How to have a Subversion Repository on a Windows Server (+ security), part 1

The article is written based on Windows Server, CollabNet Subversion 1.6.1, Apache 2.2. Windows XP or Vista would do as well.

Subversion comes with it’s own server – svnserve. By default there is no security. One can install svn+ssh, but on a windows server and windows client that is a bit stupid.

The other option is to setup an Apache server with mod_dav and mod_dav_svn. Fortunately the CollabNet Subversion binary comes with Apache pre-bundled with those modules. The binary even installs viewvc, which is rather nice.

Installation steps.

After installing the bundle, however, there are a lot of things to do. Most of them manually. I’ll try to describe most of them here.

Download Collabnet Subversion Server binary from CollabNet (no other place to download it from). Registration required.

So we decided to use Apache instead of svnserve, so while installing one doesn’t have to make it a service. Only Apache should be installed as a service. Another pro for Apache is that it can host multiple SVN repositories as opposed to only one by svnserve AFAIK.

Now is the time to suggest that one make the Apache server run with limited credentials. By default the service would be running with Local System account which has more privileges than God the users in the Administrators group. The concrete steps would be to create one user with compmgmt.msc. Remove it from the Users group (which removes all the default privileges) and give this user Modify right for the httpd directory (one will most probably find it in C:\Program files\Subversion\httpd) and all the repositories.

The configuration. When installing Apache asks where is the repositories basedir. Using a basedir means that all the repositories are subdirectories of the basedir:

Subversion/httpd/conf/httpd.conf:

<Location /svn>
  DAV svn
  SVNParentPath "D:/SVN Repositories/"    <— put the qoutes. installer does not do it
</Location>

Note: by default the installer does not put quotes around the dir, so if there are space characters, the server will not start. One should put the quotes himself/herself.

Now is the time to say that the Apache server is very verbose. Every error show up in the Event Viewer in the Applications tab. There are always pretty good descriptions of what is wrong. I definitely like this feature of Apache. Unfortutely one has to use Google to figure how to fix it.

Another place to look for errors is httpd/logs/errors.log. Pretty readable. I’m positively surprised.

I don’t like the basedir approach – repositories with me are in different dirs. I do it like this

<Location /svn/mycompany>

   DAV svn

   SVNPath "D:/My Company/Repository"                   <— put the qoutes

</Location>

Authentication. Very shortly – http basic and http digest. Http basic is very insecure (only base64). Http basic looks like this:

<Location /svn/mycompany>

   DAV svn

   SVNPath "D:/My Company/Repository"

   AuthType Basic

   AuthName "MyCompany subversion repository"

  
AuthUserFile "C:\Program Files\Subversion/httpd/conf/svn_auth_file"

   Require valid-user

</Location>

Now, how to make the user’s file (svn_auth_file). Use htpasswd (only for http basic):

C:\Program Files\Subversion\httpd\bin>htpasswd -cm ..\conf\svn_auth_file mihail

New password: ******

Re-type new password: ******

Adding password for user mihail

C:\Program Files\Subversion\httpd\bin>htpasswd -m ..\conf\svn_auth_file ivan

New password: *****

Re-type new password: *****

Updating password for user ivan

The first time –c is used to create the file. Any subsequent user is with –m only (which stands for MD5 as far as I remember).

svn_auth_file:

mihail:$apr1$AzWq5tu5$k554PODb79n9TZwBxBDh..

ivan:$apr1$hlr9s6gK$oFLP1WtwvOLczyUSiP10v/

For http digest the configuration first the module has to be uncommented in httpd.conf:

LoadModule auth_digest_module modules/mod_auth_digest.so    <—uncomment this line

the configuration for the location is the following:

<Location /svn/mycompany>

AuthType Digest

And users are made with htdigest:

C:\Program Files\Subversion\httpd\bin>htdigest.exe –c ../conf/svn_auth_file "MyCompany subversion repository" mihail

Adding user mihail in realm MyCompany subversion repository

New password: ******

Re-type new password: ******

C:\Program Files\Subversion\httpd\bin>htdigest.exe ../conf/svn_auth_file "MyCompany subversion repository" ivan

Adding user ivan in realm MyCompany subversion repository

New password: ******

Re-type new password: ******

The file svn_auth_file looks a bit different now:

mihail:MyCompany subversion repository:3d16aced3eac2fc74ce5663df86d145b

ivan:MyCompany subversion repository:3ff20546c01028d5008651445b62d2e0

Note: keep in mind that the realms in svn_auth_file and the <Location AuthName should match.

Note: do not confuse htpasswd and htdigest. They produce users for http basic and http digest respectively and are not interchangeable.

For now there is a pretty usable svn server that supports multiple repositories and digest auth. But the communication with the server is plain and unencrypted http.

The svnbook is available here (most up-to-date version 1.5): http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html. The chapter for servers is Chapter 6.

The next part is how to setup a SSL on top of Apache.

One thought on “How to have a Subversion Repository on a Windows Server (+ security), part 1”

  1. Hi all. To have a right to do a thing is not at all the same as to be right in doing it.
    I am from Burundi and bad know English, tell me right I wrote the following sentence: "Casino royale, performers gross, with simple times, playing some full diet."

    Thank you very much :(. Anastay.

Leave a Reply to Anastay Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.