The previous article covered how to connect Subversion and Trac to Apache. If you only use Trac, you only need to configure the Trac accounts.
However, for a team, accessing the SVN repository or Trac directly over a local LAN or a public network is not safe. If the network is being monitored, any submitted information may be captured, which is why HTTPS exists.
Therefore, before exploring Trac further, we must first discuss how to securely configure the application lifecycle management system built from Apache-based Subversion and Trac.
Before you start, if you haven't read my previous article, "TRAC note (1): Install TRAC in Windows", please take a look.
1) Configure SSL-based Apache
As we all know, all HTTP content is transmitted in plain text, which makes things easy for malicious activity such as viruses and account theft. Many people may have seen the following prompt in the browser when logging on to a website:
It reminds the user that they are entering an HTTPS secure connection, in which case the information will not leak.
The goal of this section is to configure Apache to use SSL, so that when Trac and SVN are in use, other users cannot capture data packets to obtain account credentials and then cause damage.
1.1) Install Apache with OpenSSL
Download and install Apache integrated with OpenSSL.
1.2) Create a security certificate
Run the following command in the D:\apache\bin directory and follow the prompts to fill in the requested information:
openssl req -config ../conf/openssl.cnf -new -out server.csr
This command generates an unsigned certificate request, producing the files server.csr and privkey.pem.
Then generate the private key, server.key:
openssl rsa -in privkey.pem -out server.key
Sign the certificate (self-signed with server.key, valid for 9999 days):
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 9999
Finally, delete .rnd and privkey.pem, and either save server.csr to a safe place or delete it.
Copy the remaining server.crt and server.key to the directory D:\apache\conf.
1.3) Configure Apache SSL
Copy D:\apache\conf\extra\httpd-ssl.conf to D:\apache\conf\ssl.conf.
Modify:
SSLMutex "file:D:/Apache/logs/ssl_mutex"
To:
Modify:
<VirtualHost _default_:443>
To:
You may also need to modify SSLCertificateFile and SSLCertificateKeyFile so that they point to the server.crt and server.key files described above.
Modify httpd.conf to load the SSL module:
LoadModule ssl_module modules/mod_ssl.so
Add the following line to the end of httpd.conf:
Start Apache. If it starts successfully and pages can be accessed without problems, the configuration has succeeded.
Notes:
While configuring Apache, I ran into the problem that Apache could never be started. After checking, I found that QQ was occupying port 443.
Therefore, if Apache cannot be started during configuration, use the netstat command or another tool (IceSword, TCPView, etc.) to check which process is using the port; if 443 is occupied by software such as QQ, close that program.
2) Subversion Security Configuration
As described in the previous section, modify SVN access control as follows:
<Location /svn/>
    DAV svn
    SVNParentPath "G:\ALM\SVN"
    SVNListParentPath on
    AuthzSVNAccessFile "G:\ALM\authz\svn.acp"
    SSLRequireSSL
    AuthType Basic
    AuthName "Authorization Realm"
    AuthUserFile "G:\ALM\authz\users.acp"
    Require valid-user
</Location>
In the above configuration, the svn.acp file uses the same format as the /repos/conf/authz file that Subversion uses to manage user groups and access permissions.
users.acp is created with D:\apache\bin\htpasswd.exe and is used by both Trac and SVN, so that the two share the same user accounts.
With this configuration, the entire SVN repository must be accessed through HTTPS, which is highly secure.
3) TRAC Security Configuration
Trac already provides most of what is needed to authenticate users. We only need to configure the login mechanism.
3.1) Security Configuration
<Location /trac/login>
    AuthType Basic
    AuthName "Trac Login"
    AuthUserFile G:\ALM\authz\users.acp
    Require valid-user
</Location>
This uses the same account file as SVN.
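An added audit example (not from the original article): a small Python parser that reads `<Location>` blocks like the two above and reports which Basic-auth locations set SSLRequireSSL themselves and which, like the Trac login, depend only on the redirect configured in section 3.2 to reach HTTPS. The sample configuration is constructed from this article's blocks, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the two <Location> blocks from this article.
SAMPLE_CONF = r'''
<Location /svn/>
    DAV svn
    AuthzSVNAccessFile "G:\ALM\authz\svn.acp"
    SSLRequireSSL
    AuthType Basic
    AuthName "Authorization Realm"
    AuthUserFile "G:\ALM\authz\users.acp"
    Require valid-user
</Location>
<Location /trac/login>
    AuthType Basic
    AuthName "Trac Login"
    AuthUserFile G:\ALM\authz\users.acp
    Require valid-user
</Location>
'''

BLOCK_RE = re.compile(r'<Location\s+"?([^">]+)"?\s*>(.*?)</Location>', re.I | re.S)

def parse_locations(conf):
    """Return {path: {lowercased directive: argument}} for each <Location> block."""
    blocks = {}
    for path, body in BLOCK_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if not parts or parts[0].startswith('#'):
                continue
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ''
        blocks[path.strip()] = directives
    return blocks

def audit_basic_auth(conf):
    """Map each Basic-auth location to True when SSLRequireSSL is set in it."""
    return {path: 'sslrequiressl' in d
            for path, d in parse_locations(conf).items()
            if d.get('authtype', '').lower() == 'basic'}

def shared_user_files(conf):
    """Return the set of AuthUserFile paths in use (one entry = shared accounts)."""
    return {d['authuserfile'].lower() for d in parse_locations(conf).values()
            if 'authuserfile' in d}

if __name__ == '__main__':
    for path, guarded in audit_basic_auth(SAMPLE_CONF).items():
        print(path, 'SSLRequireSSL set' if guarded else 'protected by redirect only')
```

Run against a real httpd.conf, a location reported as "protected by redirect only" is one where a mistake in the rewrite rules would let Basic credentials travel over plain HTTP.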
3.2) Use HTTPS for login
Plaintext HTTP leaks information easily. Therefore, the login URL must be served over HTTPS.
Uncomment the following module in httpd.conf to enable redirection:
LoadModule rewrite_module modules/mod_rewrite.so
Add the following code to the end of httpd.conf to redirect login to HTTPS:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(/trac/login)$ https://%{SERVER_NAME}$1 [L,R]
Change the following code in ssl.conf:
To:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^8080$
# A negated pattern captures nothing, so $1 would be empty; %{REQUEST_URI} keeps the requested path
RewriteRule !^/trac/login$ http://%{SERVER_NAME}:8080%{REQUEST_URI} [L,R]
</VirtualHost>
The effect of the above configuration is to redirect to HTTPS when the Trac login is requested. Any URL other than the Trac login is redirected to HTTP.
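The intended behaviour of the two rule sets, as an added Python model (not part of the original article, and not Apache's own implementation): it decides the redirect for a given port and path and follows redirects to confirm the pair cannot loop. The host name `alm.example` is constructed; port 8080 for plain HTTP is taken from the rule above.

```python
import re

HOST = 'alm.example'  # constructed host name

RULES = [
    # httpd.conf: login requested on any port other than 443 -> HTTPS
    {'not_port': 443, 'negate': False, 'pattern': r'^/trac/login$',
     'target': 'https://' + HOST},
    # ssl.conf: anything except login, on any port other than 8080 -> HTTP:8080
    {'not_port': 8080, 'negate': True, 'pattern': r'^/trac/login$',
     'target': 'http://' + HOST + ':8080'},
]

def redirect_for(port, path):
    """Return the redirect URL the rules produce, or None if served as-is."""
    for rule in RULES:
        if port == rule['not_port']:      # RewriteCond %{SERVER_PORT} !^N$ fails
            continue
        matched = re.search(rule['pattern'], path) is not None
        if matched != rule['negate']:     # "!" in RewriteRule inverts the match
            return rule['target'] + path
    return None

def final_location(port, path, max_hops=5):
    """Follow redirects until a request is served; raise if they never settle."""
    for _ in range(max_hops):
        url = redirect_for(port, path)
        if url is None:
            scheme = 'https' if port == 443 else 'http'
            suffix = '' if port == 443 else ':%d' % port
            return '%s://%s%s%s' % (scheme, HOST, suffix, path)
        port = 443 if url.startswith('https://') else 8080
    raise RuntimeError('redirect loop for ' + path)

if __name__ == '__main__':
    # Constructed sample requests: (port, path)
    for port, path in [(8080, '/trac/login'), (443, '/trac/wiki'),
                       (8080, '/trac/wiki'), (443, '/svn/repo')]:
        print(port, path, '->', final_location(port, path))
```

In this model an HTTPS request for a /svn/ URL is also sent to port 8080, where SSLRequireSSL refuses it; an additional `RewriteCond %{REQUEST_URI} !^/svn/` in the port-443 rule set would keep Subversion traffic on HTTPS.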
4) Conclusion
Now, the TRAC system has been basically installed, but it is still not enough. In the next section, I will introduce some basic concepts in the TRAC system and how to manage TRAC permissions.
Warning: TRAC 0.11b1 is used in this article. It is not guaranteed that the content of this article applies to other versions.
We also do not recommend deploying this beta version in a production environment. If you encounter any problems, the author is not responsible.
If you have any questions, please mail me: rszealic {at} gmail.com
Copyright: The author reserves the right to modify and publish this article. Anyone who wants to repost part or all of this article must retain three pieces of information: the author (zealic), the source, and the copyright notice. Quoting from this article is unrestricted.