pmeerw's blog
24 Oct 2008
The goal is to set up a private SVN and MediaWiki that are accessible via SSL only, and only after user authentication (on Ubuntu Linux).
For authentication, the existing system users/groups should be used for both services, i.e. users in group svn should be permitted to access the SVN repository, users in group wiki are allowed to see and edit the Wiki.
Securing MediaWiki can be done using the HttpAuth extension.
Here is the relevant configuration in LocalSettings.php:
session_start();
// Hand the Apache-authenticated user (REMOTE_USER, set by HTTP Basic auth) to
// MediaWiki; keep the plugin active as well for an already established wiki session.
if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || !empty($_COOKIE['fpwiki_en_UserID'])) {
    require_once("$IP/extensions/HttpAuthPlugin.php");
    $wgAuth = new HttpAuthPlugin();
    $wgHooks['AutoAuthenticate'][] = array($wgAuth, 'autoAuthenticate');
}
// Anonymous users ('*') may neither register an account nor read, edit or create anything.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgShowIPinHeader = false;
// Remove the logout link: the identity comes from Apache's authentication, so
// logging out of the wiki alone would not end the session.
$wgHooks['PersonalUrls'][] = 'DisableLogout';
function DisableLogout(&$personal_urls, $title) {
    $personal_urls['logout'] = null;
    return true;
}
Of course, access to the Wiki has to be controlled in Apache:
<Location /wiki>
    SSLRequireSSL
    AuthType Basic
    AuthName "MediaWiki"
    AuthBasicProvider external
    AuthExternal pwauth
    Require group wiki
</Location>
See my notes on the setup of mod_authnz_external for user authentication.
Don't forget to restrict access to /var/lib/mediawiki/config to localhost, and to specify the parameters for mod_authnz_external so it finds pwauth:
AddExternalAuth pwauth /usr/local/bin/pwauth
SetExternalAuthMethod pwauth pipe
Configuration of SVN is rather simple: put the following in /etc/apache2/mods-available/dav_svn.conf:
SSLRequireSSL
AuthType Basic
AuthName "Subversion Repositories"
AuthBasicProvider external
AuthExternal pwauth
Require group svn
Here are the relevant files. Use with care!
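Both stanzas above rely on the same rule: HTTP Basic auth only belongs inside a stanza that also has SSLRequireSSL and a Require line. As an added check that is not part of the post or of Apache, the following script audits Apache config text for exactly those omissions; the samples it runs on are constructed here from the /wiki stanza.

```python
import re

# Audit of Apache stanzas that use HTTP Basic auth, as in the /wiki and dav_svn
# stanzas of this post. Basic auth sends the password (base64, not encrypted) with
# every request, so each stanza must also carry SSLRequireSSL and a Require rule.
# Example code written for this article; not part of Apache or mod_authnz_external.

LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)

def directives(body):
    """Return (name, args) pairs for the non-empty, non-comment lines of a stanza."""
    out = []
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def audit_stanza(scope, body):
    """Findings for one <Location> block or for the directives outside any block."""
    d = directives(body)
    names = {name for name, _ in d}
    if not any(name == "authtype" and args.lower() == "basic" for name, args in d):
        return []  # no Basic auth here, nothing to check
    findings = []
    if "sslrequiressl" not in names:
        findings.append(f"{scope}: AuthType Basic without SSLRequireSSL (password crosses the wire in clear)")
    if "require" not in names:
        findings.append(f"{scope}: AuthType Basic without a Require rule (Apache never challenges, nothing is protected)")
    if any(name == "authbasicprovider" and "external" in args.lower().split() for name, args in d) \
            and "authexternal" not in names:
        findings.append(f"{scope}: AuthBasicProvider external but no AuthExternal program named")
    return findings

def audit_config(text):
    """Audit every <Location> block plus the block-less remainder (as in dav_svn.conf)."""
    findings = []
    for m in LOCATION_RE.finditer(text):
        findings += audit_stanza(m.group(1).strip(), m.group(2))
    findings += audit_stanza("(outside any Location)", LOCATION_RE.sub("", text))
    return findings

# Constructed samples: the post's /wiki stanza, and a careless variant of it.
WIKI_OK = ("<Location /wiki>\n SSLRequireSSL\n AuthType Basic\n AuthName \"MediaWiki\"\n"
           " AuthBasicProvider external\n AuthExternal pwauth\n Require group wiki\n</Location>\n")
WIKI_BAD = WIKI_OK.replace(" SSLRequireSSL\n", "").replace(" Require group wiki\n", "")
```

Run audit_config() over the text of your own stanzas (e.g. the contents of dav_svn.conf); an empty list means every Basic-auth stanza is confined to SSL and carries a Require rule.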
posted at: 21:33 | path: /configuration | permanent link
If you do, don't forget to
add www-data to group shadow (dangerous!)
put AuthBasicAuthoritative Off in front of your AuthPEM stanza
run a2enmod auth_mod_pam
posted at: 20:54 | path: /configuration | permanent link
Use the system users and groups for web authentication? Via PAM? Why is a simple thing so awkward and not directly supported by Apache?
Here is a critical essay describing PAM authentication via mod_authnz_external and pwauth.
One has to compile pwauth on Ubuntu, though. I didn't test PAM but just went with /etc/shadow.
posted at: 20:53 | path: /configuration | permanent link
Install the ssl-cert package and do
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Want certificates valid longer than one month? Nope, look here, here (fixed for Ubuntu Intrepid), here.
posted at: 20:40 | path: /configuration | permanent link
Using NAT in VirtualBox guests is straightforward, but when you want to access a network service provided by the guest, some additional setup is required.
While everybody seems to follow a moderately complex host interface / bridging configuration, there actually is a slick alternative (described in the VirtualBox user manual): NAT with port forwarding. Use the following commands on the host to configure forwarding of host port 2222 to port 22 in the guest.
VBoxManage setextradata "Linux Guest" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol" TCP
VBoxManage setextradata "Linux Guest" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort" 22
VBoxManage setextradata "Linux Guest" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort" 2222
"Linux Guest" is the name of the virtual machine; guestssh is just an identifier describing the service.
posted at: 20:27 | path: /configuration | permanent link