Setting Up an HTTPS + SVN Server on Linux


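I. About SVN

         SVN is short for Subversion, an open-source version control system. Compared with RCS and CVS it uses a branch-based management model, and it was designed to replace CVS. Many version control services on the Internet have already migrated from CVS to Subversion. Put simply, SVN lets several people develop the same project together and share its resources.

An SVN server can run in two ways: as a standalone server, or behind Apache. This article uses the Apache approach.

       Note: for more background, see the detailed introduction to SVN.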

II. Setting up the SVN server

  1. Install the SVN server with yum

[root@localhost ~]# yum install -y subversion

   2. Check that svn was installed correctly with the following commands

[root@localhost ~]# svn
使用“svn help”得到用法。
[root@localhost ~]# svn help
[root@localhost ~]# svn --version
[root@localhost ~]# svnadmin help
...

   3. Create the repository for the SVN server

        First create a directory (any location works; I used /wfq to keep things easy to manage)

[root@localhost /]# mkdir -p /wfq/svn/project

      Then create the repository, pointing it at the directory just created

[root@localhost /]# svnadmin create /wfq/svn/project

      Because the directory was created as root, change its owner and group so that SVN operations do not fail for lack of permission

[root@localhost /]# chown -R apache:apache /wfq/svn/project

       Inside that directory you will find a number of generated files; the most important SVN configuration lives in the conf directory

[root@localhost /]# cd /wfq/svn/project/
[root@localhost project]# ll
总用量 8
drwxr-xr-x. 2 root root  54 1月  19 02:12 conf
drwxr-sr-x. 6 root root 233 1月  19 02:12 db
-r--r--r--. 1 root root   2 1月  19 02:12 format
drwxr-xr-x. 2 root root 231 1月  19 02:12 hooks
drwxr-xr-x. 2 root root  41 1月  19 02:12 locks
-rw-r--r--. 1 root root 229 1月  19 02:12 README.txt
[root@localhost project]# cd conf/
[root@localhost conf]# ll
总用量 12
-rw-r--r--. 1 root root 1080 1月  19 02:12 authz
-rw-r--r--. 1 root root  309 1月  19 02:12 passwd
-rw-r--r--. 1 root root 3090 1月  19 02:12 svnserve.conf

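conf--|

      --|    authz                           --- SVN authorization (access control) configuration

      --|    passwd                       --- SVN password configuration (note: because we use httpd, this file is not in the password-file format httpd authenticates against, so it cannot be used)

      --|    svnserve.conf             --- main SVN configuration file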

    4. Starting and stopping SVN for a given repository root

               1. Starting from the command line (has a drawback)

      Stop svn

[root@localhost ssl]# ps -ef|grep svnserve 
root       1438      1  0 19:06 ?        00:00:00 /usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /wfq/svn
root       1493   1137  0 19:23 pts/0    00:00:00 grep --color=auto svnserve
[root@localhost ssl]# kill -9 1438

    Start it on the chosen directory

[root@localhost ssl]# svnserve -d -r /wfq/svn/
[root@localhost ssl]# ps -ef|grep svnserve 
root       1509      1  0 19:24 ?        00:00:00 svnserve -d -r /wfq/svn/
root       1511   1137  0 19:24 pts/0    00:00:00 grep --color=auto svnserve
[root@localhost ssl]# systemctl restart httpd

      The drawback of this approach is that the following commands can no longer be used to control the svn service

[root@localhost ssl]# systemctl start svnserve
[root@localhost ssl]# systemctl restart svnserve
[root@localhost ssl]# systemctl stop svnserve
[root@localhost ssl]# systemctl status svnserve

         2. Changing the default startup directory

            Change the OPTIONS="-r /wfq/svn" variable so that it points to the root directory created above

[root@localhost ssl]# vi /etc/sysconfig/svnserve 
# OPTIONS is used to pass command-line arguments to svnserve.
#
# Specify the repository location in -r parameter:
OPTIONS="-r /wfq/svn"

          Restart

[root@localhost ssl]# systemctl restart svnserve
[root@localhost ssl]# systemctl restart httpd

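III. Setting up Apache to serve SVN over HTTP

    1. Install the httpd and mod_dav_svn packages with yum

              httpd is the main program of the Apache HyperText Transfer Protocol (HTTP) server. It is designed to run as a standalone background process and creates a pool of child processes or threads to handle requests.

              mod_dav_svn is the module, with its configuration directives, that lets the Apache HTTP server serve Subversion repositories.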

[root@localhost project]# yum install -y httpd mod_dav_svn

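    2. Create the user and password file, and configure SVN permissions

               Create the password file: the last argument of the htpasswd command is the user name. Enter the password and press Enter, confirm it and press Enter again, and the file is created.

               To add more users later, use -m and drop the -c option; otherwise the existing file is overwritten.

               Viewing the file afterwards shows that the user has been created.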

 

[root@localhost /]# htpasswd -cm /wfq/svn/project/conf/http-auth bugwfq
New password: 
Re-type new password: 
Adding password for user bugwfq
[root@localhost /]# vi /wfq/svn/project/conf/http-auth 
bugwfq:$apr1$0FjoVFII$Zb4G0C8/r3ooQKPmcJHCi/
~
~
~

        Open the conf/authz file and configure the permissions; for the detailed syntax, see the configuration reference

[root@localhost /]# vi /wfq/svn/project/conf/authz 
### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to:
###  - a single user,
###  - a group of users defined in a special [groups] section,
###  - an alias defined in a special [aliases] section,
###  - all authenticated users, using the '$authenticated' token,
###  - only anonymous users, using the '$anonymous' token,
###  - anyone, using the '*' wildcard.
###
### A match can be inverted by prefixing the rule with '~'. Rules can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').
[aliases]
# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average
[groups]
# harry_and_sally = harry,sally
# harry_sally_and_joe = harry,sally,&joe
# Define user groups: members of group admin, comma-separated, e.g. admin = zs,ls,ww
admin = bugwfq
# [/foo/bar]
# harry = rw
# &joe = r
# * =
[/]
# Permissions for the group: r = read, w = write
@admin = rw
# [repository:/baz/fuz]
"/wfq/svn/project/conf/authz" 37L, 1113C written

    3. Configure the svnserve.conf file

          Remove the leading # from the following settings

  •                 anon-access = read
  •                 auth-access = write
  •                 password-db = http-auth     (points to the password file just created)
  •                 authz-db = authz
[root@localhost /]# vi /wfq/svn/project/conf/svnserve.conf 
### This file controls the configuration of the svnserve daemon, if you
### use it to allow access to this repository.  (If you only allow
### access through http: and/or file: URLs, then this file is
### irrelevant.)
### Visit http://subversion.apache.org/ for more information.
[general]
### The anon-access and auth-access options control access to the
### repository for unauthenticated (a.k.a. anonymous) users and
### authenticated users, respectively.
### Valid values are "write", "read", and "none".
### Setting the value to "none" prohibits both reading and writing;
### "read" allows read-only access, and "write" allows complete
### read/write access to the repository.
### The sample settings below are the defaults and specify that anonymous
### users have read-only access to the repository, while authenticated
### users have read and write access to the repository.
anon-access = read    
auth-access = write
### The password-db option controls the location of the password
### database file.  Unless you specify a path starting with a /,
### the file's location is relative to the directory containing
### this configuration file.
### If SASL is enabled (see below), this file will NOT be used.
### Uncomment the line below to use the default password file.
password-db = http-auth
### The authz-db option controls the location of the authorization
### rules for path-based access control.  Unless you specify a path
### starting with a /, the file's location is relative to the the
### directory containing this file.  If you don't specify an
### authz-db, no path-based access control is done.
### Uncomment the line below to use the default authorization file.
authz-db = authz
### This option specifies the authentication realm of the repository.
### If two repositories have the same authentication realm, they should
### have the same password database, and vice versa.  The default realm
"/wfq/svn/project/conf/svnserve.conf" 61L, 3085C written

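     4. Configure httpd.conf

                Service directory: /etc/httpd/
                Main configuration file: /etc/httpd/conf/httpd.conf

                 SVNParentPath /wfq/svn                                     ## parent directory of the project repository
                 AuthUserFile /wfq/svn/project/conf/httppasswd              ## location of the password file (must be the file created with htpasswd in step 2)
                 AuthzSVNAccessFile /wfq/svn/project/conf/authz             ## authorization (access control) configuration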

[root@localhost /]# vi /etc/httpd/conf/httpd.conf 

...
ServerName localhost:80
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath /wfq/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /wfq/svn/project/conf/httppasswd
AuthzSVNAccessFile /wfq/svn/project/conf/authz
Require valid-user
SVNAutoversioning on
ModMimeUsePathInfo on
</Location>
...
[root@localhost /]# 

       5. Change the owner and group of the files under the svn directory

[root@localhost /]# cd /wfq/svn/
[root@localhost svn]# chown -R apache. project/
[root@localhost svn]# ll
总用量 0
drwxr-xr-x. 6 apache apache 86 1月  19 02:12 project
[root@localhost svn]# ll project/
总用量 8
drwxr-xr-x. 2 apache apache  71 1月  19 03:21 conf
drwxr-sr-x. 6 apache apache 233 1月  19 02:12 db
-r--r--r--. 1 apache apache   2 1月  19 02:12 format
drwxr-xr-x. 2 apache apache 231 1月  19 02:12 hooks
drwxr-xr-x. 2 apache apache  41 1月  19 02:12 locks
-rw-r--r--. 1 apache apache 229 1月  19 02:12 README.txt
[root@localhost svn]# 

            Restart httpd

[root@localhost svn]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

           Check why the start failed

[root@localhost svn]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 六 2019-01-19 03:57:46 CST; 1min 30s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 1952 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 1951 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=0/SUCCESS)
 Main PID: 1951 (code=exited, status=0/SUCCESS)

1月 19 03:57:46 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
1月 19 03:57:46 localhost.localdomain httpd[1951]: httpd (pid 1600) already running
1月 19 03:57:46 localhost.localdomain kill[1952]: kill: cannot find process ""
1月 19 03:57:46 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
1月 19 03:57:46 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
1月 19 03:57:46 localhost.localdomain systemd[1]: Unit httpd.service entered failed state.
1月 19 03:57:46 localhost.localdomain systemd[1]: httpd.service failed.

         Check the log

[root@localhost svn]# vi /var/log/httpd/error_log 
[Sat Jan 19 02:40:38.937489 2019] [core:notice] [pid 1599] SELinux policy enabled; httpd running as context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Sat Jan 19 02:40:38.938439 2019] [suexec:notice] [pid 1599] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jan 19 02:40:38.954448 2019] [auth_digest:notice] [pid 1600] AH01757: generating secret for digest authentication ...
[Sat Jan 19 02:40:38.965269 2019] [lbmethod_heartbeat:notice] [pid 1600] AH02282: No slotmem from mod_heartmonitor
[Sat Jan 19 02:40:38.992931 2019] [mpm_prefork:notice] [pid 1600] AH00163: Apache/2.4.6 (CentOS) SVN/1.7.14 configured -- resuming normal operations
[Sat Jan 19 02:40:38.992970 2019] [core:notice] [pid 1600] AH00094: Command line: 'httpd'

     It turned out I had forgotten to open port 80 locally; for convenience I simply turned the firewall off here

[root@localhost /]# systemctl stop firewalld.service
[root@localhost /]# systemctl disable firewalld.service

Then I restarted again; this time it started successfully, but accessing it returned a 500 error

The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

Then I checked the error log

[Sat Jan 19 04:42:55.749505 2019] [authn_file:error] [pid 2207] (13)Permission denied: [client 192.168.4.208:10890] AH01620: Could not open password file: /wfq/svn/project/conf/httppasswd
[Sun Jan 20 03:43:02.936928 2019] [mpm_prefork:notice] [pid 2202] AH00171: Graceful restart requested, doing restart

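It turned out that on the freshly installed system SELinux had not been disabled, so the permissions did not take effect.

There are two ways to handle this:

1. Permanently disable SELinux and reboot the system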

[root@localhost ~]# vi /etc/selinux/config

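    Change SELINUX=enforcing to SELINUX=disabled

     Reboot the system with the reboot command to apply the setting

Reference article: disabling SELinux on Linux

2. Change the SELinux context of the SVN directory directly from the command line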

chcon -R -h -t httpd_sys_content_t /wfq/svn/project

Then open http://ip/svn/project and enter the account and password you set; seeing the repository page means access is working

IV. Upgrading to HTTPS access

   1. Setting up the SSL environment

     SSL digital certificate

             1. Install the openssl and mod_ssl packages

[root@localhost ~]# yum install -y openssl mod_ssl

             2. Generate the key and certificate

[root@localhost ~]# mkdir /etc/httpd/conf/ssl/
[root@localhost ~]# cd /etc/httpd/conf/ssl/
[root@localhost ssl]# ll
总用量 0
[root@localhost ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
# Generate the CSR
[root@localhost ssl]# openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                             # country name (2-letter code)
State or Province Name (full name) []:gd                         # state or province
Locality Name (eg, city) [Default City]:sz                       # city
Organization Name (eg, company) [Default Company Ltd]:xx         # company name
Organizational Unit Name (eg, section) []:xx                     # department
Common Name (eg, your name or your server's hostname) []:bugwfq  # host name
Email Address []:bugwfq@163.com                                  # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456                                   # password
An optional company name []:bugwfq                               # optional company name
...

# Generate the certificate
[root@localhost ssl]# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key:
[root@localhost ssl]# ll
总用量 12
-rw-r--r-- 1 root root 997 1月  21 23:27 server.crt
-rw-r--r-- 1 root root 729 1月  21 23:26 server.csr
-rw-r--r-- 1 root root 963 1月  21 23:22 server.key
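
The session above generates a 1024-bit key; RSA keys below 2048 bits are no longer considered adequate for TLS. As an added example (not part of the original post), here are the same key and certificate steps with a 2048-bit key, plus checks to run before pointing httpd at the files. The host name svn.example.test and the function names are placeholders of this example, and the key is written without a passphrase and protected by file mode instead.

```shell
#!/bin/sh
# Added example: 2048-bit RSA key and self-signed certificate for a lab httpd.

# Print the modulus size in bits of the RSA private key in file $1.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only when the key in $1 has at least 2048 bits.
key_strength_ok() {
    bits=$(rsa_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Succeed only when certificate $1 was issued for private key $2.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Write server.key (owner-only) and server.crt into directory $1 for host $2.
make_server_cert() {
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$1/server.key" \
        -subj "/CN=$2" -out "$1/server.crt" 2>/dev/null || return 1
    key_strength_ok "$1/server.key" && cert_matches_key "$1/server.crt" "$1/server.key"
}

# Demo in a scratch directory; svn.example.test is a placeholder host name.
demo_dir=$(mktemp -d)
if make_server_cert "$demo_dir" svn.example.test; then
    echo "server.key: $(rsa_key_bits "$demo_dir/server.key") bits, certificate matches key"
fi
```
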

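If you are using an Alibaba Cloud server and have a domain name, go to the management page for that domain, enable an SSL certificate, and download the certificate package for Apache.

 This produces a set of files.

 Put these files in the /etc/httpd/conf/ssl directory.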

 

   2. Configuring SSL

         1. Open /etc/httpd/conf/httpd.conf and add the following settings

[root@localhost /]# vi /etc/httpd/conf/httpd.conf
...
# Load config files in the "/etc/httpd/conf.d" directory, if any.
...
LoadModule ssl_module modules/mod_ssl.so 
Mutex default ssl-cache
SSLRandomSeed startup builtin
SSLSessionCache none
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
# Not needed for a certificate generated with openssl; set it when the certificate was issued by a proper CA
#SSLCertificateChainFile conf/ssl/X_X_X_chain.crt
...

<Location /svn>
DAV svn
...
ModMimeUsePathInfo on

# Add this line
SSLRequireSSL
</Location>

        2. Restart httpd

[root@localhost /]# systemctl restart httpd
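
An added example (not from the original post) that audits the <Location /svn> block built in the steps above. It reports an AuthUserFile that does not exist or cannot be read, a missing Require valid-user or SSLRequireSSL, and comment text on the same line as a directive, which httpd does not support. The sample configuration and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the <Location /svn> block of an httpd.conf.
# Prints one finding per line and nothing when every check passes.
audit_svn_location() {
    tab=$(printf '\t')
    # Emit "Directive<TAB>arguments" for each directive inside <Location /svn>.
    directives=$(awk '
        /^[ \t]*<Location[ \t]+\/svn>/ { inside = 1; next }
        /^[ \t]*<\/Location>/          { inside = 0 }
        inside && !/^[ \t]*#/ && !/^[ \t]*$/ {
            sub(/^[ \t]+/, ""); name = $1
            sub(/^[^ \t]+[ \t]*/, ""); print name "\t" $0
        }' "$1")
    auth_file=""; valid_user=0; require_ssl=0
    while IFS="$tab" read -r name args; do
        case $args in   # httpd has no same-line comments: '#...' becomes arguments
            *'#'*) echo "TRAILING-COMMENT $name: move the comment to its own line" ;;
        esac
        case $name in
            AuthUserFile)  auth_file=$args ;;
            Require)       if [ "$args" = "valid-user" ]; then valid_user=1; fi ;;
            SSLRequireSSL) require_ssl=1 ;;
        esac
    done <<EOF
$directives
EOF
    if [ -z "$auth_file" ]; then
        echo "NO-AUTH-FILE: no AuthUserFile directive found"
    elif [ ! -r "$auth_file" ]; then
        echo "AUTHFILE $auth_file: missing or unreadable (httpd logs AH01620)"
    fi
    [ "$valid_user" -eq 1 ]  || echo "NO-LOGIN: 'Require valid-user' is absent"
    [ "$require_ssl" -eq 1 ] || echo "PLAINTEXT: SSLRequireSSL is absent, Basic auth may travel over HTTP"
    return 0
}

# Constructed sample: htpasswd wrote http-auth, the config names httppasswd.
demo_dir=$(mktemp -d)
: > "$demo_dir/http-auth"
cat > "$demo_dir/httpd.conf" <<EOF
<Location /svn>
DAV svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile $demo_dir/httppasswd
Require valid-user
SSLRequireSSL # require https
</Location>
EOF
audit_svn_location "$demo_dir/httpd.conf"
```

The readability test runs as the invoking user, so run the audit as the account httpd uses; it does not detect a denial imposed by SELinux labels.
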

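     Then open the corresponding address: https://xxx.xxx.xxx.xxx/svn/project

   Because I generated the certificate with openssl, it works but is only suitable for a development environment, and a warning that the certificate is not secure still appears

(the certificate has to be installed manually on the computer; that is not covered here)

   A certificate obtained from a dedicated certificate authority does not trigger the warning (the one below is the one I applied for and configured through Alibaba Cloud)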

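  3. Redirecting HTTP to HTTPS

          Requests use HTTP by default, so HTTP requests need to be redirected to HTTPS.

    1. Edit the configuration file

   Open /etc/httpd/conf/httpd.conf and add the following settings

        1) Add the mod_rewrite.so module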

...
LoadModule ssl_module modules/mod_ssl.so
# I added the next line below the line above
LoadModule rewrite_module modules/mod_rewrite.so 
...

   2. Configure the redirect rules

...
# I placed these rules above the <Location /svn> block
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]


<Location /svn> 
...

  3. Restart httpd

[root@localhost ssl]# systemctl restart httpd

  Done.

 

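Note:

       You may run into different problems along the way; read the logs and the startup messages to resolve them. The exact configuration may differ from one machine to another.

  While configuring, experiment and consult other material online.

Here are some of the commands I used: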

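svnserve -d -r /path             # start on a given directory: -d runs svnserve as a daemon, -r sets the root directory it serves; /path is the SVN repository root
ps -ef|grep svnserve             # find the svnserve process so that SVN can be stopped by killing it
kill -9 pid                      # kill the process; pid is the process ID (for example 4967)
systemctl start service-name     # start a service: httpd/svnserve/...
systemctl stop service-name      # stop a service: httpd/svnserve/...
systemctl restart service-name   # restart a service: httpd/svnserve/...
systemctl status service-name    # show the state of a service; useful for finding errors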

In addition, users can also be stored in MySQL: http://www.cnblogs.com/lxmhhy/p/6044054.html
