upstream/kallithea Commit - r6298:9c6f7178

1

.. _setup:

1

.. _setup:

2

3

=====

3

=====

4

Setup

4

Setup

5

=====

5

=====

6

7

8

Setting up Kallithea

8

Setting up Kallithea

9

--------------------

9

--------------------

10

11

First, you will need to create a Kallithea configuration file. Run the

11

First, you will need to create a Kallithea configuration file. Run the

12

following command to do so::

12

following command to do so::

13

14

paster make-config Kallithea my.ini

14

paster make-config Kallithea my.ini

15

16

This will create the file ``my.ini`` in the current directory. This

16

This will create the file ``my.ini`` in the current directory. This

17

configuration file contains the various settings for Kallithea, e.g.

17

configuration file contains the various settings for Kallithea, e.g.

18

proxy port, email settings, usage of static files, cache, Celery

18

proxy port, email settings, usage of static files, cache, Celery

19

settings, and logging.

19

settings, and logging.

20

21

Next, you need to create the databases used by Kallithea. It is recommended to

21

Next, you need to create the databases used by Kallithea. It is recommended to

22

use PostgreSQL or SQLite (default). If you choose a database other than the

22

use PostgreSQL or SQLite (default). If you choose a database other than the

23

default, ensure you properly adjust the database URL in your ``my.ini``

23

default, ensure you properly adjust the database URL in your ``my.ini``

24

configuration file to use this other database. Kallithea currently supports

24

configuration file to use this other database. Kallithea currently supports

25

PostgreSQL, SQLite and MySQL databases. Create the database by running

25

PostgreSQL, SQLite and MySQL databases. Create the database by running

26

the following command::

26

the following command::

27

28

paster setup-db my.ini

28

paster setup-db my.ini

29

30

This will prompt you for a "root" path. This "root" path is the location where

30

This will prompt you for a "root" path. This "root" path is the location where

31

Kallithea will store all of its repositories on the current machine. After

31

Kallithea will store all of its repositories on the current machine. After

32

entering this "root" path ``setup-db`` will also prompt you for a username

32

entering this "root" path ``setup-db`` will also prompt you for a username

33

and password for the initial admin account which ``setup-db`` sets

33

and password for the initial admin account which ``setup-db`` sets

34

up for you.

34

up for you.

35

36

The ``setup-db`` values can also be given on the command line.

36

The ``setup-db`` values can also be given on the command line.

37

Example::

37

Example::

38

39

paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos

39

paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos

40

41

The ``setup-db`` command will create all needed tables and an

41

The ``setup-db`` command will create all needed tables and an

42

admin account. When choosing a root path you can either use a new

42

admin account. When choosing a root path you can either use a new

43

empty location, or a location which already contains existing

43

empty location, or a location which already contains existing

44

repositories. If you choose a location which contains existing

44

repositories. If you choose a location which contains existing

45

repositories Kallithea will add all of the repositories at the chosen

45

repositories Kallithea will add all of the repositories at the chosen

46

location to its database. (Note: make sure you specify the correct

46

location to its database. (Note: make sure you specify the correct

47

path to the root).

47

path to the root).

48

49

.. note:: the given path for Mercurial_ repositories **must** be write

49

.. note:: the given path for Mercurial_ repositories **must** be write

50

accessible for the application. It's very important since

50

accessible for the application. It's very important since

51

the Kallithea web interface will work without write access,

51

the Kallithea web interface will work without write access,

52

but when trying to do a push it will fail with permission

52

but when trying to do a push it will fail with permission

53

denied errors unless it has write access.

53

denied errors unless it has write access.

54

55

You are now ready to use Kallithea. To run it simply execute::

55

You are now ready to use Kallithea. To run it simply execute::

56

57

paster serve my.ini

57

paster serve my.ini

58

59

- This command runs the Kallithea server. The web app should be available at

59

- This command runs the Kallithea server. The web app should be available at

60

http://127.0.0.1:5000. The IP address and port is configurable via the

60

http://127.0.0.1:5000. The IP address and port is configurable via the

61

configuration file created in the previous step.

61

configuration file created in the previous step.

62

- Log in to Kallithea using the admin account created when running ``setup-db``.

62

- Log in to Kallithea using the admin account created when running ``setup-db``.

63

- The default permissions on each repository is read, and the owner is admin.

63

- The default permissions on each repository is read, and the owner is admin.

64

Remember to update these if needed.

64

Remember to update these if needed.

65

- In the admin panel you can toggle LDAP, anonymous, and permissions

65

- In the admin panel you can toggle LDAP, anonymous, and permissions

66

settings, as well as edit more advanced options on users and

66

settings, as well as edit more advanced options on users and

67

repositories.

67

repositories.

68

69

70

Using Kallithea with SSH

70

Using Kallithea with SSH

71

------------------------

71

------------------------

72

73

Kallithea currently only hosts repositories using http and https. (The addition

73

Kallithea currently only hosts repositories using http and https. (The addition

74

of ssh hosting is a planned future feature.) However you can easily use ssh in

74

of ssh hosting is a planned future feature.) However you can easily use ssh in

75

parallel with Kallithea. (Repository access via ssh is a standard "out of

75

parallel with Kallithea. (Repository access via ssh is a standard "out of

76

the box" feature of Mercurial_ and you can use this to access any of the

76

the box" feature of Mercurial_ and you can use this to access any of the

77

repositories that Kallithea is hosting. See PublishingRepositories_)

77

repositories that Kallithea is hosting. See PublishingRepositories_)

78

79

Kallithea repository structures are kept in directories with the same name

79

Kallithea repository structures are kept in directories with the same name

80

as the project. When using repository groups, each group is a subdirectory.

80

as the project. When using repository groups, each group is a subdirectory.

81

This allows you to easily use ssh for accessing repositories.

81

This allows you to easily use ssh for accessing repositories.

82

83

In order to use ssh you need to make sure that your web server and the users'

83

In order to use ssh you need to make sure that your web server and the users'

84

login accounts have the correct permissions set on the appropriate directories.

84

login accounts have the correct permissions set on the appropriate directories.

85

86

.. note:: These permissions are independent of any permissions you

86

.. note:: These permissions are independent of any permissions you

87

have set up using the Kallithea web interface.

87

have set up using the Kallithea web interface.

88

89

If your main directory (the same as set in Kallithea settings) is for

89

If your main directory (the same as set in Kallithea settings) is for

90

example set to ``/srv/repos`` and the repository you are using is

90

example set to ``/srv/repos`` and the repository you are using is

91

named ``kallithea``, then to clone via ssh you should run::

91

named ``kallithea``, then to clone via ssh you should run::

92

93

hg clone ssh://user@kallithea.example.com/srv/repos/kallithea

93

hg clone ssh://user@kallithea.example.com/srv/repos/kallithea

94

95

Using other external tools such as mercurial-server_ or using ssh key-based

95

Using other external tools such as mercurial-server_ or using ssh key-based

96

authentication is fully supported.

96

authentication is fully supported.

97

98

.. note:: In an advanced setup, in order for your ssh access to use

98

.. note:: In an advanced setup, in order for your ssh access to use

99

the same permissions as set up via the Kallithea web

99

the same permissions as set up via the Kallithea web

100

interface, you can create an authentication hook to connect

100

interface, you can create an authentication hook to connect

101

to the Kallithea db and run check functions for permissions

101

to the Kallithea db and run check functions for permissions

102

against that.

102

against that.

103

104

105

Setting up Whoosh full text search

105

Setting up Whoosh full text search

106

----------------------------------

106

----------------------------------

107

108

Kallithea provides full text search of repositories using `Whoosh`__.

108

Kallithea provides full text search of repositories using `Whoosh`__.

109

110

.. __: https://pythonhosted.org/Whoosh/

110

.. __: https://pythonhosted.org/Whoosh/

111

112

For an incremental index build, run::

112

For an incremental index build, run::

113

114

paster make-index my.ini

114

paster make-index my.ini

115

116

For a full index rebuild, run::

116

For a full index rebuild, run::

117

118

paster make-index my.ini -f

118

paster make-index my.ini -f

119

120

The ``--repo-location`` option allows the location of the repositories to be overridden;

120

The ``--repo-location`` option allows the location of the repositories to be overridden;

121

usually, the location is retrieved from the Kallithea database.

121

usually, the location is retrieved from the Kallithea database.

122

123

The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::

123

The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::

124

125

paster make-index my.ini --index-only=vcs,kallithea

125

paster make-index my.ini --index-only=vcs,kallithea

126

127

To keep your index up-to-date it is necessary to do periodic index builds;

127

To keep your index up-to-date it is necessary to do periodic index builds;

128

for this, it is recommended to use a crontab entry. Example::

128

for this, it is recommended to use a crontab entry. Example::

129

130

0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini

130

0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini

131

132

When using incremental mode (the default), Whoosh will check the last

132

When using incremental mode (the default), Whoosh will check the last

133

modification date of each file and add it to be reindexed if a newer file is

133

modification date of each file and add it to be reindexed if a newer file is

134

available. The indexing daemon checks for any removed files and removes them

134

available. The indexing daemon checks for any removed files and removes them

135

from index.

135

from index.

136

137

If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,

137

If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,

138

or in the admin panel you can check the "build from scratch" checkbox.

138

or in the admin panel you can check the "build from scratch" checkbox.

139

140

.. _ldap-setup:

140

.. _ldap-setup:

141

142

143

Setting up LDAP support

143

Setting up LDAP support

144

-----------------------

144

-----------------------

145

146

Kallithea supports LDAP authentication. In order

146

Kallithea supports LDAP authentication. In order

147

to use LDAP, you have to install the python-ldap_ package. This package is

147

to use LDAP, you have to install the python-ldap_ package. This package is

148

available via PyPI, so you can install it by running::

148

available via PyPI, so you can install it by running::

149

150

pip install python-ldap

150

pip install python-ldap

151

152

.. note:: ``python-ldap`` requires some libraries to be installed on

152

.. note:: ``python-ldap`` requires some libraries to be installed on

153

your system, so before installing it check that you have at

153

your system, so before installing it check that you have at

154

least the ``openldap`` and ``sasl`` libraries.

154

least the ``openldap`` and ``sasl`` libraries.

155

156

Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button

156

Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button

157

and then *Save*, to enable the LDAP plugin and configure its settings.

157

and then *Save*, to enable the LDAP plugin and configure its settings.

158

159

Here's a typical LDAP setup::

159

Here's a typical LDAP setup::

160

161

Connection settings

161

Connection settings

162

Enable LDAP = checked

162

Enable LDAP = checked

163

Host = host.example.com

163

Host = host.example.com

164

Account = <account>

164

Account = <account>

165

Password = <password>

165

Password = <password>

166

Connection Security = LDAPS connection

166

Connection Security = LDAPS connection

167

Certificate Checks = DEMAND

167

Certificate Checks = DEMAND

168

169

Search settings

169

Search settings

170

Base DN = CN=users,DC=host,DC=example,DC=org

170

Base DN = CN=users,DC=host,DC=example,DC=org

171

LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))

171

LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))

172

LDAP Search Scope = SUBTREE

172

LDAP Search Scope = SUBTREE

173

174

Attribute mappings

174

Attribute mappings

175

Login Attribute = uid

175

Login Attribute = uid

176

First Name Attribute = firstName

176

First Name Attribute = firstName

177

Last Name Attribute = lastName

177

Last Name Attribute = lastName

178

Email Attribute = mail

178

Email Attribute = mail

179

180

If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::

180

If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::

181

182

Search settings

182

Search settings

183

Base DN = DC=host,DC=example,DC=org

183

Base DN = DC=host,DC=example,DC=org

184

LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))

184

LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))

185

LDAP Search Scope = SUBTREE

185

LDAP Search Scope = SUBTREE

186

187

.. _enable_ldap:

187

.. _enable_ldap:

188

189

Enable LDAP : required

189

Enable LDAP : required

190

Whether to use LDAP for authenticating users.

190

Whether to use LDAP for authenticating users.

191

192

.. _ldap_host:

192

.. _ldap_host:

193

194

Host : required

194

Host : required

195

LDAP server hostname or IP address. Can be also a comma separated

195

LDAP server hostname or IP address. Can be also a comma separated

196

list of servers to support LDAP fail-over.

196

list of servers to support LDAP fail-over.

197

198

.. _Port:

198

.. _Port:

199

200

Port : optional

200

Port : optional

201

Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.

201

Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.

202

Defaults to 636 for LDAPS.

202

Defaults to 636 for LDAPS.

203

204

.. _ldap_account:

204

.. _ldap_account:

205

206

Account : optional

206

Account : optional

207

Only required if the LDAP server does not allow anonymous browsing of

207

Only required if the LDAP server does not allow anonymous browsing of

208

records. This should be a special account for record browsing. This

208

records. This should be a special account for record browsing. This

209

will require `LDAP Password`_ below.

209

will require `LDAP Password`_ below.

210

211

.. _LDAP Password:

211

.. _LDAP Password:

212

213

Password : optional

213

Password : optional

214

Only required if the LDAP server does not allow anonymous browsing of

214

Only required if the LDAP server does not allow anonymous browsing of

215

records.

215

records.

216

217

.. _Enable LDAPS:

217

.. _Enable LDAPS:

218

219

Connection Security : required

219

Connection Security : required

220

Defines the connection to LDAP server

220

Defines the connection to LDAP server

221

222

PLAIN

222

PLAIN

223

Plain unencrypted LDAP connection.

223

Plain unencrypted LDAP connection.

224

This will by default use `Port`_ 389.

224

This will by default use `Port`_ 389.

225

226

LDAPS

226

LDAPS

227

Use secure LDAPS connections according to `Certificate

227

Use secure LDAPS connections according to `Certificate

228

Checks`_ configuration.

228

Checks`_ configuration.

229

This will by default use `Port`_ 636.

229

This will by default use `Port`_ 636.

230

231

START_TLS

231

START_TLS

232

Use START TLS according to `Certificate Checks`_ configuration on an

232

Use START TLS according to `Certificate Checks`_ configuration on an

233

apparently "plain" LDAP connection.

233

apparently "plain" LDAP connection.

234

This will by default use `Port`_ 389.

234

This will by default use `Port`_ 389.

235

236

.. _Certificate Checks:

236

.. _Certificate Checks:

237

238

Certificate Checks : optional

238

Certificate Checks : optional

239

How SSL certificates verification is handled -- this is only useful when

239

How SSL certificates verification is handled -- this is only useful when

240

`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security

240

`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security

241

with mandatory certificate validation, while the other options are

241

with mandatory certificate validation, while the other options are

242

susceptible to man-in-the-middle attacks.

242

susceptible to man-in-the-middle attacks.

243

244

NEVER

244

NEVER

245

A serve certificate will never be requested or checked.

245

A serve certificate will never be requested or checked.

246

247

ALLOW

247

ALLOW

248

A server certificate is requested. Failure to provide a

248

A server certificate is requested. Failure to provide a

249

certificate or providing a bad certificate will not terminate the

249

certificate or providing a bad certificate will not terminate the

250

session.

250

session.

251

252

TRY

252

TRY

253

A server certificate is requested. Failure to provide a

253

A server certificate is requested. Failure to provide a

254

certificate does not halt the session; providing a bad certificate

254

certificate does not halt the session; providing a bad certificate

255

halts the session.

255

halts the session.

256

257

DEMAND

257

DEMAND

258

A server certificate is requested and must be provided and

258

A server certificate is requested and must be provided and

259

authenticated for the session to proceed.

259

authenticated for the session to proceed.

260

261

HARD

261

HARD

262

The same as DEMAND.

262

The same as DEMAND.

263

264

.. _Custom CA Certificates:

264

.. _Custom CA Certificates:

265

266

Custom CA Certificates : optional

266

Custom CA Certificates : optional

267

Directory used by OpenSSL to find CAs for validating the LDAP server certificate.

267

Directory used by OpenSSL to find CAs for validating the LDAP server certificate.

268

Python 2.7.10 and later default to using the system certificate store, and

268

Python 2.7.10 and later default to using the system certificate store, and

269

this should thus not be necessary when using certificates signed by a CA

269

this should thus not be necessary when using certificates signed by a CA

270

trusted by the system.

270

trusted by the system.

271

It can be set to something like `/etc/openldap/cacerts` on older systems or

271

It can be set to something like `/etc/openldap/cacerts` on older systems or

272

if using self-signed certificates.

272

if using self-signed certificates.

273

274

.. _Base DN:

274

.. _Base DN:

275

276

Base DN : required

276

Base DN : required

277

The Distinguished Name (DN) where searches for users will be performed.

277

The Distinguished Name (DN) where searches for users will be performed.

278

Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.

278

Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.

279

280

.. _LDAP Filter:

280

.. _LDAP Filter:

281

282

LDAP Filter : optional

282

LDAP Filter : optional

283

A LDAP filter defined by RFC 2254. This is more useful when `LDAP

283

A LDAP filter defined by RFC 2254. This is more useful when `LDAP

284

Search Scope`_ is set to SUBTREE. The filter is useful for limiting

284

Search Scope`_ is set to SUBTREE. The filter is useful for limiting

285

which LDAP objects are identified as representing Users for

285

which LDAP objects are identified as representing Users for

286

authentication. The filter is augmented by `Login Attribute`_ below.

286

authentication. The filter is augmented by `Login Attribute`_ below.

287

This can commonly be left blank.

287

This can commonly be left blank.

288

289

.. _LDAP Search Scope:

289

.. _LDAP Search Scope:

290

291

LDAP Search Scope : required

291

LDAP Search Scope : required

292

This limits how far LDAP will search for a matching object.

292

This limits how far LDAP will search for a matching object.

293

294

BASE

294

BASE

295

Only allows searching of `Base DN`_ and is usually not what you

295

Only allows searching of `Base DN`_ and is usually not what you

296

want.

296

want.

297

298

ONELEVEL

298

ONELEVEL

299

Searches all entries under `Base DN`_, but not Base DN itself.

299

Searches all entries under `Base DN`_, but not Base DN itself.

300

301

SUBTREE

301

SUBTREE

302

Searches all entries below `Base DN`_, but not Base DN itself.

302

Searches all entries below `Base DN`_, but not Base DN itself.

303

When using SUBTREE `LDAP Filter`_ is useful to limit object

303

When using SUBTREE `LDAP Filter`_ is useful to limit object

304

location.

304

location.

305

306

.. _Login Attribute:

306

.. _Login Attribute:

307

308

Login Attribute : required

308

Login Attribute : required

309

The LDAP record attribute that will be matched as the USERNAME or

309

The LDAP record attribute that will be matched as the USERNAME or

310

ACCOUNT used to connect to Kallithea. This will be added to `LDAP

310

ACCOUNT used to connect to Kallithea. This will be added to `LDAP

311

Filter`_ for locating the User object. If `LDAP Filter`_ is specified as

311

Filter`_ for locating the User object. If `LDAP Filter`_ is specified as

312

"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has

312

"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has

313

connected as "jsmith" then the `LDAP Filter`_ will be augmented as below

313

connected as "jsmith" then the `LDAP Filter`_ will be augmented as below

314

::

314

::

315

316

(&(LDAPFILTER)(uid=jsmith))

316

(&(LDAPFILTER)(uid=jsmith))

317

318

.. _ldap_attr_firstname:

318

.. _ldap_attr_firstname:

319

320

First Name Attribute : required

320

First Name Attribute : required

321

The LDAP record attribute which represents the user's first name.

321

The LDAP record attribute which represents the user's first name.

322

323

.. _ldap_attr_lastname:

323

.. _ldap_attr_lastname:

324

325

Last Name Attribute : required

325

Last Name Attribute : required

326

The LDAP record attribute which represents the user's last name.

326

The LDAP record attribute which represents the user's last name.

327

328

.. _ldap_attr_email:

328

.. _ldap_attr_email:

329

330

Email Attribute : required

330

Email Attribute : required

331

The LDAP record attribute which represents the user's email address.

331

The LDAP record attribute which represents the user's email address.

332

333

If all data are entered correctly, and python-ldap_ is properly installed

333

If all data are entered correctly, and python-ldap_ is properly installed

334

users should be granted access to Kallithea with LDAP accounts. At this

334

users should be granted access to Kallithea with LDAP accounts. At this

335

time user information is copied from LDAP into the Kallithea user database.

335

time user information is copied from LDAP into the Kallithea user database.

336

This means that updates of an LDAP user object may not be reflected as a

336

This means that updates of an LDAP user object may not be reflected as a

337

user update in Kallithea.

337

user update in Kallithea.

338

339

If You have problems with LDAP access and believe You entered correct

339

If You have problems with LDAP access and believe You entered correct

340

information check out the Kallithea logs, any error messages sent from LDAP

340

information check out the Kallithea logs, any error messages sent from LDAP

341

will be saved there.

341

will be saved there.

342

343

Active Directory

343

Active Directory

344

^^^^^^^^^^^^^^^^

344

^^^^^^^^^^^^^^^^

345

346

Kallithea can use Microsoft Active Directory for user authentication. This

346

Kallithea can use Microsoft Active Directory for user authentication. This

347

is done through an LDAP or LDAPS connection to Active Directory. The

347

is done through an LDAP or LDAPS connection to Active Directory. The

348

following LDAP configuration settings are typical for using Active

348

following LDAP configuration settings are typical for using Active

349

Directory ::

349

Directory ::

350

351

Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local

351

Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local

352

Login Attribute = sAMAccountName

352

Login Attribute = sAMAccountName

353

First Name Attribute = givenName

353

First Name Attribute = givenName

354

Last Name Attribute = sn

354

Last Name Attribute = sn

355

Email Attribute = mail

355

Email Attribute = mail

356

357

All other LDAP settings will likely be site-specific and should be

357

All other LDAP settings will likely be site-specific and should be

358

appropriately configured.

358

appropriately configured.

359

360

361

Authentication by container or reverse-proxy

361

Authentication by container or reverse-proxy

362

--------------------------------------------

362

--------------------------------------------

363

364

Kallithea supports delegating the authentication

364

Kallithea supports delegating the authentication

365

of users to its WSGI container, or to a reverse-proxy server through which all

365

of users to its WSGI container, or to a reverse-proxy server through which all

366

clients access the application.

366

clients access the application.

367

368

When these authentication methods are enabled in Kallithea, it uses the

368

When these authentication methods are enabled in Kallithea, it uses the

369

username that the container/proxy (Apache or Nginx, etc.) provides and doesn't

369

username that the container/proxy (Apache or Nginx, etc.) provides and doesn't

370

perform the authentication itself. The authorization, however, is still done by

370

perform the authentication itself. The authorization, however, is still done by

371

Kallithea according to its settings.

371

Kallithea according to its settings.

372

373

When a user logs in for the first time using these authentication methods,

373

When a user logs in for the first time using these authentication methods,

374

a matching user account is created in Kallithea with default permissions. An

374

a matching user account is created in Kallithea with default permissions. An

375

administrator can then modify it using Kallithea's admin interface.

375

administrator can then modify it using Kallithea's admin interface.

376

377

It's also possible for an administrator to create accounts and configure their

377

It's also possible for an administrator to create accounts and configure their

378

permissions before the user logs in for the first time, using the :ref:`create-user` API.

378

permissions before the user logs in for the first time, using the :ref:`create-user` API.

379

380

Container-based authentication

380

Container-based authentication

381

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

381

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

382

383

In a container-based authentication setup, Kallithea reads the user name from

383

In a container-based authentication setup, Kallithea reads the user name from

384

the ``REMOTE_USER`` server variable provided by the WSGI container.

384

the ``REMOTE_USER`` server variable provided by the WSGI container.

385

386

After setting up your container (see `Apache with mod_wsgi`_), you'll need

386

After setting up your container (see `Apache with mod_wsgi`_), you'll need

387

to configure it to require authentication on the location configured for

387

to configure it to require authentication on the location configured for

388

Kallithea.

388

Kallithea.

389

390

Proxy pass-through authentication

390

Proxy pass-through authentication

391

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

391

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

392

393

In a proxy pass-through authentication setup, Kallithea reads the user name

393

In a proxy pass-through authentication setup, Kallithea reads the user name

394

from the ``X-Forwarded-User`` request header, which should be configured to be

394

from the ``X-Forwarded-User`` request header, which should be configured to be

395

sent by the reverse-proxy server.

395

sent by the reverse-proxy server.

396

397

After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,

397

After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,

398

`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to

398

`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to

399

configure the authentication and add the username in a request header named

399

configure the authentication and add the username in a request header named

400

``X-Forwarded-User``.

400

``X-Forwarded-User``.

401

402

For example, the following config section for Apache sets a subdirectory in a

402

For example, the following config section for Apache sets a subdirectory in a

403

reverse-proxy setup with basic auth:

403

reverse-proxy setup with basic auth:

404

405

.. code-block:: apache

405

.. code-block:: apache

406

407

407

408

ProxyPass http://127.0.0.1:5000/someprefix

408

ProxyPass http://127.0.0.1:5000/someprefix

409

ProxyPassReverse http://127.0.0.1:5000/someprefix

409

ProxyPassReverse http://127.0.0.1:5000/someprefix

410

SetEnvIf X-Url-Scheme https HTTPS=1

410

SetEnvIf X-Url-Scheme https HTTPS=1

411

412

AuthType Basic

412

AuthType Basic

413

AuthName "Kallithea authentication"

413

AuthName "Kallithea authentication"

414

AuthUserFile /srv/kallithea/.htpasswd

414

AuthUserFile /srv/kallithea/.htpasswd

415

Require valid-user

415

Require valid-user

416

417

RequestHeader unset X-Forwarded-User

417

RequestHeader unset X-Forwarded-User

418

419

RewriteEngine On

419

RewriteEngine On

420

RewriteCond %{LA-U:REMOTE_USER} (.+)

420

RewriteCond %{LA-U:REMOTE_USER} (.+)

421

RewriteRule .* - [E=RU:%1]

421

RewriteRule .* - [E=RU:%1]

422

RequestHeader set X-Forwarded-User %{RU}e

422

RequestHeader set X-Forwarded-User %{RU}e

423

</Location>

423

</Location>

424

425

Setting metadata in container/reverse-proxy

425

Setting metadata in container/reverse-proxy

426

"""""""""""""""""""""""""""""""""""""""""""

426

"""""""""""""""""""""""""""""""""""""""""""

427

When a new user account is created on the first login, Kallithea has no information about

427

When a new user account is created on the first login, Kallithea has no information about

428

the user's email and full name. So you can set some additional request headers like in the

428

the user's email and full name. So you can set some additional request headers like in the

429

example below. In this example the user is authenticated via Kerberos and an Apache

429

example below. In this example the user is authenticated via Kerberos and an Apache

430

mod_python fixup handler is used to get the user information from a LDAP server. But you

430

mod_python fixup handler is used to get the user information from a LDAP server. But you

431

could set the request headers however you want.

431

could set the request headers however you want.

432

433

.. code-block:: apache

433

.. code-block:: apache

434

435

435

436

ProxyPass http://127.0.0.1:5000/someprefix

436

ProxyPass http://127.0.0.1:5000/someprefix

437

ProxyPassReverse http://127.0.0.1:5000/someprefix

437

ProxyPassReverse http://127.0.0.1:5000/someprefix

438

SetEnvIf X-Url-Scheme https HTTPS=1

438

SetEnvIf X-Url-Scheme https HTTPS=1

439

440

AuthName "Kerberos Login"

440

AuthName "Kerberos Login"

441

AuthType Kerberos

441

AuthType Kerberos

442

Krb5Keytab /etc/apache2/http.keytab

442

Krb5Keytab /etc/apache2/http.keytab

443

KrbMethodK5Passwd off

443

KrbMethodK5Passwd off

444

KrbVerifyKDC on

444

KrbVerifyKDC on

445

Require valid-user

445

Require valid-user

446

447

PythonFixupHandler ldapmetadata

447

PythonFixupHandler ldapmetadata

448

449

RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e

449

RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e

450

RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e

450

RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e

451

RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e

451

RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e

452

RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e

452

RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e

453

</Location>

453

</Location>

454

455

.. code-block:: python

455

.. code-block:: python

456

457

from mod_python import apache

457

from mod_python import apache

458

import ldap

458

import ldap

459

460

LDAP_SERVER = "ldap://server.mydomain.com:389"

460

LDAP_SERVER = "ldap://server.mydomain.com:389"

461

LDAP_USER = ""

461

LDAP_USER = ""

462

LDAP_PASS = ""

462

LDAP_PASS = ""

463

LDAP_ROOT = "dc=mydomain,dc=com"

463

LDAP_ROOT = "dc=mydomain,dc=com"

464

LDAP_FILTER = "sAMAccountName=%s"

464

LDAP_FILTER = "sAMAccountName=%s"

465

LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']

465

LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']

466

467

def fixuphandler(req):

467

def fixuphandler(req):

468

if req.user is None:

468

if req.user is None:

469

# no user to search for

469

# no user to search for

470

return apache.OK

470

return apache.OK

471

else:

471

else:

472

try:

472

try:

473

if('\\' in req.user):

473

if('\\' in req.user):

474

username = req.user.split('\\')[1]

474

username = req.user.split('\\')[1]

475

elif('@' in req.user):

475

elif('@' in req.user):

476

username = req.user.split('@')[0]

476

username = req.user.split('@')[0]

477

else:

477

else:

478

username = req.user

478

username = req.user

479

l = ldap.initialize(LDAP_SERVER)

479

l = ldap.initialize(LDAP_SERVER)

480

l.simple_bind_s(LDAP_USER, LDAP_PASS)

480

l.simple_bind_s(LDAP_USER, LDAP_PASS)

481

r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)

481

r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)

482

483

req.subprocess_env['X_REMOTE_USER'] = username

483

req.subprocess_env['X_REMOTE_USER'] = username

484

req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()

484

req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()

485

req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]

485

req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]

486

req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]

486

req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]

487

except Exception, e:

487

except Exception, e:

488

apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)

488

apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)

489

490

return apache.OK

490

return apache.OK

491

492

.. note::

492

.. note::

493

If you enable proxy pass-through authentication, make sure your server is

493

If you enable proxy pass-through authentication, make sure your server is

494

only accessible through the proxy. Otherwise, any client would be able to

494

only accessible through the proxy. Otherwise, any client would be able to

495

forge the authentication header and could effectively become authenticated

495

forge the authentication header and could effectively become authenticated

496

using any account of their liking.

496

using any account of their liking.

497

498

499

Integration with issue trackers

499

Integration with issue trackers

500

-------------------------------

500

-------------------------------

501

502

Kallithea provides a simple integration with issue trackers. It's possible

502

Kallithea provides a simple integration with issue trackers. It's possible

503

to define a regular expression that will match an issue ID in commit messages,

503

to define a regular expression that will match an issue ID in commit messages,

504

and have that replaced with a URL to the issue. To enable this simply

504

and have that replaced with a URL to the issue. To enable this simply

505

uncomment the following variables in the ini file::

505

uncomment the following variables in the ini file::

506

507

issue_pat = (?:^#|\s#)(\w+)

507

issue_pat = (?:^#|\s#)(\w+)

508

issue_server_link = https://issues.example.com/{repo}/issue/{id}

508

issue_server_link = https://issues.example.com/{repo}/issue/{id}

509

issue_prefix = #

509

issue_prefix = #

510

511

``issue_pat`` is the regular expression describing which strings in

511

``issue_pat`` is the regular expression describing which strings in

512

commit messages will be treated as issue references. A match group in

512

commit messages will be treated as issue references. A match group in

513

parentheses should be used to specify the actual issue id.

513

parentheses should be used to specify the actual issue id.

514

515

The default expression matches issues in the format ``#<number>``, e.g., ``#300``.

515

The default expression matches issues in the format ``#<number>``, e.g., ``#300``.

516

517

Matched issue references are replaced with the link specified in

517

Matched issue references are replaced with the link specified in

518

``issue_server_link``. ``{id}`` is replaced with the issue ID, and

518

``issue_server_link``. ``{id}`` is replaced with the issue ID, and

519

``{repo}`` with the repository name. Since the # is stripped away,

519

``{repo}`` with the repository name. Since the # is stripped away,

520

``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't

520

``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't

521

necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will

521

necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will

522

generate a URL in the format:

522

generate a URL in the format:

523

524

.. code-block:: html

524

.. code-block:: html

525

526

<a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>

526

<a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>

527

528

If needed, more than one pattern can be specified by appending a unique suffix to

528

If needed, more than one pattern can be specified by appending a unique suffix to

529

the variables. For example::

529

the variables. For example::

530

531

issue_pat_wiki = (?:wiki-)(.+)

531

issue_pat_wiki = (?:wiki-)(.+)

532

issue_server_link_wiki = https://wiki.example.com/{id}

532

issue_server_link_wiki = https://wiki.example.com/{id}

533

issue_prefix_wiki = WIKI-

533

issue_prefix_wiki = WIKI-

534

535

With these settings, wiki pages can be referenced as wiki-some-id, and every

535

With these settings, wiki pages can be referenced as wiki-some-id, and every

536

such reference will be transformed into:

536

such reference will be transformed into:

537

538

.. code-block:: html

538

.. code-block:: html

539

540

540

541

542

543

Hook management

543

Hook management

544

---------------

544

---------------

545

546

Hooks can be managed in similar way to that used in ``.hgrc`` files.

546

Hooks can be managed in similar way to that used in ``.hgrc`` files.

547

To manage hooks, choose *Admin > Settings > Hooks*.

547

To manage hooks, choose *Admin > Settings > Hooks*.

548

549

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

549

The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.

550

551

To add another custom hook simply fill in the first textbox with

551

To add another custom hook simply fill in the first textbox with

552

``<name>.<hook_type>`` and the second with the hook path. Example hooks

552

``<name>.<hook_type>`` and the second with the hook path. Example hooks

553

can be found in ``kallithea.lib.hooks``.

553

can be found in ``kallithea.lib.hooks``.

554

555

556

Changing default encoding

556

Changing default encoding

557

-------------------------

557

-------------------------

558

559

By default, Kallithea uses UTF-8 encoding.

559

By default, Kallithea uses UTF-8 encoding.

560

This is configurable as ``default_encoding`` in the .ini file.

560

This is configurable as ``default_encoding`` in the .ini file.

561

This affects many parts in Kallithea including user names, filenames, and

561

This affects many parts in Kallithea including user names, filenames, and

562

encoding of commit messages. In addition Kallithea can detect if the ``chardet``

562

encoding of commit messages. In addition Kallithea can detect if the ``chardet``

563

library is installed. If ``chardet`` is detected Kallithea will fallback to it

563

library is installed. If ``chardet`` is detected Kallithea will fallback to it

564

when there are encode/decode errors.

564

when there are encode/decode errors.

565

566

567

Celery configuration

567

Celery configuration

568

--------------------

568

--------------------

569

570

Kallithea can use the distributed task queue system Celery_ to run tasks like

570

Kallithea can use the distributed task queue system Celery_ to run tasks like

571

cloning repositories or sending emails.

571

cloning repositories or sending emails.

572

573

Kallithea will in most setups work perfectly fine out of the box (without

573

Kallithea will in most setups work perfectly fine out of the box (without

574

Celery), executing all tasks in the web server process. Some tasks can however

574

Celery), executing all tasks in the web server process. Some tasks can however

575

take some time to run and it can be better to run such tasks asynchronously in

575

take some time to run and it can be better to run such tasks asynchronously in

576

a separate process so the web server can focus on serving web requests.

576

a separate process so the web server can focus on serving web requests.

577

578

For installation and configuration of Celery, see the `Celery documentation`_.

578

For installation and configuration of Celery, see the `Celery documentation`_.

579

Note that Celery requires a message broker service like RabbitMQ_ (recommended)

579

Note that Celery requires a message broker service like RabbitMQ_ (recommended)

580

or Redis_.

580

or Redis_.

581

582

The use of Celery is configured in the Kallithea ini configuration file.

582

The use of Celery is configured in the Kallithea ini configuration file.

583

To enable it, simply set::

583

To enable it, simply set::

584

585

use_celery = true

585

use_celery = true

586

587

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

587

and add or change the ``celery.*`` and ``broker.*`` configuration variables.

588

589

Remember that the ini files use the format with '.' and not with '_' like

589

Remember that the ini files use the format with '.' and not with '_' like

590

Celery. So for example setting `BROKER_HOST` in Celery means setting

590

Celery. So for example setting `BROKER_HOST` in Celery means setting

591

`broker.host` in the configuration file.

591

`broker.host` in the configuration file.

592

593

To start the Celery process, run::

593

To start the Celery process, run::

594

595

paster celeryd <configfile.ini>

595

paster celeryd <configfile.ini>

596

597

.. note::

597

.. note::

598

Make sure you run this command from the same virtualenv, and with the same

598

Make sure you run this command from the same virtualenv, and with the same

599

user that Kallithea runs.

599

user that Kallithea runs.

600

601

602

HTTPS support

602

HTTPS support

603

-------------

603

-------------

604

605

Kallithea will by default generate URLs based on the WSGI environment.

605

Kallithea will by default generate URLs based on the WSGI environment.

606

607

Alternatively, you can use some special configuration settings to control

607

Alternatively, you can use some special configuration settings to control

608

directly which scheme/protocol Kallithea will use when generating URLs:

608

directly which scheme/protocol Kallithea will use when generating URLs:

609

610

- With ``https_fixup = true``, the scheme will be taken from the

610

- With ``https_fixup = true``, the scheme will be taken from the

611

``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header

611

``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header

612

(default ``http``).

612

(default ``http``).

613

- With ``force_https = true`` the default will be ``https``.

613

- With ``force_https = true`` the default will be ``https``.

614

- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

614

- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.

615

616

617

Nginx virtual host example

617

Nginx virtual host example

618

--------------------------

618

--------------------------

619

620

Sample config for Nginx using proxy:

620

Sample config for Nginx using proxy:

621

622

.. code-block:: nginx

622

.. code-block:: nginx

623

624

upstream kallithea {

624

upstream kallithea {

625

server 127.0.0.1:5000;

625

server 127.0.0.1:5000;

626

# add more instances for load balancing

626

# add more instances for load balancing

627

#server 127.0.0.1:5001;

627

#server 127.0.0.1:5001;

628

#server 127.0.0.1:5002;

628

#server 127.0.0.1:5002;

629

}

629

}

630

631

## gist alias

631

## gist alias

632

server {

632

server {

633

listen 443;

633

listen 443;

634

server_name gist.example.com;

634

server_name gist.example.com;

635

access_log /var/log/nginx/gist.access.log;

635

access_log /var/log/nginx/gist.access.log;

636

error_log /var/log/nginx/gist.error.log;

636

error_log /var/log/nginx/gist.error.log;

637

638

ssl on;

638

ssl on;

639

ssl_certificate gist.your.kallithea.server.crt;

639

ssl_certificate gist.your.kallithea.server.crt;

640

ssl_certificate_key gist.your.kallithea.server.key;

640

ssl_certificate_key gist.your.kallithea.server.key;

641

642

ssl_session_timeout 5m;

642

ssl_session_timeout 5m;

643

644

ssl_protocols SSLv3 TLSv1;

644

ssl_protocols SSLv3 TLSv1;

645

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

645

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

646

ssl_prefer_server_ciphers on;

646

ssl_prefer_server_ciphers on;

647

648

rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;

648

rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;

649

rewrite (.*) https://kallithea.example.com/_admin/gists;

649

rewrite (.*) https://kallithea.example.com/_admin/gists;

650

}

650

}

651

652

server {

652

server {

653

listen 443;

653

listen 443;

654

server_name kallithea.example.com

654

server_name kallithea.example.com

655

access_log /var/log/nginx/kallithea.access.log;

655

access_log /var/log/nginx/kallithea.access.log;

656

error_log /var/log/nginx/kallithea.error.log;

656

error_log /var/log/nginx/kallithea.error.log;

657

658

ssl on;

658

ssl on;

659

ssl_certificate your.kallithea.server.crt;

659

ssl_certificate your.kallithea.server.crt;

660

ssl_certificate_key your.kallithea.server.key;

660

ssl_certificate_key your.kallithea.server.key;

661

662

ssl_session_timeout 5m;

662

ssl_session_timeout 5m;

663

664

ssl_protocols SSLv3 TLSv1;

664

ssl_protocols SSLv3 TLSv1;

665

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

665

ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;

666

ssl_prefer_server_ciphers on;

666

ssl_prefer_server_ciphers on;

667

668

## uncomment root directive if you want to serve static files by nginx

668

## uncomment root directive if you want to serve static files by nginx

669

## requires static_files = false in .ini file

669

## requires static_files = false in .ini file

670

#root /srv/kallithea/kallithea/kallithea/public;

670

#root /srv/kallithea/kallithea/kallithea/public;

671

include /etc/nginx/proxy.conf;

671

include /etc/nginx/proxy.conf;

672

location / {

672

location / {

673

try_files $uri @kallithea;

673

try_files $uri @kallithea;

674

}

674

}

675

676

location @kallithea {

676

location @kallithea {

677

proxy_pass http://127.0.0.1:5000;

677

proxy_pass http://127.0.0.1:5000;

678

}

678

}

679

680

}

680

}

681

682

Here's the proxy.conf. It's tuned so it will not timeout on long

682

Here's the proxy.conf. It's tuned so it will not timeout on long

683

pushes or large pushes::

683

pushes or large pushes::

684

685

proxy_redirect off;

685

proxy_redirect off;

686

proxy_set_header Host $host;

686

proxy_set_header Host $host;

687

## needed for container auth

687

## needed for container auth

688

#proxy_set_header REMOTE_USER $remote_user;

688

#proxy_set_header REMOTE_USER $remote_user;

689

#proxy_set_header X-Forwarded-User $remote_user;

689

#proxy_set_header X-Forwarded-User $remote_user;

690

proxy_set_header X-Url-Scheme $scheme;

690

proxy_set_header X-Url-Scheme $scheme;

691

proxy_set_header X-Host $http_host;

691

proxy_set_header X-Host $http_host;

692

proxy_set_header X-Real-IP $remote_addr;

692

proxy_set_header X-Real-IP $remote_addr;

693

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

693

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

694

proxy_set_header Proxy-host $proxy_host;

694

proxy_set_header Proxy-host $proxy_host;

695

proxy_buffering off;

695

proxy_buffering off;

696

proxy_connect_timeout 7200;

696

proxy_connect_timeout 7200;

697

proxy_send_timeout 7200;

697

proxy_send_timeout 7200;

698

proxy_read_timeout 7200;

698

proxy_read_timeout 7200;

699

proxy_buffers 8 32k;

699

proxy_buffers 8 32k;

700

client_max_body_size 1024m;

700

client_max_body_size 1024m;

701

client_body_buffer_size 128k;

701

client_body_buffer_size 128k;

702

large_client_header_buffers 8 64k;

702

large_client_header_buffers 8 64k;

703

704

705

Apache virtual host reverse proxy example

705

Apache virtual host reverse proxy example

706

-----------------------------------------

706

-----------------------------------------

707

708

Here is a sample configuration file for Apache using proxy:

708

Here is a sample configuration file for Apache using proxy:

709

710

.. code-block:: apache

710

.. code-block:: apache

711

712

712

713

ServerName kallithea.example.com

713

ServerName kallithea.example.com

714

715

715

716

# For Apache 2.4 and later:

716

# For Apache 2.4 and later:

717

Require all granted

717

Require all granted

718

719

# For Apache 2.2 and earlier, instead use:

719

# For Apache 2.2 and earlier, instead use:

720

# Order allow,deny

720

# Order allow,deny

721

# Allow from all

721

# Allow from all

722

</Proxy>

722

</Proxy>

723

724

#important !

724

#important !

725

#Directive to properly generate url (clone url) for pylons

725

#Directive to properly generate url (clone url) for pylons

726

ProxyPreserveHost On

726

ProxyPreserveHost On

727

728

#kallithea instance

728

#kallithea instance

729

ProxyPass / http://127.0.0.1:5000/

729

ProxyPass / http://127.0.0.1:5000/

730

ProxyPassReverse / http://127.0.0.1:5000/

730

ProxyPassReverse / http://127.0.0.1:5000/

731

732

#to enable https use line below

732

#to enable https use line below

733

#SetEnvIf X-Url-Scheme https HTTPS=1

733

#SetEnvIf X-Url-Scheme https HTTPS=1

734

</VirtualHost>

734

</VirtualHost>

735

736

Additional tutorial

736

Additional tutorial

737

http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons

737

http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons

738

739

740

Apache as subdirectory

740

Apache as subdirectory

741

----------------------

741

----------------------

742

743

Apache subdirectory part:

743

Apache subdirectory part:

744

745

.. code-block:: apache

745

.. code-block:: apache

746

747

747

748

ProxyPass http://127.0.0.1:5000/<someprefix>

748

ProxyPass http://127.0.0.1:5000/<someprefix>

749

ProxyPassReverse http://127.0.0.1:5000/<someprefix>

749

ProxyPassReverse http://127.0.0.1:5000/<someprefix>

750

SetEnvIf X-Url-Scheme https HTTPS=1

750

SetEnvIf X-Url-Scheme https HTTPS=1

751

</Location>

751

</Location>

752

753

Besides the regular apache setup you will need to add the following line

753

Besides the regular apache setup you will need to add the following line

754

into ``[app:main]`` section of your .ini file::

754

into ``[app:main]`` section of your .ini file::

755

756

filter-with = proxy-prefix

756

filter-with = proxy-prefix

757

758

Add the following at the end of the .ini file::

758

Add the following at the end of the .ini file::

759

760

[filter:proxy-prefix]

760

[filter:proxy-prefix]

761

use = egg:PasteDeploy#prefix

761

use = egg:PasteDeploy#prefix

762

prefix = /<someprefix>

762

prefix = /<someprefix>

763

764

then change ``<someprefix>`` into your chosen prefix

764

then change ``<someprefix>`` into your chosen prefix

765

766

767

Apache with mod_wsgi

767

Apache with mod_wsgi

768

--------------------

768

--------------------

769

770

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For

770

Alternatively, Kallithea can be set up with Apache under mod_wsgi. For

771

that, you'll need to:

771

that, you'll need to:

772

773

- Install mod_wsgi. If using a Debian-based distro, you can install

773

- Install mod_wsgi. If using a Debian-based distro, you can install

774

the package libapache2-mod-wsgi::

774

the package libapache2-mod-wsgi::

775

776

aptitude install libapache2-mod-wsgi

776

aptitude install libapache2-mod-wsgi

777

778

- Enable mod_wsgi::

778

- Enable mod_wsgi::

779

780

a2enmod wsgi

780

a2enmod wsgi

781

782

- Add global Apache configuration to tell mod_wsgi that Python only will be

782

- Add global Apache configuration to tell mod_wsgi that Python only will be

783

used in the WSGI processes and shouldn't be initialized in the Apache

783

used in the WSGI processes and shouldn't be initialized in the Apache

784

processes::

784

processes::

785

786

WSGIRestrictEmbedded On

786

WSGIRestrictEmbedded On

787

788

- Create a wsgi dispatch script, like the one below. Make sure you

788

- Create a wsgi dispatch script, like the one below. Make sure you

789

check that the paths correctly point to where you installed Kallithea

789

check that the paths correctly point to where you installed Kallithea

790

and its Python Virtual Environment.

790

and its Python Virtual Environment.

791

- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,

791

- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,

792

as in the following example. Once again, check the paths are

792

as in the following example. Once again, check the paths are

793

correctly specified.

793

correctly specified.

794

795

Here is a sample excerpt from an Apache Virtual Host configuration file:

795

Here is a sample excerpt from an Apache Virtual Host configuration file:

796

797

.. code-block:: apache

797

.. code-block:: apache

798

799

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \

799

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \

800

python-home=/srv/kallithea/venv

800

python-home=/srv/kallithea/venv

801

WSGIProcessGroup kallithea

801

WSGIProcessGroup kallithea

802

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

802

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

803

WSGIPassAuthorization On

803

WSGIPassAuthorization On

804

805

Or if using a dispatcher WSGI script with proper virtualenv activation:

805

Or if using a dispatcher WSGI script with proper virtualenv activation:

806

807

.. code-block:: apache

807

.. code-block:: apache

808

809

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100

809

WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100

810

WSGIProcessGroup kallithea

810

WSGIProcessGroup kallithea

811

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

811

WSGIScriptAlias / /srv/kallithea/dispatch.wsgi

812

WSGIPassAuthorization On

812

WSGIPassAuthorization On

813

814

Apache will by default run as a special Apache user, on Linux systems

814

Apache will by default run as a special Apache user, on Linux systems

815

usually ``www-data`` or ``apache``. If you need to have the repositories

815

usually ``www-data`` or ``apache``. If you need to have the repositories

816

directory owned by a different user, use the user and group options to

816

directory owned by a different user, use the user and group options to

817

WSGIDaemonProcess to set the name of the user and group.

817

WSGIDaemonProcess to set the name of the user and group.

818

819

Example WSGI dispatch script:

819

Example WSGI dispatch script:

820

821

.. code-block:: python

821

.. code-block:: python

822

823

import os

823

import os

824

os.environ["HGENCODING"] = "UTF-8"

824

os.environ["HGENCODING"] = "UTF-8"

825

os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

825

os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'

826

827

# sometimes it's needed to set the current dir

827

# sometimes it's needed to set the current dir

828

os.chdir('/srv/kallithea/')

828

os.chdir('/srv/kallithea/')

829

830

import site

830

import site

831

site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

831

site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")

832

833

ini = '/srv/kallithea/my.ini'

833

ini = '/srv/kallithea/my.ini'

834

from paste.script.util.logging_config import fileConfig

834

from paste.script.util.logging_config import fileConfig

835

fileConfig(ini)

835

fileConfig(ini)

836

from paste.deploy import loadapp

836

from paste.deploy import loadapp

837

application = loadapp('config:' + ini)

837

application = loadapp('config:' + ini)

838

839

Or using proper virtualenv activation:

839

Or using proper virtualenv activation:

840

841

.. code-block:: python

841

.. code-block:: python

842

843

activate_this = '/srv/kallithea/venv/bin/activate_this.py'

843

activate_this = '/srv/kallithea/venv/bin/activate_this.py'

844

execfile(activate_this, dict(__file__=activate_this))

844

execfile(activate_this, dict(__file__=activate_this))

845

846

import os

846

import os

847

os.environ['HOME'] = '/srv/kallithea'

847

os.environ['HOME'] = '/srv/kallithea'

848

849

ini = '/srv/kallithea/kallithea.ini'

849

ini = '/srv/kallithea/kallithea.ini'

850

from paste.script.util.logging_config import fileConfig

850

from paste.script.util.logging_config import fileConfig

851

fileConfig(ini)

851

fileConfig(ini)

852

from paste.deploy import loadapp

852

from paste.deploy import loadapp

853

application = loadapp('config:' + ini)

853

application = loadapp('config:' + ini)

854

855

856

Other configuration files

856

Other configuration files

857

-------------------------

857

-------------------------

858

859

A number of `example init.d scripts`__ can be found in

859

A number of `example init.d scripts`__ can be found in

860

the ``init.d`` directory of the Kallithea source.

860

the ``init.d`` directory of the Kallithea source.

861

862

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .

862

.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .

863

864

865

.. _virtualenv: http://pypi.python.org/pypi/virtualenv

865

.. _virtualenv: http://pypi.python.org/pypi/virtualenv

866

.. _python: http://www.python.org/

866

.. _python: http://www.python.org/

867

.. _Mercurial: http://mercurial~~.selenic.com~~/

867

.. _Mercurial: https://www.mercurial-scm.org/

868

.. _Celery: http://celeryproject.org/

868

.. _Celery: http://celeryproject.org/

869

.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html

869

.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html

870

.. _RabbitMQ: http://www.rabbitmq.com/

870

.. _RabbitMQ: http://www.rabbitmq.com/

871

.. _Redis: http://redis.io/

871

.. _Redis: http://redis.io/

872

.. _python-ldap: http://www.python-ldap.org/

872

.. _python-ldap: http://www.python-ldap.org/

873

.. _mercurial-server: http://www.lshift.net/mercurial-server.html

873

.. _mercurial-server: http://www.lshift.net/mercurial-server.html

874

.. _PublishingRepositories: http://mercurial~~.selenic.com~~/wiki/PublishingRepositories

874

.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             .. _contributing:
             =========================
             Contributing to Kallithea
             =========================
             Kallithea is developed and maintained by its users. Please join us and scratch
             your own itch.
             Infrastructure
             --------------
             The main repository is hosted on Our Own Kallithea (aka OOK) at
             https://kallithea-scm.org/repos/kallithea/, our self-hosted instance
             of Kallithea.
             For now, we use Bitbucket_ for `pull requests`_ and `issue tracking`_. The
             issue tracker is for tracking bugs, not for support, discussion, or ideas --
             please use the `mailing list`_ or :ref:`IRC <readme>` to reach the community.
             We use Weblate_ to translate the user interface messages into languages other
             than English. Join our project on `Hosted Weblate`_ to help us.
             To register, you can use your Bitbucket or GitHub account. See :ref:`translations`
             for more details.
             Getting started
             ---------------
             To get started with development::
                     hg clone https://kallithea-scm.org/repos/kallithea
                     cd kallithea
                     virtualenv ../kallithea-venv
                     source ../kallithea-venv/bin/activate
                     pip install --upgrade pip setuptools
                     pip install -e .
                     paster make-config Kallithea my.ini
                     paster setup-db my.ini --user=user --email=user@example.com --password=password --repos=/tmp
                     paster serve my.ini --reload &
                     firefox http://127.0.0.1:5000/
             You can also start out by forking https://bitbucket.org/conservancy/kallithea
             on Bitbucket_ and create a local clone of your own fork.
             Running tests
             -------------
             After finishing your changes make sure all tests pass cleanly. Install the test
             dependencies, then run the testsuite by invoking ``py.test`` from the
             project root::
                 pip install -r dev_requirements.txt
                 py.test
             Note that testing on Python 2.6 also requires ``unittest2``.
             You can also use ``tox`` to run the tests with all supported Python versions
             (currently Python 2.6--2.7).
             When running tests, Kallithea uses `kallithea/tests/test.ini` and populates the
             SQLite database specified there.
             It is possible to avoid recreating the full test database on each invocation of
             the tests, thus eliminating the initial delay. To achieve this, run the tests as::
                 paster serve kallithea/tests/test.ini --pid-file=test.pid --daemon
                 KALLITHEA_WHOOSH_TEST_DISABLE=1 KALLITHEA_NO_TMP_PATH=1 py.test
                 kill -9 $(cat test.pid)
             In these commands, the following variables are used::
                 KALLITHEA_WHOOSH_TEST_DISABLE=1 - skip whoosh index building and tests
                 KALLITHEA_NO_TMP_PATH=1 - disable new temp path for tests, used mostly for testing_vcs_operations
             You can run individual tests by specifying their path as argument to py.test.
             py.test also has many more options, see `py.test -h`. Some useful options
             are::
                 -k EXPRESSION         only run tests which match the given substring
                                       expression. An expression is a python evaluable
                                       expression where all names are substring-matched
                                       against test names and their parent classes. Example:
                 -x, --exitfirst       exit instantly on first error or failed test.
                 --lf                  rerun only the tests that failed at the last run (or
                                       all if none failed)
                 --ff                  run all tests but run the last failures first. This
                                       may re-order tests and thus lead to repeated fixture
                                       setup/teardown
                 --pdb                 start the interactive Python debugger on errors.
                 -s, --capture=no      don't capture stdout (any stdout output will be
                                       printed immediately)
             Contribution guidelines
             -----------------------
             Kallithea is GPLv3 and we assume all contributions are made by the
             committer/contributor and under GPLv3 unless explicitly stated. We do care a
             lot about preservation of copyright and license information for existing code
             that is brought into the project.
             Contributions will be accepted in most formats -- such as pull requests on
             Bitbucket, something hosted on your own Kallithea instance, or patches sent by
             email to the `kallithea-general`_ mailing list.
             When contributing via Bitbucket, please make your fork of
             https://bitbucket.org/conservancy/kallithea/ `non-publishing`_ -- it is one of
             the settings on "Repository details" page. This ensures your commits are in
             "draft" phase and makes it easier for you to address feedback and for project
             maintainers to integrate your changes.
             .. _non-publishing: https://www.mercurial-scm.org/wiki/Phases#Publishing_Repository
             Make sure to test your changes both manually and with the automatic tests
             before posting.
             We care about quality and review and keeping a clean repository history. We
             might give feedback that requests polishing contributions until they are
             "perfect". We might also rebase and collapse and make minor adjustments to your
             changes when we apply them.
             We try to make sure we have consensus on the direction the project is taking.
             Everything non-sensitive should be discussed in public -- preferably on the
             mailing list.  We aim at having all non-trivial changes reviewed by at least
             one other core developer before pushing. Obvious non-controversial changes will
             be handled more casually.
             For now we just have one official branch ("default") and will keep it so stable
             that it can be (and is) used in production. Experimental changes should live
             elsewhere (for example in a pull request) until they are ready.
             Coding guidelines
             -----------------
             We don't have a formal coding/formatting standard. We are currently using a mix
-            of Mercurial (http://mercurial.selenic.com/wiki/CodingStyle), pep8, and
+            of Mercurial's (https://www.mercurial-scm.org/wiki/CodingStyle), pep8, and
             consistency with existing code. Run ``scripts/run-all-cleanup`` before
             committing to ensure some basic code formatting consistency.
             We support both Python 2.6.x and 2.7.x and nothing else. For now we don't care
             about Python 3 compatibility.
             We try to support the most common modern web browsers. IE9 is still supported
             to the extent it is feasible, IE8 is not.
             We primarily support Linux and OS X on the server side but Windows should also work.
             HTML templates should use 2 spaces for indentation ... but be pragmatic. We
             should use templates cleverly and avoid duplication. We should use reasonable
             semantic markup with element classes and IDs that can be used for styling and testing.
             We should only use inline styles in places where it really is semantic (such as
             ``display: none``).
             JavaScript must use ``;`` between/after statements. Indentation 4 spaces. Inline
             multiline functions should be indented two levels -- one for the ``()`` and one for
             ``{}``.
             Variables holding jQuery objects should be named with a leading ``$``.
             Commit messages should have a leading short line summarizing the changes. For
             bug fixes, put ``(Issue #123)`` at the end of this line.
             Use American English grammar and spelling overall. Use `English title case`_ for
             page titles, button labels, headers, and 'labels' for fields in forms.
             .. _English title case: https://en.wikipedia.org/wiki/Capitalization#Title_case
             Template helpers (that is, everything in ``kallithea.lib.helpers``)
             should only be referenced from templates. If you need to call a
             helper from the Python code, consider moving the function somewhere
             else (e.g. to the model).
             Notes on the SQLAlchemy session
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
             Each HTTP request runs inside an independent SQLAlchemy session (as well
             as in an independent database transaction). Database model objects
             (almost) always belong to a particular SQLAlchemy session, which means
             that SQLAlchemy will ensure that they're kept in sync with the database
             (but also means that they cannot be shared across requests).
             Objects can be added to the session using ``Session().add``, but this is
             rarely needed:
             * When creating a database object by calling the constructor directly,
               it must explicitly be added to the session.
             * When creating an object using a factory function (like
               ``create_repo``), the returned object has already (by convention)
               been added to the session, and should not be added again.
             * When getting an object from the session (via ``Session().query`` or
               any of the utility functions that look up objects in the database),
               it's already part of the session, and should not be added again.
               SQLAlchemy monitors attribute modifications automatically for all
               objects it knows about and syncs them to the database.
             SQLAlchemy also flushes changes to the database automatically; manually
             calling ``Session().flush`` is usually only necessary when the Python
             code needs the database to assign an "auto-increment" primary key ID to
             a freshly created model object (before flushing, the ID attribute will
             be ``None``).
             "Roadmap"
             ---------
             We do not have a road map but are waiting for your contributions. Refer to the
             wiki_ for some ideas of places we might want to go -- contributions in these
             areas are very welcome.
             Thank you for your contribution!
             --------------------------------
             .. _Weblate: http://weblate.org/
             .. _issue tracking: https://bitbucket.org/conservancy/kallithea/issues?status=new&status=open
             .. _pull requests: https://bitbucket.org/conservancy/kallithea/pull-requests
             .. _bitbucket: http://bitbucket.org/
             .. _mailing list: http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
             .. _kallithea-general: http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
             .. _Hosted Weblate: https://hosted.weblate.org/projects/kallithea/kallithea/
             .. _wiki: https://bitbucket.org/conservancy/kallithea/wiki/Home

             .. _index:
             #######################
             Kallithea Documentation
             #######################
             **Readme**
             .. toctree::
                :maxdepth: 1
                readme
             **Installation**
             .. toctree::
                :maxdepth: 1
                overview
                installation
                installation_win
                installation_win_old
                installation_iis
                setup
                installation_puppet
                upgrade
             **Usage**
             .. toctree::
                :maxdepth: 1
                usage/general
                usage/vcs_support
                usage/locking
                usage/statistics
             **Administrator's guide**
             .. toctree::
                :maxdepth: 1
                usage/email
                usage/performance
                usage/backup
                usage/debugging
                usage/troubleshooting
                usage/customization
             **Development**
             .. toctree::
                :maxdepth: 1
                contributing
                dev/translation
                dev/dbmigrations
             **API**
             .. toctree::
                :maxdepth: 1
                api/api
             Other topics
             ************
             * :ref:`genindex`
             * :ref:`search`
             .. _virtualenv: http://pypi.python.org/pypi/virtualenv
             .. _python: http://www.python.org/
             .. _django: http://www.djangoproject.com/
-            .. _mercurial: http://mercurial.selenic.com/
+            .. _mercurial: https://www.mercurial-scm.org/
             .. _bitbucket: http://bitbucket.org/
             .. _subversion: http://subversion.tigris.org/
             .. _git: http://git-scm.com/
             .. _celery: http://celeryproject.org/
             .. _Sphinx: http://sphinx.pocoo.org/
             .. _vcs: http://pypi.python.org/pypi/vcs

             .. _setup:
             =====
             Setup
             =====
             Setting up Kallithea
             --------------------
             First, you will need to create a Kallithea configuration file. Run the
             following command to do so::
                 paster make-config Kallithea my.ini
             This will create the file ``my.ini`` in the current directory. This
             configuration file contains the various settings for Kallithea, e.g.
             proxy port, email settings, usage of static files, cache, Celery
             settings, and logging.
             Next, you need to create the databases used by Kallithea. It is recommended to
             use PostgreSQL or SQLite (default). If you choose a database other than the
             default, ensure you properly adjust the database URL in your ``my.ini``
             configuration file to use this other database. Kallithea currently supports
             PostgreSQL, SQLite and MySQL databases. Create the database by running
             the following command::
                 paster setup-db my.ini
             This will prompt you for a "root" path. This "root" path is the location where
             Kallithea will store all of its repositories on the current machine. After
             entering this "root" path ``setup-db`` will also prompt you for a username
             and password for the initial admin account which ``setup-db`` sets
             up for you.
             The ``setup-db`` values can also be given on the command line.
             Example::
                 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
             The ``setup-db`` command will create all needed tables and an
             admin account. When choosing a root path you can either use a new
             empty location, or a location which already contains existing
             repositories. If you choose a location which contains existing
             repositories Kallithea will add all of the repositories at the chosen
             location to its database.  (Note: make sure you specify the correct
             path to the root).
             .. note:: the given path for Mercurial_ repositories **must** be write
                       accessible for the application. It's very important since
                       the Kallithea web interface will work without write access,
                       but when trying to do a push it will fail with permission
                       denied errors unless it has write access.
             You are now ready to use Kallithea. To run it simply execute::
                 paster serve my.ini
             - This command runs the Kallithea server. The web app should be available at
               http://127.0.0.1:5000. The IP address and port is configurable via the
               configuration file created in the previous step.
             - Log in to Kallithea using the admin account created when running ``setup-db``.
             - The default permissions on each repository is read, and the owner is admin.
               Remember to update these if needed.
             - In the admin panel you can toggle LDAP, anonymous, and permissions
               settings, as well as edit more advanced options on users and
               repositories.
             Using Kallithea with SSH
             ------------------------
             Kallithea currently only hosts repositories using http and https. (The addition
             of ssh hosting is a planned future feature.) However you can easily use ssh in
             parallel with Kallithea. (Repository access via ssh is a standard "out of
             the box" feature of Mercurial_ and you can use this to access any of the
             repositories that Kallithea is hosting. See PublishingRepositories_)
             Kallithea repository structures are kept in directories with the same name
             as the project. When using repository groups, each group is a subdirectory.
             This allows you to easily use ssh for accessing repositories.
             In order to use ssh you need to make sure that your web server and the users'
             login accounts have the correct permissions set on the appropriate directories.
             .. note:: These permissions are independent of any permissions you
                       have set up using the Kallithea web interface.
             If your main directory (the same as set in Kallithea settings) is for
             example set to ``/srv/repos`` and the repository you are using is
             named ``kallithea``, then to clone via ssh you should run::
                 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
             Using other external tools such as mercurial-server_ or using ssh key-based
             authentication is fully supported.
             .. note:: In an advanced setup, in order for your ssh access to use
                       the same permissions as set up via the Kallithea web
                       interface, you can create an authentication hook to connect
                       to the Kallithea db and run check functions for permissions
                       against that.
             Setting up Whoosh full text search
             ----------------------------------
             Kallithea provides full text search of repositories using `Whoosh`__.
             .. __: https://pythonhosted.org/Whoosh/
             For an incremental index build, run::
                 paster make-index my.ini
             For a full index rebuild, run::
                 paster make-index my.ini -f
             The ``--repo-location`` option allows the location of the repositories to be overridden;
             usually, the location is retrieved from the Kallithea database.
             The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
                 paster make-index my.ini --index-only=vcs,kallithea
             To keep your index up-to-date it is necessary to do periodic index builds;
             for this, it is recommended to use a crontab entry. Example::
 3  *  *  *  /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
             When using incremental mode (the default), Whoosh will check the last
             modification date of each file and add it to be reindexed if a newer file is
             available. The indexing daemon checks for any removed files and removes them
             from index.
             If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
             or in the admin panel you can check the "build from scratch" checkbox.
             .. _ldap-setup:
             Setting up LDAP support
             -----------------------
             Kallithea supports LDAP authentication. In order
             to use LDAP, you have to install the python-ldap_ package. This package is
             available via PyPI, so you can install it by running::
                 pip install python-ldap
             .. note:: ``python-ldap`` requires some libraries to be installed on
                       your system, so before installing it check that you have at
                       least the ``openldap`` and ``sasl`` libraries.
             Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
             and then *Save*, to enable the LDAP plugin and configure its settings.
             Here's a typical LDAP setup::
              Connection settings
              Enable LDAP          = checked
              Host                 = host.example.com
              Account              = <account>
              Password             = <password>
              Connection Security  = LDAPS connection
              Certificate Checks   = DEMAND
              Search settings
              Base DN              = CN=users,DC=host,DC=example,DC=org
              LDAP Filter          = (&(objectClass=user)(!(objectClass=computer)))
              LDAP Search Scope    = SUBTREE
              Attribute mappings
              Login Attribute      = uid
              First Name Attribute = firstName
              Last Name Attribute  = lastName
              Email Attribute      = mail
             If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
              Search settings
              Base DN              = DC=host,DC=example,DC=org
              LDAP Filter          = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
              LDAP Search Scope    = SUBTREE
             .. _enable_ldap:
             Enable LDAP : required
                 Whether to use LDAP for authenticating users.
             .. _ldap_host:
             Host : required
                 LDAP server hostname or IP address. Can be also a comma separated
                 list of servers to support LDAP fail-over.
             .. _Port:
             Port : optional
                 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
                 Defaults to 636 for LDAPS.
             .. _ldap_account:
             Account : optional
                 Only required if the LDAP server does not allow anonymous browsing of
                 records.  This should be a special account for record browsing.  This
                 will require `LDAP Password`_ below.
             .. _LDAP Password:
             Password : optional
                 Only required if the LDAP server does not allow anonymous browsing of
                 records.
             .. _Enable LDAPS:
             Connection Security : required
                 Defines the connection to LDAP server
                 PLAIN
                     Plain unencrypted LDAP connection.
                     This will by default use `Port`_ 389.
                 LDAPS
                     Use secure LDAPS connections according to `Certificate
                     Checks`_ configuration.
                     This will by default use `Port`_ 636.
                 START_TLS
                     Use START TLS according to `Certificate Checks`_ configuration on an
                     apparently "plain" LDAP connection.
                     This will by default use `Port`_ 389.
             .. _Certificate Checks:
             Certificate Checks : optional
                 How SSL certificates verification is handled -- this is only useful when
                 `Enable LDAPS`_ is enabled.  Only DEMAND or HARD offer full SSL security
                 with mandatory certificate validation, while the other options are
                 susceptible to man-in-the-middle attacks.
                 NEVER
                     A serve certificate will never be requested or checked.
                 ALLOW
                     A server certificate is requested.  Failure to provide a
                     certificate or providing a bad certificate will not terminate the
                     session.
                 TRY
                     A server certificate is requested.  Failure to provide a
                     certificate does not halt the session; providing a bad certificate
                     halts the session.
                 DEMAND
                     A server certificate is requested and must be provided and
                     authenticated for the session to proceed.
                 HARD
                     The same as DEMAND.
             .. _Custom CA Certificates:
             Custom CA Certificates : optional
                 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
                 Python 2.7.10 and later default to using the system certificate store, and
                 this should thus not be necessary when using certificates signed by a CA
                 trusted by the system.
                 It can be set to something like `/etc/openldap/cacerts` on older systems or
                 if using self-signed certificates.
             .. _Base DN:
             Base DN : required
                 The Distinguished Name (DN) where searches for users will be performed.
                 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
             .. _LDAP Filter:
             LDAP Filter : optional
                 A LDAP filter defined by RFC 2254.  This is more useful when `LDAP
                 Search Scope`_ is set to SUBTREE.  The filter is useful for limiting
                 which LDAP objects are identified as representing Users for
                 authentication.  The filter is augmented by `Login Attribute`_ below.
                 This can commonly be left blank.
             .. _LDAP Search Scope:
             LDAP Search Scope : required
                 This limits how far LDAP will search for a matching object.
                 BASE
                     Only allows searching of `Base DN`_ and is usually not what you
                     want.
                 ONELEVEL
                     Searches all entries under `Base DN`_, but not Base DN itself.
                 SUBTREE
                     Searches all entries below `Base DN`_, but not Base DN itself.
                     When using SUBTREE `LDAP Filter`_ is useful to limit object
                     location.
             .. _Login Attribute:
             Login Attribute : required
                 The LDAP record attribute that will be matched as the USERNAME or
                 ACCOUNT used to connect to Kallithea.  This will be added to `LDAP
                 Filter`_ for locating the User object.  If `LDAP Filter`_ is specified as
                 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
                 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
                 ::
                     (&(LDAPFILTER)(uid=jsmith))
             .. _ldap_attr_firstname:
             First Name Attribute : required
                 The LDAP record attribute which represents the user's first name.
             .. _ldap_attr_lastname:
             Last Name Attribute : required
                 The LDAP record attribute which represents the user's last name.
             .. _ldap_attr_email:
             Email Attribute : required
                 The LDAP record attribute which represents the user's email address.
             If all data are entered correctly, and python-ldap_ is properly installed
             users should be granted access to Kallithea with LDAP accounts.  At this
             time user information is copied from LDAP into the Kallithea user database.
             This means that updates of an LDAP user object may not be reflected as a
             user update in Kallithea.
             If You have problems with LDAP access and believe You entered correct
             information check out the Kallithea logs, any error messages sent from LDAP
             will be saved there.
             Active Directory
             ^^^^^^^^^^^^^^^^
             Kallithea can use Microsoft Active Directory for user authentication.  This
             is done through an LDAP or LDAPS connection to Active Directory.  The
             following LDAP configuration settings are typical for using Active
             Directory ::
              Base DN              = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
              Login Attribute      = sAMAccountName
              First Name Attribute = givenName
              Last Name Attribute  = sn
              Email Attribute     = mail
             All other LDAP settings will likely be site-specific and should be
             appropriately configured.
             Authentication by container or reverse-proxy
             --------------------------------------------
             Kallithea supports delegating the authentication
             of users to its WSGI container, or to a reverse-proxy server through which all
             clients access the application.
             When these authentication methods are enabled in Kallithea, it uses the
             username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
             perform the authentication itself. The authorization, however, is still done by
             Kallithea according to its settings.
             When a user logs in for the first time using these authentication methods,
             a matching user account is created in Kallithea with default permissions. An
             administrator can then modify it using Kallithea's admin interface.
             It's also possible for an administrator to create accounts and configure their
             permissions before the user logs in for the first time, using the :ref:`create-user` API.
             Container-based authentication
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
             In a container-based authentication setup, Kallithea reads the user name from
             the ``REMOTE_USER`` server variable provided by the WSGI container.
             After setting up your container (see `Apache with mod_wsgi`_), you'll need
             to configure it to require authentication on the location configured for
             Kallithea.
             Proxy pass-through authentication
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
             In a proxy pass-through authentication setup, Kallithea reads the user name
             from the ``X-Forwarded-User`` request header, which should be configured to be
             sent by the reverse-proxy server.
             After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
             `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
             configure the authentication and add the username in a request header named
             ``X-Forwarded-User``.
             For example, the following config section for Apache sets a subdirectory in a
             reverse-proxy setup with basic auth:
             .. code-block:: apache
                 <Location /someprefix>
                   ProxyPass http://127.0.0.1:5000/someprefix
                   ProxyPassReverse http://127.0.0.1:5000/someprefix
                   SetEnvIf X-Url-Scheme https HTTPS=1
                   AuthType Basic
                   AuthName "Kallithea authentication"
                   AuthUserFile /srv/kallithea/.htpasswd
                   Require valid-user
                   RequestHeader unset X-Forwarded-User
                   RewriteEngine On
                   RewriteCond %{LA-U:REMOTE_USER} (.+)
                   RewriteRule .* - [E=RU:%1]
                   RequestHeader set X-Forwarded-User %{RU}e
                 </Location>
             Setting metadata in container/reverse-proxy
             """""""""""""""""""""""""""""""""""""""""""
             When a new user account is created on the first login, Kallithea has no information about
             the user's email and full name. So you can set some additional request headers like in the
             example below. In this example the user is authenticated via Kerberos and an Apache
             mod_python fixup handler is used to get the user information from a LDAP server. But you
             could set the request headers however you want.
             .. code-block:: apache
                 <Location /someprefix>
                   ProxyPass http://127.0.0.1:5000/someprefix
                   ProxyPassReverse http://127.0.0.1:5000/someprefix
                   SetEnvIf X-Url-Scheme https HTTPS=1
                   AuthName "Kerberos Login"
                   AuthType Kerberos
                   Krb5Keytab /etc/apache2/http.keytab
                   KrbMethodK5Passwd off
                   KrbVerifyKDC on
                   Require valid-user
                   PythonFixupHandler ldapmetadata
                   RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
                   RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
                   RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
                   RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
                 </Location>
             .. code-block:: python
                 from mod_python import apache
                 import ldap
                 LDAP_SERVER = "ldap://server.mydomain.com:389"
                 LDAP_USER = ""
                 LDAP_PASS = ""
                 LDAP_ROOT = "dc=mydomain,dc=com"
                 LDAP_FILTER = "sAMAccountName=%s"
                 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
                 def fixuphandler(req):
                     if req.user is None:
                         # no user to search for
                         return apache.OK
                     else:
                         try:
                             if('\\' in req.user):
                                 username = req.user.split('\\')[1]
                             elif('@' in req.user):
                                 username = req.user.split('@')[0]
                             else:
                                 username = req.user
                             l = ldap.initialize(LDAP_SERVER)
                             l.simple_bind_s(LDAP_USER, LDAP_PASS)
                             r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
                             req.subprocess_env['X_REMOTE_USER'] = username
                             req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
                             req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
                             req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
                         except Exception, e:
                             apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
                         return apache.OK
             .. note::
                If you enable proxy pass-through authentication, make sure your server is
                only accessible through the proxy. Otherwise, any client would be able to
                forge the authentication header and could effectively become authenticated
                using any account of their liking.
             Integration with issue trackers
             -------------------------------
             Kallithea provides a simple integration with issue trackers. It's possible
             to define a regular expression that will match an issue ID in commit messages,
             and have that replaced with a URL to the issue. To enable this simply
             uncomment the following variables in the ini file::
                 issue_pat = (?:^#|\s#)(\w+)
                 issue_server_link = https://issues.example.com/{repo}/issue/{id}
                 issue_prefix = #
             ``issue_pat`` is the regular expression describing which strings in
             commit messages will be treated as issue references. A match group in
             parentheses should be used to specify the actual issue id.
             The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
             Matched issue references are replaced with the link specified in
             ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
             ``{repo}`` with the repository name.  Since the # is stripped away,
             ``issue_prefix`` is prepended to the link text.  ``issue_prefix`` doesn't
             necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
             generate a URL in the format:
             .. code-block:: html
               <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
             If needed, more than one pattern can be specified by appending a unique suffix to
             the variables. For example::
                 issue_pat_wiki = (?:wiki-)(.+)
                 issue_server_link_wiki = https://wiki.example.com/{id}
                 issue_prefix_wiki = WIKI-
             With these settings, wiki pages can be referenced as wiki-some-id, and every
             such reference will be transformed into:
             .. code-block:: html
               <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
             Hook management
             ---------------
             Hooks can be managed in similar way to that used in ``.hgrc`` files.
             To manage hooks, choose *Admin > Settings > Hooks*.
             The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
             To add another custom hook simply fill in the first textbox with
             ``<name>.<hook_type>`` and the second with the hook path. Example hooks
             can be found in ``kallithea.lib.hooks``.
             Changing default encoding
             -------------------------
             By default, Kallithea uses UTF-8 encoding.
             This is configurable as ``default_encoding`` in the .ini file.
             This affects many parts in Kallithea including user names, filenames, and
             encoding of commit messages. In addition Kallithea can detect if the ``chardet``
             library is installed. If ``chardet`` is detected Kallithea will fallback to it
             when there are encode/decode errors.
             Celery configuration
             --------------------
             Kallithea can use the distributed task queue system Celery_ to run tasks like
             cloning repositories or sending emails.
             Kallithea will in most setups work perfectly fine out of the box (without
             Celery), executing all tasks in the web server process. Some tasks can however
             take some time to run and it can be better to run such tasks asynchronously in
             a separate process so the web server can focus on serving web requests.
             For installation and configuration of Celery, see the `Celery documentation`_.
             Note that Celery requires a message broker service like RabbitMQ_ (recommended)
             or Redis_.
             The use of Celery is configured in the Kallithea ini configuration file.
             To enable it, simply set::
               use_celery = true
             and add or change the ``celery.*`` and ``broker.*`` configuration variables.
             Remember that the ini files use the format with '.' and not with '_' like
             Celery. So for example setting `BROKER_HOST` in Celery means setting
             `broker.host` in the configuration file.
             To start the Celery process, run::
              paster celeryd <configfile.ini>
             .. note::
                Make sure you run this command from the same virtualenv, and with the same
                user that Kallithea runs.
             HTTPS support
             -------------
             Kallithea will by default generate URLs based on the WSGI environment.
             Alternatively, you can use some special configuration settings to control
             directly which scheme/protocol Kallithea will use when generating URLs:
             - With ``https_fixup = true``, the scheme will be taken from the
               ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
               (default ``http``).
             - With ``force_https = true`` the default will be ``https``.
             - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
             Nginx virtual host example
             --------------------------
             Sample config for Nginx using proxy:
             .. code-block:: nginx
                 upstream kallithea {
                     server 127.0.0.1:5000;
                     # add more instances for load balancing
                     #server 127.0.0.1:5001;
                     #server 127.0.0.1:5002;
                 }
                 ## gist alias
                 server {
                    listen          443;
                    server_name     gist.example.com;
                    access_log      /var/log/nginx/gist.access.log;
                    error_log       /var/log/nginx/gist.error.log;
                    ssl on;
                    ssl_certificate     gist.your.kallithea.server.crt;
                    ssl_certificate_key gist.your.kallithea.server.key;
                    ssl_session_timeout 5m;
                    ssl_protocols SSLv3 TLSv1;
                    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
                    ssl_prefer_server_ciphers on;
                    rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
                    rewrite (.*)    https://kallithea.example.com/_admin/gists;
                 }
                 server {
                    listen          443;
                    server_name     kallithea.example.com
                    access_log      /var/log/nginx/kallithea.access.log;
                    error_log       /var/log/nginx/kallithea.error.log;
                    ssl on;
                    ssl_certificate     your.kallithea.server.crt;
                    ssl_certificate_key your.kallithea.server.key;
                    ssl_session_timeout 5m;
                    ssl_protocols SSLv3 TLSv1;
                    ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
                    ssl_prefer_server_ciphers on;
                    ## uncomment root directive if you want to serve static files by nginx
                    ## requires static_files = false in .ini file
                    #root /srv/kallithea/kallithea/kallithea/public;
                    include         /etc/nginx/proxy.conf;
                    location / {
                         try_files $uri @kallithea;
                    }
                    location @kallithea {
                         proxy_pass      http://127.0.0.1:5000;
                    }
                 }
             Here's the proxy.conf. It's tuned so it will not timeout on long
             pushes or large pushes::
                 proxy_redirect              off;
                 proxy_set_header            Host $host;
                 ## needed for container auth
                 #proxy_set_header            REMOTE_USER $remote_user;
                 #proxy_set_header            X-Forwarded-User $remote_user;
                 proxy_set_header            X-Url-Scheme $scheme;
                 proxy_set_header            X-Host $http_host;
                 proxy_set_header            X-Real-IP $remote_addr;
                 proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header            Proxy-host $proxy_host;
                 proxy_buffering             off;
                 proxy_connect_timeout       7200;
                 proxy_send_timeout          7200;
                 proxy_read_timeout          7200;
                 proxy_buffers               8 32k;
                 client_max_body_size        1024m;
                 client_body_buffer_size     128k;
                 large_client_header_buffers 8 64k;
             Apache virtual host reverse proxy example
             -----------------------------------------
             Here is a sample configuration file for Apache using proxy:
             .. code-block:: apache
                 <VirtualHost *:80>
                         ServerName kallithea.example.com
                         <Proxy *>
                           # For Apache 2.4 and later:
                           Require all granted
                           # For Apache 2.2 and earlier, instead use:
                           # Order allow,deny
                           # Allow from all
                         </Proxy>
                         #important !
                         #Directive to properly generate url (clone url) for pylons
                         ProxyPreserveHost On
                         #kallithea instance
                         ProxyPass / http://127.0.0.1:5000/
                         ProxyPassReverse / http://127.0.0.1:5000/
                         #to enable https use line below
                         #SetEnvIf X-Url-Scheme https HTTPS=1
                 </VirtualHost>
             Additional tutorial
             http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
             Apache as subdirectory
             ----------------------
             Apache subdirectory part:
             .. code-block:: apache
                 <Location /<someprefix> >
                   ProxyPass http://127.0.0.1:5000/<someprefix>
                   ProxyPassReverse http://127.0.0.1:5000/<someprefix>
                   SetEnvIf X-Url-Scheme https HTTPS=1
                 </Location>
             Besides the regular apache setup you will need to add the following line
             into ``[app:main]`` section of your .ini file::
                 filter-with = proxy-prefix
             Add the following at the end of the .ini file::
                 [filter:proxy-prefix]
                 use = egg:PasteDeploy#prefix
                 prefix = /<someprefix>
             then change ``<someprefix>`` into your chosen prefix
             Apache with mod_wsgi
             --------------------
             Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
             that, you'll need to:
             - Install mod_wsgi. If using a Debian-based distro, you can install
               the package libapache2-mod-wsgi::
                 aptitude install libapache2-mod-wsgi
             - Enable mod_wsgi::
                 a2enmod wsgi
             - Add global Apache configuration to tell mod_wsgi that Python only will be
               used in the WSGI processes and shouldn't be initialized in the Apache
               processes::
                 WSGIRestrictEmbedded On
             - Create a wsgi dispatch script, like the one below. Make sure you
               check that the paths correctly point to where you installed Kallithea
               and its Python Virtual Environment.
             - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
               as in the following example. Once again, check the paths are
               correctly specified.
             Here is a sample excerpt from an Apache Virtual Host configuration file:
             .. code-block:: apache
                 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
                     python-home=/srv/kallithea/venv
                 WSGIProcessGroup kallithea
                 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
                 WSGIPassAuthorization On
             Or if using a dispatcher WSGI script with proper virtualenv activation:
             .. code-block:: apache
                 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
                 WSGIProcessGroup kallithea
                 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
                 WSGIPassAuthorization On
             Apache will by default run as a special Apache user, on Linux systems
             usually ``www-data`` or ``apache``. If you need to have the repositories
             directory owned by a different user, use the user and group options to
             WSGIDaemonProcess to set the name of the user and group.
             Example WSGI dispatch script:
             .. code-block:: python
                 import os
                 os.environ["HGENCODING"] = "UTF-8"
                 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
                 # sometimes it's needed to set the current dir
                 os.chdir('/srv/kallithea/')
                 import site
                 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
                 ini = '/srv/kallithea/my.ini'
                 from paste.script.util.logging_config import fileConfig
                 fileConfig(ini)
                 from paste.deploy import loadapp
                 application = loadapp('config:' + ini)
             Or using proper virtualenv activation:
             .. code-block:: python
                 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
                 execfile(activate_this, dict(__file__=activate_this))
                 import os
                 os.environ['HOME'] = '/srv/kallithea'
                 ini = '/srv/kallithea/kallithea.ini'
                 from paste.script.util.logging_config import fileConfig
                 fileConfig(ini)
                 from paste.deploy import loadapp
                 application = loadapp('config:' + ini)
             Other configuration files
             -------------------------
             A number of `example init.d scripts`__ can be found in
             the ``init.d`` directory of the Kallithea source.
             .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
             .. _virtualenv: http://pypi.python.org/pypi/virtualenv
             .. _python: http://www.python.org/
-            .. _Mercurial: http://mercurial.selenic.com/
+            .. _Mercurial: https://www.mercurial-scm.org/
             .. _Celery: http://celeryproject.org/
             .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
             .. _RabbitMQ: http://www.rabbitmq.com/
             .. _Redis: http://redis.io/
             .. _python-ldap: http://www.python-ldap.org/
             .. _mercurial-server: http://www.lshift.net/mercurial-server.html
-            .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
+            .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories

             .. _troubleshooting:
             ===============
             Troubleshooting
             ===============
             :Q: **Missing static files?**
             :A: Make sure either to set the ``static_files = true`` in the .ini file or
                double check the root path for your http setup. It should point to
                for example:
                ``/home/my-virtual-python/lib/python2.7/site-packages/kallithea/public``
             |
             :Q: **Can't install celery/rabbitmq?**
             :A: Don't worry. Kallithea works without them, too. No extra setup is required.
                 Try out the great Celery docs for further help.
             |
             :Q: **Long lasting push timeouts?**
             :A: Make sure you set a longer timeout in your proxy/fcgi settings. Timeouts
                 are caused by the http server and not Kallithea.
             |
             :Q: **Large pushes timeouts?**
             :A: Make sure you set a proper ``max_body_size`` for the http server. Very often
                 Apache, Nginx, or other http servers kill the connection due to to large
                 body.
             |
             :Q: **Apache doesn't pass basicAuth on pull/push?**
             :A: Make sure you added ``WSGIPassAuthorization true``.
             |
             :Q: **Git fails on push/pull?**
             :A: Make sure you're using a WSGI http server that can handle chunked encoding
                 such as ``waitress`` or ``gunicorn``.
             |
             :Q: **How can I use hooks in Kallithea?**
             :A: It's easy if they are Python hooks: just use advanced link in
                 hooks section in Admin panel, that works only for Mercurial. If
                 you want to use Git hooks, just install th proper one in the repository,
                 e.g., create a file `/gitrepo/hooks/pre-receive`. You can also use
                 Kallithea-extensions to connect to callback hooks, for both Git
                 and Mercurial.
             |
             :Q: **Kallithea is slow for me, how can I make it faster?**
             :A: See the :ref:`performance` section.
             |
             :Q: **UnicodeDecodeError on Apache mod_wsgi**
             :A: Please read: https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/modwsgi/#if-you-get-a-unicodeencodeerror.
             |
             :Q: **Requests hanging on Windows**
             :A: Please try out with disabled Antivirus software, there are some known problems with Eset Antivirus. Make sure
                 you have installed the latest Windows patches (especially KB2789397).
             .. _virtualenv: http://pypi.python.org/pypi/virtualenv
             .. _python: http://www.python.org/
-            .. _mercurial: http://mercurial.selenic.com/
+            .. _mercurial: https://www.mercurial-scm.org/
             .. _celery: http://celeryproject.org/
             .. _rabbitmq: http://www.rabbitmq.com/
             .. _python-ldap: http://www.python-ldap.org/