Installing CVSWebNT on Apache Webserver

Notes:

Software versions used:

· Apache version 1.3.20

· CVSWebNT version 1.93g

· CVS server 1.11.1.1 (build 27)

· Activestate Perl 5.6.1. (“ActivePerl”as it’s now called)

Notethat the above may not be the latest available, but were the ones used in thisinstallation

Using Apache

The Apache server can be used very easilyin place of the various flavours ofIIS, usually installed as part of NT server and Windows 2000 server, optionally2000 Workstation. IIS has a potted historyof security weaknesses, and unless you want to continually patch it, or youneed any unique features that it provides, such as per directory authenticationusing NTFS permissions, then Apache is probably your simpler and more securebet. You can install Apache in NT/2000server or workstation, I use 2000 Workstation as a test environment beforemoving to an NT server – installation and configuration are the same.

Read the Windows – specific Apachedocumentation after you install it – there are some useful things in there!

Also read the information on devguy at http://www.devguy.com/fp/cfgmgmt/cvs/cvs_admin_nt.htm#CVSWEBIISas much of this is relevant to Apache too, and these instructions are based onit. However one of the better thingsabout Apache is that one does not need to mess with IUSR_ , IWAM_, groups,application protection levels, and all the other MS paraphernalia, whichconfuse the hell out of most people - well me anyway! Apache just gets on with the job and you can understand what it’sdoing. Apache runs under SYSTEM user, that’s it.

Apache Installation

Disable IIS. The easiest way without uninstalling is simply to disable the IIS service, using the “services” icon in NT, or Administrative tools | services in 2000. This allows you to continue using the IIS FTP service if you want, or try IIS without reinstallation. Select “World Wide Web Publishing Service” and change it to “disabled” as shown:

TCP/IP Port 80 isnow free for Apache.

Download and install Apache as a service and reboot. You will then get an Apache service appear in your list of services, and make sure it is set to startup automatically. If you want to protect yourself from prying eyes during configuration and test, an easy and reliable way is install something like Zonealarm and disallow server access to Apache from the Internet (see Zonealarm programs option, and set Apache to only be a server on your local network). This way you can allow local machines for testing purposes, without the rest of the world having a go, as they will if you don’t protect yourself (these days, it’s the best way to catch a virus too).

Configuration

Apache is currently configured through 1file called httpd.conf, though it supports a number of separate conf files for backwardcompatibility. You can use the suppliedhttpd.conf with only a few changes to get a basic CVSWebNT website working.
In the text below, I use localhost as the server name – replace with your domain name as required, butI suggest using localhost for initial testing at least.

Some issues:

CVSWeb creates its web pages on the fly via Perl and delivers them to Apache. So you need Perl and you need to tell Apache how to use it.
CVSWeb produces a basic home page, and it’s a bit fiddly to edit the cvsweb.conf file to make a home page to your exact taste. My recommendation is stick to a simple homepage generated by CVSweb and do your own home page as a normal webpage with a link to the CVSweb cgi. There’s another reason for this – the syntax to get into the CVSweb homepage has to be exact, with a trailing / If you type something like http://localhost/cgi-bin/cvsweb/cvsweb.cgi, you’ll be greeted by:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request…

You need http://localhost/cgi-bin/cvsweb/cvsweb.cgi/ and users will forget this.

Editing httpd.conf

Use Apache help files to help you do yourbasic configuration.

Remember that to make Apache”see” any changes to httpd.conf, you must stopand restart the Apache service in your Windows control panel. Windows 2000 provides a 1-button restartbutton, just for this purpose, in NT you have to stop and start separately.

In httpd.conf, you need to set:

ServerName – any name that suits you.

Optional -
DirectoryIndex index.html index.htm
allows me to use index.htm file as my homepage.

Optional - If you read Apache’s documentation, it suggests setting
DefaultType to something like application/octet-stream
to prevent web browsers from interpreting non-text files as text. This should be useful in the context of CVSWeb as you may be viewing non-text files from CVS and want to prevent browsers showing them as text. However, I think browsers have become cleverer and try to show absolutely anything that they can, and this trick does not appear to be useful in IE5+ and latest Netscape (6.2).

Tell Apache how to deal with cgi’s by uncommenting the line:
AddHandler cgi-script .cgi

That’s all you need to do for a basicconfiguration. You should read up someof the Apache documentation on security, my brute force approach was to securethe whole site – see below.

Basic testing

The above is all you have to do to makeApache work in its default mode, out of the box. If you type http://localhost inyour web browser now, you’ll see the Apache documentation which now forms thedefault website on your machine. If yousee some Microsoft IIS stuff, then you’ve not disabled IIS. Make sure Apache is working properly beforeyou go any further.

Perl

Download and install ActivePerl fromActivestate.

I suggest you install it in the defaultc:\perl and add that to your path (must be in the path), as most of thedocumentation and many scripts come configured for this. Other than that, perl needs noconfiguration.

Remember, if you need to change the SYSTEMpath (not your own path – there are 2 listings for environment variables inWinNT/2000), it will only take effect after logout and logging back in onWindows 2000, or reboot.

You may need to edit any script that runs on this server, including CVSwebNT, so that itcan find your installation of Perl. Youdo this by editing the "hash-bang" line at the beginning of thescript as follows:

Scripts often come with the Unix default:

#!/usr/bin/perl

For the NT/Win2k installation I describe,change it to:

#!/perl/bin/perl

Find the printenv.pl script (supplied by Apache) in your cgi-bin directory, and edit the first line as above. Run the perl test by typing
http://localhost/cgi-bin/printenv.pland you should see a listing of your environment in your browser if perl andApache are running OK together.

Configure for CVSWebNT

So you’ve now got Apache working with Perl,time to try out CVSWebNT. I installedcvsweb in a separate cgi-bin directory as I like to see related things in 1place. I keep cvsweb.conf in thatdirectory to keep related things together.

CVS

Make sure to install a version of CVSNT other than 1.11.1.2, builds 34-39, I recommend 27.
Change your CVS setup to specify the LockDir option. E.g., if the repository is at c:/cvs, put the locks in c:/locks. Make sure the lock folder e.g., c:/locks has full control by SYSTEM and Everyone
Give the users SYSTEM and Everyone full control over c:\winnt\temp or where ever the system TEMP and TMP environment variables are pointing
Extract all files from the RCS distribution (you can get the latest RCS at the GNU site), and put them in a utils directory in the path (see below).
Install the Compress::Zlib module. This is optional (yet recommended anyway, since it avoids running an external process) unless you have gzip.exe in your path.
Extract all files from the cvsweb distribution to c:\program files\apache group\apache\cgi-bin\cvsweb Move the folder
c:\program files\apache group\apache\cgi-bin\cvsweb\icons to
c:\program files\apache group\apache\icons.

More editing of httpd.conf

You can leave documentroot as it is for now, serving up Apache documentation, but if you’vedone your own home page as described above, you’ll need to tell Apache where tofind this when someone types the relevant URL. There are personal preferences for this – you can replace Apache’sdocumentation in htdocs, but I used

c:\programfiles\apache group\apache\www

as my root, so I set

DocumentRoot"C:/Program Files/Apache Group/Apache/www"

And I have my index.htm(homepage) there. It’s always advisableto put a basic index.htm file in all subdirectories below this, in case someonehits on a directory by luck, for which Apache will by default serve up a fulldirectory listing. With index.htm inthere, it will serve that up instead of a directory listing - it can be a blankor redirect page. Also see “security”below – you can globally disable directory listings if you want, and this maybe easier and more secure if you never want a directory listing anywhere on theweb server.

Configuring CVSweb.conf

There are no changes specifically necessaryfor Apache vs. IIS in cvsweb.conf.

In cvsweb.cgi, youwill need to point the script to your .conf file. The followinginstructions very much follow the IIS installation…

Follow the instructions listed in thecvsweb readme file, which are summarized as follows. There are moreinstructions in the readme, these are the basics:

a. Set %CVSROOT folders in c:\programfiles\apache group\apache\cgi-bin\cvsweb\cvsweb.conf. You must use a local path name, you can't use :cvsnt: or :pserver: or :local:. Use forward slashes instead of backslashes.
%CVSROOT = (
'Development' => 'c:/cvs/na',
'Admin' => 'c:/cvs/admin'
);
And also change the next line which specifiesthe default repository name to use.

b. You can try modifying cvsweb.conf and alter the line
#$ENV{'PATH'} = '/usr/local/bin';
Remove the leading # and enter a semicolon-delimited list of folders that contain cvs.exe and rcs.exe (use forwardslashes instead of backslashes).
$ENV{'PATH'} .= 'c:/cvsbin;c:/rcsbin';
but it may be better to just make sure that the rcs tools and cvs.exe are inthe SYSTEM path. Problems have been known to happen with the former solution.

c. Modify c:\program files\apachegroup\apache\cgi-bin\cvsweb\cvsweb.cgi. Look for the line $config = early on in the file and change it to (use forward slashes insteadof backslashes):
$config =$ENV{'CVSWEB_CONFIG'} || 'c:/program files/Apachegroup/Apache/cgi-bin/cvsweb/cvsweb.conf';

For the icons, you can use Apache’s own, orthe ones that come with cvsweb.

Basic security

Protecting your site with passwords

Perhaps the easiest way to protect yoursite, and keep the various worms out, is to set

AllowOverrideAuthConfig

in the httpd.conf file and follow Apache’s documentation on the use of .htaccess and passwordfiles.

I put a .htaccess fileright in the root of my site at

C:\Program Files\Apache Group\Apache\www

With the contents:

AuthUserFile "/Program files/Apache group/Apache/password"

AuthType Basic

AuthName "Richard's Laptop!"

require valid-user

and as it works recursively, this protectsthe whole site. For simple requirements, you can manage the password file manually,but if you want to get fancy, there are various 3^rd party access andauthentication managers that you can get to manage the password file, such aselite cgi’s “Account Manager” at http://cgi.elitehost.com/ .

There are methods for protecting individualtrees in CVS using NTFS file permissions etc, but this is not really practicalfor a website running Apache – that’s when you might reconsider IIS.

Preventing directory listings

If you want to prevent people from surfingthe directories available to your webserver, (other than those designed intoscripts or webpages) add a – in front of indexes as shown below in httpd.conf:

    Options -Indexes FollowSymLinks MultiViews

So for example, users trying to get to saythe contents of http://localhost/images/ will get:

Forbidden

You don't have permission to access /images/ on this server.

Log files

Apache creates large text based logfiles, access.log and error.log, andI’m not currently aware of a specific tool to manage them on NT. To prune them, you need to stop the Apacheservice. I use an old DOS programcalled logtrim in a scheduled batch file:

REM cleanup Apache logs

net stop apache

c:\utils\dos\horst\logtrim C:\Progra~1\Apache~1\Apache\logs\error.log 1000 1000

c:\utils\dos\horst\logtrim C:\Progra~1\Apache~1\Apache\logs\access.log 1000 1000

net start apache

This only takes a couple of seconds torun. You may want something moresophisticated to cycle log files monthly, for example.

Logfile analysis

Analog is an excellent tool to produce anHTML report based on logfile content. One could automate an analog session to create monthly HTML reports,then delete the raw log files.