Setting up subversion over ssl and nginx on debian

Subversion supports access over the DAV protocol only through the Apache server. To get it running behind nginx, apache has to be installed on the same system.

To start, install apache and svn support

apt-get install apache2 libapache2-svn

For the apache and nginx web servers to coexist on the same computer and run at the same time, they have to listen on different ports. The standard ssl port is 443, so let's set apache ssl to 8443. To keep that port from being exposed to the Internet, set apache to listen on port 8443 only locally.

Configure apache ports in /etc/apache2/ports.conf to be

Listen 127.0.0.1:8443

Activate SSL and the DAV modules on Apache

$ a2enmod ssl
$ a2enmod dav
$ a2enmod dav_svn

Restart apache

service apache2 restart

Add the DAV configuration

nano -w /etc/apache2/mods-available/dav_svn.conf

LoadModule dav_svn_module modules/mod_dav_svn.so

LoadModule authz_svn_module modules/mod_authz_svn.so


# Example configuration:
# (Location path taken from the test URL used later: /svn/my_repos)
<Location /svn/my_repos>
       DAV svn
       SVNPath /var/svn/my_repos
       SVNListParentPath on

       AuthType Basic
       AuthName "Subversion repository"
       AuthUserFile /var/svn/conf/svnusers.conf
       Require valid-user
       SSLRequireSSL
</Location>

Copy the default ssl configuration into sites-enabled and edit it

cd /etc/apache2/sites-enabled
cp ../sites-available/default-ssl.conf svn-ssl.conf
nano -w svn-ssl.conf

Also set Listen 127.0.0.1:8443 in svn-ssl.conf

Create password files


htpasswd -cm /var/svn/conf/svnusers.conf user1
htpasswd -m /var/svn/conf/svnusers.conf user2

Check permissions. Debian apache should use www-data user and group. You can double check it in /etc/apache2/apache2.conf and /etc/apache2/envvars files, or just by doing ps aux | grep apache.

Make sure the same user/group are owners of the repository.

chown -R www-data:www-data /var/svn/

Restart apache and check if it works, for example with links

links https://127.0.0.1:8443/svn/my_repos
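To confirm that the apache backend port really stays on loopback, the check below looks at both the Listen directives and the live socket table. It is an added example, not part of the original post; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the Apache backend
# port stays on loopback, both in the config and in the live socket table.

# Print Apache "Listen" directives for port $1 that are not pinned to loopback.
# stdin: config text, e.g. ports.conf plus the enabled site files.
exposed_listen_directives() {
    awk -v port="$1" '
        tolower($1) == "listen" {
            n = split($2, p, ":")
            if (p[n] != port) next
            # A bare "Listen 8443" binds every interface.
            if (n == 1 || $2 !~ /^(127\.|\[::1\])/) print
        }'
}

# Print local addresses listening on port $1 that are not loopback.
# stdin: output of "ss -ltn" (column 4 is Local Address:Port).
exposed_listeners() {
    awk -v port="$1" '
        {
            n = split($4, p, ":")
            if (n < 2 || p[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr !~ /^(127\.|\[::1\]$)/) print addr
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_CONF='Listen 80
Listen 127.0.0.1:8443
# Listen 8443'
SAMPLE_CONF_BAD='Listen 8443'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    127.0.0.1:8443     0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*'
SAMPLE_SS_BAD='LISTEN 0      511    0.0.0.0:8443       0.0.0.0:*
LISTEN 0      511    [::]:8443          [::]:*'

# Demo on the constructed "bad" samples: every printed line is a finding.
printf '%s\n' "$SAMPLE_CONF_BAD" | exposed_listen_directives 8443
printf '%s\n' "$SAMPLE_SS_BAD"   | exposed_listeners 8443
```

On a real host, feed it `cat /etc/apache2/ports.conf /etc/apache2/sites-enabled/*.conf | exposed_listen_directives 8443` and `ss -ltn | exposed_listeners 8443`; empty output from both means port 8443 is reachable only from the local machine.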

Create nginx conf file, or add proxy pass in existing config

server {
    listen 80;
    server_name svn.myserver.com;
    return 301 https://$host$request_uri;
}


server {
    listen       443 ssl;
    server_name  svn.myserver.com;

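    # TLS is enabled by the "ssl" parameter on the listen line;
    # the separate "ssl on;" directive is deprecated.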

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    access_log /var/log/nginx/svn.access.log;
    error_log /var/log/nginx/svn.error.log;

    location / {
          proxy_pass   https://127.0.0.1:8443;
    }
}

Restart nginx and check in your web browser.

Apache configuration for pylons

Recently some of our pylons servers experienced mysql overflow. The pylons app is served via apache 2.2 using the worker mpm on gentoo with kernel 3.2. It uses sqlalchemy to access the mysql server. The pylons error is:

>> self.pool.connect(),
Module sqlalchemy.pool:210 in connect
>> return _ConnectionFairy(self).checkout()
Module sqlalchemy.pool:371 in __init__
>> rec = self._connection_record = pool._do_get()
Module sqlalchemy.pool:685 in _do_get
>> (self.size(), self.overflow(), self._timeout))
TimeoutError: QueuePool limit of size 5 overflow 5 reached, connection timed out, timeout 30

Simultaneously, RAM hit 100% capacity and swap kicked in. Looking into memory use on the machine, mysql took ~6%, apache ~1%, and everything else was eaten by pylons. My apps use beaker for caching of certain functions. In principle, turning off the cache might help; however, it would increase system load and slow down server response.

The quick workaround was to modify the number of requests per child in apache, controlled by the MaxRequestsPerChild global. This basically allows faster recycling of processes and freeing

/etc/apache2/modules.d/00_mpm.conf was modified to reduce MaxRequestsPerChild:

<IfModule mpm_worker_module>
StartServers 16
MinSpareThreads 85
MaxSpareThreads 125
ThreadsPerChild 48
MaxClients 768
MaxRequestsPerChild 2000
</IfModule>

Awstats & virtual hosts

Gentoo has finally moved away from webapp-config and simplified updating awstats. An example apache config file that sets up awstats for apache virtual hosts running a wsgi application is given below. Prerequisites are an apache proxy for the wsgi app, and awstats visible at www.some_domain.com/awstats.pl using authentication.

    <VirtualHost *:80>
        ServerName www.some_domain.com
        ServerAlias some_domain.com
        ServerAdmin admin@some_domain.com

        ErrorLog /var/log/apache2/www.some_domain.com-error.log
        CustomLog /var/log/apache2/www.some_domain.com-access.log combined

        # awstats config
        Alias /awstats/classes "/usr/share/awstats/wwwroot/classes/"
        Alias /awstats/css "/usr/share/awstats/wwwroot/css/"
        Alias /awstats/icon "/usr/share/awstats/wwwroot/icon/"
        ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"
        ScriptAlias /awstats "/usr/share/awstats/wwwroot/cgi-bin/awstats.pl"
        ScriptAlias /awstats.pl "/usr/share/awstats/wwwroot/cgi-bin/awstats.pl"

        <Directory "/usr/share/awstats/wwwroot">
                AllowOverride None
                Options None
                Order allow,deny
                Allow from all

                AuthType Basic
                AuthName "AWStats authenticated zone"
                AuthUserFile /etc/awstats/.htpasswd
                Require valid-user
        </Directory>
        <Directory "/usr/share/awstats/wwwroot/cgi-bin">
                SetHandler cgi-script
                Options +ExecCGI
        </Directory>

        ProxyPass /awstats !
        ProxyPass /awstats.pl !

        ProxyPass / http://localhost:5005/ retry=5
        # ProxyPassReverse should name the same backend as ProxyPass; the ports differ here
        ProxyPassReverse / http://localhost:5001/
        ProxyPreserveHost On
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
    </VirtualHost>

Awstats config file (in /etc/awstats/) with geo-ip (emerge dev-perl/Geo-IP)

LogFile="/var/log/apache2/www.some_domain.com-access.log"

LogType=W
LogFormat=1
LogSeparator=" "
HostAliases="localhost 127.0.0.1 REGEX[myserver\.com$]"
DNSLookup=2
DirCgi="/cgi-bin"
DirIcons="/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2

LevelForFileTypesDetection=1
LevelForWormsDetection=2

SiteDomain="www.some_domain.com"
DirData="/home/some_user/awstats"

LoadPlugin="geoip GEOIP_STANDARD /usr/share/GeoIP/GeoIP.dat"

To test the configuration, run
/usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.some_domain.com -update

If you want cron to run the update every hour:
crontab -e -usome_user

0 * * * * cd /etc/awstats/ && /usr/share/awstats/wwwroot/cgi-bin/awstats.pl  -config=www.some_domain.com -update  >/dev/null 2>&1

Error with log file

Error: LogFile parameter is not defined in config/domain file
Setup ('www.dajstadas.com' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

Obviously, check LogFile and the read permissions first. However, this can also fail if you call the awstats update from outside the /etc/awstats directory. Retry with


cd /etc/awstats/ && /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.some_domain.com -update