana">Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:SICHUAN
Locality Name (eg， city) [Newbury]:CHENGDU

Organization Name (eg， company) [My Company Ltd]:CUIT
Organizational Unit Name (eg， section) []:ENG
Common Name (eg， your name or your server's hostname) []:MyServerName
Email Address []:someone@somewhere.net

Now in the directory /usr/local/apache/conf/ssl.crt/， a new directory ./demoCA is created. ../demoCA/private/cakey.pem is the private key and ../demoCA/cacert.pem is the certificate.

3.Create web server certificate request and private key， and to sign server certificate using CA private key.

# openssl genrsa -des3 -out server.key 1024

#openssl req -new -key server.key -out server.csr

You will be asked to input these information again:

Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:SICHUAN
Locality Name (eg， city) [Newbury]:CHENGDU

Organization Name (eg， company) [My Company Ltd]:CUIT
Organizational Unit Name (eg， section) []:ENG
Common Name (eg， your name or your server's hostname) []:192.168.?.?
Email Address []:someone@somewhere.com

Note: We must input server’s hostname or IP when asked input common name， it is very important.

# mv server.csr newreq.pem

# ./CA.sh –sign

Now we get a server certificate named newcert.pem， rename newcert.pem as server.crt:

#mv newcert.pem server.crt

4. Generate client certificate request and private key， and to sign client certificate using CA private key.

# openssl genrsa -des3 -out client.key 1024

# openssl req -new -key client.key -out client.csr

#openssl ca -in client.csr -out client.crt

#openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

 

Step3: Edit ssl.conf & httpd.conf

Ssl.conf:

I edit my ssl.conf as below:

---------------------------------------------------------------------------------

DocumentRoot https://192.168.?.?

ServerName 192.168.?.?:443

ServerAdmin someone@somewhere.com

Add the following lines or delete “#” before them:

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key

SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/demoCA

SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem

SSLVerifyClient require

SSLVerifyDepth  1

       --------------------------------------------------------------------------------

 

Httpd.conf:

Configurate the Apache httpd.conf file as below:

---------------------------------------------------------------------------------

Change from “Listen 80” à“Listen 127.0.0.1:80” to limit somebody access to server by http://192.168.?.?.

Add: “ServerAdmin someone@somewhere.com”

Add: “ServerName 192.168.?.?:443”

Change from “AllowOverride None” à “AllowOverride All”

Change from “” à“”

Change from “AccessFileName.htaccess” à“AccessFileName /home/mysvn/.htaccess”

Add :“NameVirtualHost 192.168.?.?:443”

Put the following lines into :

LoadModule dav_svn_module     modules/mod_dav_svn.so

LoadModule authz_svn_module   modules/mod_authz_svn.so

(If the two lines above already exist， please skip.)

VirtualHost 192.168.?.?:443>

DocumentRoot "/home/mysvn"

ServerName 192.168.?.?

ServerAdmin someone@somewhere.com

SSLEngine on

SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key

DAV svn

SVNParentPath /home/mysvn

AuthzSVNAccessFile /home/mysvn/authz.conf

---------------------------------------------------------------------------------

 

Now we edit .htaccess as the following:

---------------------------------------------------------------------------------

AuthType Basic

AuthName "subversion repository"

AuthUserFile /home/mysvn/.htpasswd

Require valid-user

---------------------------------------------------------------------------------

.We can use “htpasswd –c /home/mysvn/.htpasswd user_name” to create user and password for the first time， “-c ” isn’t needed after that.

The file authz.conf can be used to limite user’s authority. Edit as below:

---------------------------------------------------------------------------------

[groups]

 

groupA = rchu， jhuang， mhsu， hma， jxu， tzheng， jlai， tho， lwei， sliu，

groupB = ipu，  ddong， aho， mmcgrew， jliu， jliang， khuang， vyang， azhou， kye

[xyz:/]

@groupA = rw

@groupB = rw

 

[t1:/]

@groupA = rw

 

[t2:/]

@groupB = rw

---------------------------------------------------------------------------------

So all people can checkout xyz， the numbers of groupA can checkout t1 ， the numbers of groupB can checkout t2.

Use “/usr/local/apache2/bin/apachetl startssl ” to start apache， “/usr/local/apache2/bin/apachetl stop” to stop it.

That’s all.

Wish you good luck!

For protect our company information， all "?" can be replaced by any ip address like and so are emails.