nginx + http + svn + ldap
Install certbot
Install certbot in preparation for the free certificate
yum install certbot python2-certbot-nginx
Install svn
Install svn
yum install svn
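Create the svn repository
# Create the repository
svnadmin create /var/svn/data
# Give the apache user ownership
chown -R apache:apache /var/svn/
# Create the svn account/password file
# (/var/svn/conf has to exist first; nothing above creates it)
mkdir -p /var/svn/conf
touch /var/svn/conf/passwd
# Create the svn authorization file
touch /var/svn/conf/authz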
Generate an svn username and password
# Replace "username" with the name you need; Chinese characters are allowed
htpasswd /var/svn/conf/passwd username
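Apache configuration
Install Apache
yum install httpd
systemctl enable httpd
Configure Apache
# Comment out the port 80 listener in httpd.conf
vi /etc/httpd/conf/httpd.conf
# Listen 80
# Add the svn configuration file
vi /etc/httpd/conf.d/w_svn_9001.conf
Listen 127.0.0.1:9001
<Location /svn/>
    DAV svn
    # SVNParentPath serves every repository found directly under this directory
    SVNParentPath /var/svn/data/
    # Lists the project folders in svn
    #SVNListParentPath on
    AuthType Basic
    AuthName "Subversion login:"
    # Password file
    AuthUserFile /var/svn/conf/passwd
    # Authorization file
    AuthzSVNAccessFile /var/svn/conf/authz
    # With Satisfy Any, unauthenticated requests are accepted wherever the authz file grants access to *
    Satisfy Any
    Require valid-user
</Location>
Install the svn module for Apache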
yum install mod_dav_svn -y
Check that the modules were installed
ls /etc/httpd/modules/ | grep svn
mod_authz_svn.so
mod_dav_svn.so
Start the Apache service
systemctl start httpd
systemctl enable httpd
Nginx configuration
Install nginx
yum install nginx -y
Configure the domain name and redirect
# nginx.conf
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name svn.andro.com;
    root /usr/share/nginx/html;
    ssl_certificate /etc/letsencrypt/live/svn.andro.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/svn.andro.com/privkey.pem; # managed by Certbot
    include /etc/nginx/default.d/*.conf;
    #location /svn {
    location / {
        proxy_pass http://127.0.0.1:9001;
    }
}
Note: in the configuration above, ssl_certificate and ssl_certificate_key show the values after the certificate has been set up automatically. Before you have a certificate, you can temporarily point them at a certificate for any other domain so that nginx's configuration check passes.
Generate the certificate with nginx
# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: svn.andro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for svn.andro.com
Performing the following challenges:
http-01 challenge for svn.andro.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
No matching insecure server blocks listening on port 80 found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://svn.andro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: li@leng.tech).
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/svn.andro.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/svn.andro.com/privkey.pem
   Your certificate will expire on 2021-10-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
Set up a scheduled task to renew the SSL certificate automatically
# crontab -l
# 0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q
0 0,12 * * * certbot renew -q
Switch to LDAP authentication
Install the LDAP module
yum -y install mod_ldap
Modify the httpd configuration file
# cat /etc/httpd/conf.d/w_svn_9001.conf
Listen 127.0.0.1:9001
<Location /svn/>
    DAV svn
    SVNParentPath /var/svn/data
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion login:"
    # Password file
    # AuthUserFile /var/svn/conf/passwd
    # Authorization file
    #AuthzSVNAccessFile /var/svn/conf/authz
    AuthzSVNAccessFile /etc/svn_http_authz
    #Satisfy Any
    Satisfy all
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://10.250.0.54/dc=cxzh,dc=ltd?uid?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=Manager,dc=cxzh,dc=ltd"
    #AuthLDAPBindDN "ou=svn,ou=Group,dc=cxzh,dc=ltd"
    AuthLDAPBindPassword "password"
    Require valid-user
</Location>
Restart httpd and verify
systemctl restart httpd.service
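The LDAP-backed w_svn_9001.conf above can be checked for settings that weaken it: a cleartext ldap:// bind, a bind as cn=Manager, a literal bind password in a world-readable file, and an active Satisfy Any. The script below is an added example, not part of the original post; the names audit_svn_conf and has, the finding labels, and the sample config (constructed from the post's values) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post; all names and labels are invented here.
# has PATTERN: true if an active (non-comment) config line matches.
has() { printf '%s\n' "$active" | grep -Eiq "$1"; }

audit_svn_conf() (
    conf=$1 out=""
    # Drop commented-out directives such as "#Satisfy Any".
    active=$(grep -Ev '^[[:space:]]*#' "$conf" || true)
    # ldap:// with no SSL/TLS/STARTTLS mode: every bind crosses the network in cleartext.
    if has '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' &&
       ! has '^[[:space:]]*AuthLDAPURL[[:space:]].*[[:space:]](SSL|TLS|STARTTLS)[[:space:]]*$'; then
        out="$out CLEARTEXT_LDAP"
    fi
    # Heuristic: cn=Manager is the conventional OpenLDAP rootdn; a search bind needs read access only.
    if has '^[[:space:]]*AuthLDAPBindDN[[:space:]]+"?cn=Manager,'; then
        out="$out ROOTDN_BIND"
    fi
    # Literal bind password (not exec:) stored in the config file ...
    if has '^[[:space:]]*AuthLDAPBindPassword[[:space:]]' &&
       ! has '^[[:space:]]*AuthLDAPBindPassword[[:space:]]+"?exec:'; then
        out="$out INLINE_BIND_PASSWORD"
        # ... which any local user can read if the "other" read bit is set.
        if [ -n "$(find "$conf" -prune -perm -004)" ]; then
            out="$out WORLD_READABLE"
        fi
    fi
    # Satisfy Any admits anonymous requests wherever the authz file grants "*" access.
    if has '^[[:space:]]*Satisfy[[:space:]]+Any[[:space:]]*$'; then
        out="$out SATISFY_ANY"
    fi
    echo "${out# }"
)

# Constructed sample mirroring the post's LDAP block (password is a placeholder).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Location /svn/>
    #Satisfy Any
    Satisfy all
    AuthLDAPURL "ldap://10.250.0.54/dc=cxzh,dc=ltd?uid?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=Manager,dc=cxzh,dc=ltd"
    AuthLDAPBindPassword "password"
</Location>
EOF
chmod 644 "$sample"   # mode a conf.d file gets when root creates it with umask 022
audit_svn_conf "$sample"
rm -f "$sample"
```

Run audit_svn_conf against /etc/httpd/conf.d/w_svn_9001.conf before restarting httpd; an empty result means none of the four checks fired.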
This article is from Cnblogs (博客园). Author: Star-Hitian. When reposting, please cite the original link: https://www.cnblogs.com/Star-Haitian/p/15061906.html