##// END OF EJS Templates
make-config: allow configuration of any ini value...
Mads Kiilerich -
r6823:a8b9f2d6 default
parent child Browse files
Show More
@@ -1,893 +1,895 b''
1 .. _setup:
1 .. _setup:
2
2
3 =====
3 =====
4 Setup
4 Setup
5 =====
5 =====
6
6
7
7
8 Setting up Kallithea
8 Setting up Kallithea
9 --------------------
9 --------------------
10
10
11 First, you will need to create a Kallithea configuration file. Run the
11 First, you will need to create a Kallithea configuration file. Run the
12 following command to do so::
12 following command to do so::
13
13
14 gearbox make-config my.ini
14 gearbox make-config my.ini
15
15
16 This will create the file ``my.ini`` in the current directory. This
16 This will create the file ``my.ini`` in the current directory. This
17 configuration file contains the various settings for Kallithea, e.g.
17 configuration file contains the various settings for Kallithea, e.g.
18 proxy port, email settings, usage of static files, cache, Celery
18 proxy port, email settings, usage of static files, cache, Celery
19 settings, and logging.
19 settings, and logging. Extra settings can be specified like::
20
21 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
20
22
21 Next, you need to create the databases used by Kallithea. It is recommended to
23 Next, you need to create the databases used by Kallithea. It is recommended to
22 use PostgreSQL or SQLite (default). If you choose a database other than the
24 use PostgreSQL or SQLite (default). If you choose a database other than the
23 default, ensure you properly adjust the database URL in your ``my.ini``
25 default, ensure you properly adjust the database URL in your ``my.ini``
24 configuration file to use this other database. Kallithea currently supports
26 configuration file to use this other database. Kallithea currently supports
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
27 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 the following command::
28 the following command::
27
29
28 gearbox setup-db -c my.ini
30 gearbox setup-db -c my.ini
29
31
30 This will prompt you for a "root" path. This "root" path is the location where
32 This will prompt you for a "root" path. This "root" path is the location where
31 Kallithea will store all of its repositories on the current machine. After
33 Kallithea will store all of its repositories on the current machine. After
32 entering this "root" path ``setup-db`` will also prompt you for a username
34 entering this "root" path ``setup-db`` will also prompt you for a username
33 and password for the initial admin account which ``setup-db`` sets
35 and password for the initial admin account which ``setup-db`` sets
34 up for you.
36 up for you.
35
37
36 The ``setup-db`` values can also be given on the command line.
38 The ``setup-db`` values can also be given on the command line.
37 Example::
39 Example::
38
40
39 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
41 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40
42
41 The ``setup-db`` command will create all needed tables and an
43 The ``setup-db`` command will create all needed tables and an
42 admin account. When choosing a root path you can either use a new
44 admin account. When choosing a root path you can either use a new
43 empty location, or a location which already contains existing
45 empty location, or a location which already contains existing
44 repositories. If you choose a location which contains existing
46 repositories. If you choose a location which contains existing
45 repositories Kallithea will add all of the repositories at the chosen
47 repositories Kallithea will add all of the repositories at the chosen
46 location to its database. (Note: make sure you specify the correct
48 location to its database. (Note: make sure you specify the correct
47 path to the root).
49 path to the root).
48
50
49 .. note:: the given path for Mercurial_ repositories **must** be write
51 .. note:: the given path for Mercurial_ repositories **must** be write
50 accessible for the application. It's very important since
52 accessible for the application. It's very important since
51 the Kallithea web interface will work without write access,
53 the Kallithea web interface will work without write access,
52 but when trying to do a push it will fail with permission
54 but when trying to do a push it will fail with permission
53 denied errors unless it has write access.
55 denied errors unless it has write access.
54
56
55 You are now ready to use Kallithea. To run it simply execute::
57 You are now ready to use Kallithea. To run it simply execute::
56
58
57 gearbox serve -c my.ini
59 gearbox serve -c my.ini
58
60
59 - This command runs the Kallithea server. The web app should be available at
61 - This command runs the Kallithea server. The web app should be available at
60 http://127.0.0.1:5000. The IP address and port is configurable via the
62 http://127.0.0.1:5000. The IP address and port is configurable via the
61 configuration file created in the previous step.
63 configuration file created in the previous step.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
64 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 - The default permissions on each repository is read, and the owner is admin.
65 - The default permissions on each repository is read, and the owner is admin.
64 Remember to update these if needed.
66 Remember to update these if needed.
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
67 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 settings, as well as edit more advanced options on users and
68 settings, as well as edit more advanced options on users and
67 repositories.
69 repositories.
68
70
69
71
70 Internationalization (i18n support)
72 Internationalization (i18n support)
71 -----------------------------------
73 -----------------------------------
72
74
73 The Kallithea web interface is automatically displayed in the user's preferred
75 The Kallithea web interface is automatically displayed in the user's preferred
74 language, as indicated by the browser. Thus, different users may see the
76 language, as indicated by the browser. Thus, different users may see the
75 application in different languages. If the requested language is not available
77 application in different languages. If the requested language is not available
76 (because the translation file for that language does not yet exist or is
78 (because the translation file for that language does not yet exist or is
77 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
79 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
78 configuration file is used as fallback. If no fallback language is explicitly
80 configuration file is used as fallback. If no fallback language is explicitly
79 specified, English is used.
81 specified, English is used.
80
82
81 If you want to disable automatic language detection and instead configure a
83 If you want to disable automatic language detection and instead configure a
82 fixed language regardless of user preference, set ``i18n.enabled = false`` and
84 fixed language regardless of user preference, set ``i18n.enabled = false`` and
83 set ``i18n.lang`` to the desired language (or leave empty for English).
85 set ``i18n.lang`` to the desired language (or leave empty for English).
84
86
85
87
86 Using Kallithea with SSH
88 Using Kallithea with SSH
87 ------------------------
89 ------------------------
88
90
89 Kallithea currently only hosts repositories using http and https. (The addition
91 Kallithea currently only hosts repositories using http and https. (The addition
90 of ssh hosting is a planned future feature.) However you can easily use ssh in
92 of ssh hosting is a planned future feature.) However you can easily use ssh in
91 parallel with Kallithea. (Repository access via ssh is a standard "out of
93 parallel with Kallithea. (Repository access via ssh is a standard "out of
92 the box" feature of Mercurial_ and you can use this to access any of the
94 the box" feature of Mercurial_ and you can use this to access any of the
93 repositories that Kallithea is hosting. See PublishingRepositories_)
95 repositories that Kallithea is hosting. See PublishingRepositories_)
94
96
95 Kallithea repository structures are kept in directories with the same name
97 Kallithea repository structures are kept in directories with the same name
96 as the project. When using repository groups, each group is a subdirectory.
98 as the project. When using repository groups, each group is a subdirectory.
97 This allows you to easily use ssh for accessing repositories.
99 This allows you to easily use ssh for accessing repositories.
98
100
99 In order to use ssh you need to make sure that your web server and the users'
101 In order to use ssh you need to make sure that your web server and the users'
100 login accounts have the correct permissions set on the appropriate directories.
102 login accounts have the correct permissions set on the appropriate directories.
101
103
102 .. note:: These permissions are independent of any permissions you
104 .. note:: These permissions are independent of any permissions you
103 have set up using the Kallithea web interface.
105 have set up using the Kallithea web interface.
104
106
105 If your main directory (the same as set in Kallithea settings) is for
107 If your main directory (the same as set in Kallithea settings) is for
106 example set to ``/srv/repos`` and the repository you are using is
108 example set to ``/srv/repos`` and the repository you are using is
107 named ``kallithea``, then to clone via ssh you should run::
109 named ``kallithea``, then to clone via ssh you should run::
108
110
109 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
111 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
110
112
111 Using other external tools such as mercurial-server_ or using ssh key-based
113 Using other external tools such as mercurial-server_ or using ssh key-based
112 authentication is fully supported.
114 authentication is fully supported.
113
115
114 .. note:: In an advanced setup, in order for your ssh access to use
116 .. note:: In an advanced setup, in order for your ssh access to use
115 the same permissions as set up via the Kallithea web
117 the same permissions as set up via the Kallithea web
116 interface, you can create an authentication hook to connect
118 interface, you can create an authentication hook to connect
117 to the Kallithea db and run check functions for permissions
119 to the Kallithea db and run check functions for permissions
118 against that.
120 against that.
119
121
120
122
121 Setting up Whoosh full text search
123 Setting up Whoosh full text search
122 ----------------------------------
124 ----------------------------------
123
125
124 Kallithea provides full text search of repositories using `Whoosh`__.
126 Kallithea provides full text search of repositories using `Whoosh`__.
125
127
126 .. __: https://pythonhosted.org/Whoosh/
128 .. __: https://pythonhosted.org/Whoosh/
127
129
128 For an incremental index build, run::
130 For an incremental index build, run::
129
131
130 gearbox make-index -c my.ini
132 gearbox make-index -c my.ini
131
133
132 For a full index rebuild, run::
134 For a full index rebuild, run::
133
135
134 gearbox make-index -c my.ini -f
136 gearbox make-index -c my.ini -f
135
137
136 The ``--repo-location`` option allows the location of the repositories to be overridden;
138 The ``--repo-location`` option allows the location of the repositories to be overridden;
137 usually, the location is retrieved from the Kallithea database.
139 usually, the location is retrieved from the Kallithea database.
138
140
139 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
141 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
140
142
141 gearbox make-index -c my.ini --index-only=vcs,kallithea
143 gearbox make-index -c my.ini --index-only=vcs,kallithea
142
144
143 To keep your index up-to-date it is necessary to do periodic index builds;
145 To keep your index up-to-date it is necessary to do periodic index builds;
144 for this, it is recommended to use a crontab entry. Example::
146 for this, it is recommended to use a crontab entry. Example::
145
147
146 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
148 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
147
149
148 When using incremental mode (the default), Whoosh will check the last
150 When using incremental mode (the default), Whoosh will check the last
149 modification date of each file and add it to be reindexed if a newer file is
151 modification date of each file and add it to be reindexed if a newer file is
150 available. The indexing daemon checks for any removed files and removes them
152 available. The indexing daemon checks for any removed files and removes them
151 from index.
153 from index.
152
154
153 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
155 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
154 or in the admin panel you can check the "build from scratch" checkbox.
156 or in the admin panel you can check the "build from scratch" checkbox.
155
157
156 .. _ldap-setup:
158 .. _ldap-setup:
157
159
158
160
159 Setting up LDAP support
161 Setting up LDAP support
160 -----------------------
162 -----------------------
161
163
162 Kallithea supports LDAP authentication. In order
164 Kallithea supports LDAP authentication. In order
163 to use LDAP, you have to install the python-ldap_ package. This package is
165 to use LDAP, you have to install the python-ldap_ package. This package is
164 available via PyPI, so you can install it by running::
166 available via PyPI, so you can install it by running::
165
167
166 pip install python-ldap
168 pip install python-ldap
167
169
168 .. note:: ``python-ldap`` requires some libraries to be installed on
170 .. note:: ``python-ldap`` requires some libraries to be installed on
169 your system, so before installing it check that you have at
171 your system, so before installing it check that you have at
170 least the ``openldap`` and ``sasl`` libraries.
172 least the ``openldap`` and ``sasl`` libraries.
171
173
172 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
174 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
173 and then *Save*, to enable the LDAP plugin and configure its settings.
175 and then *Save*, to enable the LDAP plugin and configure its settings.
174
176
175 Here's a typical LDAP setup::
177 Here's a typical LDAP setup::
176
178
177 Connection settings
179 Connection settings
178 Enable LDAP = checked
180 Enable LDAP = checked
179 Host = host.example.com
181 Host = host.example.com
180 Account = <account>
182 Account = <account>
181 Password = <password>
183 Password = <password>
182 Connection Security = LDAPS
184 Connection Security = LDAPS
183 Certificate Checks = DEMAND
185 Certificate Checks = DEMAND
184
186
185 Search settings
187 Search settings
186 Base DN = CN=users,DC=host,DC=example,DC=org
188 Base DN = CN=users,DC=host,DC=example,DC=org
187 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
189 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
188 LDAP Search Scope = SUBTREE
190 LDAP Search Scope = SUBTREE
189
191
190 Attribute mappings
192 Attribute mappings
191 Login Attribute = uid
193 Login Attribute = uid
192 First Name Attribute = firstName
194 First Name Attribute = firstName
193 Last Name Attribute = lastName
195 Last Name Attribute = lastName
194 Email Attribute = mail
196 Email Attribute = mail
195
197
196 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
198 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
197
199
198 Search settings
200 Search settings
199 Base DN = DC=host,DC=example,DC=org
201 Base DN = DC=host,DC=example,DC=org
200 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
202 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
201 LDAP Search Scope = SUBTREE
203 LDAP Search Scope = SUBTREE
202
204
203 .. _enable_ldap:
205 .. _enable_ldap:
204
206
205 Enable LDAP : required
207 Enable LDAP : required
206 Whether to use LDAP for authenticating users.
208 Whether to use LDAP for authenticating users.
207
209
208 .. _ldap_host:
210 .. _ldap_host:
209
211
210 Host : required
212 Host : required
211 LDAP server hostname or IP address. Can be also a comma separated
213 LDAP server hostname or IP address. Can be also a comma separated
212 list of servers to support LDAP fail-over.
214 list of servers to support LDAP fail-over.
213
215
214 .. _Port:
216 .. _Port:
215
217
216 Port : optional
218 Port : optional
217 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
219 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
218 Defaults to 636 for LDAPS.
220 Defaults to 636 for LDAPS.
219
221
220 .. _ldap_account:
222 .. _ldap_account:
221
223
222 Account : optional
224 Account : optional
223 Only required if the LDAP server does not allow anonymous browsing of
225 Only required if the LDAP server does not allow anonymous browsing of
224 records. This should be a special account for record browsing. This
226 records. This should be a special account for record browsing. This
225 will require `LDAP Password`_ below.
227 will require `LDAP Password`_ below.
226
228
227 .. _LDAP Password:
229 .. _LDAP Password:
228
230
229 Password : optional
231 Password : optional
230 Only required if the LDAP server does not allow anonymous browsing of
232 Only required if the LDAP server does not allow anonymous browsing of
231 records.
233 records.
232
234
233 .. _Enable LDAPS:
235 .. _Enable LDAPS:
234
236
235 Connection Security : required
237 Connection Security : required
236 Defines the connection to LDAP server
238 Defines the connection to LDAP server
237
239
238 PLAIN
240 PLAIN
239 Plain unencrypted LDAP connection.
241 Plain unencrypted LDAP connection.
240 This will by default use `Port`_ 389.
242 This will by default use `Port`_ 389.
241
243
242 LDAPS
244 LDAPS
243 Use secure LDAPS connections according to `Certificate
245 Use secure LDAPS connections according to `Certificate
244 Checks`_ configuration.
246 Checks`_ configuration.
245 This will by default use `Port`_ 636.
247 This will by default use `Port`_ 636.
246
248
247 START_TLS
249 START_TLS
248 Use START TLS according to `Certificate Checks`_ configuration on an
250 Use START TLS according to `Certificate Checks`_ configuration on an
249 apparently "plain" LDAP connection.
251 apparently "plain" LDAP connection.
250 This will by default use `Port`_ 389.
252 This will by default use `Port`_ 389.
251
253
252 .. _Certificate Checks:
254 .. _Certificate Checks:
253
255
254 Certificate Checks : optional
256 Certificate Checks : optional
255 How SSL certificates verification is handled -- this is only useful when
257 How SSL certificates verification is handled -- this is only useful when
256 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
258 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
257 with mandatory certificate validation, while the other options are
259 with mandatory certificate validation, while the other options are
258 susceptible to man-in-the-middle attacks.
260 susceptible to man-in-the-middle attacks.
259
261
260 NEVER
262 NEVER
261 A serve certificate will never be requested or checked.
263 A serve certificate will never be requested or checked.
262
264
263 ALLOW
265 ALLOW
264 A server certificate is requested. Failure to provide a
266 A server certificate is requested. Failure to provide a
265 certificate or providing a bad certificate will not terminate the
267 certificate or providing a bad certificate will not terminate the
266 session.
268 session.
267
269
268 TRY
270 TRY
269 A server certificate is requested. Failure to provide a
271 A server certificate is requested. Failure to provide a
270 certificate does not halt the session; providing a bad certificate
272 certificate does not halt the session; providing a bad certificate
271 halts the session.
273 halts the session.
272
274
273 DEMAND
275 DEMAND
274 A server certificate is requested and must be provided and
276 A server certificate is requested and must be provided and
275 authenticated for the session to proceed.
277 authenticated for the session to proceed.
276
278
277 HARD
279 HARD
278 The same as DEMAND.
280 The same as DEMAND.
279
281
280 .. _Custom CA Certificates:
282 .. _Custom CA Certificates:
281
283
282 Custom CA Certificates : optional
284 Custom CA Certificates : optional
283 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
285 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
284 Python 2.7.10 and later default to using the system certificate store, and
286 Python 2.7.10 and later default to using the system certificate store, and
285 this should thus not be necessary when using certificates signed by a CA
287 this should thus not be necessary when using certificates signed by a CA
286 trusted by the system.
288 trusted by the system.
287 It can be set to something like `/etc/openldap/cacerts` on older systems or
289 It can be set to something like `/etc/openldap/cacerts` on older systems or
288 if using self-signed certificates.
290 if using self-signed certificates.
289
291
290 .. _Base DN:
292 .. _Base DN:
291
293
292 Base DN : required
294 Base DN : required
293 The Distinguished Name (DN) where searches for users will be performed.
295 The Distinguished Name (DN) where searches for users will be performed.
294 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
296 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
295
297
296 .. _LDAP Filter:
298 .. _LDAP Filter:
297
299
298 LDAP Filter : optional
300 LDAP Filter : optional
299 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
301 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
300 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
302 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
301 which LDAP objects are identified as representing Users for
303 which LDAP objects are identified as representing Users for
302 authentication. The filter is augmented by `Login Attribute`_ below.
304 authentication. The filter is augmented by `Login Attribute`_ below.
303 This can commonly be left blank.
305 This can commonly be left blank.
304
306
305 .. _LDAP Search Scope:
307 .. _LDAP Search Scope:
306
308
307 LDAP Search Scope : required
309 LDAP Search Scope : required
308 This limits how far LDAP will search for a matching object.
310 This limits how far LDAP will search for a matching object.
309
311
310 BASE
312 BASE
311 Only allows searching of `Base DN`_ and is usually not what you
313 Only allows searching of `Base DN`_ and is usually not what you
312 want.
314 want.
313
315
314 ONELEVEL
316 ONELEVEL
315 Searches all entries under `Base DN`_, but not Base DN itself.
317 Searches all entries under `Base DN`_, but not Base DN itself.
316
318
317 SUBTREE
319 SUBTREE
318 Searches all entries below `Base DN`_, but not Base DN itself.
320 Searches all entries below `Base DN`_, but not Base DN itself.
319 When using SUBTREE `LDAP Filter`_ is useful to limit object
321 When using SUBTREE `LDAP Filter`_ is useful to limit object
320 location.
322 location.
321
323
322 .. _Login Attribute:
324 .. _Login Attribute:
323
325
324 Login Attribute : required
326 Login Attribute : required
325 The LDAP record attribute that will be matched as the USERNAME or
327 The LDAP record attribute that will be matched as the USERNAME or
326 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
328 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
327 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
329 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
328 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
330 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
329 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
331 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
330 ::
332 ::
331
333
332 (&(LDAPFILTER)(uid=jsmith))
334 (&(LDAPFILTER)(uid=jsmith))
333
335
334 .. _ldap_attr_firstname:
336 .. _ldap_attr_firstname:
335
337
336 First Name Attribute : required
338 First Name Attribute : required
337 The LDAP record attribute which represents the user's first name.
339 The LDAP record attribute which represents the user's first name.
338
340
339 .. _ldap_attr_lastname:
341 .. _ldap_attr_lastname:
340
342
341 Last Name Attribute : required
343 Last Name Attribute : required
342 The LDAP record attribute which represents the user's last name.
344 The LDAP record attribute which represents the user's last name.
343
345
344 .. _ldap_attr_email:
346 .. _ldap_attr_email:
345
347
346 Email Attribute : required
348 Email Attribute : required
347 The LDAP record attribute which represents the user's email address.
349 The LDAP record attribute which represents the user's email address.
348
350
349 If all data are entered correctly, and python-ldap_ is properly installed
351 If all data are entered correctly, and python-ldap_ is properly installed
350 users should be granted access to Kallithea with LDAP accounts. At this
352 users should be granted access to Kallithea with LDAP accounts. At this
351 time user information is copied from LDAP into the Kallithea user database.
353 time user information is copied from LDAP into the Kallithea user database.
352 This means that updates of an LDAP user object may not be reflected as a
354 This means that updates of an LDAP user object may not be reflected as a
353 user update in Kallithea.
355 user update in Kallithea.
354
356
355 If You have problems with LDAP access and believe You entered correct
357 If You have problems with LDAP access and believe You entered correct
356 information check out the Kallithea logs, any error messages sent from LDAP
358 information check out the Kallithea logs, any error messages sent from LDAP
357 will be saved there.
359 will be saved there.
358
360
359 Active Directory
361 Active Directory
360 ^^^^^^^^^^^^^^^^
362 ^^^^^^^^^^^^^^^^
361
363
362 Kallithea can use Microsoft Active Directory for user authentication. This
364 Kallithea can use Microsoft Active Directory for user authentication. This
363 is done through an LDAP or LDAPS connection to Active Directory. The
365 is done through an LDAP or LDAPS connection to Active Directory. The
364 following LDAP configuration settings are typical for using Active
366 following LDAP configuration settings are typical for using Active
365 Directory ::
367 Directory ::
366
368
367 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
369 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
368 Login Attribute = sAMAccountName
370 Login Attribute = sAMAccountName
369 First Name Attribute = givenName
371 First Name Attribute = givenName
370 Last Name Attribute = sn
372 Last Name Attribute = sn
371 Email Attribute = mail
373 Email Attribute = mail
372
374
373 All other LDAP settings will likely be site-specific and should be
375 All other LDAP settings will likely be site-specific and should be
374 appropriately configured.
376 appropriately configured.
375
377
376
378
377 Authentication by container or reverse-proxy
379 Authentication by container or reverse-proxy
378 --------------------------------------------
380 --------------------------------------------
379
381
380 Kallithea supports delegating the authentication
382 Kallithea supports delegating the authentication
381 of users to its WSGI container, or to a reverse-proxy server through which all
383 of users to its WSGI container, or to a reverse-proxy server through which all
382 clients access the application.
384 clients access the application.
383
385
384 When these authentication methods are enabled in Kallithea, it uses the
386 When these authentication methods are enabled in Kallithea, it uses the
385 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
387 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
386 perform the authentication itself. The authorization, however, is still done by
388 perform the authentication itself. The authorization, however, is still done by
387 Kallithea according to its settings.
389 Kallithea according to its settings.
388
390
389 When a user logs in for the first time using these authentication methods,
391 When a user logs in for the first time using these authentication methods,
390 a matching user account is created in Kallithea with default permissions. An
392 a matching user account is created in Kallithea with default permissions. An
391 administrator can then modify it using Kallithea's admin interface.
393 administrator can then modify it using Kallithea's admin interface.
392
394
393 It's also possible for an administrator to create accounts and configure their
395 It's also possible for an administrator to create accounts and configure their
394 permissions before the user logs in for the first time, using the :ref:`create-user` API.
396 permissions before the user logs in for the first time, using the :ref:`create-user` API.
395
397
396 Container-based authentication
398 Container-based authentication
397 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
399 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
398
400
399 In a container-based authentication setup, Kallithea reads the user name from
401 In a container-based authentication setup, Kallithea reads the user name from
400 the ``REMOTE_USER`` server variable provided by the WSGI container.
402 the ``REMOTE_USER`` server variable provided by the WSGI container.
401
403
402 After setting up your container (see `Apache with mod_wsgi`_), you'll need
404 After setting up your container (see `Apache with mod_wsgi`_), you'll need
403 to configure it to require authentication on the location configured for
405 to configure it to require authentication on the location configured for
404 Kallithea.
406 Kallithea.
405
407
406 Proxy pass-through authentication
408 Proxy pass-through authentication
407 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
409 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
408
410
409 In a proxy pass-through authentication setup, Kallithea reads the user name
411 In a proxy pass-through authentication setup, Kallithea reads the user name
410 from the ``X-Forwarded-User`` request header, which should be configured to be
412 from the ``X-Forwarded-User`` request header, which should be configured to be
411 sent by the reverse-proxy server.
413 sent by the reverse-proxy server.
412
414
413 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
415 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
414 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
416 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
415 configure the authentication and add the username in a request header named
417 configure the authentication and add the username in a request header named
416 ``X-Forwarded-User``.
418 ``X-Forwarded-User``.
417
419
418 For example, the following config section for Apache sets a subdirectory in a
420 For example, the following config section for Apache sets a subdirectory in a
419 reverse-proxy setup with basic auth:
421 reverse-proxy setup with basic auth:
420
422
421 .. code-block:: apache
423 .. code-block:: apache
422
424
423 <Location /someprefix>
425 <Location /someprefix>
424 ProxyPass http://127.0.0.1:5000/someprefix
426 ProxyPass http://127.0.0.1:5000/someprefix
425 ProxyPassReverse http://127.0.0.1:5000/someprefix
427 ProxyPassReverse http://127.0.0.1:5000/someprefix
426 SetEnvIf X-Url-Scheme https HTTPS=1
428 SetEnvIf X-Url-Scheme https HTTPS=1
427
429
428 AuthType Basic
430 AuthType Basic
429 AuthName "Kallithea authentication"
431 AuthName "Kallithea authentication"
430 AuthUserFile /srv/kallithea/.htpasswd
432 AuthUserFile /srv/kallithea/.htpasswd
431 Require valid-user
433 Require valid-user
432
434
433 RequestHeader unset X-Forwarded-User
435 RequestHeader unset X-Forwarded-User
434
436
435 RewriteEngine On
437 RewriteEngine On
436 RewriteCond %{LA-U:REMOTE_USER} (.+)
438 RewriteCond %{LA-U:REMOTE_USER} (.+)
437 RewriteRule .* - [E=RU:%1]
439 RewriteRule .* - [E=RU:%1]
438 RequestHeader set X-Forwarded-User %{RU}e
440 RequestHeader set X-Forwarded-User %{RU}e
439 </Location>
441 </Location>
440
442
441 Setting metadata in container/reverse-proxy
443 Setting metadata in container/reverse-proxy
442 """""""""""""""""""""""""""""""""""""""""""
444 """""""""""""""""""""""""""""""""""""""""""
443 When a new user account is created on the first login, Kallithea has no information about
445 When a new user account is created on the first login, Kallithea has no information about
444 the user's email and full name. So you can set some additional request headers like in the
446 the user's email and full name. So you can set some additional request headers like in the
445 example below. In this example the user is authenticated via Kerberos and an Apache
447 example below. In this example the user is authenticated via Kerberos and an Apache
446 mod_python fixup handler is used to get the user information from a LDAP server. But you
448 mod_python fixup handler is used to get the user information from a LDAP server. But you
447 could set the request headers however you want.
449 could set the request headers however you want.
448
450
449 .. code-block:: apache
451 .. code-block:: apache
450
452
451 <Location /someprefix>
453 <Location /someprefix>
452 ProxyPass http://127.0.0.1:5000/someprefix
454 ProxyPass http://127.0.0.1:5000/someprefix
453 ProxyPassReverse http://127.0.0.1:5000/someprefix
455 ProxyPassReverse http://127.0.0.1:5000/someprefix
454 SetEnvIf X-Url-Scheme https HTTPS=1
456 SetEnvIf X-Url-Scheme https HTTPS=1
455
457
456 AuthName "Kerberos Login"
458 AuthName "Kerberos Login"
457 AuthType Kerberos
459 AuthType Kerberos
458 Krb5Keytab /etc/apache2/http.keytab
460 Krb5Keytab /etc/apache2/http.keytab
459 KrbMethodK5Passwd off
461 KrbMethodK5Passwd off
460 KrbVerifyKDC on
462 KrbVerifyKDC on
461 Require valid-user
463 Require valid-user
462
464
463 PythonFixupHandler ldapmetadata
465 PythonFixupHandler ldapmetadata
464
466
465 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
467 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
466 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
468 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
467 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
469 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
468 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
470 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
469 </Location>
471 </Location>
470
472
471 .. code-block:: python
473 .. code-block:: python
472
474
473 from mod_python import apache
475 from mod_python import apache
474 import ldap
476 import ldap
475
477
476 LDAP_SERVER = "ldaps://server.mydomain.com:636"
478 LDAP_SERVER = "ldaps://server.mydomain.com:636"
477 LDAP_USER = ""
479 LDAP_USER = ""
478 LDAP_PASS = ""
480 LDAP_PASS = ""
479 LDAP_ROOT = "dc=mydomain,dc=com"
481 LDAP_ROOT = "dc=mydomain,dc=com"
480 LDAP_FILTER = "sAMAccountName=%s"
482 LDAP_FILTER = "sAMAccountName=%s"
481 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
483 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
482
484
483 def fixuphandler(req):
485 def fixuphandler(req):
484 if req.user is None:
486 if req.user is None:
485 # no user to search for
487 # no user to search for
486 return apache.OK
488 return apache.OK
487 else:
489 else:
488 try:
490 try:
489 if('\\' in req.user):
491 if('\\' in req.user):
490 username = req.user.split('\\')[1]
492 username = req.user.split('\\')[1]
491 elif('@' in req.user):
493 elif('@' in req.user):
492 username = req.user.split('@')[0]
494 username = req.user.split('@')[0]
493 else:
495 else:
494 username = req.user
496 username = req.user
495 l = ldap.initialize(LDAP_SERVER)
497 l = ldap.initialize(LDAP_SERVER)
496 l.simple_bind_s(LDAP_USER, LDAP_PASS)
498 l.simple_bind_s(LDAP_USER, LDAP_PASS)
497 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
499 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
498
500
499 req.subprocess_env['X_REMOTE_USER'] = username
501 req.subprocess_env['X_REMOTE_USER'] = username
500 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
502 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
501 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
503 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
502 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
504 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
503 except Exception, e:
505 except Exception, e:
504 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
506 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
505
507
506 return apache.OK
508 return apache.OK
507
509
508 .. note::
510 .. note::
509 If you enable proxy pass-through authentication, make sure your server is
511 If you enable proxy pass-through authentication, make sure your server is
510 only accessible through the proxy. Otherwise, any client would be able to
512 only accessible through the proxy. Otherwise, any client would be able to
511 forge the authentication header and could effectively become authenticated
513 forge the authentication header and could effectively become authenticated
512 using any account of their liking.
514 using any account of their liking.
513
515
514
516
515 Integration with issue trackers
517 Integration with issue trackers
516 -------------------------------
518 -------------------------------
517
519
518 Kallithea provides a simple integration with issue trackers. It's possible
520 Kallithea provides a simple integration with issue trackers. It's possible
519 to define a regular expression that will match an issue ID in commit messages,
521 to define a regular expression that will match an issue ID in commit messages,
520 and have that replaced with a URL to the issue. To enable this simply
522 and have that replaced with a URL to the issue. To enable this simply
521 uncomment the following variables in the ini file::
523 uncomment the following variables in the ini file::
522
524
523 issue_pat = (?:^#|\s#)(\w+)
525 issue_pat = (?:^#|\s#)(\w+)
524 issue_server_link = https://issues.example.com/{repo}/issue/{id}
526 issue_server_link = https://issues.example.com/{repo}/issue/{id}
525 issue_prefix = #
527 issue_prefix = #
526
528
527 ``issue_pat`` is the regular expression describing which strings in
529 ``issue_pat`` is the regular expression describing which strings in
528 commit messages will be treated as issue references. A match group in
530 commit messages will be treated as issue references. A match group in
529 parentheses should be used to specify the actual issue id.
531 parentheses should be used to specify the actual issue id.
530
532
531 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
533 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
532
534
533 Matched issue references are replaced with the link specified in
535 Matched issue references are replaced with the link specified in
534 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
536 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
535 ``{repo}`` with the repository name. Since the # is stripped away,
537 ``{repo}`` with the repository name. Since the # is stripped away,
536 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
538 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
537 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
539 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
538 generate a URL in the format:
540 generate a URL in the format:
539
541
540 .. code-block:: html
542 .. code-block:: html
541
543
542 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
544 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
543
545
544 If needed, more than one pattern can be specified by appending a unique suffix to
546 If needed, more than one pattern can be specified by appending a unique suffix to
545 the variables. For example::
547 the variables. For example::
546
548
547 issue_pat_wiki = (?:wiki-)(.+)
549 issue_pat_wiki = (?:wiki-)(.+)
548 issue_server_link_wiki = https://wiki.example.com/{id}
550 issue_server_link_wiki = https://wiki.example.com/{id}
549 issue_prefix_wiki = WIKI-
551 issue_prefix_wiki = WIKI-
550
552
551 With these settings, wiki pages can be referenced as wiki-some-id, and every
553 With these settings, wiki pages can be referenced as wiki-some-id, and every
552 such reference will be transformed into:
554 such reference will be transformed into:
553
555
554 .. code-block:: html
556 .. code-block:: html
555
557
556 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
558 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
557
559
558
560
559 Hook management
561 Hook management
560 ---------------
562 ---------------
561
563
562 Hooks can be managed in similar way to that used in ``.hgrc`` files.
564 Hooks can be managed in similar way to that used in ``.hgrc`` files.
563 To manage hooks, choose *Admin > Settings > Hooks*.
565 To manage hooks, choose *Admin > Settings > Hooks*.
564
566
565 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
567 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
566
568
567 To add another custom hook simply fill in the first textbox with
569 To add another custom hook simply fill in the first textbox with
568 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
570 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
569 can be found in ``kallithea.lib.hooks``.
571 can be found in ``kallithea.lib.hooks``.
570
572
571
573
572 Changing default encoding
574 Changing default encoding
573 -------------------------
575 -------------------------
574
576
575 By default, Kallithea uses UTF-8 encoding.
577 By default, Kallithea uses UTF-8 encoding.
576 This is configurable as ``default_encoding`` in the .ini file.
578 This is configurable as ``default_encoding`` in the .ini file.
577 This affects many parts in Kallithea including user names, filenames, and
579 This affects many parts in Kallithea including user names, filenames, and
578 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
580 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
579 library is installed. If ``chardet`` is detected Kallithea will fallback to it
581 library is installed. If ``chardet`` is detected Kallithea will fallback to it
580 when there are encode/decode errors.
582 when there are encode/decode errors.
581
583
582
584
583 Celery configuration
585 Celery configuration
584 --------------------
586 --------------------
585
587
586 Kallithea can use the distributed task queue system Celery_ to run tasks like
588 Kallithea can use the distributed task queue system Celery_ to run tasks like
587 cloning repositories or sending emails.
589 cloning repositories or sending emails.
588
590
589 Kallithea will in most setups work perfectly fine out of the box (without
591 Kallithea will in most setups work perfectly fine out of the box (without
590 Celery), executing all tasks in the web server process. Some tasks can however
592 Celery), executing all tasks in the web server process. Some tasks can however
591 take some time to run and it can be better to run such tasks asynchronously in
593 take some time to run and it can be better to run such tasks asynchronously in
592 a separate process so the web server can focus on serving web requests.
594 a separate process so the web server can focus on serving web requests.
593
595
594 For installation and configuration of Celery, see the `Celery documentation`_.
596 For installation and configuration of Celery, see the `Celery documentation`_.
595 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
597 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
596 or Redis_.
598 or Redis_.
597
599
598 The use of Celery is configured in the Kallithea ini configuration file.
600 The use of Celery is configured in the Kallithea ini configuration file.
599 To enable it, simply set::
601 To enable it, simply set::
600
602
601 use_celery = true
603 use_celery = true
602
604
603 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
605 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
604
606
605 Remember that the ini files use the format with '.' and not with '_' like
607 Remember that the ini files use the format with '.' and not with '_' like
606 Celery. So for example setting `BROKER_HOST` in Celery means setting
608 Celery. So for example setting `BROKER_HOST` in Celery means setting
607 `broker.host` in the configuration file.
609 `broker.host` in the configuration file.
608
610
609 To start the Celery process, run::
611 To start the Celery process, run::
610
612
611 gearbox celeryd -c <configfile.ini>
613 gearbox celeryd -c <configfile.ini>
612
614
613 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
615 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
614 for more info.
616 for more info.
615
617
616 .. note::
618 .. note::
617 Make sure you run this command from the same virtualenv, and with the same
619 Make sure you run this command from the same virtualenv, and with the same
618 user that Kallithea runs.
620 user that Kallithea runs.
619
621
620
622
621 HTTPS support
623 HTTPS support
622 -------------
624 -------------
623
625
624 Kallithea will by default generate URLs based on the WSGI environment.
626 Kallithea will by default generate URLs based on the WSGI environment.
625
627
626 Alternatively, you can use some special configuration settings to control
628 Alternatively, you can use some special configuration settings to control
627 directly which scheme/protocol Kallithea will use when generating URLs:
629 directly which scheme/protocol Kallithea will use when generating URLs:
628
630
629 - With ``https_fixup = true``, the scheme will be taken from the
631 - With ``https_fixup = true``, the scheme will be taken from the
630 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
632 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
631 (default ``http``).
633 (default ``http``).
632 - With ``force_https = true`` the default will be ``https``.
634 - With ``force_https = true`` the default will be ``https``.
633 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
635 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
634
636
635
637
636 Nginx virtual host example
638 Nginx virtual host example
637 --------------------------
639 --------------------------
638
640
639 Sample config for Nginx using proxy:
641 Sample config for Nginx using proxy:
640
642
641 .. code-block:: nginx
643 .. code-block:: nginx
642
644
643 upstream kallithea {
645 upstream kallithea {
644 server 127.0.0.1:5000;
646 server 127.0.0.1:5000;
645 # add more instances for load balancing
647 # add more instances for load balancing
646 #server 127.0.0.1:5001;
648 #server 127.0.0.1:5001;
647 #server 127.0.0.1:5002;
649 #server 127.0.0.1:5002;
648 }
650 }
649
651
650 ## gist alias
652 ## gist alias
651 server {
653 server {
652 listen 443;
654 listen 443;
653 server_name gist.example.com;
655 server_name gist.example.com;
654 access_log /var/log/nginx/gist.access.log;
656 access_log /var/log/nginx/gist.access.log;
655 error_log /var/log/nginx/gist.error.log;
657 error_log /var/log/nginx/gist.error.log;
656
658
657 ssl on;
659 ssl on;
658 ssl_certificate gist.your.kallithea.server.crt;
660 ssl_certificate gist.your.kallithea.server.crt;
659 ssl_certificate_key gist.your.kallithea.server.key;
661 ssl_certificate_key gist.your.kallithea.server.key;
660
662
661 ssl_session_timeout 5m;
663 ssl_session_timeout 5m;
662
664
663 ssl_protocols SSLv3 TLSv1;
665 ssl_protocols SSLv3 TLSv1;
664 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
666 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
665 ssl_prefer_server_ciphers on;
667 ssl_prefer_server_ciphers on;
666
668
667 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
669 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
668 rewrite (.*) https://kallithea.example.com/_admin/gists;
670 rewrite (.*) https://kallithea.example.com/_admin/gists;
669 }
671 }
670
672
671 server {
673 server {
672 listen 443;
674 listen 443;
673 server_name kallithea.example.com
675 server_name kallithea.example.com
674 access_log /var/log/nginx/kallithea.access.log;
676 access_log /var/log/nginx/kallithea.access.log;
675 error_log /var/log/nginx/kallithea.error.log;
677 error_log /var/log/nginx/kallithea.error.log;
676
678
677 ssl on;
679 ssl on;
678 ssl_certificate your.kallithea.server.crt;
680 ssl_certificate your.kallithea.server.crt;
679 ssl_certificate_key your.kallithea.server.key;
681 ssl_certificate_key your.kallithea.server.key;
680
682
681 ssl_session_timeout 5m;
683 ssl_session_timeout 5m;
682
684
683 ssl_protocols SSLv3 TLSv1;
685 ssl_protocols SSLv3 TLSv1;
684 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
686 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
685 ssl_prefer_server_ciphers on;
687 ssl_prefer_server_ciphers on;
686
688
687 ## uncomment root directive if you want to serve static files by nginx
689 ## uncomment root directive if you want to serve static files by nginx
688 ## requires static_files = false in .ini file
690 ## requires static_files = false in .ini file
689 #root /srv/kallithea/kallithea/kallithea/public;
691 #root /srv/kallithea/kallithea/kallithea/public;
690 include /etc/nginx/proxy.conf;
692 include /etc/nginx/proxy.conf;
691 location / {
693 location / {
692 try_files $uri @kallithea;
694 try_files $uri @kallithea;
693 }
695 }
694
696
695 location @kallithea {
697 location @kallithea {
696 proxy_pass http://127.0.0.1:5000;
698 proxy_pass http://127.0.0.1:5000;
697 }
699 }
698
700
699 }
701 }
700
702
701 Here's the proxy.conf. It's tuned so it will not timeout on long
703 Here's the proxy.conf. It's tuned so it will not timeout on long
702 pushes or large pushes::
704 pushes or large pushes::
703
705
704 proxy_redirect off;
706 proxy_redirect off;
705 proxy_set_header Host $host;
707 proxy_set_header Host $host;
706 ## needed for container auth
708 ## needed for container auth
707 #proxy_set_header REMOTE_USER $remote_user;
709 #proxy_set_header REMOTE_USER $remote_user;
708 #proxy_set_header X-Forwarded-User $remote_user;
710 #proxy_set_header X-Forwarded-User $remote_user;
709 proxy_set_header X-Url-Scheme $scheme;
711 proxy_set_header X-Url-Scheme $scheme;
710 proxy_set_header X-Host $http_host;
712 proxy_set_header X-Host $http_host;
711 proxy_set_header X-Real-IP $remote_addr;
713 proxy_set_header X-Real-IP $remote_addr;
712 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
714 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
713 proxy_set_header Proxy-host $proxy_host;
715 proxy_set_header Proxy-host $proxy_host;
714 proxy_buffering off;
716 proxy_buffering off;
715 proxy_connect_timeout 7200;
717 proxy_connect_timeout 7200;
716 proxy_send_timeout 7200;
718 proxy_send_timeout 7200;
717 proxy_read_timeout 7200;
719 proxy_read_timeout 7200;
718 proxy_buffers 8 32k;
720 proxy_buffers 8 32k;
719 client_max_body_size 1024m;
721 client_max_body_size 1024m;
720 client_body_buffer_size 128k;
722 client_body_buffer_size 128k;
721 large_client_header_buffers 8 64k;
723 large_client_header_buffers 8 64k;
722
724
723
725
724 Apache virtual host reverse proxy example
726 Apache virtual host reverse proxy example
725 -----------------------------------------
727 -----------------------------------------
726
728
727 Here is a sample configuration file for Apache using proxy:
729 Here is a sample configuration file for Apache using proxy:
728
730
729 .. code-block:: apache
731 .. code-block:: apache
730
732
731 <VirtualHost *:80>
733 <VirtualHost *:80>
732 ServerName kallithea.example.com
734 ServerName kallithea.example.com
733
735
734 <Proxy *>
736 <Proxy *>
735 # For Apache 2.4 and later:
737 # For Apache 2.4 and later:
736 Require all granted
738 Require all granted
737
739
738 # For Apache 2.2 and earlier, instead use:
740 # For Apache 2.2 and earlier, instead use:
739 # Order allow,deny
741 # Order allow,deny
740 # Allow from all
742 # Allow from all
741 </Proxy>
743 </Proxy>
742
744
743 #important !
745 #important !
744 #Directive to properly generate url (clone url) for Kallithea
746 #Directive to properly generate url (clone url) for Kallithea
745 ProxyPreserveHost On
747 ProxyPreserveHost On
746
748
747 #kallithea instance
749 #kallithea instance
748 ProxyPass / http://127.0.0.1:5000/
750 ProxyPass / http://127.0.0.1:5000/
749 ProxyPassReverse / http://127.0.0.1:5000/
751 ProxyPassReverse / http://127.0.0.1:5000/
750
752
751 #to enable https use line below
753 #to enable https use line below
752 #SetEnvIf X-Url-Scheme https HTTPS=1
754 #SetEnvIf X-Url-Scheme https HTTPS=1
753 </VirtualHost>
755 </VirtualHost>
754
756
755 Additional tutorial
757 Additional tutorial
756 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
758 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
757
759
758
760
759 Apache as subdirectory
761 Apache as subdirectory
760 ----------------------
762 ----------------------
761
763
762 Apache subdirectory part:
764 Apache subdirectory part:
763
765
764 .. code-block:: apache
766 .. code-block:: apache
765
767
766 <Location /PREFIX >
768 <Location /PREFIX >
767 ProxyPass http://127.0.0.1:5000/PREFIX
769 ProxyPass http://127.0.0.1:5000/PREFIX
768 ProxyPassReverse http://127.0.0.1:5000/PREFIX
770 ProxyPassReverse http://127.0.0.1:5000/PREFIX
769 SetEnvIf X-Url-Scheme https HTTPS=1
771 SetEnvIf X-Url-Scheme https HTTPS=1
770 </Location>
772 </Location>
771
773
772 Besides the regular apache setup you will need to add the following line
774 Besides the regular apache setup you will need to add the following line
773 into ``[app:main]`` section of your .ini file::
775 into ``[app:main]`` section of your .ini file::
774
776
775 filter-with = proxy-prefix
777 filter-with = proxy-prefix
776
778
777 Add the following at the end of the .ini file::
779 Add the following at the end of the .ini file::
778
780
779 [filter:proxy-prefix]
781 [filter:proxy-prefix]
780 use = egg:PasteDeploy#prefix
782 use = egg:PasteDeploy#prefix
781 prefix = /PREFIX
783 prefix = /PREFIX
782
784
783 then change ``PREFIX`` into your chosen prefix
785 then change ``PREFIX`` into your chosen prefix
784
786
785
787
786 Apache with mod_wsgi
788 Apache with mod_wsgi
787 --------------------
789 --------------------
788
790
789 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
791 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
790 that, you'll need to:
792 that, you'll need to:
791
793
792 - Install mod_wsgi. If using a Debian-based distro, you can install
794 - Install mod_wsgi. If using a Debian-based distro, you can install
793 the package libapache2-mod-wsgi::
795 the package libapache2-mod-wsgi::
794
796
795 aptitude install libapache2-mod-wsgi
797 aptitude install libapache2-mod-wsgi
796
798
797 - Enable mod_wsgi::
799 - Enable mod_wsgi::
798
800
799 a2enmod wsgi
801 a2enmod wsgi
800
802
801 - Add global Apache configuration to tell mod_wsgi that Python only will be
803 - Add global Apache configuration to tell mod_wsgi that Python only will be
802 used in the WSGI processes and shouldn't be initialized in the Apache
804 used in the WSGI processes and shouldn't be initialized in the Apache
803 processes::
805 processes::
804
806
805 WSGIRestrictEmbedded On
807 WSGIRestrictEmbedded On
806
808
807 - Create a wsgi dispatch script, like the one below. Make sure you
809 - Create a wsgi dispatch script, like the one below. Make sure you
808 check that the paths correctly point to where you installed Kallithea
810 check that the paths correctly point to where you installed Kallithea
809 and its Python Virtual Environment.
811 and its Python Virtual Environment.
810 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
812 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
811 as in the following example. Once again, check the paths are
813 as in the following example. Once again, check the paths are
812 correctly specified.
814 correctly specified.
813
815
814 Here is a sample excerpt from an Apache Virtual Host configuration file:
816 Here is a sample excerpt from an Apache Virtual Host configuration file:
815
817
816 .. code-block:: apache
818 .. code-block:: apache
817
819
818 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
820 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
819 python-home=/srv/kallithea/venv
821 python-home=/srv/kallithea/venv
820 WSGIProcessGroup kallithea
822 WSGIProcessGroup kallithea
821 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
823 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
822 WSGIPassAuthorization On
824 WSGIPassAuthorization On
823
825
824 Or if using a dispatcher WSGI script with proper virtualenv activation:
826 Or if using a dispatcher WSGI script with proper virtualenv activation:
825
827
826 .. code-block:: apache
828 .. code-block:: apache
827
829
828 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
830 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
829 WSGIProcessGroup kallithea
831 WSGIProcessGroup kallithea
830 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
832 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
831 WSGIPassAuthorization On
833 WSGIPassAuthorization On
832
834
833 Apache will by default run as a special Apache user, on Linux systems
835 Apache will by default run as a special Apache user, on Linux systems
834 usually ``www-data`` or ``apache``. If you need to have the repositories
836 usually ``www-data`` or ``apache``. If you need to have the repositories
835 directory owned by a different user, use the user and group options to
837 directory owned by a different user, use the user and group options to
836 WSGIDaemonProcess to set the name of the user and group.
838 WSGIDaemonProcess to set the name of the user and group.
837
839
838 Example WSGI dispatch script:
840 Example WSGI dispatch script:
839
841
840 .. code-block:: python
842 .. code-block:: python
841
843
842 import os
844 import os
843 os.environ["HGENCODING"] = "UTF-8"
845 os.environ["HGENCODING"] = "UTF-8"
844 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
846 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
845
847
846 # sometimes it's needed to set the current dir
848 # sometimes it's needed to set the current dir
847 os.chdir('/srv/kallithea/')
849 os.chdir('/srv/kallithea/')
848
850
849 import site
851 import site
850 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
852 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
851
853
852 ini = '/srv/kallithea/my.ini'
854 ini = '/srv/kallithea/my.ini'
853 from paste.script.util.logging_config import fileConfig
855 from paste.script.util.logging_config import fileConfig
854 fileConfig(ini)
856 fileConfig(ini)
855 from paste.deploy import loadapp
857 from paste.deploy import loadapp
856 application = loadapp('config:' + ini)
858 application = loadapp('config:' + ini)
857
859
858 Or using proper virtualenv activation:
860 Or using proper virtualenv activation:
859
861
860 .. code-block:: python
862 .. code-block:: python
861
863
862 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
864 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
863 execfile(activate_this, dict(__file__=activate_this))
865 execfile(activate_this, dict(__file__=activate_this))
864
866
865 import os
867 import os
866 os.environ['HOME'] = '/srv/kallithea'
868 os.environ['HOME'] = '/srv/kallithea'
867
869
868 ini = '/srv/kallithea/kallithea.ini'
870 ini = '/srv/kallithea/kallithea.ini'
869 from paste.script.util.logging_config import fileConfig
871 from paste.script.util.logging_config import fileConfig
870 fileConfig(ini)
872 fileConfig(ini)
871 from paste.deploy import loadapp
873 from paste.deploy import loadapp
872 application = loadapp('config:' + ini)
874 application = loadapp('config:' + ini)
873
875
874
876
875 Other configuration files
877 Other configuration files
876 -------------------------
878 -------------------------
877
879
878 A number of `example init.d scripts`__ can be found in
880 A number of `example init.d scripts`__ can be found in
879 the ``init.d`` directory of the Kallithea source.
881 the ``init.d`` directory of the Kallithea source.
880
882
881 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
883 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
882
884
883
885
884 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
886 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
885 .. _python: http://www.python.org/
887 .. _python: http://www.python.org/
886 .. _Mercurial: https://www.mercurial-scm.org/
888 .. _Mercurial: https://www.mercurial-scm.org/
887 .. _Celery: http://celeryproject.org/
889 .. _Celery: http://celeryproject.org/
888 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
890 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
889 .. _RabbitMQ: http://www.rabbitmq.com/
891 .. _RabbitMQ: http://www.rabbitmq.com/
890 .. _Redis: http://redis.io/
892 .. _Redis: http://redis.io/
891 .. _python-ldap: http://www.python-ldap.org/
893 .. _python-ldap: http://www.python-ldap.org/
892 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
894 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
893 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
895 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
@@ -1,101 +1,116 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2 # This program is free software: you can redistribute it and/or modify
2 # This program is free software: you can redistribute it and/or modify
3 # it under the terms of the GNU General Public License as published by
3 # it under the terms of the GNU General Public License as published by
4 # the Free Software Foundation, either version 3 of the License, or
4 # the Free Software Foundation, either version 3 of the License, or
5 # (at your option) any later version.
5 # (at your option) any later version.
6 #
6 #
7 # This program is distributed in the hope that it will be useful,
7 # This program is distributed in the hope that it will be useful,
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 # GNU General Public License for more details.
10 # GNU General Public License for more details.
11 #
11 #
12 # You should have received a copy of the GNU General Public License
12 # You should have received a copy of the GNU General Public License
13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 """
14 """
15 kallithea.lib.paster_commands.make_config
15 kallithea.lib.paster_commands.make_config
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17
17
18 make-config gearbox command for Kallithea
18 make-config gearbox command for Kallithea
19
19
20 :license: GPLv3, see LICENSE.md for more details.
20 :license: GPLv3, see LICENSE.md for more details.
21 """
21 """
22
22
23
23
24 import os
24 import os
25 import sys
25 import sys
26 import uuid
26 import uuid
27 import argparse
27 import argparse
28 from collections import defaultdict
28
29
29 import mako.exceptions
30 import mako.exceptions
30
31
31 TMPL = 'template.ini.mako'
32 TMPL = 'template.ini.mako'
32 here = os.path.dirname(os.path.abspath(__file__))
33 here = os.path.dirname(os.path.abspath(__file__))
33
34
34 from kallithea.lib.paster_commands.common import BasePasterCommand
35 from kallithea.lib.paster_commands.common import BasePasterCommand
35 from kallithea.lib import inifile
36 from kallithea.lib import inifile
36
37
37
38
38 class Command(BasePasterCommand):
39 class Command(BasePasterCommand):
39 """Kallithea: Create a new config file
40 """Kallithea: Create a new config file
40
41
41 make-config is part of a two-phase installation process (the
42 make-config is part of a two-phase installation process (the
42 second phase is setup-app). make-config creates a bare configuration
43 second phase is setup-app). make-config creates a bare configuration
43 file (possibly filling in defaults from the extra
44 file (possibly filling in defaults from the extra
44 variables you give).
45 variables you give).
46
47 The first key=value arguments are used to customize the Mako variables that
48 are shown with --show-defaults. The following settings will be
49 patched/inserted in the [app:main] section ... until another section name
50 is specified and change where the following values go.
45 """
51 """
46
52
47 takes_config_file = False # at least not an existing one ...
53 takes_config_file = False # at least not an existing one ...
48
54
49 def take_action(self, args):
55 def take_action(self, args):
50 _run(args)
56 _run(args)
51
57
52 def get_parser(self, prog_name):
58 def get_parser(self, prog_name):
53 parser = super(Command, self).get_parser(prog_name)
59 parser = super(Command, self).get_parser(prog_name)
54
60
55 parser.add_argument('config_file', nargs='?',
61 parser.add_argument('config_file', nargs='?',
56 help='application config file to write')
62 help='application config file to write')
57
63
58 parser.add_argument('custom', nargs=argparse.REMAINDER,
64 parser.add_argument('custom', nargs=argparse.REMAINDER,
59 help='custom values for the config file')
65 help='custom values for the config file')
60
66
61 parser.add_argument('--show-defaults', action='store_true',
67 parser.add_argument('--show-defaults', action='store_true',
62 help="Show the default values that can be overridden")
68 help="Show the default values that can be overridden")
63
69
64 return parser
70 return parser
65
71
66
72
67 def _run(args):
73 def _run(args):
68 if args.config_file is None:
74 if args.config_file is None:
69 if not args.show_defaults:
75 if not args.show_defaults:
70 raise ValueError("Missing argument: config_file")
76 raise ValueError("Missing argument: config_file")
71 else:
77 else:
72 if args.show_defaults:
78 if args.show_defaults:
73 raise ValueError("Can't specify both config_file and --show_defaults")
79 raise ValueError("Can't specify both config_file and --show_defaults")
74
80
75 mako_variable_values = {}
81 mako_variable_values = {}
82 ini_settings = defaultdict(dict)
76
83
84 section_name = None
77 for parameter in args.custom:
85 for parameter in args.custom:
78 parts = parameter.split('=', 1)
86 parts = parameter.split('=', 1)
79 if len(parts) == 2:
87 if len(parts) == 1 and parameter.startswith('[') and parameter.endswith(']'):
88 section_name = parameter
89 elif len(parts) == 2:
80 key, value = parts
90 key, value = parts
81 mako_variable_values[key] = value
91 if section_name is None and key in inifile.default_variables:
92 mako_variable_values[key] = value
93 else:
94 if section_name is None:
95 section_name = '[app:main]'
96 ini_settings[section_name][key] = value
82 else:
97 else:
83 raise ValueError("Invalid name=value parameter %r" % parameter)
98 raise ValueError("Invalid name=value parameter %r" % parameter)
84
99
85 if args.show_defaults:
100 if args.show_defaults:
86 for key, value in inifile.default_variables.items():
101 for key, value in inifile.default_variables.items():
87 value = mako_variable_values.get(key, value)
102 value = mako_variable_values.get(key, value)
88 print '%s=%s' % (key, value)
103 print '%s=%s' % (key, value)
89 sys.exit(0)
104 sys.exit(0)
90
105
91 # use default that cannot be replaced
106 # use default that cannot be replaced
92 mako_variable_values.update({
107 mako_variable_values.update({
93 'uuid': lambda: uuid.uuid4().hex,
108 'uuid': lambda: uuid.uuid4().hex,
94 })
109 })
95 try:
110 try:
96 config_file = os.path.abspath(args.config_file)
111 config_file = os.path.abspath(args.config_file)
97 inifile.create(config_file, mako_variable_values, {})
112 inifile.create(config_file, mako_variable_values, ini_settings)
98 print 'Wrote new config file in %s' % config_file
113 print 'Wrote new config file in %s' % config_file
99
114
100 except Exception:
115 except Exception:
101 print mako.exceptions.text_error_template().render()
116 print mako.exceptions.text_error_template().render()
General Comments 0
You need to be logged in to leave comments. Login now