installation_iis.rst
110 lines
| 4.4 KiB
| text/x-rst
|
RstLexer
/ docs / installation_iis.rst
Henrik Stuart
|
r4500 | .. _installation_iis: | ||
Mads Kiilerich
|
r5413 | ===================================================================== | ||
Henrik Stuart
|
r4500 | Installing Kallithea on Microsoft Internet Information Services (IIS) | ||
===================================================================== | ||||
The following is documented using IIS 7/8 terminology. There should be nothing | ||||
preventing you from applying this on IIS 6 well. | ||||
.. note:: | ||||
For the best security, it is strongly recommended to only host the site over | ||||
a secure connection, e.g. using TLS. | ||||
Mads Kiilerich
|
r5433 | |||
Henrik Stuart
|
r4500 | Prerequisites | ||
------------- | ||||
Apart from the normal requirements for Kallithea, it is also necessary to get an | ||||
ISAPI-WSGI bridge module, e.g. isapi-wsgi. | ||||
Mads Kiilerich
|
r5433 | |||
Henrik Stuart
|
r4500 | Installation | ||
------------ | ||||
Søren Løvborg
|
r5425 | The following assumes that your Kallithea is at ``c:\inetpub\kallithea``, and | ||
Henrik Stuart
|
r4500 | will be served from the root of its own website. The changes to serve it in its | ||
own virtual folder will be noted where appropriate. | ||||
Mads Kiilerich
|
r5413 | Application pool | ||
Henrik Stuart
|
r4500 | ................ | ||
Make sure that there is a unique application pool for the Kallithea application | ||||
with an identity that has read access to the Kallithea distribution. | ||||
The application pool does not need to be able to run any managed code. If you | ||||
Søren Løvborg
|
r5425 | are using a 32-bit Python installation, then you must enable 32-bit program in | ||
the advanced settings for the application pool; otherwise Python will not be able | ||||
to run on the website and neither will Kallithea. | ||||
Henrik Stuart
|
r4500 | |||
.. note:: | ||||
Søren Løvborg
|
r5425 | The application pool can be the same as an existing application pool, | ||
as long as the Kallithea requirements are met by the existing pool. | ||||
Mads Kiilerich
|
r5413 | ISAPI handler | ||
Henrik Stuart
|
r4500 | ............. | ||
Henrik Stuart
|
r4554 | The ISAPI handler can be generated using:: | ||
Henrik Stuart
|
r4500 | |||
Henrik Stuart
|
r4554 | paster install-iis my.ini --root=/ | ||
Henrik Stuart
|
r4500 | |||
Henrik Stuart
|
r4554 | This will generate a ``dispatch.py`` file in the current directory that contains | ||
the necessary components to finalize an installation into IIS. Once this file | ||||
has been generated, it is necessary to run the following command due to the way | ||||
that ISAPI-WSGI is made:: | ||||
Henrik Stuart
|
r4500 | |||
Mads Kiilerich
|
r5502 | python2 dispatch.py install | ||
Henrik Stuart
|
r4500 | |||
Henrik Stuart
|
r4554 | This accomplishes two things: generating an ISAPI compliant DLL file, | ||
``_dispatch.dll``, and installing a script map handler into IIS for the | ||||
``--root`` specified above pointing to ``_dispatch.dll``. | ||||
Henrik Stuart
|
r4500 | |||
The ISAPI handler is registered to all file extensions, so it will automatically | ||||
Henrik Stuart
|
r4554 | be the one handling all requests to the specified root. When the website starts | ||
the ISAPI handler, it will start a thread pool managed wrapper around the paster | ||||
Henrik Stuart
|
r4500 | middleware WSGI handler that Kallithea runs within and each HTTP request to the | ||
site will be processed through this logic henceforth. | ||||
Authentication with Kallithea using IIS authentication modules | ||||
.............................................................. | ||||
The recommended way to handle authentication with Kallithea using IIS is to let | ||||
IIS handle all the authentication and just pass it to Kallithea. | ||||
To move responsibility into IIS from Kallithea, we need to configure Kallithea | ||||
to let external systems handle authentication and then let Kallithea create the | ||||
user automatically. To do this, access the administration's authentication page | ||||
and enable the ``kallithea.lib.auth_modules.auth_container`` plugin. Once it is | ||||
added, enable it with the ``REMOTE_USER`` header and check *Clean username*. | ||||
Finally, save the changes on this page. | ||||
Switch to the administration's permissions page and disable anonymous access, | ||||
otherwise Kallithea will not attempt to use the authenticated user name. By | ||||
default, Kallithea will populate the list of users lazily as they log in. Either | ||||
disable external auth account activation and ensure that you pre-populate the | ||||
user database with an external tool, or set it to *Automatic activation of | ||||
external account*. Finally, save the changes. | ||||
The last necessary step is to enable the relevant authentication in IIS, e.g. | ||||
Windows authentication. | ||||
Mads Kiilerich
|
r5433 | |||
Henrik Stuart
|
r4500 | Troubleshooting | ||
--------------- | ||||
Typically, any issues in this setup will either be entirely in IIS or entirely | ||||
in Kallithea (or Kallithea's WSGI/paster middleware). Consequently, two | ||||
different options for finding issues exist: IIS' failed request tracking which | ||||
is great at finding issues until they exist inside Kallithea, at which point the | ||||
ISAPI-WSGI wrapper above uses ``win32traceutil``, which is part of ``pywin32``. | ||||
In order to dump output from WSGI using ``win32traceutil`` it is sufficient to | ||||
type the following in a console window:: | ||||
Mads Kiilerich
|
r5502 | python2 -m win32traceutil | ||
Henrik Stuart
|
r4500 | |||
and any exceptions occurring in the WSGI layer and below (i.e. in the Kallithea | ||||
application itself) that are uncaught, will be printed here complete with stack | ||||
traces, making it a lot easier to identify issues. | ||||