docs/setup: heading whitespace cleanup...
Thomas De Schampheleire -
r6687:793ea782 default
@@ -1,892 +1,893 b''
1 .. _setup:
1 .. _setup:
2
2
3 =====
3 =====
4 Setup
4 Setup
5 =====
5 =====
6
6
7
7
8 Setting up Kallithea
8 Setting up Kallithea
9 --------------------
9 --------------------
10
10
11 First, you will need to create a Kallithea configuration file. Run the
11 First, you will need to create a Kallithea configuration file. Run the
12 following command to do so::
12 following command to do so::
13
13
14 gearbox make-config my.ini
14 gearbox make-config my.ini
15
15
16 This will create the file ``my.ini`` in the current directory. This
16 This will create the file ``my.ini`` in the current directory. This
17 configuration file contains the various settings for Kallithea, e.g.
17 configuration file contains the various settings for Kallithea, e.g.
18 proxy port, email settings, usage of static files, cache, Celery
18 proxy port, email settings, usage of static files, cache, Celery
19 settings, and logging.
19 settings, and logging.
20
20
21 Next, you need to create the databases used by Kallithea. It is recommended to
21 Next, you need to create the databases used by Kallithea. It is recommended to
22 use PostgreSQL or SQLite (default). If you choose a database other than the
22 use PostgreSQL or SQLite (default). If you choose a database other than the
23 default, ensure you properly adjust the database URL in your ``my.ini``
23 default, ensure you properly adjust the database URL in your ``my.ini``
24 configuration file to use this other database. Kallithea currently supports
24 configuration file to use this other database. Kallithea currently supports
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 the following command::
26 the following command::
27
27
28 gearbox setup-db -c my.ini
28 gearbox setup-db -c my.ini
29
29
30 This will prompt you for a "root" path. This "root" path is the location where
30 This will prompt you for a "root" path. This "root" path is the location where
31 Kallithea will store all of its repositories on the current machine. After
31 Kallithea will store all of its repositories on the current machine. After
32 entering this "root" path ``setup-db`` will also prompt you for a username
32 entering this "root" path ``setup-db`` will also prompt you for a username
33 and password for the initial admin account which ``setup-db`` sets
33 and password for the initial admin account which ``setup-db`` sets
34 up for you.
34 up for you.
35
35
36 The ``setup-db`` values can also be given on the command line.
36 The ``setup-db`` values can also be given on the command line.
37 Example::
37 Example::
38
38
39 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
39 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40
40
41 The ``setup-db`` command will create all needed tables and an
41 The ``setup-db`` command will create all needed tables and an
42 admin account. When choosing a root path you can either use a new
42 admin account. When choosing a root path you can either use a new
43 empty location, or a location which already contains existing
43 empty location, or a location which already contains existing
44 repositories. If you choose a location which contains existing
44 repositories. If you choose a location which contains existing
45 repositories Kallithea will add all of the repositories at the chosen
45 repositories Kallithea will add all of the repositories at the chosen
46 location to its database. (Note: make sure you specify the correct
46 location to its database. (Note: make sure you specify the correct
47 path to the root).
47 path to the root).
48
48
49 .. note:: the given path for Mercurial_ repositories **must** be write
49 .. note:: the given path for Mercurial_ repositories **must** be write
50 accessible for the application. It's very important since
50 accessible for the application. It's very important since
51 the Kallithea web interface will work without write access,
51 the Kallithea web interface will work without write access,
52 but when trying to do a push it will fail with permission
52 but when trying to do a push it will fail with permission
53 denied errors unless it has write access.
53 denied errors unless it has write access.
54
54
55 You are now ready to use Kallithea. To run it simply execute::
55 You are now ready to use Kallithea. To run it simply execute::
56
56
57 gearbox serve -c my.ini
57 gearbox serve -c my.ini
58
58
59 - This command runs the Kallithea server. The web app should be available at
59 - This command runs the Kallithea server. The web app should be available at
60 http://127.0.0.1:5000. The IP address and port is configurable via the
60 http://127.0.0.1:5000. The IP address and port is configurable via the
61 configuration file created in the previous step.
61 configuration file created in the previous step.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 - The default permissions on each repository is read, and the owner is admin.
63 - The default permissions on each repository is read, and the owner is admin.
64 Remember to update these if needed.
64 Remember to update these if needed.
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 settings, as well as edit more advanced options on users and
66 settings, as well as edit more advanced options on users and
67 repositories.
67 repositories.
68
68
69
69
70 Internationalization (i18n support)
70 Internationalization (i18n support)
71 -----------------------------------
71 -----------------------------------
72
72 The Kallithea web interface is automatically displayed in the user's preferred
73 The Kallithea web interface is automatically displayed in the user's preferred
73 language, as indicated by the browser. Thus, different users may see the
74 language, as indicated by the browser. Thus, different users may see the
74 application in different languages. If the requested language is not available
75 application in different languages. If the requested language is not available
75 (because the translation file for that language does not yet exist or is
76 (because the translation file for that language does not yet exist or is
76 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
77 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
77 configuration file is used as fallback. If no fallback language is explicitly
78 configuration file is used as fallback. If no fallback language is explicitly
78 specified, English is used.
79 specified, English is used.
79
80
80 If you want to disable automatic language detection and instead configure a
81 If you want to disable automatic language detection and instead configure a
81 fixed language regardless of user preference, set ``i18n.enabled = false`` and
82 fixed language regardless of user preference, set ``i18n.enabled = false`` and
82 set ``i18n.lang`` to the desired language (or leave empty for English).
83 set ``i18n.lang`` to the desired language (or leave empty for English).
83
84
84
85
85 Using Kallithea with SSH
86 Using Kallithea with SSH
86 ------------------------
87 ------------------------
87
88
88 Kallithea currently only hosts repositories using http and https. (The addition
89 Kallithea currently only hosts repositories using http and https. (The addition
89 of ssh hosting is a planned future feature.) However you can easily use ssh in
90 of ssh hosting is a planned future feature.) However you can easily use ssh in
90 parallel with Kallithea. (Repository access via ssh is a standard "out of
91 parallel with Kallithea. (Repository access via ssh is a standard "out of
91 the box" feature of Mercurial_ and you can use this to access any of the
92 the box" feature of Mercurial_ and you can use this to access any of the
92 repositories that Kallithea is hosting. See PublishingRepositories_)
93 repositories that Kallithea is hosting. See PublishingRepositories_)
93
94
94 Kallithea repository structures are kept in directories with the same name
95 Kallithea repository structures are kept in directories with the same name
95 as the project. When using repository groups, each group is a subdirectory.
96 as the project. When using repository groups, each group is a subdirectory.
96 This allows you to easily use ssh for accessing repositories.
97 This allows you to easily use ssh for accessing repositories.
97
98
98 In order to use ssh you need to make sure that your web server and the users'
99 In order to use ssh you need to make sure that your web server and the users'
99 login accounts have the correct permissions set on the appropriate directories.
100 login accounts have the correct permissions set on the appropriate directories.
100
101
101 .. note:: These permissions are independent of any permissions you
102 .. note:: These permissions are independent of any permissions you
102 have set up using the Kallithea web interface.
103 have set up using the Kallithea web interface.
103
104
104 If your main directory (the same as set in Kallithea settings) is for
105 If your main directory (the same as set in Kallithea settings) is for
105 example set to ``/srv/repos`` and the repository you are using is
106 example set to ``/srv/repos`` and the repository you are using is
106 named ``kallithea``, then to clone via ssh you should run::
107 named ``kallithea``, then to clone via ssh you should run::
107
108
108 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
109 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
109
110
110 Using other external tools such as mercurial-server_ or using ssh key-based
111 Using other external tools such as mercurial-server_ or using ssh key-based
111 authentication is fully supported.
112 authentication is fully supported.
112
113
113 .. note:: In an advanced setup, in order for your ssh access to use
114 .. note:: In an advanced setup, in order for your ssh access to use
114 the same permissions as set up via the Kallithea web
115 the same permissions as set up via the Kallithea web
115 interface, you can create an authentication hook to connect
116 interface, you can create an authentication hook to connect
116 to the Kallithea db and run check functions for permissions
117 to the Kallithea db and run check functions for permissions
117 against that.
118 against that.
118
119
119
120
120 Setting up Whoosh full text search
121 Setting up Whoosh full text search
121 ----------------------------------
122 ----------------------------------
122
123
123 Kallithea provides full text search of repositories using `Whoosh`__.
124 Kallithea provides full text search of repositories using `Whoosh`__.
124
125
125 .. __: https://pythonhosted.org/Whoosh/
126 .. __: https://pythonhosted.org/Whoosh/
126
127
127 For an incremental index build, run::
128 For an incremental index build, run::
128
129
129 gearbox make-index -c my.ini
130 gearbox make-index -c my.ini
130
131
131 For a full index rebuild, run::
132 For a full index rebuild, run::
132
133
133 gearbox make-index -c my.ini -f
134 gearbox make-index -c my.ini -f
134
135
135 The ``--repo-location`` option allows the location of the repositories to be overridden;
136 The ``--repo-location`` option allows the location of the repositories to be overridden;
136 usually, the location is retrieved from the Kallithea database.
137 usually, the location is retrieved from the Kallithea database.
137
138
138 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
139 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
139
140
140 gearbox make-index -c my.ini --index-only=vcs,kallithea
141 gearbox make-index -c my.ini --index-only=vcs,kallithea
141
142
142 To keep your index up-to-date it is necessary to do periodic index builds;
143 To keep your index up-to-date it is necessary to do periodic index builds;
143 for this, it is recommended to use a crontab entry. Example::
144 for this, it is recommended to use a crontab entry. Example::
144
145
145 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
146 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
146
147
147 When using incremental mode (the default), Whoosh will check the last
148 When using incremental mode (the default), Whoosh will check the last
148 modification date of each file and add it to be reindexed if a newer file is
149 modification date of each file and add it to be reindexed if a newer file is
149 available. The indexing daemon checks for any removed files and removes them
150 available. The indexing daemon checks for any removed files and removes them
150 from index.
151 from index.
151
152
152 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
153 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
153 or in the admin panel you can check the "build from scratch" checkbox.
154 or in the admin panel you can check the "build from scratch" checkbox.
154
155
155 .. _ldap-setup:
156 .. _ldap-setup:
156
157
157
158
158 Setting up LDAP support
159 Setting up LDAP support
159 -----------------------
160 -----------------------
160
161
161 Kallithea supports LDAP authentication. In order
162 Kallithea supports LDAP authentication. In order
162 to use LDAP, you have to install the python-ldap_ package. This package is
163 to use LDAP, you have to install the python-ldap_ package. This package is
163 available via PyPI, so you can install it by running::
164 available via PyPI, so you can install it by running::
164
165
165 pip install python-ldap
166 pip install python-ldap
166
167
167 .. note:: ``python-ldap`` requires some libraries to be installed on
168 .. note:: ``python-ldap`` requires some libraries to be installed on
168 your system, so before installing it check that you have at
169 your system, so before installing it check that you have at
169 least the ``openldap`` and ``sasl`` libraries.
170 least the ``openldap`` and ``sasl`` libraries.
170
171
171 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
172 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
172 and then *Save*, to enable the LDAP plugin and configure its settings.
173 and then *Save*, to enable the LDAP plugin and configure its settings.
173
174
174 Here's a typical LDAP setup::
175 Here's a typical LDAP setup::
175
176
176 Connection settings
177 Connection settings
177 Enable LDAP = checked
178 Enable LDAP = checked
178 Host = host.example.com
179 Host = host.example.com
179 Account = <account>
180 Account = <account>
180 Password = <password>
181 Password = <password>
181 Connection Security = LDAPS
182 Connection Security = LDAPS
182 Certificate Checks = DEMAND
183 Certificate Checks = DEMAND
183
184
184 Search settings
185 Search settings
185 Base DN = CN=users,DC=host,DC=example,DC=org
186 Base DN = CN=users,DC=host,DC=example,DC=org
186 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
187 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
187 LDAP Search Scope = SUBTREE
188 LDAP Search Scope = SUBTREE
188
189
189 Attribute mappings
190 Attribute mappings
190 Login Attribute = uid
191 Login Attribute = uid
191 First Name Attribute = firstName
192 First Name Attribute = firstName
192 Last Name Attribute = lastName
193 Last Name Attribute = lastName
193 Email Attribute = mail
194 Email Attribute = mail
194
195
195 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
196 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
196
197
197 Search settings
198 Search settings
198 Base DN = DC=host,DC=example,DC=org
199 Base DN = DC=host,DC=example,DC=org
199 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
200 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
200 LDAP Search Scope = SUBTREE
201 LDAP Search Scope = SUBTREE
201
202
202 .. _enable_ldap:
203 .. _enable_ldap:
203
204
204 Enable LDAP : required
205 Enable LDAP : required
205 Whether to use LDAP for authenticating users.
206 Whether to use LDAP for authenticating users.
206
207
207 .. _ldap_host:
208 .. _ldap_host:
208
209
209 Host : required
210 Host : required
210 LDAP server hostname or IP address. Can be also a comma separated
211 LDAP server hostname or IP address. Can be also a comma separated
211 list of servers to support LDAP fail-over.
212 list of servers to support LDAP fail-over.
212
213
213 .. _Port:
214 .. _Port:
214
215
215 Port : optional
216 Port : optional
216 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
217 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
217 Defaults to 636 for LDAPS.
218 Defaults to 636 for LDAPS.
218
219
219 .. _ldap_account:
220 .. _ldap_account:
220
221
221 Account : optional
222 Account : optional
222 Only required if the LDAP server does not allow anonymous browsing of
223 Only required if the LDAP server does not allow anonymous browsing of
223 records. This should be a special account for record browsing. This
224 records. This should be a special account for record browsing. This
224 will require `LDAP Password`_ below.
225 will require `LDAP Password`_ below.
225
226
226 .. _LDAP Password:
227 .. _LDAP Password:
227
228
228 Password : optional
229 Password : optional
229 Only required if the LDAP server does not allow anonymous browsing of
230 Only required if the LDAP server does not allow anonymous browsing of
230 records.
231 records.
231
232
232 .. _Enable LDAPS:
233 .. _Enable LDAPS:
233
234
234 Connection Security : required
235 Connection Security : required
235 Defines the connection to LDAP server
236 Defines the connection to LDAP server
236
237
237 PLAIN
238 PLAIN
238 Plain unencrypted LDAP connection.
239 Plain unencrypted LDAP connection.
239 This will by default use `Port`_ 389.
240 This will by default use `Port`_ 389.
240
241
241 LDAPS
242 LDAPS
242 Use secure LDAPS connections according to `Certificate
243 Use secure LDAPS connections according to `Certificate
243 Checks`_ configuration.
244 Checks`_ configuration.
244 This will by default use `Port`_ 636.
245 This will by default use `Port`_ 636.
245
246
246 START_TLS
247 START_TLS
247 Use START TLS according to `Certificate Checks`_ configuration on an
248 Use START TLS according to `Certificate Checks`_ configuration on an
248 apparently "plain" LDAP connection.
249 apparently "plain" LDAP connection.
249 This will by default use `Port`_ 389.
250 This will by default use `Port`_ 389.
250
251
251 .. _Certificate Checks:
252 .. _Certificate Checks:
252
253
253 Certificate Checks : optional
254 Certificate Checks : optional
254 How SSL certificates verification is handled -- this is only useful when
255 How SSL certificates verification is handled -- this is only useful when
255 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
256 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
256 with mandatory certificate validation, while the other options are
257 with mandatory certificate validation, while the other options are
257 susceptible to man-in-the-middle attacks.
258 susceptible to man-in-the-middle attacks.
258
259
259 NEVER
260 NEVER
260 A serve certificate will never be requested or checked.
261 A serve certificate will never be requested or checked.
261
262
262 ALLOW
263 ALLOW
263 A server certificate is requested. Failure to provide a
264 A server certificate is requested. Failure to provide a
264 certificate or providing a bad certificate will not terminate the
265 certificate or providing a bad certificate will not terminate the
265 session.
266 session.
266
267
267 TRY
268 TRY
268 A server certificate is requested. Failure to provide a
269 A server certificate is requested. Failure to provide a
269 certificate does not halt the session; providing a bad certificate
270 certificate does not halt the session; providing a bad certificate
270 halts the session.
271 halts the session.
271
272
272 DEMAND
273 DEMAND
273 A server certificate is requested and must be provided and
274 A server certificate is requested and must be provided and
274 authenticated for the session to proceed.
275 authenticated for the session to proceed.
275
276
276 HARD
277 HARD
277 The same as DEMAND.
278 The same as DEMAND.
278
279
279 .. _Custom CA Certificates:
280 .. _Custom CA Certificates:
280
281
281 Custom CA Certificates : optional
282 Custom CA Certificates : optional
282 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
283 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
283 Python 2.7.10 and later default to using the system certificate store, and
284 Python 2.7.10 and later default to using the system certificate store, and
284 this should thus not be necessary when using certificates signed by a CA
285 this should thus not be necessary when using certificates signed by a CA
285 trusted by the system.
286 trusted by the system.
286 It can be set to something like `/etc/openldap/cacerts` on older systems or
287 It can be set to something like `/etc/openldap/cacerts` on older systems or
287 if using self-signed certificates.
288 if using self-signed certificates.
288
289
289 .. _Base DN:
290 .. _Base DN:
290
291
291 Base DN : required
292 Base DN : required
292 The Distinguished Name (DN) where searches for users will be performed.
293 The Distinguished Name (DN) where searches for users will be performed.
293 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
294 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
294
295
295 .. _LDAP Filter:
296 .. _LDAP Filter:
296
297
297 LDAP Filter : optional
298 LDAP Filter : optional
298 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
299 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
299 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
300 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
300 which LDAP objects are identified as representing Users for
301 which LDAP objects are identified as representing Users for
301 authentication. The filter is augmented by `Login Attribute`_ below.
302 authentication. The filter is augmented by `Login Attribute`_ below.
302 This can commonly be left blank.
303 This can commonly be left blank.
303
304
304 .. _LDAP Search Scope:
305 .. _LDAP Search Scope:
305
306
306 LDAP Search Scope : required
307 LDAP Search Scope : required
307 This limits how far LDAP will search for a matching object.
308 This limits how far LDAP will search for a matching object.
308
309
309 BASE
310 BASE
310 Only allows searching of `Base DN`_ and is usually not what you
311 Only allows searching of `Base DN`_ and is usually not what you
311 want.
312 want.
312
313
313 ONELEVEL
314 ONELEVEL
314 Searches all entries under `Base DN`_, but not Base DN itself.
315 Searches all entries under `Base DN`_, but not Base DN itself.
315
316
316 SUBTREE
317 SUBTREE
317 Searches all entries below `Base DN`_, but not Base DN itself.
318 Searches all entries below `Base DN`_, but not Base DN itself.
318 When using SUBTREE `LDAP Filter`_ is useful to limit object
319 When using SUBTREE `LDAP Filter`_ is useful to limit object
319 location.
320 location.
320
321
321 .. _Login Attribute:
322 .. _Login Attribute:
322
323
323 Login Attribute : required
324 Login Attribute : required
324 The LDAP record attribute that will be matched as the USERNAME or
325 The LDAP record attribute that will be matched as the USERNAME or
325 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
326 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
326 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
327 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
327 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
328 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
328 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
329 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
329 ::
330 ::
330
331
331 (&(LDAPFILTER)(uid=jsmith))
332 (&(LDAPFILTER)(uid=jsmith))
332
333
333 .. _ldap_attr_firstname:
334 .. _ldap_attr_firstname:
334
335
335 First Name Attribute : required
336 First Name Attribute : required
336 The LDAP record attribute which represents the user's first name.
337 The LDAP record attribute which represents the user's first name.
337
338
338 .. _ldap_attr_lastname:
339 .. _ldap_attr_lastname:
339
340
340 Last Name Attribute : required
341 Last Name Attribute : required
341 The LDAP record attribute which represents the user's last name.
342 The LDAP record attribute which represents the user's last name.
342
343
343 .. _ldap_attr_email:
344 .. _ldap_attr_email:
344
345
345 Email Attribute : required
346 Email Attribute : required
346 The LDAP record attribute which represents the user's email address.
347 The LDAP record attribute which represents the user's email address.
347
348
348 If all data are entered correctly, and python-ldap_ is properly installed
349 If all data are entered correctly, and python-ldap_ is properly installed
349 users should be granted access to Kallithea with LDAP accounts. At this
350 users should be granted access to Kallithea with LDAP accounts. At this
350 time user information is copied from LDAP into the Kallithea user database.
351 time user information is copied from LDAP into the Kallithea user database.
351 This means that updates of an LDAP user object may not be reflected as a
352 This means that updates of an LDAP user object may not be reflected as a
352 user update in Kallithea.
353 user update in Kallithea.
353
354
354 If You have problems with LDAP access and believe You entered correct
355 If You have problems with LDAP access and believe You entered correct
355 information check out the Kallithea logs, any error messages sent from LDAP
356 information check out the Kallithea logs, any error messages sent from LDAP
356 will be saved there.
357 will be saved there.
357
358
358 Active Directory
359 Active Directory
359 ^^^^^^^^^^^^^^^^
360 ^^^^^^^^^^^^^^^^
360
361
361 Kallithea can use Microsoft Active Directory for user authentication. This
362 Kallithea can use Microsoft Active Directory for user authentication. This
362 is done through an LDAP or LDAPS connection to Active Directory. The
363 is done through an LDAP or LDAPS connection to Active Directory. The
363 following LDAP configuration settings are typical for using Active
364 following LDAP configuration settings are typical for using Active
364 Directory ::
365 Directory ::
365
366
366 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
367 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
367 Login Attribute = sAMAccountName
368 Login Attribute = sAMAccountName
368 First Name Attribute = givenName
369 First Name Attribute = givenName
369 Last Name Attribute = sn
370 Last Name Attribute = sn
370 Email Attribute = mail
371 Email Attribute = mail
371
372
372 All other LDAP settings will likely be site-specific and should be
373 All other LDAP settings will likely be site-specific and should be
373 appropriately configured.
374 appropriately configured.
374
375
375
376
376 Authentication by container or reverse-proxy
377 Authentication by container or reverse-proxy
377 --------------------------------------------
378 --------------------------------------------
378
379
379 Kallithea supports delegating the authentication
380 Kallithea supports delegating the authentication
380 of users to its WSGI container, or to a reverse-proxy server through which all
381 of users to its WSGI container, or to a reverse-proxy server through which all
381 clients access the application.
382 clients access the application.
382
383
383 When these authentication methods are enabled in Kallithea, it uses the
384 When these authentication methods are enabled in Kallithea, it uses the
384 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
385 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
385 perform the authentication itself. The authorization, however, is still done by
386 perform the authentication itself. The authorization, however, is still done by
386 Kallithea according to its settings.
387 Kallithea according to its settings.
387
388
388 When a user logs in for the first time using these authentication methods,
389 When a user logs in for the first time using these authentication methods,
389 a matching user account is created in Kallithea with default permissions. An
390 a matching user account is created in Kallithea with default permissions. An
390 administrator can then modify it using Kallithea's admin interface.
391 administrator can then modify it using Kallithea's admin interface.
391
392
392 It's also possible for an administrator to create accounts and configure their
393 It's also possible for an administrator to create accounts and configure their
permissions before the user logs in for the first time, using the :ref:`create-user` API.

Container-based authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In a container-based authentication setup, Kallithea reads the user name from
the ``REMOTE_USER`` server variable provided by the WSGI container.

After setting up your container (see `Apache with mod_wsgi`_), you'll need
to configure it to require authentication on the location configured for
Kallithea.

Proxy pass-through authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In a proxy pass-through authentication setup, Kallithea reads the user name
from the ``X-Forwarded-User`` request header, which should be configured to be
sent by the reverse-proxy server.

After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
configure the authentication and add the username in a request header named
``X-Forwarded-User``.

For example, the following config section for Apache sets a subdirectory in a
reverse-proxy setup with basic auth:

.. code-block:: apache

    <Location /someprefix>
        ProxyPass http://127.0.0.1:5000/someprefix
        ProxyPassReverse http://127.0.0.1:5000/someprefix
        SetEnvIf X-Url-Scheme https HTTPS=1

        AuthType Basic
        AuthName "Kallithea authentication"
        AuthUserFile /srv/kallithea/.htpasswd
        Require valid-user

        RequestHeader unset X-Forwarded-User

        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule .* - [E=RU:%1]
        RequestHeader set X-Forwarded-User %{RU}e
    </Location>

Setting metadata in container/reverse-proxy
"""""""""""""""""""""""""""""""""""""""""""

When a new user account is created on the first login, Kallithea has no information about
the user's email and full name. So you can set some additional request headers like in the
example below. In this example the user is authenticated via Kerberos and an Apache
mod_python fixup handler is used to get the user information from an LDAP server. But you
could set the request headers however you want.

.. code-block:: apache

    <Location /someprefix>
        ProxyPass http://127.0.0.1:5000/someprefix
        ProxyPassReverse http://127.0.0.1:5000/someprefix
        SetEnvIf X-Url-Scheme https HTTPS=1

        AuthName "Kerberos Login"
        AuthType Kerberos
        Krb5Keytab /etc/apache2/http.keytab
        KrbMethodK5Passwd off
        KrbVerifyKDC on
        Require valid-user

        PythonFixupHandler ldapmetadata

        RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
        RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
        RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
        RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
    </Location>

.. code-block:: python

    from mod_python import apache
    import ldap
    import ldap.filter

    LDAP_SERVER = "ldaps://server.mydomain.com:636"
    LDAP_USER = ""
    LDAP_PASS = ""
    LDAP_ROOT = "dc=mydomain,dc=com"
    LDAP_FILTER = "sAMAccountName=%s"
    LDAP_ATTR_LIST = ['sAMAccountName', 'givenname', 'sn', 'mail']

    def fixuphandler(req):
        if req.user is None:
            # no user to search for
            return apache.OK
        else:
            try:
                # strip the NT domain or Kerberos realm to get the bare account name
                if '\\' in req.user:
                    username = req.user.split('\\')[1]
                elif '@' in req.user:
                    username = req.user.split('@')[0]
                else:
                    username = req.user
                l = ldap.initialize(LDAP_SERVER)
                l.simple_bind_s(LDAP_USER, LDAP_PASS)
                # escape the name before interpolating it into the LDAP filter
                r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE,
                               LDAP_FILTER % ldap.filter.escape_filter_chars(username),
                               attrlist=LDAP_ATTR_LIST)

                req.subprocess_env['X_REMOTE_USER'] = username
                req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
                req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
                req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
            except Exception as e:
                apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)

        return apache.OK

.. note::
    If you enable proxy pass-through authentication, make sure your server is
    only accessible through the proxy. Otherwise, any client would be able to
    forge the authentication header and could effectively become authenticated
    using any account of their liking.
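As an added illustration of the note above (this is not Kallithea's own code), the following WSGI middleware only honours ``X-Forwarded-User`` and the ``X_REMOTE_*`` metadata headers when the connection comes from a configured proxy address and strips them otherwise; the list of trusted proxy addresses and the middleware name are assumptions.

```python
"""Trust forwarded identity headers only when they arrive from the proxy.

Added example, not Kallithea's own code.  The header names are the ones used
in the Apache examples above; the trusted proxy list is an assumed deployment
setting.
"""
import ipaddress

# WSGI environ keys for the identity headers the reverse proxy is expected to set.
FORWARDED_IDENTITY_KEYS = (
    "HTTP_X_FORWARDED_USER",
    "HTTP_X_REMOTE_USER",
    "HTTP_X_REMOTE_EMAIL",
    "HTTP_X_REMOTE_FIRSTNAME",
    "HTTP_X_REMOTE_LASTNAME",
)


def bare_username(principal):
    """Reduce 'DOMAIN\\user' or 'user@REALM' to 'user', the same rule the fixup handler uses."""
    if "\\" in principal:
        return principal.split("\\", 1)[1]
    if "@" in principal:
        return principal.split("@", 1)[0]
    return principal


def from_trusted_proxy(environ, trusted_proxies):
    """True when REMOTE_ADDR lies inside one of the trusted proxy addresses or networks."""
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


class TrustedProxyIdentity:
    """WSGI middleware: drop forwarded identity headers sent by anyone but the proxy."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted_proxies = list(trusted_proxies)

    def __call__(self, environ, start_response):
        if from_trusted_proxy(environ, self.trusted_proxies):
            user = environ.get("HTTP_X_FORWARDED_USER", "").strip()
            if user:
                environ["HTTP_X_FORWARDED_USER"] = bare_username(user)
        else:
            # Direct client: anything in these headers could have been forged.
            for key in FORWARDED_IDENTITY_KEYS:
                environ.pop(key, None)
        return self.app(environ, start_response)


def identity_seen_by_app(environ, trusted_proxies):
    """Run one request through the middleware and return the X-Forwarded-User the app saw."""
    seen = {}

    def app(env, start_response):
        seen["user"] = env.get("HTTP_X_FORWARDED_USER")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    TrustedProxyIdentity(app, trusted_proxies)(dict(environ), lambda status, headers: None)
    return seen["user"]


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy, one sent directly by a client.
    via_proxy = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_USER": "EXAMPLE\\alice"}
    direct = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_USER": "admin"}
    print(identity_seen_by_app(via_proxy, ["127.0.0.1"]))  # alice
    print(identity_seen_by_app(direct, ["127.0.0.1"]))     # None
```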


Integration with issue trackers
-------------------------------

Kallithea provides a simple integration with issue trackers. It's possible
to define a regular expression that will match an issue ID in commit messages,
and have that replaced with a URL to the issue. To enable this simply
uncomment the following variables in the ini file::

    issue_pat = (?:^#|\s#)(\w+)
    issue_server_link = https://issues.example.com/{repo}/issue/{id}
    issue_prefix = #

``issue_pat`` is the regular expression describing which strings in
commit messages will be treated as issue references. A match group in
parentheses should be used to specify the actual issue id.

The default expression matches issues in the format ``#<number>``, e.g., ``#300``.

Matched issue references are replaced with the link specified in
``issue_server_link``. ``{id}`` is replaced with the issue ID, and
``{repo}`` with the repository name. Since the ``#`` is stripped away,
``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
generate a URL in the format:

.. code-block:: html

    <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>

If needed, more than one pattern can be specified by appending a unique suffix to
the variables. For example::

    issue_pat_wiki = (?:wiki-)(.+)
    issue_server_link_wiki = https://wiki.example.com/{id}
    issue_prefix_wiki = WIKI-

With these settings, wiki pages can be referenced as ``wiki-some-id``, and every
such reference will be transformed into:

.. code-block:: html

    <a href="https://wiki.example.com/some-id">WIKI-some-id</a>



Hook management
---------------

Hooks can be managed in a similar way to that used in ``.hgrc`` files.
To manage hooks, choose *Admin > Settings > Hooks*.

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

To add another custom hook simply fill in the first textbox with
``<name>.<hook_type>`` and the second with the hook path. Example hooks
can be found in ``kallithea.lib.hooks``.


Changing default encoding
-------------------------

By default, Kallithea uses UTF-8 encoding.
This is configurable as ``default_encoding`` in the .ini file.
This affects many parts in Kallithea including user names, filenames, and
encoding of commit messages. In addition Kallithea can detect if the ``chardet``
library is installed. If ``chardet`` is detected Kallithea will fall back to it
when there are encode/decode errors.


Celery configuration
--------------------

Kallithea can use the distributed task queue system Celery_ to run tasks like
cloning repositories or sending emails.

Kallithea will in most setups work perfectly fine out of the box (without
Celery), executing all tasks in the web server process. Some tasks can however
take some time to run and it can be better to run such tasks asynchronously in
a separate process so the web server can focus on serving web requests.

For installation and configuration of Celery, see the `Celery documentation`_.
Note that Celery requires a message broker service like RabbitMQ_ (recommended)
or Redis_.

The use of Celery is configured in the Kallithea ini configuration file.
To enable it, simply set::

    use_celery = true

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

Remember that the ini files use the format with '.' and not with '_' like
Celery. So for example setting ``BROKER_HOST`` in Celery means setting
``broker.host`` in the configuration file.

To start the Celery process, run::

    gearbox celeryd -c <configfile.ini>

Extra options to the Celery worker can be passed after ``--``; see ``-- -h``
for more info.

.. note::
    Make sure you run this command from the same virtualenv, and with the same
    user that Kallithea runs.


HTTPS support
-------------

Kallithea will by default generate URLs based on the WSGI environment.

Alternatively, you can use some special configuration settings to control
directly which scheme/protocol Kallithea will use when generating URLs:

- With ``https_fixup = true``, the scheme will be taken from the
  ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
  (default ``http``).
- With ``force_https = true`` the default will be ``https``.
- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.


Nginx virtual host example
--------------------------

Sample config for Nginx using proxy (the ``ssl_protocols`` and ``ssl_ciphers``
lines below are dated: SSLv3, RC4 and 3DES are no longer considered secure, so
use current TLS settings in a real deployment):

.. code-block:: nginx

    upstream kallithea {
        server 127.0.0.1:5000;
        # add more instances for load balancing
        #server 127.0.0.1:5001;
        #server 127.0.0.1:5002;
    }

    ## gist alias
    server {
        listen 443;
        server_name gist.example.com;
        access_log /var/log/nginx/gist.access.log;
        error_log /var/log/nginx/gist.error.log;

        ssl on;
        ssl_certificate gist.your.kallithea.server.crt;
        ssl_certificate_key gist.your.kallithea.server.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
        ssl_prefer_server_ciphers on;

        rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
        rewrite (.*) https://kallithea.example.com/_admin/gists;
    }

    server {
        listen 443;
        server_name kallithea.example.com;
        access_log /var/log/nginx/kallithea.access.log;
        error_log /var/log/nginx/kallithea.error.log;

        ssl on;
        ssl_certificate your.kallithea.server.crt;
        ssl_certificate_key your.kallithea.server.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
        ssl_prefer_server_ciphers on;

        ## uncomment root directive if you want to serve static files by nginx
        ## requires static_files = false in .ini file
        #root /srv/kallithea/kallithea/kallithea/public;
        include /etc/nginx/proxy.conf;
        location / {
            try_files $uri @kallithea;
        }

        location @kallithea {
            proxy_pass http://127.0.0.1:5000;
        }

    }

Here's the proxy.conf. It's tuned so it will not timeout on long
pushes or large pushes::

    proxy_redirect off;
    proxy_set_header Host $host;
    ## needed for container auth
    #proxy_set_header REMOTE_USER $remote_user;
    #proxy_set_header X-Forwarded-User $remote_user;
    proxy_set_header X-Url-Scheme $scheme;
    proxy_set_header X-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Proxy-host $proxy_host;
    proxy_buffering off;
    proxy_connect_timeout 7200;
    proxy_send_timeout 7200;
    proxy_read_timeout 7200;
    proxy_buffers 8 32k;
    client_max_body_size 1024m;
    client_body_buffer_size 128k;
    large_client_header_buffers 8 64k;


Apache virtual host reverse proxy example
-----------------------------------------

Here is a sample configuration file for Apache using proxy:

.. code-block:: apache

    <VirtualHost *:80>
        ServerName kallithea.example.com

        <Proxy *>
            # For Apache 2.4 and later:
            Require all granted

            # For Apache 2.2 and earlier, instead use:
            # Order allow,deny
            # Allow from all
        </Proxy>

        #important !
        #Directive to properly generate url (clone url) for Kallithea
        ProxyPreserveHost On

        #kallithea instance
        ProxyPass / http://127.0.0.1:5000/
        ProxyPassReverse / http://127.0.0.1:5000/

        #to enable https use line below
        #SetEnvIf X-Url-Scheme https HTTPS=1
    </VirtualHost>

Additional tutorial:
http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons


Apache as subdirectory
----------------------

Apache subdirectory part:

.. code-block:: apache

    <Location /<someprefix> >
        ProxyPass http://127.0.0.1:5000/<someprefix>
        ProxyPassReverse http://127.0.0.1:5000/<someprefix>
        SetEnvIf X-Url-Scheme https HTTPS=1
    </Location>

Besides the regular apache setup you will need to add the following line
into the ``[app:main]`` section of your .ini file::

    filter-with = proxy-prefix

Add the following at the end of the .ini file::

    [filter:proxy-prefix]
    use = egg:PasteDeploy#prefix
    prefix = /<someprefix>

Then change ``<someprefix>`` into your chosen prefix.


Apache with mod_wsgi
--------------------

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
that, you'll need to:

- Install mod_wsgi. If using a Debian-based distro, you can install
  the package libapache2-mod-wsgi::

    aptitude install libapache2-mod-wsgi

- Enable mod_wsgi::

    a2enmod wsgi

- Add global Apache configuration to tell mod_wsgi that Python will only be
  used in the WSGI processes and shouldn't be initialized in the Apache
  processes::

    WSGIRestrictEmbedded On

- Create a wsgi dispatch script, like the one below. Make sure you
  check that the paths correctly point to where you installed Kallithea
  and its Python Virtual Environment.
- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
  as in the following example. Once again, check the paths are
  correctly specified.

Here is a sample excerpt from an Apache Virtual Host configuration file:

.. code-block:: apache

    WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
        python-home=/srv/kallithea/venv
    WSGIProcessGroup kallithea
    WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
    WSGIPassAuthorization On

Or if using a dispatcher WSGI script with proper virtualenv activation:

.. code-block:: apache

    WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
    WSGIProcessGroup kallithea
    WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
    WSGIPassAuthorization On

Apache will by default run as a special Apache user, on Linux systems
usually ``www-data`` or ``apache``. If you need to have the repositories
directory owned by a different user, use the user and group options to
WSGIDaemonProcess to set the name of the user and group.

Example WSGI dispatch script:

.. code-block:: python

    import os
    os.environ["HGENCODING"] = "UTF-8"
    os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

    # sometimes it's needed to set the current dir
    os.chdir('/srv/kallithea/')

    import site
    site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

    ini = '/srv/kallithea/my.ini'
    from paste.script.util.logging_config import fileConfig
    fileConfig(ini)
    from paste.deploy import loadapp
    application = loadapp('config:' + ini)

Or using proper virtualenv activation:

.. code-block:: python

    activate_this = '/srv/kallithea/venv/bin/activate_this.py'
    execfile(activate_this, dict(__file__=activate_this))

    import os
    os.environ['HOME'] = '/srv/kallithea'

    ini = '/srv/kallithea/kallithea.ini'
    from paste.script.util.logging_config import fileConfig
    fileConfig(ini)
    from paste.deploy import loadapp
    application = loadapp('config:' + ini)


Other configuration files
-------------------------

A number of `example init.d scripts`__ can be found in
the ``init.d`` directory of the Kallithea source.

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/


.. _virtualenv: http://pypi.python.org/pypi/virtualenv
.. _python: http://www.python.org/
.. _Mercurial: https://www.mercurial-scm.org/
.. _Celery: http://celeryproject.org/
.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
.. _RabbitMQ: http://www.rabbitmq.com/
.. _Redis: http://redis.io/
.. _python-ldap: http://www.python-ldap.org/
.. _mercurial-server: http://www.lshift.net/mercurial-server.html
.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories