好像有一段時(shí)間沒有Update my blog了,沒辦法,近被Boss催的團(tuán)團(tuán)轉(zhuǎn),暈的很,而且還有該死的畢業(yè)論文來添亂,哎~~
為了留下點(diǎn)紀(jì)念,把前兩天配置的Apache + SSL + Subversion的文檔奉獻(xiàn)出來,我發(fā)現(xiàn)網(wǎng)上大部分文檔都是在Windows下配置的,在Linux下的配置文檔很少;而且其中一個(gè)重要的問題是它們都沒有與SSL相結(jié)合,我ft,真正企業(yè)級(jí)的應(yīng)用哪有不用SSL的,除非從一開始它想開源……
All By Our Smart Lili :)
Here are the steps we can follow, execut them in the order:
Step1:Install OpenSSL, Apache2 & Subversion
OpenSSL:
--------------------------------------------------------------------------------------
./config
make
make test
make install
--------------------------------------------------------------------------------------
Apache2:
--------------------------------------------------------------------------------------
./configure --enable-dav --enable-so --enable-deflate
--enable-ssl --with-ssl=/usr/local/ssl
make clean
make
make install
--------------------------------------------------------------------------------------
Subversion
--------------------------------------------------------------------------------------
./configure --with-zlib --enable-ssl --with-ssl
--with-libs=/usr/local/ssl:/usr/local/ssl/lib:/usr/local/lib:/usr/lib:/lib
make clean
make
make install
--------------------------------------------------------------------------------------
Note: Strongly suggest using tar package, if using rpm package, you maybe get an error about an “Unrecognized URL scheme” when aclearcase/" target="_blank" >ccess to subversion repository. One of the reasons is the dynamic linker/loader can’t find the plugins to load. So when we install subversion , “--enable-ssl --with-ssl” is necessary.
Step2: create certificate
1. # cd /usr/local/apache/conf
# mkdir ssl.crt
#cd ssl.crt
# cp /usr/local/openssl/ssl/misc/CA.sh
/usr/local/apache/conf/ssl.crt/CA.sh
2. Create self-signed Certificate Authority certificate/private key.
# ./CA.sh –newca
You will be asked to input these information:
MILY: Verdana">Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:SICHUAN
Locality Name (eg, city) [Newbury]:CHENGDU
Organization Name (eg, company) [My Company Ltd]:CUIT
Organizational Unit Name (eg, section) []:ENG
Common Name (eg, your name or your server's hostname) []:MyServerName
Email Address []:someone@somewhere.net
Now in the directory /usr/local/apache/conf/ssl.crt/, a new directory ./demoCA is created. ../demoCA/private/cakey.pem is the private key and ../demoCA/cacert.pem is the certificate.
3.Create web server certificate request and private key, and to sign server certificate using CA private key.
# openssl genrsa -des3 -out server.key 1024
#openssl req -new -key server.key -out server.csr
You will be asked to input these information again:
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:SICHUAN
Locality Name (eg, city) [Newbury]:CHENGDU
Organization Name (eg, company) [My Company Ltd]:CUIT
Organizational Unit Name (eg, section) []:ENG
Common Name (eg, your name or your server's hostname) []:192.168.?.?
Email Address []:someone@somewhere.com
Note: We must input server’s hostname or IP when asked input common name, it is very important.
# mv server.csr newreq.pem
# ./CA.sh –sign
Now we get a server certificate named newcert.pem, rename newcert.pem as server.crt:
#mv newcert.pem server.crt
4. Generate client certificate request and private key, and to sign client certificate using CA private key.
# openssl genrsa -des3 -out client.key 1024
# openssl req -new -key client.key -out client.csr
#openssl ca -in client.csr -out client.crt
#openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Step3: Edit ssl.conf & httpd.conf
Ssl.conf:
I edit my ssl.conf as below:
---------------------------------------------------------------------------------
DocumentRoot https://192.168.?.?
ServerName 192.168.?.?:443
ServerAdmin someone@somewhere.com
Add the following lines or delete “#” before them:
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/demoCA
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
--------------------------------------------------------------------------------
Httpd.conf:
Configurate the Apache httpd.conf file as below:
---------------------------------------------------------------------------------
Change from “Listen 80” à“Listen 127.0.0.1:80” to limit somebody access to server by http://192.168.?.?.
Add: “ServerAdmin someone@somewhere.com”
Add: “ServerName 192.168.?.?:443”
Change from “AllowOverride None” à “AllowOverride All”
Change from “” à“”
Change from “AccessFileName.htaccess” à“AccessFileName /home/mysvn/.htaccess”
Add :“NameVirtualHost 192.168.?.?:443”
Put the following lines into :
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
(If the two lines above already exist, please skip.)
VirtualHost 192.168.?.?:443>
DocumentRoot "/home/mysvn"
ServerName 192.168.?.?
ServerAdmin someone@somewhere.com
SSLEngine on
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/demoCA/cacert.pem
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
DAV svn
SVNParentPath /home/mysvn
AuthzSVNAccessFile /home/mysvn/authz.conf
---------------------------------------------------------------------------------
Now we edit .htaccess as the following:
---------------------------------------------------------------------------------
AuthType Basic
AuthName "subversion repository"
AuthUserFile /home/mysvn/.htpasswd
Require valid-user
---------------------------------------------------------------------------------
.We can use “htpasswd –c /home/mysvn/.htpasswd user_name” to create user and password for the first time, “-c ” isn’t needed after that.
The file authz.conf can be used to limite user’s authority. Edit as below:
---------------------------------------------------------------------------------
[groups]
groupA = rchu, jhuang, mhsu, hma, jxu, tzheng, jlai, tho, lwei, sliu,
groupB = ipu, ddong, aho, mmcgrew, jliu, jliang, khuang, vyang, azhou, kye
[xyz:/]
@groupA = rw
@groupB = rw
[t1:/]
@groupA = rw
[t2:/]
@groupB = rw
---------------------------------------------------------------------------------
So all people can checkout xyz, the numbers of groupA can checkout t1 , the numbers of groupB can checkout t2.
Use “/usr/local/apache2/bin/apachetl startssl ” to start apache, “/usr/local/apache2/bin/apachetl stop” to stop it.
That’s all.
Wish you good luck!
For protect our company information, all "?" can be replaced by any ip address like and so are emails.
