Documentation: How to setup LDAP Filter when using Organisational Units.
Magnus Ericmats -
r3801:6bad83d2 beta
@@ -1,735 +1,742 b''
1 1 .. _setup:
2 2
3 3 =====
4 4 Setup
5 5 =====
6 6
7 7
8 8 Setting up RhodeCode
9 9 --------------------
10 10
11 11 First, you will need to create a RhodeCode configuration file. Run the
12 12 following command to do this::
13 13
14 14 paster make-config RhodeCode production.ini
15 15
16 16 - This will create the file `production.ini` in the current directory. This
17 17 configuration file contains the various settings for RhodeCode, e.g proxy
18 18 port, email settings, usage of static files, cache, celery settings and
19 19 logging.
20 20
21 21
22 22 Next, you need to create the databases used by RhodeCode. I recommend that you
23 23 use postgresql or sqlite (default). If you choose a database other than the
24 24 default ensure you properly adjust the db url in your production.ini
25 25 configuration file to use this other database. RhodeCode currently supports
26 26 postgresql, sqlite and mysql databases. Create the database by running
27 27 the following command::
28 28
29 29 paster setup-rhodecode production.ini
30 30
31 31 This will prompt you for a "root" path. This "root" path is the location where
32 32 RhodeCode will store all of its repositories on the current machine. After
33 33 entering this "root" path ``setup-rhodecode`` will also prompt you for a username
34 34 and password for the initial admin account which ``setup-rhodecode`` sets
35 35 up for you.
36 36
37 37 setup process can be fully automated, example for lazy::
38 38
39 39 paster setup-rhodecode production.ini --user=marcink --password=secret --email=marcin@rhodecode.org --repos=/home/marcink/my_repos
40 40
41 41
42 42 - The ``setup-rhodecode`` command will create all of the needed tables and an
43 43 admin account. When choosing a root path you can either use a new empty
44 44 location, or a location which already contains existing repositories. If you
45 45 choose a location which contains existing repositories RhodeCode will simply
46 46 add all of the repositories at the chosen location to it's database.
47 47 (Note: make sure you specify the correct path to the root).
48 48 - Note: the given path for mercurial_ repositories **must** be write accessible
49 49 for the application. It's very important since the RhodeCode web interface
50 50 will work without write access, but when trying to do a push it will
51 51 eventually fail with permission denied errors unless it has write access.
52 52
53 53 You are now ready to use RhodeCode, to run it simply execute::
54 54
55 55 paster serve production.ini
56 56
57 57 - This command runs the RhodeCode server. The web app should be available at the
58 58 127.0.0.1:5000. This ip and port is configurable via the production.ini
59 59 file created in previous step
60 60 - Use the admin account you created above when running ``setup-rhodecode``
61 61 to login to the web app.
62 62 - The default permissions on each repository is read, and the owner is admin.
63 63 Remember to update these if needed.
64 64 - In the admin panel you can toggle ldap, anonymous, permissions settings. As
65 65 well as edit more advanced options on users and repositories
66 66
67 67 Optionally users can create `rcextensions` package that extends RhodeCode
68 68 functionality. To do this simply execute::
69 69
70 70 paster make-rcext production.ini
71 71
72 72 This will create `rcextensions` package in the same place that your `ini` file
73 73 lives. With `rcextensions` it's possible to add additional mapping for whoosh,
74 74 stats and add additional code into the push/pull/create/delete repo hooks.
75 75 For example for sending signals to build-bots such as jenkins.
76 76 Please see the `__init__.py` file inside `rcextensions` package
77 77 for more details.
78 78
79 79
80 80 Using RhodeCode with SSH
81 81 ------------------------
82 82
83 83 RhodeCode currently only hosts repositories using http and https. (The addition
84 84 of ssh hosting is a planned future feature.) However you can easily use ssh in
85 85 parallel with RhodeCode. (Repository access via ssh is a standard "out of
86 86 the box" feature of mercurial_ and you can use this to access any of the
87 87 repositories that RhodeCode is hosting. See PublishingRepositories_)
88 88
89 89 RhodeCode repository structures are kept in directories with the same name
90 90 as the project. When using repository groups, each group is a subdirectory.
91 91 This allows you to easily use ssh for accessing repositories.
92 92
93 93 In order to use ssh you need to make sure that your web-server and the users
94 94 login accounts have the correct permissions set on the appropriate directories.
95 95 (Note that these permissions are independent of any permissions you have set up
96 96 using the RhodeCode web interface.)
97 97
98 98 If your main directory (the same as set in RhodeCode settings) is for example
99 99 set to **/home/hg** and the repository you are using is named `rhodecode`, then
100 100 to clone via ssh you should run::
101 101
102 102 hg clone ssh://user@server.com/home/hg/rhodecode
103 103
104 104 Using other external tools such as mercurial-server_ or using ssh key based
105 105 authentication is fully supported.
106 106
107 107 Note: In an advanced setup, in order for your ssh access to use the same
108 108 permissions as set up via the RhodeCode web interface, you can create an
109 109 authentication hook to connect to the rhodecode db and runs check functions for
110 110 permissions against that.
111 111
112 112 Setting up Whoosh full text search
113 113 ----------------------------------
114 114
115 115 Starting from version 1.1 the whoosh index can be build by using the paster
116 116 command ``make-index``. To use ``make-index`` you must specify the configuration
117 117 file that stores the location of the index. You may specify the location of the
118 118 repositories (`--repo-location`). If not specified, this value is retrieved
119 119 from the RhodeCode database. This was required prior to 1.2. Starting from
120 120 version 1.2 it is also possible to specify a comma separated list of
121 121 repositories (`--index-only`) to build index only on chooses repositories
122 122 skipping any other found in repos location
123 123
124 124 You may optionally pass the option `-f` to enable a full index rebuild. Without
125 125 the `-f` option, indexing will run always in "incremental" mode.
126 126
127 127 For an incremental index build use::
128 128
129 129 paster make-index production.ini
130 130
131 131 For a full index rebuild use::
132 132
133 133 paster make-index production.ini -f
134 134
135 135
136 136 building index just for chosen repositories is possible with such command::
137 137
138 138 paster make-index production.ini --index-only=vcs,rhodecode
139 139
140 140
141 141 In order to do periodical index builds and keep your index always up to date.
142 142 It's recommended to do a crontab entry for incremental indexing.
143 143 An example entry might look like this::
144 144
145 145 /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini
146 146
147 147 When using incremental mode (the default) whoosh will check the last
148 148 modification date of each file and add it to be reindexed if a newer file is
149 149 available. The indexing daemon checks for any removed files and removes them
150 150 from index.
151 151
152 152 If you want to rebuild index from scratch, you can use the `-f` flag as above,
153 153 or in the admin panel you can check `build from scratch` flag.
154 154
155 155
156 156 Setting up LDAP support
157 157 -----------------------
158 158
159 159 RhodeCode starting from version 1.1 supports ldap authentication. In order
160 160 to use LDAP, you have to install the python-ldap_ package. This package is
161 161 available via pypi, so you can install it by running
162 162
163 163 using easy_install::
164 164
165 165 easy_install python-ldap
166 166
167 167 using pip::
168 168
169 169 pip install python-ldap
170 170
171 171 .. note::
172 172 python-ldap requires some certain libs on your system, so before installing
173 173 it check that you have at least `openldap`, and `sasl` libraries.
174 174
175 175 LDAP settings are located in admin->ldap section,
176 176
177 177 Here's a typical ldap setup::
178 178
179 179 Connection settings
180 180 Enable LDAP = checked
181 181 Host = host.example.org
182 182 Port = 389
183 183 Account = <account>
184 184 Password = <password>
185 185 Connection Security = LDAPS connection
186 186 Certificate Checks = DEMAND
187 187
188 188 Search settings
189 189 Base DN = CN=users,DC=host,DC=example,DC=org
190 190 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
191 191 LDAP Search Scope = SUBTREE
192 192
193 193 Attribute mappings
194 194 Login Attribute = uid
195 195 First Name Attribute = firstName
196 196 Last Name Attribute = lastName
197 197 E-mail Attribute = mail
198 198
199 If your user groups are placed in a Organisation Unit (OU) structure the Search Settings configuration differs::
200
201 Search settings
202 Base DN = DC=host,DC=example,DC=org
203 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
204 LDAP Search Scope = SUBTREE
205
199 206 .. _enable_ldap:
200 207
201 208 Enable LDAP : required
202 209 Whether to use LDAP for authenticating users.
203 210
204 211 .. _ldap_host:
205 212
206 213 Host : required
207 214 LDAP server hostname or IP address. Can be also a comma separated
208 215 list of servers to support LDAP fail-over.
209 216
210 217 .. _Port:
211 218
212 219 Port : required
213 220 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
214 221
215 222 .. _ldap_account:
216 223
217 224 Account : optional
218 225 Only required if the LDAP server does not allow anonymous browsing of
219 226 records. This should be a special account for record browsing. This
220 227 will require `LDAP Password`_ below.
221 228
222 229 .. _LDAP Password:
223 230
224 231 Password : optional
225 232 Only required if the LDAP server does not allow anonymous browsing of
226 233 records.
227 234
228 235 .. _Enable LDAPS:
229 236
230 237 Connection Security : required
231 238 Defines the connection to LDAP server
232 239
233 240 No encryption
234 241 Plain non encrypted connection
235 242
236 243 LDAPS connection
237 244 Enable ldaps connection. It will likely require `Port`_ to be set to
238 245 a different value (standard LDAPS port is 636). When LDAPS is enabled
239 246 then `Certificate Checks`_ is required.
240 247
241 248 START_TLS on LDAP connection
242 249 START TLS connection
243 250
244 251 .. _Certificate Checks:
245 252
246 253 Certificate Checks : optional
247 254 How SSL certificates verification is handled - this is only useful when
248 255 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
249 256 while the other options are susceptible to man-in-the-middle attacks. SSL
250 257 certificates can be installed to /etc/openldap/cacerts so that the
251 258 DEMAND or HARD options can be used with self-signed certificates or
252 259 certificates that do not have traceable certificates of authority.
253 260
254 261 NEVER
255 262 A serve certificate will never be requested or checked.
256 263
257 264 ALLOW
258 265 A server certificate is requested. Failure to provide a
259 266 certificate or providing a bad certificate will not terminate the
260 267 session.
261 268
262 269 TRY
263 270 A server certificate is requested. Failure to provide a
264 271 certificate does not halt the session; providing a bad certificate
265 272 halts the session.
266 273
267 274 DEMAND
268 275 A server certificate is requested and must be provided and
269 276 authenticated for the session to proceed.
270 277
271 278 HARD
272 279 The same as DEMAND.
273 280
274 281 .. _Base DN:
275 282
276 283 Base DN : required
277 284 The Distinguished Name (DN) where searches for users will be performed.
278 285 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
279 286
280 287 .. _LDAP Filter:
281 288
282 289 LDAP Filter : optional
283 290 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
284 291 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
285 292 which LDAP objects are identified as representing Users for
286 293 authentication. The filter is augmented by `Login Attribute`_ below.
287 294 This can commonly be left blank.
288 295
289 296 .. _LDAP Search Scope:
290 297
291 298 LDAP Search Scope : required
292 299 This limits how far LDAP will search for a matching object.
293 300
294 301 BASE
295 302 Only allows searching of `Base DN`_ and is usually not what you
296 303 want.
297 304
298 305 ONELEVEL
299 306 Searches all entries under `Base DN`_, but not Base DN itself.
300 307
301 308 SUBTREE
302 309 Searches all entries below `Base DN`_, but not Base DN itself.
303 310 When using SUBTREE `LDAP Filter`_ is useful to limit object
304 311 location.
305 312
306 313 .. _Login Attribute:
307 314
308 315 Login Attribute : required
309 316 The LDAP record attribute that will be matched as the USERNAME or
310 317 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
311 318 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
312 319 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
313 320 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
314 321 ::
315 322
316 323 (&(LDAPFILTER)(uid=jsmith))
317 324
318 325 .. _ldap_attr_firstname:
319 326
320 327 First Name Attribute : required
321 328 The LDAP record attribute which represents the user's first name.
322 329
323 330 .. _ldap_attr_lastname:
324 331
325 332 Last Name Attribute : required
326 333 The LDAP record attribute which represents the user's last name.
327 334
328 335 .. _ldap_attr_email:
329 336
330 337 Email Attribute : required
331 338 The LDAP record attribute which represents the user's email address.
332 339
333 340 If all data are entered correctly, and python-ldap_ is properly installed
334 341 users should be granted access to RhodeCode with ldap accounts. At this
335 342 time user information is copied from LDAP into the RhodeCode user database.
336 343 This means that updates of an LDAP user object may not be reflected as a
337 344 user update in RhodeCode.
338 345
339 346 If You have problems with LDAP access and believe You entered correct
340 347 information check out the RhodeCode logs, any error messages sent from LDAP
341 348 will be saved there.
342 349
343 350 Active Directory
344 351 ''''''''''''''''
345 352
346 353 RhodeCode can use Microsoft Active Directory for user authentication. This
347 354 is done through an LDAP or LDAPS connection to Active Directory. The
348 355 following LDAP configuration settings are typical for using Active
349 356 Directory ::
350 357
351 358 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
352 359 Login Attribute = sAMAccountName
353 360 First Name Attribute = givenName
354 361 Last Name Attribute = sn
355 362 E-mail Attribute = mail
356 363
357 364 All other LDAP settings will likely be site-specific and should be
358 365 appropriately configured.
359 366
360 367
361 368 Authentication by container or reverse-proxy
362 369 --------------------------------------------
363 370
364 371 Starting with version 1.3, RhodeCode supports delegating the authentication
365 372 of users to its WSGI container, or to a reverse-proxy server through which all
366 373 clients access the application.
367 374
368 375 When these authentication methods are enabled in RhodeCode, it uses the
369 376 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't
370 377 perform the authentication itself. The authorization, however, is still done by
371 378 RhodeCode according to its settings.
372 379
373 380 When a user logs in for the first time using these authentication methods,
374 381 a matching user account is created in RhodeCode with default permissions. An
375 382 administrator can then modify it using RhodeCode's admin interface.
376 383 It's also possible for an administrator to create accounts and configure their
377 384 permissions before the user logs in for the first time.
378 385
379 386 Container-based authentication
380 387 ''''''''''''''''''''''''''''''
381 388
382 389 In a container-based authentication setup, RhodeCode reads the user name from
383 390 the ``REMOTE_USER`` server variable provided by the WSGI container.
384 391
385 392 After setting up your container (see `Apache's WSGI config`_), you'd need
386 393 to configure it to require authentication on the location configured for
387 394 RhodeCode.
388 395
389 396 In order for RhodeCode to start using the provided username, you should set the
390 397 following in the [app:main] section of your .ini file::
391 398
392 399 container_auth_enabled = true
393 400
394 401
395 402 Proxy pass-through authentication
396 403 '''''''''''''''''''''''''''''''''
397 404
398 405 In a proxy pass-through authentication setup, RhodeCode reads the user name
399 406 from the ``X-Forwarded-User`` request header, which should be configured to be
400 407 sent by the reverse-proxy server.
401 408
402 409 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
403 410 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to
404 411 configure the authentication and add the username in a request header named
405 412 ``X-Forwarded-User``.
406 413
407 414 For example, the following config section for Apache sets a subdirectory in a
408 415 reverse-proxy setup with basic auth::
409 416
410 417 <Location /<someprefix> >
411 418 ProxyPass http://127.0.0.1:5000/<someprefix>
412 419 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
413 420 SetEnvIf X-Url-Scheme https HTTPS=1
414 421
415 422 AuthType Basic
416 423 AuthName "RhodeCode authentication"
417 424 AuthUserFile /home/web/rhodecode/.htpasswd
418 425 require valid-user
419 426
420 427 RequestHeader unset X-Forwarded-User
421 428
422 429 RewriteEngine On
423 430 RewriteCond %{LA-U:REMOTE_USER} (.+)
424 431 RewriteRule .* - [E=RU:%1]
425 432 RequestHeader set X-Forwarded-User %{RU}e
426 433 </Location>
427 434
428 435 In order for RhodeCode to start using the forwarded username, you should set
429 436 the following in the [app:main] section of your .ini file::
430 437
431 438 proxypass_auth_enabled = true
432 439
433 440 .. note::
434 441 If you enable proxy pass-through authentication, make sure your server is
435 442 only accessible through the proxy. Otherwise, any client would be able to
436 443 forge the authentication header and could effectively become authenticated
437 444 using any account of their liking.
438 445
439 446 Integration with Issue trackers
440 447 -------------------------------
441 448
442 449 RhodeCode provides a simple integration with issue trackers. It's possible
443 450 to define a regular expression that will fetch issue id stored in commit
444 451 messages and replace that with an url to this issue. To enable this simply
445 452 uncomment following variables in the ini file::
446 453
447 454 url_pat = (?:^#|\s#)(\w+)
448 455 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
449 456 issue_prefix = #
450 457
451 458 `url_pat` is the regular expression that will fetch issues from commit messages.
452 459 Default regex will match issues in format of #<number> eg. #300.
453 460
454 461 Matched issues will be replace with the link specified as `issue_server_link`
455 462 {id} will be replaced with issue id, and {repo} with repository name.
456 463 Since the # is striped `issue_prefix` is added as a prefix to url.
457 464 `issue_prefix` can be something different than # if you pass
458 465 ISSUE- as issue prefix this will generate an url in format::
459 466
460 467 <a href="https://myissueserver.com/example_repo/issue/300">ISSUE-300</a>
461 468
462 469 Hook management
463 470 ---------------
464 471
465 472 Hooks can be managed in similar way to this used in .hgrc files.
466 473 To access hooks setting click `advanced setup` on Hooks section of Mercurial
467 474 Settings in Admin.
468 475
469 476 There are 4 built in hooks that cannot be changed (only enable/disable by
470 477 checkboxes on previos section).
471 478 To add another custom hook simply fill in first section with
472 479 <name>.<hook_type> and the second one with hook path. Example hooks
473 480 can be found at *rhodecode.lib.hooks*.
474 481
475 482
476 483 Changing default encoding
477 484 -------------------------
478 485
479 486 By default RhodeCode uses utf8 encoding, starting from 1.3 series this
480 487 can be changed, simply edit default_encoding in .ini file to desired one.
481 488 This affects many parts in rhodecode including committers names, filenames,
482 489 encoding of commit messages. In addition RhodeCode can detect if `chardet`
483 490 library is installed. If `chardet` is detected RhodeCode will fallback to it
484 491 when there are encode/decode errors.
485 492
486 493
487 494 Setting Up Celery
488 495 -----------------
489 496
490 497 Since version 1.1 celery is configured by the rhodecode ini configuration files.
491 498 Simply set use_celery=true in the ini file then add / change the configuration
492 499 variables inside the ini file.
493 500
494 501 Remember that the ini files use the format with '.' not with '_' like celery.
495 502 So for example setting `BROKER_HOST` in celery means setting `broker.host` in
496 503 the config file.
497 504
498 505 In order to start using celery run::
499 506
500 507 paster celeryd <configfile.ini>
501 508
502 509
503 510 .. note::
504 511 Make sure you run this command from the same virtualenv, and with the same
505 512 user that rhodecode runs.
506 513
507 514 HTTPS support
508 515 -------------
509 516
510 517 There are two ways to enable https:
511 518
512 519 - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will
513 520 recognize this headers and make proper https redirections
514 521 - Alternatively, change the `force_https = true` flag in the ini configuration
515 522 to force using https, no headers are needed than to enable https
516 523
517 524
518 525 Nginx virtual host example
519 526 --------------------------
520 527
521 528 Sample config for nginx using proxy::
522 529
523 530 upstream rc {
524 531 server 127.0.0.1:5000;
525 532 # add more instances for load balancing
526 533 #server 127.0.0.1:5001;
527 534 #server 127.0.0.1:5002;
528 535 }
529 536
530 537 server {
531 538 listen 443;
532 539 server_name rhodecode.myserver.com;
533 540 access_log /var/log/nginx/rhodecode.access.log;
534 541 error_log /var/log/nginx/rhodecode.error.log;
535 542
536 543 ssl on;
537 544 ssl_certificate rhodecode.myserver.com.crt;
538 545 ssl_certificate_key rhodecode.myserver.com.key;
539 546
540 547 ssl_session_timeout 5m;
541 548
542 549 ssl_protocols SSLv3 TLSv1;
543 550 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
544 551 ssl_prefer_server_ciphers on;
545 552
546 553 # uncomment if you have nginx with chunking module compiled
547 554 # fixes the issues of having to put postBuffer data for large git
548 555 # pushes
549 556 #chunkin on;
550 557 #error_page 411 = @my_411_error;
551 558 #location @my_411_error {
552 559 # chunkin_resume;
553 560 #}
554 561
555 562 # uncomment if you want to serve static files by nginx
556 563 #root /path/to/installation/rhodecode/public;
557 564
558 565 location / {
559 566 try_files $uri @rhode;
560 567 }
561 568
562 569 location @rhode {
563 570 proxy_pass http://rc;
564 571 include /etc/nginx/proxy.conf;
565 572 }
566 573
567 574 }
568 575
569 576 Here's the proxy.conf. It's tuned so it will not timeout on long
570 577 pushes or large pushes::
571 578
572 579 proxy_redirect off;
573 580 proxy_set_header Host $host;
574 581 proxy_set_header X-Url-Scheme $scheme;
575 582 proxy_set_header X-Host $http_host;
576 583 proxy_set_header X-Real-IP $remote_addr;
577 584 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
578 585 proxy_set_header Proxy-host $proxy_host;
579 586 client_max_body_size 400m;
580 587 client_body_buffer_size 128k;
581 588 proxy_buffering off;
582 589 proxy_connect_timeout 7200;
583 590 proxy_send_timeout 7200;
584 591 proxy_read_timeout 7200;
585 592 proxy_buffers 8 32k;
586 593
587 594 Also, when using root path with nginx you might set the static files to false
588 595 in the production.ini file::
589 596
590 597 [app:main]
591 598 use = egg:rhodecode
592 599 full_stack = true
593 600 static_files = false
594 601 lang=en
595 602 cache_dir = %(here)s/data
596 603
597 604 In order to not have the statics served by the application. This improves speed.
598 605
599 606
600 607 Apache virtual host reverse proxy example
601 608 -----------------------------------------
602 609
603 610 Here is a sample configuration file for apache using proxy::
604 611
605 612 <VirtualHost *:80>
606 613 ServerName hg.myserver.com
607 614 ServerAlias hg.myserver.com
608 615
609 616 <Proxy *>
610 617 Order allow,deny
611 618 Allow from all
612 619 </Proxy>
613 620
614 621 #important !
615 622 #Directive to properly generate url (clone url) for pylons
616 623 ProxyPreserveHost On
617 624
618 625 #rhodecode instance
619 626 ProxyPass / http://127.0.0.1:5000/
620 627 ProxyPassReverse / http://127.0.0.1:5000/
621 628
622 629 #to enable https use line below
623 630 #SetEnvIf X-Url-Scheme https HTTPS=1
624 631
625 632 </VirtualHost>
626 633
627 634
628 635 Additional tutorial
629 636 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
630 637
631 638
632 639 Apache as subdirectory
633 640 ----------------------
634 641
635 642 Apache subdirectory part::
636 643
637 644 <Location /<someprefix> >
638 645 ProxyPass http://127.0.0.1:5000/<someprefix>
639 646 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
640 647 SetEnvIf X-Url-Scheme https HTTPS=1
641 648 </Location>
642 649
643 650 Besides the regular apache setup you will need to add the following line
644 651 into [app:main] section of your .ini file::
645 652
646 653 filter-with = proxy-prefix
647 654
648 655 Add the following at the end of the .ini file::
649 656
650 657 [filter:proxy-prefix]
651 658 use = egg:PasteDeploy#prefix
652 659 prefix = /<someprefix>
653 660
654 661
655 662 then change <someprefix> into your chosen prefix
656 663
657 664 Apache's WSGI config
658 665 --------------------
659 666
660 667 Alternatively, RhodeCode can be set up with Apache under mod_wsgi. For
661 668 that, you'll need to:
662 669
663 670 - Install mod_wsgi. If using a Debian-based distro, you can install
664 671 the package libapache2-mod-wsgi::
665 672
666 673 aptitude install libapache2-mod-wsgi
667 674
668 675 - Enable mod_wsgi::
669 676
670 677 a2enmod wsgi
671 678
672 679 - Create a wsgi dispatch script, like the one below. Make sure you
673 680 check the paths correctly point to where you installed RhodeCode
674 681 and its Python Virtual Environment.
675 682 - Enable the WSGIScriptAlias directive for the wsgi dispatch script,
676 683 as in the following example. Once again, check the paths are
677 684 correctly specified.
678 685
679 686 Here is a sample excerpt from an Apache Virtual Host configuration file::
680 687
681 688 WSGIDaemonProcess pylons \
682 689 threads=4 \
683 690 python-path=/home/web/rhodecode/pyenv/lib/python2.6/site-packages
684 691 WSGIScriptAlias / /home/web/rhodecode/dispatch.wsgi
685 692 WSGIPassAuthorization On
686 693
687 694 .. note::
688 695 when running apache as root please add: `user=www-data group=www-data`
689 696 into above configuration
690 697
691 698 .. note::
692 699 Running RhodeCode in multiprocess mode in apache is not supported,
693 700 make sure you don't specify `processes=num` directive in the config
694 701
695 702
696 703 Example wsgi dispatch script::
697 704
698 705 import os
699 706 os.environ["HGENCODING"] = "UTF-8"
700 707 os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache'
701 708
702 709 # sometimes it's needed to set the curent dir
703 710 os.chdir('/home/web/rhodecode/')
704 711
705 712 import site
706 713 site.addsitedir("/home/web/rhodecode/pyenv/lib/python2.6/site-packages")
707 714
708 715 from paste.deploy import loadapp
709 716 from paste.script.util.logging_config import fileConfig
710 717
711 718 fileConfig('/home/web/rhodecode/production.ini')
712 719 application = loadapp('config:/home/web/rhodecode/production.ini')
713 720
714 721 Note: when using mod_wsgi you'll need to install the same version of
715 722 Mercurial that's inside RhodeCode's virtualenv also on the system's Python
716 723 environment.
717 724
718 725
719 726 Other configuration files
720 727 -------------------------
721 728
722 729 Some example init.d scripts can be found in init.d directory::
723 730
724 731 https://secure.rhodecode.org/rhodecode/files/beta/init.d
725 732
726 733 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
727 734 .. _python: http://www.python.org/
728 735 .. _mercurial: http://mercurial.selenic.com/
729 736 .. _celery: http://celeryproject.org/
730 737 .. _rabbitmq: http://www.rabbitmq.com/
731 738 .. _python-ldap: http://www.python-ldap.org/
732 739 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
733 740 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
734 741 .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues
735 742 .. _google group rhodecode: http://groups.google.com/group/rhodecode
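Review bot: The OU filter added at new line 203 matches on (objectClass=user) but drops the (!(objectClass=computer)) exclusion that the typical setup at new line 190 carries, so the two examples in "Setting up LDAP support" no longer agree on which objects count as users. Because the Base DN at new line 202 is widened to DC=host,DC=example,DC=org with SUBTREE scope, the filter is the only thing narrowing who can authenticate. Suggest keeping the exclusion, e.g. (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user)(!(objectClass=computer))), and adding a sentence that the filter must not be left empty in this layout, since the LDAP Filter field description further down still says it "can commonly be left blank". Two wording points on new line 199: "a Organisation Unit" should read "an Organisational Unit" to match the commit title, and "your user group" would read better as a marked placeholder in the <account> style used at new line 183.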