Subversion over Apache Httpd over SSL with Basic Auth on Windows 2003 Server box…

 


crosspost from http://rextang.net/blogs/work/


OK, after a full installation of Subversion on my server, here are the complete installation steps for reference.


Some readings:



Software to install upon this writing:



Installation Steps:


1. Install Apache Httpd package on Windows 2003 Server.


Remember to give Httpd its own port or IP address so that it does not conflict with the existing IIS 6 on the box.


2. Install OpenSSL for Apache Httpd package.


Follow the steps provided in my post or Rob Gonda’s post listed above.


3. Install Subversion and TortoiseSVN


Follow Rob Gonda’s first installation post, but skip the svnservice part that installs svnserve as a Windows service. It’s not necessary since we are going to let Httpd host the repository access.


4. Edit httpd.conf


For httpd.conf, some blocks need a closer look. (The example here uses the dedicated IP 10.0.0.1 with port 80 and port 443 for Apache Httpd, and the DNS records svn.server1.abc.com, www.server1.abc.com, www2.server1.abc.com and server1.abc.com all point to 10.0.0.1.)

# Place the right server root
ServerRoot "C:/Program Files/Apache Group/Apache2"

# Listen to the right ip and port
Listen 10.0.0.1:80

# Load the proper modules for use
LoadModule auth_module modules/mod_auth.so
LoadModule dav_module modules/mod_dav.so
# ----------- SSL module
LoadModule ssl_module modules/mod_ssl.so
LoadModule deflate_module modules/mod_deflate.so
# ----------- Subversion module
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# admin email
ServerAdmin admin@abc.com

# main site server name
ServerName server1.abc.com:80

# main document root
DocumentRoot "d:/apachewebs"

# main doc root access rules
<Directory "d:/apachewebs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# index file name
DirectoryIndex index.html index.html.var index.htm

# Bring in additional module-specific configurations, for ssl config
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

# open virtual host to host other apache sites
# with different hostname, for future php / mysql application use
NameVirtualHost 10.0.0.1:80

# Main site
<VirtualHost 10.0.0.1:80>
    # the dns name to map to this virtual host
    ServerName server1.abc.com
    ServerAdmin admin@abc.com
    DocumentRoot d:/apachewebs/server1.abc.com.web
    ErrorLog logs/server1.abc.com.web-error_log
    CustomLog logs/server1.abc.com.web-access_log common

    # subversion settings for this virtual host
    # will be accessed via http://server1.abc.com/svn/repo1/
    # for a particular repository "repo1" under the svn parent path.
    # /svn is the root svn folder and will contain repositories under it
    <Location /svn>
        DAV svn
        # the root svn folder
        SVNParentPath "f:/svnrepo"

        # authentication: just use basic auth
        AuthName "server1.abc.com Subversion Authentication"
        AuthType Basic

        # authorization
        AuthzSVNAccessFile "d:/subversion-settings/dev1-authz"
        AuthUserFile "d:/subversion-settings/dev1-passwd"
        # every access must authenticate
        Require valid-user
    </Location>
   
</VirtualHost>

# some website with html/php files
<VirtualHost 10.0.0.1:80>
    ServerName www.server1.abc.com
    ServerAdmin admin@abc.com
    DocumentRoot d:/apachewebs/www.server1.abc.com.web
    ErrorLog logs/www.server1.abc.com.web-error_log
    CustomLog logs/www.server1.abc.com.web-access_log common
</VirtualHost>

# some other normal website with different dns name and virtual host
<VirtualHost 10.0.0.1:80>
    ServerName www2.server1.abc.com
    ServerAdmin admin@abc.com
    DocumentRoot d:/apachewebs/www2.server1.abc.com.web
    ErrorLog logs/www2.server1.abc.com.web-error_log
    CustomLog logs/www2.server1.abc.com.web-access_log common
</VirtualHost>

# a virtual host for subversion access
<VirtualHost 10.0.0.1:80>
    # note that this is a dedicated dns name for subversion
    ServerName svn.server1.abc.com
    ServerAdmin admin@abc.com
    # no document root is needed here, so it is commented out
    # DocumentRoot d:/apachewebs/svn.server1.abc.com.web
    ErrorLog logs/svn.server1.abc.com.web-error_log
    CustomLog logs/svn.server1.abc.com.web-access_log common

    # map the DAV to the root
    # so that for a repository "repo1" the path will be
    # http://svn.server1.abc.com/repo1/
    <Location />
        DAV svn
        SVNParentPath "f:/svnrepo"

        # authentication
        AuthName "server1.abc.com Subversion Authentication"
        AuthType Basic

        # authorization
        AuthzSVNAccessFile "d:/subversion-settings/dev1-authz"
        AuthUserFile "d:/subversion-settings/dev1-passwd"
        Require valid-user
    </Location>

</VirtualHost>


5. Edit ssl.conf


For ssl.conf, it needs to listen on port 443 for an IP and define a virtual host for a DNS name to host the svn directory as well as some normal files. Since Apache only has 1 IP for this SSL connection, only 1 SSL DNS name and virtual host can be defined here. The settings block provided below shows only the parts modified relative to the ssl.conf file provided in the downloaded OpenSSL zip file.

# Listen to 443 port
Listen 10.0.0.1:443

# define virtual host
<VirtualHost 10.0.0.1:443>

#   General setup for the virtual host
DocumentRoot "d:/apachewebs/server1.abc.com.web"
ServerName server1.abc.com:443
ServerAdmin admin@abc.com
ErrorLog logs/error_log
TransferLog logs/access_log

    # only https://server1.abc.com/svn belongs to DAV svn
    # for a repository "repo1", the access path via SSL is
    # https://server1.abc.com/svn/repo1/
    <Location /svn>
        DAV svn
        SVNParentPath "f:/svnrepo"

        # authentication
        AuthName "server1.abc.com Subversion Authentication"
        AuthType Basic

        # authorization
        AuthzSVNAccessFile "d:/subversion-settings/dev1-authz"
        AuthUserFile "d:/subversion-settings/dev1-passwd"
        Require valid-user
    </Location>

SSLEngine on
# the folder path to put the key file
# relative to Apache root folder
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>                                 


6. For self-made SSL certificate files (server.crt and server.key above)


Refer to this post. Unzip the OpenSSL package and go to the bin directory. There are 3 main steps, each an openssl.exe command line, to get the 2 files.

d:\openssl bin folder> openssl req -config openssl.cnf -new -out server.csr
d:\openssl bin folder> openssl rsa -in privkey.pem -out server.key
d:\openssl bin folder> openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Create an Apache/conf/ssl directory (the one referenced in ssl.conf above) and move server.key and server.crt into it.


7. For Subversion authentication and authorization files (dev1-authz and dev1-passwd files above)


Refer to the Subversion book, chapter 6, for more information about this section.

dev1-authz content:

[groups]
# "developer1" and "developer2" are login names
# defined in the "dev1-passwd" file
# "dev1group" is a group name
dev1group = developer1 , developer2

# repo1 repository root (“/”) settings
[repo1:/]
#allow read write access for the developer1
developer1 = rw
# not allow access for all others
* =

# repo2 repository root (“/”) settings
[repo2:/]
#allow read write access for the developer2
developer2 = rw
# not allow access for all others
* =

# repo3 repository root (“/”) settings
[repo3:/]
#allow read write access for the group
@dev1group = rw
# allow read access for all others
* = r
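
To check what a rule set like this grants before deploying it, here is an added example (not part of the original post, and not mod_authz_svn's own code). It is a simplified model that assumes the most specific matching section wins and that grants from all matching lines inside that section are combined; `parse_authz` and `effective_access` are hypothetical helper names.

```python
# Added example: simplified model of how the dev1-authz rules are evaluated.
# AUTHZ is the file from this post with the comments removed.
AUTHZ = """\
[groups]
dev1group = developer1 , developer2

[repo1:/]
developer1 = rw
* =

[repo2:/]
developer2 = rw
* =

[repo3:/]
@dev1group = rw
* = r
"""


def parse_authz(text):
    """Return {section: [(name, rights), ...]} for an authz file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), [])
        elif "=" in line and current is not None:
            name, _, rights = line.partition("=")
            current.append((name.strip(), rights.strip()))
    return sections


def effective_access(sections, user, repo, path="/"):
    """Return "", "r" or "rw" for user on repo:path (assumed semantics)."""
    groups = {g: {m.strip() for m in members.split(",")}
              for g, members in sections.get("groups", [])}

    def applies(name):
        if name in ("*", user):
            return True
        return name.startswith("@") and user in groups.get(name[1:], set())

    path = "/" + path.strip("/")
    while True:
        # Prefer the repository-specific section, then the global one.
        for section in (f"{repo}:{path}", path):
            rights = [r for n, r in sections.get(section, []) if applies(n)]
            if rights:
                return "".join(c for c in "rw" if any(c in r for r in rights))
        if path == "/":
            return ""  # nothing matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"
```

Because only root sections are defined in the file above, every path inside a repository inherits the rights of its `[repoN:/]` section.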

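The dev1-passwd file can be generated with htpasswd.exe as an MD5-encrypted password file. Alternatively, simply use Notepad to write a plain-text file like this (Apache on Windows accepts plain-text entries, but anyone who can read the file then sees every password):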

developer1:passwd-for-developer1
developer2:passwd-for-developer2


8. That’s all set! Just restart Apache Httpd and use TortoiseSVN to test accessing the self-made repositories.


At the server, open a cmd.exe and use svnadmin.exe to create some repositories.

c:\> svnadmin create f:\svnrepo\repo1
c:\> svnadmin create f:\svnrepo\repo2
c:\> svnadmin create f:\svnrepo\repo3

Then just use TortoiseSVN to browse / checkout / import some files to those repositories. With the above settings, the following URLs can be used, both with and without SSL:

http://server1.abc.com/svn/repo1/ with developer1 login access, non-ssl way
http://svn.server1.abc.com/repo2/ with only developer2 login access non-ssl way.
https://server1.abc.com/svn/repo3/ with both developer1 and developer2 login , using ssl.

repo1 to repo3 in the above URLs can be swapped into any of the URL forms above to access each repository. However, because Basic auth is used here, it’s strongly recommended to access the repositories over SSL, to prevent a network sniffer on the HTTP traffic from easily capturing the passwords.
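
To find which of the configured URLs still accept Basic credentials over plain HTTP, here is an added example (not from the original post) that scans virtual host blocks for `AuthType Basic` inside a vhost that lacks `SSLEngine on`. `SAMPLE_CONF` is constructed from the virtual hosts shown above, `basic_auth_without_ssl` is a hypothetical helper name, and only `<Location>` blocks inside `<VirtualHost>` blocks are considered.

```python
# Added example: flag Basic-auth <Location> blocks in vhosts without SSL.
# SAMPLE_CONF is constructed from the virtual hosts shown in this post.
SAMPLE_CONF = """\
<VirtualHost 10.0.0.1:80>
    ServerName server1.abc.com
    <Location /svn>
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.1:80>
    ServerName svn.server1.abc.com
    <Location />
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.1:443>
    ServerName server1.abc.com:443
    <Location /svn>
        AuthType Basic
        Require valid-user
    </Location>
    SSLEngine on
</VirtualHost>
"""


def basic_auth_without_ssl(conf_text):
    """Return (server_name, location) pairs where Basic auth runs without SSL."""
    findings, vhost, location = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.lower().split()
        if words[0].startswith("<virtualhost"):
            vhost = {"name": line[12:].strip(" >"), "ssl": False, "basic": []}
        elif words[0].startswith("</virtualhost") and vhost is not None:
            # SSLEngine may follow the <Location>, so decide at the close tag.
            if not vhost["ssl"]:
                findings += [(vhost["name"], loc) for loc in vhost["basic"]]
            vhost = None
        elif words[0].startswith("<location"):
            location = line[9:].strip(" >")
        elif words[0].startswith("</location"):
            location = None
        elif vhost is not None and len(words) > 1:
            if words[0] == "servername":
                vhost["name"] = line.split()[1]
            elif words[:2] == ["sslengine", "on"]:
                vhost["ssl"] = True
            elif words[:2] == ["authtype", "basic"] and location is not None:
                vhost["basic"].append(location)
    return findings


if __name__ == "__main__":
    for name, loc in basic_auth_without_ssl(SAMPLE_CONF):
        print(f"Basic auth over plain HTTP: {name} {loc}")
```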

It’s also possible to use SSPI authentication with Subversion and Httpd; refer to the post here or other links provided in Rob Gonda’s posts.


That’s all I did to get my Subversion running on a Windows 2003 Server box with SSL support and basic authentication. I didn’t use SSPI since I am not using a Windows AD domain to manage my developer accounts. If AD is used for developer accounts, then SSPI will be a better way to authenticate.




 

Apache Httpd 2.0.x with SSL on Windows 2003 Server box coexist with IIS 6, in 2 IP Addresses…

 




Since Subversion needs to use Apache Httpd as the front-end web interface, I am thinking of installing Apache Httpd on my Windows 2003 Server, together with IIS6 for working on and hosting my ASP.NET websites. The following are the instructions for my installation of all of this. I’ll point out the original sources of the information, but will also document everything here in case the related blog posts or websites are gone.


The Windows 2003 Server box now has 2 real IP addresses. I’ll use 1 IP for IIS6 and the other one for Apache Httpd, so that both web servers can use port 80, and also put SSL on Apache Httpd, so that those sites can be accessed from most corporate networks without being blocked by firewalls.


The latest versions of the software as of this writing are:


  • Apache Httpd 2.0.55, win32 msi installer without ssl support
  • OpenSSL 0.9.8a for ApacheHttpd 2.0.55

Before Installing Apache, tuning Windows Server Environment with IIS 6:


(from http://www.experts-exchange.com/Web/Web_Servers/Q_21152899.html)


To change the IPs IIS consumes upon start up change
IIS 6 – http://support.microsoft.com/default.aspx?scid=kb;en-us;813368&Product=iis60

for apache
http://httpd.apache.org/docs-2.0/bind.html
http://httpd.apache.org/docs-2.0/mod/mpm_common.html#listen

From IBM doc:
http://www-306.ibm.com/software/webservers/httpservers/doc/v1326/manual/ibm/9acdafpa.htm#afenable
“When the port binds to a particular TCP/IP adapter, the Cache Accelerator disables.”
So try to disable cache accelerator: comment out AfpaEnable directive.


The main purpose is to let IIS6 listen on specific IP addresses instead of all IPs, so that Apache gets one specific IP to use. First use httpcfg.exe from the Windows 2003 Server tools to tell IIS to listen on only one IP. Then I can start to install Apache Httpd.


Installing Apache Httpd with SSL:


(from Rob Gonda, Multiple SVN repositories for Windows using Apache)


2. Install Apache 2.0.55 by downloading and installing: http://www.apache.org/

3. After the installation finishes, run the following from a command prompt: “net stop apache2” (to stop the web server)

4. If you DON’T want/need SSL support, skip to step 9b below.

5. Rename httpd.conf in the apache config. directory (default is “c:\program files\apache group\apache2\conf”) to httpd.conf.save

6. Browse to http://smithii.com/ross/download.php?file=apache-2.0.55_openssl-0.9.8a.zip answer the questions and download and open the zip file (assuming you are allowed to do so).

7. Extract files from the zip you just opened to the base apache install directory (default is “c:\program files\apache group\apache2”). Be sure you preserve the folder names when extracting (i.e., don’t just extract all the files to the same dir.)

8. Open ssl.conf in the apache configuration directory with notepad and change as follows:

a. Change “<IfDefine SSL>” to “#<IfDefine SSL>”

b. Change “</IfDefine>” to “#</IfDefine>” (last line of file)
This avoids the requirement of starting apache with the “-DSSL” parameter (which I couldn’t get to work when running apache as a service).

9. Open httpd.conf in the apache configuration directory with notepad (default is “c:\program files\apache group\apache2\conf”) and change the contents as follows:

a. Replace all “d:\test\apache2” with “c:\program files\apache group\apache2” (or whatever your base apache install directory is). Hint: Ctrl+H in notepad will allow you to do find/replace

b. Uncomment (remove “#”) from “#LoadModule dav_module modules/mod_dav.so”


Step 9b is what Subversion needs.


For the SSL part, remember to use the openssl.exe provided in the OpenSSL zip file to generate your own self-signed certificate instead of using the provided example one.


For httpd.conf, in order to use a specific IP address, use the Listen directive:


# the ip address for Apache httpd
Listen xxx.xxx.xxx.xxx:80


The SSL port 443 listen is done in ssl.conf.


For other directives, like using VirtualHost for name-based hosting, refer to the installed manual at http://localhost/manual/.


Since SSL uses port 443, in this setup only the main site configured in httpd.conf can support SSL, because only 1 IP is dedicated to Apache Httpd (SSL needs IP-based hosting). To use SSL in every virtual host, it’s necessary to give every VirtualHost its own IP address. Refer to the posts here and here for more information.


It’s possible to use the main site configuration to support SSL and configure other VirtualHosts for other HTML / PHP file-based sites in the same Apache Httpd. But then the NameVirtualHost directive should not use the same IP as the main site, or else the main site configuration will be overridden by the VirtualHost settings and never run. So just use a new IP or specify other ports for the VirtualHosts.


With the above settings, IIS 6 and Apache Httpd with SSL support should be able to run on one Windows 2003 Server box. The key points are to let IIS listen on a specific port and to dedicate one IP (or other ports) for Apache to listen on. Use the Apache main site configuration to enable SSL support for later Subversion use, while keeping VirtualHost settings on other ports for later testing of PHP and MySQL applications.




 

Test Driven Development (TDD) in Team System…

 




[via Rob Caron]


Doug Seven has a simple and easy-to-understand article that helps developers understand the concepts of Test Driven Development using Visual Studio 2005 Team System.


Test Driven Development (TDD) is not a new concept. In fact, the idea of test-first, code-second has been around for many years. In the latest release of Microsoft’s premier developer tool, Visual Studio 2005 Team System many new features have been added, including features for testing software. What does this mean to you, the serious developer? It means you now have integrated unit testing that can be leveraged for Test Driven Development.




 

Microsoft Team Foundation Server is ready…

 




[via Rob Caron]


As I have been going through changes in my career as well as my life these past weeks, I have not checked out blogs recently. It seems lots of things are still happening day by day.


Rob posted on 2006/03/17 that TFS (Team Foundation Server) is going to RTM. I also saw the announcement on the TFS website that TFS is ready for MSDN download as of 2006/03/20. I am a week late in learning this, but it should still be OK, I guess.


As all the new development tools have now RTMed, it’s about time to dig into all the documents as well as format my server to build a new-age dev environment for those new tools. As I quit my job a couple of weeks ago and am looking for new jobs (I wish I could work in Tokyo, though), I should have plenty of time for reading about and testing those new tools. Not bad for a job break and refresh!




 

Something new about MSF – Microsoft Solution Framework…

 




[via rohanthomas]


Microsoft released new MSF templates on 2006/03/17, which “are” version 8.0 templates (should serve as MSF v4), including these 2:


  • MSF for Agile Software Development
  • MSF for CMMI® Process Improvement

    For more information please go to the Microsoft MSF website. I’ve downloaded the related files and demos and will find time to dig into them.


     

HowTo: Remove / Uninstall VMWare GSX Server from a Windows Domain Controller machine…

     


    crosspost from http://rex.la/blogs/work/


    The scenario is:


    I installed VMWare GSX Server on a Windows 2003 Server box before promoting it to a DC (Domain Controller). Since GSX Server cannot be installed on a DC, it was OK at that point to install GSX Server and let it run on the box. After the GSX Server installation, I promoted the box to a Domain Controller (DC). Therefore I got a Windows 2003 Server that acts as a Domain Controller and also has the ability to host some VMs for testing environments (this box has lots of RAM to use for VMs).


    Problem arose:


    Now I would like to install VMWare Workstation 5.5 on this box. The installer told me I have to uninstall GSX Server prior to the new installation of VMWare Workstation 5.5, so I tried to remove GSX Server from Add/Remove Programs in the Control Panel. The installation program ran and, after a few checks, told me that “This product may not be installed on a Windows domain controller.” It detected that this box is now a domain controller and prevented the installer from going further. Therefore I am not able to uninstall GSX Server for now.


    HowTo solve this:


    A Google search found the following post from Christopher Miller about hacking into an MSI installer. After downloading the Orca MSI editing tool, I started to guess and find the cached GSX Server installer in the %windows%/Installer folder. After finding the right msi file, I opened it in Orca to hack into the msi database. First, find the error message in the Error section using the Edit->Find function.


    gsxremove03.jpg


    It’s associated with a key “25002”, and by searching for this key I found a custom action “VM_Err_GSX_WinNT” related to it:


    gsxremove02.jpg


    Backtracking again with this string, I found it placed in the “InstallUISequence” section.


    gsxremove01.jpg


    Finally, I also found that it appears in the LaunchCondition section.


    gsxremove04.jpg


    After removing the related items (rows) in the LaunchCondition and InstallUISequence sections, saving the msi file, closing Orca and running the msi again, the NT domain check is bypassed, so I can remove / uninstall VMWare GSX Server on a Domain Controller without problems and am then able to install VMWare Workstation 5.5.


    Orca is really a convenient tool for editing msi files and bypassing some conditions that may keep installation or uninstallation from working. A nice tool to have on hand!

