##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

docs: move authentication info to separate file...
Thomas De Schampheleire -
r7262:2898ea3f default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
This diff has been collapsed as it changes many lines, (604 lines changed) Show them Hide them
@@ -1,950 +1,368 b''
1 .. _setup:
2
3 =====
4 Setup
5 =====
6
7
8 Preparing front-end
9 -------------------
10
11 Temporarily, in the current Kallithea version, some extra steps are required to
12 build front-end files:
13
14 Find the right ``kallithea/public/less`` path with::
15
16 python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
17
18 Then run::
19
20 npm install
21 npm run less
22
23
24 Setting up Kallithea
25 --------------------
26
27 First, you will need to create a Kallithea configuration file. Run the
28 following command to do so::
29
30 gearbox make-config my.ini
31
32 This will create the file ``my.ini`` in the current directory. This
33 configuration file contains the various settings for Kallithea, e.g.
34 proxy port, email settings, usage of static files, cache, Celery
35 settings, and logging. Extra settings can be specified like::
36
37 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
38
39 Next, you need to create the databases used by Kallithea. It is recommended to
40 use PostgreSQL or SQLite (default). If you choose a database other than the
41 default, ensure you properly adjust the database URL in your ``my.ini``
42 configuration file to use this other database. Kallithea currently supports
43 PostgreSQL, SQLite and MySQL databases. Create the database by running
44 the following command::
45
46 gearbox setup-db -c my.ini
47
48 This will prompt you for a "root" path. This "root" path is the location where
49 Kallithea will store all of its repositories on the current machine. After
50 entering this "root" path ``setup-db`` will also prompt you for a username
51 and password for the initial admin account which ``setup-db`` sets
52 up for you.
53
54 The ``setup-db`` values can also be given on the command line.
55 Example::
56
57 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
58
59 The ``setup-db`` command will create all needed tables and an
60 admin account. When choosing a root path you can either use a new
61 empty location, or a location which already contains existing
62 repositories. If you choose a location which contains existing
63 repositories Kallithea will add all of the repositories at the chosen
64 location to its database. (Note: make sure you specify the correct
65 path to the root).
66
67 .. note:: the given path for Mercurial_ repositories **must** be write
68 accessible for the application. It's very important since
69 the Kallithea web interface will work without write access,
70 but when trying to do a push it will fail with permission
71 denied errors unless it has write access.
72
73 You are now ready to use Kallithea. To run it simply execute::
74
75 gearbox serve -c my.ini
76
77 - This command runs the Kallithea server. The web app should be available at
78 http://127.0.0.1:5000. The IP address and port is configurable via the
79 configuration file created in the previous step.
80 - Log in to Kallithea using the admin account created when running ``setup-db``.
81 - The default permissions on each repository is read, and the owner is admin.
82 Remember to update these if needed.
83 - In the admin panel you can toggle LDAP, anonymous, and permissions
84 settings, as well as edit more advanced options on users and
85 repositories.
1 .. _authentication:
2 Authentication setup
3 ====================
86 4
87
88 Internationalization (i18n support)
89 -----------------------------------
90
91 The Kallithea web interface is automatically displayed in the user's preferred
92 language, as indicated by the browser. Thus, different users may see the
93 application in different languages. If the requested language is not available
94 (because the translation file for that language does not yet exist or is
95 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
96 configuration file is used as fallback. If no fallback language is explicitly
97 specified, English is used.
98
99 If you want to disable automatic language detection and instead configure a
100 fixed language regardless of user preference, set ``i18n.enabled = false`` and
101 set ``i18n.lang`` to the desired language (or leave empty for English).
102
103
104 Using Kallithea with SSH
105 ------------------------
106
107 Kallithea currently only hosts repositories using http and https. (The addition
108 of ssh hosting is a planned future feature.) However you can easily use ssh in
109 parallel with Kallithea. (Repository access via ssh is a standard "out of
110 the box" feature of Mercurial_ and you can use this to access any of the
111 repositories that Kallithea is hosting. See PublishingRepositories_)
112
113 Kallithea repository structures are kept in directories with the same name
114 as the project. When using repository groups, each group is a subdirectory.
115 This allows you to easily use ssh for accessing repositories.
116
117 In order to use ssh you need to make sure that your web server and the users'
118 login accounts have the correct permissions set on the appropriate directories.
119
120 .. note:: These permissions are independent of any permissions you
121 have set up using the Kallithea web interface.
122
123 If your main directory (the same as set in Kallithea settings) is for
124 example set to ``/srv/repos`` and the repository you are using is
125 named ``kallithea``, then to clone via ssh you should run::
126
127 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
128
129 Using other external tools such as mercurial-server_ or using ssh key-based
130 authentication is fully supported.
131
132 .. note:: In an advanced setup, in order for your ssh access to use
133 the same permissions as set up via the Kallithea web
134 interface, you can create an authentication hook to connect
135 to the Kallithea db and run check functions for permissions
136 against that.
137
138
139 Setting up Whoosh full text search
140 ----------------------------------
141
142 Kallithea provides full text search of repositories using `Whoosh`__.
143
144 .. __: https://whoosh.readthedocs.io/en/latest/
145
146 For an incremental index build, run::
147
148 gearbox make-index -c my.ini
149
150 For a full index rebuild, run::
151
152 gearbox make-index -c my.ini -f
153
154 The ``--repo-location`` option allows the location of the repositories to be overridden;
155 usually, the location is retrieved from the Kallithea database.
156
157 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
158
159 gearbox make-index -c my.ini --index-only=vcs,kallithea
160
161 To keep your index up-to-date it is necessary to do periodic index builds;
162 for this, it is recommended to use a crontab entry. Example::
163
164 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
165
166 When using incremental mode (the default), Whoosh will check the last
167 modification date of each file and add it to be reindexed if a newer file is
168 available. The indexing daemon checks for any removed files and removes them
169 from index.
170
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172 or in the admin panel you can check the "build from scratch" checkbox.
5 Users can be authenticated in different ways. By default, Kallithea
6 uses its internal user database. Alternative authentication
7 methods include LDAP, PAM, Crowd, and container-based authentication.
173 8
174 9 .. _ldap-setup:
175 10
176 11
177 Setting up LDAP support
178 -----------------------
12 LDAP Authentication
13 -------------------
179 14
180 15 Kallithea supports LDAP authentication. In order
181 16 to use LDAP, you have to install the python-ldap_ package. This package is
182 17 available via PyPI, so you can install it by running::
183 18
184 19 pip install python-ldap
185 20
186 21 .. note:: ``python-ldap`` requires some libraries to be installed on
187 22 your system, so before installing it check that you have at
188 23 least the ``openldap`` and ``sasl`` libraries.
189 24
190 25 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
191 26 and then *Save*, to enable the LDAP plugin and configure its settings.
192 27
193 28 Here's a typical LDAP setup::
194 29
195 30 Connection settings
196 31 Enable LDAP = checked
197 32 Host = host.example.com
198 33 Account = <account>
199 34 Password = <password>
200 35 Connection Security = LDAPS
201 36 Certificate Checks = DEMAND
202 37
203 38 Search settings
204 39 Base DN = CN=users,DC=host,DC=example,DC=org
205 40 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
206 41 LDAP Search Scope = SUBTREE
207 42
208 43 Attribute mappings
209 44 Login Attribute = uid
210 45 First Name Attribute = firstName
211 46 Last Name Attribute = lastName
212 47 Email Attribute = mail
213 48
214 49 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
215 50
216 51 Search settings
217 52 Base DN = DC=host,DC=example,DC=org
218 53 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
219 54 LDAP Search Scope = SUBTREE
220 55
221 56 .. _enable_ldap:
222 57
223 58 Enable LDAP : required
224 59 Whether to use LDAP for authenticating users.
225 60
226 61 .. _ldap_host:
227 62
228 63 Host : required
229 64 LDAP server hostname or IP address. Can be also a comma separated
230 65 list of servers to support LDAP fail-over.
231 66
232 67 .. _Port:
233 68
234 69 Port : optional
235 70 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
236 71 Defaults to 636 for LDAPS.
237 72
238 73 .. _ldap_account:
239 74
240 75 Account : optional
241 76 Only required if the LDAP server does not allow anonymous browsing of
242 77 records. This should be a special account for record browsing. This
243 78 will require `LDAP Password`_ below.
244 79
245 80 .. _LDAP Password:
246 81
247 82 Password : optional
248 83 Only required if the LDAP server does not allow anonymous browsing of
249 84 records.
250 85
251 86 .. _Enable LDAPS:
252 87
253 88 Connection Security : required
254 89 Defines the connection to LDAP server
255 90
256 91 PLAIN
257 92 Plain unencrypted LDAP connection.
258 93 This will by default use `Port`_ 389.
259 94
260 95 LDAPS
261 96 Use secure LDAPS connections according to `Certificate
262 97 Checks`_ configuration.
263 98 This will by default use `Port`_ 636.
264 99
265 100 START_TLS
266 101 Use START TLS according to `Certificate Checks`_ configuration on an
267 102 apparently "plain" LDAP connection.
268 103 This will by default use `Port`_ 389.
269 104
270 105 .. _Certificate Checks:
271 106
272 107 Certificate Checks : optional
273 108 How SSL certificates verification is handled -- this is only useful when
274 109 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
275 110 with mandatory certificate validation, while the other options are
276 111 susceptible to man-in-the-middle attacks.
277 112
278 113 NEVER
279 114 A serve certificate will never be requested or checked.
280 115
281 116 ALLOW
282 117 A server certificate is requested. Failure to provide a
283 118 certificate or providing a bad certificate will not terminate the
284 119 session.
285 120
286 121 TRY
287 122 A server certificate is requested. Failure to provide a
288 123 certificate does not halt the session; providing a bad certificate
289 124 halts the session.
290 125
291 126 DEMAND
292 127 A server certificate is requested and must be provided and
293 128 authenticated for the session to proceed.
294 129
295 130 HARD
296 131 The same as DEMAND.
297 132
298 133 .. _Custom CA Certificates:
299 134
300 135 Custom CA Certificates : optional
301 136 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
302 137 Python 2.7.10 and later default to using the system certificate store, and
303 138 this should thus not be necessary when using certificates signed by a CA
304 139 trusted by the system.
305 140 It can be set to something like `/etc/openldap/cacerts` on older systems or
306 141 if using self-signed certificates.
307 142
308 143 .. _Base DN:
309 144
310 145 Base DN : required
311 146 The Distinguished Name (DN) where searches for users will be performed.
312 147 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
313 148
314 149 .. _LDAP Filter:
315 150
316 151 LDAP Filter : optional
317 152 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
318 153 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
319 154 which LDAP objects are identified as representing Users for
320 155 authentication. The filter is augmented by `Login Attribute`_ below.
321 156 This can commonly be left blank.
322 157
323 158 .. _LDAP Search Scope:
324 159
325 160 LDAP Search Scope : required
326 161 This limits how far LDAP will search for a matching object.
327 162
328 163 BASE
329 164 Only allows searching of `Base DN`_ and is usually not what you
330 165 want.
331 166
332 167 ONELEVEL
333 168 Searches all entries under `Base DN`_, but not Base DN itself.
334 169
335 170 SUBTREE
336 171 Searches all entries below `Base DN`_, but not Base DN itself.
337 172 When using SUBTREE `LDAP Filter`_ is useful to limit object
338 173 location.
339 174
340 175 .. _Login Attribute:
341 176
342 177 Login Attribute : required
343 178 The LDAP record attribute that will be matched as the USERNAME or
344 179 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
345 180 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
346 181 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
347 182 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
348 183 ::
349 184
350 185 (&(LDAPFILTER)(uid=jsmith))
351 186
352 187 .. _ldap_attr_firstname:
353 188
354 189 First Name Attribute : required
355 190 The LDAP record attribute which represents the user's first name.
356 191
357 192 .. _ldap_attr_lastname:
358 193
359 194 Last Name Attribute : required
360 195 The LDAP record attribute which represents the user's last name.
361 196
362 197 .. _ldap_attr_email:
363 198
364 199 Email Attribute : required
365 200 The LDAP record attribute which represents the user's email address.
366 201
367 202 If all data are entered correctly, and python-ldap_ is properly installed
368 203 users should be granted access to Kallithea with LDAP accounts. At this
369 204 time user information is copied from LDAP into the Kallithea user database.
370 205 This means that updates of an LDAP user object may not be reflected as a
371 206 user update in Kallithea.
372 207
373 208 If You have problems with LDAP access and believe You entered correct
374 209 information check out the Kallithea logs, any error messages sent from LDAP
375 210 will be saved there.
376 211
377 212 Active Directory
378 213 ^^^^^^^^^^^^^^^^
379 214
380 215 Kallithea can use Microsoft Active Directory for user authentication. This
381 216 is done through an LDAP or LDAPS connection to Active Directory. The
382 217 following LDAP configuration settings are typical for using Active
383 218 Directory ::
384 219
385 220 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
386 221 Login Attribute = sAMAccountName
387 222 First Name Attribute = givenName
388 223 Last Name Attribute = sn
389 224 Email Attribute = mail
390 225
391 226 All other LDAP settings will likely be site-specific and should be
392 227 appropriately configured.
393 228
394 229
395 230 Authentication by container or reverse-proxy
396 231 --------------------------------------------
397 232
398 233 Kallithea supports delegating the authentication
399 234 of users to its WSGI container, or to a reverse-proxy server through which all
400 235 clients access the application.
401 236
402 237 When these authentication methods are enabled in Kallithea, it uses the
403 238 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
404 239 perform the authentication itself. The authorization, however, is still done by
405 240 Kallithea according to its settings.
406 241
407 242 When a user logs in for the first time using these authentication methods,
408 243 a matching user account is created in Kallithea with default permissions. An
409 244 administrator can then modify it using Kallithea's admin interface.
410 245
411 246 It's also possible for an administrator to create accounts and configure their
412 247 permissions before the user logs in for the first time, using the :ref:`create-user` API.
413 248
414 249 Container-based authentication
415 250 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
416 251
417 252 In a container-based authentication setup, Kallithea reads the user name from
418 253 the ``REMOTE_USER`` server variable provided by the WSGI container.
419 254
420 After setting up your container (see `Apache with mod_wsgi`_), you'll need
255 After setting up your container (see :ref:`apache_mod_wsgi`), you'll need
421 256 to configure it to require authentication on the location configured for
422 257 Kallithea.
423 258
424 259 Proxy pass-through authentication
425 260 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
426 261
427 262 In a proxy pass-through authentication setup, Kallithea reads the user name
428 263 from the ``X-Forwarded-User`` request header, which should be configured to be
429 264 sent by the reverse-proxy server.
430 265
431 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
432 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
266 After setting up your proxy solution (see :ref:`apache_virtual_host_reverse_proxy`,
267 :ref:`apache_subdirectory` or :ref:`nginx_virtual_host`), you'll need to
433 268 configure the authentication and add the username in a request header named
434 269 ``X-Forwarded-User``.
435 270
436 271 For example, the following config section for Apache sets a subdirectory in a
437 272 reverse-proxy setup with basic auth:
438 273
439 274 .. code-block:: apache
440 275
441 276 <Location /someprefix>
442 277 ProxyPass http://127.0.0.1:5000/someprefix
443 278 ProxyPassReverse http://127.0.0.1:5000/someprefix
444 279 SetEnvIf X-Url-Scheme https HTTPS=1
445 280
446 281 AuthType Basic
447 282 AuthName "Kallithea authentication"
448 283 AuthUserFile /srv/kallithea/.htpasswd
449 284 Require valid-user
450 285
451 286 RequestHeader unset X-Forwarded-User
452 287
453 288 RewriteEngine On
454 289 RewriteCond %{LA-U:REMOTE_USER} (.+)
455 290 RewriteRule .* - [E=RU:%1]
456 291 RequestHeader set X-Forwarded-User %{RU}e
457 292 </Location>
458 293
459 294 Setting metadata in container/reverse-proxy
460 295 """""""""""""""""""""""""""""""""""""""""""
461 296 When a new user account is created on the first login, Kallithea has no information about
462 297 the user's email and full name. So you can set some additional request headers like in the
463 298 example below. In this example the user is authenticated via Kerberos and an Apache
464 299 mod_python fixup handler is used to get the user information from a LDAP server. But you
465 300 could set the request headers however you want.
466 301
467 302 .. code-block:: apache
468 303
469 304 <Location /someprefix>
470 305 ProxyPass http://127.0.0.1:5000/someprefix
471 306 ProxyPassReverse http://127.0.0.1:5000/someprefix
472 307 SetEnvIf X-Url-Scheme https HTTPS=1
473 308
474 309 AuthName "Kerberos Login"
475 310 AuthType Kerberos
476 311 Krb5Keytab /etc/apache2/http.keytab
477 312 KrbMethodK5Passwd off
478 313 KrbVerifyKDC on
479 314 Require valid-user
480 315
481 316 PythonFixupHandler ldapmetadata
482 317
483 318 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
484 319 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
485 320 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
486 321 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
487 322 </Location>
488 323
489 324 .. code-block:: python
490 325
491 326 from mod_python import apache
492 327 import ldap
493 328
494 329 LDAP_SERVER = "ldaps://server.mydomain.com:636"
495 330 LDAP_USER = ""
496 331 LDAP_PASS = ""
497 332 LDAP_ROOT = "dc=mydomain,dc=com"
498 333 LDAP_FILTER = "sAMAccountName=%s"
499 334 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
500 335
501 336 def fixuphandler(req):
502 337 if req.user is None:
503 338 # no user to search for
504 339 return apache.OK
505 340 else:
506 341 try:
507 342 if('\\' in req.user):
508 343 username = req.user.split('\\')[1]
509 344 elif('@' in req.user):
510 345 username = req.user.split('@')[0]
511 346 else:
512 347 username = req.user
513 348 l = ldap.initialize(LDAP_SERVER)
514 349 l.simple_bind_s(LDAP_USER, LDAP_PASS)
515 350 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
516 351
517 352 req.subprocess_env['X_REMOTE_USER'] = username
518 353 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
519 354 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
520 355 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
521 356 except Exception, e:
522 357 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
523 358
524 359 return apache.OK
525 360
526 361 .. note::
527 362 If you enable proxy pass-through authentication, make sure your server is
528 363 only accessible through the proxy. Otherwise, any client would be able to
529 364 forge the authentication header and could effectively become authenticated
530 365 using any account of their liking.
531 366
532 367
533 Integration with issue trackers
534 -------------------------------
535
536 Kallithea provides a simple integration with issue trackers. It's possible
537 to define a regular expression that will match an issue ID in commit messages,
538 and have that replaced with a URL to the issue.
539
540 This is achieved with following three variables in the ini file::
541
542 issue_pat = #(\d+)
543 issue_server_link = https://issues.example.com/{repo}/issue/\1
544 issue_sub =
545
546 ``issue_pat`` is the regular expression describing which strings in
547 commit messages will be treated as issue references. The expression can/should
548 have one or more parenthesized groups that can later be referred to in
549 ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
550 can be used instead of simple parenthesized groups.
551
552 If the pattern should only match if it is preceded by whitespace, add the
553 following string before the actual pattern: ``(?:^|(?<=\s))``.
554 If the pattern should only match if it is followed by whitespace, add the
555 following string after the actual pattern: ``(?:$|(?=\s))``.
556 These expressions use lookbehind and lookahead assertions of the Python regular
557 expression module to avoid the whitespace to be part of the actual pattern,
558 otherwise the link text will also contain that whitespace.
559
560 Matched issue references are replaced with the link specified in
561 ``issue_server_link``, in which any backreferences are resolved. Backreferences
562 can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
563 The special token ``{repo}`` is replaced with the full repository path
564 (including repository groups), while token ``{repo_name}`` is replaced with the
565 repository name (without repository groups).
566
567 The link text is determined by ``issue_sub``, which can be a string containing
568 backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
569 empty, then the text matched by ``issue_pat`` is used verbatim.
570
571 The example settings shown above match issues in the format ``#<number>``.
572 This will cause the text ``#300`` to be transformed into a link:
573
574 .. code-block:: html
575
576 <a href="https://issues.example.com/example_repo/issue/300">#300</a>
577
578 The following example transforms a text starting with either of 'pullrequest',
579 'pull request' or 'PR', followed by an optional space, then a pound character
580 (#) and one or more digits, into a link with the text 'PR #' followed by the
581 digits::
582
583 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
584 issue_server_link = https://issues.example.com/\2
585 issue_sub = PR #\2
586
587 The following example demonstrates how to require whitespace before the issue
588 reference in order for it to be recognized, such that the text ``issue#123`` will
589 not cause a match, but ``issue #123`` will::
590
591 issue_pat = (?:^|(?<=\s))#(\d+)
592 issue_server_link = https://issues.example.com/\1
593 issue_sub =
594
595 If needed, more than one pattern can be specified by appending a unique suffix to
596 the variables. For example, also demonstrating the use of named groups::
597
598 issue_pat_wiki = wiki-(?P<pagename>\S+)
599 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
600 issue_sub_wiki = WIKI-\g<pagename>
601
602 With these settings, wiki pages can be referenced as wiki-some-id, and every
603 such reference will be transformed into:
604
605 .. code-block:: html
606
607 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
608
609 Refer to the `Python regular expression documentation`_ for more details about
610 the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
611
612
613 Hook management
614 ---------------
615
616 Hooks can be managed in similar way to that used in ``.hgrc`` files.
617 To manage hooks, choose *Admin > Settings > Hooks*.
618
619 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
620
621 To add another custom hook simply fill in the first textbox with
622 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
623 can be found in ``kallithea.lib.hooks``.
624
625
626 Changing default encoding
627 -------------------------
628
629 By default, Kallithea uses UTF-8 encoding.
630 This is configurable as ``default_encoding`` in the .ini file.
631 This affects many parts in Kallithea including user names, filenames, and
632 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
633 library is installed. If ``chardet`` is detected Kallithea will fallback to it
634 when there are encode/decode errors.
635
636 The Mercurial encoding is configurable as ``hgencoding``. It is similar to
637 setting the ``HGENCODING`` environment variable, but will override it.
638
639
640 Celery configuration
641 --------------------
642
643 Kallithea can use the distributed task queue system Celery_ to run tasks like
644 cloning repositories or sending emails.
645
646 Kallithea will in most setups work perfectly fine out of the box (without
647 Celery), executing all tasks in the web server process. Some tasks can however
648 take some time to run and it can be better to run such tasks asynchronously in
649 a separate process so the web server can focus on serving web requests.
650
651 For installation and configuration of Celery, see the `Celery documentation`_.
652 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
653 or Redis_.
654
655 The use of Celery is configured in the Kallithea ini configuration file.
656 To enable it, simply set::
657
658 use_celery = true
659
660 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
661
662 Remember that the ini files use the format with '.' and not with '_' like
663 Celery. So for example setting `BROKER_HOST` in Celery means setting
664 `broker.host` in the configuration file.
665
666 To start the Celery process, run::
667
668 gearbox celeryd -c <configfile.ini>
669
670 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
671 for more info.
672
673 .. note::
674 Make sure you run this command from the same virtualenv, and with the same
675 user that Kallithea runs.
676
677
678 HTTPS support
679 -------------
680
681 Kallithea will by default generate URLs based on the WSGI environment.
682
683 Alternatively, you can use some special configuration settings to control
684 directly which scheme/protocol Kallithea will use when generating URLs:
685
686 - With ``https_fixup = true``, the scheme will be taken from the
687 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
688 (default ``http``).
689 - With ``force_https = true`` the default will be ``https``.
690 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691
692
693 Nginx virtual host example
694 --------------------------
695
696 Sample config for Nginx using proxy:
697
698 .. code-block:: nginx
699
700 upstream kallithea {
701 server 127.0.0.1:5000;
702 # add more instances for load balancing
703 #server 127.0.0.1:5001;
704 #server 127.0.0.1:5002;
705 }
706
707 ## gist alias
708 server {
709 listen 443;
710 server_name gist.example.com;
711 access_log /var/log/nginx/gist.access.log;
712 error_log /var/log/nginx/gist.error.log;
713
714 ssl on;
715 ssl_certificate gist.your.kallithea.server.crt;
716 ssl_certificate_key gist.your.kallithea.server.key;
717
718 ssl_session_timeout 5m;
719
720 ssl_protocols SSLv3 TLSv1;
721 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
722 ssl_prefer_server_ciphers on;
723
724 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
725 rewrite (.*) https://kallithea.example.com/_admin/gists;
726 }
727
728 server {
729 listen 443;
730 server_name kallithea.example.com
731 access_log /var/log/nginx/kallithea.access.log;
732 error_log /var/log/nginx/kallithea.error.log;
733
734 ssl on;
735 ssl_certificate your.kallithea.server.crt;
736 ssl_certificate_key your.kallithea.server.key;
737
738 ssl_session_timeout 5m;
739
740 ssl_protocols SSLv3 TLSv1;
741 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
742 ssl_prefer_server_ciphers on;
743
744 ## uncomment root directive if you want to serve static files by nginx
745 ## requires static_files = false in .ini file
746 #root /srv/kallithea/kallithea/kallithea/public;
747 include /etc/nginx/proxy.conf;
748 location / {
749 try_files $uri @kallithea;
750 }
751
752 location @kallithea {
753 proxy_pass http://127.0.0.1:5000;
754 }
755
756 }
757
758 Here's the proxy.conf. It's tuned so it will not timeout on long
759 pushes or large pushes::
760
761 proxy_redirect off;
762 proxy_set_header Host $host;
763 ## needed for container auth
764 #proxy_set_header REMOTE_USER $remote_user;
765 #proxy_set_header X-Forwarded-User $remote_user;
766 proxy_set_header X-Url-Scheme $scheme;
767 proxy_set_header X-Host $http_host;
768 proxy_set_header X-Real-IP $remote_addr;
769 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
770 proxy_set_header Proxy-host $proxy_host;
771 proxy_buffering off;
772 proxy_connect_timeout 7200;
773 proxy_send_timeout 7200;
774 proxy_read_timeout 7200;
775 proxy_buffers 8 32k;
776 client_max_body_size 1024m;
777 client_body_buffer_size 128k;
778 large_client_header_buffers 8 64k;
779
780
781 Apache virtual host reverse proxy example
782 -----------------------------------------
783
784 Here is a sample configuration file for Apache using proxy:
785
786 .. code-block:: apache
787
788 <VirtualHost *:80>
789 ServerName kallithea.example.com
790
791 <Proxy *>
792 # For Apache 2.4 and later:
793 Require all granted
794
795 # For Apache 2.2 and earlier, instead use:
796 # Order allow,deny
797 # Allow from all
798 </Proxy>
799
800 #important !
801 #Directive to properly generate url (clone url) for Kallithea
802 ProxyPreserveHost On
803
804 #kallithea instance
805 ProxyPass / http://127.0.0.1:5000/
806 ProxyPassReverse / http://127.0.0.1:5000/
807
808 #to enable https use line below
809 #SetEnvIf X-Url-Scheme https HTTPS=1
810 </VirtualHost>
811
812 Additional tutorial
813 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814
815
816 Apache as subdirectory
817 ----------------------
818
819 Apache subdirectory part:
820
821 .. code-block:: apache
822
823 <Location /PREFIX >
824 ProxyPass http://127.0.0.1:5000/PREFIX
825 ProxyPassReverse http://127.0.0.1:5000/PREFIX
826 SetEnvIf X-Url-Scheme https HTTPS=1
827 </Location>
828
829 Besides the regular apache setup you will need to add the following line
830 into ``[app:main]`` section of your .ini file::
831
832 filter-with = proxy-prefix
833
834 Add the following at the end of the .ini file::
835
836 [filter:proxy-prefix]
837 use = egg:PasteDeploy#prefix
838 prefix = /PREFIX
839
840 then change ``PREFIX`` into your chosen prefix
841
842
843 Apache with mod_wsgi
844 --------------------
845
846 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
847 that, you'll need to:
848
849 - Install mod_wsgi. If using a Debian-based distro, you can install
850 the package libapache2-mod-wsgi::
851
852 aptitude install libapache2-mod-wsgi
853
854 - Enable mod_wsgi::
855
856 a2enmod wsgi
857
858 - Add global Apache configuration to tell mod_wsgi that Python only will be
859 used in the WSGI processes and shouldn't be initialized in the Apache
860 processes::
861
862 WSGIRestrictEmbedded On
863
864 - Create a wsgi dispatch script, like the one below. Make sure you
865 check that the paths correctly point to where you installed Kallithea
866 and its Python Virtual Environment.
867 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
868 as in the following example. Once again, check the paths are
869 correctly specified.
870
871 Here is a sample excerpt from an Apache Virtual Host configuration file:
872
873 .. code-block:: apache
874
875 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
876 python-home=/srv/kallithea/venv
877 WSGIProcessGroup kallithea
878 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
879 WSGIPassAuthorization On
880
881 Or if using a dispatcher WSGI script with proper virtualenv activation:
882
883 .. code-block:: apache
884
885 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
886 WSGIProcessGroup kallithea
887 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
888 WSGIPassAuthorization On
889
890 Apache will by default run as a special Apache user, on Linux systems
891 usually ``www-data`` or ``apache``. If you need to have the repositories
892 directory owned by a different user, use the user and group options to
893 WSGIDaemonProcess to set the name of the user and group.
894
895 Example WSGI dispatch script:
896
897 .. code-block:: python
898
899 import os
900 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
901
902 # sometimes it's needed to set the current dir
903 os.chdir('/srv/kallithea/')
904
905 import site
906 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
907
908 ini = '/srv/kallithea/my.ini'
909 from paste.script.util.logging_config import fileConfig
910 fileConfig(ini)
911 from paste.deploy import loadapp
912 application = loadapp('config:' + ini)
913
914 Or using proper virtualenv activation:
915
916 .. code-block:: python
917
918 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
919 execfile(activate_this, dict(__file__=activate_this))
920
921 import os
922 os.environ['HOME'] = '/srv/kallithea'
923
924 ini = '/srv/kallithea/kallithea.ini'
925 from paste.script.util.logging_config import fileConfig
926 fileConfig(ini)
927 from paste.deploy import loadapp
928 application = loadapp('config:' + ini)
929
930
931 Other configuration files
932 -------------------------
933
934 A number of `example init.d scripts`__ can be found in
935 the ``init.d`` directory of the Kallithea source.
936
937 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
938
939
940 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
941 .. _python: http://www.python.org/
942 .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
943 .. _Mercurial: https://www.mercurial-scm.org/
944 .. _Celery: http://celeryproject.org/
945 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946 .. _RabbitMQ: http://www.rabbitmq.com/
947 .. _Redis: http://redis.io/
948 368 .. _python-ldap: http://www.python-ldap.org/
949 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
950 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
Show file before | Show file after | Hide comments
@@ -1,90 +1,91 b''
1 1 .. _index:
2 2
3 3 #######################
4 4 Kallithea Documentation
5 5 #######################
6 6
7 7 * :ref:`genindex`
8 8 * :ref:`search`
9 9
10 10
11 11 Readme
12 12 ******
13 13
14 14 .. toctree::
15 15 :maxdepth: 1
16 16
17 17 readme
18 18
19 19
20 20 Administrator guide
21 21 *******************
22 22
23 23 **Installation and upgrade**
24 24
25 25 .. toctree::
26 26 :maxdepth: 1
27 27
28 28 overview
29 29 installation
30 30 installation_win
31 31 installation_win_old
32 32 installation_iis
33 33 installation_puppet
34 34 upgrade
35 35
36 36 **Setup and configuration**
37 37
38 38 .. toctree::
39 39 :maxdepth: 1
40 40
41 41 setup
42 administrator_guide/auth
42 43 administrator_guide/vcs_setup
43 44 usage/email
44 45 usage/customization
45 46
46 47 **Maintenance**
47 48
48 49 .. toctree::
49 50 :maxdepth: 1
50 51
51 52 usage/backup
52 53 usage/performance
53 54 usage/debugging
54 55 usage/troubleshooting
55 56
56 57
57 58 User guide
58 59 **********
59 60
60 61 .. toctree::
61 62 :maxdepth: 1
62 63
63 64 usage/general
64 65 usage/vcs_notes
65 66 usage/locking
66 67 usage/statistics
67 68 api/api
68 69
69 70
70 71 Developer guide
71 72 ***************
72 73
73 74 .. toctree::
74 75 :maxdepth: 1
75 76
76 77 contributing
77 78 dev/translation
78 79 dev/dbmigrations
79 80
80 81
81 82 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
82 83 .. _python: http://www.python.org/
83 84 .. _django: http://www.djangoproject.com/
84 85 .. _mercurial: https://www.mercurial-scm.org/
85 86 .. _bitbucket: http://bitbucket.org/
86 87 .. _subversion: http://subversion.tigris.org/
87 88 .. _git: http://git-scm.com/
88 89 .. _celery: http://celeryproject.org/
89 90 .. _Sphinx: http://sphinx.pocoo.org/
90 91 .. _vcs: http://pypi.python.org/pypi/vcs
Show file before | Show file after | Hide comments
@@ -1,950 +1,599 b''
1 1 .. _setup:
2 2
3 3 =====
4 4 Setup
5 5 =====
6 6
7 7
8 8 Preparing front-end
9 9 -------------------
10 10
11 11 Temporarily, in the current Kallithea version, some extra steps are required to
12 12 build front-end files:
13 13
14 14 Find the right ``kallithea/public/less`` path with::
15 15
16 16 python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
17 17
18 18 Then run::
19 19
20 20 npm install
21 21 npm run less
22 22
23 23
24 24 Setting up Kallithea
25 25 --------------------
26 26
27 27 First, you will need to create a Kallithea configuration file. Run the
28 28 following command to do so::
29 29
30 30 gearbox make-config my.ini
31 31
32 32 This will create the file ``my.ini`` in the current directory. This
33 33 configuration file contains the various settings for Kallithea, e.g.
34 34 proxy port, email settings, usage of static files, cache, Celery
35 35 settings, and logging. Extra settings can be specified like::
36 36
37 37 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
38 38
39 39 Next, you need to create the databases used by Kallithea. It is recommended to
40 40 use PostgreSQL or SQLite (default). If you choose a database other than the
41 41 default, ensure you properly adjust the database URL in your ``my.ini``
42 42 configuration file to use this other database. Kallithea currently supports
43 43 PostgreSQL, SQLite and MySQL databases. Create the database by running
44 44 the following command::
45 45
46 46 gearbox setup-db -c my.ini
47 47
48 48 This will prompt you for a "root" path. This "root" path is the location where
49 49 Kallithea will store all of its repositories on the current machine. After
50 50 entering this "root" path ``setup-db`` will also prompt you for a username
51 51 and password for the initial admin account which ``setup-db`` sets
52 52 up for you.
53 53
54 54 The ``setup-db`` values can also be given on the command line.
55 55 Example::
56 56
57 57 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
58 58
59 59 The ``setup-db`` command will create all needed tables and an
60 60 admin account. When choosing a root path you can either use a new
61 61 empty location, or a location which already contains existing
62 62 repositories. If you choose a location which contains existing
63 63 repositories Kallithea will add all of the repositories at the chosen
64 64 location to its database. (Note: make sure you specify the correct
65 65 path to the root).
66 66
67 67 .. note:: the given path for Mercurial_ repositories **must** be write
68 68 accessible for the application. It's very important since
69 69 the Kallithea web interface will work without write access,
70 70 but when trying to do a push it will fail with permission
71 71 denied errors unless it has write access.
72 72
73 73 You are now ready to use Kallithea. To run it simply execute::
74 74
75 75 gearbox serve -c my.ini
76 76
77 77 - This command runs the Kallithea server. The web app should be available at
78 78 http://127.0.0.1:5000. The IP address and port is configurable via the
79 79 configuration file created in the previous step.
80 80 - Log in to Kallithea using the admin account created when running ``setup-db``.
81 81 - The default permissions on each repository is read, and the owner is admin.
82 82 Remember to update these if needed.
83 83 - In the admin panel you can toggle LDAP, anonymous, and permissions
84 84 settings, as well as edit more advanced options on users and
85 85 repositories.
86 86
87 87
88 88 Internationalization (i18n support)
89 89 -----------------------------------
90 90
91 91 The Kallithea web interface is automatically displayed in the user's preferred
92 92 language, as indicated by the browser. Thus, different users may see the
93 93 application in different languages. If the requested language is not available
94 94 (because the translation file for that language does not yet exist or is
95 95 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
96 96 configuration file is used as fallback. If no fallback language is explicitly
97 97 specified, English is used.
98 98
99 99 If you want to disable automatic language detection and instead configure a
100 100 fixed language regardless of user preference, set ``i18n.enabled = false`` and
101 101 set ``i18n.lang`` to the desired language (or leave empty for English).
102 102
103 103
104 104 Using Kallithea with SSH
105 105 ------------------------
106 106
107 107 Kallithea currently only hosts repositories using http and https. (The addition
108 108 of ssh hosting is a planned future feature.) However you can easily use ssh in
109 109 parallel with Kallithea. (Repository access via ssh is a standard "out of
110 110 the box" feature of Mercurial_ and you can use this to access any of the
111 111 repositories that Kallithea is hosting. See PublishingRepositories_)
112 112
113 113 Kallithea repository structures are kept in directories with the same name
114 114 as the project. When using repository groups, each group is a subdirectory.
115 115 This allows you to easily use ssh for accessing repositories.
116 116
117 117 In order to use ssh you need to make sure that your web server and the users'
118 118 login accounts have the correct permissions set on the appropriate directories.
119 119
120 120 .. note:: These permissions are independent of any permissions you
121 121 have set up using the Kallithea web interface.
122 122
123 123 If your main directory (the same as set in Kallithea settings) is for
124 124 example set to ``/srv/repos`` and the repository you are using is
125 125 named ``kallithea``, then to clone via ssh you should run::
126 126
127 127 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
128 128
129 129 Using other external tools such as mercurial-server_ or using ssh key-based
130 130 authentication is fully supported.
131 131
132 132 .. note:: In an advanced setup, in order for your ssh access to use
133 133 the same permissions as set up via the Kallithea web
134 134 interface, you can create an authentication hook to connect
135 135 to the Kallithea db and run check functions for permissions
136 136 against that.
137 137
138 138
139 139 Setting up Whoosh full text search
140 140 ----------------------------------
141 141
142 142 Kallithea provides full text search of repositories using `Whoosh`__.
143 143
144 144 .. __: https://whoosh.readthedocs.io/en/latest/
145 145
146 146 For an incremental index build, run::
147 147
148 148 gearbox make-index -c my.ini
149 149
150 150 For a full index rebuild, run::
151 151
152 152 gearbox make-index -c my.ini -f
153 153
154 154 The ``--repo-location`` option allows the location of the repositories to be overridden;
155 155 usually, the location is retrieved from the Kallithea database.
156 156
157 157 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
158 158
159 159 gearbox make-index -c my.ini --index-only=vcs,kallithea
160 160
161 161 To keep your index up-to-date it is necessary to do periodic index builds;
162 162 for this, it is recommended to use a crontab entry. Example::
163 163
164 164 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
165 165
166 166 When using incremental mode (the default), Whoosh will check the last
167 167 modification date of each file and add it to be reindexed if a newer file is
168 168 available. The indexing daemon checks for any removed files and removes them
169 169 from index.
170 170
171 171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172 172 or in the admin panel you can check the "build from scratch" checkbox.
173 173
174 .. _ldap-setup:
175
176
177 Setting up LDAP support
178 -----------------------
179
180 Kallithea supports LDAP authentication. In order
181 to use LDAP, you have to install the python-ldap_ package. This package is
182 available via PyPI, so you can install it by running::
183
184 pip install python-ldap
185
186 .. note:: ``python-ldap`` requires some libraries to be installed on
187 your system, so before installing it check that you have at
188 least the ``openldap`` and ``sasl`` libraries.
189
190 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
191 and then *Save*, to enable the LDAP plugin and configure its settings.
192
193 Here's a typical LDAP setup::
194
195 Connection settings
196 Enable LDAP = checked
197 Host = host.example.com
198 Account = <account>
199 Password = <password>
200 Connection Security = LDAPS
201 Certificate Checks = DEMAND
202
203 Search settings
204 Base DN = CN=users,DC=host,DC=example,DC=org
205 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
206 LDAP Search Scope = SUBTREE
207
208 Attribute mappings
209 Login Attribute = uid
210 First Name Attribute = firstName
211 Last Name Attribute = lastName
212 Email Attribute = mail
213
214 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
215
216 Search settings
217 Base DN = DC=host,DC=example,DC=org
218 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
219 LDAP Search Scope = SUBTREE
220
221 .. _enable_ldap:
222
223 Enable LDAP : required
224 Whether to use LDAP for authenticating users.
225
226 .. _ldap_host:
227
228 Host : required
229 LDAP server hostname or IP address. Can be also a comma separated
230 list of servers to support LDAP fail-over.
231
232 .. _Port:
233
234 Port : optional
235 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
236 Defaults to 636 for LDAPS.
237
238 .. _ldap_account:
239
240 Account : optional
241 Only required if the LDAP server does not allow anonymous browsing of
242 records. This should be a special account for record browsing. This
243 will require `LDAP Password`_ below.
244
245 .. _LDAP Password:
246
247 Password : optional
248 Only required if the LDAP server does not allow anonymous browsing of
249 records.
250
251 .. _Enable LDAPS:
252
253 Connection Security : required
254 Defines the connection to LDAP server
255
256 PLAIN
257 Plain unencrypted LDAP connection.
258 This will by default use `Port`_ 389.
259
260 LDAPS
261 Use secure LDAPS connections according to `Certificate
262 Checks`_ configuration.
263 This will by default use `Port`_ 636.
264
265 START_TLS
266 Use START TLS according to `Certificate Checks`_ configuration on an
267 apparently "plain" LDAP connection.
268 This will by default use `Port`_ 389.
269
270 .. _Certificate Checks:
271
272 Certificate Checks : optional
273 How SSL certificates verification is handled -- this is only useful when
274 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
275 with mandatory certificate validation, while the other options are
276 susceptible to man-in-the-middle attacks.
277
278 NEVER
279 A serve certificate will never be requested or checked.
280
281 ALLOW
282 A server certificate is requested. Failure to provide a
283 certificate or providing a bad certificate will not terminate the
284 session.
285
286 TRY
287 A server certificate is requested. Failure to provide a
288 certificate does not halt the session; providing a bad certificate
289 halts the session.
290
291 DEMAND
292 A server certificate is requested and must be provided and
293 authenticated for the session to proceed.
294
295 HARD
296 The same as DEMAND.
297
298 .. _Custom CA Certificates:
299
300 Custom CA Certificates : optional
301 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
302 Python 2.7.10 and later default to using the system certificate store, and
303 this should thus not be necessary when using certificates signed by a CA
304 trusted by the system.
305 It can be set to something like `/etc/openldap/cacerts` on older systems or
306 if using self-signed certificates.
307
308 .. _Base DN:
309
310 Base DN : required
311 The Distinguished Name (DN) where searches for users will be performed.
312 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
313
314 .. _LDAP Filter:
315
316 LDAP Filter : optional
317 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
318 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
319 which LDAP objects are identified as representing Users for
320 authentication. The filter is augmented by `Login Attribute`_ below.
321 This can commonly be left blank.
322
323 .. _LDAP Search Scope:
324
325 LDAP Search Scope : required
326 This limits how far LDAP will search for a matching object.
327
328 BASE
329 Only allows searching of `Base DN`_ and is usually not what you
330 want.
331
332 ONELEVEL
333 Searches all entries under `Base DN`_, but not Base DN itself.
334
335 SUBTREE
336 Searches all entries below `Base DN`_, but not Base DN itself.
337 When using SUBTREE `LDAP Filter`_ is useful to limit object
338 location.
339
340 .. _Login Attribute:
341
342 Login Attribute : required
343 The LDAP record attribute that will be matched as the USERNAME or
344 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
345 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
346 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
347 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
348 ::
349
350 (&(LDAPFILTER)(uid=jsmith))
351
352 .. _ldap_attr_firstname:
353
354 First Name Attribute : required
355 The LDAP record attribute which represents the user's first name.
356
357 .. _ldap_attr_lastname:
358
359 Last Name Attribute : required
360 The LDAP record attribute which represents the user's last name.
361
362 .. _ldap_attr_email:
363
364 Email Attribute : required
365 The LDAP record attribute which represents the user's email address.
366
367 If all data are entered correctly, and python-ldap_ is properly installed
368 users should be granted access to Kallithea with LDAP accounts. At this
369 time user information is copied from LDAP into the Kallithea user database.
370 This means that updates of an LDAP user object may not be reflected as a
371 user update in Kallithea.
372
373 If You have problems with LDAP access and believe You entered correct
374 information check out the Kallithea logs, any error messages sent from LDAP
375 will be saved there.
376
377 Active Directory
378 ^^^^^^^^^^^^^^^^
379
380 Kallithea can use Microsoft Active Directory for user authentication. This
381 is done through an LDAP or LDAPS connection to Active Directory. The
382 following LDAP configuration settings are typical for using Active
383 Directory ::
384
385 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
386 Login Attribute = sAMAccountName
387 First Name Attribute = givenName
388 Last Name Attribute = sn
389 Email Attribute = mail
390
391 All other LDAP settings will likely be site-specific and should be
392 appropriately configured.
393
394
395 Authentication by container or reverse-proxy
396 --------------------------------------------
397
398 Kallithea supports delegating the authentication
399 of users to its WSGI container, or to a reverse-proxy server through which all
400 clients access the application.
401
402 When these authentication methods are enabled in Kallithea, it uses the
403 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
404 perform the authentication itself. The authorization, however, is still done by
405 Kallithea according to its settings.
406
407 When a user logs in for the first time using these authentication methods,
408 a matching user account is created in Kallithea with default permissions. An
409 administrator can then modify it using Kallithea's admin interface.
410
411 It's also possible for an administrator to create accounts and configure their
412 permissions before the user logs in for the first time, using the :ref:`create-user` API.
413
414 Container-based authentication
415 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
416
417 In a container-based authentication setup, Kallithea reads the user name from
418 the ``REMOTE_USER`` server variable provided by the WSGI container.
419
420 After setting up your container (see `Apache with mod_wsgi`_), you'll need
421 to configure it to require authentication on the location configured for
422 Kallithea.
423
424 Proxy pass-through authentication
425 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
426
427 In a proxy pass-through authentication setup, Kallithea reads the user name
428 from the ``X-Forwarded-User`` request header, which should be configured to be
429 sent by the reverse-proxy server.
430
431 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
432 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
433 configure the authentication and add the username in a request header named
434 ``X-Forwarded-User``.
435
436 For example, the following config section for Apache sets a subdirectory in a
437 reverse-proxy setup with basic auth:
438
439 .. code-block:: apache
440
441 <Location /someprefix>
442 ProxyPass http://127.0.0.1:5000/someprefix
443 ProxyPassReverse http://127.0.0.1:5000/someprefix
444 SetEnvIf X-Url-Scheme https HTTPS=1
445
446 AuthType Basic
447 AuthName "Kallithea authentication"
448 AuthUserFile /srv/kallithea/.htpasswd
449 Require valid-user
450
451 RequestHeader unset X-Forwarded-User
452
453 RewriteEngine On
454 RewriteCond %{LA-U:REMOTE_USER} (.+)
455 RewriteRule .* - [E=RU:%1]
456 RequestHeader set X-Forwarded-User %{RU}e
457 </Location>
458
459 Setting metadata in container/reverse-proxy
460 """""""""""""""""""""""""""""""""""""""""""
461 When a new user account is created on the first login, Kallithea has no information about
462 the user's email and full name. So you can set some additional request headers like in the
463 example below. In this example the user is authenticated via Kerberos and an Apache
464 mod_python fixup handler is used to get the user information from a LDAP server. But you
465 could set the request headers however you want.
466
467 .. code-block:: apache
468
469 <Location /someprefix>
470 ProxyPass http://127.0.0.1:5000/someprefix
471 ProxyPassReverse http://127.0.0.1:5000/someprefix
472 SetEnvIf X-Url-Scheme https HTTPS=1
473
474 AuthName "Kerberos Login"
475 AuthType Kerberos
476 Krb5Keytab /etc/apache2/http.keytab
477 KrbMethodK5Passwd off
478 KrbVerifyKDC on
479 Require valid-user
480
481 PythonFixupHandler ldapmetadata
482
483 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
484 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
485 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
486 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
487 </Location>
488
489 .. code-block:: python
490
491 from mod_python import apache
492 import ldap
493
494 LDAP_SERVER = "ldaps://server.mydomain.com:636"
495 LDAP_USER = ""
496 LDAP_PASS = ""
497 LDAP_ROOT = "dc=mydomain,dc=com"
498 LDAP_FILTER = "sAMAccountName=%s"
499 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
500
501 def fixuphandler(req):
502 if req.user is None:
503 # no user to search for
504 return apache.OK
505 else:
506 try:
507 if('\\' in req.user):
508 username = req.user.split('\\')[1]
509 elif('@' in req.user):
510 username = req.user.split('@')[0]
511 else:
512 username = req.user
513 l = ldap.initialize(LDAP_SERVER)
514 l.simple_bind_s(LDAP_USER, LDAP_PASS)
515 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
516
517 req.subprocess_env['X_REMOTE_USER'] = username
518 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
519 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
520 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
521 except Exception, e:
522 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
523
524 return apache.OK
525
526 .. note::
527 If you enable proxy pass-through authentication, make sure your server is
528 only accessible through the proxy. Otherwise, any client would be able to
529 forge the authentication header and could effectively become authenticated
530 using any account of their liking.
531
532 174
533 175 Integration with issue trackers
534 176 -------------------------------
535 177
536 178 Kallithea provides a simple integration with issue trackers. It's possible
537 179 to define a regular expression that will match an issue ID in commit messages,
538 180 and have that replaced with a URL to the issue.
539 181
540 182 This is achieved with following three variables in the ini file::
541 183
542 184 issue_pat = #(\d+)
543 185 issue_server_link = https://issues.example.com/{repo}/issue/\1
544 186 issue_sub =
545 187
546 188 ``issue_pat`` is the regular expression describing which strings in
547 189 commit messages will be treated as issue references. The expression can/should
548 190 have one or more parenthesized groups that can later be referred to in
549 191 ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
550 192 can be used instead of simple parenthesized groups.
551 193
552 194 If the pattern should only match if it is preceded by whitespace, add the
553 195 following string before the actual pattern: ``(?:^|(?<=\s))``.
554 196 If the pattern should only match if it is followed by whitespace, add the
555 197 following string after the actual pattern: ``(?:$|(?=\s))``.
556 198 These expressions use lookbehind and lookahead assertions of the Python regular
557 199 expression module to avoid the whitespace to be part of the actual pattern,
558 200 otherwise the link text will also contain that whitespace.
559 201
560 202 Matched issue references are replaced with the link specified in
561 203 ``issue_server_link``, in which any backreferences are resolved. Backreferences
562 204 can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
563 205 The special token ``{repo}`` is replaced with the full repository path
564 206 (including repository groups), while token ``{repo_name}`` is replaced with the
565 207 repository name (without repository groups).
566 208
567 209 The link text is determined by ``issue_sub``, which can be a string containing
568 210 backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
569 211 empty, then the text matched by ``issue_pat`` is used verbatim.
570 212
571 213 The example settings shown above match issues in the format ``#<number>``.
572 214 This will cause the text ``#300`` to be transformed into a link:
573 215
574 216 .. code-block:: html
575 217
576 218 <a href="https://issues.example.com/example_repo/issue/300">#300</a>
577 219
578 220 The following example transforms a text starting with either of 'pullrequest',
579 221 'pull request' or 'PR', followed by an optional space, then a pound character
580 222 (#) and one or more digits, into a link with the text 'PR #' followed by the
581 223 digits::
582 224
583 225 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
584 226 issue_server_link = https://issues.example.com/\2
585 227 issue_sub = PR #\2
586 228
587 229 The following example demonstrates how to require whitespace before the issue
588 230 reference in order for it to be recognized, such that the text ``issue#123`` will
589 231 not cause a match, but ``issue #123`` will::
590 232
591 233 issue_pat = (?:^|(?<=\s))#(\d+)
592 234 issue_server_link = https://issues.example.com/\1
593 235 issue_sub =
594 236
595 237 If needed, more than one pattern can be specified by appending a unique suffix to
596 238 the variables. For example, also demonstrating the use of named groups::
597 239
598 240 issue_pat_wiki = wiki-(?P<pagename>\S+)
599 241 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
600 242 issue_sub_wiki = WIKI-\g<pagename>
601 243
602 244 With these settings, wiki pages can be referenced as wiki-some-id, and every
603 245 such reference will be transformed into:
604 246
605 247 .. code-block:: html
606 248
607 249 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
608 250
609 251 Refer to the `Python regular expression documentation`_ for more details about
610 252 the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
611 253
612 254
613 255 Hook management
614 256 ---------------
615 257
616 258 Hooks can be managed in similar way to that used in ``.hgrc`` files.
617 259 To manage hooks, choose *Admin > Settings > Hooks*.
618 260
619 261 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
620 262
621 263 To add another custom hook simply fill in the first textbox with
622 264 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
623 265 can be found in ``kallithea.lib.hooks``.
624 266
625 267
626 268 Changing default encoding
627 269 -------------------------
628 270
629 271 By default, Kallithea uses UTF-8 encoding.
630 272 This is configurable as ``default_encoding`` in the .ini file.
631 273 This affects many parts in Kallithea including user names, filenames, and
632 274 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
633 275 library is installed. If ``chardet`` is detected Kallithea will fallback to it
634 276 when there are encode/decode errors.
635 277
636 278 The Mercurial encoding is configurable as ``hgencoding``. It is similar to
637 279 setting the ``HGENCODING`` environment variable, but will override it.
638 280
639 281
640 282 Celery configuration
641 283 --------------------
642 284
643 285 Kallithea can use the distributed task queue system Celery_ to run tasks like
644 286 cloning repositories or sending emails.
645 287
646 288 Kallithea will in most setups work perfectly fine out of the box (without
647 289 Celery), executing all tasks in the web server process. Some tasks can however
648 290 take some time to run and it can be better to run such tasks asynchronously in
649 291 a separate process so the web server can focus on serving web requests.
650 292
651 293 For installation and configuration of Celery, see the `Celery documentation`_.
652 294 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
653 295 or Redis_.
654 296
655 297 The use of Celery is configured in the Kallithea ini configuration file.
656 298 To enable it, simply set::
657 299
658 300 use_celery = true
659 301
660 302 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
661 303
662 304 Remember that the ini files use the format with '.' and not with '_' like
663 305 Celery. So for example setting `BROKER_HOST` in Celery means setting
664 306 `broker.host` in the configuration file.
665 307
666 308 To start the Celery process, run::
667 309
668 310 gearbox celeryd -c <configfile.ini>
669 311
670 312 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
671 313 for more info.
672 314
673 315 .. note::
674 316 Make sure you run this command from the same virtualenv, and with the same
675 317 user that Kallithea runs.
676 318
677 319
678 320 HTTPS support
679 321 -------------
680 322
681 323 Kallithea will by default generate URLs based on the WSGI environment.
682 324
683 325 Alternatively, you can use some special configuration settings to control
684 326 directly which scheme/protocol Kallithea will use when generating URLs:
685 327
686 328 - With ``https_fixup = true``, the scheme will be taken from the
687 329 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
688 330 (default ``http``).
689 331 - With ``force_https = true`` the default will be ``https``.
690 332 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691 333
334 .. _nginx_virtual_host:
335
692 336
693 337 Nginx virtual host example
694 338 --------------------------
695 339
696 340 Sample config for Nginx using proxy:
697 341
698 342 .. code-block:: nginx
699 343
700 344 upstream kallithea {
701 345 server 127.0.0.1:5000;
702 346 # add more instances for load balancing
703 347 #server 127.0.0.1:5001;
704 348 #server 127.0.0.1:5002;
705 349 }
706 350
707 351 ## gist alias
708 352 server {
709 353 listen 443;
710 354 server_name gist.example.com;
711 355 access_log /var/log/nginx/gist.access.log;
712 356 error_log /var/log/nginx/gist.error.log;
713 357
714 358 ssl on;
715 359 ssl_certificate gist.your.kallithea.server.crt;
716 360 ssl_certificate_key gist.your.kallithea.server.key;
717 361
718 362 ssl_session_timeout 5m;
719 363
720 364 ssl_protocols SSLv3 TLSv1;
721 365 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
722 366 ssl_prefer_server_ciphers on;
723 367
724 368 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
725 369 rewrite (.*) https://kallithea.example.com/_admin/gists;
726 370 }
727 371
728 372 server {
729 373 listen 443;
730 374 server_name kallithea.example.com
731 375 access_log /var/log/nginx/kallithea.access.log;
732 376 error_log /var/log/nginx/kallithea.error.log;
733 377
734 378 ssl on;
735 379 ssl_certificate your.kallithea.server.crt;
736 380 ssl_certificate_key your.kallithea.server.key;
737 381
738 382 ssl_session_timeout 5m;
739 383
740 384 ssl_protocols SSLv3 TLSv1;
741 385 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
742 386 ssl_prefer_server_ciphers on;
743 387
744 388 ## uncomment root directive if you want to serve static files by nginx
745 389 ## requires static_files = false in .ini file
746 390 #root /srv/kallithea/kallithea/kallithea/public;
747 391 include /etc/nginx/proxy.conf;
748 392 location / {
749 393 try_files $uri @kallithea;
750 394 }
751 395
752 396 location @kallithea {
753 397 proxy_pass http://127.0.0.1:5000;
754 398 }
755 399
756 400 }
757 401
758 402 Here's the proxy.conf. It's tuned so it will not timeout on long
759 403 pushes or large pushes::
760 404
761 405 proxy_redirect off;
762 406 proxy_set_header Host $host;
763 407 ## needed for container auth
764 408 #proxy_set_header REMOTE_USER $remote_user;
765 409 #proxy_set_header X-Forwarded-User $remote_user;
766 410 proxy_set_header X-Url-Scheme $scheme;
767 411 proxy_set_header X-Host $http_host;
768 412 proxy_set_header X-Real-IP $remote_addr;
769 413 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
770 414 proxy_set_header Proxy-host $proxy_host;
771 415 proxy_buffering off;
772 416 proxy_connect_timeout 7200;
773 417 proxy_send_timeout 7200;
774 418 proxy_read_timeout 7200;
775 419 proxy_buffers 8 32k;
776 420 client_max_body_size 1024m;
777 421 client_body_buffer_size 128k;
778 422 large_client_header_buffers 8 64k;
779 423
424 .. _apache_virtual_host_reverse_proxy:
425
780 426
781 427 Apache virtual host reverse proxy example
782 428 -----------------------------------------
783 429
784 430 Here is a sample configuration file for Apache using proxy:
785 431
786 432 .. code-block:: apache
787 433
788 434 <VirtualHost *:80>
789 435 ServerName kallithea.example.com
790 436
791 437 <Proxy *>
792 438 # For Apache 2.4 and later:
793 439 Require all granted
794 440
795 441 # For Apache 2.2 and earlier, instead use:
796 442 # Order allow,deny
797 443 # Allow from all
798 444 </Proxy>
799 445
800 446 #important !
801 447 #Directive to properly generate url (clone url) for Kallithea
802 448 ProxyPreserveHost On
803 449
804 450 #kallithea instance
805 451 ProxyPass / http://127.0.0.1:5000/
806 452 ProxyPassReverse / http://127.0.0.1:5000/
807 453
808 454 #to enable https use line below
809 455 #SetEnvIf X-Url-Scheme https HTTPS=1
810 456 </VirtualHost>
811 457
812 458 Additional tutorial
813 459 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814 460
461 .. _apache_subdirectory:
462
815 463
816 464 Apache as subdirectory
817 465 ----------------------
818 466
819 467 Apache subdirectory part:
820 468
821 469 .. code-block:: apache
822 470
823 471 <Location /PREFIX >
824 472 ProxyPass http://127.0.0.1:5000/PREFIX
825 473 ProxyPassReverse http://127.0.0.1:5000/PREFIX
826 474 SetEnvIf X-Url-Scheme https HTTPS=1
827 475 </Location>
828 476
829 477 Besides the regular apache setup you will need to add the following line
830 478 into ``[app:main]`` section of your .ini file::
831 479
832 480 filter-with = proxy-prefix
833 481
834 482 Add the following at the end of the .ini file::
835 483
836 484 [filter:proxy-prefix]
837 485 use = egg:PasteDeploy#prefix
838 486 prefix = /PREFIX
839 487
840 488 then change ``PREFIX`` into your chosen prefix
841 489
490 .. _apache_mod_wsgi:
491
842 492
843 493 Apache with mod_wsgi
844 494 --------------------
845 495
846 496 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
847 497 that, you'll need to:
848 498
849 499 - Install mod_wsgi. If using a Debian-based distro, you can install
850 500 the package libapache2-mod-wsgi::
851 501
852 502 aptitude install libapache2-mod-wsgi
853 503
854 504 - Enable mod_wsgi::
855 505
856 506 a2enmod wsgi
857 507
858 508 - Add global Apache configuration to tell mod_wsgi that Python only will be
859 509 used in the WSGI processes and shouldn't be initialized in the Apache
860 510 processes::
861 511
862 512 WSGIRestrictEmbedded On
863 513
864 514 - Create a wsgi dispatch script, like the one below. Make sure you
865 515 check that the paths correctly point to where you installed Kallithea
866 516 and its Python Virtual Environment.
867 517 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
868 518 as in the following example. Once again, check the paths are
869 519 correctly specified.
870 520
871 521 Here is a sample excerpt from an Apache Virtual Host configuration file:
872 522
873 523 .. code-block:: apache
874 524
875 525 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
876 526 python-home=/srv/kallithea/venv
877 527 WSGIProcessGroup kallithea
878 528 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
879 529 WSGIPassAuthorization On
880 530
881 531 Or if using a dispatcher WSGI script with proper virtualenv activation:
882 532
883 533 .. code-block:: apache
884 534
885 535 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
886 536 WSGIProcessGroup kallithea
887 537 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
888 538 WSGIPassAuthorization On
889 539
890 540 Apache will by default run as a special Apache user, on Linux systems
891 541 usually ``www-data`` or ``apache``. If you need to have the repositories
892 542 directory owned by a different user, use the user and group options to
893 543 WSGIDaemonProcess to set the name of the user and group.
894 544
895 545 Example WSGI dispatch script:
896 546
897 547 .. code-block:: python
898 548
899 549 import os
900 550 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
901 551
902 552 # sometimes it's needed to set the current dir
903 553 os.chdir('/srv/kallithea/')
904 554
905 555 import site
906 556 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
907 557
908 558 ini = '/srv/kallithea/my.ini'
909 559 from paste.script.util.logging_config import fileConfig
910 560 fileConfig(ini)
911 561 from paste.deploy import loadapp
912 562 application = loadapp('config:' + ini)
913 563
914 564 Or using proper virtualenv activation:
915 565
916 566 .. code-block:: python
917 567
918 568 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
919 569 execfile(activate_this, dict(__file__=activate_this))
920 570
921 571 import os
922 572 os.environ['HOME'] = '/srv/kallithea'
923 573
924 574 ini = '/srv/kallithea/kallithea.ini'
925 575 from paste.script.util.logging_config import fileConfig
926 576 fileConfig(ini)
927 577 from paste.deploy import loadapp
928 578 application = loadapp('config:' + ini)
929 579
930 580
931 581 Other configuration files
932 582 -------------------------
933 583
934 584 A number of `example init.d scripts`__ can be found in
935 585 the ``init.d`` directory of the Kallithea source.
936 586
937 587 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
938 588
939 589
940 590 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
941 591 .. _python: http://www.python.org/
942 592 .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
943 593 .. _Mercurial: https://www.mercurial-scm.org/
944 594 .. _Celery: http://celeryproject.org/
945 595 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946 596 .. _RabbitMQ: http://www.rabbitmq.com/
947 597 .. _Redis: http://redis.io/
948 .. _python-ldap: http://www.python-ldap.org/
949 598 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
950 599 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
General Comments 0
You need to be logged in to leave comments. Login now