Chapter 6. Server Configuration

Chapter 6. Server Configuration

Table of Contents

Overview
Network Model
Requests and Responses
Client Credentials Caching
svnserve, a custom server
Invoking the Server
Built-in authentication and authorization
Create a 'users' file and realm
Set access controls
SSH authentication and authorization
SSH configuration tricks
Initial setup
Controlling the invoked command
httpd, the Apache HTTP server
Prerequisites
Basic Apache Configuration
Authentication Options
Basic HTTP Authentication
SSL Certificate Management
Authorization Options
Blanket Access Control
Per-Directory Access Control
Disabling Path-based Checks
Extra Goodies
Repository Browsing
Other Features
Supporting Multiple Repository Access Methods

A Subversion repository can be accessed simultaneously by clients running on the same machine on which the repository resides using the file:/// method. But the typical Subversion setup involves a single server machine being accessed from clients on computers all over the office—or, perhaps, all over the world.

This section describes how to get your Subversion repository exposed outside its host machine for use by remote clients. We will cover Subversion's currently available server mechanisms, discussing the configuration and use of each. After reading this section, you should be able to decide which networking setup is right for your needs, and understand how to enable such a setup on your host computer.

Overview

Subversion was designed with an abstract network layer. This means that a repository can be programmatically accessed by any sort of server process, and the client “repository access” API allows programmers to write plugins that speak relevant network protocols. In theory, Subversion can use an infinite number of network implementations. In practice, there are only two servers at the time of writing.

Apache is an extremely popular webserver; using the mod_dav_svn module, Apache can access a repository and make it available to clients via the WebDAV/DeltaV protocol, which is an extension of HTTP. In the other corner is svnserve: a small, standalone server program that speaks a custom protocol with clients. Table 6-1 presents a comparison of the two servers.

Note that Subversion, as an open-source project, does not officially endorse any server as “primary” or “official”. Neither network implementation is treated as a second-class citizen; each server has advantages and disadvantages. In fact, it's possible for different servers to run in parallel, each accessing your repositories in its own way, and each without hindering the other (see the section called “Supporting Multiple Repository Access Methods”). Table 6.1, “Network Server Comparison” gives a brief overview and comparison of the two available Subversion servers—as an administrator, it's up to you to choose whatever works best for you and your users.

Table 6.1. Network Server Comparison

FeatureApache + mod_dav_svnsvnserve
Authentication optionsHTTP(S) basic auth, X.509 certificates, LDAP, NTLM, or any other mechanism available to Apache httpdCRAM-MD5 or SSH
User account optionsprivate 'users' fileprivate 'users' file, or existing system (SSH) accounts
Authorization optionsblanket read/write access, or per-directory read/write controlblanket read/write access, or per-directory write (but not read) control using a pre-commit hook
Encryptionvia optional SSLvia optional SSH tunnel
Interoperabilitypartially usable by other WebDAV clientsnot interoperable
Web viewinglimited built-in support, or via 3rd-party tools such as ViewVCvia 3rd-party tools such as ViewVC
Speedsomewhat slowersomewhat faster
Initial setupsomewhat complexfairly simple