Repositories access control with apache mod dav svn and mod perl » History » Version 44
F Abu-Nimeh, 2014-07-08 18:48
without AuthUserFile /dev/null apache will return a 500 internal error if a user doesn't have access. With this addition apache returns the expect 401 error
1 | 16 | Jean-Philippe Lang | h1. Repositories access control with apache, mod_dav_svn and mod_perl |
---|---|---|---|
2 | 1 | Nicolas Chuche | |
3 | 2 | Nicolas Chuche | {{>TOC}} |
4 | |||
5 | 4 | Jean-Philippe Lang | h2. Overview |
6 | 1 | Nicolas Chuche | |
7 | 23 | Eric Davis | In this documentation, we will configure apache to delegate authentication to mod_perl. It's tested on apache2 (@apache2-mpm-prefork@) with mysql and postgresql but should work with allmost every databases for which there is a perl DBD module. Apache2 with the high speed thread model might not load Perl correctly (@apache2-mpm-worker@). |
8 | 1 | Nicolas Chuche | |
9 | You need a working apache on your SVN server and you must install some modules at least mod_dav_svn, mod_perl2, DBI and DBD::mysql (or the DBD driver for you database as it should work on allmost all databases). |
||
10 | 4 | Jean-Philippe Lang | |
11 | 15 | Jean-Philippe Lang | On Debian/ubuntu you can do : |
12 | 11 | Shaun Mangelsdorf | |
13 | 43 | James Ang | <pre>sudo aptitude install libapache2-svn libapache-dbi-perl \ |
14 | libapache2-mod-perl2 libdbd-mysql-perl libdigest-sha1-perl \ |
||
15 | libauthen-simple-ldap-perl</pre> |
||
16 | 41 | Zack s | |
17 | 1 | Nicolas Chuche | On Turnkey Redmine Virtual Appliance you can do : |
18 | |||
19 | 43 | James Ang | <pre>apt-get install libapache2-svn libapache-dbi-perl \ |
20 | libapache2-mod-perl2 libauthen-simple-ldap-perl</pre> |
||
21 | 40 | Zack s | |
22 | 37 | Mischa The Evil | If the repositories are not created automatically by reposman.rb, it is important that the repository name is the same as the project identifier in Redmine, otherwise Redmine.pm will fail to authenticate users. For example, if the path to the repository is @/path/to/repository/foo-bar@, then the project Identifier on the Settings page must be @foo-bar@. |
23 | 1 | Nicolas Chuche | |
24 | h2. Enabling apache modules |
||
25 | |||
26 | On debian/ubuntu : |
||
27 | |||
28 | <pre> |
||
29 | 15 | Jean-Philippe Lang | sudo a2enmod dav |
30 | 21 | Marko Roeder | sudo a2enmod dav_svn # if you want to use svn |
31 | sudo a2enmod dav_fs # if you want to use git |
||
32 | 15 | Jean-Philippe Lang | sudo a2enmod perl |
33 | 4 | Jean-Philippe Lang | </pre> |
34 | 1 | Nicolas Chuche | |
35 | 15 | Jean-Philippe Lang | h2. Apache configuration for Subversion repositories |
36 | 1 | Nicolas Chuche | |
37 | You first need to copy or link @Redmine.pm@ to @/usr/lib/perl5/Apache/Redmine.pm@ |
||
38 | 37 | Mischa The Evil | * Redmine.pm can be found in $REDMINE_DIR/extra/svn/Redmine.pm |
39 | * In the Debian install, it is found /usr/share/redmine/extra/svn/Redmine.pm |
||
40 | |||
41 | 15 | Jean-Philippe Lang | Then add the following Location directives to your apache configuration (for example in @/etc/APACHE_DIR/conf.d/@): |
42 | 1 | Nicolas Chuche | |
43 | 17 | Joachim Fritschi | * the old how-to which suggested two separate locations for with @/svn@ and @/svn-private@ can be avoided |
44 | * with the @Satisfy any@ keyword from Apache you can define different authentication policies |
||
45 | * read access from the redmine-server or any validated user |
||
46 | * write access only validated users |
||
47 | 15 | Jean-Philippe Lang | |
48 | 17 | Joachim Fritschi | |
49 | 15 | Jean-Philippe Lang | <pre> |
50 | 1 | Nicolas Chuche | # /svn location for users |
51 | PerlLoadModule Apache::Redmine |
||
52 | <Location /svn> |
||
53 | DAV svn |
||
54 | SVNParentPath "/var/svn" |
||
55 | Order deny,allow |
||
56 | Deny from all |
||
57 | Satisfy any |
||
58 | 43 | James Ang | # If a client tries to svn update which involves updating many files, |
59 | # the update request might result in an error Server sent unexpected |
||
60 | # return value (413 Request Entity Too Large) in response to REPORT |
||
61 | # request,because the size of the update request exceeds the limit |
||
62 | # allowed by the server. You can avoid this error by disabling the |
||
63 | # request size limit by adding the line LimitXMLRequestBody 0 |
||
64 | # between the <Location...> and </Location> lines. |
||
65 | 42 | Terence Mill | LimitXMLRequestBody 0 |
66 | |||
67 | 43 | James Ang | # Only check Authentication for root path, nor again for recursive |
68 | # folder. |
||
69 | # Redmine core does only permit access on repository level, so this |
||
70 | # doesn't hurt security. On the other hand it does boost performance |
||
71 | # a lot! |
||
72 | 42 | Terence Mill | SVNPathAuthz off |
73 | 1 | Nicolas Chuche | |
74 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
75 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
76 | 17 | Joachim Fritschi | AuthType Basic |
77 | 18 | Joachim Fritschi | AuthName "Redmine SVN Repository" |
78 | 44 | F Abu-Nimeh | AuthUserFile /dev/null |
79 | 17 | Joachim Fritschi | |
80 | #read-only access |
||
81 | <Limit GET PROPFIND OPTIONS REPORT> |
||
82 | 19 | Joachim Fritschi | Require valid-user |
83 | 17 | Joachim Fritschi | Allow from redmine.server.ip |
84 | # Allow from another-ip |
||
85 | Satisfy any |
||
86 | </Limit> |
||
87 | # write access |
||
88 | <LimitExcept GET PROPFIND OPTIONS REPORT> |
||
89 | Require valid-user |
||
90 | </LimitExcept> |
||
91 | |||
92 | |||
93 | 1 | Nicolas Chuche | ## for mysql |
94 | RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" |
||
95 | 4 | Jean-Philippe Lang | ## for postgres |
96 | 1 | Nicolas Chuche | # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" |
97 | 4 | Jean-Philippe Lang | ## for SQLite3 |
98 | 1 | Nicolas Chuche | # RedmineDSN "DBI:SQLite:dbname=database.db" |
99 | |||
100 | RedmineDbUser "redmine" |
||
101 | RedmineDbPass "password" |
||
102 | </Location> |
||
103 | |||
104 | </pre> |
||
105 | |||
106 | 17 | Joachim Fritschi | h3. Testing the configuration: |
107 | 1 | Nicolas Chuche | |
108 | 17 | Joachim Fritschi | After reloading apache conf, you can try to browse some repository with: |
109 | |||
110 | 1 | Nicolas Chuche | <pre> |
111 | svn ls http://my.svn.server/svn/myproject |
||
112 | 4 | Jean-Philippe Lang | </pre> |
113 | 1 | Nicolas Chuche | |
114 | 17 | Joachim Fritschi | Any non-public repository should ask for a username and password. |
115 | 4 | Jean-Philippe Lang | |
116 | 17 | Joachim Fritschi | To test the authentication that allows you redmine server to read all repositories: |
117 | 1 | Nicolas Chuche | |
118 | 17 | Joachim Fritschi | Reading a private repository: |
119 | 3 | Jean-Philippe Lang | <pre> |
120 | 17 | Joachim Fritschi | svn ls http://my.svn.server/svn/myproject |
121 | </pre> |
||
122 | Try writing to the repository: |
||
123 | <pre> |
||
124 | svn mkdir http://my.svn.server/svn/myproject/testdir |
||
125 | </pre> |
||
126 | This should fail and ask for a password. |
||
127 | |||
128 | |||
129 | h3. optional LDAP Authentication |
||
130 | |||
131 | If you want to connect your LDAP authentication to Apache, you can install the Authen::Simple::LDAP perl module. I found that connecting to my LDAP server to authenticate with every request can be quite slow. I added the following to my configuration and had a significant performance increase. If you have configured an encrypted connection to the LDAP server you will need the IO::Socket::SSL module. |
||
132 | |||
133 | 20 | Stefan Stefansson | > *NOTE: the above wording is a little confusing. I attempt to clear up the issues I had with this in the following paragraph.* |
134 | > |
||
135 | 1 | Nicolas Chuche | > First of all, make sure that you have the Net::LDAP module installed as well. I installed Authen::Simple::LDAP through CPAN and found that nothing worked. Eventually I figured out that this was because the Authen::Simple::LDAP did not require the Net::LDAP module as a dependency but it is needed for our purpose here. I did this on CentOS and it seems that the Net::LDAP module can be installed via yum (@yum install perl-LDAP@) but the Authen::Simple::LDAP had to be installed via CPAN since there's no RPM for it in the CentOS repositories. |
136 | 37 | Mischa The Evil | > |
137 | |||
138 | To install the Authen::Simple::LDAP using CPAN use commands: |
||
139 | <pre> |
||
140 | 20 | Stefan Stefansson | cpan |
141 | 1 | Nicolas Chuche | cpan> install Authen::Simple::LDAP |
142 | </pre> |
||
143 | if the installation failed due to some dependencies, resolve the dependencies first. |
||
144 | |||
145 | > My second point is related to the below Apache config. The @PerlLoadModule Authen::Simple::LDAP@ is actually not required for having users authenticated via LDAP. It will happen automatically if both of the above modules are installed. So there really is no difference between the config snippet below and the one above except for the @RedmineCacheCredsMax 50@ line which is probably a good idea although it can result in users that have been deleted or removed in redmine still getting access to the repositories, at least for a little while. |
||
146 | |||
147 | <pre> |
||
148 | 20 | Stefan Stefansson | PerlLoadModule Apache::Redmine |
149 | 17 | Joachim Fritschi | PerlLoadModule Authen::Simple::LDAP |
150 | 1 | Nicolas Chuche | # PerlLoadModule IO::Socket::SSL |
151 | <Location /svn> |
||
152 | 8 | Nicolas Chuche | DAV svn |
153 | 43 | James Ang | # If a client tries to svn update which involves updating many files, the |
154 | # update request might result in an error Server sent unexpected return |
||
155 | # value (413 Request Entity Too Large) in response to REPORT request, |
||
156 | # because the size of the update request exceeds the limit allowed by the |
||
157 | # server. You can avoid this error by disabling the request size limit by |
||
158 | # adding the line LimitXMLRequestBody 0 between the <Location...> and |
||
159 | # </Location> lines. |
||
160 | 42 | Terence Mill | LimitXMLRequestBody 0 |
161 | |||
162 | # Only check Authentification for root path, nor again for recursive folder |
||
163 | 43 | James Ang | # Redmine core does only permit acces on repository level, so this doesn't |
164 | # hurt security. On the other hand it does boost performance a lot! |
||
165 | 42 | Terence Mill | SVNPathAuthz off |
166 | |||
167 | 12 | Todd Nine | SVNParentPath "/var/svn" |
168 | |||
169 | AuthType Basic |
||
170 | AuthName redmine |
||
171 | Require valid-user |
||
172 | |||
173 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
174 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
175 | |||
176 | ## for mysql |
||
177 | RedmineDSN "DBI:mysql:database=databasename;host=my.db.server" |
||
178 | ## for postgres |
||
179 | # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server" |
||
180 | |||
181 | 1 | Nicolas Chuche | RedmineDbUser "redmine" |
182 | 12 | Todd Nine | RedmineDbPass "password" |
183 | #Cache the last 50 auth entries |
||
184 | RedmineCacheCredsMax 50 |
||
185 | 15 | Jean-Philippe Lang | </Location> |
186 | 12 | Todd Nine | </pre> |
187 | 36 | neil johnson | |
188 | 1 | Nicolas Chuche | h2. Apache configuration for Git repositories |
189 | 38 | Lluís Vilanova | |
190 | *TODO*: This should probably be moved into [[HowTo configure Redmine for advanced git integration]] |
||
191 | 15 | Jean-Philippe Lang | |
192 | 1 | Nicolas Chuche | Now that reposman.rb can create git repositories, you can use Redmine.pm to access them the same way than subversion. |
193 | |||
194 | You first need to copy or link Redmine.pm to /usr/lib/perl5/Apache/Redmine.pm, then you add this configuration to apache : |
||
195 | |||
196 | <pre> |
||
197 | |||
198 | 37 | Mischa The Evil | PerlLoadModule Apache::Authn::Redmine |
199 | 1 | Nicolas Chuche | |
200 | 37 | Mischa The Evil | SetEnv GIT_PROJECT_ROOT /path/to/git/repos |
201 | SetEnv GIT_HTTP_EXPORT_ALL |
||
202 | |||
203 | ScriptAlias /git/ /usr/bin/git-http-backend/ |
||
204 | |||
205 | <Location /git> |
||
206 | 8 | Nicolas Chuche | AuthType Basic |
207 | Require valid-user |
||
208 | 1 | Nicolas Chuche | AuthName "Git" |
209 | 8 | Nicolas Chuche | |
210 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
211 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
212 | 1 | Nicolas Chuche | |
213 | 8 | Nicolas Chuche | RedmineDSN "DBI:mysql:database=redmine;host=localhost" |
214 | RedmineDbUser "redmine" |
||
215 | RedmineDbPass "password" |
||
216 | 37 | Mischa The Evil | RedmineGitSmartHttp yes |
217 | 8 | Nicolas Chuche | </Location> |
218 | |||
219 | Alias /git-private /var/git |
||
220 | |||
221 | <Location /git-private> |
||
222 | Order deny,allow |
||
223 | Deny from all |
||
224 | <Limit GET PROPFIND OPTIONS REPORT> |
||
225 | Options Indexes FollowSymLinks MultiViews |
||
226 | Allow from 127.0.0.1 |
||
227 | </Limit> |
||
228 | </Location> |
||
229 | </pre> |
||
230 | |||
231 | To verify that you can access repository through Redmine.pm, you can use curl : |
||
232 | <pre> |
||
233 | % curl --netrc --location http://localhost/git/ecookbook/HEAD |
||
234 | 13 | Thomas Pihl | ref: refs/heads/master |
235 | </pre> |
||
236 | |||
237 | 22 | Diego Oliveira | h2. Apache configuration for Mercurial repositories |
238 | |||
239 | 39 | Lluís Vilanova | *TODO*: This should probably be moved into [[HowTo configure Redmine for advanced Mercurial integration]] |
240 | |||
241 | 22 | Diego Oliveira | Create a file caled "hgweb.config" in the same folder as "hgwebdir.cgi". This foder will be the root repository folder. Then edit the "hgweb.config" with something like this: |
242 | |||
243 | <pre> |
||
244 | [paths] |
||
245 | /=/path/to/root/repository/** |
||
246 | |||
247 | [web] |
||
248 | allow_push = * |
||
249 | allowbz2 = yes |
||
250 | allowgz = yes |
||
251 | allowzip = yes |
||
252 | |||
253 | </pre> |
||
254 | |||
255 | Follows the instructions to install Redmine.pm as described and configure your apache like this. |
||
256 | |||
257 | <pre> |
||
258 | RewriteEngine on |
||
259 | PerlLoadModule Apache2::Redmine |
||
260 | PerlLoadModule Authen::Simple::LDAP |
||
261 | ScriptAliasMatch ^/hg(.*) /path/to/the/hgwebdir.cgi/$1 |
||
262 | <Location /hg> |
||
263 | AuthType Basic |
||
264 | AuthName "Mercurial" |
||
265 | Require valid-user |
||
266 | 1 | Nicolas Chuche | |
267 | #Redmine auth |
||
268 | PerlAccessHandler Apache::Authn::Redmine::access_handler |
||
269 | PerlAuthenHandler Apache::Authn::Redmine::authen_handler |
||
270 | RedmineDSN "DBI:mysql:database=redmine;host=localhost" |
||
271 | RedmineDbUser "DB_USER" |
||
272 | RedmineDbPass "DB_PASSWD" |
||
273 | </Location> |
||
274 | 37 | Mischa The Evil | |
275 | # Note: Do not use hg-private as the rewrite rule above will cause strange things to occur. |
||
276 | Alias /private-hg /path/to/hg/repos |
||
277 | |||
278 | <Location /private-hg> |
||
279 | Order deny, allow |
||
280 | Deny from all |
||
281 | <Limit GET PROPFIND OPTIONS REPORT> |
||
282 | Options Indexes FollowSymLinks MultiViews |
||
283 | Allow from 127.0.0.1 |
||
284 | </Limit> |
||
285 | </Location> |
||
286 | |||
287 | 22 | Diego Oliveira | |
288 | 1 | Nicolas Chuche | </pre> |
289 | 22 | Diego Oliveira | |
290 | h2. Gotchas |
||
291 | 13 | Thomas Pihl | |
292 | If you run this in Phusion Passenger, make sure you don't turn PassengerHighPerformance on. If you do, the rewrites to catch subversion dav will be bypassed with some interesting dump in the log as a result. |
||
293 | Example: |
||
294 | 1 | Nicolas Chuche | > ActionController::RoutingError (No route matches "/svn/rm-code" with {:method=>:get}): |
295 | (if your repo are named rm-code) |
||
296 | 27 | Bill Dieter | |
297 | 37 | Mischa The Evil | When using @Authen::Simple::LDAP@ for authentication, it is not sufficient to have the Administrator role to access a repository. The user must have a role with that specifically allows the user to browse, read, or write the repository. |