Posts Tagged ‘Security’

How-To Set Up SVN and Trac

February 2, 2010

What are SVN and Trac?

SVN: a free/open-source version control system. Subversion (SVN) manages files and directories over time. Files are placed into a central repository, and every change ever made to the files or directories is remembered.

Trac: an enhanced wiki and issue tracking system for software development projects. It provides a graphical front end to SVN where diffs of files can be viewed. It cannot update the SVN repository; it simply provides a project management interface, wiki, ticketing system, and SVN front end.

Installation

sudo apt-get install apache2
sudo apt-get install subversion
sudo apt-get install libapache2-svn
sudo apt-get install trac
sudo apt-get install libapache2-mod-fastcgi libapache2-mod-fcgid

Setting Up SVN and Trac

To keep things simple and flexible in case you want to make changes in the future, the configurations are placed in individual files (i.e. as virtual sites) that can be enabled or disabled as needed.

1-Creating SVN Repository:

cd /var
sudo mkdir MyProjects
cd MyProjects
sudo mkdir svn
cd svn
sudo svnadmin create SVN_Project_01
sudo chown -R www-data:www-data /var/MyProjects

2-Setting Up Trac

cd /var/MyProjects/
sudo mkdir trac
cd trac
sudo trac-admin Trac_Project_01 initenv
-->Project Name [My Project]>
-->Database connection string [sqlite:db/trac.db] (choose defaults)
-->Repository type [svn]>
-->Path to repository [/path/to/repos]> /var/MyProjects/svn/SVN_Project_01
sudo chown -R www-data:www-data /var/MyProjects
sudo trac-admin /var/MyProjects/trac/Trac_Project_01 permission add username MILESTONE_ADMIN REPORT_ADMIN ROADMAP_ADMIN TICKET_ADMIN TRAC_ADMIN

Setting Up Apache:

At this stage, we need to secure web access to the repository so that only authorized persons can modify it, enable SSL so that the connection is encrypted, and modify the Apache configuration accordingly:

Securing Web Access

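  1. Enable authenticated access by adding a username and password. The file must be the one that AuthUserFile points to in the configurations below:
    sudo htpasswd -cb /etc/apache2/.htpasswd username password
    Note that -c creates the file from scratch, so use it only for the first user, and that -b takes the password on the command line, where it ends up in the shell history and the process list; leave -b out to be prompted for it instead.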
    
  2. Enabling the SSL Module:
    Refer to this blog: How-To Enable SSL on Apache2 Server

Trac Configurations

Note: You will need to download the Trac package and point the configuration at its cgi-bin/trac.cgi and cgi-bin/trac.fcgi files.
In my case, this is the path to these files after extracting:

ls /usr/local/Trac-0.11.6/cgi-bin

Create all of the following files, or just the one you intend to use:

Trac through CGI
cd /etc/apache2/sites-available/
sudo tee svn.cgi > /dev/null
##SVN

<Location /MyProjects/svn/SVN_Project_01>
	DAV svn
	SVNPath /var/MyProjects/svn/SVN_Project_01

	AuthType Basic
	AuthName "Subversion Repository - SVN_Project_01"
	AuthUserFile /etc/apache2/.htpasswd

#	<LimitExcept GET PROPFIND OPTIONS REPORT>
		Require valid-user
		SSLRequireSSL
#	</LimitExcept>
</Location>


##Trac

ScriptAlias /MyProjects/trac /usr/local/Trac-0.11.6/cgi-bin/trac.cgi
<Location /MyProjects/trac>
	SetEnv TRAC_ENV_PARENT_DIR /var/MyProjects/trac
</Location>

<Location "/MyProjects/trac">
        SSLRequireSSL
        AuthType Basic
        AuthName "Trac Login for Projectname Website"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
</Location>


<Location "/MyProjects/trac/Trac_Project_01/login">
	SSLRequireSSL
	AuthType Basic
	AuthName "Trac Login for Projectname Website"
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user
</Location>

Trac through FCGI
cd /etc/apache2/sites-available/
sudo tee svn.fcgi > /dev/null
##SVN

<Location /MyProjects/svn/SVN_Project_01>
	DAV svn
	SVNPath /var/MyProjects/svn/SVN_Project_01

	AuthType Basic
	AuthName "Subversion Repository - SVN_Project_01"
	AuthUserFile /etc/apache2/.htpasswd

#	<LimitExcept GET PROPFIND OPTIONS REPORT>
		Require valid-user
		SSLRequireSSL
#	</LimitExcept>
</Location>



##Trac

ScriptAlias /MyProjects/trac /usr/local/Trac-0.11.6/cgi-bin/trac.fcgi
##fastcgi
#FastCgiConfig -initial-env TRAC_ENV=/var/MyProjects/trac/Trac_Project_01
#FastCgiConfig -initial-env TRAC_ENV_PARENT_DIR=/var/MyProjects/trac

##fcgi
DefaultInitEnv TRAC_ENV_PARENT_DIR /var/MyProjects/trac

#<Location "/MyProjects/trac">
	##fastcgi
	#SetEnv TRAC_ENV_PARENT_DIR "/var/MyProjects/trac"
	#SetEnv TRAC_ENV "/var/MyProjects/trac/Trac_Project_01"
	#AddHandler fastcgi-script .fcgi

	#AuthType Basic
        #AuthName "Trac Repository - Trac_Project_01"
        #AuthUserFile /etc/apache2/.htpasswd
	#Require valid-user
	#SSLRequireSSL
#</Location>

<Location "/MyProjects/trac/Trac_Project_01/login">
	SSLRequireSSL
	AuthType Basic
	AuthName "Trac Login for Projectname Website"
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user
</Location>

Trac through FastCGI
cd /etc/apache2/sites-available/
sudo tee svn.fastcgi > /dev/null
##SVN

<Location /MyProjects/svn/SVN_Project_01>
	DAV svn
	SVNPath /var/MyProjects/svn/SVN_Project_01

	AuthType Basic
	AuthName "Subversion Repository - SVN_Project_01"
	AuthUserFile /etc/apache2/.htpasswd

#	<LimitExcept GET PROPFIND OPTIONS REPORT>
		Require valid-user
		SSLRequireSSL
#	</LimitExcept>
</Location>



##Trac

ScriptAlias /MyProjects/trac /usr/local/Trac-0.11.6/cgi-bin/trac.fcgi
#FastCgiConfig -initial-env TRAC_ENV=/var/MyProjects/trac/Trac_Project_01
FastCgiConfig -initial-env TRAC_ENV_PARENT_DIR=/var/MyProjects/trac

#DefaultInitEnv TRAC_ENV /var/MyProjects/trac/Trac_Project_01

<Location "/MyProjects/trac">
	#SetEnv TRAC_ENV_PARENT_DIR "/var/MyProjects/trac"
	#SetEnv TRAC_ENV "/var/MyProjects/trac/Trac_Project_01"
	AddHandler fastcgi-script .fcgi

	#AuthType Basic
        #AuthName "Subversion Repository - SVN_Project_01"
        #AuthUserFile /etc/apache2/.htpasswd
	#Require valid-user
	#SSLRequireSSL
</Location>

<Location "/MyProjects/trac/Trac_Project_01/login">
	SSLRequireSSL
	AuthType Basic
	AuthName "Trac Login for Projectname Website"
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user
</Location>

Trac through Python
cd /etc/apache2/sites-available/
sudo tee svn.python > /dev/null
##SVN

<Location /MyProjects/svn/SVN_Project_01>
	DAV svn
	SVNPath /var/MyProjects/svn/SVN_Project_01
	
	AuthType Basic
	AuthName "Subversion Repository - SVN_Project_01"
	AuthUserFile /etc/apache2/.htpasswd
	
#	<LimitExcept GET PROPFIND OPTIONS REPORT>
		Require valid-user
		SSLRequireSSL
#	</LimitExcept>
</Location>


##Trac

<Location /MyProjects/trac>
	SetHandler mod_python
	PythonInterpreter main_interpreter
	PythonHandler trac.web.modpython_frontend
	PythonOption TracEnvParentDir /var/MyProjects/trac
	PythonOption TracUriRoot /MyProjects/trac
	
	#SSLRequireSSL
	#AuthType Basic
	#AuthName "Trac Login for Projectname Website"
	#AuthUserFile /etc/apache2/.htpasswd
	#Require valid-user
</Location>

<Location "/MyProjects/trac/Trac_Project_01/login">
	SSLRequireSSL
	AuthType Basic
	AuthName "Trac Login for Projectname Website"
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user
</Location>

After that, you will need to enable ONLY one of them:

sudo a2ensite svn.cgi

Or

sudo a2ensite svn.fcgi

Or

sudo a2ensite svn.fastcgi

Or

sudo a2ensite svn.python

Finally, reload the Apache server:

sudo /etc/init.d/apache2 reload

Try to open these links:
https://localhost/MyProjects/svn/SVN_Project_01
https://localhost/MyProjects/trac
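
A consistency check for the site files above, as an added example that is not part of the original post: Basic authentication sends the password merely base64-encoded, so every <Location> that sets AuthType Basic should also carry SSLRequireSSL, a Require directive, and an AuthUserFile naming the file created with htpasswd. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint Basic-auth <Location> blocks.
# Usage: audit_locations /etc/apache2/.htpasswd < /etc/apache2/sites-available/svn.cgi
# Prints one finding per line and nothing when every block is consistent.
audit_locations() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                      # commented-out directives do not count
        tolower($1) == "<location" {
            loc = $2; gsub(/[">]/, "", loc)      # strip quotes and the closing bracket
            basic = 0; ssl = 0; req = 0; userfile = ""
        }
        tolower($1) == "authtype" && tolower($2) == "basic" { basic = 1 }
        tolower($1) == "sslrequiressl" { ssl = 1 }
        tolower($1) == "require"       { req = 1 }
        tolower($1) == "authuserfile"  { userfile = $2; gsub(/"/, "", userfile) }
        tolower($1) == "</location>" && basic {
            if (!ssl) print loc ": Basic auth without SSLRequireSSL"
            if (!req) print loc ": AuthType set but no Require directive"
            if (userfile != want) print loc ": AuthUserFile " userfile " is not " want
        }
    '
}

# Constructed sample modelled on the site files above; the second block is
# deliberately inconsistent (SSLRequireSSL commented out, different password file).
sample_config() {
    cat <<'EOF'
<Location /MyProjects/svn/SVN_Project_01>
    DAV svn
    SVNPath /var/MyProjects/svn/SVN_Project_01
    AuthType Basic
    AuthName "Subversion Repository - SVN_Project_01"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
    SSLRequireSSL
</Location>
<Location "/MyProjects/trac/Trac_Project_01/login">
    #SSLRequireSSL
    AuthType Basic
    AuthName "Trac Login for Projectname Website"
    AuthUserFile /etc/apache2/passwords
    Require valid-user
</Location>
EOF
}

sample_config | audit_locations /etc/apache2/.htpasswd
```

The check only looks at directives written directly inside each <Location> block and ignores commented-out lines, so a block whose protection has been commented out is reported as unprotected.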

Next

You will need to configure your preferred IDE with the created SVN repository if it supports synchronization with SVN repositories. In my case as a Java/Java EE Developer, I'll refer to the most known open IDEs which are: NetBeans and Eclipse. SVN is just a little part of them to control versioning!

Hence, this would help you get a well managed and organized development environment!

How-To Enable SSL on Apache2 Server

January 13, 2010

Why Enable SSL Mode?

Without digressing too much into the security topic, SSL (Secure Sockets Layer) is a cryptographic protocol that provides security for communications over networks such as the Internet. You need such a protocol to protect your connection to the web server by encrypting the information being exchanged, so that if a sniffer taps into the connection, that information is not compromised. For example, logging in to your machine remotely requires you to submit your username and password. If the connection is not encrypted with one of the cryptographic protocols, this must-be-kept-secret information is exposed, and imagine the impact on your system if it ended up in somebody else's hands!

So, let’s discuss the steps of how to enable the SSL mode:

  1. Generate a Self-Signed Certificate
    cd /etc/apache2/
    sudo mkdir certs
    cd ./certs
    sudo openssl req -new -x509 -nodes -days 365 -out server.crt -keyout server.key
    
  2. Encrypt the Private Key (Optional)
    This is done by supplying a "passphrase":

    sudo openssl rsa -des3 -in server.key -out server.key
    

    Note: I tend not to do this step due to the fact that when Apache2 is restarted you will be asked to type the passphrase again. Therefore, I just change the key and certificate files' permissions so they can only be read by Apache2!

  3. Enable the SSL Modules
    You can either enable the SSL Module by running these commands:

    sudo a2enmod ssl
    sudo /etc/init.d/apache2 restart
    

    OR if you are curious about what it does you can do the following steps instead:

    cd /etc/apache2/mods-enabled
    sudo ln -s /etc/apache2/mods-available/ssl.load ./
    sudo /etc/init.d/apache2 restart
    
  4. Create the SSL Site
    sudo pico /etc/apache2/sites-available/MySSL
    
    ##################################
    ##-->@Author Husain Al-Khamis<--##
    ##################################
    <VirtualHost "*:443">
            ServerAdmin webmaster@localhost
    
            DocumentRoot /var/www
    
            ##-->Me<--##
    
            SSLEngine on
            SSLCertificateFile /etc/apache2/certs/server.crt
            SSLCertificateKeyFile /etc/apache2/certs/server.key
    
            ##-->Me<--##
    
            <Directory "/">
                    Options FollowSymLinks
                    AllowOverride None
            </Directory>
            <Directory "/var/www/">
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
    
            ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
            <Directory "/usr/lib/cgi-bin">
                    AllowOverride None
                    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                    Order allow,deny
                    Allow from all
            </Directory>
    
            ErrorLog /var/log/apache2/error.log
    
            # Possible values include: debug, info, notice, warn, error, crit,
            # alert, emerg.
            LogLevel warn
    
            CustomLog /var/log/apache2/access.log combined
    
            Alias /doc/ "/usr/share/doc/"
            <Directory "/usr/share/doc/">
                    Options Indexes MultiViews FollowSymLinks
                    AllowOverride None
                    Order deny,allow
                    Deny from all
                    Allow from 127.0.0.0/255.0.0.0 ::1/128
            </Directory>
    </VirtualHost>
    
  5. Listen on Port 443
    Open ports.conf:

    	sudo pico /etc/apache2/ports.conf
    	

    And add the following:

    	<IfModule mod_ssl.c>
    		# SSL name based virtual hosts are not yet supported, therefore no
    		# NameVirtualHost statement here
    		NameVirtualHost *:443
    		Listen 443
    	</IfModule>
    
  6. Enable the SSL Site
    As in step 3, you can either run these commands:

    sudo a2ensite MySSL
    sudo /etc/init.d/apache2 restart
    

    OR alternatively, you can do it manually in this way:

    sudo pico /etc/apache2/apache2.conf
    

    And add the following to the end of it:

    # Include the secured host configurations:
    Include /etc/apache2/sites-available/MySSL
    

    Then, restart Apache2:

    sudo /etc/init.d/apache2 restart
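
The checks below are an added example, not part of the original post: they confirm that server.key belongs to server.crt, that the key is not accessible to group or others (the alternative to a passphrase mentioned in step 2), and that the certificate is not about to expire. The function names, the 30-day threshold and the throwaway /CN=localhost pair are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the files from step 1.
# Assumes OpenSSL and GNU stat, and an unencrypted key (step 2 skipped).

# key_matches_cert CRT KEY: succeeds only if both files hold the same public key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# key_is_private KEY: succeeds only if group and others have no permission bits.
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# cert_valid_for CRT DAYS: succeeds if the certificate is still valid in DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_tls_files CRT KEY: prints one finding per line, nothing when all is well.
check_tls_files() {
    key_matches_cert "$1" "$2" || echo "certificate and key do not belong together"
    key_is_private "$2"        || echo "key is accessible to group or others"
    cert_valid_for "$1" 30     || echo "certificate expires within 30 days"
}

# make_test_pair DIR NAME: constructed throwaway pair for the demo; this is the
# command from step 1 with -subj added so that it runs without prompting.
make_test_pair() {
    openssl req -new -x509 -nodes -days 365 -subj "/CN=localhost" \
        -out "$1/$2.crt" -keyout "$1/$2.key" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_test_pair "$demo_dir" server
chmod 644 "$demo_dir/server.key"                         # the mistake to catch
check_tls_files "$demo_dir/server.crt" "$demo_dir/server.key"
chmod 600 "$demo_dir/server.key"                         # the fix
check_tls_files "$demo_dir/server.crt" "$demo_dir/server.key"
rm -rf "$demo_dir"
```

On the server itself, run check_tls_files /etc/apache2/certs/server.crt /etc/apache2/certs/server.key with sudo. Apache reads the key as root at startup, so a key owned by root with mode 600 is sufficient.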
    

So, enjoy secure web surfing!