##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

docs: improve mod_wsgi documentation (Issue #203)...
Mads Kiilerich -
r5752:8c479b27 stable
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,810 +1,819 b''
1 1 .. _setup:
2 2
3 3 =====
4 4 Setup
5 5 =====
6 6
7 7
8 8 Setting up Kallithea
9 9 --------------------
10 10
11 11 First, you will need to create a Kallithea configuration file. Run the
12 12 following command to do so::
13 13
14 14 paster make-config Kallithea my.ini
15 15
16 16 This will create the file ``my.ini`` in the current directory. This
17 17 configuration file contains the various settings for Kallithea, e.g.
18 18 proxy port, email settings, usage of static files, cache, Celery
19 19 settings, and logging.
20 20
21 21 Next, you need to create the databases used by Kallithea. It is recommended to
22 22 use PostgreSQL or SQLite (default). If you choose a database other than the
23 23 default, ensure you properly adjust the database URL in your ``my.ini``
24 24 configuration file to use this other database. Kallithea currently supports
25 25 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 26 the following command::
27 27
28 28 paster setup-db my.ini
29 29
30 30 This will prompt you for a "root" path. This "root" path is the location where
31 31 Kallithea will store all of its repositories on the current machine. After
32 32 entering this "root" path ``setup-db`` will also prompt you for a username
33 33 and password for the initial admin account which ``setup-db`` sets
34 34 up for you.
35 35
36 36 The ``setup-db`` values can also be given on the command line.
37 37 Example::
38 38
39 39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40 40
41 41 The ``setup-db`` command will create all needed tables and an
42 42 admin account. When choosing a root path you can either use a new
43 43 empty location, or a location which already contains existing
44 44 repositories. If you choose a location which contains existing
45 45 repositories Kallithea will add all of the repositories at the chosen
46 46 location to its database. (Note: make sure you specify the correct
47 47 path to the root).
48 48
49 49 .. note:: the given path for Mercurial_ repositories **must** be write
50 50 accessible for the application. It's very important since
51 51 the Kallithea web interface will work without write access,
52 52 but when trying to do a push it will fail with permission
53 53 denied errors unless it has write access.
54 54
55 55 You are now ready to use Kallithea. To run it simply execute::
56 56
57 57 paster serve my.ini
58 58
59 59 - This command runs the Kallithea server. The web app should be available at
60 60 http://127.0.0.1:5000. The IP address and port is configurable via the
61 61 configuration file created in the previous step.
62 62 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 63 - The default permissions on each repository is read, and the owner is admin.
64 64 Remember to update these if needed.
65 65 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 66 settings, as well as edit more advanced options on users and
67 67 repositories.
68 68
69 69
70 70 Extensions
71 71 ----------
72 72
73 73 Optionally one can create an ``rcextensions`` package that extends Kallithea
74 74 functionality.
75 75 To generate a skeleton extensions package, run::
76 76
77 77 paster make-rcext my.ini
78 78
79 79 This will create an ``rcextensions`` package next to the specified ``ini`` file.
80 80 With ``rcextensions`` it's possible to add additional mapping for whoosh,
81 81 stats and add additional code into the push/pull/create/delete repo hooks,
82 82 for example for sending signals to build-bots such as Jenkins.
83 83
84 84 See the ``__init__.py`` file inside the generated ``rcextensions`` package
85 85 for more details.
86 86
87 87
88 88 Using Kallithea with SSH
89 89 ------------------------
90 90
91 91 Kallithea currently only hosts repositories using http and https. (The addition
92 92 of ssh hosting is a planned future feature.) However you can easily use ssh in
93 93 parallel with Kallithea. (Repository access via ssh is a standard "out of
94 94 the box" feature of Mercurial_ and you can use this to access any of the
95 95 repositories that Kallithea is hosting. See PublishingRepositories_)
96 96
97 97 Kallithea repository structures are kept in directories with the same name
98 98 as the project. When using repository groups, each group is a subdirectory.
99 99 This allows you to easily use ssh for accessing repositories.
100 100
101 101 In order to use ssh you need to make sure that your web server and the users'
102 102 login accounts have the correct permissions set on the appropriate directories.
103 103
104 104 .. note:: These permissions are independent of any permissions you
105 105 have set up using the Kallithea web interface.
106 106
107 107 If your main directory (the same as set in Kallithea settings) is for
108 108 example set to ``/srv/repos`` and the repository you are using is
109 109 named ``kallithea``, then to clone via ssh you should run::
110 110
111 111 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
112 112
113 113 Using other external tools such as mercurial-server_ or using ssh key-based
114 114 authentication is fully supported.
115 115
116 116 .. note:: In an advanced setup, in order for your ssh access to use
117 117 the same permissions as set up via the Kallithea web
118 118 interface, you can create an authentication hook to connect
119 119 to the Kallithea db and run check functions for permissions
120 120 against that.
121 121
122 122
123 123 Setting up Whoosh full text search
124 124 ----------------------------------
125 125
126 126 Kallithea provides full text search of repositories using `Whoosh`__.
127 127
128 128 .. __: https://pythonhosted.org/Whoosh/
129 129
130 130 For an incremental index build, run::
131 131
132 132 paster make-index my.ini
133 133
134 134 For a full index rebuild, run::
135 135
136 136 paster make-index my.ini -f
137 137
138 138 The ``--repo-location`` option allows the location of the repositories to be overriden;
139 139 usually, the location is retrieved from the Kallithea database.
140 140
141 141 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
142 142
143 143 paster make-index my.ini --index-only=vcs,kallithea
144 144
145 145 To keep your index up-to-date it is necessary to do periodic index builds;
146 146 for this, it is recommended to use a crontab entry. Example::
147 147
148 148 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
149 149
150 150 When using incremental mode (the default), Whoosh will check the last
151 151 modification date of each file and add it to be reindexed if a newer file is
152 152 available. The indexing daemon checks for any removed files and removes them
153 153 from index.
154 154
155 155 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
156 156 or in the admin panel you can check the "build from scratch" checkbox.
157 157
158 158 .. _ldap-setup:
159 159
160 160 Setting up LDAP support
161 161 -----------------------
162 162
163 163 Kallithea supports LDAP authentication. In order
164 164 to use LDAP, you have to install the python-ldap_ package. This package is
165 165 available via PyPI, so you can install it by running::
166 166
167 167 pip install python-ldap
168 168
169 169 .. note:: ``python-ldap`` requires some libraries to be installed on
170 170 your system, so before installing it check that you have at
171 171 least the ``openldap`` and ``sasl`` libraries.
172 172
173 173 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
174 174 and then *Save*, to enable the LDAP plugin and configure its settings.
175 175
176 176 Here's a typical LDAP setup::
177 177
178 178 Connection settings
179 179 Enable LDAP = checked
180 180 Host = host.example.com
181 181 Port = 389
182 182 Account = <account>
183 183 Password = <password>
184 184 Connection Security = LDAPS connection
185 185 Certificate Checks = DEMAND
186 186
187 187 Search settings
188 188 Base DN = CN=users,DC=host,DC=example,DC=org
189 189 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
190 190 LDAP Search Scope = SUBTREE
191 191
192 192 Attribute mappings
193 193 Login Attribute = uid
194 194 First Name Attribute = firstName
195 195 Last Name Attribute = lastName
196 196 Email Attribute = mail
197 197
198 198 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
199 199
200 200 Search settings
201 201 Base DN = DC=host,DC=example,DC=org
202 202 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
203 203 LDAP Search Scope = SUBTREE
204 204
205 205 .. _enable_ldap:
206 206
207 207 Enable LDAP : required
208 208 Whether to use LDAP for authenticating users.
209 209
210 210 .. _ldap_host:
211 211
212 212 Host : required
213 213 LDAP server hostname or IP address. Can be also a comma separated
214 214 list of servers to support LDAP fail-over.
215 215
216 216 .. _Port:
217 217
218 218 Port : required
219 219 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
220 220
221 221 .. _ldap_account:
222 222
223 223 Account : optional
224 224 Only required if the LDAP server does not allow anonymous browsing of
225 225 records. This should be a special account for record browsing. This
226 226 will require `LDAP Password`_ below.
227 227
228 228 .. _LDAP Password:
229 229
230 230 Password : optional
231 231 Only required if the LDAP server does not allow anonymous browsing of
232 232 records.
233 233
234 234 .. _Enable LDAPS:
235 235
236 236 Connection Security : required
237 237 Defines the connection to LDAP server
238 238
239 239 No encryption
240 240 Plain non encrypted connection
241 241
242 242 LDAPS connection
243 243 Enable LDAPS connections. It will likely require `Port`_ to be set to
244 244 a different value (standard LDAPS port is 636). When LDAPS is enabled
245 245 then `Certificate Checks`_ is required.
246 246
247 247 START_TLS on LDAP connection
248 248 START TLS connection
249 249
250 250 .. _Certificate Checks:
251 251
252 252 Certificate Checks : optional
253 253 How SSL certificates verification is handled -- this is only useful when
254 254 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
255 255 while the other options are susceptible to man-in-the-middle attacks. SSL
256 256 certificates can be installed to /etc/openldap/cacerts so that the
257 257 DEMAND or HARD options can be used with self-signed certificates or
258 258 certificates that do not have traceable certificates of authority.
259 259
260 260 NEVER
261 261 A serve certificate will never be requested or checked.
262 262
263 263 ALLOW
264 264 A server certificate is requested. Failure to provide a
265 265 certificate or providing a bad certificate will not terminate the
266 266 session.
267 267
268 268 TRY
269 269 A server certificate is requested. Failure to provide a
270 270 certificate does not halt the session; providing a bad certificate
271 271 halts the session.
272 272
273 273 DEMAND
274 274 A server certificate is requested and must be provided and
275 275 authenticated for the session to proceed.
276 276
277 277 HARD
278 278 The same as DEMAND.
279 279
280 280 .. _Base DN:
281 281
282 282 Base DN : required
283 283 The Distinguished Name (DN) where searches for users will be performed.
284 284 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
285 285
286 286 .. _LDAP Filter:
287 287
288 288 LDAP Filter : optional
289 289 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
290 290 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
291 291 which LDAP objects are identified as representing Users for
292 292 authentication. The filter is augmented by `Login Attribute`_ below.
293 293 This can commonly be left blank.
294 294
295 295 .. _LDAP Search Scope:
296 296
297 297 LDAP Search Scope : required
298 298 This limits how far LDAP will search for a matching object.
299 299
300 300 BASE
301 301 Only allows searching of `Base DN`_ and is usually not what you
302 302 want.
303 303
304 304 ONELEVEL
305 305 Searches all entries under `Base DN`_, but not Base DN itself.
306 306
307 307 SUBTREE
308 308 Searches all entries below `Base DN`_, but not Base DN itself.
309 309 When using SUBTREE `LDAP Filter`_ is useful to limit object
310 310 location.
311 311
312 312 .. _Login Attribute:
313 313
314 314 Login Attribute : required
315 315 The LDAP record attribute that will be matched as the USERNAME or
316 316 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
317 317 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
318 318 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
319 319 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
320 320 ::
321 321
322 322 (&(LDAPFILTER)(uid=jsmith))
323 323
324 324 .. _ldap_attr_firstname:
325 325
326 326 First Name Attribute : required
327 327 The LDAP record attribute which represents the user's first name.
328 328
329 329 .. _ldap_attr_lastname:
330 330
331 331 Last Name Attribute : required
332 332 The LDAP record attribute which represents the user's last name.
333 333
334 334 .. _ldap_attr_email:
335 335
336 336 Email Attribute : required
337 337 The LDAP record attribute which represents the user's email address.
338 338
339 339 If all data are entered correctly, and python-ldap_ is properly installed
340 340 users should be granted access to Kallithea with LDAP accounts. At this
341 341 time user information is copied from LDAP into the Kallithea user database.
342 342 This means that updates of an LDAP user object may not be reflected as a
343 343 user update in Kallithea.
344 344
345 345 If You have problems with LDAP access and believe You entered correct
346 346 information check out the Kallithea logs, any error messages sent from LDAP
347 347 will be saved there.
348 348
349 349 Active Directory
350 350 ''''''''''''''''
351 351
352 352 Kallithea can use Microsoft Active Directory for user authentication. This
353 353 is done through an LDAP or LDAPS connection to Active Directory. The
354 354 following LDAP configuration settings are typical for using Active
355 355 Directory ::
356 356
357 357 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
358 358 Login Attribute = sAMAccountName
359 359 First Name Attribute = givenName
360 360 Last Name Attribute = sn
361 361 Email Attribute = mail
362 362
363 363 All other LDAP settings will likely be site-specific and should be
364 364 appropriately configured.
365 365
366 366
367 367 Authentication by container or reverse-proxy
368 368 --------------------------------------------
369 369
370 370 Kallithea supports delegating the authentication
371 371 of users to its WSGI container, or to a reverse-proxy server through which all
372 372 clients access the application.
373 373
374 374 When these authentication methods are enabled in Kallithea, it uses the
375 375 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
376 376 perform the authentication itself. The authorization, however, is still done by
377 377 Kallithea according to its settings.
378 378
379 379 When a user logs in for the first time using these authentication methods,
380 380 a matching user account is created in Kallithea with default permissions. An
381 381 administrator can then modify it using Kallithea's admin interface.
382 382
383 383 It's also possible for an administrator to create accounts and configure their
384 384 permissions before the user logs in for the first time, using the :ref:`create-user` API.
385 385
386 386 Container-based authentication
387 387 ''''''''''''''''''''''''''''''
388 388
389 389 In a container-based authentication setup, Kallithea reads the user name from
390 390 the ``REMOTE_USER`` server variable provided by the WSGI container.
391 391
392 392 After setting up your container (see `Apache with mod_wsgi`_), you'll need
393 393 to configure it to require authentication on the location configured for
394 394 Kallithea.
395 395
396 396 Proxy pass-through authentication
397 397 '''''''''''''''''''''''''''''''''
398 398
399 399 In a proxy pass-through authentication setup, Kallithea reads the user name
400 400 from the ``X-Forwarded-User`` request header, which should be configured to be
401 401 sent by the reverse-proxy server.
402 402
403 403 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
404 404 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
405 405 configure the authentication and add the username in a request header named
406 406 ``X-Forwarded-User``.
407 407
408 408 For example, the following config section for Apache sets a subdirectory in a
409 409 reverse-proxy setup with basic auth:
410 410
411 411 .. code-block:: apache
412 412
413 413 <Location /someprefix>
414 414 ProxyPass http://127.0.0.1:5000/someprefix
415 415 ProxyPassReverse http://127.0.0.1:5000/someprefix
416 416 SetEnvIf X-Url-Scheme https HTTPS=1
417 417
418 418 AuthType Basic
419 419 AuthName "Kallithea authentication"
420 420 AuthUserFile /srv/kallithea/.htpasswd
421 421 Require valid-user
422 422
423 423 RequestHeader unset X-Forwarded-User
424 424
425 425 RewriteEngine On
426 426 RewriteCond %{LA-U:REMOTE_USER} (.+)
427 427 RewriteRule .* - [E=RU:%1]
428 428 RequestHeader set X-Forwarded-User %{RU}e
429 429 </Location>
430 430
431 431 .. note::
432 432 If you enable proxy pass-through authentication, make sure your server is
433 433 only accessible through the proxy. Otherwise, any client would be able to
434 434 forge the authentication header and could effectively become authenticated
435 435 using any account of their liking.
436 436
437 437
438 438 Integration with issue trackers
439 439 -------------------------------
440 440
441 441 Kallithea provides a simple integration with issue trackers. It's possible
442 442 to define a regular expression that will match an issue ID in commit messages,
443 443 and have that replaced with a URL to the issue. To enable this simply
444 444 uncomment the following variables in the ini file::
445 445
446 446 issue_pat = (?:^#|\s#)(\w+)
447 447 issue_server_link = https://issues.example.com/{repo}/issue/{id}
448 448 issue_prefix = #
449 449
450 450 ``issue_pat`` is the regular expression describing which strings in
451 451 commit messages will be treated as issue references. A match group in
452 452 parentheses should be used to specify the actual issue id.
453 453
454 454 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
455 455
456 456 Matched issue references are replaced with the link specified in
457 457 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
458 458 ``{repo}`` with the repository name. Since the # is stripped away,
459 459 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
460 460 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
461 461 generate a URL in the format:
462 462
463 463 .. code-block:: html
464 464
465 465 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
466 466
467 467 If needed, more than one pattern can be specified by appending a unique suffix to
468 468 the variables. For example::
469 469
470 470 issue_pat_wiki = (?:wiki-)(.+)
471 471 issue_server_link_wiki = https://wiki.example.com/{id}
472 472 issue_prefix_wiki = WIKI-
473 473
474 474 With these settings, wiki pages can be referenced as wiki-some-id, and every
475 475 such reference will be transformed into:
476 476
477 477 .. code-block:: html
478 478
479 479 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
480 480
481 481
482 482 Hook management
483 483 ---------------
484 484
485 485 Hooks can be managed in similar way to that used in ``.hgrc`` files.
486 486 To manage hooks, choose *Admin > Settings > Hooks*.
487 487
488 488 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
489 489
490 490 To add another custom hook simply fill in the first textbox with
491 491 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
492 492 can be found in ``kallithea.lib.hooks``.
493 493
494 494
495 495 Changing default encoding
496 496 -------------------------
497 497
498 498 By default, Kallithea uses UTF-8 encoding.
499 499 This is configurable as ``default_encoding`` in the .ini file.
500 500 This affects many parts in Kallithea including user names, filenames, and
501 501 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
502 502 library is installed. If ``chardet`` is detected Kallithea will fallback to it
503 503 when there are encode/decode errors.
504 504
505 505
506 506 Celery configuration
507 507 --------------------
508 508
509 509 Kallithea can use the distributed task queue system Celery_ to run tasks like
510 510 cloning repositories or sending emails.
511 511
512 512 Kallithea will in most setups work perfectly fine out of the box (without
513 513 Celery), executing all tasks in the web server process. Some tasks can however
514 514 take some time to run and it can be better to run such tasks asynchronously in
515 515 a separate process so the web server can focus on serving web requests.
516 516
517 517 For installation and configuration of Celery, see the `Celery documentation`_.
518 518 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
519 519 or Redis_.
520 520
521 521 The use of Celery is configured in the Kallithea ini configuration file.
522 522 To enable it, simply set::
523 523
524 524 use_celery = true
525 525
526 526 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
527 527
528 528 Remember that the ini files use the format with '.' and not with '_' like
529 529 Celery. So for example setting `BROKER_HOST` in Celery means setting
530 530 `broker.host` in the configuration file.
531 531
532 532 To start the Celery process, run::
533 533
534 534 paster celeryd <configfile.ini>
535 535
536 536 .. note::
537 537 Make sure you run this command from the same virtualenv, and with the same
538 538 user that Kallithea runs.
539 539
540 540
541 541 HTTPS support
542 542 -------------
543 543
544 544 Kallithea will by default generate URLs based on the WSGI environment.
545 545
546 546 Alternatively, you can use some special configuration settings to control
547 547 directly which scheme/protocol Kallithea will use when generating URLs:
548 548
549 549 - With ``https_fixup = true``, the scheme will be taken from the
550 550 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
551 551 (default ``http``).
552 552 - With ``force_https = true`` the default will be ``https``.
553 553 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
554 554
555 555
556 556 Nginx virtual host example
557 557 --------------------------
558 558
559 559 Sample config for Nginx using proxy:
560 560
561 561 .. code-block:: nginx
562 562
563 563 upstream kallithea {
564 564 server 127.0.0.1:5000;
565 565 # add more instances for load balancing
566 566 #server 127.0.0.1:5001;
567 567 #server 127.0.0.1:5002;
568 568 }
569 569
570 570 ## gist alias
571 571 server {
572 572 listen 443;
573 573 server_name gist.example.com;
574 574 access_log /var/log/nginx/gist.access.log;
575 575 error_log /var/log/nginx/gist.error.log;
576 576
577 577 ssl on;
578 578 ssl_certificate gist.your.kallithea.server.crt;
579 579 ssl_certificate_key gist.your.kallithea.server.key;
580 580
581 581 ssl_session_timeout 5m;
582 582
583 583 ssl_protocols SSLv3 TLSv1;
584 584 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
585 585 ssl_prefer_server_ciphers on;
586 586
587 587 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
588 588 rewrite (.*) https://kallithea.example.com/_admin/gists;
589 589 }
590 590
591 591 server {
592 592 listen 443;
593 593 server_name kallithea.example.com
594 594 access_log /var/log/nginx/kallithea.access.log;
595 595 error_log /var/log/nginx/kallithea.error.log;
596 596
597 597 ssl on;
598 598 ssl_certificate your.kallithea.server.crt;
599 599 ssl_certificate_key your.kallithea.server.key;
600 600
601 601 ssl_session_timeout 5m;
602 602
603 603 ssl_protocols SSLv3 TLSv1;
604 604 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
605 605 ssl_prefer_server_ciphers on;
606 606
607 607 ## uncomment root directive if you want to serve static files by nginx
608 608 ## requires static_files = false in .ini file
609 609 #root /path/to/installation/kallithea/public;
610 610 include /etc/nginx/proxy.conf;
611 611 location / {
612 612 try_files $uri @kallithea;
613 613 }
614 614
615 615 location @kallithea {
616 616 proxy_pass http://127.0.0.1:5000;
617 617 }
618 618
619 619 }
620 620
621 621 Here's the proxy.conf. It's tuned so it will not timeout on long
622 622 pushes or large pushes::
623 623
624 624 proxy_redirect off;
625 625 proxy_set_header Host $host;
626 626 ## needed for container auth
627 627 #proxy_set_header REMOTE_USER $remote_user;
628 628 #proxy_set_header X-Forwarded-User $remote_user;
629 629 proxy_set_header X-Url-Scheme $scheme;
630 630 proxy_set_header X-Host $http_host;
631 631 proxy_set_header X-Real-IP $remote_addr;
632 632 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
633 633 proxy_set_header Proxy-host $proxy_host;
634 634 proxy_buffering off;
635 635 proxy_connect_timeout 7200;
636 636 proxy_send_timeout 7200;
637 637 proxy_read_timeout 7200;
638 638 proxy_buffers 8 32k;
639 639 client_max_body_size 1024m;
640 640 client_body_buffer_size 128k;
641 641 large_client_header_buffers 8 64k;
642 642
643 643
644 644 Apache virtual host reverse proxy example
645 645 -----------------------------------------
646 646
647 647 Here is a sample configuration file for Apache using proxy:
648 648
649 649 .. code-block:: apache
650 650
651 651 <VirtualHost *:80>
652 652 ServerName kallithea.example.com
653 653
654 654 <Proxy *>
655 655 # For Apache 2.4 and later:
656 656 Require all granted
657 657
658 658 # For Apache 2.2 and earlier, instead use:
659 659 # Order allow,deny
660 660 # Allow from all
661 661 </Proxy>
662 662
663 663 #important !
664 664 #Directive to properly generate url (clone url) for pylons
665 665 ProxyPreserveHost On
666 666
667 667 #kallithea instance
668 668 ProxyPass / http://127.0.0.1:5000/
669 669 ProxyPassReverse / http://127.0.0.1:5000/
670 670
671 671 #to enable https use line below
672 672 #SetEnvIf X-Url-Scheme https HTTPS=1
673 673 </VirtualHost>
674 674
675 675 Additional tutorial
676 676 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
677 677
678 678
679 679 Apache as subdirectory
680 680 ----------------------
681 681
682 682 Apache subdirectory part:
683 683
684 684 .. code-block:: apache
685 685
686 686 <Location /<someprefix> >
687 687 ProxyPass http://127.0.0.1:5000/<someprefix>
688 688 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
689 689 SetEnvIf X-Url-Scheme https HTTPS=1
690 690 </Location>
691 691
692 692 Besides the regular apache setup you will need to add the following line
693 693 into ``[app:main]`` section of your .ini file::
694 694
695 695 filter-with = proxy-prefix
696 696
697 697 Add the following at the end of the .ini file::
698 698
699 699 [filter:proxy-prefix]
700 700 use = egg:PasteDeploy#prefix
701 701 prefix = /<someprefix>
702 702
703 703 then change ``<someprefix>`` into your chosen prefix
704 704
705 705
706 706 Apache with mod_wsgi
707 707 --------------------
708 708
709 709 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
710 710 that, you'll need to:
711 711
712 712 - Install mod_wsgi. If using a Debian-based distro, you can install
713 713 the package libapache2-mod-wsgi::
714 714
715 715 aptitude install libapache2-mod-wsgi
716 716
717 717 - Enable mod_wsgi::
718 718
719 719 a2enmod wsgi
720 720
721 - Add global Apache configuration to tell mod_wsgi that Python only will be
722 used in the WSGI processes and shouldn't be initialized in the Apache
723 processes::
724
725 WSGIRestrictEmbedded On
726
721 727 - Create a wsgi dispatch script, like the one below. Make sure you
722 728 check that the paths correctly point to where you installed Kallithea
723 729 and its Python Virtual Environment.
724 730 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
725 731 as in the following example. Once again, check the paths are
726 732 correctly specified.
727 733
728 734 Here is a sample excerpt from an Apache Virtual Host configuration file:
729 735
730 736 .. code-block:: apache
731 737
732 738 WSGIDaemonProcess kallithea \
733 processes=1 threads=4 \
734 python-path=/srv/kallithea/venv/lib/python2.7/site-packages
739 threads=4 \
740 python-home=/srv/kallithea/venv
741 WSGIProcessGroup kallithea
735 742 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
736 743 WSGIPassAuthorization On
737 744
738 745 Or if using a dispatcher WSGI script with proper virtualenv activation:
739 746
740 747 .. code-block:: apache
741 748
742 WSGIDaemonProcess kallithea processes=1 threads=4
749 WSGIDaemonProcess kallithea threads=4
750 WSGIProcessGroup kallithea
743 751 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
744 752 WSGIPassAuthorization On
745 753
746 .. note::
747 When running apache as root, please make sure it doesn't run Kallithea as
748 root, for examply by adding: ``user=www-data group=www-data`` to the configuration.
754 Apache will by default run as a special Apache user, on Linux systems
755 usually ``www-data`` or ``apache``. If you need to have the repositories
756 directory owned by a different user, use the user and group options to
757 WSGIDaemonProcess to set the name of the user and group. """
749 758
750 759 .. note::
751 760 If running Kallithea in multiprocess mode,
752 761 make sure you set ``instance_id = *`` in the configuration so each process
753 762 gets it's own cache invalidation key.
754 763
755 764 Example WSGI dispatch script:
756 765
757 766 .. code-block:: python
758 767
759 768 import os
760 769 os.environ["HGENCODING"] = "UTF-8"
761 770 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
762 771
763 772 # sometimes it's needed to set the curent dir
764 773 os.chdir('/srv/kallithea/')
765 774
766 775 import site
767 776 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
768 777
769 from paste.deploy import loadapp
778 ini = '/srv/kallithea/my.ini'
770 779 from paste.script.util.logging_config import fileConfig
771
772 fileConfig('/srv/kallithea/my.ini')
773 application = loadapp('config:/srv/kallithea/my.ini')
780 fileConfig(ini)
781 from paste.deploy import loadapp
782 application = loadapp('config:' + ini)
774 783
775 784 Or using proper virtualenv activation:
776 785
777 786 .. code-block:: python
778 787
779 788 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
780 789 execfile(activate_this, dict(__file__=activate_this))
781 790
782 791 import os
783 792 os.environ['HOME'] = '/srv/kallithea'
784 793
785 794 ini = '/srv/kallithea/kallithea.ini'
786 795 from paste.script.util.logging_config import fileConfig
787 796 fileConfig(ini)
788 797 from paste.deploy import loadapp
789 798 application = loadapp('config:' + ini)
790 799
791 800
792 801 Other configuration files
793 802 -------------------------
794 803
795 804 A number of `example init.d scripts`__ can be found in
796 805 the ``init.d`` directory of the Kallithea source.
797 806
798 807 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
799 808
800 809
801 810 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
802 811 .. _python: http://www.python.org/
803 812 .. _Mercurial: http://mercurial.selenic.com/
804 813 .. _Celery: http://celeryproject.org/
805 814 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
806 815 .. _RabbitMQ: http://www.rabbitmq.com/
807 816 .. _Redis: http://redis.io/
808 817 .. _python-ldap: http://www.python-ldap.org/
809 818 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
810 819 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
General Comments 0
You need to be logged in to leave comments. Login now