From 3a7ef0b6994b8fe71ac0fc1ae17ed8f2469671eb Mon Sep 17 00:00:00 2001 From: Sven Strickroth Date: Wed, 7 Dec 2011 01:25:28 +0100 Subject: [PATCH] there is enough information about setting up a git server out there, TGit is a client Signed-off-by: Sven Strickroth --- doc/source/en/TortoiseGit/tortoisegit.xml | 1 - doc/source/en/TortoiseGit/tsvn_server/server.xml | 40 - .../en/TortoiseGit/tsvn_server/server_apache.xml | 1001 -------------------- .../en/TortoiseGit/tsvn_server/server_svn.xml | 468 --------- 4 files changed, 1510 deletions(-) delete mode 100644 doc/source/en/TortoiseGit/tsvn_server/server.xml delete mode 100644 doc/source/en/TortoiseGit/tsvn_server/server_apache.xml delete mode 100644 doc/source/en/TortoiseGit/tsvn_server/server_svn.xml diff --git a/doc/source/en/TortoiseGit/tortoisegit.xml b/doc/source/en/TortoiseGit/tortoisegit.xml index 1e3f97d35..d3958a62a 100644 --- a/doc/source/en/TortoiseGit/tortoisegit.xml +++ b/doc/source/en/TortoiseGit/tortoisegit.xml @@ -28,7 +28,6 @@ diff --git a/doc/source/en/TortoiseGit/tsvn_server/server.xml b/doc/source/en/TortoiseGit/tsvn_server/server.xml deleted file mode 100644 index 104415ea8..000000000 --- a/doc/source/en/TortoiseGit/tsvn_server/server.xml +++ /dev/null 
@@ -1,40 +0,0 @@ - - - - Setting Up A Server - - - To use TortoiseGit (or any other Git client), you need a place where your - repositories are located. You can either store your repositories locally and access - them using the file:// protocol or you can place them on a - server and access them with the http:// or - svn:// protocols. The two server protocols can also be - encrypted. - You use https:// or svn+ssh://. - This chapter shows you step by step on how you can set up - such a server on a Windows machine. - - - More detailed information on the Git server options, and how - to choose the best architecture for your situation, can be - found in the Git book under - - Server Configuration - . - - - If you don't have a server and you work alone then local repositories are - probably your best choice. You can skip this chapter and go directly to - . - - - If you were thinking about setting up a multi-user repository on a network - share, think again. Read - to find out why we think this is a bad idea. - - - - - - - diff --git a/doc/source/en/TortoiseGit/tsvn_server/server_apache.xml b/doc/source/en/TortoiseGit/tsvn_server/server_apache.xml deleted file mode 100644 index f9f6e263f..000000000 --- a/doc/source/en/TortoiseGit/tsvn_server/server_apache.xml +++ /dev/null 
@@ -1,1001 +0,0 @@ - - - - Apache Based Server - - Introduction - - Apache - - - The most flexible of all possible server setups for Git - is the Apache based one. Although a bit more complicated to set up, - it offers benefits that other servers cannot: - - - WebDAV - - - - WebDAV - - - The Apache based Git server uses the - WebDAV protocol which is supported by many other - programs as well. You could e.g. mount such - a repository as a Web folder in the Windows - explorer and then access it like any other - folder in the file system. - - - - - Browsing The Repository - - - You can point your browser to the URL of your - repository and browse the contents of it without - having a Git client installed. This - gives access to your data to a much wider circle of - users. - - - - - Authentication - - - You can use any authentication mechanism Apache - supports, including SSPI and LDAP. - - - - - Security - - - Since Apache is very stable and secure, - you automatically get the same security for your - repository. This includes SSL encryption. - - - - - - - Installing Apache - - The first thing you need before installing Apache is a computer - with Windows 2000, Windows XP+SP1, Windows 2003, Vista or Server 2008. - - - Please note that Windows XP without the service pack 1 - will lead to bogus network data and could therefore - corrupt your repository! - - - - - - Download the latest version of the Apache - web server from - - http://httpd.apache.org/download.cgi - . - Make sure that you download the version 2.2.x - - the version 1.3.xx won't work! - - - The msi installer for Apache can be found by clicking on other files, - then browse to binaries/win32. You may want to choose - the msi file apache-2.2.x-win32-x86-openssl-0.9.x.msi - (the one that includes OpenSSL). - - - - - Once you have the Apache2 installer you - can double click on it and it will guide you through - the installation process. 
Make sure that you enter - the server-URL correctly (if you don't have a DNS name - for your server just enter the IP-address). I recommend - to install Apache - for All Users, on Port 80, as a Service. - Note: if you already have IIS or any other - program running which listens on port 80 the - installation might fail. If that happens, go to the - programs directory, - \Apache Group\Apache2\conf - and locate the file - httpd.conf. Edit that file so that - Listen 80 is changed to a free - port, e.g. Listen 81. - Then restart the installation - this time it should - finish without problems. - - - - - Now test if the Apache web server is running - correctly by pointing your web browser to - http://localhost/ - - a preconfigured Website should show up. - - - - - - If you decide to install Apache as a service, be warned that - by default it will run as the local system account. - It would be a more secure practice for you to create a - separate account for Apache to run as. - - - Make sure that the account on the server that Apache is running as - has an explicit entry in the repository directory's access control - list (right-click directory | properties | security), with full - control. Otherwise, users will not be able to commit their changes. - - - Even if Apache runs as local system, you still need such an entry - (which will be the SYSTEM account in this case). - - - If Apache does not have this permission set up, your users will get - Access denied error messages, which show up in the Apache error log - as error 500. - - - - - - Installing Git - - - - - Download the latest version of the Git Win32 binaries for - Apache. Be sure to get the right version to integrate with your - version of Apache, otherwise you will get an obscure error - message when you try to restart. - If you have Apache 2.2.x go to - - http://Git.tigris.org/servlets/ProjectDocumentList?folderID=8100 - . - - - - - Run the Git installer and follow - the instructions. 
If the Git installer recognized - that you've installed Apache, then you're almost done. - If it couldn't find an Apache server then you have to - do some additional steps. - - - - - mod_authz_svn - - - Using the windows explorer, go to the installation - directory of Git (usually - c:\program files\Git) - and find the files - /httpd/mod_dav_svn.so and - mod_authz_svn.so. Copy these files - to the Apache modules directory (usually - c:\program files\apache group\apache2\modules - ). - - - - - Copy the file /bin/libdb*.dll - and /bin/intl3_svn.dll from - the Git installation directory to the Apache - bin directory. - - - - - Edit Apache's configuration file (usually - C:\Program Files\Apache - Group\Apache2\conf\httpd.conf) with a text - editor such as Notepad and make the following changes: - - - Uncomment (remove the '#' mark) the - following lines: - -#LoadModule dav_fs_module modules/mod_dav_fs.so -#LoadModule dav_module modules/mod_dav.so - - Add the following two lines to the end of the - LoadModule section. - -LoadModule dav_svn_module modules/mod_dav_svn.so -LoadModule authz_svn_module modules/mod_authz_svn.so - - - - - - - - Configuration - - Now you have set up Apache and Git, but Apache doesn't - know how to handle Git clients like TortoiseGit yet. - To get Apache to know which URL will be used for Git - repositories you have to edit the Apache configuration file (usually - located in - c:\program files\apache group\apache2\conf\httpd.conf) - with any text editor you like (e.g. Notepad): - - - - At the end of the config file add the following lines: - -<Location /svn> - DAV svn - SVNListParentPath on - SVNParentPath D:\SVN - #SVNIndexXSLT "/svnindex.xsl" - AuthType Basic - AuthName "Git repositories" - AuthUserFile passwd - #AuthzSVNAccessFile svnaccessfile - Require valid-user -</Location> - - This configures Apache so that all your Git - repositories are physically located below - D:\SVN. 
The repositories are - served to the outside world from the URL: - - http://MyServer/svn/ - . - Access is restricted to known users/passwords - listed in the passwd file. - - - - - To create the passwd - file, open the command prompt (DOS-Box) again, - change to the apache2 folder (usually - c:\program files\apache - group\apache2) - and create the file by entering - -bin\htpasswd -c passwd <username> - - This will create a file with the name passwd which is - used for authentication. Additional users can be added - with - -bin\htpasswd passwd <username> - - - - - - Restart the Apache service again. - - - - - Point your browser to - http://MyServer/svn/MyNewRepository - (where MyNewRepository is the name of the - Git repository you created before). If all went - well you should be prompted for a username and password, - then you can see the contents of your - repository. - - - - - - SVNPath - - - SVNParentPath - - - A short explanation of what you just entered: - - Apache <filename>httpd.conf</filename> Settings - - - - - - Setting - Explanation - - - - - <Location /svn> - - means that the Git repositories are available from the URL - http://MyServer/svn/ - - - - DAV svn - - tells Apache which module will be responsible to serve - that URL - in this case the Git module. - - - - SVNListParentPath on - - For Git version 1.3 and higher, this directive enables - listing all the available repositories under - SVNParentPath. - - - - SVNParentPath D:\SVN - - tells Git to look for repositories below - D:\SVN - - - - SVNIndexXSLT "/svnindex.xsl" - - Used to make the browsing with a web browser - prettier. - - - - AuthType Basic - - is to activate basic authentication, i.e. 
- Username/password - - - - AuthName "Git repositories" - - is used as an information whenever an authentication - dialog pops up to tell the user what the authentication is for - - - - AuthUserFile passwd - - specifies which password file to use for authentication - - - - AuthzSVNAccessFile - - Location of the Access file for paths inside a - Git repository - - - - Require valid-user - - specifies that only users who entered a correct - username/password are allowed to access the URL - - - - -
- But that's just an example. There are many, many more - possibilities of what you can do with the Apache web server. - - - - If you want your repository to have read - access for everyone but write access only for specific - users you can change the line - -Require valid-user - to - -<LimitExcept GET PROPFIND OPTIONS REPORT> -Require valid-user -</LimitExcept> - - - - - - Using a passwd file limits and - grants access to all of your repositories as a unit. - If you want more control over which users have - access to each folder inside a repository you can - uncomment the line - -#AuthzSVNAccessFile svnaccessfile - - and create a Git access file. Apache will - make sure that only valid users are able to access - your /svn location, and will then - pass the username to Git's AuthzSVNAccessFile - module so that it can enforce more granular access - based upon rules listed in the Git access file. - Note that paths are specified either as - repos:path or simply - path. If you don't specify a - particular repository, that access rule will apply to - all repositories under - SVNParentPath. - The format of the authorization-policy file used by - mod_authz_svn is described in - - - - - - To make browsing the repository with a web browser - 'prettier', uncomment the line - -#SVNIndexXSLT "/svnindex.xsl" - - and put the files svnindex.xsl, - svnindex.css and - menucheckout.ico in your document - root directory (usually C:/Program Files/Apache Group/Apache2/htdocs). - The directory is set with the DocumentRoot directive - in your Apache config file. - - - You can get those three files directly from our source repository - at - - http://TortoiseGit.tigris.org/svn/TortoiseGit/trunk/contrib/other/svnindex - . - ( explains how to access the TortoiseGit source repository). - - - The XSL file from the TortoiseGit repository has a nice - gimmick: if you browse the repository with your web browser, then - every folder in your repository has an icon on the right shown. 
- If you click on that icon, the TortoiseGit checkout dialog - is started for this URL. - - - -
-
- - Multiple Repositories - - SVNParentPath - - - Index of projects - - - If you used the SVNParentPath directive then you don't have to - change the Apache config file every time you add a new Git - repository. Simply create the new repository under the same - location as the first repository and you're done! In my company - I have direct access to that specific folder on the server via - SMB (normal windows file access). So I just create a new folder - there, run the TortoiseGit command - - TortoiseGit - Create repository here... - - and a new project has a home... - - - If you are using Git 1.3 or later, you can use the - SVNListParentPath on directive to allow Apache - to produce a listing of all available projects if you point your - browser at the parent path rather than at a specific repository. - - - - Path-Based Authorization - - Authorization - - - mod_authz_svn - - - The mod_authz_svn module permits fine-grained control of access - permissions based on user names and repository paths. This is - available with the Apache server, and as of Git 1.3 - it is available with svnserve as well. - - - An example file would look like this: - -[groups] -admin = john, kate -devteam1 = john, rachel, sally -devteam2 = kate, peter, mark -docs = bob, jane, mike -training = zak -# Default access rule for ALL repositories -# Everyone can read, admins can write, Dan German is excluded. -[/] -* = r -@admin = rw -dangerman = -# Allow developers complete access to their project repos -[proj1:/] -@devteam1 = rw -[proj2:/] -@devteam2 = rw -[bigproj:/] -@devteam1 = rw -@devteam2 = rw -trevor = rw -# Give the doc people write access to all the docs folders -[/trunk/doc] -@docs = rw -# Give trainees write access in the training repository only -[TrainingRepos:/] -@training = rw - - - - Note that checking every path can be an expensive operation, - particularly in the case of the revision log. 
The server - checks every changed path in each revision and checks it for - readability, which can be time-consuming on revisions which - affect large numbers of files. - - - Authentication and authorization are separate processes. If - a user wants to gain access to a repository path, she has to meet - both, the usual authentication requirements - and the authorization requirements of the access file. - - - - Authentication With a Windows Domain - - Windows domain - - - domaincontroller - - - As you might have noticed you need to make a username/password - entry in the passwd file for each user - separately. And if (for security reasons) you want your users - to periodically change their passwords you have to make the - change manually. - - - But there's a solution for that problem - at least if you're - accessing the repository from inside a LAN with a windows - domain controller: mod_auth_sspi! - - - SSPI - - - NTLM - - - The original SSPI module was offered by Syneapps including - source code. But the development for it has been stopped. - But don't despair, the community has picked it up and improved - it. It has a new home on - - SourceForge - . - - - - - Download the module which matches your apache version, - then copy the file mod_auth_sspi.so - into the Apache modules folder. - - - - - Edit the Apache config file: add the line - -LoadModule sspi_auth_module modules/mod_auth_sspi.so - - to the LoadModule section. Make sure you - insert this line before the line - -LoadModule auth_module modules/mod_auth.so - - - - - - To make the Git location use this - type of authentication you have to change the line - -AuthType Basic - - to - -AuthType SSPI - - also you need to add - -SSPIAuth On -SSPIAuthoritative On -SSPIDomain <domaincontroller> -SSPIOmitDomain on -SSPIUsernameCase lower -SSPIPerRequestAuth on -SSPIOfferBasic On - - within the <Location /svn> block. 
- If you don't have a domain controller, leave the name of - the domain control as <domaincontroller>. - - - - - Note that if you are authenticating using SSPI, then you don't - need the AuthUserFile line to define a - password file any more. Apache authenticates your username and - password against your windows domain instead. You will need to - update the users list in your svnaccessfile - to reference DOMAIN\username as well. - - - - - The SSPI authentication is only enabled for SSL secured - connections (https). If you're only using normal http - connections to your server, it won't work. - - - To enable SSL on your server, see the chapter: - - - - - - Git AuthzSVNAccessFile files are - case sensitive in regard to user names (JUser - is different from juser). - - - In Microsoft's world, Windows domains and user names are not - case sensitive. Even so, some network administrators like - to create user accounts in CamelCase (e.g. JUser). - - - This difference can bite you when using SSPI authentication - as the windows domain and user names are passed to Git - in the same case as the user types them in at the prompt. - - Internet Explorer often passes the username to Apache - automatically using whatever case the account was created with. - - - The end result is that you may need at least two entries in your - AuthzSVNAccessFile for each user -- a lowercase entry and an - entry in the same case that Internet Explorer passes to Apache. - You will also need to train your users to also type in their - credentials using lower case when accessing repositories via - TortoiseGit. - - - Apache's Error and Access logs are your best friend in - deciphering problems such as these as they will help you - determine the username string passed onto Git's - AuthzSVNAccessFile module. You may need to - experiment with the exact format of the user string in the - svnaccessfile - (e.g. DOMAIN\user vs. - DOMAIN//user) in order to get - everything working. 
- - - - - Multiple Authentication Sources - - Multiple authentication - - - It is also possible to have more than one authentication source for - your Git repository. To do this, you need to make each - authentication type non-authoritative, so that Apache will check - multiple sources for a matching username/password. - - - A common scenario is to use both Windows domain authentication and - a passwd file, so that you can provide SVN access - to users who don't have a Windows domain login. - - - - - To enable both Windows domain and passwd - file authentication, add the following entries within the - <Location> block of your Apache config file: - -AuthBasicAuthoritative Off -SSPIAuthoritative Off - - - - - - Here is an example of the full Apache configuration for combined Windows - domain and passwd file authentication: - -<Location /svn> - DAV svn - SVNListParentPath on - SVNParentPath D:\SVN - - AuthName "Git repositories" - AuthzSVNAccessFile svnaccessfile.txt - -# NT Domain Logins. - AuthType SSPI - SSPIAuth On - SSPIAuthoritative Off - SSPIDomain <domaincontroller> - SSPIOfferBasic On - -# Htpasswd Logins. - AuthType Basic - AuthBasicAuthoritative Off - AuthUserFile passwd - - Require valid-user -</Location> - - - - - Securing the server with SSL - - SSL - - - Even though Apache 2.2.x has OpenSSL support, it is not - activated by default. You need to activate this manually. - - - - - In the apache config file, uncomment the lines: - -#LoadModule ssl_module modules/mod_ssl.so - - and at the bottom - -#Include conf/extra/httpd-ssl.conf - - then change the line (on one line) - -SSLMutex "file:C:/Program Files/Apache Software Foundation/\ -Apache2.2/logs/ssl_mutex" - - to - -SSLMutex default - - - - - - - Next you need to create an SSL certificate. - To do that open a command prompt (DOS-Box) and change to - the Apache folder (e.g. 
- C:\program files\apache group\apache2) - and type the following command: - -bin\openssl req -config conf\openssl.cnf -new -out my-server.csr - - You will be asked for a passphrase. Please don't use simple - words but whole sentences, e.g. a part of a poem. The - longer the phrase the better. Also you have to enter the - URL of your server. All other questions are optional but we - recommend you fill those in too. - - - Normally the privkey.pem file is created - automatically, but if it isn't you need to type this command - to generate it: - -bin\openssl genrsa -out conf\privkey.pem 2048 - - - - Next type the commands - -bin\openssl rsa -in conf\privkey.pem -out conf\server.key - - and (on one line) - -bin\openssl req -new -key conf\server.key -out conf\server.csr \ --config conf\openssl.cnf - - and then (on one line) - -bin\openssl x509 -in conf\server.csr -out conf\server.crt - -req -signkey conf\server.key -days 4000 - - This will create a certificate which will expire in - 4000 days. And finally enter (on one line): - -bin\openssl x509 -in conf\server.cert -out conf\server.der.crt - -outform DER - - These commands created some files in the Apache - conf folder - (server.der.crt, - server.csr, - server.key, - .rnd, - privkey.pem, - server.cert). - - - - - Restart the Apache service. - - - - - Point your browser to - https://servername/svn/project - ... - - - - - SSL and Internet Explorer - - If you're securing your server with SSL and use authentication - against a windows domain you will encounter that browsing - the repository with the Internet Explorer doesn't work - anymore. Don't worry - this is only the Internet Explorer - not able to authenticate. Other browsers don't have that - problem and TortoiseGit and any other Git client are - still able to authenticate. - - - If you still want to use IE to browse the repository - you can either: - - - - define a separate <Location /path> - directive in the Apache config file, and add the - SSPIBasicPreferred On. 
- This will allow IE to authenticate again, but - other browsers and Git won't be able to - authenticate against that location. - - - - - Offer browsing with unencrypted authentication - (without SSL) too. Strangely IE doesn't have any - problems with authenticating if the connection - is not secured with SSL. - - - - - In the SSL "standard" setup there's often the - following statement in Apache's virtual SSL host: - -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - There are (were?) good reasons for this configuration, - see - - http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49 - - But if you want NTLM authentication you have to use keepalive. - If You uncomment the whole SetEnvIf you should be able to - authenticate IE with windows authentication over SSL against - the Apache on Win32 with included mod_auth_sspi. - - - - - - - Forcing SSL access - - When you've set up SSL to make your repository more secure, you - might want to disable the normal access via non-SSL (http) and - only allow https access. - To do this, you have to add another directive to the Git - <Location> block: SSLRequireSSL. - - - An example <Location> block would look like this: - -<Location /svn> - DAV svn - SVNParentPath D:\SVN - SSLRequireSSL - AuthType Basic - AuthName "Git repositories" - AuthUserFile passwd - #AuthzSVNAccessFile svnaccessfile - Require valid-user -</Location> - - - - - - Using client certificates with virtual SSL hosts - - Sent to the TortoiseGit mailing list by Nigel Green. Thanks! - - - In some server configurations you may need to setup a single server - containing 2 virtual SSL hosts: The first one for public web access, - with no requirement for a client certificate. The second one to be - secure with a required client certificate, running a Git server. - - - Adding an SSLVerifyClient Optional directive to the - per-server section of the Apache configuration - (i.e. 
outside of any VirtualHost and - Directory blocks) forces Apache to request a client - Certificate in the initial SSL handshake. Due to a bug in - mod_ssl it is essential that the certificate is - requested at this point as it does not work if the SSL connection - is re-negotiated. - - - The solution is to add the following directive to the virtual host - directory that you want to lock down for Git: - -SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" - - This directive grants access to the directory only if a - client certificate was received and verified successfully. - - - To summarise, the relevant lines of the Apache configuration are: - -SSLVerifyClient Optional - -### Virtual host configuration for the PUBLIC host -### (not requiring a certificate) - -<VirtualHost 127.0.0.1:443> - <Directory "pathtopublicfileroot"> - </Directory> -</VirtualHost> - -### Virtual host configuration for Git -### (requiring a client certificate) -<VirtualHost 127.0.0.1:443> - <Directory "Git host root path"> - SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" - </Directory> - - <Location /svn> - DAV svn - SVNParentPath /pathtorepository - </Location> -</VirtualHost> - - - -
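Review bot: The commit message should state that this chapter is Subversion server documentation with the product name swapped, since the subject line only says there is "enough information about setting up a git server out there". Every httpd.conf example in this hunk uses DAV svn, SVNParentPath D:\SVN, AuthzSVNAccessFile and the mod_dav_svn.so / mod_authz_svn.so modules, and the text refers to "Git version 1.3" and a Git.tigris.org download URL, so none of it ever described a Git server. Saying so in the message body gives the stronger reason for dropping all 1001 lines and tells a later reader that nothing here needs porting. It would also be worth a sentence that the removed examples should not be kept as a fallback elsewhere: the first <Location /svn> block pairs AuthType Basic with an http://MyServer/svn/ URL and no SSLRequireSSL, and the certificate recipe self-signs with -days 4000.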
diff --git a/doc/source/en/TortoiseGit/tsvn_server/server_svn.xml b/doc/source/en/TortoiseGit/tsvn_server/server_svn.xml deleted file mode 100644 index 5245c33de..000000000 --- a/doc/source/en/TortoiseGit/tsvn_server/server_svn.xml +++ /dev/null 
@@ -1,468 +0,0 @@ - - - - Svnserve Based Server - - Introduction - - svnserve - - - There may be situations where it's not possible to use Apache as - your server. Fortunately, Git includes Svnserve - - a lightweight stand-alone server which uses a custom protocol - over an ordinary TCP/IP connection. - - - In most cases svnserve is easier to setup and runs faster than - the Apache based server. And now that SASL support is included - it is easy to secure as well. - - - - Installing svnserve - - - - - Get the latest version of Git from - - http://Git.tigris.org/servlets/ProjectDocumentList?folderID=91 - . - Alternatively get a pre-packaged installer from CollabNet at - - http://www.collab.net/downloads/Git - . - This installer will setup svnserve as a Windows service, and also includes - some of the tools you need if you are going to use SASL for security. - - - - - If you already have a version of Git installed, and - svnserve is running, you will need to stop it before continuing. - - - - - Run the Git installer. If you run the installer on - your server (recommended) you can skip step 4. - - - - - Open the windows-explorer, go to the - installation directory of Git (usually - C:\Program Files\Git) and in the - bin directory, find the files - svnserve.exe, - intl3_svn.dll, - libapr.dll, - libapriconv.dll, - libapriutil.dll, - libdb*.dll, - libeay32.dll and - ssleay32.dll - - copy these files, or just copy all of the bin - directory, into a directory on your server e.g. - c:\svnserve - - - - - - - Running svnserve - - Now that svnserve is installed, you need it running - on your server. The simplest approach is to run the following from a DOS - shell or create a windows shortcut: - -svnserve.exe --daemon - - svnserve will now start waiting for incoming requests - on port 3690. The --daemon switch tells svnserve to run - as a daemon process, so it will always exist until it is manually terminated. 
- - - If you have not yet created a repository, follow the - instructions given with the Apache server setup - . - - - To test that svnserve is working, use - - TortoiseGit - Repo-Browser - - to view a repository. - - - Assuming your repository is located in - c:\repos\TestRepo, and your server is called - localhost, enter: - -svn://localhost/repos/TestRepo - - when prompted by the repo browser. - - - You can also increase security and save time entering URLs with - svnserve by using the --root switch to set the root - location and restrict access to a specified directory on the server: - -svnserve.exe --daemon --root drive:\path\to\repository\root - - Using the previous test as a guide, svnserve would now run as: - -svnserve.exe --daemon --root c:\repos - - And in TortoiseGit our repo-browser URL is now shortened to: - -svn://localhost/TestRepo - - Note that the --root switch is also needed if your repository is located - on a different partition or drive than the location of svnserve - on your server. - - - Svnserve will service any number of repositories. Just locate them somewhere - below the root folder you just defined, and access them using a URL relative - to that root. - - - - Do not create or access a Berkeley DB repository on a network share. - It cannot exist on a remote filesystem. - Not even if you have the network drive mapped to a drive letter. - If you attempt to use Berkeley DB on a network share, - the results are unpredictable - you may see mysterious errors - right away, or it may be months before you discover that your - repository database is subtly corrupted. - - - - Run svnserve as a Service - - svnserve - - - Running svnserve as a user is usually not the best way. - It means always having a user logged in on your server, - and remembering to restart it after a reboot. A better way is to run - svnserve as a windows service. Starting with Git 1.4, - svnserve can be installed as a native windows service. 
- - - To install svnserve as a native windows service, execute the following - command all on one line to create a service which is automatically - started when windows starts. - -sc create svnserve binpath= "c:\svnserve\svnserve.exe --service - --root c:\repos" displayname= "Git" depend= tcpip - start= auto - - If any of the paths include spaces, you have to use (escaped) quotes - around the path, like this: - -sc create svnserve binpath= " - \"C:\Program Files\Git\bin\svnserve.exe\" - --service --root c:\repos" displayname= "Git" - depend= tcpip start= auto - - You can also add a description after creating the service. This - will show up in the Windows Services Manager. - -sc description svnserve "Git server (svnserve)" - - - - Note the rather unusual command line format used by sc. - In the key= value pairs there must be no space between - the key and the = but there must be a space before the - value. - - - - Microsoft now recommend services to be run as under either the - Local Service or Network Service account. Refer to - - The Services and Service Accounts Security Planning Guide - . - To create the service under the Local Service account, append the - following to the example above. - -obj= "NT AUTHORITY\LocalService" - - Note that you would have to give the Local Service account - appropriate rights to both Git and your repositories, - as well as any applications which are used by hook scripts. - The built-in group for this is called "LOCAL SERVICE". - - - - Once you have installed the service, you need to go to the services - manager to start it (this time only; it will start automatically when - the server reboots). - - - For more detailed information, refer to - - Windows Service Support for Svnserve - . - - - If you installed an earlier version of svnserve using the - SVNService wrapper, and you now want to use - the native support instead, you will need to unregister the wrapper - as a service (remember to stop the service first!). 
- Simply use the command - -svnservice -remove - - to remove the service registry entry. - - - - - Basic Authentication with svnserve - - The default svnserve setup provides anonymous read-only access. - This means that you can use an svn:// URL - to checkout and update, or use the repo-browser in TortoiseGit - to view the repository, but you won't be able to commit any changes. - - - To enable write access to a repository, you need to edit the - conf/svnserve.conf file in your repository - directory. This file controls the configuration of the - svnserve daemon, and also contains useful documentation. - - - You can enable anonymous write access by simply setting: - -[general] -anon-access = write - - However, you will not know who has made changes to a repository, - as the svn:author property will be empty. - You will also be unable to control who makes changes to a - repository. This is a somewhat risky setup! - - - One way to overcome this is to create a password database: - -[general] -anon-access = none -auth-access = write -password-db = userfile - - Where userfile is a file which exists in - the same directory as svnserve.conf. This - file can live elsewhere in your file system (useful for when you - have multiple repositories which require the same access rights) - and may be referenced using an absolute path, or a path - relative to the conf directory. - If you include a path, it must be written - /the/unix/way. - Using \ or drive letters will not work. - The userfile should have a structure of: - -[users] -username = password -... - - This example would deny all access for unauthenticated - (anonymous) users, and give read-write access to users listed - in userfile. - - - - If you maintain multiple repositories using the same password - database, the use of an authentication realm will make life - easier for users, as TortoiseGit can cache your credentials - so that you only have to enter them once. 
More information - can be found in the Git book, specifically in the - sections - - Create a 'users' file and realm - - and - - Client Credentials Caching - - - - - - Better Security with SASL - - SASL - - - What is SASL? - - The Cyrus Simple Authentication and Security Layer is - open source software written by Carnegie Mellon University. - It adds generic authentication and encryption capabilities - to any network protocol, and as of Git 1.5 and later, - both the svnserve server and TortoiseGit client know how to - make use of this library. - - - For a more complete discussion of the options available, you should - look at the Git book in the section - - Using svnserve with SASL - . - If you are just looking for a simple way to set up secure - authentication and encryption on a Windows server, so that your - repository can be accessed safely over the big bad Internet, - read on. - - - - SASL Authentication - - To activate specific SASL mechanisms on the server, you'll - need to do three things. First, create a [sasl] - section in your repository's svnserve.conf - file, with this key-value pair: - -use-sasl = true - - - - Second, create a file called svn.conf in a - convenient location - typically in the directory where Git - is installed. - - - Thirdly, create two new registry entries to tell SASL where to - find things. Create a registry key named - [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library] - and place two new string values inside it: - SearchPath set to the directory path containing - the sasl*.dll plug-ins (normally in the - Git install directory), and ConfFile set - to the directory containing the svn.conf file. - If you used the CollabNet installer, these registry keys will already - have been created for you. 
- - - Edit the svn.conf file to contain the following: - - -pwcheck_method: auxprop -auxprop_plugin: sasldb -mech_list: DIGEST-MD5 -sasldb_path: C:\TortoiseGit\sasldb - - The last line shows the location of the authentication database, - which is a file called sasldb. - This could go anywhere, but a convenient choice is the repository - parent path. Make sure that the svnserve service has read access - to this file. - - - If svnserve was already running, you will need to restart it to - ensure it reads the updated configuration. - - - Now that everything is set up, all you need to do is create some - users and passwords. To do this you need the - saslpasswd2 program. If you used the CollabNet - installer, that program will be in the install directory. - Use a command something like this: - -saslpasswd2 -c -f C:\TortoiseGit\sasldb -u realm username - - The -f switch gives the database location, - realm must be the same as the value you - defined in your repository's svnserve.conf - file, and username is exactly what you expect it to be. - Note that the realm is not allowed to contain space characters. - - - You can list the usernames stored in the database using the - sasldblistusers2 program. - - - - SASL Encryption - - To enable or disable different levels of encryption, you can - set two values in your repository's - svnserve.conf file: - -[sasl] -use-sasl = true -min-encryption = 128 -max-encryption = 256 - - - - The min-encryption and - max-encryption variables control the - level of encryption demanded by the server. To disable - encryption completely, set both values to 0. To enable - simple checksumming of data (i.e., prevent tampering and - guarantee data integrity without encryption), set both - values to 1. If you wish to allow (but not require) encryption, - set the minimum value to 0, and the maximum value to some - bit-length. To require encryption unconditionally, set both - values to numbers greater than 1. 
In our previous example, - we require clients to do at least 128-bit encryption, - but no more than 256-bit encryption. - - - - - Authentication with svn+ssh - - Another way to authenticate users with a svnserve - based server is to use a secure shell (SSH) to tunnel - requests through. It is not as simple to set up as SASL, - but it may be useful is some cases. - - - With this approach, svnserve is not run as a daemon - process, rather, the secure shell starts svnserve - for you, running it as the SSH authenticated user. To - enable this, you need a secure shell daemon on your server. - - - A basic method for setting up your server is given in - . - You can find other SSH topics within the FAQ by searching - for SSH. - - - Further information about svnserve can be found in the - - Version Control with Git - . - - - - Path-based Authorization with svnserve - - Starting with Git 1.3, svnserve supports the same - mod_authz_svn path-based authorization scheme - that is available with the Apache server. You need to edit the - conf/svnserve.conf file in your repository - directory and add a line referring to your authorization file. - -[general] -authz-db = authz - - Here, authz is a file you create to define - the access permissions. You can use a separate file for each - repository, or you can use the same file for several repositories. - Read - for a description of the file format. - - - -- 2.11.4.GIT
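Review bot: The removed server_svn.xml text is Subversion's svnserve chapter with the product name substituted (it says "as of Git 1.5 and later, both the svnserve server and TortoiseGit client" and "Starting with Git 1.3, svnserve supports the same mod_authz_svn path-based authorization scheme"), so it was never accurate for Git, and the commit message should state that as a reason alongside "TGit is a client". The diffstat shows only one line dropped from tortoisegit.xml, while the deleted sections contain cross-references of their own (for example "Read for a description of the file format" in the path-based authorization section) and may be link targets elsewhere, so please search the remaining chapters for references into the removed sections before merging so that none is left dangling.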