Posted: Thursday, November 17, 2005 9:06 am    Subject: Redhat9 SVN installation and configuration via Apache (with SSL) (draft)
--------------------------------------------------------------------------------
SVN over Apache, installation and configuration:
1. Download the Apache 2 and SVN source packages.
2. Build Apache 2
# ./configure --enable-dav --enable-so --enable-maintainer-mode
# make
# make install
3. Build SVN
# ./configure --with-apxs=/usr/local/apache2/bin/apxs
# make
# make install
When the install finishes, the following lines have been added to /usr/local/apache2/conf/httpd.conf automatically:
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
4. Fix the access permissions
# chown -R nobody /home/svn/
nobody is the user the httpd child processes run as with this build, so it must own the repository tree (the repository under /home/svn/svnroot has to exist already, created with svnadmin create). Nothing else needs write access there.
5. Create the user luke
# htpasswd -c /home/svn/svn-auth-file luke
-c creates the file and silently overwrites an existing one; add further users without -c. The file holds password hashes, so keep it readable only by root and the httpd user, and never under DocumentRoot.
6. Edit /usr/local/apache2/conf/httpd.conf and add the following lines
<Location /svn>
DAV svn
SVNPath /home/svn/svnroot # the repository directory
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /home/svn/svn-auth-file
Require valid-user
</Location>
7. Start httpd
# /usr/local/apache2/bin/httpd -k start
8. From a client, open
http://192.168.0.159/svn/ and enter the user name and password.
Note that over plain http, Basic authentication sends the password base64-encoded, not encrypted, on every request, so anyone on the network path can read it; that is what the SSL setup below is for.
SVN over Apache with SSL, installation and configuration:
1. Download OpenSSL and Apache 2
Note: the Apache 2 version must be httpd-2.0.55; httpd-2.0.54 has a bug and does not compile with SSL enabled.
2. Install OpenSSL
# cd ~/server
# tar -zxvf openssl-0.9.7d.tar.gz
# cd openssl-0.9.7d
# ./config
# make
# make install
(OpenSSL's build script is ./config, not ./configure.) Then add /usr/local/ssl/bin to PATH by hand.
3. Install Apache
# tar -zxvf httpd-2.0.55.tar.gz
# ./configure --enable-so --enable-ssl --with-ssl=/usr/local/ssl --enable-rewrite --enable-dav --enable-maintainer-mode
# make
# make install
4. Create the Apache init script
The atd init script serves as the template; the three sed runs replace the daemon path, the name and the description.
# cd /etc/rc.d/init.d
# sed 's/sbin\/atd/local\/apache2\/bin\/httpd/g' atd > httpd
# sed 's/atd/httpd/g' httpd > /tmp/txt
# sed 's/at daemon/httpd daemon/g' /tmp/txt > httpd
# rm /tmp/txt
# chmod 755 httpd
# chkconfig --level 345 httpd on
# chkconfig --level 0126 httpd off
Start and test the Apache server
# /etc/rc.d/init.d/httpd start
The server is up if it prints:
Starting httpd daemon: [ OK ]
-------------------------------------------------------------------------------------
5. Set up your own CA
# cd /usr/local/apache2/conf
# /usr/local/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.......................................++++++
.........................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: # enter the passphrase that protects the CA private key
Verifying - Enter PEM pass phrase: # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LC
Organizational Unit Name (eg, section) []:RD
Common Name (eg, YOUR name) []:luke
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:lipman
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
84:4e:78:d3:5b:df:21:f2
Validity
Not Before: Nov 9 08:48:03 2005 GMT
Not After : Nov 8 08:48:03 2008 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = LC
organizationalUnitName = RD
commonName = luke
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C0:B5:1D:81:0F:52:09:8B:45:93:6A:17:8C:EA:54B:7C:7B:8D:31
X509v3 Authority Key Identifier:
keyid:C0:B5:1D:81:0F:52:09:8B:45:93:6A:17:8C:EA:54B:7C:7B:8D:31
Certificate is to be certified until Nov 8 08:48:03 2008 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
This creates a demoCA directory under the current directory:
./demoCA/certs
./demoCA/crl                 certificate revocation lists (CRL)
./demoCA/newcerts            a copy of every certificate this CA signs with openssl ca
./demoCA/private             the CA's private area; what is in here must never leave the machine, e.g. the private key
./demoCA/private/cakey.pem   the CA's private key
./demoCA/index.txt           the CA's database of issued certificates
./demoCA/cacert.pem          the CA's certificate
./demoCA/serial              the next serial number
Two things in the transcript above deserve a look before going on. The CA certificate was written with the default usr_cert extensions, so it carries "X509v3 Basic Constraints: CA:FALSE"; a verifier that honours basic constraints will not accept it as an issuer, and a CA certificate should be generated with the v3_ca extensions (CA:TRUE) instead. Also, a 1024-bit RSA key and a three-year validity were usual in 2005 but are well below today's minimums.
-----------------------------------------------------------------------------------
6. Server-side configuration
# cd /usr/local/apache2/conf
# mkdir ssl
1) Generate the server key
# openssl genrsa -out ssl/server.key 1024 # no -des3, so the key is stored unencrypted and httpd can start without a passphrase prompt
An unencrypted key is protected by its file permissions and nothing else: keep it mode 600 and owned by root (httpd reads it before dropping privileges to nobody).
To inspect it (no passphrase is needed now):
# openssl rsa -noout -text -in ssl/server.key
2) Generate the server certificate request
# openssl req -new -key ssl/server.key -out ssl/server.csr
The Common Name entered here must be the host name or address the clients will use (192.168.0.159 in this write-up); clients compare it with the URL and warn on a mismatch.
3) Sign it with the CA's private key
# openssl x509 -req -in ssl/server.csr -out ssl/servercert.pem -CA demoCA/cacert.pem -CAserial demoCA/serial -CAkey demoCA/private/cakey.pem -days 3650
openssl x509 -req only increments demoCA/serial; it records nothing in demoCA/index.txt or demoCA/newcerts, so a certificate signed this way cannot later be revoked with openssl ca -revoke. Use openssl ca for certificates you may need to revoke.
To inspect it: openssl x509 -noout -text -in ssl/servercert.pem
4) httpd.conf configuration
<Location /svn>
DAV svn
#SVNPath /home/svn/svnroot
SVNParentPath /home/svn
AuthzSVNAccessFile /home/svn/access
SSLRequireSSL
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /home/svn/svn-auth-file
Require valid-user
</Location>
SVNParentPath replaces SVNPath: every repository directly under /home/svn is served as /svn/<name>, and AuthzSVNAccessFile applies per-path rules on top of the Basic login. SSLRequireSSL makes the location refuse plain http requests, so the credentials can no longer travel in the clear.
5) ssl.conf configuration
ServerName LC:443 # the name clients connect with; it must equal the Common Name in the server certificate (for clients that use 192.168.0.159, that is the value to put here and in the CSR). The CA's organizationName, which is what LC is, plays no part in that check.
SSLCertificateFile /usr/local/apache2/conf/ssl/servercert.pem
SSLCertificateKeyFile /usr/local/apache2/conf/ssl/server.key
SSLCACertificateFile /usr/local/apache2/conf/demoCA/cacert.pem
SSLCACertificateFile only tells mod_ssl which CA to trust for client certificates; the server does not ask the client for one unless ssl.conf also sets SSLVerifyClient require, so without that directive the client certificates of step 7 are never checked.
6) Example content of /home/svn/access
# directory specific authorization control
[groups]
Application = luke
#[svn:/svn install/trunk] #SVNPath /home/svn/svnroot
[svnroot:/]
@Application = rw
[doc:/]
@Application = rw
#[/]
#* = rw
With SVNParentPath the section names are <repository>:<path>, so these rules cover /home/svn/svnroot and /home/svn/doc; with a single SVNPath repository they would be written [/]. The commented-out [/] with * = rw would give every authenticated user write access to everything, which is why it is disabled. A user matched by no rule gets no access at all.
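The access file above is small, but a typo in a group name or a stray * = rw is easy to miss, and mod_authz_svn reports nothing beyond 403s at the client. The following checker is an added example, not part of the original post or of Subversion itself; it assumes the layout used above (a [groups] section plus [repo:/path] sections with name = perms lines) and does not understand aliases (&name) or ~ negation. A group referenced in a rule but never defined is what a typo produces; current Subversion rejects such a file as invalid and mod_authz_svn then denies every request, with the reason only in the error log, while at best the rule matches nobody.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a mod_authz_svn access file.
# Assumes the two-section layout used above: a [groups] section and [repo:/path] sections
# with "name = perms" lines; aliases (&name) and "~" negation are not handled.
set -eu

# check_authz FILE
#   Reports two mistakes that silently change who gets in:
#   - a rule granting "@group" where the group is never defined in [groups],
#   - a wildcard "* = ..." rule that includes write access (every authenticated user may commit).
#   Prints one line per finding; exit status 0 when clean, 1 otherwise.
check_authz() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments and blank lines
        /^\[groups\]/ { sec = "groups"; next }            # group definitions
        /^\[/         { sec = "path"; path = $0; next }   # [repo:/path] rule section
        {
            eq = index($0, "=")
            if (eq == 0) next
            lhs = substr($0, 1, eq - 1); rhs = substr($0, eq + 1)
            gsub(/[ \t]/, "", lhs); gsub(/[ \t]/, "", rhs)
        }
        sec == "groups" { defined[lhs] = 1; next }        # remember every defined group
        sec == "path" && lhs ~ /^@/ { ref[substr(lhs, 2)] = path; next }   # group used in a rule
        sec == "path" && lhs == "*" { star[path] = rhs }  # wildcard rule and its permissions
        END {
            bad = 0
            for (g in ref)
                if (!(g in defined)) {
                    printf "group @%s is used in %s but not defined in [groups]\n", g, ref[g]; bad = 1
                }
            for (p in star)
                if (star[p] ~ /w/) {
                    printf "wildcard write (* = %s) in %s\n", star[p], p; bad = 1
                }
            exit bad
        }
    ' "$1"
}

# Usage: sh check_authz.sh /home/svn/access ; with no argument it only defines the function.
if [ "$#" -gt 0 ]; then
    check_authz "$1"
fi
```

Run it after every edit of /home/svn/access and before restarting httpd; a non-zero exit means the file should not go live. A "* = r" line is deliberately not reported, since read access for every logged-in user is a legitimate choice.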
7. Generate the client certificate
# cd /usr/local/apache2/conf
# mkdir client
1) Generate the client key
# openssl genrsa -out client/test.key 1024
2) Generate the client certificate request
# openssl req -new -key client/test.key -out client/test.csr
3) Sign it with the CA's private key
# openssl x509 -req -in client/test.csr -out client/test.pem -CA demoCA/cacert.pem -CAserial demoCA/serial -CAkey demoCA/private/cakey.pem -days 3650
4) Bundle it into a personal certificate the client can import
# openssl pkcs12 -export -clcerts -in client/test.pem -inkey client/test.key -out client/test.p12
Enter Export Password:
Verifying - Enter Export Password:
The .p12 contains the private key, so once the file is copied to the Windows machine the export password is all that protects it.
5) Client-side SVN settings
Edit C:\Documents and Settings\luke\Application Data\Subversion\servers
and add the following:
[groups]
examplehost = 192.168.0.159
[examplehost]
ssl-client-cert-file = f:\linux\test.p12 # path to the client certificate
# ssl-client-cert-password = 123456 # for safety, do not write the password here; it is a nuisance though, since TortoiseSVN then asks for the Export Password every time.