##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

docs: move authentication info to separate file...
Thomas De Schampheleire -
r7262:2898ea3f default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
This diff has been collapsed as it changes many lines, (604 lines changed) Show them Hide them
@@ -1,950 +1,368 b''
1 .. _setup:
1 .. _authentication:
2
2 Authentication setup
3 =====
3 ====================
4 Setup
5 =====
6
7
8 Preparing front-end
9 -------------------
10
11 Temporarily, in the current Kallithea version, some extra steps are required to
12 build front-end files:
13
14 Find the right ``kallithea/public/less`` path with::
15
16 python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
17
18 Then run::
19
20 npm install
21 npm run less
22
23
24 Setting up Kallithea
25 --------------------
26
27 First, you will need to create a Kallithea configuration file. Run the
28 following command to do so::
29
30 gearbox make-config my.ini
31
32 This will create the file ``my.ini`` in the current directory. This
33 configuration file contains the various settings for Kallithea, e.g.
34 proxy port, email settings, usage of static files, cache, Celery
35 settings, and logging. Extra settings can be specified like::
36
37 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
38
39 Next, you need to create the databases used by Kallithea. It is recommended to
40 use PostgreSQL or SQLite (default). If you choose a database other than the
41 default, ensure you properly adjust the database URL in your ``my.ini``
42 configuration file to use this other database. Kallithea currently supports
43 PostgreSQL, SQLite and MySQL databases. Create the database by running
44 the following command::
45
46 gearbox setup-db -c my.ini
47
48 This will prompt you for a "root" path. This "root" path is the location where
49 Kallithea will store all of its repositories on the current machine. After
50 entering this "root" path ``setup-db`` will also prompt you for a username
51 and password for the initial admin account which ``setup-db`` sets
52 up for you.
53
54 The ``setup-db`` values can also be given on the command line.
55 Example::
56
57 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
58
59 The ``setup-db`` command will create all needed tables and an
60 admin account. When choosing a root path you can either use a new
61 empty location, or a location which already contains existing
62 repositories. If you choose a location which contains existing
63 repositories Kallithea will add all of the repositories at the chosen
64 location to its database. (Note: make sure you specify the correct
65 path to the root).
66
67 .. note:: the given path for Mercurial_ repositories **must** be write
68 accessible for the application. It's very important since
69 the Kallithea web interface will work without write access,
70 but when trying to do a push it will fail with permission
71 denied errors unless it has write access.
72
73 You are now ready to use Kallithea. To run it simply execute::
74
75 gearbox serve -c my.ini
76
77 - This command runs the Kallithea server. The web app should be available at
78 http://127.0.0.1:5000. The IP address and port is configurable via the
79 configuration file created in the previous step.
80 - Log in to Kallithea using the admin account created when running ``setup-db``.
81 - The default permissions on each repository is read, and the owner is admin.
82 Remember to update these if needed.
83 - In the admin panel you can toggle LDAP, anonymous, and permissions
84 settings, as well as edit more advanced options on users and
85 repositories.
86
4
87
5 Users can be authenticated in different ways. By default, Kallithea
88 Internationalization (i18n support)
6 uses its internal user database. Alternative authentication
89 -----------------------------------
7 methods include LDAP, PAM, Crowd, and container-based authentication.
90
91 The Kallithea web interface is automatically displayed in the user's preferred
92 language, as indicated by the browser. Thus, different users may see the
93 application in different languages. If the requested language is not available
94 (because the translation file for that language does not yet exist or is
95 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
96 configuration file is used as fallback. If no fallback language is explicitly
97 specified, English is used.
98
99 If you want to disable automatic language detection and instead configure a
100 fixed language regardless of user preference, set ``i18n.enabled = false`` and
101 set ``i18n.lang`` to the desired language (or leave empty for English).
102
103
104 Using Kallithea with SSH
105 ------------------------
106
107 Kallithea currently only hosts repositories using http and https. (The addition
108 of ssh hosting is a planned future feature.) However you can easily use ssh in
109 parallel with Kallithea. (Repository access via ssh is a standard "out of
110 the box" feature of Mercurial_ and you can use this to access any of the
111 repositories that Kallithea is hosting. See PublishingRepositories_)
112
113 Kallithea repository structures are kept in directories with the same name
114 as the project. When using repository groups, each group is a subdirectory.
115 This allows you to easily use ssh for accessing repositories.
116
117 In order to use ssh you need to make sure that your web server and the users'
118 login accounts have the correct permissions set on the appropriate directories.
119
120 .. note:: These permissions are independent of any permissions you
121 have set up using the Kallithea web interface.
122
123 If your main directory (the same as set in Kallithea settings) is for
124 example set to ``/srv/repos`` and the repository you are using is
125 named ``kallithea``, then to clone via ssh you should run::
126
127 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
128
129 Using other external tools such as mercurial-server_ or using ssh key-based
130 authentication is fully supported.
131
132 .. note:: In an advanced setup, in order for your ssh access to use
133 the same permissions as set up via the Kallithea web
134 interface, you can create an authentication hook to connect
135 to the Kallithea db and run check functions for permissions
136 against that.
137
138
139 Setting up Whoosh full text search
140 ----------------------------------
141
142 Kallithea provides full text search of repositories using `Whoosh`__.
143
144 .. __: https://whoosh.readthedocs.io/en/latest/
145
146 For an incremental index build, run::
147
148 gearbox make-index -c my.ini
149
150 For a full index rebuild, run::
151
152 gearbox make-index -c my.ini -f
153
154 The ``--repo-location`` option allows the location of the repositories to be overridden;
155 usually, the location is retrieved from the Kallithea database.
156
157 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
158
159 gearbox make-index -c my.ini --index-only=vcs,kallithea
160
161 To keep your index up-to-date it is necessary to do periodic index builds;
162 for this, it is recommended to use a crontab entry. Example::
163
164 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
165
166 When using incremental mode (the default), Whoosh will check the last
167 modification date of each file and add it to be reindexed if a newer file is
168 available. The indexing daemon checks for any removed files and removes them
169 from index.
170
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172 or in the admin panel you can check the "build from scratch" checkbox.
173
8
174 .. _ldap-setup:
9 .. _ldap-setup:
175
10
176
11
177 Setting up LDAP support
12 LDAP Authentication
178 -----------------------
13 -------------------
179
14
180 Kallithea supports LDAP authentication. In order
15 Kallithea supports LDAP authentication. In order
181 to use LDAP, you have to install the python-ldap_ package. This package is
16 to use LDAP, you have to install the python-ldap_ package. This package is
182 available via PyPI, so you can install it by running::
17 available via PyPI, so you can install it by running::
183
18
184 pip install python-ldap
19 pip install python-ldap
185
20
186 .. note:: ``python-ldap`` requires some libraries to be installed on
21 .. note:: ``python-ldap`` requires some libraries to be installed on
187 your system, so before installing it check that you have at
22 your system, so before installing it check that you have at
188 least the ``openldap`` and ``sasl`` libraries.
23 least the ``openldap`` and ``sasl`` libraries.
189
24
190 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
25 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
191 and then *Save*, to enable the LDAP plugin and configure its settings.
26 and then *Save*, to enable the LDAP plugin and configure its settings.
192
27
193 Here's a typical LDAP setup::
28 Here's a typical LDAP setup::
194
29
195 Connection settings
30 Connection settings
196 Enable LDAP = checked
31 Enable LDAP = checked
197 Host = host.example.com
32 Host = host.example.com
198 Account = <account>
33 Account = <account>
199 Password = <password>
34 Password = <password>
200 Connection Security = LDAPS
35 Connection Security = LDAPS
201 Certificate Checks = DEMAND
36 Certificate Checks = DEMAND
202
37
203 Search settings
38 Search settings
204 Base DN = CN=users,DC=host,DC=example,DC=org
39 Base DN = CN=users,DC=host,DC=example,DC=org
205 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
40 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
206 LDAP Search Scope = SUBTREE
41 LDAP Search Scope = SUBTREE
207
42
208 Attribute mappings
43 Attribute mappings
209 Login Attribute = uid
44 Login Attribute = uid
210 First Name Attribute = firstName
45 First Name Attribute = firstName
211 Last Name Attribute = lastName
46 Last Name Attribute = lastName
212 Email Attribute = mail
47 Email Attribute = mail
213
48
214 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
49 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
215
50
216 Search settings
51 Search settings
217 Base DN = DC=host,DC=example,DC=org
52 Base DN = DC=host,DC=example,DC=org
218 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
53 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
219 LDAP Search Scope = SUBTREE
54 LDAP Search Scope = SUBTREE
220
55
221 .. _enable_ldap:
56 .. _enable_ldap:
222
57
223 Enable LDAP : required
58 Enable LDAP : required
224 Whether to use LDAP for authenticating users.
59 Whether to use LDAP for authenticating users.
225
60
226 .. _ldap_host:
61 .. _ldap_host:
227
62
228 Host : required
63 Host : required
229 LDAP server hostname or IP address. Can be also a comma separated
64 LDAP server hostname or IP address. Can be also a comma separated
230 list of servers to support LDAP fail-over.
65 list of servers to support LDAP fail-over.
231
66
232 .. _Port:
67 .. _Port:
233
68
234 Port : optional
69 Port : optional
235 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
70 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
236 Defaults to 636 for LDAPS.
71 Defaults to 636 for LDAPS.
237
72
238 .. _ldap_account:
73 .. _ldap_account:
239
74
240 Account : optional
75 Account : optional
241 Only required if the LDAP server does not allow anonymous browsing of
76 Only required if the LDAP server does not allow anonymous browsing of
242 records. This should be a special account for record browsing. This
77 records. This should be a special account for record browsing. This
243 will require `LDAP Password`_ below.
78 will require `LDAP Password`_ below.
244
79
245 .. _LDAP Password:
80 .. _LDAP Password:
246
81
247 Password : optional
82 Password : optional
248 Only required if the LDAP server does not allow anonymous browsing of
83 Only required if the LDAP server does not allow anonymous browsing of
249 records.
84 records.
250
85
251 .. _Enable LDAPS:
86 .. _Enable LDAPS:
252
87
253 Connection Security : required
88 Connection Security : required
254 Defines the connection to LDAP server
89 Defines the connection to LDAP server
255
90
256 PLAIN
91 PLAIN
257 Plain unencrypted LDAP connection.
92 Plain unencrypted LDAP connection.
258 This will by default use `Port`_ 389.
93 This will by default use `Port`_ 389.
259
94
260 LDAPS
95 LDAPS
261 Use secure LDAPS connections according to `Certificate
96 Use secure LDAPS connections according to `Certificate
262 Checks`_ configuration.
97 Checks`_ configuration.
263 This will by default use `Port`_ 636.
98 This will by default use `Port`_ 636.
264
99
265 START_TLS
100 START_TLS
266 Use START TLS according to `Certificate Checks`_ configuration on an
101 Use START TLS according to `Certificate Checks`_ configuration on an
267 apparently "plain" LDAP connection.
102 apparently "plain" LDAP connection.
268 This will by default use `Port`_ 389.
103 This will by default use `Port`_ 389.
269
104
270 .. _Certificate Checks:
105 .. _Certificate Checks:
271
106
272 Certificate Checks : optional
107 Certificate Checks : optional
273 How SSL certificates verification is handled -- this is only useful when
108 How SSL certificates verification is handled -- this is only useful when
274 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
109 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
275 with mandatory certificate validation, while the other options are
110 with mandatory certificate validation, while the other options are
276 susceptible to man-in-the-middle attacks.
111 susceptible to man-in-the-middle attacks.
277
112
278 NEVER
113 NEVER
279 A serve certificate will never be requested or checked.
114 A serve certificate will never be requested or checked.
280
115
281 ALLOW
116 ALLOW
282 A server certificate is requested. Failure to provide a
117 A server certificate is requested. Failure to provide a
283 certificate or providing a bad certificate will not terminate the
118 certificate or providing a bad certificate will not terminate the
284 session.
119 session.
285
120
286 TRY
121 TRY
287 A server certificate is requested. Failure to provide a
122 A server certificate is requested. Failure to provide a
288 certificate does not halt the session; providing a bad certificate
123 certificate does not halt the session; providing a bad certificate
289 halts the session.
124 halts the session.
290
125
291 DEMAND
126 DEMAND
292 A server certificate is requested and must be provided and
127 A server certificate is requested and must be provided and
293 authenticated for the session to proceed.
128 authenticated for the session to proceed.
294
129
295 HARD
130 HARD
296 The same as DEMAND.
131 The same as DEMAND.
297
132
298 .. _Custom CA Certificates:
133 .. _Custom CA Certificates:
299
134
300 Custom CA Certificates : optional
135 Custom CA Certificates : optional
301 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
136 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
302 Python 2.7.10 and later default to using the system certificate store, and
137 Python 2.7.10 and later default to using the system certificate store, and
303 this should thus not be necessary when using certificates signed by a CA
138 this should thus not be necessary when using certificates signed by a CA
304 trusted by the system.
139 trusted by the system.
305 It can be set to something like `/etc/openldap/cacerts` on older systems or
140 It can be set to something like `/etc/openldap/cacerts` on older systems or
306 if using self-signed certificates.
141 if using self-signed certificates.
307
142
308 .. _Base DN:
143 .. _Base DN:
309
144
310 Base DN : required
145 Base DN : required
311 The Distinguished Name (DN) where searches for users will be performed.
146 The Distinguished Name (DN) where searches for users will be performed.
312 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
147 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
313
148
314 .. _LDAP Filter:
149 .. _LDAP Filter:
315
150
316 LDAP Filter : optional
151 LDAP Filter : optional
317 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
152 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
318 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
153 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
319 which LDAP objects are identified as representing Users for
154 which LDAP objects are identified as representing Users for
320 authentication. The filter is augmented by `Login Attribute`_ below.
155 authentication. The filter is augmented by `Login Attribute`_ below.
321 This can commonly be left blank.
156 This can commonly be left blank.
322
157
323 .. _LDAP Search Scope:
158 .. _LDAP Search Scope:
324
159
325 LDAP Search Scope : required
160 LDAP Search Scope : required
326 This limits how far LDAP will search for a matching object.
161 This limits how far LDAP will search for a matching object.
327
162
328 BASE
163 BASE
329 Only allows searching of `Base DN`_ and is usually not what you
164 Only allows searching of `Base DN`_ and is usually not what you
330 want.
165 want.
331
166
332 ONELEVEL
167 ONELEVEL
333 Searches all entries under `Base DN`_, but not Base DN itself.
168 Searches all entries under `Base DN`_, but not Base DN itself.
334
169
335 SUBTREE
170 SUBTREE
336 Searches all entries below `Base DN`_, but not Base DN itself.
171 Searches all entries below `Base DN`_, but not Base DN itself.
337 When using SUBTREE `LDAP Filter`_ is useful to limit object
172 When using SUBTREE `LDAP Filter`_ is useful to limit object
338 location.
173 location.
339
174
340 .. _Login Attribute:
175 .. _Login Attribute:
341
176
342 Login Attribute : required
177 Login Attribute : required
343 The LDAP record attribute that will be matched as the USERNAME or
178 The LDAP record attribute that will be matched as the USERNAME or
344 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
179 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
345 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
180 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
346 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
181 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
347 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
182 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
348 ::
183 ::
349
184
350 (&(LDAPFILTER)(uid=jsmith))
185 (&(LDAPFILTER)(uid=jsmith))
351
186
352 .. _ldap_attr_firstname:
187 .. _ldap_attr_firstname:
353
188
354 First Name Attribute : required
189 First Name Attribute : required
355 The LDAP record attribute which represents the user's first name.
190 The LDAP record attribute which represents the user's first name.
356
191
357 .. _ldap_attr_lastname:
192 .. _ldap_attr_lastname:
358
193
359 Last Name Attribute : required
194 Last Name Attribute : required
360 The LDAP record attribute which represents the user's last name.
195 The LDAP record attribute which represents the user's last name.
361
196
362 .. _ldap_attr_email:
197 .. _ldap_attr_email:
363
198
364 Email Attribute : required
199 Email Attribute : required
365 The LDAP record attribute which represents the user's email address.
200 The LDAP record attribute which represents the user's email address.
366
201
367 If all data are entered correctly, and python-ldap_ is properly installed
202 If all data are entered correctly, and python-ldap_ is properly installed
368 users should be granted access to Kallithea with LDAP accounts. At this
203 users should be granted access to Kallithea with LDAP accounts. At this
369 time user information is copied from LDAP into the Kallithea user database.
204 time user information is copied from LDAP into the Kallithea user database.
370 This means that updates of an LDAP user object may not be reflected as a
205 This means that updates of an LDAP user object may not be reflected as a
371 user update in Kallithea.
206 user update in Kallithea.
372
207
373 If You have problems with LDAP access and believe You entered correct
208 If You have problems with LDAP access and believe You entered correct
374 information check out the Kallithea logs, any error messages sent from LDAP
209 information check out the Kallithea logs, any error messages sent from LDAP
375 will be saved there.
210 will be saved there.
376
211
377 Active Directory
212 Active Directory
378 ^^^^^^^^^^^^^^^^
213 ^^^^^^^^^^^^^^^^
379
214
380 Kallithea can use Microsoft Active Directory for user authentication. This
215 Kallithea can use Microsoft Active Directory for user authentication. This
381 is done through an LDAP or LDAPS connection to Active Directory. The
216 is done through an LDAP or LDAPS connection to Active Directory. The
382 following LDAP configuration settings are typical for using Active
217 following LDAP configuration settings are typical for using Active
383 Directory ::
218 Directory ::
384
219
385 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
220 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
386 Login Attribute = sAMAccountName
221 Login Attribute = sAMAccountName
387 First Name Attribute = givenName
222 First Name Attribute = givenName
388 Last Name Attribute = sn
223 Last Name Attribute = sn
389 Email Attribute = mail
224 Email Attribute = mail
390
225
391 All other LDAP settings will likely be site-specific and should be
226 All other LDAP settings will likely be site-specific and should be
392 appropriately configured.
227 appropriately configured.
393
228
394
229
395 Authentication by container or reverse-proxy
230 Authentication by container or reverse-proxy
396 --------------------------------------------
231 --------------------------------------------
397
232
398 Kallithea supports delegating the authentication
233 Kallithea supports delegating the authentication
399 of users to its WSGI container, or to a reverse-proxy server through which all
234 of users to its WSGI container, or to a reverse-proxy server through which all
400 clients access the application.
235 clients access the application.
401
236
402 When these authentication methods are enabled in Kallithea, it uses the
237 When these authentication methods are enabled in Kallithea, it uses the
403 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
238 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
404 perform the authentication itself. The authorization, however, is still done by
239 perform the authentication itself. The authorization, however, is still done by
405 Kallithea according to its settings.
240 Kallithea according to its settings.
406
241
407 When a user logs in for the first time using these authentication methods,
242 When a user logs in for the first time using these authentication methods,
408 a matching user account is created in Kallithea with default permissions. An
243 a matching user account is created in Kallithea with default permissions. An
409 administrator can then modify it using Kallithea's admin interface.
244 administrator can then modify it using Kallithea's admin interface.
410
245
411 It's also possible for an administrator to create accounts and configure their
246 It's also possible for an administrator to create accounts and configure their
412 permissions before the user logs in for the first time, using the :ref:`create-user` API.
247 permissions before the user logs in for the first time, using the :ref:`create-user` API.
413
248
414 Container-based authentication
249 Container-based authentication
415 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
250 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
416
251
417 In a container-based authentication setup, Kallithea reads the user name from
252 In a container-based authentication setup, Kallithea reads the user name from
418 the ``REMOTE_USER`` server variable provided by the WSGI container.
253 the ``REMOTE_USER`` server variable provided by the WSGI container.
419
254
420 After setting up your container (see `Apache with mod_wsgi`_), you'll need
255 After setting up your container (see :ref:`apache_mod_wsgi`), you'll need
421 to configure it to require authentication on the location configured for
256 to configure it to require authentication on the location configured for
422 Kallithea.
257 Kallithea.
423
258
424 Proxy pass-through authentication
259 Proxy pass-through authentication
425 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
260 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
426
261
427 In a proxy pass-through authentication setup, Kallithea reads the user name
262 In a proxy pass-through authentication setup, Kallithea reads the user name
428 from the ``X-Forwarded-User`` request header, which should be configured to be
263 from the ``X-Forwarded-User`` request header, which should be configured to be
429 sent by the reverse-proxy server.
264 sent by the reverse-proxy server.
430
265
431 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
266 After setting up your proxy solution (see :ref:`apache_virtual_host_reverse_proxy`,
432 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
267 :ref:`apache_subdirectory` or :ref:`nginx_virtual_host`), you'll need to
433 configure the authentication and add the username in a request header named
268 configure the authentication and add the username in a request header named
434 ``X-Forwarded-User``.
269 ``X-Forwarded-User``.
435
270
436 For example, the following config section for Apache sets a subdirectory in a
271 For example, the following config section for Apache sets a subdirectory in a
437 reverse-proxy setup with basic auth:
272 reverse-proxy setup with basic auth:
438
273
439 .. code-block:: apache
274 .. code-block:: apache
440
275
441 <Location /someprefix>
276 <Location /someprefix>
442 ProxyPass http://127.0.0.1:5000/someprefix
277 ProxyPass http://127.0.0.1:5000/someprefix
443 ProxyPassReverse http://127.0.0.1:5000/someprefix
278 ProxyPassReverse http://127.0.0.1:5000/someprefix
444 SetEnvIf X-Url-Scheme https HTTPS=1
279 SetEnvIf X-Url-Scheme https HTTPS=1
445
280
446 AuthType Basic
281 AuthType Basic
447 AuthName "Kallithea authentication"
282 AuthName "Kallithea authentication"
448 AuthUserFile /srv/kallithea/.htpasswd
283 AuthUserFile /srv/kallithea/.htpasswd
449 Require valid-user
284 Require valid-user
450
285
451 RequestHeader unset X-Forwarded-User
286 RequestHeader unset X-Forwarded-User
452
287
453 RewriteEngine On
288 RewriteEngine On
454 RewriteCond %{LA-U:REMOTE_USER} (.+)
289 RewriteCond %{LA-U:REMOTE_USER} (.+)
455 RewriteRule .* - [E=RU:%1]
290 RewriteRule .* - [E=RU:%1]
456 RequestHeader set X-Forwarded-User %{RU}e
291 RequestHeader set X-Forwarded-User %{RU}e
457 </Location>
292 </Location>
458
293
459 Setting metadata in container/reverse-proxy
294 Setting metadata in container/reverse-proxy
460 """""""""""""""""""""""""""""""""""""""""""
295 """""""""""""""""""""""""""""""""""""""""""
461 When a new user account is created on the first login, Kallithea has no information about
296 When a new user account is created on the first login, Kallithea has no information about
462 the user's email and full name. So you can set some additional request headers like in the
297 the user's email and full name. So you can set some additional request headers like in the
463 example below. In this example the user is authenticated via Kerberos and an Apache
298 example below. In this example the user is authenticated via Kerberos and an Apache
464 mod_python fixup handler is used to get the user information from a LDAP server. But you
299 mod_python fixup handler is used to get the user information from a LDAP server. But you
465 could set the request headers however you want.
300 could set the request headers however you want.
466
301
467 .. code-block:: apache
302 .. code-block:: apache
468
303
469 <Location /someprefix>
304 <Location /someprefix>
470 ProxyPass http://127.0.0.1:5000/someprefix
305 ProxyPass http://127.0.0.1:5000/someprefix
471 ProxyPassReverse http://127.0.0.1:5000/someprefix
306 ProxyPassReverse http://127.0.0.1:5000/someprefix
472 SetEnvIf X-Url-Scheme https HTTPS=1
307 SetEnvIf X-Url-Scheme https HTTPS=1
473
308
474 AuthName "Kerberos Login"
309 AuthName "Kerberos Login"
475 AuthType Kerberos
310 AuthType Kerberos
476 Krb5Keytab /etc/apache2/http.keytab
311 Krb5Keytab /etc/apache2/http.keytab
477 KrbMethodK5Passwd off
312 KrbMethodK5Passwd off
478 KrbVerifyKDC on
313 KrbVerifyKDC on
479 Require valid-user
314 Require valid-user
480
315
481 PythonFixupHandler ldapmetadata
316 PythonFixupHandler ldapmetadata
482
317
483 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
318 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
484 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
319 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
485 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
320 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
486 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
321 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
487 </Location>
322 </Location>
488
323
489 .. code-block:: python
324 .. code-block:: python
490
325
491 from mod_python import apache
326 from mod_python import apache
492 import ldap
327 import ldap
493
328
494 LDAP_SERVER = "ldaps://server.mydomain.com:636"
329 LDAP_SERVER = "ldaps://server.mydomain.com:636"
495 LDAP_USER = ""
330 LDAP_USER = ""
496 LDAP_PASS = ""
331 LDAP_PASS = ""
497 LDAP_ROOT = "dc=mydomain,dc=com"
332 LDAP_ROOT = "dc=mydomain,dc=com"
498 LDAP_FILTER = "sAMAccountName=%s"
333 LDAP_FILTER = "sAMAccountName=%s"
499 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
334 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
500
335
501 def fixuphandler(req):
336 def fixuphandler(req):
502 if req.user is None:
337 if req.user is None:
503 # no user to search for
338 # no user to search for
504 return apache.OK
339 return apache.OK
505 else:
340 else:
506 try:
341 try:
507 if('\\' in req.user):
342 if('\\' in req.user):
508 username = req.user.split('\\')[1]
343 username = req.user.split('\\')[1]
509 elif('@' in req.user):
344 elif('@' in req.user):
510 username = req.user.split('@')[0]
345 username = req.user.split('@')[0]
511 else:
346 else:
512 username = req.user
347 username = req.user
513 l = ldap.initialize(LDAP_SERVER)
348 l = ldap.initialize(LDAP_SERVER)
514 l.simple_bind_s(LDAP_USER, LDAP_PASS)
349 l.simple_bind_s(LDAP_USER, LDAP_PASS)
515 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
350 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
516
351
517 req.subprocess_env['X_REMOTE_USER'] = username
352 req.subprocess_env['X_REMOTE_USER'] = username
518 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
353 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
519 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
354 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
520 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
355 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
521 except Exception, e:
356 except Exception, e:
522 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
357 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
523
358
524 return apache.OK
359 return apache.OK
525
360
526 .. note::
361 .. note::
527 If you enable proxy pass-through authentication, make sure your server is
362 If you enable proxy pass-through authentication, make sure your server is
528 only accessible through the proxy. Otherwise, any client would be able to
363 only accessible through the proxy. Otherwise, any client would be able to
529 forge the authentication header and could effectively become authenticated
364 forge the authentication header and could effectively become authenticated
530 using any account of their liking.
365 using any account of their liking.
531
366
532
367
533 Integration with issue trackers
534 -------------------------------
535
536 Kallithea provides a simple integration with issue trackers. It's possible
537 to define a regular expression that will match an issue ID in commit messages,
538 and have that replaced with a URL to the issue.
539
540 This is achieved with following three variables in the ini file::
541
542 issue_pat = #(\d+)
543 issue_server_link = https://issues.example.com/{repo}/issue/\1
544 issue_sub =
545
546 ``issue_pat`` is the regular expression describing which strings in
547 commit messages will be treated as issue references. The expression can/should
548 have one or more parenthesized groups that can later be referred to in
549 ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
550 can be used instead of simple parenthesized groups.
551
552 If the pattern should only match if it is preceded by whitespace, add the
553 following string before the actual pattern: ``(?:^|(?<=\s))``.
554 If the pattern should only match if it is followed by whitespace, add the
555 following string after the actual pattern: ``(?:$|(?=\s))``.
556 These expressions use lookbehind and lookahead assertions of the Python regular
557 expression module to avoid the whitespace to be part of the actual pattern,
558 otherwise the link text will also contain that whitespace.
559
560 Matched issue references are replaced with the link specified in
561 ``issue_server_link``, in which any backreferences are resolved. Backreferences
562 can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
563 The special token ``{repo}`` is replaced with the full repository path
564 (including repository groups), while token ``{repo_name}`` is replaced with the
565 repository name (without repository groups).
566
567 The link text is determined by ``issue_sub``, which can be a string containing
568 backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
569 empty, then the text matched by ``issue_pat`` is used verbatim.
570
571 The example settings shown above match issues in the format ``#<number>``.
572 This will cause the text ``#300`` to be transformed into a link:
573
574 .. code-block:: html
575
576 <a href="https://issues.example.com/example_repo/issue/300">#300</a>
577
578 The following example transforms a text starting with either of 'pullrequest',
579 'pull request' or 'PR', followed by an optional space, then a pound character
580 (#) and one or more digits, into a link with the text 'PR #' followed by the
581 digits::
582
583 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
584 issue_server_link = https://issues.example.com/\2
585 issue_sub = PR #\2
586
587 The following example demonstrates how to require whitespace before the issue
588 reference in order for it to be recognized, such that the text ``issue#123`` will
589 not cause a match, but ``issue #123`` will::
590
591 issue_pat = (?:^|(?<=\s))#(\d+)
592 issue_server_link = https://issues.example.com/\1
593 issue_sub =
594
595 If needed, more than one pattern can be specified by appending a unique suffix to
596 the variables. For example, also demonstrating the use of named groups::
597
598 issue_pat_wiki = wiki-(?P<pagename>\S+)
599 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
600 issue_sub_wiki = WIKI-\g<pagename>
601
602 With these settings, wiki pages can be referenced as wiki-some-id, and every
603 such reference will be transformed into:
604
605 .. code-block:: html
606
607 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
608
609 Refer to the `Python regular expression documentation`_ for more details about
610 the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
611
612
613 Hook management
614 ---------------
615
616 Hooks can be managed in similar way to that used in ``.hgrc`` files.
617 To manage hooks, choose *Admin > Settings > Hooks*.
618
619 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
620
621 To add another custom hook simply fill in the first textbox with
622 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
623 can be found in ``kallithea.lib.hooks``.
624
625
626 Changing default encoding
627 -------------------------
628
629 By default, Kallithea uses UTF-8 encoding.
630 This is configurable as ``default_encoding`` in the .ini file.
631 This affects many parts in Kallithea including user names, filenames, and
632 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
633 library is installed. If ``chardet`` is detected Kallithea will fallback to it
634 when there are encode/decode errors.
635
636 The Mercurial encoding is configurable as ``hgencoding``. It is similar to
637 setting the ``HGENCODING`` environment variable, but will override it.
638
639
640 Celery configuration
641 --------------------
642
643 Kallithea can use the distributed task queue system Celery_ to run tasks like
644 cloning repositories or sending emails.
645
646 Kallithea will in most setups work perfectly fine out of the box (without
647 Celery), executing all tasks in the web server process. Some tasks can however
648 take some time to run and it can be better to run such tasks asynchronously in
649 a separate process so the web server can focus on serving web requests.
650
651 For installation and configuration of Celery, see the `Celery documentation`_.
652 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
653 or Redis_.
654
655 The use of Celery is configured in the Kallithea ini configuration file.
656 To enable it, simply set::
657
658 use_celery = true
659
660 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
661
662 Remember that the ini files use the format with '.' and not with '_' like
663 Celery. So for example setting `BROKER_HOST` in Celery means setting
664 `broker.host` in the configuration file.
665
666 To start the Celery process, run::
667
668 gearbox celeryd -c <configfile.ini>
669
670 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
671 for more info.
672
673 .. note::
674 Make sure you run this command from the same virtualenv, and with the same
675 user that Kallithea runs.
676
677
678 HTTPS support
679 -------------
680
681 Kallithea will by default generate URLs based on the WSGI environment.
682
683 Alternatively, you can use some special configuration settings to control
684 directly which scheme/protocol Kallithea will use when generating URLs:
685
686 - With ``https_fixup = true``, the scheme will be taken from the
687 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
688 (default ``http``).
689 - With ``force_https = true`` the default will be ``https``.
690 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691
692
693 Nginx virtual host example
694 --------------------------
695
696 Sample config for Nginx using proxy:
697
698 .. code-block:: nginx
699
700 upstream kallithea {
701 server 127.0.0.1:5000;
702 # add more instances for load balancing
703 #server 127.0.0.1:5001;
704 #server 127.0.0.1:5002;
705 }
706
707 ## gist alias
708 server {
709 listen 443;
710 server_name gist.example.com;
711 access_log /var/log/nginx/gist.access.log;
712 error_log /var/log/nginx/gist.error.log;
713
714 ssl on;
715 ssl_certificate gist.your.kallithea.server.crt;
716 ssl_certificate_key gist.your.kallithea.server.key;
717
718 ssl_session_timeout 5m;
719
720 ssl_protocols SSLv3 TLSv1;
721 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
722 ssl_prefer_server_ciphers on;
723
724 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
725 rewrite (.*) https://kallithea.example.com/_admin/gists;
726 }
727
728 server {
729 listen 443;
730 server_name kallithea.example.com
731 access_log /var/log/nginx/kallithea.access.log;
732 error_log /var/log/nginx/kallithea.error.log;
733
734 ssl on;
735 ssl_certificate your.kallithea.server.crt;
736 ssl_certificate_key your.kallithea.server.key;
737
738 ssl_session_timeout 5m;
739
740 ssl_protocols SSLv3 TLSv1;
741 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
742 ssl_prefer_server_ciphers on;
743
744 ## uncomment root directive if you want to serve static files by nginx
745 ## requires static_files = false in .ini file
746 #root /srv/kallithea/kallithea/kallithea/public;
747 include /etc/nginx/proxy.conf;
748 location / {
749 try_files $uri @kallithea;
750 }
751
752 location @kallithea {
753 proxy_pass http://127.0.0.1:5000;
754 }
755
756 }
757
758 Here's the proxy.conf. It's tuned so it will not timeout on long
759 pushes or large pushes::
760
761 proxy_redirect off;
762 proxy_set_header Host $host;
763 ## needed for container auth
764 #proxy_set_header REMOTE_USER $remote_user;
765 #proxy_set_header X-Forwarded-User $remote_user;
766 proxy_set_header X-Url-Scheme $scheme;
767 proxy_set_header X-Host $http_host;
768 proxy_set_header X-Real-IP $remote_addr;
769 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
770 proxy_set_header Proxy-host $proxy_host;
771 proxy_buffering off;
772 proxy_connect_timeout 7200;
773 proxy_send_timeout 7200;
774 proxy_read_timeout 7200;
775 proxy_buffers 8 32k;
776 client_max_body_size 1024m;
777 client_body_buffer_size 128k;
778 large_client_header_buffers 8 64k;
779
780
781 Apache virtual host reverse proxy example
782 -----------------------------------------
783
784 Here is a sample configuration file for Apache using proxy:
785
786 .. code-block:: apache
787
788 <VirtualHost *:80>
789 ServerName kallithea.example.com
790
791 <Proxy *>
792 # For Apache 2.4 and later:
793 Require all granted
794
795 # For Apache 2.2 and earlier, instead use:
796 # Order allow,deny
797 # Allow from all
798 </Proxy>
799
800 #important !
801 #Directive to properly generate url (clone url) for Kallithea
802 ProxyPreserveHost On
803
804 #kallithea instance
805 ProxyPass / http://127.0.0.1:5000/
806 ProxyPassReverse / http://127.0.0.1:5000/
807
808 #to enable https use line below
809 #SetEnvIf X-Url-Scheme https HTTPS=1
810 </VirtualHost>
811
812 Additional tutorial
813 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814
815
816 Apache as subdirectory
817 ----------------------
818
819 Apache subdirectory part:
820
821 .. code-block:: apache
822
823 <Location /PREFIX >
824 ProxyPass http://127.0.0.1:5000/PREFIX
825 ProxyPassReverse http://127.0.0.1:5000/PREFIX
826 SetEnvIf X-Url-Scheme https HTTPS=1
827 </Location>
828
829 Besides the regular apache setup you will need to add the following line
830 into ``[app:main]`` section of your .ini file::
831
832 filter-with = proxy-prefix
833
834 Add the following at the end of the .ini file::
835
836 [filter:proxy-prefix]
837 use = egg:PasteDeploy#prefix
838 prefix = /PREFIX
839
840 then change ``PREFIX`` into your chosen prefix
841
842
843 Apache with mod_wsgi
844 --------------------
845
846 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
847 that, you'll need to:
848
849 - Install mod_wsgi. If using a Debian-based distro, you can install
850 the package libapache2-mod-wsgi::
851
852 aptitude install libapache2-mod-wsgi
853
854 - Enable mod_wsgi::
855
856 a2enmod wsgi
857
858 - Add global Apache configuration to tell mod_wsgi that Python only will be
859 used in the WSGI processes and shouldn't be initialized in the Apache
860 processes::
861
862 WSGIRestrictEmbedded On
863
864 - Create a wsgi dispatch script, like the one below. Make sure you
865 check that the paths correctly point to where you installed Kallithea
866 and its Python Virtual Environment.
867 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
868 as in the following example. Once again, check the paths are
869 correctly specified.
870
871 Here is a sample excerpt from an Apache Virtual Host configuration file:
872
873 .. code-block:: apache
874
875 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
876 python-home=/srv/kallithea/venv
877 WSGIProcessGroup kallithea
878 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
879 WSGIPassAuthorization On
880
881 Or if using a dispatcher WSGI script with proper virtualenv activation:
882
883 .. code-block:: apache
884
885 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
886 WSGIProcessGroup kallithea
887 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
888 WSGIPassAuthorization On
889
890 Apache will by default run as a special Apache user, on Linux systems
891 usually ``www-data`` or ``apache``. If you need to have the repositories
892 directory owned by a different user, use the user and group options to
893 WSGIDaemonProcess to set the name of the user and group.
894
895 Example WSGI dispatch script:
896
897 .. code-block:: python
898
899 import os
900 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
901
902 # sometimes it's needed to set the current dir
903 os.chdir('/srv/kallithea/')
904
905 import site
906 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
907
908 ini = '/srv/kallithea/my.ini'
909 from paste.script.util.logging_config import fileConfig
910 fileConfig(ini)
911 from paste.deploy import loadapp
912 application = loadapp('config:' + ini)
913
914 Or using proper virtualenv activation:
915
916 .. code-block:: python
917
918 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
919 execfile(activate_this, dict(__file__=activate_this))
920
921 import os
922 os.environ['HOME'] = '/srv/kallithea'
923
924 ini = '/srv/kallithea/kallithea.ini'
925 from paste.script.util.logging_config import fileConfig
926 fileConfig(ini)
927 from paste.deploy import loadapp
928 application = loadapp('config:' + ini)
929
930
931 Other configuration files
932 -------------------------
933
934 A number of `example init.d scripts`__ can be found in
935 the ``init.d`` directory of the Kallithea source.
936
937 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
938
939
940 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
941 .. _python: http://www.python.org/
942 .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
943 .. _Mercurial: https://www.mercurial-scm.org/
944 .. _Celery: http://celeryproject.org/
945 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946 .. _RabbitMQ: http://www.rabbitmq.com/
947 .. _Redis: http://redis.io/
948 .. _python-ldap: http://www.python-ldap.org/
368 .. _python-ldap: http://www.python-ldap.org/
949 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
950 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
Show file before | Show file after | Hide comments
@@ -1,90 +1,91 b''
1 .. _index:
1 .. _index:
2
2
3 #######################
3 #######################
4 Kallithea Documentation
4 Kallithea Documentation
5 #######################
5 #######################
6
6
7 * :ref:`genindex`
7 * :ref:`genindex`
8 * :ref:`search`
8 * :ref:`search`
9
9
10
10
11 Readme
11 Readme
12 ******
12 ******
13
13
14 .. toctree::
14 .. toctree::
15 :maxdepth: 1
15 :maxdepth: 1
16
16
17 readme
17 readme
18
18
19
19
20 Administrator guide
20 Administrator guide
21 *******************
21 *******************
22
22
23 **Installation and upgrade**
23 **Installation and upgrade**
24
24
25 .. toctree::
25 .. toctree::
26 :maxdepth: 1
26 :maxdepth: 1
27
27
28 overview
28 overview
29 installation
29 installation
30 installation_win
30 installation_win
31 installation_win_old
31 installation_win_old
32 installation_iis
32 installation_iis
33 installation_puppet
33 installation_puppet
34 upgrade
34 upgrade
35
35
36 **Setup and configuration**
36 **Setup and configuration**
37
37
38 .. toctree::
38 .. toctree::
39 :maxdepth: 1
39 :maxdepth: 1
40
40
41 setup
41 setup
42 administrator_guide/auth
42 administrator_guide/vcs_setup
43 administrator_guide/vcs_setup
43 usage/email
44 usage/email
44 usage/customization
45 usage/customization
45
46
46 **Maintenance**
47 **Maintenance**
47
48
48 .. toctree::
49 .. toctree::
49 :maxdepth: 1
50 :maxdepth: 1
50
51
51 usage/backup
52 usage/backup
52 usage/performance
53 usage/performance
53 usage/debugging
54 usage/debugging
54 usage/troubleshooting
55 usage/troubleshooting
55
56
56
57
57 User guide
58 User guide
58 **********
59 **********
59
60
60 .. toctree::
61 .. toctree::
61 :maxdepth: 1
62 :maxdepth: 1
62
63
63 usage/general
64 usage/general
64 usage/vcs_notes
65 usage/vcs_notes
65 usage/locking
66 usage/locking
66 usage/statistics
67 usage/statistics
67 api/api
68 api/api
68
69
69
70
70 Developer guide
71 Developer guide
71 ***************
72 ***************
72
73
73 .. toctree::
74 .. toctree::
74 :maxdepth: 1
75 :maxdepth: 1
75
76
76 contributing
77 contributing
77 dev/translation
78 dev/translation
78 dev/dbmigrations
79 dev/dbmigrations
79
80
80
81
81 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
82 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
82 .. _python: http://www.python.org/
83 .. _python: http://www.python.org/
83 .. _django: http://www.djangoproject.com/
84 .. _django: http://www.djangoproject.com/
84 .. _mercurial: https://www.mercurial-scm.org/
85 .. _mercurial: https://www.mercurial-scm.org/
85 .. _bitbucket: http://bitbucket.org/
86 .. _bitbucket: http://bitbucket.org/
86 .. _subversion: http://subversion.tigris.org/
87 .. _subversion: http://subversion.tigris.org/
87 .. _git: http://git-scm.com/
88 .. _git: http://git-scm.com/
88 .. _celery: http://celeryproject.org/
89 .. _celery: http://celeryproject.org/
89 .. _Sphinx: http://sphinx.pocoo.org/
90 .. _Sphinx: http://sphinx.pocoo.org/
90 .. _vcs: http://pypi.python.org/pypi/vcs
91 .. _vcs: http://pypi.python.org/pypi/vcs
Show file before | Show file after | Hide comments
@@ -1,950 +1,599 b''
1 .. _setup:
1 .. _setup:
2
2
3 =====
3 =====
4 Setup
4 Setup
5 =====
5 =====
6
6
7
7
8 Preparing front-end
8 Preparing front-end
9 -------------------
9 -------------------
10
10
11 Temporarily, in the current Kallithea version, some extra steps are required to
11 Temporarily, in the current Kallithea version, some extra steps are required to
12 build front-end files:
12 build front-end files:
13
13
14 Find the right ``kallithea/public/less`` path with::
14 Find the right ``kallithea/public/less`` path with::
15
15
16 python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
16 python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
17
17
18 Then run::
18 Then run::
19
19
20 npm install
20 npm install
21 npm run less
21 npm run less
22
22
23
23
24 Setting up Kallithea
24 Setting up Kallithea
25 --------------------
25 --------------------
26
26
27 First, you will need to create a Kallithea configuration file. Run the
27 First, you will need to create a Kallithea configuration file. Run the
28 following command to do so::
28 following command to do so::
29
29
30 gearbox make-config my.ini
30 gearbox make-config my.ini
31
31
32 This will create the file ``my.ini`` in the current directory. This
32 This will create the file ``my.ini`` in the current directory. This
33 configuration file contains the various settings for Kallithea, e.g.
33 configuration file contains the various settings for Kallithea, e.g.
34 proxy port, email settings, usage of static files, cache, Celery
34 proxy port, email settings, usage of static files, cache, Celery
35 settings, and logging. Extra settings can be specified like::
35 settings, and logging. Extra settings can be specified like::
36
36
37 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
37 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
38
38
39 Next, you need to create the databases used by Kallithea. It is recommended to
39 Next, you need to create the databases used by Kallithea. It is recommended to
40 use PostgreSQL or SQLite (default). If you choose a database other than the
40 use PostgreSQL or SQLite (default). If you choose a database other than the
41 default, ensure you properly adjust the database URL in your ``my.ini``
41 default, ensure you properly adjust the database URL in your ``my.ini``
42 configuration file to use this other database. Kallithea currently supports
42 configuration file to use this other database. Kallithea currently supports
43 PostgreSQL, SQLite and MySQL databases. Create the database by running
43 PostgreSQL, SQLite and MySQL databases. Create the database by running
44 the following command::
44 the following command::
45
45
46 gearbox setup-db -c my.ini
46 gearbox setup-db -c my.ini
47
47
48 This will prompt you for a "root" path. This "root" path is the location where
48 This will prompt you for a "root" path. This "root" path is the location where
49 Kallithea will store all of its repositories on the current machine. After
49 Kallithea will store all of its repositories on the current machine. After
50 entering this "root" path ``setup-db`` will also prompt you for a username
50 entering this "root" path ``setup-db`` will also prompt you for a username
51 and password for the initial admin account which ``setup-db`` sets
51 and password for the initial admin account which ``setup-db`` sets
52 up for you.
52 up for you.
53
53
54 The ``setup-db`` values can also be given on the command line.
54 The ``setup-db`` values can also be given on the command line.
55 Example::
55 Example::
56
56
57 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
57 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
58
58
59 The ``setup-db`` command will create all needed tables and an
59 The ``setup-db`` command will create all needed tables and an
60 admin account. When choosing a root path you can either use a new
60 admin account. When choosing a root path you can either use a new
61 empty location, or a location which already contains existing
61 empty location, or a location which already contains existing
62 repositories. If you choose a location which contains existing
62 repositories. If you choose a location which contains existing
63 repositories Kallithea will add all of the repositories at the chosen
63 repositories Kallithea will add all of the repositories at the chosen
64 location to its database. (Note: make sure you specify the correct
64 location to its database. (Note: make sure you specify the correct
65 path to the root).
65 path to the root).
66
66
67 .. note:: the given path for Mercurial_ repositories **must** be write
67 .. note:: the given path for Mercurial_ repositories **must** be write
68 accessible for the application. It's very important since
68 accessible for the application. It's very important since
69 the Kallithea web interface will work without write access,
69 the Kallithea web interface will work without write access,
70 but when trying to do a push it will fail with permission
70 but when trying to do a push it will fail with permission
71 denied errors unless it has write access.
71 denied errors unless it has write access.
72
72
73 You are now ready to use Kallithea. To run it simply execute::
73 You are now ready to use Kallithea. To run it simply execute::
74
74
75 gearbox serve -c my.ini
75 gearbox serve -c my.ini
76
76
77 - This command runs the Kallithea server. The web app should be available at
77 - This command runs the Kallithea server. The web app should be available at
78 http://127.0.0.1:5000. The IP address and port is configurable via the
78 http://127.0.0.1:5000. The IP address and port is configurable via the
79 configuration file created in the previous step.
79 configuration file created in the previous step.
80 - Log in to Kallithea using the admin account created when running ``setup-db``.
80 - Log in to Kallithea using the admin account created when running ``setup-db``.
81 - The default permissions on each repository is read, and the owner is admin.
81 - The default permissions on each repository is read, and the owner is admin.
82 Remember to update these if needed.
82 Remember to update these if needed.
83 - In the admin panel you can toggle LDAP, anonymous, and permissions
83 - In the admin panel you can toggle LDAP, anonymous, and permissions
84 settings, as well as edit more advanced options on users and
84 settings, as well as edit more advanced options on users and
85 repositories.
85 repositories.
86
86
87
87
88 Internationalization (i18n support)
88 Internationalization (i18n support)
89 -----------------------------------
89 -----------------------------------
90
90
91 The Kallithea web interface is automatically displayed in the user's preferred
91 The Kallithea web interface is automatically displayed in the user's preferred
92 language, as indicated by the browser. Thus, different users may see the
92 language, as indicated by the browser. Thus, different users may see the
93 application in different languages. If the requested language is not available
93 application in different languages. If the requested language is not available
94 (because the translation file for that language does not yet exist or is
94 (because the translation file for that language does not yet exist or is
95 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
95 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
96 configuration file is used as fallback. If no fallback language is explicitly
96 configuration file is used as fallback. If no fallback language is explicitly
97 specified, English is used.
97 specified, English is used.
98
98
99 If you want to disable automatic language detection and instead configure a
99 If you want to disable automatic language detection and instead configure a
100 fixed language regardless of user preference, set ``i18n.enabled = false`` and
100 fixed language regardless of user preference, set ``i18n.enabled = false`` and
101 set ``i18n.lang`` to the desired language (or leave empty for English).
101 set ``i18n.lang`` to the desired language (or leave empty for English).
102
102
103
103
104 Using Kallithea with SSH
104 Using Kallithea with SSH
105 ------------------------
105 ------------------------
106
106
107 Kallithea currently only hosts repositories using http and https. (The addition
107 Kallithea currently only hosts repositories using http and https. (The addition
108 of ssh hosting is a planned future feature.) However you can easily use ssh in
108 of ssh hosting is a planned future feature.) However you can easily use ssh in
109 parallel with Kallithea. (Repository access via ssh is a standard "out of
109 parallel with Kallithea. (Repository access via ssh is a standard "out of
110 the box" feature of Mercurial_ and you can use this to access any of the
110 the box" feature of Mercurial_ and you can use this to access any of the
111 repositories that Kallithea is hosting. See PublishingRepositories_)
111 repositories that Kallithea is hosting. See PublishingRepositories_)
112
112
113 Kallithea repository structures are kept in directories with the same name
113 Kallithea repository structures are kept in directories with the same name
114 as the project. When using repository groups, each group is a subdirectory.
114 as the project. When using repository groups, each group is a subdirectory.
115 This allows you to easily use ssh for accessing repositories.
115 This allows you to easily use ssh for accessing repositories.
116
116
117 In order to use ssh you need to make sure that your web server and the users'
117 In order to use ssh you need to make sure that your web server and the users'
118 login accounts have the correct permissions set on the appropriate directories.
118 login accounts have the correct permissions set on the appropriate directories.
119
119
120 .. note:: These permissions are independent of any permissions you
120 .. note:: These permissions are independent of any permissions you
121 have set up using the Kallithea web interface.
121 have set up using the Kallithea web interface.
122
122
123 If your main directory (the same as set in Kallithea settings) is for
123 If your main directory (the same as set in Kallithea settings) is for
124 example set to ``/srv/repos`` and the repository you are using is
124 example set to ``/srv/repos`` and the repository you are using is
125 named ``kallithea``, then to clone via ssh you should run::
125 named ``kallithea``, then to clone via ssh you should run::
126
126
127 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
127 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
128
128
129 Using other external tools such as mercurial-server_ or using ssh key-based
129 Using other external tools such as mercurial-server_ or using ssh key-based
130 authentication is fully supported.
130 authentication is fully supported.
131
131
132 .. note:: In an advanced setup, in order for your ssh access to use
132 .. note:: In an advanced setup, in order for your ssh access to use
133 the same permissions as set up via the Kallithea web
133 the same permissions as set up via the Kallithea web
134 interface, you can create an authentication hook to connect
134 interface, you can create an authentication hook to connect
135 to the Kallithea db and run check functions for permissions
135 to the Kallithea db and run check functions for permissions
136 against that.
136 against that.
137
137
138
138
139 Setting up Whoosh full text search
139 Setting up Whoosh full text search
140 ----------------------------------
140 ----------------------------------
141
141
142 Kallithea provides full text search of repositories using `Whoosh`__.
142 Kallithea provides full text search of repositories using `Whoosh`__.
143
143
144 .. __: https://whoosh.readthedocs.io/en/latest/
144 .. __: https://whoosh.readthedocs.io/en/latest/
145
145
146 For an incremental index build, run::
146 For an incremental index build, run::
147
147
148 gearbox make-index -c my.ini
148 gearbox make-index -c my.ini
149
149
150 For a full index rebuild, run::
150 For a full index rebuild, run::
151
151
152 gearbox make-index -c my.ini -f
152 gearbox make-index -c my.ini -f
153
153
154 The ``--repo-location`` option allows the location of the repositories to be overridden;
154 The ``--repo-location`` option allows the location of the repositories to be overridden;
155 usually, the location is retrieved from the Kallithea database.
155 usually, the location is retrieved from the Kallithea database.
156
156
157 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
157 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
158
158
159 gearbox make-index -c my.ini --index-only=vcs,kallithea
159 gearbox make-index -c my.ini --index-only=vcs,kallithea
160
160
161 To keep your index up-to-date it is necessary to do periodic index builds;
161 To keep your index up-to-date it is necessary to do periodic index builds;
162 for this, it is recommended to use a crontab entry. Example::
162 for this, it is recommended to use a crontab entry. Example::
163
163
164 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
164 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
165
165
166 When using incremental mode (the default), Whoosh will check the last
166 When using incremental mode (the default), Whoosh will check the last
167 modification date of each file and add it to be reindexed if a newer file is
167 modification date of each file and add it to be reindexed if a newer file is
168 available. The indexing daemon checks for any removed files and removes them
168 available. The indexing daemon checks for any removed files and removes them
169 from index.
169 from index.
170
170
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172 or in the admin panel you can check the "build from scratch" checkbox.
172 or in the admin panel you can check the "build from scratch" checkbox.
173
173
174 .. _ldap-setup:
175
176
177 Setting up LDAP support
178 -----------------------
179
180 Kallithea supports LDAP authentication. In order
181 to use LDAP, you have to install the python-ldap_ package. This package is
182 available via PyPI, so you can install it by running::
183
184 pip install python-ldap
185
186 .. note:: ``python-ldap`` requires some libraries to be installed on
187 your system, so before installing it check that you have at
188 least the ``openldap`` and ``sasl`` libraries.
189
190 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
191 and then *Save*, to enable the LDAP plugin and configure its settings.
192
193 Here's a typical LDAP setup::
194
195 Connection settings
196 Enable LDAP = checked
197 Host = host.example.com
198 Account = <account>
199 Password = <password>
200 Connection Security = LDAPS
201 Certificate Checks = DEMAND
202
203 Search settings
204 Base DN = CN=users,DC=host,DC=example,DC=org
205 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
206 LDAP Search Scope = SUBTREE
207
208 Attribute mappings
209 Login Attribute = uid
210 First Name Attribute = firstName
211 Last Name Attribute = lastName
212 Email Attribute = mail
213
214 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
215
216 Search settings
217 Base DN = DC=host,DC=example,DC=org
218 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
219 LDAP Search Scope = SUBTREE
220
221 .. _enable_ldap:
222
223 Enable LDAP : required
224 Whether to use LDAP for authenticating users.
225
226 .. _ldap_host:
227
228 Host : required
229 LDAP server hostname or IP address. Can be also a comma separated
230 list of servers to support LDAP fail-over.
231
232 .. _Port:
233
234 Port : optional
235 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
236 Defaults to 636 for LDAPS.
237
238 .. _ldap_account:
239
240 Account : optional
241 Only required if the LDAP server does not allow anonymous browsing of
242 records. This should be a special account for record browsing. This
243 will require `LDAP Password`_ below.
244
245 .. _LDAP Password:
246
247 Password : optional
248 Only required if the LDAP server does not allow anonymous browsing of
249 records.
250
251 .. _Enable LDAPS:
252
253 Connection Security : required
254 Defines the connection to LDAP server
255
256 PLAIN
257 Plain unencrypted LDAP connection.
258 This will by default use `Port`_ 389.
259
260 LDAPS
261 Use secure LDAPS connections according to `Certificate
262 Checks`_ configuration.
263 This will by default use `Port`_ 636.
264
265 START_TLS
266 Use START TLS according to `Certificate Checks`_ configuration on an
267 apparently "plain" LDAP connection.
268 This will by default use `Port`_ 389.
269
270 .. _Certificate Checks:
271
272 Certificate Checks : optional
273 How SSL certificates verification is handled -- this is only useful when
274 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
275 with mandatory certificate validation, while the other options are
276 susceptible to man-in-the-middle attacks.
277
278 NEVER
279 A serve certificate will never be requested or checked.
280
281 ALLOW
282 A server certificate is requested. Failure to provide a
283 certificate or providing a bad certificate will not terminate the
284 session.
285
286 TRY
287 A server certificate is requested. Failure to provide a
288 certificate does not halt the session; providing a bad certificate
289 halts the session.
290
291 DEMAND
292 A server certificate is requested and must be provided and
293 authenticated for the session to proceed.
294
295 HARD
296 The same as DEMAND.
297
298 .. _Custom CA Certificates:
299
300 Custom CA Certificates : optional
301 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
302 Python 2.7.10 and later default to using the system certificate store, and
303 this should thus not be necessary when using certificates signed by a CA
304 trusted by the system.
305 It can be set to something like `/etc/openldap/cacerts` on older systems or
306 if using self-signed certificates.
307
308 .. _Base DN:
309
310 Base DN : required
311 The Distinguished Name (DN) where searches for users will be performed.
312 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
313
314 .. _LDAP Filter:
315
316 LDAP Filter : optional
317 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
318 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
319 which LDAP objects are identified as representing Users for
320 authentication. The filter is augmented by `Login Attribute`_ below.
321 This can commonly be left blank.
322
323 .. _LDAP Search Scope:
324
325 LDAP Search Scope : required
326 This limits how far LDAP will search for a matching object.
327
328 BASE
329 Only allows searching of `Base DN`_ and is usually not what you
330 want.
331
332 ONELEVEL
333 Searches all entries under `Base DN`_, but not Base DN itself.
334
335 SUBTREE
336 Searches all entries below `Base DN`_, but not Base DN itself.
337 When using SUBTREE `LDAP Filter`_ is useful to limit object
338 location.
339
340 .. _Login Attribute:
341
342 Login Attribute : required
343 The LDAP record attribute that will be matched as the USERNAME or
344 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
345 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
346 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
347 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
348 ::
349
350 (&(LDAPFILTER)(uid=jsmith))
351
352 .. _ldap_attr_firstname:
353
354 First Name Attribute : required
355 The LDAP record attribute which represents the user's first name.
356
357 .. _ldap_attr_lastname:
358
359 Last Name Attribute : required
360 The LDAP record attribute which represents the user's last name.
361
362 .. _ldap_attr_email:
363
364 Email Attribute : required
365 The LDAP record attribute which represents the user's email address.
366
367 If all data are entered correctly, and python-ldap_ is properly installed
368 users should be granted access to Kallithea with LDAP accounts. At this
369 time user information is copied from LDAP into the Kallithea user database.
370 This means that updates of an LDAP user object may not be reflected as a
371 user update in Kallithea.
372
373 If You have problems with LDAP access and believe You entered correct
374 information check out the Kallithea logs, any error messages sent from LDAP
375 will be saved there.
376
377 Active Directory
378 ^^^^^^^^^^^^^^^^
379
380 Kallithea can use Microsoft Active Directory for user authentication. This
381 is done through an LDAP or LDAPS connection to Active Directory. The
382 following LDAP configuration settings are typical for using Active
383 Directory ::
384
385 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
386 Login Attribute = sAMAccountName
387 First Name Attribute = givenName
388 Last Name Attribute = sn
389 Email Attribute = mail
390
391 All other LDAP settings will likely be site-specific and should be
392 appropriately configured.
393
394
395 Authentication by container or reverse-proxy
396 --------------------------------------------
397
398 Kallithea supports delegating the authentication
399 of users to its WSGI container, or to a reverse-proxy server through which all
400 clients access the application.
401
402 When these authentication methods are enabled in Kallithea, it uses the
403 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
404 perform the authentication itself. The authorization, however, is still done by
405 Kallithea according to its settings.
406
407 When a user logs in for the first time using these authentication methods,
408 a matching user account is created in Kallithea with default permissions. An
409 administrator can then modify it using Kallithea's admin interface.
410
411 It's also possible for an administrator to create accounts and configure their
412 permissions before the user logs in for the first time, using the :ref:`create-user` API.
413
414 Container-based authentication
415 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
416
417 In a container-based authentication setup, Kallithea reads the user name from
418 the ``REMOTE_USER`` server variable provided by the WSGI container.
419
420 After setting up your container (see `Apache with mod_wsgi`_), you'll need
421 to configure it to require authentication on the location configured for
422 Kallithea.
423
424 Proxy pass-through authentication
425 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
426
427 In a proxy pass-through authentication setup, Kallithea reads the user name
428 from the ``X-Forwarded-User`` request header, which should be configured to be
429 sent by the reverse-proxy server.
430
431 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
432 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
433 configure the authentication and add the username in a request header named
434 ``X-Forwarded-User``.
435
436 For example, the following config section for Apache sets a subdirectory in a
437 reverse-proxy setup with basic auth:
438
439 .. code-block:: apache
440
441 <Location /someprefix>
442 ProxyPass http://127.0.0.1:5000/someprefix
443 ProxyPassReverse http://127.0.0.1:5000/someprefix
444 SetEnvIf X-Url-Scheme https HTTPS=1
445
446 AuthType Basic
447 AuthName "Kallithea authentication"
448 AuthUserFile /srv/kallithea/.htpasswd
449 Require valid-user
450
451 RequestHeader unset X-Forwarded-User
452
453 RewriteEngine On
454 RewriteCond %{LA-U:REMOTE_USER} (.+)
455 RewriteRule .* - [E=RU:%1]
456 RequestHeader set X-Forwarded-User %{RU}e
457 </Location>
458
459 Setting metadata in container/reverse-proxy
460 """""""""""""""""""""""""""""""""""""""""""
461 When a new user account is created on the first login, Kallithea has no information about
462 the user's email and full name. So you can set some additional request headers like in the
463 example below. In this example the user is authenticated via Kerberos and an Apache
464 mod_python fixup handler is used to get the user information from a LDAP server. But you
465 could set the request headers however you want.
466
467 .. code-block:: apache
468
469 <Location /someprefix>
470 ProxyPass http://127.0.0.1:5000/someprefix
471 ProxyPassReverse http://127.0.0.1:5000/someprefix
472 SetEnvIf X-Url-Scheme https HTTPS=1
473
474 AuthName "Kerberos Login"
475 AuthType Kerberos
476 Krb5Keytab /etc/apache2/http.keytab
477 KrbMethodK5Passwd off
478 KrbVerifyKDC on
479 Require valid-user
480
481 PythonFixupHandler ldapmetadata
482
483 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
484 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
485 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
486 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
487 </Location>
488
489 .. code-block:: python
490
491 from mod_python import apache
492 import ldap
493
494 LDAP_SERVER = "ldaps://server.mydomain.com:636"
495 LDAP_USER = ""
496 LDAP_PASS = ""
497 LDAP_ROOT = "dc=mydomain,dc=com"
498 LDAP_FILTER = "sAMAccountName=%s"
499 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
500
501 def fixuphandler(req):
502 if req.user is None:
503 # no user to search for
504 return apache.OK
505 else:
506 try:
507 if('\\' in req.user):
508 username = req.user.split('\\')[1]
509 elif('@' in req.user):
510 username = req.user.split('@')[0]
511 else:
512 username = req.user
513 l = ldap.initialize(LDAP_SERVER)
514 l.simple_bind_s(LDAP_USER, LDAP_PASS)
515 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
516
517 req.subprocess_env['X_REMOTE_USER'] = username
518 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
519 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
520 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
521 except Exception, e:
522 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
523
524 return apache.OK
525
526 .. note::
527 If you enable proxy pass-through authentication, make sure your server is
528 only accessible through the proxy. Otherwise, any client would be able to
529 forge the authentication header and could effectively become authenticated
530 using any account of their liking.
531
532
174
533 Integration with issue trackers
175 Integration with issue trackers
534 -------------------------------
176 -------------------------------
535
177
536 Kallithea provides a simple integration with issue trackers. It's possible
178 Kallithea provides a simple integration with issue trackers. It's possible
537 to define a regular expression that will match an issue ID in commit messages,
179 to define a regular expression that will match an issue ID in commit messages,
538 and have that replaced with a URL to the issue.
180 and have that replaced with a URL to the issue.
539
181
540 This is achieved with following three variables in the ini file::
182 This is achieved with following three variables in the ini file::
541
183
542 issue_pat = #(\d+)
184 issue_pat = #(\d+)
543 issue_server_link = https://issues.example.com/{repo}/issue/\1
185 issue_server_link = https://issues.example.com/{repo}/issue/\1
544 issue_sub =
186 issue_sub =
545
187
546 ``issue_pat`` is the regular expression describing which strings in
188 ``issue_pat`` is the regular expression describing which strings in
547 commit messages will be treated as issue references. The expression can/should
189 commit messages will be treated as issue references. The expression can/should
548 have one or more parenthesized groups that can later be referred to in
190 have one or more parenthesized groups that can later be referred to in
549 ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
191 ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
550 can be used instead of simple parenthesized groups.
192 can be used instead of simple parenthesized groups.
551
193
552 If the pattern should only match if it is preceded by whitespace, add the
194 If the pattern should only match if it is preceded by whitespace, add the
553 following string before the actual pattern: ``(?:^|(?<=\s))``.
195 following string before the actual pattern: ``(?:^|(?<=\s))``.
554 If the pattern should only match if it is followed by whitespace, add the
196 If the pattern should only match if it is followed by whitespace, add the
555 following string after the actual pattern: ``(?:$|(?=\s))``.
197 following string after the actual pattern: ``(?:$|(?=\s))``.
556 These expressions use lookbehind and lookahead assertions of the Python regular
198 These expressions use lookbehind and lookahead assertions of the Python regular
557 expression module to avoid the whitespace to be part of the actual pattern,
199 expression module to avoid the whitespace to be part of the actual pattern,
558 otherwise the link text will also contain that whitespace.
200 otherwise the link text will also contain that whitespace.
559
201
560 Matched issue references are replaced with the link specified in
202 Matched issue references are replaced with the link specified in
561 ``issue_server_link``, in which any backreferences are resolved. Backreferences
203 ``issue_server_link``, in which any backreferences are resolved. Backreferences
562 can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
204 can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
563 The special token ``{repo}`` is replaced with the full repository path
205 The special token ``{repo}`` is replaced with the full repository path
564 (including repository groups), while token ``{repo_name}`` is replaced with the
206 (including repository groups), while token ``{repo_name}`` is replaced with the
565 repository name (without repository groups).
207 repository name (without repository groups).
566
208
567 The link text is determined by ``issue_sub``, which can be a string containing
209 The link text is determined by ``issue_sub``, which can be a string containing
568 backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
210 backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
569 empty, then the text matched by ``issue_pat`` is used verbatim.
211 empty, then the text matched by ``issue_pat`` is used verbatim.
570
212
571 The example settings shown above match issues in the format ``#<number>``.
213 The example settings shown above match issues in the format ``#<number>``.
572 This will cause the text ``#300`` to be transformed into a link:
214 This will cause the text ``#300`` to be transformed into a link:
573
215
574 .. code-block:: html
216 .. code-block:: html
575
217
576 <a href="https://issues.example.com/example_repo/issue/300">#300</a>
218 <a href="https://issues.example.com/example_repo/issue/300">#300</a>
577
219
578 The following example transforms a text starting with either of 'pullrequest',
220 The following example transforms a text starting with either of 'pullrequest',
579 'pull request' or 'PR', followed by an optional space, then a pound character
221 'pull request' or 'PR', followed by an optional space, then a pound character
580 (#) and one or more digits, into a link with the text 'PR #' followed by the
222 (#) and one or more digits, into a link with the text 'PR #' followed by the
581 digits::
223 digits::
582
224
583 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
225 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
584 issue_server_link = https://issues.example.com/\2
226 issue_server_link = https://issues.example.com/\2
585 issue_sub = PR #\2
227 issue_sub = PR #\2
586
228
587 The following example demonstrates how to require whitespace before the issue
229 The following example demonstrates how to require whitespace before the issue
588 reference in order for it to be recognized, such that the text ``issue#123`` will
230 reference in order for it to be recognized, such that the text ``issue#123`` will
589 not cause a match, but ``issue #123`` will::
231 not cause a match, but ``issue #123`` will::
590
232
591 issue_pat = (?:^|(?<=\s))#(\d+)
233 issue_pat = (?:^|(?<=\s))#(\d+)
592 issue_server_link = https://issues.example.com/\1
234 issue_server_link = https://issues.example.com/\1
593 issue_sub =
235 issue_sub =
594
236
595 If needed, more than one pattern can be specified by appending a unique suffix to
237 If needed, more than one pattern can be specified by appending a unique suffix to
596 the variables. For example, also demonstrating the use of named groups::
238 the variables. For example, also demonstrating the use of named groups::
597
239
598 issue_pat_wiki = wiki-(?P<pagename>\S+)
240 issue_pat_wiki = wiki-(?P<pagename>\S+)
599 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
241 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
600 issue_sub_wiki = WIKI-\g<pagename>
242 issue_sub_wiki = WIKI-\g<pagename>
601
243
602 With these settings, wiki pages can be referenced as wiki-some-id, and every
244 With these settings, wiki pages can be referenced as wiki-some-id, and every
603 such reference will be transformed into:
245 such reference will be transformed into:
604
246
605 .. code-block:: html
247 .. code-block:: html
606
248
607 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
249 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
608
250
609 Refer to the `Python regular expression documentation`_ for more details about
251 Refer to the `Python regular expression documentation`_ for more details about
610 the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
252 the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
611
253
612
254
613 Hook management
255 Hook management
614 ---------------
256 ---------------
615
257
616 Hooks can be managed in similar way to that used in ``.hgrc`` files.
258 Hooks can be managed in similar way to that used in ``.hgrc`` files.
617 To manage hooks, choose *Admin > Settings > Hooks*.
259 To manage hooks, choose *Admin > Settings > Hooks*.
618
260
619 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
261 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
620
262
621 To add another custom hook simply fill in the first textbox with
263 To add another custom hook simply fill in the first textbox with
622 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
264 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
623 can be found in ``kallithea.lib.hooks``.
265 can be found in ``kallithea.lib.hooks``.
624
266
625
267
626 Changing default encoding
268 Changing default encoding
627 -------------------------
269 -------------------------
628
270
629 By default, Kallithea uses UTF-8 encoding.
271 By default, Kallithea uses UTF-8 encoding.
630 This is configurable as ``default_encoding`` in the .ini file.
272 This is configurable as ``default_encoding`` in the .ini file.
631 This affects many parts in Kallithea including user names, filenames, and
273 This affects many parts in Kallithea including user names, filenames, and
632 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
274 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
633 library is installed. If ``chardet`` is detected Kallithea will fallback to it
275 library is installed. If ``chardet`` is detected Kallithea will fallback to it
634 when there are encode/decode errors.
276 when there are encode/decode errors.
635
277
636 The Mercurial encoding is configurable as ``hgencoding``. It is similar to
278 The Mercurial encoding is configurable as ``hgencoding``. It is similar to
637 setting the ``HGENCODING`` environment variable, but will override it.
279 setting the ``HGENCODING`` environment variable, but will override it.
638
280
639
281
640 Celery configuration
282 Celery configuration
641 --------------------
283 --------------------
642
284
643 Kallithea can use the distributed task queue system Celery_ to run tasks like
285 Kallithea can use the distributed task queue system Celery_ to run tasks like
644 cloning repositories or sending emails.
286 cloning repositories or sending emails.
645
287
646 Kallithea will in most setups work perfectly fine out of the box (without
288 Kallithea will in most setups work perfectly fine out of the box (without
647 Celery), executing all tasks in the web server process. Some tasks can however
289 Celery), executing all tasks in the web server process. Some tasks can however
648 take some time to run and it can be better to run such tasks asynchronously in
290 take some time to run and it can be better to run such tasks asynchronously in
649 a separate process so the web server can focus on serving web requests.
291 a separate process so the web server can focus on serving web requests.
650
292
651 For installation and configuration of Celery, see the `Celery documentation`_.
293 For installation and configuration of Celery, see the `Celery documentation`_.
652 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
294 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
653 or Redis_.
295 or Redis_.
654
296
655 The use of Celery is configured in the Kallithea ini configuration file.
297 The use of Celery is configured in the Kallithea ini configuration file.
656 To enable it, simply set::
298 To enable it, simply set::
657
299
658 use_celery = true
300 use_celery = true
659
301
660 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
302 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
661
303
662 Remember that the ini files use the format with '.' and not with '_' like
304 Remember that the ini files use the format with '.' and not with '_' like
663 Celery. So for example setting `BROKER_HOST` in Celery means setting
305 Celery. So for example setting `BROKER_HOST` in Celery means setting
664 `broker.host` in the configuration file.
306 `broker.host` in the configuration file.
665
307
666 To start the Celery process, run::
308 To start the Celery process, run::
667
309
668 gearbox celeryd -c <configfile.ini>
310 gearbox celeryd -c <configfile.ini>
669
311
670 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
312 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
671 for more info.
313 for more info.
672
314
673 .. note::
315 .. note::
674 Make sure you run this command from the same virtualenv, and with the same
316 Make sure you run this command from the same virtualenv, and with the same
675 user that Kallithea runs.
317 user that Kallithea runs.
676
318
677
319
678 HTTPS support
320 HTTPS support
679 -------------
321 -------------
680
322
681 Kallithea will by default generate URLs based on the WSGI environment.
323 Kallithea will by default generate URLs based on the WSGI environment.
682
324
683 Alternatively, you can use some special configuration settings to control
325 Alternatively, you can use some special configuration settings to control
684 directly which scheme/protocol Kallithea will use when generating URLs:
326 directly which scheme/protocol Kallithea will use when generating URLs:
685
327
686 - With ``https_fixup = true``, the scheme will be taken from the
328 - With ``https_fixup = true``, the scheme will be taken from the
687 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
329 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
688 (default ``http``).
330 (default ``http``).
689 - With ``force_https = true`` the default will be ``https``.
331 - With ``force_https = true`` the default will be ``https``.
690 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
332 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691
333
334 .. _nginx_virtual_host:
335
692
336
693 Nginx virtual host example
337 Nginx virtual host example
694 --------------------------
338 --------------------------
695
339
696 Sample config for Nginx using proxy:
340 Sample config for Nginx using proxy:
697
341
698 .. code-block:: nginx
342 .. code-block:: nginx
699
343
700 upstream kallithea {
344 upstream kallithea {
701 server 127.0.0.1:5000;
345 server 127.0.0.1:5000;
702 # add more instances for load balancing
346 # add more instances for load balancing
703 #server 127.0.0.1:5001;
347 #server 127.0.0.1:5001;
704 #server 127.0.0.1:5002;
348 #server 127.0.0.1:5002;
705 }
349 }
706
350
707 ## gist alias
351 ## gist alias
708 server {
352 server {
709 listen 443;
353 listen 443;
710 server_name gist.example.com;
354 server_name gist.example.com;
711 access_log /var/log/nginx/gist.access.log;
355 access_log /var/log/nginx/gist.access.log;
712 error_log /var/log/nginx/gist.error.log;
356 error_log /var/log/nginx/gist.error.log;
713
357
714 ssl on;
358 ssl on;
715 ssl_certificate gist.your.kallithea.server.crt;
359 ssl_certificate gist.your.kallithea.server.crt;
716 ssl_certificate_key gist.your.kallithea.server.key;
360 ssl_certificate_key gist.your.kallithea.server.key;
717
361
718 ssl_session_timeout 5m;
362 ssl_session_timeout 5m;
719
363
720 ssl_protocols SSLv3 TLSv1;
364 ssl_protocols SSLv3 TLSv1;
721 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
365 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
722 ssl_prefer_server_ciphers on;
366 ssl_prefer_server_ciphers on;
723
367
724 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
368 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
725 rewrite (.*) https://kallithea.example.com/_admin/gists;
369 rewrite (.*) https://kallithea.example.com/_admin/gists;
726 }
370 }
727
371
728 server {
372 server {
729 listen 443;
373 listen 443;
730 server_name kallithea.example.com
374 server_name kallithea.example.com
731 access_log /var/log/nginx/kallithea.access.log;
375 access_log /var/log/nginx/kallithea.access.log;
732 error_log /var/log/nginx/kallithea.error.log;
376 error_log /var/log/nginx/kallithea.error.log;
733
377
734 ssl on;
378 ssl on;
735 ssl_certificate your.kallithea.server.crt;
379 ssl_certificate your.kallithea.server.crt;
736 ssl_certificate_key your.kallithea.server.key;
380 ssl_certificate_key your.kallithea.server.key;
737
381
738 ssl_session_timeout 5m;
382 ssl_session_timeout 5m;
739
383
740 ssl_protocols SSLv3 TLSv1;
384 ssl_protocols SSLv3 TLSv1;
741 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
385 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
742 ssl_prefer_server_ciphers on;
386 ssl_prefer_server_ciphers on;
743
387
744 ## uncomment root directive if you want to serve static files by nginx
388 ## uncomment root directive if you want to serve static files by nginx
745 ## requires static_files = false in .ini file
389 ## requires static_files = false in .ini file
746 #root /srv/kallithea/kallithea/kallithea/public;
390 #root /srv/kallithea/kallithea/kallithea/public;
747 include /etc/nginx/proxy.conf;
391 include /etc/nginx/proxy.conf;
748 location / {
392 location / {
749 try_files $uri @kallithea;
393 try_files $uri @kallithea;
750 }
394 }
751
395
752 location @kallithea {
396 location @kallithea {
753 proxy_pass http://127.0.0.1:5000;
397 proxy_pass http://127.0.0.1:5000;
754 }
398 }
755
399
756 }
400 }
757
401
758 Here's the proxy.conf. It's tuned so it will not timeout on long
402 Here's the proxy.conf. It's tuned so it will not timeout on long
759 pushes or large pushes::
403 pushes or large pushes::
760
404
761 proxy_redirect off;
405 proxy_redirect off;
762 proxy_set_header Host $host;
406 proxy_set_header Host $host;
763 ## needed for container auth
407 ## needed for container auth
764 #proxy_set_header REMOTE_USER $remote_user;
408 #proxy_set_header REMOTE_USER $remote_user;
765 #proxy_set_header X-Forwarded-User $remote_user;
409 #proxy_set_header X-Forwarded-User $remote_user;
766 proxy_set_header X-Url-Scheme $scheme;
410 proxy_set_header X-Url-Scheme $scheme;
767 proxy_set_header X-Host $http_host;
411 proxy_set_header X-Host $http_host;
768 proxy_set_header X-Real-IP $remote_addr;
412 proxy_set_header X-Real-IP $remote_addr;
769 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
413 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
770 proxy_set_header Proxy-host $proxy_host;
414 proxy_set_header Proxy-host $proxy_host;
771 proxy_buffering off;
415 proxy_buffering off;
772 proxy_connect_timeout 7200;
416 proxy_connect_timeout 7200;
773 proxy_send_timeout 7200;
417 proxy_send_timeout 7200;
774 proxy_read_timeout 7200;
418 proxy_read_timeout 7200;
775 proxy_buffers 8 32k;
419 proxy_buffers 8 32k;
776 client_max_body_size 1024m;
420 client_max_body_size 1024m;
777 client_body_buffer_size 128k;
421 client_body_buffer_size 128k;
778 large_client_header_buffers 8 64k;
422 large_client_header_buffers 8 64k;
779
423
424 .. _apache_virtual_host_reverse_proxy:
425
780
426
781 Apache virtual host reverse proxy example
427 Apache virtual host reverse proxy example
782 -----------------------------------------
428 -----------------------------------------
783
429
784 Here is a sample configuration file for Apache using proxy:
430 Here is a sample configuration file for Apache using proxy:
785
431
786 .. code-block:: apache
432 .. code-block:: apache
787
433
788 <VirtualHost *:80>
434 <VirtualHost *:80>
789 ServerName kallithea.example.com
435 ServerName kallithea.example.com
790
436
791 <Proxy *>
437 <Proxy *>
792 # For Apache 2.4 and later:
438 # For Apache 2.4 and later:
793 Require all granted
439 Require all granted
794
440
795 # For Apache 2.2 and earlier, instead use:
441 # For Apache 2.2 and earlier, instead use:
796 # Order allow,deny
442 # Order allow,deny
797 # Allow from all
443 # Allow from all
798 </Proxy>
444 </Proxy>
799
445
800 #important !
446 #important !
801 #Directive to properly generate url (clone url) for Kallithea
447 #Directive to properly generate url (clone url) for Kallithea
802 ProxyPreserveHost On
448 ProxyPreserveHost On
803
449
804 #kallithea instance
450 #kallithea instance
805 ProxyPass / http://127.0.0.1:5000/
451 ProxyPass / http://127.0.0.1:5000/
806 ProxyPassReverse / http://127.0.0.1:5000/
452 ProxyPassReverse / http://127.0.0.1:5000/
807
453
808 #to enable https use line below
454 #to enable https use line below
809 #SetEnvIf X-Url-Scheme https HTTPS=1
455 #SetEnvIf X-Url-Scheme https HTTPS=1
810 </VirtualHost>
456 </VirtualHost>
811
457
812 Additional tutorial
458 Additional tutorial
813 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
459 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814
460
461 .. _apache_subdirectory:
462
815
463
816 Apache as subdirectory
464 Apache as subdirectory
817 ----------------------
465 ----------------------
818
466
819 Apache subdirectory part:
467 Apache subdirectory part:
820
468
821 .. code-block:: apache
469 .. code-block:: apache
822
470
823 <Location /PREFIX >
471 <Location /PREFIX >
824 ProxyPass http://127.0.0.1:5000/PREFIX
472 ProxyPass http://127.0.0.1:5000/PREFIX
825 ProxyPassReverse http://127.0.0.1:5000/PREFIX
473 ProxyPassReverse http://127.0.0.1:5000/PREFIX
826 SetEnvIf X-Url-Scheme https HTTPS=1
474 SetEnvIf X-Url-Scheme https HTTPS=1
827 </Location>
475 </Location>
828
476
829 Besides the regular apache setup you will need to add the following line
477 Besides the regular apache setup you will need to add the following line
830 into ``[app:main]`` section of your .ini file::
478 into ``[app:main]`` section of your .ini file::
831
479
832 filter-with = proxy-prefix
480 filter-with = proxy-prefix
833
481
834 Add the following at the end of the .ini file::
482 Add the following at the end of the .ini file::
835
483
836 [filter:proxy-prefix]
484 [filter:proxy-prefix]
837 use = egg:PasteDeploy#prefix
485 use = egg:PasteDeploy#prefix
838 prefix = /PREFIX
486 prefix = /PREFIX
839
487
840 then change ``PREFIX`` into your chosen prefix
488 then change ``PREFIX`` into your chosen prefix
841
489
490 .. _apache_mod_wsgi:
491
842
492
843 Apache with mod_wsgi
493 Apache with mod_wsgi
844 --------------------
494 --------------------
845
495
846 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
496 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
847 that, you'll need to:
497 that, you'll need to:
848
498
849 - Install mod_wsgi. If using a Debian-based distro, you can install
499 - Install mod_wsgi. If using a Debian-based distro, you can install
850 the package libapache2-mod-wsgi::
500 the package libapache2-mod-wsgi::
851
501
852 aptitude install libapache2-mod-wsgi
502 aptitude install libapache2-mod-wsgi
853
503
854 - Enable mod_wsgi::
504 - Enable mod_wsgi::
855
505
856 a2enmod wsgi
506 a2enmod wsgi
857
507
858 - Add global Apache configuration to tell mod_wsgi that Python only will be
508 - Add global Apache configuration to tell mod_wsgi that Python only will be
859 used in the WSGI processes and shouldn't be initialized in the Apache
509 used in the WSGI processes and shouldn't be initialized in the Apache
860 processes::
510 processes::
861
511
862 WSGIRestrictEmbedded On
512 WSGIRestrictEmbedded On
863
513
864 - Create a wsgi dispatch script, like the one below. Make sure you
514 - Create a wsgi dispatch script, like the one below. Make sure you
865 check that the paths correctly point to where you installed Kallithea
515 check that the paths correctly point to where you installed Kallithea
866 and its Python Virtual Environment.
516 and its Python Virtual Environment.
867 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
517 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
868 as in the following example. Once again, check the paths are
518 as in the following example. Once again, check the paths are
869 correctly specified.
519 correctly specified.
870
520
871 Here is a sample excerpt from an Apache Virtual Host configuration file:
521 Here is a sample excerpt from an Apache Virtual Host configuration file:
872
522
873 .. code-block:: apache
523 .. code-block:: apache
874
524
875 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
525 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
876 python-home=/srv/kallithea/venv
526 python-home=/srv/kallithea/venv
877 WSGIProcessGroup kallithea
527 WSGIProcessGroup kallithea
878 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
528 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
879 WSGIPassAuthorization On
529 WSGIPassAuthorization On
880
530
881 Or if using a dispatcher WSGI script with proper virtualenv activation:
531 Or if using a dispatcher WSGI script with proper virtualenv activation:
882
532
883 .. code-block:: apache
533 .. code-block:: apache
884
534
885 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
535 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
886 WSGIProcessGroup kallithea
536 WSGIProcessGroup kallithea
887 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
537 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
888 WSGIPassAuthorization On
538 WSGIPassAuthorization On
889
539
890 Apache will by default run as a special Apache user, on Linux systems
540 Apache will by default run as a special Apache user, on Linux systems
891 usually ``www-data`` or ``apache``. If you need to have the repositories
541 usually ``www-data`` or ``apache``. If you need to have the repositories
892 directory owned by a different user, use the user and group options to
542 directory owned by a different user, use the user and group options to
893 WSGIDaemonProcess to set the name of the user and group.
543 WSGIDaemonProcess to set the name of the user and group.
894
544
895 Example WSGI dispatch script:
545 Example WSGI dispatch script:
896
546
897 .. code-block:: python
547 .. code-block:: python
898
548
899 import os
549 import os
900 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
550 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
901
551
902 # sometimes it's needed to set the current dir
552 # sometimes it's needed to set the current dir
903 os.chdir('/srv/kallithea/')
553 os.chdir('/srv/kallithea/')
904
554
905 import site
555 import site
906 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
556 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
907
557
908 ini = '/srv/kallithea/my.ini'
558 ini = '/srv/kallithea/my.ini'
909 from paste.script.util.logging_config import fileConfig
559 from paste.script.util.logging_config import fileConfig
910 fileConfig(ini)
560 fileConfig(ini)
911 from paste.deploy import loadapp
561 from paste.deploy import loadapp
912 application = loadapp('config:' + ini)
562 application = loadapp('config:' + ini)
913
563
914 Or using proper virtualenv activation:
564 Or using proper virtualenv activation:
915
565
916 .. code-block:: python
566 .. code-block:: python
917
567
918 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
568 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
919 execfile(activate_this, dict(__file__=activate_this))
569 execfile(activate_this, dict(__file__=activate_this))
920
570
921 import os
571 import os
922 os.environ['HOME'] = '/srv/kallithea'
572 os.environ['HOME'] = '/srv/kallithea'
923
573
924 ini = '/srv/kallithea/kallithea.ini'
574 ini = '/srv/kallithea/kallithea.ini'
925 from paste.script.util.logging_config import fileConfig
575 from paste.script.util.logging_config import fileConfig
926 fileConfig(ini)
576 fileConfig(ini)
927 from paste.deploy import loadapp
577 from paste.deploy import loadapp
928 application = loadapp('config:' + ini)
578 application = loadapp('config:' + ini)
929
579
930
580
931 Other configuration files
581 Other configuration files
932 -------------------------
582 -------------------------
933
583
934 A number of `example init.d scripts`__ can be found in
584 A number of `example init.d scripts`__ can be found in
935 the ``init.d`` directory of the Kallithea source.
585 the ``init.d`` directory of the Kallithea source.
936
586
937 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
587 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
938
588
939
589
940 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
590 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
941 .. _python: http://www.python.org/
591 .. _python: http://www.python.org/
942 .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
592 .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
943 .. _Mercurial: https://www.mercurial-scm.org/
593 .. _Mercurial: https://www.mercurial-scm.org/
944 .. _Celery: http://celeryproject.org/
594 .. _Celery: http://celeryproject.org/
945 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
595 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946 .. _RabbitMQ: http://www.rabbitmq.com/
596 .. _RabbitMQ: http://www.rabbitmq.com/
947 .. _Redis: http://redis.io/
597 .. _Redis: http://redis.io/
948 .. _python-ldap: http://www.python-ldap.org/
949 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
598 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
950 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
599 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
General Comments 0
You need to be logged in to leave comments. Login now