nginx + http + svn + ldap

Install certbot

Install certbot in preparation for obtaining a free certificate.

yum install certbot python2-certbot-nginx

Install svn

Install svn

yum install svn

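Create the svn repository

# Create the repository
svnadmin create /var/svn/data

# Give the apache user ownership
chown -R apache:apache /var/svn/

# Create the svn account/password file
# (create /var/svn/conf first; svnadmin does not create this directory)
mkdir -p /var/svn/conf
touch /var/svn/conf/passwd

# Create the svn authorization file
touch /var/svn/conf/authz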

Generate an svn username and password

# Replace 用户名 ("username") with the name you need; Chinese characters are allowed
htpasswd /var/svn/conf/passwd 用户名

apache configuration

Install apache

yum install httpd
systemctl enable httpd

Configure the apache files

# Comment out the port 80 listener in httpd.conf
vi /etc/httpd/conf/httpd.conf
# Listen 80

# Add the svn configuration file
vi /etc/httpd/conf.d/w_svn_9001.conf
Listen 127.0.0.1:9001
<Location /svn/>
    DAV svn
    SVNParentPath /var/svn/data/
    # Allows listing the project folders in svn
    #SVNListParentPath on
    AuthType Basic
    AuthName "Subversion login:"
    # Password file
    AuthUserFile /var/svn/conf/passwd
    # Authorization (path access rules) file
    AuthzSVNAccessFile /var/svn/conf/authz
    Satisfy Any
    Require valid-user
</Location>

Install the svn module for apache

yum install mod_dav_svn -y

Check that the modules were installed

ls /etc/httpd/modules/ | grep svn
mod_authz_svn.so
mod_dav_svn.so

Start the apache service

systemctl start httpd
systemctl enable httpd

Nginx configuration

Install nginx

yum install nginx -y

Configure the domain name and redirect

# nginx.conf

    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        return 301 https://$host$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  svn.andro.com;
        root         /usr/share/nginx/html;
        ssl_certificate /etc/letsencrypt/live/svn.andro.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/svn.andro.com/privkey.pem; # managed by Certbot

        include /etc/nginx/default.d/*.conf;

        #location /svn {
        location / {
            proxy_pass http://127.0.0.1:9001;
        }
    }

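Note: in the configuration above, ssl_certificate and ssl_certificate_key are shown as they appear after the certificate has been configured automatically. Before you have a certificate, you can point them at a certificate for any other domain so that nginx's configuration check passes.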

Generate the certificate for nginx

# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: svn.andro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for svn.andro.com
Performing the following challenges:
http-01 challenge for svn.andro.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
No matching insecure server blocks listening on port 80 found.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://svn.andro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: li@leng.tech).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/svn.andro.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/svn.andro.com/privkey.pem
   Your certificate will expire on 2021-10-24. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configure a scheduled task to renew the SSL certificate automatically

# crontab -l
# 0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q

0 0,12 * * * certbot renew -q

Switch to ldap authentication

Install the ldap plugin

yum -y install mod_ldap

Modify the httpd configuration file

# cat /etc/httpd/conf.d/w_svn_9001.conf
Listen 127.0.0.1:9001
<Location /svn/>
    DAV svn
    SVNParentPath /var/svn/data
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion login:"
    # Password file
    #AuthUserFile /var/svn/conf/passwd
    # Authorization (path access rules) file
    #AuthzSVNAccessFile /var/svn/conf/authz
    AuthzSVNAccessFile /etc/svn_http_authz
    #Satisfy Any
    Satisfy all
    AuthBasicProvider ldap
    #AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://10.250.0.54/dc=cxzh,dc=ltd?uid?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=Manager,dc=cxzh,dc=ltd"
    #AuthLDAPBindDN "ou=svn,ou=Group,dc=cxzh,dc=ltd"
    AuthLDAPBindPassword "password"
    Require valid-user
</Location>

Restart httpd and verify

systemctl restart httpd.service
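
A hardened form of the LDAP configuration above, added here as an example and not part of the original post: it moves the LDAP connection to TLS, searches with a dedicated low-privilege account instead of cn=Manager, and keeps the bind password out of the config file. The hostname ldap.example.internal, the CA file path, the svn-reader DN and the helper script path are assumptions.

```apache
# Added example: hardened variant of /etc/httpd/conf.d/w_svn_9001.conf.
# Assumed (not from the original post): ldap.example.internal, the CA file,
# the svn-reader bind account and the password helper script.

# Server-level: trust only the directory's CA and verify the server certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

Listen 127.0.0.1:9001
<Location /svn/>
    DAV svn
    SVNParentPath /var/svn/data
    SVNListParentPath on

    AuthType Basic
    AuthName "Subversion login:"
    AuthBasicProvider ldap

    # ldaps:// encrypts the service bind and every user's password in transit.
    # Use the name in the server certificate, not an IP, so verification succeeds.
    AuthLDAPURL "ldaps://ldap.example.internal/dc=cxzh,dc=ltd?uid?sub?(objectclass=*)"

    # Search with a dedicated read-only account rather than the directory manager.
    AuthLDAPBindDN "cn=svn-reader,ou=Service,dc=cxzh,dc=ltd"
    # httpd 2.4.5+: take the password from the first line the helper prints,
    # so the secret is not stored in this file.
    AuthLDAPBindPassword "exec:/usr/local/sbin/svn-ldap-bindpw"

    # Per-path permissions still come from the authz file.
    AuthzSVNAccessFile /etc/svn_http_authz
    Satisfy all
    Require valid-user
</Location>
```

Run `apachectl configtest` before restarting httpd to catch directive or path errors.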

 

 
posted @ 2021-07-26 16:06  Star-Hitian