##// END OF EJS Templates
Added two headers into example nginx proxy conf that allows container auth...
marcink -
r4073:2c82dd8b default
parent child Browse files
Show More
@@ -1,743 +1,746 b''
1 1 .. _setup:
2 2
3 3 =====
4 4 Setup
5 5 =====
6 6
7 7
8 8 Setting up RhodeCode
9 9 --------------------
10 10
11 11 First, you will need to create a RhodeCode configuration file. Run the
12 12 following command to do this::
13 13
14 14 paster make-config RhodeCode production.ini
15 15
16 16 - This will create the file `production.ini` in the current directory. This
17 17 configuration file contains the various settings for RhodeCode, e.g proxy
18 18 port, email settings, usage of static files, cache, celery settings and
19 19 logging.
20 20
21 21
22 22 Next, you need to create the databases used by RhodeCode. I recommend that you
23 23 use postgresql or sqlite (default). If you choose a database other than the
24 24 default ensure you properly adjust the db url in your production.ini
25 25 configuration file to use this other database. RhodeCode currently supports
26 26 postgresql, sqlite and mysql databases. Create the database by running
27 27 the following command::
28 28
29 29 paster setup-rhodecode production.ini
30 30
31 31 This will prompt you for a "root" path. This "root" path is the location where
32 32 RhodeCode will store all of its repositories on the current machine. After
33 33 entering this "root" path ``setup-rhodecode`` will also prompt you for a username
34 34 and password for the initial admin account which ``setup-rhodecode`` sets
35 35 up for you.
36 36
37 37 setup process can be fully automated, example for lazy::
38 38
39 39 paster setup-rhodecode production.ini --user=marcink --password=secret --email=marcin@rhodecode.org --repos=/home/marcink/my_repos
40 40
41 41
42 42 - The ``setup-rhodecode`` command will create all of the needed tables and an
43 43 admin account. When choosing a root path you can either use a new empty
44 44 location, or a location which already contains existing repositories. If you
45 45 choose a location which contains existing repositories RhodeCode will simply
46 46 add all of the repositories at the chosen location to it's database.
47 47 (Note: make sure you specify the correct path to the root).
48 48 - Note: the given path for mercurial_ repositories **must** be write accessible
49 49 for the application. It's very important since the RhodeCode web interface
50 50 will work without write access, but when trying to do a push it will
51 51 eventually fail with permission denied errors unless it has write access.
52 52
53 53 You are now ready to use RhodeCode, to run it simply execute::
54 54
55 55 paster serve production.ini
56 56
57 57 - This command runs the RhodeCode server. The web app should be available at the
58 58 127.0.0.1:5000. This ip and port is configurable via the production.ini
59 59 file created in previous step
60 60 - Use the admin account you created above when running ``setup-rhodecode``
61 61 to login to the web app.
62 62 - The default permissions on each repository is read, and the owner is admin.
63 63 Remember to update these if needed.
64 64 - In the admin panel you can toggle ldap, anonymous, permissions settings. As
65 65 well as edit more advanced options on users and repositories
66 66
67 67 Optionally users can create `rcextensions` package that extends RhodeCode
68 68 functionality. To do this simply execute::
69 69
70 70 paster make-rcext production.ini
71 71
72 72 This will create `rcextensions` package in the same place that your `ini` file
73 73 lives. With `rcextensions` it's possible to add additional mapping for whoosh,
74 74 stats and add additional code into the push/pull/create/delete repo hooks.
75 75 For example for sending signals to build-bots such as jenkins.
76 76 Please see the `__init__.py` file inside `rcextensions` package
77 77 for more details.
78 78
79 79
80 80 Using RhodeCode with SSH
81 81 ------------------------
82 82
83 83 RhodeCode currently only hosts repositories using http and https. (The addition
84 84 of ssh hosting is a planned future feature.) However you can easily use ssh in
85 85 parallel with RhodeCode. (Repository access via ssh is a standard "out of
86 86 the box" feature of mercurial_ and you can use this to access any of the
87 87 repositories that RhodeCode is hosting. See PublishingRepositories_)
88 88
89 89 RhodeCode repository structures are kept in directories with the same name
90 90 as the project. When using repository groups, each group is a subdirectory.
91 91 This allows you to easily use ssh for accessing repositories.
92 92
93 93 In order to use ssh you need to make sure that your web-server and the users
94 94 login accounts have the correct permissions set on the appropriate directories.
95 95 (Note that these permissions are independent of any permissions you have set up
96 96 using the RhodeCode web interface.)
97 97
98 98 If your main directory (the same as set in RhodeCode settings) is for example
99 99 set to **/home/hg** and the repository you are using is named `rhodecode`, then
100 100 to clone via ssh you should run::
101 101
102 102 hg clone ssh://user@server.com/home/hg/rhodecode
103 103
104 104 Using other external tools such as mercurial-server_ or using ssh key based
105 105 authentication is fully supported.
106 106
107 107 Note: In an advanced setup, in order for your ssh access to use the same
108 108 permissions as set up via the RhodeCode web interface, you can create an
109 109 authentication hook to connect to the rhodecode db and runs check functions for
110 110 permissions against that.
111 111
112 112 Setting up Whoosh full text search
113 113 ----------------------------------
114 114
115 115 Starting from version 1.1 the whoosh index can be build by using the paster
116 116 command ``make-index``. To use ``make-index`` you must specify the configuration
117 117 file that stores the location of the index. You may specify the location of the
118 118 repositories (`--repo-location`). If not specified, this value is retrieved
119 119 from the RhodeCode database. This was required prior to 1.2. Starting from
120 120 version 1.2 it is also possible to specify a comma separated list of
121 121 repositories (`--index-only`) to build index only on chooses repositories
122 122 skipping any other found in repos location
123 123
124 124 You may optionally pass the option `-f` to enable a full index rebuild. Without
125 125 the `-f` option, indexing will run always in "incremental" mode.
126 126
127 127 For an incremental index build use::
128 128
129 129 paster make-index production.ini
130 130
131 131 For a full index rebuild use::
132 132
133 133 paster make-index production.ini -f
134 134
135 135
136 136 building index just for chosen repositories is possible with such command::
137 137
138 138 paster make-index production.ini --index-only=vcs,rhodecode
139 139
140 140
141 141 In order to do periodical index builds and keep your index always up to date.
142 142 It's recommended to do a crontab entry for incremental indexing.
143 143 An example entry might look like this::
144 144
145 145 /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini
146 146
147 147 When using incremental mode (the default) whoosh will check the last
148 148 modification date of each file and add it to be reindexed if a newer file is
149 149 available. The indexing daemon checks for any removed files and removes them
150 150 from index.
151 151
152 152 If you want to rebuild index from scratch, you can use the `-f` flag as above,
153 153 or in the admin panel you can check `build from scratch` flag.
154 154
155 155
156 156 Setting up LDAP support
157 157 -----------------------
158 158
159 159 RhodeCode starting from version 1.1 supports ldap authentication. In order
160 160 to use LDAP, you have to install the python-ldap_ package. This package is
161 161 available via pypi, so you can install it by running
162 162
163 163 using easy_install::
164 164
165 165 easy_install python-ldap
166 166
167 167 using pip::
168 168
169 169 pip install python-ldap
170 170
171 171 .. note::
172 172 python-ldap requires some certain libs on your system, so before installing
173 173 it check that you have at least `openldap`, and `sasl` libraries.
174 174
175 175 LDAP settings are located in admin->ldap section,
176 176
177 177 Here's a typical ldap setup::
178 178
179 179 Connection settings
180 180 Enable LDAP = checked
181 181 Host = host.example.org
182 182 Port = 389
183 183 Account = <account>
184 184 Password = <password>
185 185 Connection Security = LDAPS connection
186 186 Certificate Checks = DEMAND
187 187
188 188 Search settings
189 189 Base DN = CN=users,DC=host,DC=example,DC=org
190 190 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
191 191 LDAP Search Scope = SUBTREE
192 192
193 193 Attribute mappings
194 194 Login Attribute = uid
195 195 First Name Attribute = firstName
196 196 Last Name Attribute = lastName
197 197 E-mail Attribute = mail
198 198
199 199 If your user groups are placed in a Organisation Unit (OU) structure the Search Settings configuration differs::
200 200
201 201 Search settings
202 202 Base DN = DC=host,DC=example,DC=org
203 203 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
204 204 LDAP Search Scope = SUBTREE
205 205
206 206 .. _enable_ldap:
207 207
208 208 Enable LDAP : required
209 209 Whether to use LDAP for authenticating users.
210 210
211 211 .. _ldap_host:
212 212
213 213 Host : required
214 214 LDAP server hostname or IP address. Can be also a comma separated
215 215 list of servers to support LDAP fail-over.
216 216
217 217 .. _Port:
218 218
219 219 Port : required
220 220 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
221 221
222 222 .. _ldap_account:
223 223
224 224 Account : optional
225 225 Only required if the LDAP server does not allow anonymous browsing of
226 226 records. This should be a special account for record browsing. This
227 227 will require `LDAP Password`_ below.
228 228
229 229 .. _LDAP Password:
230 230
231 231 Password : optional
232 232 Only required if the LDAP server does not allow anonymous browsing of
233 233 records.
234 234
235 235 .. _Enable LDAPS:
236 236
237 237 Connection Security : required
238 238 Defines the connection to LDAP server
239 239
240 240 No encryption
241 241 Plain non encrypted connection
242 242
243 243 LDAPS connection
244 244 Enable ldaps connection. It will likely require `Port`_ to be set to
245 245 a different value (standard LDAPS port is 636). When LDAPS is enabled
246 246 then `Certificate Checks`_ is required.
247 247
248 248 START_TLS on LDAP connection
249 249 START TLS connection
250 250
251 251 .. _Certificate Checks:
252 252
253 253 Certificate Checks : optional
254 254 How SSL certificates verification is handled - this is only useful when
255 255 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
256 256 while the other options are susceptible to man-in-the-middle attacks. SSL
257 257 certificates can be installed to /etc/openldap/cacerts so that the
258 258 DEMAND or HARD options can be used with self-signed certificates or
259 259 certificates that do not have traceable certificates of authority.
260 260
261 261 NEVER
262 262 A serve certificate will never be requested or checked.
263 263
264 264 ALLOW
265 265 A server certificate is requested. Failure to provide a
266 266 certificate or providing a bad certificate will not terminate the
267 267 session.
268 268
269 269 TRY
270 270 A server certificate is requested. Failure to provide a
271 271 certificate does not halt the session; providing a bad certificate
272 272 halts the session.
273 273
274 274 DEMAND
275 275 A server certificate is requested and must be provided and
276 276 authenticated for the session to proceed.
277 277
278 278 HARD
279 279 The same as DEMAND.
280 280
281 281 .. _Base DN:
282 282
283 283 Base DN : required
284 284 The Distinguished Name (DN) where searches for users will be performed.
285 285 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
286 286
287 287 .. _LDAP Filter:
288 288
289 289 LDAP Filter : optional
290 290 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
291 291 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
292 292 which LDAP objects are identified as representing Users for
293 293 authentication. The filter is augmented by `Login Attribute`_ below.
294 294 This can commonly be left blank.
295 295
296 296 .. _LDAP Search Scope:
297 297
298 298 LDAP Search Scope : required
299 299 This limits how far LDAP will search for a matching object.
300 300
301 301 BASE
302 302 Only allows searching of `Base DN`_ and is usually not what you
303 303 want.
304 304
305 305 ONELEVEL
306 306 Searches all entries under `Base DN`_, but not Base DN itself.
307 307
308 308 SUBTREE
309 309 Searches all entries below `Base DN`_, but not Base DN itself.
310 310 When using SUBTREE `LDAP Filter`_ is useful to limit object
311 311 location.
312 312
313 313 .. _Login Attribute:
314 314
315 315 Login Attribute : required
316 316 The LDAP record attribute that will be matched as the USERNAME or
317 317 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
318 318 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
319 319 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
320 320 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
321 321 ::
322 322
323 323 (&(LDAPFILTER)(uid=jsmith))
324 324
325 325 .. _ldap_attr_firstname:
326 326
327 327 First Name Attribute : required
328 328 The LDAP record attribute which represents the user's first name.
329 329
330 330 .. _ldap_attr_lastname:
331 331
332 332 Last Name Attribute : required
333 333 The LDAP record attribute which represents the user's last name.
334 334
335 335 .. _ldap_attr_email:
336 336
337 337 Email Attribute : required
338 338 The LDAP record attribute which represents the user's email address.
339 339
340 340 If all data are entered correctly, and python-ldap_ is properly installed
341 341 users should be granted access to RhodeCode with ldap accounts. At this
342 342 time user information is copied from LDAP into the RhodeCode user database.
343 343 This means that updates of an LDAP user object may not be reflected as a
344 344 user update in RhodeCode.
345 345
346 346 If You have problems with LDAP access and believe You entered correct
347 347 information check out the RhodeCode logs, any error messages sent from LDAP
348 348 will be saved there.
349 349
350 350 Active Directory
351 351 ''''''''''''''''
352 352
353 353 RhodeCode can use Microsoft Active Directory for user authentication. This
354 354 is done through an LDAP or LDAPS connection to Active Directory. The
355 355 following LDAP configuration settings are typical for using Active
356 356 Directory ::
357 357
358 358 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
359 359 Login Attribute = sAMAccountName
360 360 First Name Attribute = givenName
361 361 Last Name Attribute = sn
362 362 E-mail Attribute = mail
363 363
364 364 All other LDAP settings will likely be site-specific and should be
365 365 appropriately configured.
366 366
367 367
368 368 Authentication by container or reverse-proxy
369 369 --------------------------------------------
370 370
371 371 Starting with version 1.3, RhodeCode supports delegating the authentication
372 372 of users to its WSGI container, or to a reverse-proxy server through which all
373 373 clients access the application.
374 374
375 375 When these authentication methods are enabled in RhodeCode, it uses the
376 376 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't
377 377 perform the authentication itself. The authorization, however, is still done by
378 378 RhodeCode according to its settings.
379 379
380 380 When a user logs in for the first time using these authentication methods,
381 381 a matching user account is created in RhodeCode with default permissions. An
382 382 administrator can then modify it using RhodeCode's admin interface.
383 383 It's also possible for an administrator to create accounts and configure their
384 384 permissions before the user logs in for the first time.
385 385
386 386 Container-based authentication
387 387 ''''''''''''''''''''''''''''''
388 388
389 389 In a container-based authentication setup, RhodeCode reads the user name from
390 390 the ``REMOTE_USER`` server variable provided by the WSGI container.
391 391
392 392 After setting up your container (see `Apache's WSGI config`_), you'd need
393 393 to configure it to require authentication on the location configured for
394 394 RhodeCode.
395 395
396 396 In order for RhodeCode to start using the provided username, you should set the
397 397 following in the [app:main] section of your .ini file::
398 398
399 399 container_auth_enabled = true
400 400
401 401
402 402 Proxy pass-through authentication
403 403 '''''''''''''''''''''''''''''''''
404 404
405 405 In a proxy pass-through authentication setup, RhodeCode reads the user name
406 406 from the ``X-Forwarded-User`` request header, which should be configured to be
407 407 sent by the reverse-proxy server.
408 408
409 409 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
410 410 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to
411 411 configure the authentication and add the username in a request header named
412 412 ``X-Forwarded-User``.
413 413
414 414 For example, the following config section for Apache sets a subdirectory in a
415 415 reverse-proxy setup with basic auth::
416 416
417 417 <Location /<someprefix> >
418 418 ProxyPass http://127.0.0.1:5000/<someprefix>
419 419 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
420 420 SetEnvIf X-Url-Scheme https HTTPS=1
421 421
422 422 AuthType Basic
423 423 AuthName "RhodeCode authentication"
424 424 AuthUserFile /home/web/rhodecode/.htpasswd
425 425 require valid-user
426 426
427 427 RequestHeader unset X-Forwarded-User
428 428
429 429 RewriteEngine On
430 430 RewriteCond %{LA-U:REMOTE_USER} (.+)
431 431 RewriteRule .* - [E=RU:%1]
432 432 RequestHeader set X-Forwarded-User %{RU}e
433 433 </Location>
434 434
435 435 In order for RhodeCode to start using the forwarded username, you should set
436 436 the following in the [app:main] section of your .ini file::
437 437
438 438 proxypass_auth_enabled = true
439 439
440 440 .. note::
441 441 If you enable proxy pass-through authentication, make sure your server is
442 442 only accessible through the proxy. Otherwise, any client would be able to
443 443 forge the authentication header and could effectively become authenticated
444 444 using any account of their liking.
445 445
446 446 Integration with Issue trackers
447 447 -------------------------------
448 448
449 449 RhodeCode provides a simple integration with issue trackers. It's possible
450 450 to define a regular expression that will fetch issue id stored in commit
451 451 messages and replace that with an url to this issue. To enable this simply
452 452 uncomment following variables in the ini file::
453 453
454 454 issue_pat = (?:^#|\s#)(\w+)
455 455 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
456 456 issue_prefix = #
457 457
458 458 `issue_pat` is the regular expression that will fetch issues from commit messages.
459 459 Default regex will match issues in format of #<number> eg. #300.
460 460
461 461 Matched issues will be replace with the link specified as `issue_server_link`
462 462 {id} will be replaced with issue id, and {repo} with repository name.
463 463 Since the # is striped `issue_prefix` is added as a prefix to url.
464 464 `issue_prefix` can be something different than # if you pass
465 465 ISSUE- as issue prefix this will generate an url in format::
466 466
467 467 <a href="https://myissueserver.com/example_repo/issue/300">ISSUE-300</a>
468 468
469 469 Hook management
470 470 ---------------
471 471
472 472 Hooks can be managed in similar way to this used in .hgrc files.
473 473 To access hooks setting click `advanced setup` on Hooks section of Mercurial
474 474 Settings in Admin.
475 475
476 476 There are 4 built in hooks that cannot be changed (only enable/disable by
477 477 checkboxes on previos section).
478 478 To add another custom hook simply fill in first section with
479 479 <name>.<hook_type> and the second one with hook path. Example hooks
480 480 can be found at *rhodecode.lib.hooks*.
481 481
482 482
483 483 Changing default encoding
484 484 -------------------------
485 485
486 486 By default RhodeCode uses utf8 encoding, starting from 1.3 series this
487 487 can be changed, simply edit default_encoding in .ini file to desired one.
488 488 This affects many parts in rhodecode including committers names, filenames,
489 489 encoding of commit messages. In addition RhodeCode can detect if `chardet`
490 490 library is installed. If `chardet` is detected RhodeCode will fallback to it
491 491 when there are encode/decode errors.
492 492
493 493
494 494 Setting Up Celery
495 495 -----------------
496 496
497 497 Since version 1.1 celery is configured by the rhodecode ini configuration files.
498 498 Simply set use_celery=true in the ini file then add / change the configuration
499 499 variables inside the ini file.
500 500
501 501 Remember that the ini files use the format with '.' not with '_' like celery.
502 502 So for example setting `BROKER_HOST` in celery means setting `broker.host` in
503 503 the config file.
504 504
505 505 In order to start using celery run::
506 506
507 507 paster celeryd <configfile.ini>
508 508
509 509
510 510 .. note::
511 511 Make sure you run this command from the same virtualenv, and with the same
512 512 user that rhodecode runs.
513 513
514 514 HTTPS support
515 515 -------------
516 516
517 517 There are two ways to enable https:
518 518
519 519 - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will
520 520 recognize this headers and make proper https redirections
521 521 - Alternatively, change the `force_https = true` flag in the ini configuration
522 522 to force using https, no headers are needed than to enable https
523 523
524 524
525 525 Nginx virtual host example
526 526 --------------------------
527 527
528 528 Sample config for nginx using proxy::
529 529
530 530 upstream rc {
531 531 server 127.0.0.1:5000;
532 532 # add more instances for load balancing
533 533 #server 127.0.0.1:5001;
534 534 #server 127.0.0.1:5002;
535 535 }
536 536
537 537 ## gist alias
538 538 server {
539 539 listen 443;
540 540 server_name gist.myserver.com;
541 541 access_log /var/log/nginx/gist.access.log;
542 542 error_log /var/log/nginx/gist.error.log;
543 543
544 544 ssl on;
545 545 ssl_certificate gist.rhodecode.myserver.com.crt;
546 546 ssl_certificate_key gist.rhodecode.myserver.com.key;
547 547
548 548 ssl_session_timeout 5m;
549 549
550 550 ssl_protocols SSLv3 TLSv1;
551 551 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
552 552 ssl_prefer_server_ciphers on;
553 553
554 554 rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1;
555 555 rewrite (.*) https://rhodecode.myserver.com/_admin/gists;
556 556 }
557 557
558 558 server {
559 559 listen 443;
560 560 server_name rhodecode.myserver.com;
561 561 access_log /var/log/nginx/rhodecode.access.log;
562 562 error_log /var/log/nginx/rhodecode.error.log;
563 563
564 564 ssl on;
565 565 ssl_certificate rhodecode.myserver.com.crt;
566 566 ssl_certificate_key rhodecode.myserver.com.key;
567 567
568 568 ssl_session_timeout 5m;
569 569
570 570 ssl_protocols SSLv3 TLSv1;
571 571 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
572 572 ssl_prefer_server_ciphers on;
573 573
574 574 ## uncomment root directive if you want to serve static files by nginx
575 575 ## requires static_files = false in .ini file
576 576 #root /path/to/installation/rhodecode/public;
577 577 include /etc/nginx/proxy.conf;
578 578 location / {
579 579 try_files $uri @rhode;
580 580 }
581 581
582 582 location @rhode {
583 583 proxy_pass http://rc;
584 584 }
585 585
586 586 }
587 587
588 588 Here's the proxy.conf. It's tuned so it will not timeout on long
589 589 pushes or large pushes::
590 590
591 591 proxy_redirect off;
592 592 proxy_set_header Host $host;
593 ## needed for container auth
594 #proxy_set_header REMOTE_USER $remote_user;
595 #proxy_set_header X-Forwarded-User $remote_user;
593 596 proxy_set_header X-Url-Scheme $scheme;
594 597 proxy_set_header X-Host $http_host;
595 598 proxy_set_header X-Real-IP $remote_addr;
596 599 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
597 600 proxy_set_header Proxy-host $proxy_host;
598 601 proxy_buffering off;
599 602 proxy_connect_timeout 7200;
600 603 proxy_send_timeout 7200;
601 604 proxy_read_timeout 7200;
602 605 proxy_buffers 8 32k;
603 606 client_max_body_size 1024m;
604 607 client_body_buffer_size 128k;
605 608 large_client_header_buffers 8 64k;
606 609
607 610
608 611 Apache virtual host reverse proxy example
609 612 -----------------------------------------
610 613
611 614 Here is a sample configuration file for apache using proxy::
612 615
613 616 <VirtualHost *:80>
614 617 ServerName hg.myserver.com
615 618 ServerAlias hg.myserver.com
616 619
617 620 <Proxy *>
618 621 Order allow,deny
619 622 Allow from all
620 623 </Proxy>
621 624
622 625 #important !
623 626 #Directive to properly generate url (clone url) for pylons
624 627 ProxyPreserveHost On
625 628
626 629 #rhodecode instance
627 630 ProxyPass / http://127.0.0.1:5000/
628 631 ProxyPassReverse / http://127.0.0.1:5000/
629 632
630 633 #to enable https use line below
631 634 #SetEnvIf X-Url-Scheme https HTTPS=1
632 635
633 636 </VirtualHost>
634 637
635 638
636 639 Additional tutorial
637 640 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
638 641
639 642
640 643 Apache as subdirectory
641 644 ----------------------
642 645
643 646 Apache subdirectory part::
644 647
645 648 <Location /<someprefix> >
646 649 ProxyPass http://127.0.0.1:5000/<someprefix>
647 650 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
648 651 SetEnvIf X-Url-Scheme https HTTPS=1
649 652 </Location>
650 653
651 654 Besides the regular apache setup you will need to add the following line
652 655 into [app:main] section of your .ini file::
653 656
654 657 filter-with = proxy-prefix
655 658
656 659 Add the following at the end of the .ini file::
657 660
658 661 [filter:proxy-prefix]
659 662 use = egg:PasteDeploy#prefix
660 663 prefix = /<someprefix>
661 664
662 665
663 666 then change <someprefix> into your chosen prefix
664 667
665 668 Apache's WSGI config
666 669 --------------------
667 670
668 671 Alternatively, RhodeCode can be set up with Apache under mod_wsgi. For
669 672 that, you'll need to:
670 673
671 674 - Install mod_wsgi. If using a Debian-based distro, you can install
672 675 the package libapache2-mod-wsgi::
673 676
674 677 aptitude install libapache2-mod-wsgi
675 678
676 679 - Enable mod_wsgi::
677 680
678 681 a2enmod wsgi
679 682
680 683 - Create a wsgi dispatch script, like the one below. Make sure you
681 684 check the paths correctly point to where you installed RhodeCode
682 685 and its Python Virtual Environment.
683 686 - Enable the WSGIScriptAlias directive for the wsgi dispatch script,
684 687 as in the following example. Once again, check the paths are
685 688 correctly specified.
686 689
687 690 Here is a sample excerpt from an Apache Virtual Host configuration file::
688 691
689 692 WSGIDaemonProcess pylons \
690 693 threads=4 \
691 694 python-path=/home/web/rhodecode/pyenv/lib/python2.6/site-packages
692 695 WSGIScriptAlias / /home/web/rhodecode/dispatch.wsgi
693 696 WSGIPassAuthorization On
694 697
695 698 .. note::
696 699 when running apache as root please add: `user=www-data group=www-data`
697 700 into above configuration
698 701
699 702 .. note::
700 703 Running RhodeCode in multiprocess mode in apache is not supported,
701 704 make sure you don't specify `processes=num` directive in the config
702 705
703 706
704 707 Example wsgi dispatch script::
705 708
706 709 import os
707 710 os.environ["HGENCODING"] = "UTF-8"
708 711 os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache'
709 712
710 713 # sometimes it's needed to set the curent dir
711 714 os.chdir('/home/web/rhodecode/')
712 715
713 716 import site
714 717 site.addsitedir("/home/web/rhodecode/pyenv/lib/python2.6/site-packages")
715 718
716 719 from paste.deploy import loadapp
717 720 from paste.script.util.logging_config import fileConfig
718 721
719 722 fileConfig('/home/web/rhodecode/production.ini')
720 723 application = loadapp('config:/home/web/rhodecode/production.ini')
721 724
722 725 Note: when using mod_wsgi you'll need to install the same version of
723 726 Mercurial that's inside RhodeCode's virtualenv also on the system's Python
724 727 environment.
725 728
726 729
727 730 Other configuration files
728 731 -------------------------
729 732
730 733 Some example init.d scripts can be found in init.d directory::
731 734
732 735 https://secure.rhodecode.org/rhodecode/files/beta/init.d
733 736
734 737 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
735 738 .. _python: http://www.python.org/
736 739 .. _mercurial: http://mercurial.selenic.com/
737 740 .. _celery: http://celeryproject.org/
738 741 .. _rabbitmq: http://www.rabbitmq.com/
739 742 .. _python-ldap: http://www.python-ldap.org/
740 743 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
741 744 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
742 745 .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues
743 746 .. _google group rhodecode: http://groups.google.com/group/rhodecode
General Comments 0
You need to be logged in to leave comments. Login now