upstream/kallithea Commit - r5752:8c479b27

1

.. _setup:

1

.. _setup:

2

3

=====

3

=====

4

Setup

4

Setup

5

=====

5

=====

6

7

8

Setting up Kallithea

8

Setting up Kallithea

9

--------------------

9

--------------------

10

11

First, you will need to create a Kallithea configuration file. Run the

11

First, you will need to create a Kallithea configuration file. Run the

12

following command to do so::

12

following command to do so::

13

14

paster make-config Kallithea my.ini

14

paster make-config Kallithea my.ini

15

16

This will create the file ``my.ini`` in the current directory. This

16

This will create the file ``my.ini`` in the current directory. This

17

configuration file contains the various settings for Kallithea, e.g.

17

configuration file contains the various settings for Kallithea, e.g.

18

proxy port, email settings, usage of static files, cache, Celery

18

proxy port, email settings, usage of static files, cache, Celery

19

settings, and logging.

19

settings, and logging.

20

21

Next, you need to create the databases used by Kallithea. It is recommended to

21

Next, you need to create the databases used by Kallithea. It is recommended to

22

use PostgreSQL or SQLite (default). If you choose a database other than the

22

use PostgreSQL or SQLite (default). If you choose a database other than the

23

default, ensure you properly adjust the database URL in your ``my.ini``

23

default, ensure you properly adjust the database URL in your ``my.ini``

24

configuration file to use this other database. Kallithea currently supports

24

configuration file to use this other database. Kallithea currently supports

25

PostgreSQL, SQLite and MySQL databases. Create the database by running

25

PostgreSQL, SQLite and MySQL databases. Create the database by running

26

the following command::

26

the following command::

27

28

paster setup-db my.ini

28

paster setup-db my.ini

29

30

This will prompt you for a "root" path. This "root" path is the location where

30

This will prompt you for a "root" path. This "root" path is the location where

31

Kallithea will store all of its repositories on the current machine. After

31

Kallithea will store all of its repositories on the current machine. After

32

entering this "root" path ``setup-db`` will also prompt you for a username

32

entering this "root" path ``setup-db`` will also prompt you for a username

33

and password for the initial admin account which ``setup-db`` sets

33

and password for the initial admin account which ``setup-db`` sets

34

up for you.

34

up for you.

35

36

The ``setup-db`` values can also be given on the command line.

36

The ``setup-db`` values can also be given on the command line.

37

Example::

37

Example::

38

39

paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos

39

paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos

40

41

The ``setup-db`` command will create all needed tables and an

41

The ``setup-db`` command will create all needed tables and an

42

admin account. When choosing a root path you can either use a new

42

admin account. When choosing a root path you can either use a new

43

empty location, or a location which already contains existing

43

empty location, or a location which already contains existing

44

repositories. If you choose a location which contains existing

44

repositories. If you choose a location which contains existing

45

repositories Kallithea will add all of the repositories at the chosen

45

repositories Kallithea will add all of the repositories at the chosen

46

location to its database. (Note: make sure you specify the correct

46

location to its database. (Note: make sure you specify the correct

47

path to the root).

47

path to the root).

48

49

.. note:: the given path for Mercurial_ repositories **must** be write

49

.. note:: the given path for Mercurial_ repositories **must** be write

50

accessible for the application. It's very important since

50

accessible for the application. It's very important since

51

the Kallithea web interface will work without write access,

51

the Kallithea web interface will work without write access,

52

but when trying to do a push it will fail with permission

52

but when trying to do a push it will fail with permission

53

denied errors unless it has write access.

53

denied errors unless it has write access.

54

55

You are now ready to use Kallithea. To run it simply execute::

55

You are now ready to use Kallithea. To run it simply execute::

56

57

paster serve my.ini

57

paster serve my.ini

58

59

- This command runs the Kallithea server. The web app should be available at

59

- This command runs the Kallithea server. The web app should be available at

60

http://127.0.0.1:5000. The IP address and port is configurable via the

60

http://127.0.0.1:5000. The IP address and port is configurable via the

61

configuration file created in the previous step.

61

configuration file created in the previous step.

62

- Log in to Kallithea using the admin account created when running ``setup-db``.

62

- Log in to Kallithea using the admin account created when running ``setup-db``.

63

- The default permissions on each repository is read, and the owner is admin.

63

- The default permissions on each repository is read, and the owner is admin.

64

Remember to update these if needed.

64

Remember to update these if needed.

65

- In the admin panel you can toggle LDAP, anonymous, and permissions

65

- In the admin panel you can toggle LDAP, anonymous, and permissions

66

settings, as well as edit more advanced options on users and

66

settings, as well as edit more advanced options on users and

67

repositories.

67

repositories.

68

69

70

Extensions

70

Extensions

71

----------

71

----------

72

73

Optionally one can create an ``rcextensions`` package that extends Kallithea

73

Optionally one can create an ``rcextensions`` package that extends Kallithea

74

functionality.

74

functionality.

75

To generate a skeleton extensions package, run::

75

To generate a skeleton extensions package, run::

76

77

paster make-rcext my.ini

77

paster make-rcext my.ini

78

79

This will create an ``rcextensions`` package next to the specified ``ini`` file.

79

This will create an ``rcextensions`` package next to the specified ``ini`` file.

80

With ``rcextensions`` it's possible to add additional mapping for whoosh,

80

With ``rcextensions`` it's possible to add additional mapping for whoosh,

81

stats and add additional code into the push/pull/create/delete repo hooks,

81

stats and add additional code into the push/pull/create/delete repo hooks,

82

for example for sending signals to build-bots such as Jenkins.

82

for example for sending signals to build-bots such as Jenkins.

83

84

See the ``__init__.py`` file inside the generated ``rcextensions`` package

84

See the ``__init__.py`` file inside the generated ``rcextensions`` package

85

for more details.

85

for more details.

86

87

88

Using Kallithea with SSH

88

Using Kallithea with SSH

89

------------------------

89

------------------------

90

91

Kallithea currently only hosts repositories using http and https. (The addition

91

Kallithea currently only hosts repositories using http and https. (The addition

92

of ssh hosting is a planned future feature.) However you can easily use ssh in

92

of ssh hosting is a planned future feature.) However you can easily use ssh in

93

parallel with Kallithea. (Repository access via ssh is a standard "out of

93

parallel with Kallithea. (Repository access via ssh is a standard "out of

94

the box" feature of Mercurial_ and you can use this to access any of the

94

the box" feature of Mercurial_ and you can use this to access any of the

95

repositories that Kallithea is hosting. See PublishingRepositories_)

95

repositories that Kallithea is hosting. See PublishingRepositories_)

96

97

Kallithea repository structures are kept in directories with the same name

97

Kallithea repository structures are kept in directories with the same name

98

as the project. When using repository groups, each group is a subdirectory.

98

as the project. When using repository groups, each group is a subdirectory.

99

This allows you to easily use ssh for accessing repositories.

99

This allows you to easily use ssh for accessing repositories.

100

101

In order to use ssh you need to make sure that your web server and the users'

101

In order to use ssh you need to make sure that your web server and the users'

102

login accounts have the correct permissions set on the appropriate directories.

102

login accounts have the correct permissions set on the appropriate directories.

103

104

.. note:: These permissions are independent of any permissions you

104

.. note:: These permissions are independent of any permissions you

105

have set up using the Kallithea web interface.

105

have set up using the Kallithea web interface.

106

107

If your main directory (the same as set in Kallithea settings) is for

107

If your main directory (the same as set in Kallithea settings) is for

108

example set to ``/srv/repos`` and the repository you are using is

108

example set to ``/srv/repos`` and the repository you are using is

109

named ``kallithea``, then to clone via ssh you should run::

109

named ``kallithea``, then to clone via ssh you should run::

110

111

hg clone ssh://user@kallithea.example.com/srv/repos/kallithea

111

hg clone ssh://user@kallithea.example.com/srv/repos/kallithea

112

113

Using other external tools such as mercurial-server_ or using ssh key-based

113

Using other external tools such as mercurial-server_ or using ssh key-based

114

authentication is fully supported.

114

authentication is fully supported.

115

116

.. note:: In an advanced setup, in order for your ssh access to use

116

.. note:: In an advanced setup, in order for your ssh access to use

117

the same permissions as set up via the Kallithea web

117

the same permissions as set up via the Kallithea web

118

interface, you can create an authentication hook to connect

118

interface, you can create an authentication hook to connect

119

to the Kallithea db and run check functions for permissions

119

to the Kallithea db and run check functions for permissions

120

against that.

120

against that.

121

122

123

Setting up Whoosh full text search

123

Setting up Whoosh full text search

124

----------------------------------

124

----------------------------------

125

126

Kallithea provides full text search of repositories using `Whoosh`__.

126

Kallithea provides full text search of repositories using `Whoosh`__.

127

128

.. __: https://pythonhosted.org/Whoosh/

128

.. __: https://pythonhosted.org/Whoosh/

129

130

For an incremental index build, run::

130

For an incremental index build, run::

131

132

paster make-index my.ini

132

paster make-index my.ini

133

134

For a full index rebuild, run::

134

For a full index rebuild, run::

135

136

paster make-index my.ini -f

136

paster make-index my.ini -f

137

138

The ``--repo-location`` option allows the location of the repositories to be overriden;

138

The ``--repo-location`` option allows the location of the repositories to be overriden;

139

usually, the location is retrieved from the Kallithea database.

139

usually, the location is retrieved from the Kallithea database.

140

141

The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::

141

The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::

142

143

paster make-index my.ini --index-only=vcs,kallithea

143

paster make-index my.ini --index-only=vcs,kallithea

144

145

To keep your index up-to-date it is necessary to do periodic index builds;

145

To keep your index up-to-date it is necessary to do periodic index builds;

146

for this, it is recommended to use a crontab entry. Example::

146

for this, it is recommended to use a crontab entry. Example::

147

148

0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini

148

0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini

149

150

When using incremental mode (the default), Whoosh will check the last

150

When using incremental mode (the default), Whoosh will check the last

151

modification date of each file and add it to be reindexed if a newer file is

151

modification date of each file and add it to be reindexed if a newer file is

152

available. The indexing daemon checks for any removed files and removes them

152

available. The indexing daemon checks for any removed files and removes them

153

from index.

153

from index.

154

155

If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,

155

If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,

156

or in the admin panel you can check the "build from scratch" checkbox.

156

or in the admin panel you can check the "build from scratch" checkbox.

157

158

.. _ldap-setup:

158

.. _ldap-setup:

159

160

Setting up LDAP support

160

Setting up LDAP support

161

-----------------------

161

-----------------------

162

163

Kallithea supports LDAP authentication. In order

163

Kallithea supports LDAP authentication. In order

164

to use LDAP, you have to install the python-ldap_ package. This package is

164

to use LDAP, you have to install the python-ldap_ package. This package is

165

available via PyPI, so you can install it by running::

165

available via PyPI, so you can install it by running::

166

167

pip install python-ldap

167

pip install python-ldap

168

169

.. note:: ``python-ldap`` requires some libraries to be installed on

169

.. note:: ``python-ldap`` requires some libraries to be installed on

170

your system, so before installing it check that you have at

170

your system, so before installing it check that you have at

171

least the ``openldap`` and ``sasl`` libraries.

171

least the ``openldap`` and ``sasl`` libraries.

172

173

Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button

173

Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button

174

and then *Save*, to enable the LDAP plugin and configure its settings.

174

and then *Save*, to enable the LDAP plugin and configure its settings.

175

176

Here's a typical LDAP setup::

176

Here's a typical LDAP setup::

177

178

Connection settings

178

Connection settings

179

Enable LDAP = checked

179

Enable LDAP = checked

180

Host = host.example.com

180

Host = host.example.com

181

Port = 389

181

Port = 389

182

Account = <account>

182

Account = <account>

183

Password = <password>

183

Password = <password>

184

Connection Security = LDAPS connection

184

Connection Security = LDAPS connection

185

Certificate Checks = DEMAND

185

Certificate Checks = DEMAND

186

187

Search settings

187

Search settings

188

Base DN = CN=users,DC=host,DC=example,DC=org

188

Base DN = CN=users,DC=host,DC=example,DC=org

189

LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))

189

LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))

190

LDAP Search Scope = SUBTREE

190

LDAP Search Scope = SUBTREE

191

192

Attribute mappings

192

Attribute mappings

193

Login Attribute = uid

193

Login Attribute = uid

194

First Name Attribute = firstName

194

First Name Attribute = firstName

195

Last Name Attribute = lastName

195

Last Name Attribute = lastName

196

Email Attribute = mail

196

Email Attribute = mail

197

198

If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::

198

If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::

199

200

Search settings

200

Search settings

201

Base DN = DC=host,DC=example,DC=org

201

Base DN = DC=host,DC=example,DC=org

202

LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))

202

LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))

203

LDAP Search Scope = SUBTREE

203

LDAP Search Scope = SUBTREE

204

205

.. _enable_ldap:

205

.. _enable_ldap:

206

207

Enable LDAP : required

207

Enable LDAP : required

208

Whether to use LDAP for authenticating users.

208

Whether to use LDAP for authenticating users.

209

210

.. _ldap_host:

210

.. _ldap_host:

211

212

Host : required

212

Host : required

213

LDAP server hostname or IP address. Can be also a comma separated

213

LDAP server hostname or IP address. Can be also a comma separated

214

list of servers to support LDAP fail-over.

214

list of servers to support LDAP fail-over.

215

216

.. _Port:

216

.. _Port:

217

218

Port : required

218

Port : required

219

389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.

219

389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.

220

221

.. _ldap_account:

221

.. _ldap_account:

222

223

Account : optional

223

Account : optional

224

Only required if the LDAP server does not allow anonymous browsing of

224

Only required if the LDAP server does not allow anonymous browsing of

225

records. This should be a special account for record browsing. This

225

records. This should be a special account for record browsing. This

226

will require `LDAP Password`_ below.

226

will require `LDAP Password`_ below.

227

228

.. _LDAP Password:

228

.. _LDAP Password:

229

230

Password : optional

230

Password : optional

231

Only required if the LDAP server does not allow anonymous browsing of

231

Only required if the LDAP server does not allow anonymous browsing of

232

records.

232

records.

233

234

.. _Enable LDAPS:

234

.. _Enable LDAPS:

235

236

Connection Security : required

236

Connection Security : required

237

Defines the connection to LDAP server

237

Defines the connection to LDAP server

238

239

No encryption

239

No encryption

240

Plain non encrypted connection

240

Plain non encrypted connection

241

242

LDAPS connection

242

LDAPS connection

243

Enable LDAPS connections. It will likely require `Port`_ to be set to

243

Enable LDAPS connections. It will likely require `Port`_ to be set to

244

a different value (standard LDAPS port is 636). When LDAPS is enabled

244

a different value (standard LDAPS port is 636). When LDAPS is enabled

245

then `Certificate Checks`_ is required.

245

then `Certificate Checks`_ is required.

246

247

START_TLS on LDAP connection

247

START_TLS on LDAP connection

248

START TLS connection

248

START TLS connection

249

250

.. _Certificate Checks:

250

.. _Certificate Checks:

251

252

Certificate Checks : optional

252

Certificate Checks : optional

253

How SSL certificates verification is handled -- this is only useful when

253

How SSL certificates verification is handled -- this is only useful when

254

`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security

254

`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security

255

while the other options are susceptible to man-in-the-middle attacks. SSL

255

while the other options are susceptible to man-in-the-middle attacks. SSL

256

certificates can be installed to /etc/openldap/cacerts so that the

256

certificates can be installed to /etc/openldap/cacerts so that the

257

DEMAND or HARD options can be used with self-signed certificates or

257

DEMAND or HARD options can be used with self-signed certificates or

258

certificates that do not have traceable certificates of authority.

258

certificates that do not have traceable certificates of authority.

259

260

NEVER

260

NEVER

261

A serve certificate will never be requested or checked.

261

A serve certificate will never be requested or checked.

262

263

ALLOW

263

ALLOW

264

A server certificate is requested. Failure to provide a

264

A server certificate is requested. Failure to provide a

265

certificate or providing a bad certificate will not terminate the

265

certificate or providing a bad certificate will not terminate the

266

session.

266

session.

267

268

TRY

268

TRY

269

A server certificate is requested. Failure to provide a

269

A server certificate is requested. Failure to provide a

270

certificate does not halt the session; providing a bad certificate

270

certificate does not halt the session; providing a bad certificate

271

halts the session.

271

halts the session.

272

273

DEMAND

273

DEMAND

274

A server certificate is requested and must be provided and

274

A server certificate is requested and must be provided and

275

authenticated for the session to proceed.

275

authenticated for the session to proceed.

276

277

HARD

277

HARD

278

The same as DEMAND.

278

The same as DEMAND.

279

280

.. _Base DN:

280

.. _Base DN:

281

282

Base DN : required

282

Base DN : required

283

The Distinguished Name (DN) where searches for users will be performed.

283

The Distinguished Name (DN) where searches for users will be performed.

284

Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.

284

Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.

285

286

.. _LDAP Filter:

286

.. _LDAP Filter:

287

288

LDAP Filter : optional

288

LDAP Filter : optional

289

A LDAP filter defined by RFC 2254. This is more useful when `LDAP

289

A LDAP filter defined by RFC 2254. This is more useful when `LDAP

290

Search Scope`_ is set to SUBTREE. The filter is useful for limiting

290

Search Scope`_ is set to SUBTREE. The filter is useful for limiting

291

which LDAP objects are identified as representing Users for

291

which LDAP objects are identified as representing Users for

292

authentication. The filter is augmented by `Login Attribute`_ below.

292

authentication. The filter is augmented by `Login Attribute`_ below.

293

This can commonly be left blank.

293

This can commonly be left blank.

294

295

.. _LDAP Search Scope:

295

.. _LDAP Search Scope:

296

297

LDAP Search Scope : required

297

LDAP Search Scope : required

298

This limits how far LDAP will search for a matching object.

298

This limits how far LDAP will search for a matching object.

299

300

BASE

300

BASE

301

Only allows searching of `Base DN`_ and is usually not what you

301

Only allows searching of `Base DN`_ and is usually not what you

302

want.

302

want.

303

304

ONELEVEL

304

ONELEVEL

305

Searches all entries under `Base DN`_, but not Base DN itself.

305

Searches all entries under `Base DN`_, but not Base DN itself.

306

307

SUBTREE

307

SUBTREE

308

Searches all entries below `Base DN`_, but not Base DN itself.

308

Searches all entries below `Base DN`_, but not Base DN itself.

309

When using SUBTREE `LDAP Filter`_ is useful to limit object

309

When using SUBTREE `LDAP Filter`_ is useful to limit object

310

location.

310

location.

311

312

.. _Login Attribute:

312

.. _Login Attribute:

313

314

Login Attribute : required

314

Login Attribute : required

315

The LDAP record attribute that will be matched as the USERNAME or

315

The LDAP record attribute that will be matched as the USERNAME or

316

ACCOUNT used to connect to Kallithea. This will be added to `LDAP

316

ACCOUNT used to connect to Kallithea. This will be added to `LDAP

317

Filter`_ for locating the User object. If `LDAP Filter`_ is specified as

317

Filter`_ for locating the User object. If `LDAP Filter`_ is specified as

318

"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has

318

"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has

319

connected as "jsmith" then the `LDAP Filter`_ will be augmented as below

319

connected as "jsmith" then the `LDAP Filter`_ will be augmented as below

320

::

320

::

321

322

(&(LDAPFILTER)(uid=jsmith))

322

(&(LDAPFILTER)(uid=jsmith))

323

324

.. _ldap_attr_firstname:

324

.. _ldap_attr_firstname:

325

326

First Name Attribute : required

326

First Name Attribute : required

327

The LDAP record attribute which represents the user's first name.

327

The LDAP record attribute which represents the user's first name.

328

329

.. _ldap_attr_lastname:

329

.. _ldap_attr_lastname:

330

331

Last Name Attribute : required

331

Last Name Attribute : required

332

The LDAP record attribute which represents the user's last name.

332

The LDAP record attribute which represents the user's last name.

333

334

.. _ldap_attr_email:

334

.. _ldap_attr_email:

335

336

Email Attribute : required

336

Email Attribute : required

337

The LDAP record attribute which represents the user's email address.

337

The LDAP record attribute which represents the user's email address.

338

339

If all data are entered correctly, and python-ldap_ is properly installed

339

If all data are entered correctly, and python-ldap_ is properly installed

340

users should be granted access to Kallithea with LDAP accounts. At this

340

users should be granted access to Kallithea with LDAP accounts. At this

341

time user information is copied from LDAP into the Kallithea user database.

341

time user information is copied from LDAP into the Kallithea user database.

342

This means that updates of an LDAP user object may not be reflected as a

342

This means that updates of an LDAP user object may not be reflected as a

343

user update in Kallithea.

343

user update in Kallithea.

344

345

If You have problems with LDAP access and believe You entered correct

345

If You have problems with LDAP access and believe You entered correct

346

information check out the Kallithea logs, any error messages sent from LDAP

346

information check out the Kallithea logs, any error messages sent from LDAP

347

will be saved there.

347

will be saved there.

348

349

Active Directory

349

Active Directory

350

''''''''''''''''

350

''''''''''''''''

351

352

Kallithea can use Microsoft Active Directory for user authentication. This

352

Kallithea can use Microsoft Active Directory for user authentication. This

353

is done through an LDAP or LDAPS connection to Active Directory. The

353

is done through an LDAP or LDAPS connection to Active Directory. The

354

following LDAP configuration settings are typical for using Active

354

following LDAP configuration settings are typical for using Active

355

Directory ::

355

Directory ::

356

357

Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local

357

Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local

358

Login Attribute = sAMAccountName

358

Login Attribute = sAMAccountName

359

First Name Attribute = givenName

359

First Name Attribute = givenName

360

Last Name Attribute = sn

360

Last Name Attribute = sn

361

Email Attribute = mail

361

Email Attribute = mail

362

363

All other LDAP settings will likely be site-specific and should be

363

All other LDAP settings will likely be site-specific and should be

364

appropriately configured.

364

appropriately configured.

365

366

367

Authentication by container or reverse-proxy

367

Authentication by container or reverse-proxy

368

--------------------------------------------

368

--------------------------------------------

369

370

Kallithea supports delegating the authentication

370

Kallithea supports delegating the authentication

371

of users to its WSGI container, or to a reverse-proxy server through which all

371

of users to its WSGI container, or to a reverse-proxy server through which all

372

clients access the application.

372

clients access the application.

373

374

When these authentication methods are enabled in Kallithea, it uses the

374

When these authentication methods are enabled in Kallithea, it uses the

375

username that the container/proxy (Apache or Nginx, etc.) provides and doesn't

375

username that the container/proxy (Apache or Nginx, etc.) provides and doesn't

376

perform the authentication itself. The authorization, however, is still done by

376

perform the authentication itself. The authorization, however, is still done by

377

Kallithea according to its settings.

377

Kallithea according to its settings.

378

379

When a user logs in for the first time using these authentication methods,

379

When a user logs in for the first time using these authentication methods,

380

a matching user account is created in Kallithea with default permissions. An

380

a matching user account is created in Kallithea with default permissions. An

381

administrator can then modify it using Kallithea's admin interface.

381

administrator can then modify it using Kallithea's admin interface.

382

383

It's also possible for an administrator to create accounts and configure their

383

It's also possible for an administrator to create accounts and configure their

384

permissions before the user logs in for the first time, using the :ref:`create-user` API.

384

permissions before the user logs in for the first time, using the :ref:`create-user` API.

385

386

Container-based authentication

386

Container-based authentication

387

''''''''''''''''''''''''''''''

387

''''''''''''''''''''''''''''''

388

389

In a container-based authentication setup, Kallithea reads the user name from

389

In a container-based authentication setup, Kallithea reads the user name from

390

the ``REMOTE_USER`` server variable provided by the WSGI container.

390

the ``REMOTE_USER`` server variable provided by the WSGI container.

391

392

After setting up your container (see `Apache with mod_wsgi`_), you'll need

392

After setting up your container (see `Apache with mod_wsgi`_), you'll need

393

to configure it to require authentication on the location configured for

393

to configure it to require authentication on the location configured for

394

Kallithea.

394

Kallithea.

395

396

Proxy pass-through authentication

396

Proxy pass-through authentication

397

'''''''''''''''''''''''''''''''''

397

'''''''''''''''''''''''''''''''''

398

399

In a proxy pass-through authentication setup, Kallithea reads the user name

399

In a proxy pass-through authentication setup, Kallithea reads the user name

400

from the ``X-Forwarded-User`` request header, which should be configured to be

400

from the ``X-Forwarded-User`` request header, which should be configured to be

401

sent by the reverse-proxy server.

401

sent by the reverse-proxy server.

402

403

After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,

403

After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,

404

`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to

404

`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to

405

configure the authentication and add the username in a request header named

405

configure the authentication and add the username in a request header named

406

``X-Forwarded-User``.

406

``X-Forwarded-User``.

407

408

For example, the following config section for Apache sets a subdirectory in a

408

For example, the following config section for Apache sets a subdirectory in a

409

reverse-proxy setup with basic auth:

409

reverse-proxy setup with basic auth:

410

411

.. code-block:: apache

411

.. code-block:: apache

412

413

413

414

ProxyPass http://127.0.0.1:5000/someprefix

414

ProxyPass http://127.0.0.1:5000/someprefix

415

ProxyPassReverse http://127.0.0.1:5000/someprefix

415

ProxyPassReverse http://127.0.0.1:5000/someprefix

416

SetEnvIf X-Url-Scheme https HTTPS=1

416

SetEnvIf X-Url-Scheme https HTTPS=1

417

418

AuthType Basic

418

AuthType Basic

419

AuthName "Kallithea authentication"

419

AuthName "Kallithea authentication"

420

AuthUserFile /srv/kallithea/.htpasswd

420

AuthUserFile /srv/kallithea/.htpasswd

421

Require valid-user

421

Require valid-user

422

423

RequestHeader unset X-Forwarded-User

423

RequestHeader unset X-Forwarded-User

424

425

RewriteEngine On

425

RewriteEngine On

426

RewriteCond %{LA-U:REMOTE_USER} (.+)

426

RewriteCond %{LA-U:REMOTE_USER} (.+)

427

RewriteRule .* - [E=RU:%1]

427

RewriteRule .* - [E=RU:%1]

428

RequestHeader set X-Forwarded-User %{RU}e

428

RequestHeader set X-Forwarded-User %{RU}e

429

</Location>

429

</Location>

430

431

.. note::

431

.. note::

432

If you enable proxy pass-through authentication, make sure your server is

432

If you enable proxy pass-through authentication, make sure your server is

433

only accessible through the proxy. Otherwise, any client would be able to

433

only accessible through the proxy. Otherwise, any client would be able to

434

forge the authentication header and could effectively become authenticated

434

forge the authentication header and could effectively become authenticated

435

using any account of their liking.

435

using any account of their liking.

436

437

438

Integration with issue trackers

438

Integration with issue trackers

439

-------------------------------

439

-------------------------------

440

441

Kallithea provides a simple integration with issue trackers. It's possible

441

Kallithea provides a simple integration with issue trackers. It's possible

442

to define a regular expression that will match an issue ID in commit messages,

442

to define a regular expression that will match an issue ID in commit messages,

443

and have that replaced with a URL to the issue. To enable this simply

443

and have that replaced with a URL to the issue. To enable this simply

444

uncomment the following variables in the ini file::

444

uncomment the following variables in the ini file::

445

446

issue_pat = (?:^#|\s#)(\w+)

446

issue_pat = (?:^#|\s#)(\w+)

447

issue_server_link = https://issues.example.com/{repo}/issue/{id}

447

issue_server_link = https://issues.example.com/{repo}/issue/{id}

448

issue_prefix = #

448

issue_prefix = #

449

450

``issue_pat`` is the regular expression describing which strings in

450

``issue_pat`` is the regular expression describing which strings in

451

commit messages will be treated as issue references. A match group in

451

commit messages will be treated as issue references. A match group in

452

parentheses should be used to specify the actual issue id.

452

parentheses should be used to specify the actual issue id.

453

454

The default expression matches issues in the format ``#<number>``, e.g., ``#300``.

454

The default expression matches issues in the format ``#<number>``, e.g., ``#300``.

455

456

Matched issue references are replaced with the link specified in

456

Matched issue references are replaced with the link specified in

457

``issue_server_link``. ``{id}`` is replaced with the issue ID, and

457

``issue_server_link``. ``{id}`` is replaced with the issue ID, and

458

``{repo}`` with the repository name. Since the # is stripped away,

458

``{repo}`` with the repository name. Since the # is stripped away,

459

``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't

459

``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't

460

necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will

460

necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will

461

generate a URL in the format:

461

generate a URL in the format:

462

463

.. code-block:: html

463

.. code-block:: html

464

465

<a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>

465

<a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>

466

467

If needed, more than one pattern can be specified by appending a unique suffix to

467

If needed, more than one pattern can be specified by appending a unique suffix to

468

the variables. For example::

468

the variables. For example::

469

470

issue_pat_wiki = (?:wiki-)(.+)

470

issue_pat_wiki = (?:wiki-)(.+)

471

issue_server_link_wiki = https://wiki.example.com/{id}

471

issue_server_link_wiki = https://wiki.example.com/{id}

472

issue_prefix_wiki = WIKI-

472

issue_prefix_wiki = WIKI-

473

474

With these settings, wiki pages can be referenced as wiki-some-id, and every

474

With these settings, wiki pages can be referenced as wiki-some-id, and every

475

such reference will be transformed into:

475

such reference will be transformed into:

476

477

.. code-block:: html

477

.. code-block:: html

478

479

479

480

481

482

Hook management

482

Hook management

483

---------------

483

---------------

484

485

Hooks can be managed in similar way to that used in ``.hgrc`` files.

485

Hooks can be managed in similar way to that used in ``.hgrc`` files.

486

To manage hooks, choose *Admin > Settings > Hooks*.

486

To manage hooks, choose *Admin > Settings > Hooks*.

487

488

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

488

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

489

490

To add another custom hook simply fill in the first textbox with

490

To add another custom hook simply fill in the first textbox with

491

``<name>.<hook_type>`` and the second with the hook path. Example hooks

491

``<name>.<hook_type>`` and the second with the hook path. Example hooks

492

can be found in ``kallithea.lib.hooks``.

492

can be found in ``kallithea.lib.hooks``.

493

494

495

Changing default encoding

495

Changing default encoding

496

-------------------------

496

-------------------------

497

498

By default, Kallithea uses UTF-8 encoding.

498

By default, Kallithea uses UTF-8 encoding.

499

This is configurable as ``default_encoding`` in the .ini file.

499

This is configurable as ``default_encoding`` in the .ini file.

500

This affects many parts in Kallithea including user names, filenames, and

500

This affects many parts in Kallithea including user names, filenames, and

501

encoding of commit messages. In addition Kallithea can detect if the ``chardet``

501

encoding of commit messages. In addition Kallithea can detect if the ``chardet``

502

library is installed. If ``chardet`` is detected Kallithea will fallback to it

502

library is installed. If ``chardet`` is detected Kallithea will fallback to it

503

when there are encode/decode errors.

503

when there are encode/decode errors.

504

505

506

Celery configuration

506

Celery configuration

507

--------------------

507

--------------------

508

509

Kallithea can use the distributed task queue system Celery_ to run tasks like

509

Kallithea can use the distributed task queue system Celery_ to run tasks like

510

cloning repositories or sending emails.

510

cloning repositories or sending emails.

511

512

Kallithea will in most setups work perfectly fine out of the box (without

512

Kallithea will in most setups work perfectly fine out of the box (without

513

Celery), executing all tasks in the web server process. Some tasks can however

513

Celery), executing all tasks in the web server process. Some tasks can however

514

take some time to run and it can be better to run such tasks asynchronously in

514

take some time to run and it can be better to run such tasks asynchronously in

515

a separate process so the web server can focus on serving web requests.

515

a separate process so the web server can focus on serving web requests.

516

517

For installation and configuration of Celery, see the `Celery documentation`_.

517

For installation and configuration of Celery, see the `Celery documentation`_.

518

Note that Celery requires a message broker service like RabbitMQ_ (recommended)

518

Note that Celery requires a message broker service like RabbitMQ_ (recommended)

519

or Redis_.

519

or Redis_.

520

521

The use of Celery is configured in the Kallithea ini configuration file.

521

The use of Celery is configured in the Kallithea ini configuration file.

522

To enable it, simply set::

522

To enable it, simply set::

523

524

use_celery = true

524

use_celery = true

525

526

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

526

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

527

528

Remember that the ini files use the format with '.' and not with '_' like

528

Remember that the ini files use the format with '.' and not with '_' like

529

Celery. So for example setting `BROKER_HOST` in Celery means setting

529

Celery. So for example setting `BROKER_HOST` in Celery means setting

530

`broker.host` in the configuration file.

530

`broker.host` in the configuration file.

531

532

To start the Celery process, run::

532

To start the Celery process, run::

533

534

paster celeryd <configfile.ini>

534

paster celeryd <configfile.ini>

535

536

.. note::

536

.. note::

537

Make sure you run this command from the same virtualenv, and with the same

537

Make sure you run this command from the same virtualenv, and with the same

538

user that Kallithea runs.

538

user that Kallithea runs.

539

540

541

HTTPS support

541

HTTPS support

542

-------------

542

-------------

543

544

Kallithea will by default generate URLs based on the WSGI environment.

544

Kallithea will by default generate URLs based on the WSGI environment.

545

546

Alternatively, you can use some special configuration settings to control

546

Alternatively, you can use some special configuration settings to control

547

directly which scheme/protocol Kallithea will use when generating URLs:

547

directly which scheme/protocol Kallithea will use when generating URLs:

548

549

- With ``https_fixup = true``, the scheme will be taken from the

549

- With ``https_fixup = true``, the scheme will be taken from the

550

``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header

550

``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header

551

(default ``http``).

551

(default ``http``).

552

- With ``force_https = true`` the default will be ``https``.

552

- With ``force_https = true`` the default will be ``https``.

553

- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

553

- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

554

555

556

Nginx virtual host example

556

Nginx virtual host example

557

--------------------------

557

--------------------------

558

559

Sample config for Nginx using proxy:

559

Sample config for Nginx using proxy:

560

561

.. code-block:: nginx

561

.. code-block:: nginx

562

563

upstream kallithea {

563

upstream kallithea {

564

server 127.0.0.1:5000;

564

server 127.0.0.1:5000;

565

# add more instances for load balancing

565

# add more instances for load balancing

566

#server 127.0.0.1:5001;

566

#server 127.0.0.1:5001;

567

#server 127.0.0.1:5002;

567

#server 127.0.0.1:5002;

568

}

568

}

569

570

## gist alias

570

## gist alias

571

server {

571

server {

572

listen 443;

572

listen 443;

573

server_name gist.example.com;

573

server_name gist.example.com;

574

access_log /var/log/nginx/gist.access.log;

574

access_log /var/log/nginx/gist.access.log;

575

error_log /var/log/nginx/gist.error.log;

575

error_log /var/log/nginx/gist.error.log;

576

577

ssl on;

577

ssl on;

578

ssl_certificate gist.your.kallithea.server.crt;

578

ssl_certificate gist.your.kallithea.server.crt;

579

ssl_certificate_key gist.your.kallithea.server.key;

579

ssl_certificate_key gist.your.kallithea.server.key;

580

581

ssl_session_timeout 5m;

581

ssl_session_timeout 5m;

582

583

ssl_protocols SSLv3 TLSv1;

583

ssl_protocols SSLv3 TLSv1;

584

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

584

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

585

ssl_prefer_server_ciphers on;

585

ssl_prefer_server_ciphers on;

586

587

rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;

587

rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;

588

rewrite (.*) https://kallithea.example.com/_admin/gists;

588

rewrite (.*) https://kallithea.example.com/_admin/gists;

589

}

589

}

590

591

server {

591

server {

592

listen 443;

592

listen 443;

593

server_name kallithea.example.com

593

server_name kallithea.example.com

594

access_log /var/log/nginx/kallithea.access.log;

594

access_log /var/log/nginx/kallithea.access.log;

595

error_log /var/log/nginx/kallithea.error.log;

595

error_log /var/log/nginx/kallithea.error.log;

596

597

ssl on;

597

ssl on;

598

ssl_certificate your.kallithea.server.crt;

598

ssl_certificate your.kallithea.server.crt;

599

ssl_certificate_key your.kallithea.server.key;

599

ssl_certificate_key your.kallithea.server.key;

600

601

ssl_session_timeout 5m;

601

ssl_session_timeout 5m;

602

603

ssl_protocols SSLv3 TLSv1;

603

ssl_protocols SSLv3 TLSv1;

604

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

604

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

605

ssl_prefer_server_ciphers on;

605

ssl_prefer_server_ciphers on;

606

607

## uncomment root directive if you want to serve static files by nginx

607

## uncomment root directive if you want to serve static files by nginx

608

## requires static_files = false in .ini file

608

## requires static_files = false in .ini file

609

#root /path/to/installation/kallithea/public;

609

#root /path/to/installation/kallithea/public;

610

include /etc/nginx/proxy.conf;

610

include /etc/nginx/proxy.conf;

611

location / {

611

location / {

612

try_files $uri @kallithea;

612

try_files $uri @kallithea;

613

}

613

}

614

615

location @kallithea {

615

location @kallithea {

616

proxy_pass http://127.0.0.1:5000;

616

proxy_pass http://127.0.0.1:5000;

617

}

617

}

618

619

}

619

}

620

621

Here's the proxy.conf. It's tuned so it will not timeout on long

621

Here's the proxy.conf. It's tuned so it will not timeout on long

622

pushes or large pushes::

622

pushes or large pushes::

623

624

proxy_redirect off;

624

proxy_redirect off;

625

proxy_set_header Host $host;

625

proxy_set_header Host $host;

626

## needed for container auth

626

## needed for container auth

627

#proxy_set_header REMOTE_USER $remote_user;

627

#proxy_set_header REMOTE_USER $remote_user;

628

#proxy_set_header X-Forwarded-User $remote_user;

628

#proxy_set_header X-Forwarded-User $remote_user;

629

proxy_set_header X-Url-Scheme $scheme;

629

proxy_set_header X-Url-Scheme $scheme;

630

proxy_set_header X-Host $http_host;

630

proxy_set_header X-Host $http_host;

631

proxy_set_header X-Real-IP $remote_addr;

631

proxy_set_header X-Real-IP $remote_addr;

632

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

632

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

633

proxy_set_header Proxy-host $proxy_host;

633

proxy_set_header Proxy-host $proxy_host;

634

proxy_buffering off;

634

proxy_buffering off;

635

proxy_connect_timeout 7200;

635

proxy_connect_timeout 7200;

636

proxy_send_timeout 7200;

636

proxy_send_timeout 7200;

637

proxy_read_timeout 7200;

637

proxy_read_timeout 7200;

638

proxy_buffers 8 32k;

638

proxy_buffers 8 32k;

639

client_max_body_size 1024m;

639

client_max_body_size 1024m;

640

client_body_buffer_size 128k;

640

client_body_buffer_size 128k;

641

large_client_header_buffers 8 64k;

641

large_client_header_buffers 8 64k;

642

643

644

Apache virtual host reverse proxy example

644

Apache virtual host reverse proxy example

645

-----------------------------------------

645

-----------------------------------------

646

647

Here is a sample configuration file for Apache using proxy:

647

Here is a sample configuration file for Apache using proxy:

648

649

.. code-block:: apache

649

.. code-block:: apache

650

651

651

652

ServerName kallithea.example.com

652

ServerName kallithea.example.com

653

654

654

655

# For Apache 2.4 and later:

655

# For Apache 2.4 and later:

656

Require all granted

656

Require all granted

657

658

# For Apache 2.2 and earlier, instead use:

658

# For Apache 2.2 and earlier, instead use:

659

# Order allow,deny

659

# Order allow,deny

660

# Allow from all

660

# Allow from all

661

</Proxy>

661

</Proxy>

662

663

#important !

663

#important !

664

#Directive to properly generate url (clone url) for pylons

664

#Directive to properly generate url (clone url) for pylons

665

ProxyPreserveHost On

665

ProxyPreserveHost On

666

667

#kallithea instance

667

#kallithea instance

668

ProxyPass / http://127.0.0.1:5000/

668

ProxyPass / http://127.0.0.1:5000/

669

ProxyPassReverse / http://127.0.0.1:5000/

669

ProxyPassReverse / http://127.0.0.1:5000/

670

671

#to enable https use line below

671

#to enable https use line below

672

#SetEnvIf X-Url-Scheme https HTTPS=1

672

#SetEnvIf X-Url-Scheme https HTTPS=1

673

</VirtualHost>

673

</VirtualHost>

674

675

Additional tutorial

675

Additional tutorial

676

http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons

676

http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons

677

678

679

Apache as subdirectory

679

Apache as subdirectory

680

----------------------

680

----------------------

681

682

Apache subdirectory part:

682

Apache subdirectory part:

683

684

.. code-block:: apache

684

.. code-block:: apache

685

686

686

687

ProxyPass http://127.0.0.1:5000/<someprefix>

687

ProxyPass http://127.0.0.1:5000/<someprefix>

688

ProxyPassReverse http://127.0.0.1:5000/<someprefix>

688

ProxyPassReverse http://127.0.0.1:5000/<someprefix>

689

SetEnvIf X-Url-Scheme https HTTPS=1

689

SetEnvIf X-Url-Scheme https HTTPS=1

690

</Location>

690

</Location>

691

692

Besides the regular apache setup you will need to add the following line

692

Besides the regular apache setup you will need to add the following line

693

into ``[app:main]`` section of your .ini file::

693

into ``[app:main]`` section of your .ini file::

694

695

filter-with = proxy-prefix

695

filter-with = proxy-prefix

696

697

Add the following at the end of the .ini file::

697

Add the following at the end of the .ini file::

698

699

[filter:proxy-prefix]

699

[filter:proxy-prefix]

700

use = egg:PasteDeploy#prefix

700

use = egg:PasteDeploy#prefix

701

prefix = /<someprefix>

701

prefix = /<someprefix>

702

703

then change ``<someprefix>`` into your chosen prefix

703

then change ``<someprefix>`` into your chosen prefix

704

705

706

Apache with mod_wsgi

706

Apache with mod_wsgi

707

--------------------

707

--------------------

708

709

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For

709

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For

710

that, you'll need to:

710

that, you'll need to:

711

712

- Install mod_wsgi. If using a Debian-based distro, you can install

712

- Install mod_wsgi. If using a Debian-based distro, you can install

713

the package libapache2-mod-wsgi::

713

the package libapache2-mod-wsgi::

714

715

aptitude install libapache2-mod-wsgi

715

aptitude install libapache2-mod-wsgi

716

717

- Enable mod_wsgi::

717

- Enable mod_wsgi::

718

719

a2enmod wsgi

719

a2enmod wsgi

720

721

- Add global Apache configuration to tell mod_wsgi that Python only will be

722

used in the WSGI processes and shouldn't be initialized in the Apache

723

processes::

724

725

WSGIRestrictEmbedded On

726

721

- Create a wsgi dispatch script, like the one below. Make sure you

727

- Create a wsgi dispatch script, like the one below. Make sure you

722

check that the paths correctly point to where you installed Kallithea

728

check that the paths correctly point to where you installed Kallithea

723

and its Python Virtual Environment.

729

and its Python Virtual Environment.

724

- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,

730

- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,

725

as in the following example. Once again, check the paths are

731

as in the following example. Once again, check the paths are

726

correctly specified.

732

correctly specified.

727

733

728

Here is a sample excerpt from an Apache Virtual Host configuration file:

734

Here is a sample excerpt from an Apache Virtual Host configuration file:

729

735

730

.. code-block:: apache

736

.. code-block:: apache

731

737

732

WSGIDaemonProcess kallithea \

738

WSGIDaemonProcess kallithea \

733

~~processes=1~~ threads=4 \

739

threads=4 \

734

python-~~pat~~h=/srv/kallithea/venv~~/lib/python2.7/site-packages~~

740

python-home=/srv/kallithea/venv

741

WSGIProcessGroup kallithea

735

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

742

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

736

WSGIPassAuthorization On

743

WSGIPassAuthorization On

737

744

738

Or if using a dispatcher WSGI script with proper virtualenv activation:

745

Or if using a dispatcher WSGI script with proper virtualenv activation:

739

746

740

.. code-block:: apache

747

.. code-block:: apache

741

748

742

WSGIDaemonProcess kallithea ~~processes=1~~ threads=4

749

WSGIDaemonProcess kallithea threads=4

750

WSGIProcessGroup kallithea

743

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

751

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

744

WSGIPassAuthorization On

752

WSGIPassAuthorization On

745

753

746

.. note::

754

Apache will by default run as a special Apache user, on Linux systems

747

When running apache as root, please make sure it doesn't run Kallithea as

755

usually ``www-data`` or ``apache``. If you need to have the repositories

748

root, for examply by adding: ``user=www-data group=www-data`` to the configuration.

756

directory owned by a different user, use the user and group options to

757

WSGIDaemonProcess to set the name of the user and group. """

749

758

750

.. note::

759

.. note::

751

If running Kallithea in multiprocess mode,

760

If running Kallithea in multiprocess mode,

752

make sure you set ``instance_id = *`` in the configuration so each process

761

make sure you set ``instance_id = *`` in the configuration so each process

753

gets it's own cache invalidation key.

762

gets it's own cache invalidation key.

754

763

755

Example WSGI dispatch script:

764

Example WSGI dispatch script:

756

765

757

.. code-block:: python

766

.. code-block:: python

758

767

759

import os

768

import os

760

os.environ["HGENCODING"] = "UTF-8"

769

os.environ["HGENCODING"] = "UTF-8"

761

os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

770

os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

762

771

763

# sometimes it's needed to set the curent dir

772

# sometimes it's needed to set the curent dir

764

os.chdir('/srv/kallithea/')

773

os.chdir('/srv/kallithea/')

765

774

766

import site

775

import site

767

site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

776

site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

768

777

769

from paste.deploy import loadapp

778

ini = '/srv/kallithea/my.ini'

770

from paste.script.util.logging_config import fileConfig

779

from paste.script.util.logging_config import fileConfig

771

780

fileConfig(ini)

772

fileConfig('/srv/kallithea/my.ini')

781

from paste.deploy import loadapp

773

application = loadapp('config:~~/srv/kallithea/my.ini~~')

782

application = loadapp('config:' + ini)

774

783

775

Or using proper virtualenv activation:

784

Or using proper virtualenv activation:

776

785

777

.. code-block:: python

786

.. code-block:: python

778

787

779

activate_this = '/srv/kallithea/venv/bin/activate_this.py'

788

activate_this = '/srv/kallithea/venv/bin/activate_this.py'

780

execfile(activate_this, dict(__file__=activate_this))

789

execfile(activate_this, dict(__file__=activate_this))

781

790

782

import os

791

import os

783

os.environ['HOME'] = '/srv/kallithea'

792

os.environ['HOME'] = '/srv/kallithea'

784

793

785

ini = '/srv/kallithea/kallithea.ini'

794

ini = '/srv/kallithea/kallithea.ini'

786

from paste.script.util.logging_config import fileConfig

795

from paste.script.util.logging_config import fileConfig

787

fileConfig(ini)

796

fileConfig(ini)

788

from paste.deploy import loadapp

797

from paste.deploy import loadapp

789

application = loadapp('config:' + ini)

798

application = loadapp('config:' + ini)

790

799

791

800

792

Other configuration files

801

Other configuration files

793

-------------------------

802

-------------------------

794

803

795

A number of `example init.d scripts`__ can be found in

804

A number of `example init.d scripts`__ can be found in

796

the ``init.d`` directory of the Kallithea source.

805

the ``init.d`` directory of the Kallithea source.

797

806

798

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .

807

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .

799

808

800

809

801

.. _virtualenv: http://pypi.python.org/pypi/virtualenv

810

.. _virtualenv: http://pypi.python.org/pypi/virtualenv

802

.. _python: http://www.python.org/

811

.. _python: http://www.python.org/

803

.. _Mercurial: http://mercurial.selenic.com/

812

.. _Mercurial: http://mercurial.selenic.com/

804

.. _Celery: http://celeryproject.org/

813

.. _Celery: http://celeryproject.org/

805

.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html

814

.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html

806

.. _RabbitMQ: http://www.rabbitmq.com/

815

.. _RabbitMQ: http://www.rabbitmq.com/

807

.. _Redis: http://redis.io/

816

.. _Redis: http://redis.io/

808

.. _python-ldap: http://www.python-ldap.org/

817

.. _python-ldap: http://www.python-ldap.org/

809

.. _mercurial-server: http://www.lshift.net/mercurial-server.html

818

.. _mercurial-server: http://www.lshift.net/mercurial-server.html

810

.. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories

819

.. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             .. _setup:
             =====
             Setup
             =====
             Setting up Kallithea
             --------------------
             First, you will need to create a Kallithea configuration file. Run the
             following command to do so::
                 paster make-config Kallithea my.ini
             This will create the file ``my.ini`` in the current directory. This
             configuration file contains the various settings for Kallithea, e.g.
             proxy port, email settings, usage of static files, cache, Celery
             settings, and logging.
             Next, you need to create the databases used by Kallithea. It is recommended to
             use PostgreSQL or SQLite (default). If you choose a database other than the
             default, ensure you properly adjust the database URL in your ``my.ini``
             configuration file to use this other database. Kallithea currently supports
             PostgreSQL, SQLite and MySQL databases. Create the database by running
             the following command::
                 paster setup-db my.ini
             This will prompt you for a "root" path. This "root" path is the location where
             Kallithea will store all of its repositories on the current machine. After
             entering this "root" path ``setup-db`` will also prompt you for a username
             and password for the initial admin account which ``setup-db`` sets
             up for you.
             The ``setup-db`` values can also be given on the command line.
             Example::
                 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
             The ``setup-db`` command will create all needed tables and an
             admin account. When choosing a root path you can either use a new
             empty location, or a location which already contains existing
             repositories. If you choose a location which contains existing
             repositories Kallithea will add all of the repositories at the chosen
             location to its database.  (Note: make sure you specify the correct
             path to the root).
             .. note:: the given path for Mercurial_ repositories **must** be write
                       accessible for the application. It's very important since
                       the Kallithea web interface will work without write access,
                       but when trying to do a push it will fail with permission
                       denied errors unless it has write access.
             You are now ready to use Kallithea. To run it simply execute::
                 paster serve my.ini
             - This command runs the Kallithea server. The web app should be available at
               http://127.0.0.1:5000. The IP address and port is configurable via the
               configuration file created in the previous step.
             - Log in to Kallithea using the admin account created when running ``setup-db``.
             - The default permissions on each repository is read, and the owner is admin.
               Remember to update these if needed.
             - In the admin panel you can toggle LDAP, anonymous, and permissions
               settings, as well as edit more advanced options on users and
               repositories.
             Extensions
             ----------
             Optionally one can create an ``rcextensions`` package that extends Kallithea
             functionality.
             To generate a skeleton extensions package, run::
                 paster make-rcext my.ini
             This will create an ``rcextensions`` package next to the specified ``ini`` file.
             With ``rcextensions`` it's possible to add additional mapping for whoosh,
             stats and add additional code into the push/pull/create/delete repo hooks,
             for example for sending signals to build-bots such as Jenkins.
             See the ``__init__.py`` file inside the generated ``rcextensions`` package
             for more details.
             Using Kallithea with SSH
             ------------------------
             Kallithea currently only hosts repositories using http and https. (The addition
             of ssh hosting is a planned future feature.) However you can easily use ssh in
             parallel with Kallithea. (Repository access via ssh is a standard "out of
             the box" feature of Mercurial_ and you can use this to access any of the
             repositories that Kallithea is hosting. See PublishingRepositories_)
             Kallithea repository structures are kept in directories with the same name
             as the project. When using repository groups, each group is a subdirectory.
             This allows you to easily use ssh for accessing repositories.
             In order to use ssh you need to make sure that your web server and the users'
             login accounts have the correct permissions set on the appropriate directories.
             .. note:: These permissions are independent of any permissions you
                       have set up using the Kallithea web interface.
             If your main directory (the same as set in Kallithea settings) is for
             example set to ``/srv/repos`` and the repository you are using is
             named ``kallithea``, then to clone via ssh you should run::
                 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
             Using other external tools such as mercurial-server_ or using ssh key-based
             authentication is fully supported.
             .. note:: In an advanced setup, in order for your ssh access to use
                       the same permissions as set up via the Kallithea web
                       interface, you can create an authentication hook to connect
                       to the Kallithea db and run check functions for permissions
                       against that.
             Setting up Whoosh full text search
             ----------------------------------
             Kallithea provides full text search of repositories using `Whoosh`__.
             .. __: https://pythonhosted.org/Whoosh/
             For an incremental index build, run::
                 paster make-index my.ini
             For a full index rebuild, run::
                 paster make-index my.ini -f
             The ``--repo-location`` option allows the location of the repositories to be overriden;
             usually, the location is retrieved from the Kallithea database.
             The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
                 paster make-index my.ini --index-only=vcs,kallithea
             To keep your index up-to-date it is necessary to do periodic index builds;
             for this, it is recommended to use a crontab entry. Example::
 3  *  *  *  /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
             When using incremental mode (the default), Whoosh will check the last
             modification date of each file and add it to be reindexed if a newer file is
             available. The indexing daemon checks for any removed files and removes them
             from index.
             If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
             or in the admin panel you can check the "build from scratch" checkbox.
             .. _ldap-setup:
             Setting up LDAP support
             -----------------------
             Kallithea supports LDAP authentication. In order
             to use LDAP, you have to install the python-ldap_ package. This package is
             available via PyPI, so you can install it by running::
                 pip install python-ldap
             .. note:: ``python-ldap`` requires some libraries to be installed on
                       your system, so before installing it check that you have at
                       least the ``openldap`` and ``sasl`` libraries.
             Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
             and then *Save*, to enable the LDAP plugin and configure its settings.
             Here's a typical LDAP setup::
              Connection settings
              Enable LDAP          = checked
              Host                 = host.example.com
              Port                 = 389
              Account              = <account>
              Password             = <password>
              Connection Security  = LDAPS connection
              Certificate Checks   = DEMAND
              Search settings
              Base DN              = CN=users,DC=host,DC=example,DC=org
              LDAP Filter          = (&(objectClass=user)(!(objectClass=computer)))
              LDAP Search Scope    = SUBTREE
              Attribute mappings
              Login Attribute      = uid
              First Name Attribute = firstName
              Last Name Attribute  = lastName
              Email Attribute      = mail
             If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
              Search settings
              Base DN              = DC=host,DC=example,DC=org
              LDAP Filter          = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
              LDAP Search Scope    = SUBTREE
             .. _enable_ldap:
             Enable LDAP : required
                 Whether to use LDAP for authenticating users.
             .. _ldap_host:
             Host : required
                 LDAP server hostname or IP address. Can be also a comma separated
                 list of servers to support LDAP fail-over.
             .. _Port:
             Port : required
 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
             .. _ldap_account:
             Account : optional
                 Only required if the LDAP server does not allow anonymous browsing of
                 records.  This should be a special account for record browsing.  This
                 will require `LDAP Password`_ below.
             .. _LDAP Password:
             Password : optional
                 Only required if the LDAP server does not allow anonymous browsing of
                 records.
             .. _Enable LDAPS:
             Connection Security : required
                 Defines the connection to LDAP server
                 No encryption
                     Plain non encrypted connection
                 LDAPS connection
                     Enable LDAPS connections. It will likely require `Port`_ to be set to
                     a different value (standard LDAPS port is 636). When LDAPS is enabled
                     then `Certificate Checks`_ is required.
                 START_TLS on LDAP connection
                     START TLS connection
             .. _Certificate Checks:
             Certificate Checks : optional
                 How SSL certificates verification is handled -- this is only useful when
                 `Enable LDAPS`_ is enabled.  Only DEMAND or HARD offer full SSL security
                 while the other options are susceptible to man-in-the-middle attacks.  SSL
                 certificates can be installed to /etc/openldap/cacerts so that the
                 DEMAND or HARD options can be used with self-signed certificates or
                 certificates that do not have traceable certificates of authority.
                 NEVER
                     A serve certificate will never be requested or checked.
                 ALLOW
                     A server certificate is requested.  Failure to provide a
                     certificate or providing a bad certificate will not terminate the
                     session.
                 TRY
                     A server certificate is requested.  Failure to provide a
                     certificate does not halt the session; providing a bad certificate
                     halts the session.
                 DEMAND
                     A server certificate is requested and must be provided and
                     authenticated for the session to proceed.
                 HARD
                     The same as DEMAND.
             .. _Base DN:
             Base DN : required
                 The Distinguished Name (DN) where searches for users will be performed.
                 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
             .. _LDAP Filter:
             LDAP Filter : optional
                 A LDAP filter defined by RFC 2254.  This is more useful when `LDAP
                 Search Scope`_ is set to SUBTREE.  The filter is useful for limiting
                 which LDAP objects are identified as representing Users for
                 authentication.  The filter is augmented by `Login Attribute`_ below.
                 This can commonly be left blank.
             .. _LDAP Search Scope:
             LDAP Search Scope : required
                 This limits how far LDAP will search for a matching object.
                 BASE
                     Only allows searching of `Base DN`_ and is usually not what you
                     want.
                 ONELEVEL
                     Searches all entries under `Base DN`_, but not Base DN itself.
                 SUBTREE
                     Searches all entries below `Base DN`_, but not Base DN itself.
                     When using SUBTREE `LDAP Filter`_ is useful to limit object
                     location.
             .. _Login Attribute:
             Login Attribute : required
                 The LDAP record attribute that will be matched as the USERNAME or
                 ACCOUNT used to connect to Kallithea.  This will be added to `LDAP
                 Filter`_ for locating the User object.  If `LDAP Filter`_ is specified as
                 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
                 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
                 ::
                     (&(LDAPFILTER)(uid=jsmith))
             .. _ldap_attr_firstname:
             First Name Attribute : required
                 The LDAP record attribute which represents the user's first name.
             .. _ldap_attr_lastname:
             Last Name Attribute : required
                 The LDAP record attribute which represents the user's last name.
             .. _ldap_attr_email:
             Email Attribute : required
                 The LDAP record attribute which represents the user's email address.
             If all data are entered correctly, and python-ldap_ is properly installed
             users should be granted access to Kallithea with LDAP accounts.  At this
             time user information is copied from LDAP into the Kallithea user database.
             This means that updates of an LDAP user object may not be reflected as a
             user update in Kallithea.
             If You have problems with LDAP access and believe You entered correct
             information check out the Kallithea logs, any error messages sent from LDAP
             will be saved there.
             Active Directory
             ''''''''''''''''
             Kallithea can use Microsoft Active Directory for user authentication.  This
             is done through an LDAP or LDAPS connection to Active Directory.  The
             following LDAP configuration settings are typical for using Active
             Directory ::
              Base DN              = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
              Login Attribute      = sAMAccountName
              First Name Attribute = givenName
              Last Name Attribute  = sn
              Email Attribute     = mail
             All other LDAP settings will likely be site-specific and should be
             appropriately configured.
             Authentication by container or reverse-proxy
             --------------------------------------------
             Kallithea supports delegating the authentication
             of users to its WSGI container, or to a reverse-proxy server through which all
             clients access the application.
             When these authentication methods are enabled in Kallithea, it uses the
             username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
             perform the authentication itself. The authorization, however, is still done by
             Kallithea according to its settings.
             When a user logs in for the first time using these authentication methods,
             a matching user account is created in Kallithea with default permissions. An
             administrator can then modify it using Kallithea's admin interface.
             It's also possible for an administrator to create accounts and configure their
             permissions before the user logs in for the first time, using the :ref:`create-user` API.
             Container-based authentication
             ''''''''''''''''''''''''''''''
             In a container-based authentication setup, Kallithea reads the user name from
             the ``REMOTE_USER`` server variable provided by the WSGI container.
             After setting up your container (see `Apache with mod_wsgi`_), you'll need
             to configure it to require authentication on the location configured for
             Kallithea.
             Proxy pass-through authentication
             '''''''''''''''''''''''''''''''''
             In a proxy pass-through authentication setup, Kallithea reads the user name
             from the ``X-Forwarded-User`` request header, which should be configured to be
             sent by the reverse-proxy server.
             After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
             `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
             configure the authentication and add the username in a request header named
             ``X-Forwarded-User``.
             For example, the following config section for Apache sets a subdirectory in a
             reverse-proxy setup with basic auth:
             .. code-block:: apache
                 <Location /someprefix>
                   ProxyPass http://127.0.0.1:5000/someprefix
                   ProxyPassReverse http://127.0.0.1:5000/someprefix
                   SetEnvIf X-Url-Scheme https HTTPS=1
                   AuthType Basic
                   AuthName "Kallithea authentication"
                   AuthUserFile /srv/kallithea/.htpasswd
                   Require valid-user
                   RequestHeader unset X-Forwarded-User
                   RewriteEngine On
                   RewriteCond %{LA-U:REMOTE_USER} (.+)
                   RewriteRule .* - [E=RU:%1]
                   RequestHeader set X-Forwarded-User %{RU}e
                 </Location>
             .. note::
                If you enable proxy pass-through authentication, make sure your server is
                only accessible through the proxy. Otherwise, any client would be able to
                forge the authentication header and could effectively become authenticated
                using any account of their liking.
             Integration with issue trackers
             -------------------------------
             Kallithea provides a simple integration with issue trackers. It's possible
             to define a regular expression that will match an issue ID in commit messages,
             and have that replaced with a URL to the issue. To enable this simply
             uncomment the following variables in the ini file::
                 issue_pat = (?:^#|\s#)(\w+)
                 issue_server_link = https://issues.example.com/{repo}/issue/{id}
                 issue_prefix = #
             ``issue_pat`` is the regular expression describing which strings in
             commit messages will be treated as issue references. A match group in
             parentheses should be used to specify the actual issue id.
             The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
             Matched issue references are replaced with the link specified in
             ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
             ``{repo}`` with the repository name.  Since the # is stripped away,
             ``issue_prefix`` is prepended to the link text.  ``issue_prefix`` doesn't
             necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
             generate a URL in the format:
             .. code-block:: html
               <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
             If needed, more than one pattern can be specified by appending a unique suffix to
             the variables. For example::
                 issue_pat_wiki = (?:wiki-)(.+)
                 issue_server_link_wiki = https://wiki.example.com/{id}
                 issue_prefix_wiki = WIKI-
             With these settings, wiki pages can be referenced as wiki-some-id, and every
             such reference will be transformed into:
             .. code-block:: html
               <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
             Hook management
             ---------------
             Hooks can be managed in similar way to that used in ``.hgrc`` files.
             To manage hooks, choose *Admin > Settings > Hooks*.
             The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
             To add another custom hook simply fill in the first textbox with
             ``<name>.<hook_type>`` and the second with the hook path. Example hooks
             can be found in ``kallithea.lib.hooks``.
             Changing default encoding
             -------------------------
             By default, Kallithea uses UTF-8 encoding.
             This is configurable as ``default_encoding`` in the .ini file.
             This affects many parts in Kallithea including user names, filenames, and
             encoding of commit messages. In addition Kallithea can detect if the ``chardet``
             library is installed. If ``chardet`` is detected Kallithea will fallback to it
             when there are encode/decode errors.
             Celery configuration
             --------------------
             Kallithea can use the distributed task queue system Celery_ to run tasks like
             cloning repositories or sending emails.
             Kallithea will in most setups work perfectly fine out of the box (without
             Celery), executing all tasks in the web server process. Some tasks can however
             take some time to run and it can be better to run such tasks asynchronously in
             a separate process so the web server can focus on serving web requests.
             For installation and configuration of Celery, see the `Celery documentation`_.
             Note that Celery requires a message broker service like RabbitMQ_ (recommended)
             or Redis_.
             The use of Celery is configured in the Kallithea ini configuration file.
             To enable it, simply set::
               use_celery = true
             and add or change the ``celery.*`` and ``broker.*`` configuration variables.
             Remember that the ini files use the format with '.' and not with '_' like
             Celery. So for example setting `BROKER_HOST` in Celery means setting
             `broker.host` in the configuration file.
             To start the Celery process, run::
              paster celeryd <configfile.ini>
             .. note::
                Make sure you run this command from the same virtualenv, and with the same
                user that Kallithea runs.
             HTTPS support
             -------------
             Kallithea will by default generate URLs based on the WSGI environment.
             Alternatively, you can use some special configuration settings to control
             directly which scheme/protocol Kallithea will use when generating URLs:
             - With ``https_fixup = true``, the scheme will be taken from the
               ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
               (default ``http``).
             - With ``force_https = true`` the default will be ``https``.
             - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
             Nginx virtual host example
             --------------------------
             Sample config for Nginx using proxy:
             .. code-block:: nginx
                 upstream kallithea {
                     server 127.0.0.1:5000;
                     # add more instances for load balancing
                     #server 127.0.0.1:5001;
                     #server 127.0.0.1:5002;
                 }
                 ## gist alias
                 server {
                    listen          443;
                    server_name     gist.example.com;
                    access_log      /var/log/nginx/gist.access.log;
                    error_log       /var/log/nginx/gist.error.log;
                    ssl on;
                    ssl_certificate     gist.your.kallithea.server.crt;
                    ssl_certificate_key gist.your.kallithea.server.key;
                    ssl_session_timeout 5m;
                    ssl_protocols SSLv3 TLSv1;
                    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
                    ssl_prefer_server_ciphers on;
                    rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
                    rewrite (.*)    https://kallithea.example.com/_admin/gists;
                 }
                 server {
                    listen          443;
                    server_name     kallithea.example.com
                    access_log      /var/log/nginx/kallithea.access.log;
                    error_log       /var/log/nginx/kallithea.error.log;
                    ssl on;
                    ssl_certificate     your.kallithea.server.crt;
                    ssl_certificate_key your.kallithea.server.key;
                    ssl_session_timeout 5m;
                    ssl_protocols SSLv3 TLSv1;
                    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
                    ssl_prefer_server_ciphers on;
                    ## uncomment root directive if you want to serve static files by nginx
                    ## requires static_files = false in .ini file
                    #root /path/to/installation/kallithea/public;
                    include         /etc/nginx/proxy.conf;
                    location / {
                         try_files $uri @kallithea;
                    }
                    location @kallithea {
                         proxy_pass      http://127.0.0.1:5000;
                    }
                 }
             Here's the proxy.conf. It's tuned so it will not timeout on long
             pushes or large pushes::
                 proxy_redirect              off;
                 proxy_set_header            Host $host;
                 ## needed for container auth
                 #proxy_set_header            REMOTE_USER $remote_user;
                 #proxy_set_header            X-Forwarded-User $remote_user;
                 proxy_set_header            X-Url-Scheme $scheme;
                 proxy_set_header            X-Host $http_host;
                 proxy_set_header            X-Real-IP $remote_addr;
                 proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header            Proxy-host $proxy_host;
                 proxy_buffering             off;
                 proxy_connect_timeout       7200;
                 proxy_send_timeout          7200;
                 proxy_read_timeout          7200;
                 proxy_buffers               8 32k;
                 client_max_body_size        1024m;
                 client_body_buffer_size     128k;
                 large_client_header_buffers 8 64k;
             Apache virtual host reverse proxy example
             -----------------------------------------
             Here is a sample configuration file for Apache using proxy:
             .. code-block:: apache
                 <VirtualHost *:80>
                         ServerName kallithea.example.com
                         <Proxy *>
                           # For Apache 2.4 and later:
                           Require all granted
                           # For Apache 2.2 and earlier, instead use:
                           # Order allow,deny
                           # Allow from all
                         </Proxy>
                         #important !
                         #Directive to properly generate url (clone url) for pylons
                         ProxyPreserveHost On
                         #kallithea instance
                         ProxyPass / http://127.0.0.1:5000/
                         ProxyPassReverse / http://127.0.0.1:5000/
                         #to enable https use line below
                         #SetEnvIf X-Url-Scheme https HTTPS=1
                 </VirtualHost>
             Additional tutorial
             http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
             Apache as subdirectory
             ----------------------
             Apache subdirectory part:
             .. code-block:: apache
                 <Location /<someprefix> >
                   ProxyPass http://127.0.0.1:5000/<someprefix>
                   ProxyPassReverse http://127.0.0.1:5000/<someprefix>
                   SetEnvIf X-Url-Scheme https HTTPS=1
                 </Location>
             Besides the regular apache setup you will need to add the following line
             into ``[app:main]`` section of your .ini file::
                 filter-with = proxy-prefix
             Add the following at the end of the .ini file::
                 [filter:proxy-prefix]
                 use = egg:PasteDeploy#prefix
                 prefix = /<someprefix>
             then change ``<someprefix>`` into your chosen prefix
             Apache with mod_wsgi
             --------------------
             Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
             that, you'll need to:
             - Install mod_wsgi. If using a Debian-based distro, you can install
               the package libapache2-mod-wsgi::
                 aptitude install libapache2-mod-wsgi
             - Enable mod_wsgi::
                 a2enmod wsgi
+            - Add global Apache configuration to tell mod_wsgi that Python only will be
+              used in the WSGI processes and shouldn't be initialized in the Apache
+              processes::
+                WSGIRestrictEmbedded On
             - Create a wsgi dispatch script, like the one below. Make sure you
               check that the paths correctly point to where you installed Kallithea
               and its Python Virtual Environment.
             - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
               as in the following example. Once again, check the paths are
               correctly specified.
             Here is a sample excerpt from an Apache Virtual Host configuration file:
             .. code-block:: apache
                 WSGIDaemonProcess kallithea \
-                    processes=1 threads=4 \
+                    threads=4 \
-                    python-path=/srv/kallithea/venv/lib/python2.7/site-packages
+                    python-home=/srv/kallithea/venv
+                WSGIProcessGroup kallithea
                 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
                 WSGIPassAuthorization On
             Or if using a dispatcher WSGI script with proper virtualenv activation:
             .. code-block:: apache
-                WSGIDaemonProcess kallithea processes=1 threads=4
+                WSGIDaemonProcess kallithea threads=4
+                WSGIProcessGroup kallithea
                 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
                 WSGIPassAuthorization On
-            .. note::
+            Apache will by default run as a special Apache user, on Linux systems
-               When running apache as root, please make sure it doesn't run Kallithea as
+            usually ``www-data`` or ``apache``. If you need to have the repositories
-               root, for examply by adding: ``user=www-data group=www-data`` to the configuration.
+            directory owned by a different user, use the user and group options to
+            WSGIDaemonProcess to set the name of the user and group. """
             .. note::
                If running Kallithea in multiprocess mode,
                make sure you set ``instance_id = *`` in the configuration so each process
                gets it's own cache invalidation key.
             Example WSGI dispatch script:
             .. code-block:: python
                 import os
                 os.environ["HGENCODING"] = "UTF-8"
                 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
                 # sometimes it's needed to set the curent dir
                 os.chdir('/srv/kallithea/')
                 import site
                 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
-                from paste.deploy import loadapp
+                ini = '/srv/kallithea/my.ini'
                 from paste.script.util.logging_config import fileConfig
+                fileConfig(ini)
-                fileConfig('/srv/kallithea/my.ini')
+                from paste.deploy import loadapp
-                application = loadapp('config:/srv/kallithea/my.ini')
+                application = loadapp('config:' + ini)
             Or using proper virtualenv activation:
             .. code-block:: python
                 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
                 execfile(activate_this, dict(__file__=activate_this))
                 import os
                 os.environ['HOME'] = '/srv/kallithea'
                 ini = '/srv/kallithea/kallithea.ini'
                 from paste.script.util.logging_config import fileConfig
                 fileConfig(ini)
                 from paste.deploy import loadapp
                 application = loadapp('config:' + ini)
             Other configuration files
             -------------------------
             A number of `example init.d scripts`__ can be found in
             the ``init.d`` directory of the Kallithea source.
             .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
             .. _virtualenv: http://pypi.python.org/pypi/virtualenv
             .. _python: http://www.python.org/
             .. _Mercurial: http://mercurial.selenic.com/
             .. _Celery: http://celeryproject.org/
             .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
             .. _RabbitMQ: http://www.rabbitmq.com/
             .. _Redis: http://redis.io/
             .. _python-ldap: http://www.python-ldap.org/
             .. _mercurial-server: http://www.lshift.net/mercurial-server.html
             .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories