Computers Linux

Make SVN trust a new CA

I routinely use Subversion to host all my software projects. For a long time I just got used to permanently accept the certificate warning when checking out a certain project – even though what I really wanted was for SVN to trust my home-made root CA certificate. Finally, I have found time to learn how to make SVN trust my CA and here is how:

  1. Download the root CA certificate
  2. Check that the certificate is in PEM form by issuing “openssl x509 -text -in certificate.crt”. If the output doesn’t make sense, then try with “openssl x509 -text in certificate.crt -inform der”
  3. To convert a DER certificate to PEM, issue “openssl x509 -in certificate-der.crt -inform der -out certificate-pem.crt -outform pem”
  4. You may want to copy the CA certificate to /etc/ssl/certs – although it is not required
  5. Edit your ./subversion/servers file. Change or add the value ssl-authority-files in the [globals] section so that it includes the CA certificate (in PEM form). The ssl-authority-files value is colon separated.
Computers Linux

Combine subversion, WebSVN and a web page in one Apache site

In my last post I wrote about how to get libapache_mod_auth_pam to play nicely with Apache2. This post is about putting it all together, complete with WebSVN and a default web page so that one can write an introductory text to the users using the site.

Getting subversion up and running on Apache was explained in the last post. The problem with that, however, is that the Location directive means that all content on the site is directed to dav_svn. Hence, it is not possible to access an index.html page in the root, nor the /websvn folder. If you try, you will just get the message “Could not open the requested SVN filesystem”.

Of course, the simple solution to this would be to put the dav_svn module one folder down in the site structure (e.g.<repository>) by changing the Location directive to <Location /repositories/>. But that is ugly.

I assume there are many ways to solve this but here is how I did it.

  1. First, create two sites – and (or whatever you want to call them).
  2. Configure the site as explained in the previous post
  3. Configure the site as you would any other static site, adding a index.html file in the root with whatever content you want to have there
  4. Now, before the Location directive in the site definition, add the following:

  5. RewriteEngine on
    RewriteRule ^/$ index.html [R]
    ProxyPass /websvn/
    ProxyPassReverse /websvn/
    ProxyPass /index.html

  6. Finally, you may also want to add SSL support for the site but I won’t go into that here

To make this work, a couple of Apache2 modules must be enabled, namely: proxy, proxy_http and rewrite.

What the above does is that it rewrites accesses to the root URL / to /index.html. Then, all requests to either /index.html or /websvn are proxied to the other site (which does not have dav_svn enabled so they work fine there).

With everything in place, you should be able to access for the index.html page, for the WebSVN interface to the repositories – and anything else for the real repositories.

A prettier solution would be if the Location directive for Apache supported negated regular expressions but I have come to the conclusion that it doesn’t – at least not the version I am using (2.2.8).

%d bloggers like this: