Show More
@@ -1,743 +1,742 b'' | |||
|
1 | 1 | .. _setup: |
|
2 | 2 | |
|
3 | 3 | ===== |
|
4 | 4 | Setup |
|
5 | 5 | ===== |
|
6 | 6 | |
|
7 | 7 | |
|
8 | 8 | Setting up RhodeCode |
|
9 | 9 | -------------------- |
|
10 | 10 | |
|
11 | 11 | First, you will need to create a RhodeCode configuration file. Run the |
|
12 | 12 | following command to do this:: |
|
13 | 13 | |
|
14 | 14 | paster make-config RhodeCode production.ini |
|
15 | 15 | |
|
16 | 16 | - This will create the file `production.ini` in the current directory. This |
|
17 | 17 | configuration file contains the various settings for RhodeCode, e.g proxy |
|
18 | 18 | port, email settings, usage of static files, cache, celery settings and |
|
19 | 19 | logging. |
|
20 | 20 | |
|
21 | 21 | |
|
22 | 22 | Next, you need to create the databases used by RhodeCode. I recommend that you |
|
23 | 23 | use postgresql or sqlite (default). If you choose a database other than the |
|
24 | 24 | default ensure you properly adjust the db url in your production.ini |
|
25 | 25 | configuration file to use this other database. RhodeCode currently supports |
|
26 | 26 | postgresql, sqlite and mysql databases. Create the database by running |
|
27 | 27 | the following command:: |
|
28 | 28 | |
|
29 | 29 | paster setup-rhodecode production.ini |
|
30 | 30 | |
|
31 | 31 | This will prompt you for a "root" path. This "root" path is the location where |
|
32 | 32 | RhodeCode will store all of its repositories on the current machine. After |
|
33 | 33 | entering this "root" path ``setup-rhodecode`` will also prompt you for a username |
|
34 | 34 | and password for the initial admin account which ``setup-rhodecode`` sets |
|
35 | 35 | up for you. |
|
36 | 36 | |
|
37 | 37 | setup process can be fully automated, example for lazy:: |
|
38 | 38 | |
|
39 | 39 | paster setup-rhodecode production.ini --user=marcink --password=secret --email=marcin@rhodecode.org --repos=/home/marcink/my_repos |
|
40 | 40 | |
|
41 | 41 | |
|
42 | 42 | - The ``setup-rhodecode`` command will create all of the needed tables and an |
|
43 | 43 | admin account. When choosing a root path you can either use a new empty |
|
44 | 44 | location, or a location which already contains existing repositories. If you |
|
45 | 45 | choose a location which contains existing repositories RhodeCode will simply |
|
46 | 46 | add all of the repositories at the chosen location to it's database. |
|
47 | 47 | (Note: make sure you specify the correct path to the root). |
|
48 | 48 | - Note: the given path for mercurial_ repositories **must** be write accessible |
|
49 | 49 | for the application. It's very important since the RhodeCode web interface |
|
50 | 50 | will work without write access, but when trying to do a push it will |
|
51 | 51 | eventually fail with permission denied errors unless it has write access. |
|
52 | 52 | |
|
53 | 53 | You are now ready to use RhodeCode, to run it simply execute:: |
|
54 | 54 | |
|
55 | 55 | paster serve production.ini |
|
56 | 56 | |
|
57 | 57 | - This command runs the RhodeCode server. The web app should be available at the |
|
58 | 58 | 127.0.0.1:5000. This ip and port is configurable via the production.ini |
|
59 | 59 | file created in previous step |
|
60 | 60 | - Use the admin account you created above when running ``setup-rhodecode`` |
|
61 | 61 | to login to the web app. |
|
62 | 62 | - The default permissions on each repository is read, and the owner is admin. |
|
63 | 63 | Remember to update these if needed. |
|
64 | 64 | - In the admin panel you can toggle ldap, anonymous, permissions settings. As |
|
65 | 65 | well as edit more advanced options on users and repositories |
|
66 | 66 | |
|
67 | 67 | Optionally users can create `rcextensions` package that extends RhodeCode |
|
68 | 68 | functionality. To do this simply execute:: |
|
69 | 69 | |
|
70 | 70 | paster make-rcext production.ini |
|
71 | 71 | |
|
72 | 72 | This will create `rcextensions` package in the same place that your `ini` file |
|
73 | 73 | lives. With `rcextensions` it's possible to add additional mapping for whoosh, |
|
74 | 74 | stats and add additional code into the push/pull/create/delete repo hooks. |
|
75 | 75 | For example for sending signals to build-bots such as jenkins. |
|
76 | 76 | Please see the `__init__.py` file inside `rcextensions` package |
|
77 | 77 | for more details. |
|
78 | 78 | |
|
79 | 79 | |
|
80 | 80 | Using RhodeCode with SSH |
|
81 | 81 | ------------------------ |
|
82 | 82 | |
|
83 | 83 | RhodeCode currently only hosts repositories using http and https. (The addition |
|
84 | 84 | of ssh hosting is a planned future feature.) However you can easily use ssh in |
|
85 | 85 | parallel with RhodeCode. (Repository access via ssh is a standard "out of |
|
86 | 86 | the box" feature of mercurial_ and you can use this to access any of the |
|
87 | 87 | repositories that RhodeCode is hosting. See PublishingRepositories_) |
|
88 | 88 | |
|
89 | 89 | RhodeCode repository structures are kept in directories with the same name |
|
90 | 90 | as the project. When using repository groups, each group is a subdirectory. |
|
91 | 91 | This allows you to easily use ssh for accessing repositories. |
|
92 | 92 | |
|
93 | 93 | In order to use ssh you need to make sure that your web-server and the users |
|
94 | 94 | login accounts have the correct permissions set on the appropriate directories. |
|
95 | 95 | (Note that these permissions are independent of any permissions you have set up |
|
96 | 96 | using the RhodeCode web interface.) |
|
97 | 97 | |
|
98 | 98 | If your main directory (the same as set in RhodeCode settings) is for example |
|
99 | 99 | set to **/home/hg** and the repository you are using is named `rhodecode`, then |
|
100 | 100 | to clone via ssh you should run:: |
|
101 | 101 | |
|
102 | 102 | hg clone ssh://user@server.com/home/hg/rhodecode |
|
103 | 103 | |
|
104 | 104 | Using other external tools such as mercurial-server_ or using ssh key based |
|
105 | 105 | authentication is fully supported. |
|
106 | 106 | |
|
107 | 107 | Note: In an advanced setup, in order for your ssh access to use the same |
|
108 | 108 | permissions as set up via the RhodeCode web interface, you can create an |
|
109 | 109 | authentication hook to connect to the rhodecode db and runs check functions for |
|
110 | 110 | permissions against that. |
|
111 | 111 | |
|
112 | 112 | Setting up Whoosh full text search |
|
113 | 113 | ---------------------------------- |
|
114 | 114 | |
|
115 | 115 | Starting from version 1.1 the whoosh index can be build by using the paster |
|
116 | 116 | command ``make-index``. To use ``make-index`` you must specify the configuration |
|
117 | 117 | file that stores the location of the index. You may specify the location of the |
|
118 | 118 | repositories (`--repo-location`). If not specified, this value is retrieved |
|
119 | 119 | from the RhodeCode database. This was required prior to 1.2. Starting from |
|
120 | 120 | version 1.2 it is also possible to specify a comma separated list of |
|
121 | 121 | repositories (`--index-only`) to build index only on chooses repositories |
|
122 | 122 | skipping any other found in repos location |
|
123 | 123 | |
|
124 | 124 | You may optionally pass the option `-f` to enable a full index rebuild. Without |
|
125 | 125 | the `-f` option, indexing will run always in "incremental" mode. |
|
126 | 126 | |
|
127 | 127 | For an incremental index build use:: |
|
128 | 128 | |
|
129 | 129 | paster make-index production.ini |
|
130 | 130 | |
|
131 | 131 | For a full index rebuild use:: |
|
132 | 132 | |
|
133 | 133 | paster make-index production.ini -f |
|
134 | 134 | |
|
135 | 135 | |
|
136 | 136 | building index just for chosen repositories is possible with such command:: |
|
137 | 137 | |
|
138 | 138 | paster make-index production.ini --index-only=vcs,rhodecode |
|
139 | 139 | |
|
140 | 140 | |
|
141 | 141 | In order to do periodical index builds and keep your index always up to date. |
|
142 | 142 | It's recommended to do a crontab entry for incremental indexing. |
|
143 | 143 | An example entry might look like this:: |
|
144 | 144 | |
|
145 | 145 | /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini |
|
146 | 146 | |
|
147 | 147 | When using incremental mode (the default) whoosh will check the last |
|
148 | 148 | modification date of each file and add it to be reindexed if a newer file is |
|
149 | 149 | available. The indexing daemon checks for any removed files and removes them |
|
150 | 150 | from index. |
|
151 | 151 | |
|
152 | 152 | If you want to rebuild index from scratch, you can use the `-f` flag as above, |
|
153 | 153 | or in the admin panel you can check `build from scratch` flag. |
|
154 | 154 | |
|
155 | 155 | |
|
156 | 156 | Setting up LDAP support |
|
157 | 157 | ----------------------- |
|
158 | 158 | |
|
159 | 159 | RhodeCode starting from version 1.1 supports ldap authentication. In order |
|
160 | 160 | to use LDAP, you have to install the python-ldap_ package. This package is |
|
161 | 161 | available via pypi, so you can install it by running |
|
162 | 162 | |
|
163 | 163 | using easy_install:: |
|
164 | 164 | |
|
165 | 165 | easy_install python-ldap |
|
166 | 166 | |
|
167 | 167 | using pip:: |
|
168 | 168 | |
|
169 | 169 | pip install python-ldap |
|
170 | 170 | |
|
171 | 171 | .. note:: |
|
172 | 172 | python-ldap requires some certain libs on your system, so before installing |
|
173 | 173 | it check that you have at least `openldap`, and `sasl` libraries. |
|
174 | 174 | |
|
175 | 175 | LDAP settings are located in admin->ldap section, |
|
176 | 176 | |
|
177 | 177 | Here's a typical ldap setup:: |
|
178 | 178 | |
|
179 | 179 | Connection settings |
|
180 | 180 | Enable LDAP = checked |
|
181 | 181 | Host = host.example.org |
|
182 | 182 | Port = 389 |
|
183 | 183 | Account = <account> |
|
184 | 184 | Password = <password> |
|
185 | 185 | Connection Security = LDAPS connection |
|
186 | 186 | Certificate Checks = DEMAND |
|
187 | 187 | |
|
188 | 188 | Search settings |
|
189 | 189 | Base DN = CN=users,DC=host,DC=example,DC=org |
|
190 | 190 | LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) |
|
191 | 191 | LDAP Search Scope = SUBTREE |
|
192 | 192 | |
|
193 | 193 | Attribute mappings |
|
194 | 194 | Login Attribute = uid |
|
195 | 195 | First Name Attribute = firstName |
|
196 | 196 | Last Name Attribute = lastName |
|
197 | 197 | E-mail Attribute = mail |
|
198 | 198 | |
|
199 | 199 | If your user groups are placed in a Organisation Unit (OU) structure the Search Settings configuration differs:: |
|
200 | 200 | |
|
201 | 201 | Search settings |
|
202 | 202 | Base DN = DC=host,DC=example,DC=org |
|
203 | 203 | LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user)) |
|
204 | 204 | LDAP Search Scope = SUBTREE |
|
205 | 205 | |
|
206 | 206 | .. _enable_ldap: |
|
207 | 207 | |
|
208 | 208 | Enable LDAP : required |
|
209 | 209 | Whether to use LDAP for authenticating users. |
|
210 | 210 | |
|
211 | 211 | .. _ldap_host: |
|
212 | 212 | |
|
213 | 213 | Host : required |
|
214 | 214 | LDAP server hostname or IP address. Can be also a comma separated |
|
215 | 215 | list of servers to support LDAP fail-over. |
|
216 | 216 | |
|
217 | 217 | .. _Port: |
|
218 | 218 | |
|
219 | 219 | Port : required |
|
220 | 220 | 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP. |
|
221 | 221 | |
|
222 | 222 | .. _ldap_account: |
|
223 | 223 | |
|
224 | 224 | Account : optional |
|
225 | 225 | Only required if the LDAP server does not allow anonymous browsing of |
|
226 | 226 | records. This should be a special account for record browsing. This |
|
227 | 227 | will require `LDAP Password`_ below. |
|
228 | 228 | |
|
229 | 229 | .. _LDAP Password: |
|
230 | 230 | |
|
231 | 231 | Password : optional |
|
232 | 232 | Only required if the LDAP server does not allow anonymous browsing of |
|
233 | 233 | records. |
|
234 | 234 | |
|
235 | 235 | .. _Enable LDAPS: |
|
236 | 236 | |
|
237 | 237 | Connection Security : required |
|
238 | 238 | Defines the connection to LDAP server |
|
239 | 239 | |
|
240 | 240 | No encryption |
|
241 | 241 | Plain non encrypted connection |
|
242 | 242 | |
|
243 | 243 | LDAPS connection |
|
244 | 244 | Enable ldaps connection. It will likely require `Port`_ to be set to |
|
245 | 245 | a different value (standard LDAPS port is 636). When LDAPS is enabled |
|
246 | 246 | then `Certificate Checks`_ is required. |
|
247 | 247 | |
|
248 | 248 | START_TLS on LDAP connection |
|
249 | 249 | START TLS connection |
|
250 | 250 | |
|
251 | 251 | .. _Certificate Checks: |
|
252 | 252 | |
|
253 | 253 | Certificate Checks : optional |
|
254 | 254 | How SSL certificates verification is handled - this is only useful when |
|
255 | 255 | `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security |
|
256 | 256 | while the other options are susceptible to man-in-the-middle attacks. SSL |
|
257 | 257 | certificates can be installed to /etc/openldap/cacerts so that the |
|
258 | 258 | DEMAND or HARD options can be used with self-signed certificates or |
|
259 | 259 | certificates that do not have traceable certificates of authority. |
|
260 | 260 | |
|
261 | 261 | NEVER |
|
262 | 262 | A serve certificate will never be requested or checked. |
|
263 | 263 | |
|
264 | 264 | ALLOW |
|
265 | 265 | A server certificate is requested. Failure to provide a |
|
266 | 266 | certificate or providing a bad certificate will not terminate the |
|
267 | 267 | session. |
|
268 | 268 | |
|
269 | 269 | TRY |
|
270 | 270 | A server certificate is requested. Failure to provide a |
|
271 | 271 | certificate does not halt the session; providing a bad certificate |
|
272 | 272 | halts the session. |
|
273 | 273 | |
|
274 | 274 | DEMAND |
|
275 | 275 | A server certificate is requested and must be provided and |
|
276 | 276 | authenticated for the session to proceed. |
|
277 | 277 | |
|
278 | 278 | HARD |
|
279 | 279 | The same as DEMAND. |
|
280 | 280 | |
|
281 | 281 | .. _Base DN: |
|
282 | 282 | |
|
283 | 283 | Base DN : required |
|
284 | 284 | The Distinguished Name (DN) where searches for users will be performed. |
|
285 | 285 | Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. |
|
286 | 286 | |
|
287 | 287 | .. _LDAP Filter: |
|
288 | 288 | |
|
289 | 289 | LDAP Filter : optional |
|
290 | 290 | A LDAP filter defined by RFC 2254. This is more useful when `LDAP |
|
291 | 291 | Search Scope`_ is set to SUBTREE. The filter is useful for limiting |
|
292 | 292 | which LDAP objects are identified as representing Users for |
|
293 | 293 | authentication. The filter is augmented by `Login Attribute`_ below. |
|
294 | 294 | This can commonly be left blank. |
|
295 | 295 | |
|
296 | 296 | .. _LDAP Search Scope: |
|
297 | 297 | |
|
298 | 298 | LDAP Search Scope : required |
|
299 | 299 | This limits how far LDAP will search for a matching object. |
|
300 | 300 | |
|
301 | 301 | BASE |
|
302 | 302 | Only allows searching of `Base DN`_ and is usually not what you |
|
303 | 303 | want. |
|
304 | 304 | |
|
305 | 305 | ONELEVEL |
|
306 | 306 | Searches all entries under `Base DN`_, but not Base DN itself. |
|
307 | 307 | |
|
308 | 308 | SUBTREE |
|
309 | 309 | Searches all entries below `Base DN`_, but not Base DN itself. |
|
310 | 310 | When using SUBTREE `LDAP Filter`_ is useful to limit object |
|
311 | 311 | location. |
|
312 | 312 | |
|
313 | 313 | .. _Login Attribute: |
|
314 | 314 | |
|
315 | 315 | Login Attribute : required |
|
316 | 316 | The LDAP record attribute that will be matched as the USERNAME or |
|
317 | 317 | ACCOUNT used to connect to RhodeCode. This will be added to `LDAP |
|
318 | 318 | Filter`_ for locating the User object. If `LDAP Filter`_ is specified as |
|
319 | 319 | "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has |
|
320 | 320 | connected as "jsmith" then the `LDAP Filter`_ will be augmented as below |
|
321 | 321 | :: |
|
322 | 322 | |
|
323 | 323 | (&(LDAPFILTER)(uid=jsmith)) |
|
324 | 324 | |
|
325 | 325 | .. _ldap_attr_firstname: |
|
326 | 326 | |
|
327 | 327 | First Name Attribute : required |
|
328 | 328 | The LDAP record attribute which represents the user's first name. |
|
329 | 329 | |
|
330 | 330 | .. _ldap_attr_lastname: |
|
331 | 331 | |
|
332 | 332 | Last Name Attribute : required |
|
333 | 333 | The LDAP record attribute which represents the user's last name. |
|
334 | 334 | |
|
335 | 335 | .. _ldap_attr_email: |
|
336 | 336 | |
|
337 | 337 | Email Attribute : required |
|
338 | 338 | The LDAP record attribute which represents the user's email address. |
|
339 | 339 | |
|
340 | 340 | If all data are entered correctly, and python-ldap_ is properly installed |
|
341 | 341 | users should be granted access to RhodeCode with ldap accounts. At this |
|
342 | 342 | time user information is copied from LDAP into the RhodeCode user database. |
|
343 | 343 | This means that updates of an LDAP user object may not be reflected as a |
|
344 | 344 | user update in RhodeCode. |
|
345 | 345 | |
|
346 | 346 | If You have problems with LDAP access and believe You entered correct |
|
347 | 347 | information check out the RhodeCode logs, any error messages sent from LDAP |
|
348 | 348 | will be saved there. |
|
349 | 349 | |
|
350 | 350 | Active Directory |
|
351 | 351 | '''''''''''''''' |
|
352 | 352 | |
|
353 | 353 | RhodeCode can use Microsoft Active Directory for user authentication. This |
|
354 | 354 | is done through an LDAP or LDAPS connection to Active Directory. The |
|
355 | 355 | following LDAP configuration settings are typical for using Active |
|
356 | 356 | Directory :: |
|
357 | 357 | |
|
358 | 358 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local |
|
359 | 359 | Login Attribute = sAMAccountName |
|
360 | 360 | First Name Attribute = givenName |
|
361 | 361 | Last Name Attribute = sn |
|
362 | 362 | E-mail Attribute = mail |
|
363 | 363 | |
|
364 | 364 | All other LDAP settings will likely be site-specific and should be |
|
365 | 365 | appropriately configured. |
|
366 | 366 | |
|
367 | 367 | |
|
368 | 368 | Authentication by container or reverse-proxy |
|
369 | 369 | -------------------------------------------- |
|
370 | 370 | |
|
371 | 371 | Starting with version 1.3, RhodeCode supports delegating the authentication |
|
372 | 372 | of users to its WSGI container, or to a reverse-proxy server through which all |
|
373 | 373 | clients access the application. |
|
374 | 374 | |
|
375 | 375 | When these authentication methods are enabled in RhodeCode, it uses the |
|
376 | 376 | username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't |
|
377 | 377 | perform the authentication itself. The authorization, however, is still done by |
|
378 | 378 | RhodeCode according to its settings. |
|
379 | 379 | |
|
380 | 380 | When a user logs in for the first time using these authentication methods, |
|
381 | 381 | a matching user account is created in RhodeCode with default permissions. An |
|
382 | 382 | administrator can then modify it using RhodeCode's admin interface. |
|
383 | 383 | It's also possible for an administrator to create accounts and configure their |
|
384 | 384 | permissions before the user logs in for the first time. |
|
385 | 385 | |
|
386 | 386 | Container-based authentication |
|
387 | 387 | '''''''''''''''''''''''''''''' |
|
388 | 388 | |
|
389 | 389 | In a container-based authentication setup, RhodeCode reads the user name from |
|
390 | 390 | the ``REMOTE_USER`` server variable provided by the WSGI container. |
|
391 | 391 | |
|
392 | 392 | After setting up your container (see `Apache's WSGI config`_), you'd need |
|
393 | 393 | to configure it to require authentication on the location configured for |
|
394 | 394 | RhodeCode. |
|
395 | 395 | |
|
396 | 396 | In order for RhodeCode to start using the provided username, you should set the |
|
397 | 397 | following in the [app:main] section of your .ini file:: |
|
398 | 398 | |
|
399 | 399 | container_auth_enabled = true |
|
400 | 400 | |
|
401 | 401 | |
|
402 | 402 | Proxy pass-through authentication |
|
403 | 403 | ''''''''''''''''''''''''''''''''' |
|
404 | 404 | |
|
405 | 405 | In a proxy pass-through authentication setup, RhodeCode reads the user name |
|
406 | 406 | from the ``X-Forwarded-User`` request header, which should be configured to be |
|
407 | 407 | sent by the reverse-proxy server. |
|
408 | 408 | |
|
409 | 409 | After setting up your proxy solution (see `Apache virtual host reverse proxy example`_, |
|
410 | 410 | `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to |
|
411 | 411 | configure the authentication and add the username in a request header named |
|
412 | 412 | ``X-Forwarded-User``. |
|
413 | 413 | |
|
414 | 414 | For example, the following config section for Apache sets a subdirectory in a |
|
415 | 415 | reverse-proxy setup with basic auth:: |
|
416 | 416 | |
|
417 | 417 | <Location /<someprefix> > |
|
418 | 418 | ProxyPass http://127.0.0.1:5000/<someprefix> |
|
419 | 419 | ProxyPassReverse http://127.0.0.1:5000/<someprefix> |
|
420 | 420 | SetEnvIf X-Url-Scheme https HTTPS=1 |
|
421 | 421 | |
|
422 | 422 | AuthType Basic |
|
423 | 423 | AuthName "RhodeCode authentication" |
|
424 | 424 | AuthUserFile /home/web/rhodecode/.htpasswd |
|
425 | 425 | require valid-user |
|
426 | 426 | |
|
427 | 427 | RequestHeader unset X-Forwarded-User |
|
428 | 428 | |
|
429 | 429 | RewriteEngine On |
|
430 | 430 | RewriteCond %{LA-U:REMOTE_USER} (.+) |
|
431 | 431 | RewriteRule .* - [E=RU:%1] |
|
432 | 432 | RequestHeader set X-Forwarded-User %{RU}e |
|
433 | 433 | </Location> |
|
434 | 434 | |
|
435 | 435 | In order for RhodeCode to start using the forwarded username, you should set |
|
436 | 436 | the following in the [app:main] section of your .ini file:: |
|
437 | 437 | |
|
438 | 438 | proxypass_auth_enabled = true |
|
439 | 439 | |
|
440 | 440 | .. note:: |
|
441 | 441 | If you enable proxy pass-through authentication, make sure your server is |
|
442 | 442 | only accessible through the proxy. Otherwise, any client would be able to |
|
443 | 443 | forge the authentication header and could effectively become authenticated |
|
444 | 444 | using any account of their liking. |
|
445 | 445 | |
|
446 | 446 | Integration with Issue trackers |
|
447 | 447 | ------------------------------- |
|
448 | 448 | |
|
449 | 449 | RhodeCode provides a simple integration with issue trackers. It's possible |
|
450 | 450 | to define a regular expression that will fetch issue id stored in commit |
|
451 | 451 | messages and replace that with an url to this issue. To enable this simply |
|
452 | 452 | uncomment following variables in the ini file:: |
|
453 | 453 | |
|
454 | 454 | url_pat = (?:^#|\s#)(\w+) |
|
455 | 455 | issue_server_link = https://myissueserver.com/{repo}/issue/{id} |
|
456 | 456 | issue_prefix = # |
|
457 | 457 | |
|
458 | 458 | `url_pat` is the regular expression that will fetch issues from commit messages. |
|
459 | 459 | Default regex will match issues in format of #<number> eg. #300. |
|
460 | 460 | |
|
461 | 461 | Matched issues will be replace with the link specified as `issue_server_link` |
|
462 | 462 | {id} will be replaced with issue id, and {repo} with repository name. |
|
463 | 463 | Since the # is striped `issue_prefix` is added as a prefix to url. |
|
464 | 464 | `issue_prefix` can be something different than # if you pass |
|
465 | 465 | ISSUE- as issue prefix this will generate an url in format:: |
|
466 | 466 | |
|
467 | 467 | <a href="https://myissueserver.com/example_repo/issue/300">ISSUE-300</a> |
|
468 | 468 | |
|
469 | 469 | Hook management |
|
470 | 470 | --------------- |
|
471 | 471 | |
|
472 | 472 | Hooks can be managed in similar way to this used in .hgrc files. |
|
473 | 473 | To access hooks setting click `advanced setup` on Hooks section of Mercurial |
|
474 | 474 | Settings in Admin. |
|
475 | 475 | |
|
476 | 476 | There are 4 built in hooks that cannot be changed (only enable/disable by |
|
477 | 477 | checkboxes on previos section). |
|
478 | 478 | To add another custom hook simply fill in first section with |
|
479 | 479 | <name>.<hook_type> and the second one with hook path. Example hooks |
|
480 | 480 | can be found at *rhodecode.lib.hooks*. |
|
481 | 481 | |
|
482 | 482 | |
|
483 | 483 | Changing default encoding |
|
484 | 484 | ------------------------- |
|
485 | 485 | |
|
486 | 486 | By default RhodeCode uses utf8 encoding, starting from 1.3 series this |
|
487 | 487 | can be changed, simply edit default_encoding in .ini file to desired one. |
|
488 | 488 | This affects many parts in rhodecode including committers names, filenames, |
|
489 | 489 | encoding of commit messages. In addition RhodeCode can detect if `chardet` |
|
490 | 490 | library is installed. If `chardet` is detected RhodeCode will fallback to it |
|
491 | 491 | when there are encode/decode errors. |
|
492 | 492 | |
|
493 | 493 | |
|
494 | 494 | Setting Up Celery |
|
495 | 495 | ----------------- |
|
496 | 496 | |
|
497 | 497 | Since version 1.1 celery is configured by the rhodecode ini configuration files. |
|
498 | 498 | Simply set use_celery=true in the ini file then add / change the configuration |
|
499 | 499 | variables inside the ini file. |
|
500 | 500 | |
|
501 | 501 | Remember that the ini files use the format with '.' not with '_' like celery. |
|
502 | 502 | So for example setting `BROKER_HOST` in celery means setting `broker.host` in |
|
503 | 503 | the config file. |
|
504 | 504 | |
|
505 | 505 | In order to start using celery run:: |
|
506 | 506 | |
|
507 | 507 | paster celeryd <configfile.ini> |
|
508 | 508 | |
|
509 | 509 | |
|
510 | 510 | .. note:: |
|
511 | 511 | Make sure you run this command from the same virtualenv, and with the same |
|
512 | 512 | user that rhodecode runs. |
|
513 | 513 | |
|
514 | 514 | HTTPS support |
|
515 | 515 | ------------- |
|
516 | 516 | |
|
517 | 517 | There are two ways to enable https: |
|
518 | 518 | |
|
519 | 519 | - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will |
|
520 | 520 | recognize this headers and make proper https redirections |
|
521 | 521 | - Alternatively, change the `force_https = true` flag in the ini configuration |
|
522 | 522 | to force using https, no headers are needed than to enable https |
|
523 | 523 | |
|
524 | 524 | |
|
525 | 525 | Nginx virtual host example |
|
526 | 526 | -------------------------- |
|
527 | 527 | |
|
528 | 528 | Sample config for nginx using proxy:: |
|
529 | 529 | |
|
530 | 530 | upstream rc { |
|
531 | 531 | server 127.0.0.1:5000; |
|
532 | 532 | # add more instances for load balancing |
|
533 | 533 | #server 127.0.0.1:5001; |
|
534 | 534 | #server 127.0.0.1:5002; |
|
535 | 535 | } |
|
536 | 536 | |
|
537 | 537 | ## gist alias |
|
538 | 538 | server { |
|
539 | 539 | listen 443; |
|
540 | 540 | server_name gist.myserver.com; |
|
541 | 541 | access_log /var/log/nginx/gist.access.log; |
|
542 | 542 | error_log /var/log/nginx/gist.error.log; |
|
543 | 543 | |
|
544 | 544 | ssl on; |
|
545 | 545 | ssl_certificate gist.rhodecode.myserver.com.crt; |
|
546 | 546 | ssl_certificate_key gist.rhodecode.myserver.com.key; |
|
547 | 547 | |
|
548 | 548 | ssl_session_timeout 5m; |
|
549 | 549 | |
|
550 | 550 | ssl_protocols SSLv3 TLSv1; |
|
551 | 551 | ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; |
|
552 | 552 | ssl_prefer_server_ciphers on; |
|
553 | 553 | |
|
554 | 554 | rewrite ^/(.+)$ https://rhodecode.myserver.com/_admin/gists/$1; |
|
555 | 555 | rewrite (.*) https://rhodecode.myserver.org/_admin/gists; |
|
556 | 556 | } |
|
557 | 557 | |
|
558 | 558 | server { |
|
559 | 559 | listen 443; |
|
560 | 560 | server_name rhodecode.myserver.com; |
|
561 | 561 | access_log /var/log/nginx/rhodecode.access.log; |
|
562 | 562 | error_log /var/log/nginx/rhodecode.error.log; |
|
563 | 563 | |
|
564 | 564 | ssl on; |
|
565 | 565 | ssl_certificate rhodecode.myserver.com.crt; |
|
566 | 566 | ssl_certificate_key rhodecode.myserver.com.key; |
|
567 | 567 | |
|
568 | 568 | ssl_session_timeout 5m; |
|
569 | 569 | |
|
570 | 570 | ssl_protocols SSLv3 TLSv1; |
|
571 | 571 | ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5; |
|
572 | 572 | ssl_prefer_server_ciphers on; |
|
573 | 573 | |
|
574 | 574 | ## uncomment root directive if you want to serve static files by nginx |
|
575 | 575 | ## requires static_files = false in .ini file |
|
576 | 576 | #root /path/to/installation/rhodecode/public; |
|
577 | ||
|
577 | include /etc/nginx/proxy.conf; | |
|
578 | 578 | location / { |
|
579 | 579 | try_files $uri @rhode; |
|
580 | 580 | } |
|
581 | 581 | |
|
582 | 582 | location @rhode { |
|
583 | 583 | proxy_pass http://rc; |
|
584 | include /etc/nginx/proxy.conf; | |
|
585 | 584 | } |
|
586 | 585 | |
|
587 | 586 | } |
|
588 | 587 | |
|
589 | 588 | Here's the proxy.conf. It's tuned so it will not timeout on long |
|
590 | 589 | pushes or large pushes:: |
|
591 | 590 | |
|
592 | 591 | proxy_redirect off; |
|
593 | 592 | proxy_set_header Host $host; |
|
594 | 593 | proxy_set_header X-Url-Scheme $scheme; |
|
595 | 594 | proxy_set_header X-Host $http_host; |
|
596 | 595 | proxy_set_header X-Real-IP $remote_addr; |
|
597 | 596 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
598 | 597 | proxy_set_header Proxy-host $proxy_host; |
|
599 | 598 | client_max_body_size 400m; |
|
600 | 599 | client_body_buffer_size 128k; |
|
601 | 600 | proxy_buffering off; |
|
602 | 601 | proxy_connect_timeout 7200; |
|
603 | 602 | proxy_send_timeout 7200; |
|
604 | 603 | proxy_read_timeout 7200; |
|
605 | 604 | proxy_buffers 8 32k; |
|
606 | 605 | |
|
607 | 606 | |
|
608 | 607 | Apache virtual host reverse proxy example |
|
609 | 608 | ----------------------------------------- |
|
610 | 609 | |
|
611 | 610 | Here is a sample configuration file for apache using proxy:: |
|
612 | 611 | |
|
613 | 612 | <VirtualHost *:80> |
|
614 | 613 | ServerName hg.myserver.com |
|
615 | 614 | ServerAlias hg.myserver.com |
|
616 | 615 | |
|
617 | 616 | <Proxy *> |
|
618 | 617 | Order allow,deny |
|
619 | 618 | Allow from all |
|
620 | 619 | </Proxy> |
|
621 | 620 | |
|
622 | 621 | #important ! |
|
623 | 622 | #Directive to properly generate url (clone url) for pylons |
|
624 | 623 | ProxyPreserveHost On |
|
625 | 624 | |
|
626 | 625 | #rhodecode instance |
|
627 | 626 | ProxyPass / http://127.0.0.1:5000/ |
|
628 | 627 | ProxyPassReverse / http://127.0.0.1:5000/ |
|
629 | 628 | |
|
630 | 629 | #to enable https use line below |
|
631 | 630 | #SetEnvIf X-Url-Scheme https HTTPS=1 |
|
632 | 631 | |
|
633 | 632 | </VirtualHost> |
|
634 | 633 | |
|
635 | 634 | |
|
636 | 635 | Additional tutorial |
|
637 | 636 | http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons |
|
638 | 637 | |
|
639 | 638 | |
|
640 | 639 | Apache as subdirectory |
|
641 | 640 | ---------------------- |
|
642 | 641 | |
|
643 | 642 | Apache subdirectory part:: |
|
644 | 643 | |
|
645 | 644 | <Location /<someprefix> > |
|
646 | 645 | ProxyPass http://127.0.0.1:5000/<someprefix> |
|
647 | 646 | ProxyPassReverse http://127.0.0.1:5000/<someprefix> |
|
648 | 647 | SetEnvIf X-Url-Scheme https HTTPS=1 |
|
649 | 648 | </Location> |
|
650 | 649 | |
|
651 | 650 | Besides the regular apache setup you will need to add the following line |
|
652 | 651 | into [app:main] section of your .ini file:: |
|
653 | 652 | |
|
654 | 653 | filter-with = proxy-prefix |
|
655 | 654 | |
|
656 | 655 | Add the following at the end of the .ini file:: |
|
657 | 656 | |
|
658 | 657 | [filter:proxy-prefix] |
|
659 | 658 | use = egg:PasteDeploy#prefix |
|
660 | 659 | prefix = /<someprefix> |
|
661 | 660 | |
|
662 | 661 | |
|
663 | 662 | then change <someprefix> into your chosen prefix |
|
664 | 663 | |
|
665 | 664 | Apache's WSGI config |
|
666 | 665 | -------------------- |
|
667 | 666 | |
|
668 | 667 | Alternatively, RhodeCode can be set up with Apache under mod_wsgi. For |
|
669 | 668 | that, you'll need to: |
|
670 | 669 | |
|
671 | 670 | - Install mod_wsgi. If using a Debian-based distro, you can install |
|
672 | 671 | the package libapache2-mod-wsgi:: |
|
673 | 672 | |
|
674 | 673 | aptitude install libapache2-mod-wsgi |
|
675 | 674 | |
|
676 | 675 | - Enable mod_wsgi:: |
|
677 | 676 | |
|
678 | 677 | a2enmod wsgi |
|
679 | 678 | |
|
680 | 679 | - Create a wsgi dispatch script, like the one below. Make sure you |
|
681 | 680 | check the paths correctly point to where you installed RhodeCode |
|
682 | 681 | and its Python Virtual Environment. |
|
683 | 682 | - Enable the WSGIScriptAlias directive for the wsgi dispatch script, |
|
684 | 683 | as in the following example. Once again, check the paths are |
|
685 | 684 | correctly specified. |
|
686 | 685 | |
|
687 | 686 | Here is a sample excerpt from an Apache Virtual Host configuration file:: |
|
688 | 687 | |
|
689 | 688 | WSGIDaemonProcess pylons \ |
|
690 | 689 | threads=4 \ |
|
691 | 690 | python-path=/home/web/rhodecode/pyenv/lib/python2.6/site-packages |
|
692 | 691 | WSGIScriptAlias / /home/web/rhodecode/dispatch.wsgi |
|
693 | 692 | WSGIPassAuthorization On |
|
694 | 693 | |
|
695 | 694 | .. note:: |
|
696 | 695 | when running apache as root please add: `user=www-data group=www-data` |
|
697 | 696 | into above configuration |
|
698 | 697 | |
|
699 | 698 | .. note:: |
|
700 | 699 | Running RhodeCode in multiprocess mode in apache is not supported, |
|
701 | 700 | make sure you don't specify `processes=num` directive in the config |
|
702 | 701 | |
|
703 | 702 | |
|
704 | 703 | Example wsgi dispatch script:: |
|
705 | 704 | |
|
706 | 705 | import os |
|
707 | 706 | os.environ["HGENCODING"] = "UTF-8" |
|
708 | 707 | os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache' |
|
709 | 708 | |
|
710 | 709 | # sometimes it's needed to set the curent dir |
|
711 | 710 | os.chdir('/home/web/rhodecode/') |
|
712 | 711 | |
|
713 | 712 | import site |
|
714 | 713 | site.addsitedir("/home/web/rhodecode/pyenv/lib/python2.6/site-packages") |
|
715 | 714 | |
|
716 | 715 | from paste.deploy import loadapp |
|
717 | 716 | from paste.script.util.logging_config import fileConfig |
|
718 | 717 | |
|
719 | 718 | fileConfig('/home/web/rhodecode/production.ini') |
|
720 | 719 | application = loadapp('config:/home/web/rhodecode/production.ini') |
|
721 | 720 | |
|
722 | 721 | Note: when using mod_wsgi you'll need to install the same version of |
|
723 | 722 | Mercurial that's inside RhodeCode's virtualenv also on the system's Python |
|
724 | 723 | environment. |
|
725 | 724 | |
|
726 | 725 | |
|
727 | 726 | Other configuration files |
|
728 | 727 | ------------------------- |
|
729 | 728 | |
|
730 | 729 | Some example init.d scripts can be found in init.d directory:: |
|
731 | 730 | |
|
732 | 731 | https://secure.rhodecode.org/rhodecode/files/beta/init.d |
|
733 | 732 | |
|
734 | 733 | .. _virtualenv: http://pypi.python.org/pypi/virtualenv |
|
735 | 734 | .. _python: http://www.python.org/ |
|
736 | 735 | .. _mercurial: http://mercurial.selenic.com/ |
|
737 | 736 | .. _celery: http://celeryproject.org/ |
|
738 | 737 | .. _rabbitmq: http://www.rabbitmq.com/ |
|
739 | 738 | .. _python-ldap: http://www.python-ldap.org/ |
|
740 | 739 | .. _mercurial-server: http://www.lshift.net/mercurial-server.html |
|
741 | 740 | .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories |
|
742 | 741 | .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues |
|
743 | 742 | .. _google group rhodecode: http://groups.google.com/group/rhodecode |
General Comments 0
You need to be logged in to leave comments.
Login now