docs: consistently use venv instead of pyenv
Mads Kiilerich -
r5579:57bae44f stable
@@ -1,809 +1,809 b''
1 .. _setup:
1 .. _setup:
2
2
3 =====
3 =====
4 Setup
4 Setup
5 =====
5 =====
6
6
7
7
8 Setting up Kallithea
8 Setting up Kallithea
9 --------------------
9 --------------------
10
10
11 First, you will need to create a Kallithea configuration file. Run the
11 First, you will need to create a Kallithea configuration file. Run the
12 following command to do so::
12 following command to do so::
13
13
14 paster make-config Kallithea my.ini
14 paster make-config Kallithea my.ini
15
15
16 This will create the file ``my.ini`` in the current directory. This
16 This will create the file ``my.ini`` in the current directory. This
17 configuration file contains the various settings for Kallithea, e.g.
17 configuration file contains the various settings for Kallithea, e.g.
18 proxy port, email settings, usage of static files, cache, Celery
18 proxy port, email settings, usage of static files, cache, Celery
19 settings, and logging.
19 settings, and logging.
20
20
21 Next, you need to create the databases used by Kallithea. It is recommended to
21 Next, you need to create the databases used by Kallithea. It is recommended to
22 use PostgreSQL or SQLite (default). If you choose a database other than the
22 use PostgreSQL or SQLite (default). If you choose a database other than the
23 default, ensure you properly adjust the database URL in your ``my.ini``
23 default, ensure you properly adjust the database URL in your ``my.ini``
24 configuration file to use this other database. Kallithea currently supports
24 configuration file to use this other database. Kallithea currently supports
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 the following command::
26 the following command::
27
27
28 paster setup-db my.ini
28 paster setup-db my.ini
29
29
30 This will prompt you for a "root" path. This "root" path is the location where
30 This will prompt you for a "root" path. This "root" path is the location where
31 Kallithea will store all of its repositories on the current machine. After
31 Kallithea will store all of its repositories on the current machine. After
32 entering this "root" path ``setup-db`` will also prompt you for a username
32 entering this "root" path ``setup-db`` will also prompt you for a username
33 and password for the initial admin account which ``setup-db`` sets
33 and password for the initial admin account which ``setup-db`` sets
34 up for you.
34 up for you.
35
35
36 The ``setup-db`` values can also be given on the command line.
36 The ``setup-db`` values can also be given on the command line.
37 Example::
37 Example::
38
38
39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40
40
41 The ``setup-db`` command will create all needed tables and an
41 The ``setup-db`` command will create all needed tables and an
42 admin account. When choosing a root path you can either use a new
42 admin account. When choosing a root path you can either use a new
43 empty location, or a location which already contains existing
43 empty location, or a location which already contains existing
44 repositories. If you choose a location which contains existing
44 repositories. If you choose a location which contains existing
45 repositories Kallithea will add all of the repositories at the chosen
45 repositories Kallithea will add all of the repositories at the chosen
46 location to its database. (Note: make sure you specify the correct
46 location to its database. (Note: make sure you specify the correct
47 path to the root).
47 path to the root).
48
48
49 .. note:: the given path for Mercurial_ repositories **must** be write
49 .. note:: the given path for Mercurial_ repositories **must** be write
50 accessible for the application. It's very important since
50 accessible for the application. It's very important since
51 the Kallithea web interface will work without write access,
51 the Kallithea web interface will work without write access,
52 but when trying to do a push it will fail with permission
52 but when trying to do a push it will fail with permission
53 denied errors unless it has write access.
53 denied errors unless it has write access.
54
54
55 You are now ready to use Kallithea. To run it simply execute::
55 You are now ready to use Kallithea. To run it simply execute::
56
56
57 paster serve my.ini
57 paster serve my.ini
58
58
59 - This command runs the Kallithea server. The web app should be available at
59 - This command runs the Kallithea server. The web app should be available at
60 http://127.0.0.1:5000. The IP address and port is configurable via the
60 http://127.0.0.1:5000. The IP address and port is configurable via the
61 configuration file created in the previous step.
61 configuration file created in the previous step.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 - The default permissions on each repository is read, and the owner is admin.
63 - The default permissions on each repository is read, and the owner is admin.
64 Remember to update these if needed.
64 Remember to update these if needed.
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 settings, as well as edit more advanced options on users and
66 settings, as well as edit more advanced options on users and
67 repositories.
67 repositories.
68
68
69
69
70 Extensions
70 Extensions
71 ----------
71 ----------
72
72
73 Optionally one can create an ``rcextensions`` package that extends Kallithea
73 Optionally one can create an ``rcextensions`` package that extends Kallithea
74 functionality.
74 functionality.
75 To generate a skeleton extensions package, run::
75 To generate a skeleton extensions package, run::
76
76
77 paster make-rcext my.ini
77 paster make-rcext my.ini
78
78
79 This will create an ``rcextensions`` package next to the specified ``ini`` file.
79 This will create an ``rcextensions`` package next to the specified ``ini`` file.
80 With ``rcextensions`` it's possible to add additional mapping for whoosh,
80 With ``rcextensions`` it's possible to add additional mapping for whoosh,
81 stats and add additional code into the push/pull/create/delete repo hooks,
81 stats and add additional code into the push/pull/create/delete repo hooks,
82 for example for sending signals to build-bots such as Jenkins.
82 for example for sending signals to build-bots such as Jenkins.
83
83
84 See the ``__init__.py`` file inside the generated ``rcextensions`` package
84 See the ``__init__.py`` file inside the generated ``rcextensions`` package
85 for more details.
85 for more details.
86
86
87
87
88 Using Kallithea with SSH
88 Using Kallithea with SSH
89 ------------------------
89 ------------------------
90
90
91 Kallithea currently only hosts repositories using http and https. (The addition
91 Kallithea currently only hosts repositories using http and https. (The addition
92 of ssh hosting is a planned future feature.) However you can easily use ssh in
92 of ssh hosting is a planned future feature.) However you can easily use ssh in
93 parallel with Kallithea. (Repository access via ssh is a standard "out of
93 parallel with Kallithea. (Repository access via ssh is a standard "out of
94 the box" feature of Mercurial_ and you can use this to access any of the
94 the box" feature of Mercurial_ and you can use this to access any of the
95 repositories that Kallithea is hosting. See PublishingRepositories_)
95 repositories that Kallithea is hosting. See PublishingRepositories_)
96
96
97 Kallithea repository structures are kept in directories with the same name
97 Kallithea repository structures are kept in directories with the same name
98 as the project. When using repository groups, each group is a subdirectory.
98 as the project. When using repository groups, each group is a subdirectory.
99 This allows you to easily use ssh for accessing repositories.
99 This allows you to easily use ssh for accessing repositories.
100
100
101 In order to use ssh you need to make sure that your web server and the users'
101 In order to use ssh you need to make sure that your web server and the users'
102 login accounts have the correct permissions set on the appropriate directories.
102 login accounts have the correct permissions set on the appropriate directories.
103
103
104 .. note:: These permissions are independent of any permissions you
104 .. note:: These permissions are independent of any permissions you
105 have set up using the Kallithea web interface.
105 have set up using the Kallithea web interface.
106
106
107 If your main directory (the same as set in Kallithea settings) is for
107 If your main directory (the same as set in Kallithea settings) is for
108 example set to ``/srv/repos`` and the repository you are using is
108 example set to ``/srv/repos`` and the repository you are using is
109 named ``kallithea``, then to clone via ssh you should run::
109 named ``kallithea``, then to clone via ssh you should run::
110
110
111 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
111 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
112
112
113 Using other external tools such as mercurial-server_ or using ssh key-based
113 Using other external tools such as mercurial-server_ or using ssh key-based
114 authentication is fully supported.
114 authentication is fully supported.
115
115
116 .. note:: In an advanced setup, in order for your ssh access to use
116 .. note:: In an advanced setup, in order for your ssh access to use
117 the same permissions as set up via the Kallithea web
117 the same permissions as set up via the Kallithea web
118 interface, you can create an authentication hook to connect
118 interface, you can create an authentication hook to connect
119 to the Kallithea db and run check functions for permissions
119 to the Kallithea db and run check functions for permissions
120 against that.
120 against that.
121
121
122
122
123 Setting up Whoosh full text search
123 Setting up Whoosh full text search
124 ----------------------------------
124 ----------------------------------
125
125
126 Kallithea provides full text search of repositories using `Whoosh`__.
126 Kallithea provides full text search of repositories using `Whoosh`__.
127
127
128 .. __: https://pythonhosted.org/Whoosh/
128 .. __: https://pythonhosted.org/Whoosh/
129
129
130 For an incremental index build, run::
130 For an incremental index build, run::
131
131
132 paster make-index my.ini
132 paster make-index my.ini
133
133
134 For a full index rebuild, run::
134 For a full index rebuild, run::
135
135
136 paster make-index my.ini -f
136 paster make-index my.ini -f
137
137
138 The ``--repo-location`` option allows the location of the repositories to be overriden;
138 The ``--repo-location`` option allows the location of the repositories to be overriden;
139 usually, the location is retrieved from the Kallithea database.
139 usually, the location is retrieved from the Kallithea database.
140
140
141 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
141 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
142
142
143 paster make-index my.ini --index-only=vcs,kallithea
143 paster make-index my.ini --index-only=vcs,kallithea
144
144
145 To keep your index up-to-date it is necessary to do periodic index builds;
145 To keep your index up-to-date it is necessary to do periodic index builds;
146 for this, it is recommended to use a crontab entry. Example::
146 for this, it is recommended to use a crontab entry. Example::
147
147
148 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
148 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
149
149
150 When using incremental mode (the default), Whoosh will check the last
150 When using incremental mode (the default), Whoosh will check the last
151 modification date of each file and add it to be reindexed if a newer file is
151 modification date of each file and add it to be reindexed if a newer file is
152 available. The indexing daemon checks for any removed files and removes them
152 available. The indexing daemon checks for any removed files and removes them
153 from index.
153 from index.
154
154
155 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
155 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
156 or in the admin panel you can check the "build from scratch" checkbox.
156 or in the admin panel you can check the "build from scratch" checkbox.
157
157
158
158
159 Setting up LDAP support
159 Setting up LDAP support
160 -----------------------
160 -----------------------
161
161
162 Kallithea supports LDAP authentication. In order
162 Kallithea supports LDAP authentication. In order
163 to use LDAP, you have to install the python-ldap_ package. This package is
163 to use LDAP, you have to install the python-ldap_ package. This package is
164 available via PyPI, so you can install it by running::
164 available via PyPI, so you can install it by running::
165
165
166 pip install python-ldap
166 pip install python-ldap
167
167
168 .. note:: ``python-ldap`` requires some libraries to be installed on
168 .. note:: ``python-ldap`` requires some libraries to be installed on
169 your system, so before installing it check that you have at
169 your system, so before installing it check that you have at
170 least the ``openldap`` and ``sasl`` libraries.
170 least the ``openldap`` and ``sasl`` libraries.
171
171
172 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
172 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
173 and then *Save*, to enable the LDAP plugin and configure its settings.
173 and then *Save*, to enable the LDAP plugin and configure its settings.
174
174
175 Here's a typical LDAP setup::
175 Here's a typical LDAP setup::
176
176
177 Connection settings
177 Connection settings
178 Enable LDAP = checked
178 Enable LDAP = checked
179 Host = host.example.com
179 Host = host.example.com
180 Port = 389
180 Port = 389
181 Account = <account>
181 Account = <account>
182 Password = <password>
182 Password = <password>
183 Connection Security = LDAPS connection
183 Connection Security = LDAPS connection
184 Certificate Checks = DEMAND
184 Certificate Checks = DEMAND
185
185
186 Search settings
186 Search settings
187 Base DN = CN=users,DC=host,DC=example,DC=org
187 Base DN = CN=users,DC=host,DC=example,DC=org
188 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
188 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
189 LDAP Search Scope = SUBTREE
189 LDAP Search Scope = SUBTREE
190
190
191 Attribute mappings
191 Attribute mappings
192 Login Attribute = uid
192 Login Attribute = uid
193 First Name Attribute = firstName
193 First Name Attribute = firstName
194 Last Name Attribute = lastName
194 Last Name Attribute = lastName
195 Email Attribute = mail
195 Email Attribute = mail
196
196
197 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
197 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
198
198
199 Search settings
199 Search settings
200 Base DN = DC=host,DC=example,DC=org
200 Base DN = DC=host,DC=example,DC=org
201 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
201 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
202 LDAP Search Scope = SUBTREE
202 LDAP Search Scope = SUBTREE
203
203
204 .. _enable_ldap:
204 .. _enable_ldap:
205
205
206 Enable LDAP : required
206 Enable LDAP : required
207 Whether to use LDAP for authenticating users.
207 Whether to use LDAP for authenticating users.
208
208
209 .. _ldap_host:
209 .. _ldap_host:
210
210
211 Host : required
211 Host : required
212 LDAP server hostname or IP address. Can be also a comma separated
212 LDAP server hostname or IP address. Can be also a comma separated
213 list of servers to support LDAP fail-over.
213 list of servers to support LDAP fail-over.
214
214
215 .. _Port:
215 .. _Port:
216
216
217 Port : required
217 Port : required
218 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
218 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
219
219
220 .. _ldap_account:
220 .. _ldap_account:
221
221
222 Account : optional
222 Account : optional
223 Only required if the LDAP server does not allow anonymous browsing of
223 Only required if the LDAP server does not allow anonymous browsing of
224 records. This should be a special account for record browsing. This
224 records. This should be a special account for record browsing. This
225 will require `LDAP Password`_ below.
225 will require `LDAP Password`_ below.
226
226
227 .. _LDAP Password:
227 .. _LDAP Password:
228
228
229 Password : optional
229 Password : optional
230 Only required if the LDAP server does not allow anonymous browsing of
230 Only required if the LDAP server does not allow anonymous browsing of
231 records.
231 records.
232
232
233 .. _Enable LDAPS:
233 .. _Enable LDAPS:
234
234
235 Connection Security : required
235 Connection Security : required
236 Defines the connection to LDAP server
236 Defines the connection to LDAP server
237
237
238 No encryption
238 No encryption
239 Plain non encrypted connection
239 Plain non encrypted connection
240
240
241 LDAPS connection
241 LDAPS connection
242 Enable LDAPS connections. It will likely require `Port`_ to be set to
242 Enable LDAPS connections. It will likely require `Port`_ to be set to
243 a different value (standard LDAPS port is 636). When LDAPS is enabled
243 a different value (standard LDAPS port is 636). When LDAPS is enabled
244 then `Certificate Checks`_ is required.
244 then `Certificate Checks`_ is required.
245
245
246 START_TLS on LDAP connection
246 START_TLS on LDAP connection
247 START TLS connection
247 START TLS connection
248
248
249 .. _Certificate Checks:
249 .. _Certificate Checks:
250
250
251 Certificate Checks : optional
251 Certificate Checks : optional
252 How SSL certificates verification is handled -- this is only useful when
252 How SSL certificates verification is handled -- this is only useful when
253 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
253 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
254 while the other options are susceptible to man-in-the-middle attacks. SSL
254 while the other options are susceptible to man-in-the-middle attacks. SSL
255 certificates can be installed to /etc/openldap/cacerts so that the
255 certificates can be installed to /etc/openldap/cacerts so that the
256 DEMAND or HARD options can be used with self-signed certificates or
256 DEMAND or HARD options can be used with self-signed certificates or
257 certificates that do not have traceable certificates of authority.
257 certificates that do not have traceable certificates of authority.
258
258
259 NEVER
259 NEVER
260 A serve certificate will never be requested or checked.
260 A serve certificate will never be requested or checked.
261
261
262 ALLOW
262 ALLOW
263 A server certificate is requested. Failure to provide a
263 A server certificate is requested. Failure to provide a
264 certificate or providing a bad certificate will not terminate the
264 certificate or providing a bad certificate will not terminate the
265 session.
265 session.
266
266
267 TRY
267 TRY
268 A server certificate is requested. Failure to provide a
268 A server certificate is requested. Failure to provide a
269 certificate does not halt the session; providing a bad certificate
269 certificate does not halt the session; providing a bad certificate
270 halts the session.
270 halts the session.
271
271
272 DEMAND
272 DEMAND
273 A server certificate is requested and must be provided and
273 A server certificate is requested and must be provided and
274 authenticated for the session to proceed.
274 authenticated for the session to proceed.
275
275
276 HARD
276 HARD
277 The same as DEMAND.
277 The same as DEMAND.
278
278
279 .. _Base DN:
279 .. _Base DN:
280
280
281 Base DN : required
281 Base DN : required
282 The Distinguished Name (DN) where searches for users will be performed.
282 The Distinguished Name (DN) where searches for users will be performed.
283 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
283 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
284
284
285 .. _LDAP Filter:
285 .. _LDAP Filter:
286
286
287 LDAP Filter : optional
287 LDAP Filter : optional
288 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
288 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
289 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
289 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
290 which LDAP objects are identified as representing Users for
290 which LDAP objects are identified as representing Users for
291 authentication. The filter is augmented by `Login Attribute`_ below.
291 authentication. The filter is augmented by `Login Attribute`_ below.
292 This can commonly be left blank.
292 This can commonly be left blank.
293
293
294 .. _LDAP Search Scope:
294 .. _LDAP Search Scope:
295
295
296 LDAP Search Scope : required
296 LDAP Search Scope : required
297 This limits how far LDAP will search for a matching object.
297 This limits how far LDAP will search for a matching object.
298
298
299 BASE
299 BASE
300 Only allows searching of `Base DN`_ and is usually not what you
300 Only allows searching of `Base DN`_ and is usually not what you
301 want.
301 want.
302
302
303 ONELEVEL
303 ONELEVEL
304 Searches all entries under `Base DN`_, but not Base DN itself.
304 Searches all entries under `Base DN`_, but not Base DN itself.
305
305
306 SUBTREE
306 SUBTREE
307 Searches all entries below `Base DN`_, but not Base DN itself.
307 Searches all entries below `Base DN`_, but not Base DN itself.
308 When using SUBTREE `LDAP Filter`_ is useful to limit object
308 When using SUBTREE `LDAP Filter`_ is useful to limit object
309 location.
309 location.
310
310
311 .. _Login Attribute:
311 .. _Login Attribute:
312
312
313 Login Attribute : required
313 Login Attribute : required
314 The LDAP record attribute that will be matched as the USERNAME or
314 The LDAP record attribute that will be matched as the USERNAME or
315 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
315 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
316 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
316 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
317 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
317 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
318 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
318 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
319 ::
319 ::
320
320
321 (&(LDAPFILTER)(uid=jsmith))
321 (&(LDAPFILTER)(uid=jsmith))
322
322
323 .. _ldap_attr_firstname:
323 .. _ldap_attr_firstname:
324
324
325 First Name Attribute : required
325 First Name Attribute : required
326 The LDAP record attribute which represents the user's first name.
326 The LDAP record attribute which represents the user's first name.
327
327
328 .. _ldap_attr_lastname:
328 .. _ldap_attr_lastname:
329
329
330 Last Name Attribute : required
330 Last Name Attribute : required
331 The LDAP record attribute which represents the user's last name.
331 The LDAP record attribute which represents the user's last name.
332
332
333 .. _ldap_attr_email:
333 .. _ldap_attr_email:
334
334
335 Email Attribute : required
335 Email Attribute : required
336 The LDAP record attribute which represents the user's email address.
336 The LDAP record attribute which represents the user's email address.
337
337
338 If all data are entered correctly, and python-ldap_ is properly installed
338 If all data are entered correctly, and python-ldap_ is properly installed
339 users should be granted access to Kallithea with LDAP accounts. At this
339 users should be granted access to Kallithea with LDAP accounts. At this
340 time user information is copied from LDAP into the Kallithea user database.
340 time user information is copied from LDAP into the Kallithea user database.
341 This means that updates of an LDAP user object may not be reflected as a
341 This means that updates of an LDAP user object may not be reflected as a
342 user update in Kallithea.
342 user update in Kallithea.
343
343
344 If You have problems with LDAP access and believe You entered correct
344 If You have problems with LDAP access and believe You entered correct
345 information check out the Kallithea logs, any error messages sent from LDAP
345 information check out the Kallithea logs, any error messages sent from LDAP
346 will be saved there.
346 will be saved there.
347
347
348 Active Directory
348 Active Directory
349 ''''''''''''''''
349 ''''''''''''''''
350
350
351 Kallithea can use Microsoft Active Directory for user authentication. This
351 Kallithea can use Microsoft Active Directory for user authentication. This
352 is done through an LDAP or LDAPS connection to Active Directory. The
352 is done through an LDAP or LDAPS connection to Active Directory. The
353 following LDAP configuration settings are typical for using Active
353 following LDAP configuration settings are typical for using Active
354 Directory ::
354 Directory ::
355
355
356 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
356 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
357 Login Attribute = sAMAccountName
357 Login Attribute = sAMAccountName
358 First Name Attribute = givenName
358 First Name Attribute = givenName
359 Last Name Attribute = sn
359 Last Name Attribute = sn
360 Email Attribute = mail
360 Email Attribute = mail
361
361
362 All other LDAP settings will likely be site-specific and should be
362 All other LDAP settings will likely be site-specific and should be
363 appropriately configured.
363 appropriately configured.
364
364
365
365
366 Authentication by container or reverse-proxy
366 Authentication by container or reverse-proxy
367 --------------------------------------------
367 --------------------------------------------
368
368
369 Kallithea supports delegating the authentication
369 Kallithea supports delegating the authentication
370 of users to its WSGI container, or to a reverse-proxy server through which all
370 of users to its WSGI container, or to a reverse-proxy server through which all
371 clients access the application.
371 clients access the application.
372
372
373 When these authentication methods are enabled in Kallithea, it uses the
373 When these authentication methods are enabled in Kallithea, it uses the
374 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
374 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
375 perform the authentication itself. The authorization, however, is still done by
375 perform the authentication itself. The authorization, however, is still done by
376 Kallithea according to its settings.
376 Kallithea according to its settings.
377
377
378 When a user logs in for the first time using these authentication methods,
378 When a user logs in for the first time using these authentication methods,
379 a matching user account is created in Kallithea with default permissions. An
379 a matching user account is created in Kallithea with default permissions. An
380 administrator can then modify it using Kallithea's admin interface.
380 administrator can then modify it using Kallithea's admin interface.
381
381
382 It's also possible for an administrator to create accounts and configure their
382 It's also possible for an administrator to create accounts and configure their
383 permissions before the user logs in for the first time, using the :ref:`create-user` API.
383 permissions before the user logs in for the first time, using the :ref:`create-user` API.
384
384
385 Container-based authentication
385 Container-based authentication
386 ''''''''''''''''''''''''''''''
386 ''''''''''''''''''''''''''''''
387
387
388 In a container-based authentication setup, Kallithea reads the user name from
388 In a container-based authentication setup, Kallithea reads the user name from
389 the ``REMOTE_USER`` server variable provided by the WSGI container.
389 the ``REMOTE_USER`` server variable provided by the WSGI container.
390
390
391 After setting up your container (see `Apache with mod_wsgi`_), you'll need
391 After setting up your container (see `Apache with mod_wsgi`_), you'll need
392 to configure it to require authentication on the location configured for
392 to configure it to require authentication on the location configured for
393 Kallithea.
393 Kallithea.
394
394
395 Proxy pass-through authentication
395 Proxy pass-through authentication
396 '''''''''''''''''''''''''''''''''
396 '''''''''''''''''''''''''''''''''
397
397
398 In a proxy pass-through authentication setup, Kallithea reads the user name
398 In a proxy pass-through authentication setup, Kallithea reads the user name
399 from the ``X-Forwarded-User`` request header, which should be configured to be
399 from the ``X-Forwarded-User`` request header, which should be configured to be
400 sent by the reverse-proxy server.
400 sent by the reverse-proxy server.
401
401
402 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
402 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
403 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
403 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
404 configure the authentication and add the username in a request header named
404 configure the authentication and add the username in a request header named
405 ``X-Forwarded-User``.
405 ``X-Forwarded-User``.
406
406
407 For example, the following config section for Apache sets a subdirectory in a
407 For example, the following config section for Apache sets a subdirectory in a
408 reverse-proxy setup with basic auth:
408 reverse-proxy setup with basic auth:
409
409
410 .. code-block:: apache
410 .. code-block:: apache
411
411
412 <Location /someprefix>
412 <Location /someprefix>
413 ProxyPass http://127.0.0.1:5000/someprefix
413 ProxyPass http://127.0.0.1:5000/someprefix
414 ProxyPassReverse http://127.0.0.1:5000/someprefix
414 ProxyPassReverse http://127.0.0.1:5000/someprefix
415 SetEnvIf X-Url-Scheme https HTTPS=1
415 SetEnvIf X-Url-Scheme https HTTPS=1
416
416
417 AuthType Basic
417 AuthType Basic
418 AuthName "Kallithea authentication"
418 AuthName "Kallithea authentication"
419 AuthUserFile /srv/kallithea/.htpasswd
419 AuthUserFile /srv/kallithea/.htpasswd
420 Require valid-user
420 Require valid-user
421
421
422 RequestHeader unset X-Forwarded-User
422 RequestHeader unset X-Forwarded-User
423
423
424 RewriteEngine On
424 RewriteEngine On
425 RewriteCond %{LA-U:REMOTE_USER} (.+)
425 RewriteCond %{LA-U:REMOTE_USER} (.+)
426 RewriteRule .* - [E=RU:%1]
426 RewriteRule .* - [E=RU:%1]
427 RequestHeader set X-Forwarded-User %{RU}e
427 RequestHeader set X-Forwarded-User %{RU}e
428 </Location>
428 </Location>
429
429
430 .. note::
430 .. note::
431 If you enable proxy pass-through authentication, make sure your server is
431 If you enable proxy pass-through authentication, make sure your server is
432 only accessible through the proxy. Otherwise, any client would be able to
432 only accessible through the proxy. Otherwise, any client would be able to
433 forge the authentication header and could effectively become authenticated
433 forge the authentication header and could effectively become authenticated
434 using any account of their liking.
434 using any account of their liking.
435
435
436
436
437 Integration with issue trackers
437 Integration with issue trackers
438 -------------------------------
438 -------------------------------
439
439
440 Kallithea provides a simple integration with issue trackers. It's possible
440 Kallithea provides a simple integration with issue trackers. It's possible
441 to define a regular expression that will match an issue ID in commit messages,
441 to define a regular expression that will match an issue ID in commit messages,
442 and have that replaced with a URL to the issue. To enable this simply
442 and have that replaced with a URL to the issue. To enable this simply
443 uncomment the following variables in the ini file::
443 uncomment the following variables in the ini file::
444
444
445 issue_pat = (?:^#|\s#)(\w+)
445 issue_pat = (?:^#|\s#)(\w+)
446 issue_server_link = https://issues.example.com/{repo}/issue/{id}
446 issue_server_link = https://issues.example.com/{repo}/issue/{id}
447 issue_prefix = #
447 issue_prefix = #
448
448
449 ``issue_pat`` is the regular expression describing which strings in
449 ``issue_pat`` is the regular expression describing which strings in
450 commit messages will be treated as issue references. A match group in
450 commit messages will be treated as issue references. A match group in
451 parentheses should be used to specify the actual issue id.
451 parentheses should be used to specify the actual issue id.
452
452
453 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
453 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
454
454
455 Matched issue references are replaced with the link specified in
455 Matched issue references are replaced with the link specified in
456 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
456 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
457 ``{repo}`` with the repository name. Since the # is stripped away,
457 ``{repo}`` with the repository name. Since the # is stripped away,
458 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
458 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
459 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
459 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
460 generate a URL in the format:
460 generate a URL in the format:
461
461
462 .. code-block:: html
462 .. code-block:: html
463
463
464 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
464 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
465
465
466 If needed, more than one pattern can be specified by appending a unique suffix to
466 If needed, more than one pattern can be specified by appending a unique suffix to
467 the variables. For example::
467 the variables. For example::
468
468
469 issue_pat_wiki = (?:wiki-)(.+)
469 issue_pat_wiki = (?:wiki-)(.+)
470 issue_server_link_wiki = https://wiki.example.com/{id}
470 issue_server_link_wiki = https://wiki.example.com/{id}
471 issue_prefix_wiki = WIKI-
471 issue_prefix_wiki = WIKI-
472
472
473 With these settings, wiki pages can be referenced as wiki-some-id, and every
473 With these settings, wiki pages can be referenced as wiki-some-id, and every
474 such reference will be transformed into:
474 such reference will be transformed into:
475
475
476 .. code-block:: html
476 .. code-block:: html
477
477
478 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
478 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
479
479
480
480
481 Hook management
481 Hook management
482 ---------------
482 ---------------
483
483
484 Hooks can be managed in similar way to that used in ``.hgrc`` files.
484 Hooks can be managed in similar way to that used in ``.hgrc`` files.
485 To manage hooks, choose *Admin > Settings > Hooks*.
485 To manage hooks, choose *Admin > Settings > Hooks*.
486
486
487 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
487 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
488
488
489 To add another custom hook simply fill in the first textbox with
489 To add another custom hook simply fill in the first textbox with
490 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
490 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
491 can be found in ``kallithea.lib.hooks``.
491 can be found in ``kallithea.lib.hooks``.
492
492
493
493
494 Changing default encoding
494 Changing default encoding
495 -------------------------
495 -------------------------
496
496
497 By default, Kallithea uses UTF-8 encoding.
497 By default, Kallithea uses UTF-8 encoding.
498 This is configurable as ``default_encoding`` in the .ini file.
498 This is configurable as ``default_encoding`` in the .ini file.
499 This affects many parts in Kallithea including user names, filenames, and
499 This affects many parts in Kallithea including user names, filenames, and
500 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
500 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
501 library is installed. If ``chardet`` is detected Kallithea will fallback to it
501 library is installed. If ``chardet`` is detected Kallithea will fallback to it
502 when there are encode/decode errors.
502 when there are encode/decode errors.
503
503
504
504
505 Celery configuration
505 Celery configuration
506 --------------------
506 --------------------
507
507
508 Kallithea can use the distributed task queue system Celery_ to run tasks like
508 Kallithea can use the distributed task queue system Celery_ to run tasks like
509 cloning repositories or sending emails.
509 cloning repositories or sending emails.
510
510
511 Kallithea will in most setups work perfectly fine out of the box (without
511 Kallithea will in most setups work perfectly fine out of the box (without
512 Celery), executing all tasks in the web server process. Some tasks can however
512 Celery), executing all tasks in the web server process. Some tasks can however
513 take some time to run and it can be better to run such tasks asynchronously in
513 take some time to run and it can be better to run such tasks asynchronously in
514 a separate process so the web server can focus on serving web requests.
514 a separate process so the web server can focus on serving web requests.
515
515
516 For installation and configuration of Celery, see the `Celery documentation`_.
516 For installation and configuration of Celery, see the `Celery documentation`_.
517 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
517 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
518 or Redis_.
518 or Redis_.
519
519
520 The use of Celery is configured in the Kallithea ini configuration file.
520 The use of Celery is configured in the Kallithea ini configuration file.
521 To enable it, simply set::
521 To enable it, simply set::
522
522
523 use_celery = true
523 use_celery = true
524
524
525 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
525 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
526
526
527 Remember that the ini files use the format with '.' and not with '_' like
527 Remember that the ini files use the format with '.' and not with '_' like
528 Celery. So for example setting `BROKER_HOST` in Celery means setting
528 Celery. So for example setting `BROKER_HOST` in Celery means setting
529 `broker.host` in the configuration file.
529 `broker.host` in the configuration file.
530
530
531 To start the Celery process, run::
531 To start the Celery process, run::
532
532
533 paster celeryd <configfile.ini>
533 paster celeryd <configfile.ini>
534
534
535 .. note::
535 .. note::
536 Make sure you run this command from the same virtualenv, and with the same
536 Make sure you run this command from the same virtualenv, and with the same
537 user that Kallithea runs.
537 user that Kallithea runs.
538
538
539
539
540 HTTPS support
540 HTTPS support
541 -------------
541 -------------
542
542
543 Kallithea will by default generate URLs based on the WSGI environment.
543 Kallithea will by default generate URLs based on the WSGI environment.
544
544
545 Alternatively, you can use some special configuration settings to control
545 Alternatively, you can use some special configuration settings to control
546 directly which scheme/protocol Kallithea will use when generating URLs:
546 directly which scheme/protocol Kallithea will use when generating URLs:
547
547
548 - With ``https_fixup = true``, the scheme will be taken from the
548 - With ``https_fixup = true``, the scheme will be taken from the
549 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
549 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
550 (default ``http``).
550 (default ``http``).
551 - With ``force_https = true`` the default will be ``https``.
551 - With ``force_https = true`` the default will be ``https``.
552 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
552 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
553
553
554
554
555 Nginx virtual host example
555 Nginx virtual host example
556 --------------------------
556 --------------------------
557
557
558 Sample config for Nginx using proxy:
558 Sample config for Nginx using proxy:
559
559
560 .. code-block:: nginx
560 .. code-block:: nginx
561
561
562 upstream kallithea {
562 upstream kallithea {
563 server 127.0.0.1:5000;
563 server 127.0.0.1:5000;
564 # add more instances for load balancing
564 # add more instances for load balancing
565 #server 127.0.0.1:5001;
565 #server 127.0.0.1:5001;
566 #server 127.0.0.1:5002;
566 #server 127.0.0.1:5002;
567 }
567 }
568
568
569 ## gist alias
569 ## gist alias
570 server {
570 server {
571 listen 443;
571 listen 443;
572 server_name gist.example.com;
572 server_name gist.example.com;
573 access_log /var/log/nginx/gist.access.log;
573 access_log /var/log/nginx/gist.access.log;
574 error_log /var/log/nginx/gist.error.log;
574 error_log /var/log/nginx/gist.error.log;
575
575
576 ssl on;
576 ssl on;
577 ssl_certificate gist.your.kallithea.server.crt;
577 ssl_certificate gist.your.kallithea.server.crt;
578 ssl_certificate_key gist.your.kallithea.server.key;
578 ssl_certificate_key gist.your.kallithea.server.key;
579
579
580 ssl_session_timeout 5m;
580 ssl_session_timeout 5m;
581
581
582 ssl_protocols SSLv3 TLSv1;
582 ssl_protocols SSLv3 TLSv1;
583 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
583 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
584 ssl_prefer_server_ciphers on;
584 ssl_prefer_server_ciphers on;
585
585
586 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
586 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
587 rewrite (.*) https://kallithea.example.com/_admin/gists;
587 rewrite (.*) https://kallithea.example.com/_admin/gists;
588 }
588 }
589
589
590 server {
590 server {
591 listen 443;
591 listen 443;
592 server_name kallithea.example.com
592 server_name kallithea.example.com
593 access_log /var/log/nginx/kallithea.access.log;
593 access_log /var/log/nginx/kallithea.access.log;
594 error_log /var/log/nginx/kallithea.error.log;
594 error_log /var/log/nginx/kallithea.error.log;
595
595
596 ssl on;
596 ssl on;
597 ssl_certificate your.kallithea.server.crt;
597 ssl_certificate your.kallithea.server.crt;
598 ssl_certificate_key your.kallithea.server.key;
598 ssl_certificate_key your.kallithea.server.key;
599
599
600 ssl_session_timeout 5m;
600 ssl_session_timeout 5m;
601
601
602 ssl_protocols SSLv3 TLSv1;
602 ssl_protocols SSLv3 TLSv1;
603 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
603 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
604 ssl_prefer_server_ciphers on;
604 ssl_prefer_server_ciphers on;
605
605
606 ## uncomment root directive if you want to serve static files by nginx
606 ## uncomment root directive if you want to serve static files by nginx
607 ## requires static_files = false in .ini file
607 ## requires static_files = false in .ini file
608 #root /path/to/installation/kallithea/public;
608 #root /path/to/installation/kallithea/public;
609 include /etc/nginx/proxy.conf;
609 include /etc/nginx/proxy.conf;
610 location / {
610 location / {
611 try_files $uri @kallithea;
611 try_files $uri @kallithea;
612 }
612 }
613
613
614 location @kallithea {
614 location @kallithea {
615 proxy_pass http://127.0.0.1:5000;
615 proxy_pass http://127.0.0.1:5000;
616 }
616 }
617
617
618 }
618 }
619
619
620 Here's the proxy.conf. It's tuned so it will not timeout on long
620 Here's the proxy.conf. It's tuned so it will not timeout on long
621 pushes or large pushes::
621 pushes or large pushes::
622
622
623 proxy_redirect off;
623 proxy_redirect off;
624 proxy_set_header Host $host;
624 proxy_set_header Host $host;
625 ## needed for container auth
625 ## needed for container auth
626 #proxy_set_header REMOTE_USER $remote_user;
626 #proxy_set_header REMOTE_USER $remote_user;
627 #proxy_set_header X-Forwarded-User $remote_user;
627 #proxy_set_header X-Forwarded-User $remote_user;
628 proxy_set_header X-Url-Scheme $scheme;
628 proxy_set_header X-Url-Scheme $scheme;
629 proxy_set_header X-Host $http_host;
629 proxy_set_header X-Host $http_host;
630 proxy_set_header X-Real-IP $remote_addr;
630 proxy_set_header X-Real-IP $remote_addr;
631 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
631 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
632 proxy_set_header Proxy-host $proxy_host;
632 proxy_set_header Proxy-host $proxy_host;
633 proxy_buffering off;
633 proxy_buffering off;
634 proxy_connect_timeout 7200;
634 proxy_connect_timeout 7200;
635 proxy_send_timeout 7200;
635 proxy_send_timeout 7200;
636 proxy_read_timeout 7200;
636 proxy_read_timeout 7200;
637 proxy_buffers 8 32k;
637 proxy_buffers 8 32k;
638 client_max_body_size 1024m;
638 client_max_body_size 1024m;
639 client_body_buffer_size 128k;
639 client_body_buffer_size 128k;
640 large_client_header_buffers 8 64k;
640 large_client_header_buffers 8 64k;
641
641
642
642
643 Apache virtual host reverse proxy example
643 Apache virtual host reverse proxy example
644 -----------------------------------------
644 -----------------------------------------
645
645
646 Here is a sample configuration file for Apache using proxy:
646 Here is a sample configuration file for Apache using proxy:
647
647
648 .. code-block:: apache
648 .. code-block:: apache
649
649
650 <VirtualHost *:80>
650 <VirtualHost *:80>
651 ServerName kallithea.example.com
651 ServerName kallithea.example.com
652
652
653 <Proxy *>
653 <Proxy *>
654 # For Apache 2.4 and later:
654 # For Apache 2.4 and later:
655 Require all granted
655 Require all granted
656
656
657 # For Apache 2.2 and earlier, instead use:
657 # For Apache 2.2 and earlier, instead use:
658 # Order allow,deny
658 # Order allow,deny
659 # Allow from all
659 # Allow from all
660 </Proxy>
660 </Proxy>
661
661
662 #important !
662 #important !
663 #Directive to properly generate url (clone url) for pylons
663 #Directive to properly generate url (clone url) for pylons
664 ProxyPreserveHost On
664 ProxyPreserveHost On
665
665
666 #kallithea instance
666 #kallithea instance
667 ProxyPass / http://127.0.0.1:5000/
667 ProxyPass / http://127.0.0.1:5000/
668 ProxyPassReverse / http://127.0.0.1:5000/
668 ProxyPassReverse / http://127.0.0.1:5000/
669
669
670 #to enable https use line below
670 #to enable https use line below
671 #SetEnvIf X-Url-Scheme https HTTPS=1
671 #SetEnvIf X-Url-Scheme https HTTPS=1
672 </VirtualHost>
672 </VirtualHost>
673
673
674 Additional tutorial
674 Additional tutorial
675 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
675 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
676
676
677
677
678 Apache as subdirectory
678 Apache as subdirectory
679 ----------------------
679 ----------------------
680
680
681 Apache subdirectory part:
681 Apache subdirectory part:
682
682
683 .. code-block:: apache
683 .. code-block:: apache
684
684
685 <Location /<someprefix> >
685 <Location /<someprefix> >
686 ProxyPass http://127.0.0.1:5000/<someprefix>
686 ProxyPass http://127.0.0.1:5000/<someprefix>
687 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
687 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
688 SetEnvIf X-Url-Scheme https HTTPS=1
688 SetEnvIf X-Url-Scheme https HTTPS=1
689 </Location>
689 </Location>
690
690
691 Besides the regular apache setup you will need to add the following line
691 Besides the regular apache setup you will need to add the following line
692 into ``[app:main]`` section of your .ini file::
692 into ``[app:main]`` section of your .ini file::
693
693
694 filter-with = proxy-prefix
694 filter-with = proxy-prefix
695
695
696 Add the following at the end of the .ini file::
696 Add the following at the end of the .ini file::
697
697
698 [filter:proxy-prefix]
698 [filter:proxy-prefix]
699 use = egg:PasteDeploy#prefix
699 use = egg:PasteDeploy#prefix
700 prefix = /<someprefix>
700 prefix = /<someprefix>
701
701
702 then change ``<someprefix>`` into your chosen prefix
702 then change ``<someprefix>`` into your chosen prefix
703
703
704
704
705 Apache with mod_wsgi
705 Apache with mod_wsgi
706 --------------------
706 --------------------
707
707
708 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
708 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
709 that, you'll need to:
709 that, you'll need to:
710
710
711 - Install mod_wsgi. If using a Debian-based distro, you can install
711 - Install mod_wsgi. If using a Debian-based distro, you can install
712 the package libapache2-mod-wsgi::
712 the package libapache2-mod-wsgi::
713
713
714 aptitude install libapache2-mod-wsgi
714 aptitude install libapache2-mod-wsgi
715
715
716 - Enable mod_wsgi::
716 - Enable mod_wsgi::
717
717
718 a2enmod wsgi
718 a2enmod wsgi
719
719
720 - Create a wsgi dispatch script, like the one below. Make sure you
720 - Create a wsgi dispatch script, like the one below. Make sure you
721 check that the paths correctly point to where you installed Kallithea
721 check that the paths correctly point to where you installed Kallithea
722 and its Python Virtual Environment.
722 and its Python Virtual Environment.
723 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
723 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
724 as in the following example. Once again, check the paths are
724 as in the following example. Once again, check the paths are
725 correctly specified.
725 correctly specified.
726
726
727 Here is a sample excerpt from an Apache Virtual Host configuration file:
727 Here is a sample excerpt from an Apache Virtual Host configuration file:
728
728
729 .. code-block:: apache
729 .. code-block:: apache
730
730
731 WSGIDaemonProcess kallithea \
731 WSGIDaemonProcess kallithea \
732 processes=1 threads=4 \
732 processes=1 threads=4 \
733 python-path=/srv/kallithea/pyenv/lib/python2.7/site-packages
733 python-path=/srv/kallithea/venv/lib/python2.7/site-packages
734 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
734 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
735 WSGIPassAuthorization On
735 WSGIPassAuthorization On
736
736
737 Or if using a dispatcher WSGI script with proper virtualenv activation:
737 Or if using a dispatcher WSGI script with proper virtualenv activation:
738
738
739 .. code-block:: apache
739 .. code-block:: apache
740
740
741 WSGIDaemonProcess kallithea processes=1 threads=4
741 WSGIDaemonProcess kallithea processes=1 threads=4
742 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
742 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
743 WSGIPassAuthorization On
743 WSGIPassAuthorization On
744
744
745 .. note::
745 .. note::
746 When running apache as root, please make sure it doesn't run Kallithea as
746 When running apache as root, please make sure it doesn't run Kallithea as
747 root, for examply by adding: ``user=www-data group=www-data`` to the configuration.
747 root, for examply by adding: ``user=www-data group=www-data`` to the configuration.
748
748
749 .. note::
749 .. note::
750 If running Kallithea in multiprocess mode,
750 If running Kallithea in multiprocess mode,
751 make sure you set ``instance_id = *`` in the configuration so each process
751 make sure you set ``instance_id = *`` in the configuration so each process
752 gets it's own cache invalidation key.
752 gets it's own cache invalidation key.
753
753
754 Example WSGI dispatch script:
754 Example WSGI dispatch script:
755
755
756 .. code-block:: python
756 .. code-block:: python
757
757
758 import os
758 import os
759 os.environ["HGENCODING"] = "UTF-8"
759 os.environ["HGENCODING"] = "UTF-8"
760 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
760 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
761
761
762 # sometimes it's needed to set the curent dir
762 # sometimes it's needed to set the curent dir
763 os.chdir('/srv/kallithea/')
763 os.chdir('/srv/kallithea/')
764
764
765 import site
765 import site
766 site.addsitedir("/srv/kallithea/pyenv/lib/python2.7/site-packages")
766 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
767
767
768 from paste.deploy import loadapp
768 from paste.deploy import loadapp
769 from paste.script.util.logging_config import fileConfig
769 from paste.script.util.logging_config import fileConfig
770
770
771 fileConfig('/srv/kallithea/my.ini')
771 fileConfig('/srv/kallithea/my.ini')
772 application = loadapp('config:/srv/kallithea/my.ini')
772 application = loadapp('config:/srv/kallithea/my.ini')
773
773
774 Or using proper virtualenv activation:
774 Or using proper virtualenv activation:
775
775
776 .. code-block:: python
776 .. code-block:: python
777
777
778 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
778 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
779 execfile(activate_this, dict(__file__=activate_this))
779 execfile(activate_this, dict(__file__=activate_this))
780
780
781 import os
781 import os
782 os.environ['HOME'] = '/srv/kallithea'
782 os.environ['HOME'] = '/srv/kallithea'
783
783
784 ini = '/srv/kallithea/kallithea.ini'
784 ini = '/srv/kallithea/kallithea.ini'
785 from paste.script.util.logging_config import fileConfig
785 from paste.script.util.logging_config import fileConfig
786 fileConfig(ini)
786 fileConfig(ini)
787 from paste.deploy import loadapp
787 from paste.deploy import loadapp
788 application = loadapp('config:' + ini)
788 application = loadapp('config:' + ini)
789
789
790
790
791 Other configuration files
791 Other configuration files
792 -------------------------
792 -------------------------
793
793
794 A number of `example init.d scripts`__ can be found in
794 A number of `example init.d scripts`__ can be found in
795 the ``init.d`` directory of the Kallithea source.
795 the ``init.d`` directory of the Kallithea source.
796
796
797 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
797 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
798
798
799
799
800 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
800 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
801 .. _python: http://www.python.org/
801 .. _python: http://www.python.org/
802 .. _Mercurial: http://mercurial.selenic.com/
802 .. _Mercurial: http://mercurial.selenic.com/
803 .. _Celery: http://celeryproject.org/
803 .. _Celery: http://celeryproject.org/
804 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
804 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
805 .. _RabbitMQ: http://www.rabbitmq.com/
805 .. _RabbitMQ: http://www.rabbitmq.com/
806 .. _Redis: http://redis.io/
806 .. _Redis: http://redis.io/
807 .. _python-ldap: http://www.python-ldap.org/
807 .. _python-ldap: http://www.python-ldap.org/
808 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
808 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
809 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
809 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
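Review bot: The renamed paths at lines 733 and 766 (``python-path=/srv/kallithea/venv/lib/python2.7/site-packages`` and the matching ``site.addsitedir(...)`` call) will not exist on installations built from the earlier text, which still have a ``pyenv`` directory. Add a sentence near the mod_wsgi example telling readers to point both values at their actual virtualenv location. The rename itself is sound, since the ``activate_this`` example at line 778 already used ``/srv/kallithea/venv``. As this commit is about consistency, the two dispatch scripts could also agree on the ini file name (``/srv/kallithea/my.ini`` at lines 771-772 versus ``/srv/kallithea/kallithea.ini`` at line 784). The typos in the unchanged context ("examply" at line 747, "it's own" at line 752, "curent" at line 762) could be fixed in the same pass.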