Apache + SSL + Subversion

Published: 2007-05-26

It seems I haven't updated my blog for a while. No way around it: my boss has been running me ragged lately, my head is spinning, and on top of that there is the damned graduation thesis adding to the chaos, sigh~~

To leave a little memento, I am sharing the Apache + SSL + Subversion document I put together over the last couple of days. I found that most documents online cover the setup under Windows, and there are very few for Linux. More importantly, none of them combine it with SSL. Come on, what real enterprise-grade deployment doesn't use SSL, unless it intended to be open source from the very start……


All By Our Smart Lili :)

Here are the steps we can follow; execute them in this order:

Step 1: Install OpenSSL, Apache2 & Subversion



make test
make install




./configure --enable-dav --enable-so --enable-deflate \
  --enable-ssl --with-ssl=/usr/local/ssl

make clean
make install




./configure --with-zlib --enable-ssl --with-ssl \
make clean
make install


Note: I strongly suggest using the tar packages. If you use the rpm packages, you may get an “Unrecognized URL scheme” error when accessing the Subversion repository. One of the reasons is that the dynamic linker/loader can’t find the plugins to load. So when we install Subversion, “--enable-ssl --with-ssl” is necessary.


Step 2: Create certificates

1. Prepare the certificate directory:

# cd /usr/local/apache/conf
# mkdir ssl.crt
# cd ssl.crt
# cp /usr/local/openssl/ssl/misc/CA.sh \


2. Create the self-signed Certificate Authority certificate and private key.

# ./CA.sh -newca

You will be asked to input the following information:

Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:SICHUAN
Locality Name (eg, city) [Newbury]:CHENGDU

Organization Name (eg, company) [My Company Ltd]:CUIT
Organizational Unit Name (eg, section) []:ENG
Common Name (eg, your name or your server's hostname) []:MyServerName
Email Address []:someone@somewhere.net

Now, in the directory /usr/local/apache/conf/ssl.crt/, a new directory ./demoCA has been created. ./demoCA/private/cakey.pem is the CA private key and ./demoCA/cacert.pem is the CA certificate.

3. Create the web server certificate request and private key, and sign the server certificate with the CA private key.

# openssl genrsa -des3 -out server.key 1024

# openssl req -new -key server.key -out server.csr

You will be asked to input this information again:

Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:SICHUAN
Locality Name (eg, city) [Newbury]:CHENGDU

Organization Name (eg, company) [My Company Ltd]:CUIT
Organizational Unit Name (eg, section) []:ENG
Common Name (eg, your name or your server's hostname) []:
Email Address []:someone@somewhere.com

Note: We must input the server’s hostname or IP address when asked for the Common Name; it is very important, because clients compare it against the address they connect to.

# mv server.csr newreq.pem

# ./CA.sh -sign

Now we have a server certificate named newcert.pem; rename newcert.pem to server.crt:

# mv newcert.pem server.crt

4. Generate the client certificate request and private key, and sign the client certificate with the CA private key.

# openssl genrsa -des3 -out client.key 1024

# openssl req -new -key client.key -out client.csr

# openssl ca -in client.csr -out client.crt

# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx


Step 3: Edit ssl.conf & httpd.conf


I edited my ssl.conf as below:


DocumentRoot https://192.168.?.?

ServerName 192.168.?.?:443

ServerAdmin someone@somewhere.com

Add the following lines, or delete the “#” in front of them if they are already present:

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key

SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/demoCA

SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem

SSLVerifyClient require

SSLVerifyDepth  1




Configure the Apache httpd.conf file as below:


Change “Listen 80” to “Listen” so that nobody can reach the server over plain http://192.168.?.?.

Add: “ServerAdmin someone@somewhere.com”

Add: “ServerName 192.168.?.?:443”

Change “AllowOverride None” to “AllowOverride All”


Change “AccessFileName .htaccess” to “AccessFileName /home/mysvn/.htaccess”

Add: “NameVirtualHost 192.168.?.?:443”

Add the following lines:

LoadModule dav_svn_module     modules/mod_dav_svn.so

LoadModule authz_svn_module   modules/mod_authz_svn.so

(If the two lines above already exist, please skip.)

<VirtualHost 192.168.?.?:443>
DocumentRoot "/home/mysvn"
ServerName 192.168.?.?
ServerAdmin someone@somewhere.com
SSLEngine on
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
DAV svn
SVNParentPath /home/mysvn
AuthzSVNAccessFile /home/mysvn/authz.conf
</VirtualHost>



Now we edit .htaccess as follows:


AuthType Basic

AuthName "subversion repository"

AuthUserFile /home/mysvn/.htpasswd

Require valid-user


We can use “htpasswd -c /home/mysvn/.htpasswd user_name” to create the password file and the first user; “-c” isn’t needed for the users added after that.

The file authz.conf is used to limit each user’s authority. Edit it as below:

[groups]
groupA = rchu, jhuang, mhsu, hma, jxu, tzheng, jlai, tho, lwei, sliu,
groupB = ipu,  ddong, aho, mmcgrew, jliu, jliang, khuang, vyang, azhou, kye

[xyz:/]
@groupA = rw
@groupB = rw

[t1:/]
@groupA = rw

[t2:/]
@groupB = rw


So all people can check out xyz, the members of groupA can check out t1, and the members of groupB can check out t2.
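As an added example (not code from the original post), here is a small Python resolver for the authz.conf rules described above, run against a constructed sample in the post's xyz / t1 layout. It shows two behaviours worth knowing before you trust such a file: the most specific section that names a rule for the user wins, and a section with no rule for the user falls back to the parent path rather than denying.

```python
"""Resolve Subversion authz.conf rules (the AuthzSVNAccessFile format).  Added
example, not code from the original post.  Simplified model: [groups], @group,
'*', [repo:/path] and [/path] sections; the most specific section with a rule
for the user decides (union of matching rules), otherwise the parent applies."""
import configparser
# Constructed sample, modelled on the post's xyz and t1 repositories.
SAMPLE_AUTHZ = """\
[groups]
groupA = rchu, jhuang, mhsu
groupB = ipu, ddong

[xyz:/]
@groupA = rw
@groupB = rw

[xyz:/release]
rchu = rw
ipu = r

[t1:/]
@groupA = rw
"""

def load_authz(text):
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # user and group names are case-sensitive
    cfg.read_string(text)
    return cfg

def members(cfg, group):
    """Users listed for a group (name without '@'); nested groups not expanded."""
    return {u.strip() for u in cfg.get("groups", group, fallback="").split(",") if u.strip()}

def section_rights(cfg, section, user):
    """Union of rights the rules of `section` grant `user`; None if none applies."""
    rights = None
    for rule, value in (cfg.items(section) if cfg.has_section(section) else ()):
        if rule == "*" or rule == user or (
                rule.startswith("@") and user in members(cfg, rule[1:])):
            rights = (rights or set()) | set(value.strip())  # bare '=' denies all
    return rights

def access(cfg, user, repo, path):
    """Rights (subset of {'r','w'}) of `user` on `repo:path`, walking up to '/'."""
    path = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{path}", path):  # repo-specific beats global
            rights = section_rights(cfg, section, user)
            if rights is not None:
                return rights
        if path == "/":
            return set()  # no applicable rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"  # parent directory
```

Note that ddong keeps read/write on xyz:/release even though that section does not mention her, because the section has no rule for her and so inherits from [xyz:/].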

Use “/usr/local/apache2/bin/apachectl startssl” to start Apache and “/usr/local/apache2/bin/apachectl stop” to stop it.

That’s all.

Wish you good luck!

To protect our company’s information, every “?” above is a placeholder and can be replaced by any IP address, and the same goes for the email addresses.
