SETTING UP CVS/SVN/HTTP/HTTPS ON YOUR HOME MACHINE

If you have any feedback about better ways of doing the same, please let me know and I will update the page accordingly.

PROVIDING A DOMAIN NAME FOR YOUR HOME MACHINE

ISPs typically provide two kinds of IP address plans for their customers: dynamic and static addresses. Most people use dynamic IP addresses because they are 2-3 times cheaper as compared to static IP addresses. This means that the IP address of your machine (or the external IP address of your router if you have one) is given to you only for a lease of time. Once this expires, a new IP address will be given. In this section, we will see how we can get a static hostname mapping for your machine inspite of having a dynamic IP address.

To get a static hostname, you will need to first create an account at http://www.dyndns.com. These accounts are free. Once logged in, update your account by providing information about your home machine and choosing a static hostname from the options provided.

Once your account is setup and configured, the next step is to setup your home router or machine to update your DynDNS account whenever you get a new IP address. Most routers available in the market already support this capability, so first check if your router does this. If it does, all you have to do is enter your DynDNS account information in your router's web interface and you are done. If it doesn't, you will have to use a third party software to provide the same functionality. You can find some such software here: (http://www.dyndns.com/support/clients).

DIRECTORY STRUCTURE SETUP

I don't like the way the groups structure is setup by Ubuntu by default. So, I changed a bunch of things to suit my taste better.

$ sudo mkdir -m 775 /home/cvs /home/svn /home/http /home/http/cgi $ sudo chmod g+s /home/cvs /home/svn /home/http /home/http/cgi $ sudo chgrp users /home/cvs /home/svn /home/http /home/http/cgi

SECURE SSH ACCESS TO THE SERVER

The default SSH configuration is quite safe to be used in a private environment. But, for a server which is exposed to the outside world, a few changes to the settings might be useful. Here are the changes I made:

• Install SSH and OpenSSH-Server packages

  $ sudo apt-get install ssh openssh-server

• Remove remote root login permissions

  $ sudo vim -c "%s/PermitRootLogin yes/PermitRootLogin no/g" -c ":wq" /etc/ssh/sshd_config

• Remove RSA permissions for ssh (DSA is a more secure and safer to use)

  $ sudo vim -c "%s/RSAAuthentication yes/RSAAuthentication no/g" -c ":wq" /etc/ssh/sshd_config

• Disallow password authentication (public keys are more difficult to hack)

  $ sudo vim -c "%s/\#PasswordAuthentication yes/PasswordAuthentication no/g" -c ":wq" /etc/ssh/sshd_config

• Restart the SSH daemon

  $ sudo /etc/init.d/ssh restart

CVS SERVER

Installing the CVS server is the easiest of the lot. The following command should do it:

• Initialize the CVS server.

  $ sudo cvs -d /home/cvs init

• Create a test module and verify that the CVS server is accessible. This requires the users to have accounts on your machine (and the SSH public key setup, as we have disabled password based login).

  $ mkdir test && cd test && cvs -d /home/cvs import vendor release && cd .. && rm -rf test $ cvs co [your_machine_name]:/home/cvs/test

SVN SERVER

This section describes how to setup the SVN server. It allows access in one of two ways -- over SSH or using Apache.

• Install the required packages.

  $ sudo apt-get install libapache2-svn libneon26 libsvn1 subversion subversion-tools

• Setup the SVN server.

  $ sudo svnadmin create /home/svn

• SVN creation doesn't seem to carry the appropriate permissions from the base directory for the internal directories and files. So, we set them explicitly.

  $ sudo bash -c "find /home/svn | xargs file | grep directory | cut -f1 -d':' | xargs chmod g+wx" $ sudo bash -c "find /home/svn | xargs file | grep -v directory | cut -f1 -d':' | xargs chmod g+w"

• Give appropriate users permissions for different projects or directories and files. These permissions are provided in the /home/svn/conf/authz file. Here is a copy of the file I use.
  
  
• Accessing the SVN over SSH. This requires the users to have accounts on your machine (and the SSH public key setup, as we have disabled password based login).

  $ svn co svn+ssh://[your_machine_name]/home/svn

HTTP SERVER

I used apache2 as the HTTP server. Here are the steps I followed:

• Install the required packages

  $ sudo apt-get install apache2 apache2-mpm-worker apache2-utils apache2.2-common libapr1 libaprutil1 libpcre3 libpq5

• Add the ServerName information to the configuration

  $ sudo bash -c "echo ServerName \"XXXXXX\" >> /etc/apache2/apache2.conf"

• Cleanup the HTTP sites configuration (/etc/apache2/sites-available/default). I use /home/http as the DocumentRoot (location where the files corresponding to the website are placed) and delete the default location used by apache2 (/var/www). Here is a copy that I use.

  $ sudo rm -rf /var/www

• Restart the apache2 server

  $ sudo /etc/init.d/apache2 restart

• Verify the server works fine.

  $ wget http://www.google.com -O /home/http/test-index.html $ firefox http://[your_domain_name]/test-index.html

HTTPS SERVER

Enable SSL request handling for the server.

• Create a base SSL configuration. We'll edit this as per our needs.

  $ sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl $ sudo ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl

• Create an SSL certificate for the site.

  $ sudo mkdir ssl $ sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf ssl/apache.pem

• Add details to specify the SSL apache module and the SSL certificate that should be used to the SSL configuration (/etc/apache2/sites-enabled/ssl). Here is a copy that I use.
  
  

• Configure the apache server to listen for HTTPS requests too by setting the appropriate listen port (443).

  $ sudo bash -c "echo Listen 443 >> /etc/apache2/ports.conf"

• Restart the apache2 server

  $ sudo /etc/init.d/apache2 restart

• Verify the server works fine.

  $ wget http://www.google.com -O /home/http/test-index.html $ firefox https://[your_domain_name]/test-index.html

ACCESSING THE SVN SERVER THROUGH APACHE WEBDAV

Using SSH to access your SVN server requires all SVN users to have login accounts on your home machine. You might or might not want this. Further, maintaining SSH keys for everyone can be a big headache. Luckily, SVN also provides an alternative approach for accessing it, using Apache2 Webdav. The advantage of this method is that you don't necessarily have to give all users who want to use the SVN an account on your machine. Apache maintains a separate user account system, that you can use.

• Create Apache accounts for everyone who wants to use the SVN.

  $ sudo htpasswd -c -m /home/svn/conf/dav_svn.passwd USER_TO_ADD

• Edit /etc/apache2/sites-available/ssl to add the following within the VirtualHost structure.

  <Location /svn>         DAV svn         SVNPath /home/svn         AuthType Basic         AuthName "SVN Repository"         AuthUserFile /home/svn/conf/dav_svn.passwd         Require valid-user         AuthzSVNAccessFile /home/svn/conf/authz </Location>

• Restart the apache2 server

  $ sudo /etc/init.d/apache2 restart

• Verify the server works fine.

  $ svn co https://[your_domain_name]/svn

SVN PASSWORD CHANGING CAPABILITY FOR INDIVIDUAL USERS

Typically SVN account passwords have to managed by the system administrator. This is inconvenient and not safe in general. Since SVN does not provide direct capability to allow users to modify their own passwords, here is a simple hack to do this. We first enable execution of CGI scripts for Apache. This can be a security risk, so we try to keep the permissions as restricted as possible.

• Enable CGI scripts (STEP 1): Edit /etc/apache2/apache2.conf to allow CGI and Perl scripts.

  $ sudo vim -c "%s/#AddHandler cgi-script .cgi/AddHandler cgi-script .cgi .pl/g" -c ":wq" /etc/apache2/apache2.conf

• Enable CGI scripts (STEP 2): Restrict CGI script execution to within a directory and only for authenticated users. Edit /etc/apache2/sites-enabled/ssl to add the following within the virtual host structure

  <Directory /home/http/cgi/*>         AuthType Basic         AuthName "SVN Repository"         AuthUserFile /home/svn/conf/dav_svn.passwd         Require valid-user         Options ExecCGI -MultiViews +SymLinksIfOwnerMatch         AllowOverride None </Directory>

• Setup a perl script to allow users to change their password. Here is the original version of the script that I found to do this. Here is a slightly modified version of the same script that I use. If you are using a different path to your Webdav authentication file, you'll need to modify this script to reflect that.

  $ sudo wget http://www.kluge.net/~felicity/random/htpasswd-pl.txt -O /home/http/cgi/htpasswd.pl $ sudo chmod +x /home/http/cgi/htpasswd.pl

• Give passwordless sudo permissions to www-data to allow the above script to work.

  $ sudo bash -c "echo www-data ALL=NOPASSWD: ALL >> /etc/sudoers"

FEEDBACK

You are all set. Have fun! Please do let me know your experiences, comments and suggestions. Especially, if I missed any setting or if there is a better way of doing the same, please let me know.