##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

spelling: account
timeless@gmail.com -
r5780:c37e5e57 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,864 +1,864
1 1 .. _setup:
2 2
3 3 =====
4 4 Setup
5 5 =====
6 6
7 7
8 8 Setting up Kallithea
9 9 --------------------
10 10
11 11 First, you will need to create a Kallithea configuration file. Run the
12 12 following command to do so::
13 13
14 14 paster make-config Kallithea my.ini
15 15
16 16 This will create the file ``my.ini`` in the current directory. This
17 17 configuration file contains the various settings for Kallithea, e.g.
18 18 proxy port, email settings, usage of static files, cache, Celery
19 19 settings, and logging.
20 20
21 21 Next, you need to create the databases used by Kallithea. It is recommended to
22 22 use PostgreSQL or SQLite (default). If you choose a database other than the
23 23 default, ensure you properly adjust the database URL in your ``my.ini``
24 24 configuration file to use this other database. Kallithea currently supports
25 25 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 26 the following command::
27 27
28 28 paster setup-db my.ini
29 29
30 30 This will prompt you for a "root" path. This "root" path is the location where
31 31 Kallithea will store all of its repositories on the current machine. After
32 32 entering this "root" path ``setup-db`` will also prompt you for a username
33 33 and password for the initial admin account which ``setup-db`` sets
34 34 up for you.
35 35
36 36 The ``setup-db`` values can also be given on the command line.
37 37 Example::
38 38
39 39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40 40
41 41 The ``setup-db`` command will create all needed tables and an
42 42 admin account. When choosing a root path you can either use a new
43 43 empty location, or a location which already contains existing
44 44 repositories. If you choose a location which contains existing
45 45 repositories Kallithea will add all of the repositories at the chosen
46 46 location to its database. (Note: make sure you specify the correct
47 47 path to the root).
48 48
49 49 .. note:: the given path for Mercurial_ repositories **must** be write
50 50 accessible for the application. It's very important since
51 51 the Kallithea web interface will work without write access,
52 52 but when trying to do a push it will fail with permission
53 53 denied errors unless it has write access.
54 54
55 55 You are now ready to use Kallithea. To run it simply execute::
56 56
57 57 paster serve my.ini
58 58
59 59 - This command runs the Kallithea server. The web app should be available at
60 60 http://127.0.0.1:5000. The IP address and port is configurable via the
61 61 configuration file created in the previous step.
62 62 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 63 - The default permissions on each repository is read, and the owner is admin.
64 64 Remember to update these if needed.
65 65 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 66 settings, as well as edit more advanced options on users and
67 67 repositories.
68 68
69 69
70 70 Using Kallithea with SSH
71 71 ------------------------
72 72
73 73 Kallithea currently only hosts repositories using http and https. (The addition
74 74 of ssh hosting is a planned future feature.) However you can easily use ssh in
75 75 parallel with Kallithea. (Repository access via ssh is a standard "out of
76 76 the box" feature of Mercurial_ and you can use this to access any of the
77 77 repositories that Kallithea is hosting. See PublishingRepositories_)
78 78
79 79 Kallithea repository structures are kept in directories with the same name
80 80 as the project. When using repository groups, each group is a subdirectory.
81 81 This allows you to easily use ssh for accessing repositories.
82 82
83 83 In order to use ssh you need to make sure that your web server and the users'
84 84 login accounts have the correct permissions set on the appropriate directories.
85 85
86 86 .. note:: These permissions are independent of any permissions you
87 87 have set up using the Kallithea web interface.
88 88
89 89 If your main directory (the same as set in Kallithea settings) is for
90 90 example set to ``/srv/repos`` and the repository you are using is
91 91 named ``kallithea``, then to clone via ssh you should run::
92 92
93 93 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
94 94
95 95 Using other external tools such as mercurial-server_ or using ssh key-based
96 96 authentication is fully supported.
97 97
98 98 .. note:: In an advanced setup, in order for your ssh access to use
99 99 the same permissions as set up via the Kallithea web
100 100 interface, you can create an authentication hook to connect
101 101 to the Kallithea db and run check functions for permissions
102 102 against that.
103 103
104 104
105 105 Setting up Whoosh full text search
106 106 ----------------------------------
107 107
108 108 Kallithea provides full text search of repositories using `Whoosh`__.
109 109
110 110 .. __: https://pythonhosted.org/Whoosh/
111 111
112 112 For an incremental index build, run::
113 113
114 114 paster make-index my.ini
115 115
116 116 For a full index rebuild, run::
117 117
118 118 paster make-index my.ini -f
119 119
120 120 The ``--repo-location`` option allows the location of the repositories to be overriden;
121 121 usually, the location is retrieved from the Kallithea database.
122 122
123 123 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
124 124
125 125 paster make-index my.ini --index-only=vcs,kallithea
126 126
127 127 To keep your index up-to-date it is necessary to do periodic index builds;
128 128 for this, it is recommended to use a crontab entry. Example::
129 129
130 130 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
131 131
132 132 When using incremental mode (the default), Whoosh will check the last
133 133 modification date of each file and add it to be reindexed if a newer file is
134 134 available. The indexing daemon checks for any removed files and removes them
135 135 from index.
136 136
137 137 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
138 138 or in the admin panel you can check the "build from scratch" checkbox.
139 139
140 140 .. _ldap-setup:
141 141
142 142
143 143 Setting up LDAP support
144 144 -----------------------
145 145
146 146 Kallithea supports LDAP authentication. In order
147 147 to use LDAP, you have to install the python-ldap_ package. This package is
148 148 available via PyPI, so you can install it by running::
149 149
150 150 pip install python-ldap
151 151
152 152 .. note:: ``python-ldap`` requires some libraries to be installed on
153 153 your system, so before installing it check that you have at
154 154 least the ``openldap`` and ``sasl`` libraries.
155 155
156 156 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
157 157 and then *Save*, to enable the LDAP plugin and configure its settings.
158 158
159 159 Here's a typical LDAP setup::
160 160
161 161 Connection settings
162 162 Enable LDAP = checked
163 163 Host = host.example.com
164 164 Port = 389
165 165 Account = <account>
166 166 Password = <password>
167 167 Connection Security = LDAPS connection
168 168 Certificate Checks = DEMAND
169 169
170 170 Search settings
171 171 Base DN = CN=users,DC=host,DC=example,DC=org
172 172 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
173 173 LDAP Search Scope = SUBTREE
174 174
175 175 Attribute mappings
176 176 Login Attribute = uid
177 177 First Name Attribute = firstName
178 178 Last Name Attribute = lastName
179 179 Email Attribute = mail
180 180
181 181 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
182 182
183 183 Search settings
184 184 Base DN = DC=host,DC=example,DC=org
185 185 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
186 186 LDAP Search Scope = SUBTREE
187 187
188 188 .. _enable_ldap:
189 189
190 190 Enable LDAP : required
191 191 Whether to use LDAP for authenticating users.
192 192
193 193 .. _ldap_host:
194 194
195 195 Host : required
196 196 LDAP server hostname or IP address. Can be also a comma separated
197 197 list of servers to support LDAP fail-over.
198 198
199 199 .. _Port:
200 200
201 201 Port : required
202 202 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
203 203
204 204 .. _ldap_account:
205 205
206 206 Account : optional
207 207 Only required if the LDAP server does not allow anonymous browsing of
208 208 records. This should be a special account for record browsing. This
209 209 will require `LDAP Password`_ below.
210 210
211 211 .. _LDAP Password:
212 212
213 213 Password : optional
214 214 Only required if the LDAP server does not allow anonymous browsing of
215 215 records.
216 216
217 217 .. _Enable LDAPS:
218 218
219 219 Connection Security : required
220 220 Defines the connection to LDAP server
221 221
222 222 No encryption
223 223 Plain non encrypted connection
224 224
225 225 LDAPS connection
226 226 Enable LDAPS connections. It will likely require `Port`_ to be set to
227 227 a different value (standard LDAPS port is 636). When LDAPS is enabled
228 228 then `Certificate Checks`_ is required.
229 229
230 230 START_TLS on LDAP connection
231 231 START TLS connection
232 232
233 233 .. _Certificate Checks:
234 234
235 235 Certificate Checks : optional
236 236 How SSL certificates verification is handled -- this is only useful when
237 237 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
238 238 while the other options are susceptible to man-in-the-middle attacks. SSL
239 239 certificates can be installed to /etc/openldap/cacerts so that the
240 240 DEMAND or HARD options can be used with self-signed certificates or
241 241 certificates that do not have traceable certificates of authority.
242 242
243 243 NEVER
244 244 A serve certificate will never be requested or checked.
245 245
246 246 ALLOW
247 247 A server certificate is requested. Failure to provide a
248 248 certificate or providing a bad certificate will not terminate the
249 249 session.
250 250
251 251 TRY
252 252 A server certificate is requested. Failure to provide a
253 253 certificate does not halt the session; providing a bad certificate
254 254 halts the session.
255 255
256 256 DEMAND
257 257 A server certificate is requested and must be provided and
258 258 authenticated for the session to proceed.
259 259
260 260 HARD
261 261 The same as DEMAND.
262 262
263 263 .. _Base DN:
264 264
265 265 Base DN : required
266 266 The Distinguished Name (DN) where searches for users will be performed.
267 267 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
268 268
269 269 .. _LDAP Filter:
270 270
271 271 LDAP Filter : optional
272 272 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
273 273 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
274 274 which LDAP objects are identified as representing Users for
275 275 authentication. The filter is augmented by `Login Attribute`_ below.
276 276 This can commonly be left blank.
277 277
278 278 .. _LDAP Search Scope:
279 279
280 280 LDAP Search Scope : required
281 281 This limits how far LDAP will search for a matching object.
282 282
283 283 BASE
284 284 Only allows searching of `Base DN`_ and is usually not what you
285 285 want.
286 286
287 287 ONELEVEL
288 288 Searches all entries under `Base DN`_, but not Base DN itself.
289 289
290 290 SUBTREE
291 291 Searches all entries below `Base DN`_, but not Base DN itself.
292 292 When using SUBTREE `LDAP Filter`_ is useful to limit object
293 293 location.
294 294
295 295 .. _Login Attribute:
296 296
297 297 Login Attribute : required
298 298 The LDAP record attribute that will be matched as the USERNAME or
299 299 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
300 300 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
301 301 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
302 302 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
303 303 ::
304 304
305 305 (&(LDAPFILTER)(uid=jsmith))
306 306
307 307 .. _ldap_attr_firstname:
308 308
309 309 First Name Attribute : required
310 310 The LDAP record attribute which represents the user's first name.
311 311
312 312 .. _ldap_attr_lastname:
313 313
314 314 Last Name Attribute : required
315 315 The LDAP record attribute which represents the user's last name.
316 316
317 317 .. _ldap_attr_email:
318 318
319 319 Email Attribute : required
320 320 The LDAP record attribute which represents the user's email address.
321 321
322 322 If all data are entered correctly, and python-ldap_ is properly installed
323 323 users should be granted access to Kallithea with LDAP accounts. At this
324 324 time user information is copied from LDAP into the Kallithea user database.
325 325 This means that updates of an LDAP user object may not be reflected as a
326 326 user update in Kallithea.
327 327
328 328 If You have problems with LDAP access and believe You entered correct
329 329 information check out the Kallithea logs, any error messages sent from LDAP
330 330 will be saved there.
331 331
332 332 Active Directory
333 333 ^^^^^^^^^^^^^^^^
334 334
335 335 Kallithea can use Microsoft Active Directory for user authentication. This
336 336 is done through an LDAP or LDAPS connection to Active Directory. The
337 337 following LDAP configuration settings are typical for using Active
338 338 Directory ::
339 339
340 340 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
341 341 Login Attribute = sAMAccountName
342 342 First Name Attribute = givenName
343 343 Last Name Attribute = sn
344 344 Email Attribute = mail
345 345
346 346 All other LDAP settings will likely be site-specific and should be
347 347 appropriately configured.
348 348
349 349
350 350 Authentication by container or reverse-proxy
351 351 --------------------------------------------
352 352
353 353 Kallithea supports delegating the authentication
354 354 of users to its WSGI container, or to a reverse-proxy server through which all
355 355 clients access the application.
356 356
357 357 When these authentication methods are enabled in Kallithea, it uses the
358 358 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
359 359 perform the authentication itself. The authorization, however, is still done by
360 360 Kallithea according to its settings.
361 361
362 362 When a user logs in for the first time using these authentication methods,
363 363 a matching user account is created in Kallithea with default permissions. An
364 364 administrator can then modify it using Kallithea's admin interface.
365 365
366 366 It's also possible for an administrator to create accounts and configure their
367 367 permissions before the user logs in for the first time, using the :ref:`create-user` API.
368 368
369 369 Container-based authentication
370 370 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
371 371
372 372 In a container-based authentication setup, Kallithea reads the user name from
373 373 the ``REMOTE_USER`` server variable provided by the WSGI container.
374 374
375 375 After setting up your container (see `Apache with mod_wsgi`_), you'll need
376 376 to configure it to require authentication on the location configured for
377 377 Kallithea.
378 378
379 379 Proxy pass-through authentication
380 380 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
381 381
382 382 In a proxy pass-through authentication setup, Kallithea reads the user name
383 383 from the ``X-Forwarded-User`` request header, which should be configured to be
384 384 sent by the reverse-proxy server.
385 385
386 386 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
387 387 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
388 388 configure the authentication and add the username in a request header named
389 389 ``X-Forwarded-User``.
390 390
391 391 For example, the following config section for Apache sets a subdirectory in a
392 392 reverse-proxy setup with basic auth:
393 393
394 394 .. code-block:: apache
395 395
396 396 <Location /someprefix>
397 397 ProxyPass http://127.0.0.1:5000/someprefix
398 398 ProxyPassReverse http://127.0.0.1:5000/someprefix
399 399 SetEnvIf X-Url-Scheme https HTTPS=1
400 400
401 401 AuthType Basic
402 402 AuthName "Kallithea authentication"
403 403 AuthUserFile /srv/kallithea/.htpasswd
404 404 Require valid-user
405 405
406 406 RequestHeader unset X-Forwarded-User
407 407
408 408 RewriteEngine On
409 409 RewriteCond %{LA-U:REMOTE_USER} (.+)
410 410 RewriteRule .* - [E=RU:%1]
411 411 RequestHeader set X-Forwarded-User %{RU}e
412 412 </Location>
413 413
414 414 Setting metadata in container/reverse-proxy
415 415 """""""""""""""""""""""""""""""""""""""""""
416 416 When a new user account is created on the first login, Kallithea has no information about
417 417 the user's email and full name. So you can set some additional request headers like in the
418 418 example below. In this example the user is authenticated via Kerberos and an Apache
419 419 mod_python fixup handler is used to get the user information from a LDAP server. But you
420 420 could set the request headers however you want.
421 421
422 422 .. code-block:: apache
423 423
424 424 <Location /someprefix>
425 425 ProxyPass http://127.0.0.1:5000/someprefix
426 426 ProxyPassReverse http://127.0.0.1:5000/someprefix
427 427 SetEnvIf X-Url-Scheme https HTTPS=1
428 428
429 429 AuthName "Kerberos Login"
430 430 AuthType Kerberos
431 431 Krb5Keytab /etc/apache2/http.keytab
432 432 KrbMethodK5Passwd off
433 433 KrbVerifyKDC on
434 434 Require valid-user
435 435
436 436 PythonFixupHandler ldapmetadata
437 437
438 438 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
439 439 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
440 440 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
441 441 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
442 442 </Location>
443 443
444 444 .. code-block:: python
445 445
446 446 from mod_python import apache
447 447 import ldap
448 448
449 449 LDAP_SERVER = "ldap://server.mydomain.com:389"
450 450 LDAP_USER = ""
451 451 LDAP_PASS = ""
452 452 LDAP_ROOT = "dc=mydomain,dc=com"
453 LDAP_FILTER = "sAMAcountName=%s"
454 LDAP_ATTR_LIST = ['sAMAcountName','givenname','sn','mail']
453 LDAP_FILTER = "sAMAccountName=%s"
454 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
455 455
456 456 def fixuphandler(req):
457 457 if req.user is None:
458 458 # no user to search for
459 459 return apache.OK
460 460 else:
461 461 try:
462 462 if('\\' in req.user):
463 463 username = req.user.split('\\')[1]
464 464 elif('@' in req.user):
465 465 username = req.user.split('@')[0]
466 466 else:
467 467 username = req.user
468 468 l = ldap.initialize(LDAP_SERVER)
469 469 l.simple_bind_s(LDAP_USER, LDAP_PASS)
470 470 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
471 471
472 472 req.subprocess_env['X_REMOTE_USER'] = username
473 473 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
474 474 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
475 475 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
476 476 except Exception, e:
477 477 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
478 478
479 479 return apache.OK
480 480
481 481 .. note::
482 482 If you enable proxy pass-through authentication, make sure your server is
483 483 only accessible through the proxy. Otherwise, any client would be able to
484 484 forge the authentication header and could effectively become authenticated
485 485 using any account of their liking.
486 486
487 487
488 488 Integration with issue trackers
489 489 -------------------------------
490 490
491 491 Kallithea provides a simple integration with issue trackers. It's possible
492 492 to define a regular expression that will match an issue ID in commit messages,
493 493 and have that replaced with a URL to the issue. To enable this simply
494 494 uncomment the following variables in the ini file::
495 495
496 496 issue_pat = (?:^#|\s#)(\w+)
497 497 issue_server_link = https://issues.example.com/{repo}/issue/{id}
498 498 issue_prefix = #
499 499
500 500 ``issue_pat`` is the regular expression describing which strings in
501 501 commit messages will be treated as issue references. A match group in
502 502 parentheses should be used to specify the actual issue id.
503 503
504 504 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
505 505
506 506 Matched issue references are replaced with the link specified in
507 507 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
508 508 ``{repo}`` with the repository name. Since the # is stripped away,
509 509 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
510 510 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
511 511 generate a URL in the format:
512 512
513 513 .. code-block:: html
514 514
515 515 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
516 516
517 517 If needed, more than one pattern can be specified by appending a unique suffix to
518 518 the variables. For example::
519 519
520 520 issue_pat_wiki = (?:wiki-)(.+)
521 521 issue_server_link_wiki = https://wiki.example.com/{id}
522 522 issue_prefix_wiki = WIKI-
523 523
524 524 With these settings, wiki pages can be referenced as wiki-some-id, and every
525 525 such reference will be transformed into:
526 526
527 527 .. code-block:: html
528 528
529 529 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
530 530
531 531
532 532 Hook management
533 533 ---------------
534 534
535 535 Hooks can be managed in similar way to that used in ``.hgrc`` files.
536 536 To manage hooks, choose *Admin > Settings > Hooks*.
537 537
538 538 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
539 539
540 540 To add another custom hook simply fill in the first textbox with
541 541 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
542 542 can be found in ``kallithea.lib.hooks``.
543 543
544 544
545 545 Changing default encoding
546 546 -------------------------
547 547
548 548 By default, Kallithea uses UTF-8 encoding.
549 549 This is configurable as ``default_encoding`` in the .ini file.
550 550 This affects many parts in Kallithea including user names, filenames, and
551 551 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
552 552 library is installed. If ``chardet`` is detected Kallithea will fallback to it
553 553 when there are encode/decode errors.
554 554
555 555
556 556 Celery configuration
557 557 --------------------
558 558
559 559 Kallithea can use the distributed task queue system Celery_ to run tasks like
560 560 cloning repositories or sending emails.
561 561
562 562 Kallithea will in most setups work perfectly fine out of the box (without
563 563 Celery), executing all tasks in the web server process. Some tasks can however
564 564 take some time to run and it can be better to run such tasks asynchronously in
565 565 a separate process so the web server can focus on serving web requests.
566 566
567 567 For installation and configuration of Celery, see the `Celery documentation`_.
568 568 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
569 569 or Redis_.
570 570
571 571 The use of Celery is configured in the Kallithea ini configuration file.
572 572 To enable it, simply set::
573 573
574 574 use_celery = true
575 575
576 576 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
577 577
578 578 Remember that the ini files use the format with '.' and not with '_' like
579 579 Celery. So for example setting `BROKER_HOST` in Celery means setting
580 580 `broker.host` in the configuration file.
581 581
582 582 To start the Celery process, run::
583 583
584 584 paster celeryd <configfile.ini>
585 585
586 586 .. note::
587 587 Make sure you run this command from the same virtualenv, and with the same
588 588 user that Kallithea runs.
589 589
590 590
591 591 HTTPS support
592 592 -------------
593 593
594 594 Kallithea will by default generate URLs based on the WSGI environment.
595 595
596 596 Alternatively, you can use some special configuration settings to control
597 597 directly which scheme/protocol Kallithea will use when generating URLs:
598 598
599 599 - With ``https_fixup = true``, the scheme will be taken from the
600 600 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
601 601 (default ``http``).
602 602 - With ``force_https = true`` the default will be ``https``.
603 603 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
604 604
605 605
606 606 Nginx virtual host example
607 607 --------------------------
608 608
609 609 Sample config for Nginx using proxy:
610 610
611 611 .. code-block:: nginx
612 612
613 613 upstream kallithea {
614 614 server 127.0.0.1:5000;
615 615 # add more instances for load balancing
616 616 #server 127.0.0.1:5001;
617 617 #server 127.0.0.1:5002;
618 618 }
619 619
620 620 ## gist alias
621 621 server {
622 622 listen 443;
623 623 server_name gist.example.com;
624 624 access_log /var/log/nginx/gist.access.log;
625 625 error_log /var/log/nginx/gist.error.log;
626 626
627 627 ssl on;
628 628 ssl_certificate gist.your.kallithea.server.crt;
629 629 ssl_certificate_key gist.your.kallithea.server.key;
630 630
631 631 ssl_session_timeout 5m;
632 632
633 633 ssl_protocols SSLv3 TLSv1;
634 634 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
635 635 ssl_prefer_server_ciphers on;
636 636
637 637 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
638 638 rewrite (.*) https://kallithea.example.com/_admin/gists;
639 639 }
640 640
641 641 server {
642 642 listen 443;
643 643 server_name kallithea.example.com
644 644 access_log /var/log/nginx/kallithea.access.log;
645 645 error_log /var/log/nginx/kallithea.error.log;
646 646
647 647 ssl on;
648 648 ssl_certificate your.kallithea.server.crt;
649 649 ssl_certificate_key your.kallithea.server.key;
650 650
651 651 ssl_session_timeout 5m;
652 652
653 653 ssl_protocols SSLv3 TLSv1;
654 654 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
655 655 ssl_prefer_server_ciphers on;
656 656
657 657 ## uncomment root directive if you want to serve static files by nginx
658 658 ## requires static_files = false in .ini file
659 659 #root /path/to/installation/kallithea/public;
660 660 include /etc/nginx/proxy.conf;
661 661 location / {
662 662 try_files $uri @kallithea;
663 663 }
664 664
665 665 location @kallithea {
666 666 proxy_pass http://127.0.0.1:5000;
667 667 }
668 668
669 669 }
670 670
671 671 Here's the proxy.conf. It's tuned so it will not timeout on long
672 672 pushes or large pushes::
673 673
674 674 proxy_redirect off;
675 675 proxy_set_header Host $host;
676 676 ## needed for container auth
677 677 #proxy_set_header REMOTE_USER $remote_user;
678 678 #proxy_set_header X-Forwarded-User $remote_user;
679 679 proxy_set_header X-Url-Scheme $scheme;
680 680 proxy_set_header X-Host $http_host;
681 681 proxy_set_header X-Real-IP $remote_addr;
682 682 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
683 683 proxy_set_header Proxy-host $proxy_host;
684 684 proxy_buffering off;
685 685 proxy_connect_timeout 7200;
686 686 proxy_send_timeout 7200;
687 687 proxy_read_timeout 7200;
688 688 proxy_buffers 8 32k;
689 689 client_max_body_size 1024m;
690 690 client_body_buffer_size 128k;
691 691 large_client_header_buffers 8 64k;
692 692
693 693
694 694 Apache virtual host reverse proxy example
695 695 -----------------------------------------
696 696
697 697 Here is a sample configuration file for Apache using proxy:
698 698
699 699 .. code-block:: apache
700 700
701 701 <VirtualHost *:80>
702 702 ServerName kallithea.example.com
703 703
704 704 <Proxy *>
705 705 # For Apache 2.4 and later:
706 706 Require all granted
707 707
708 708 # For Apache 2.2 and earlier, instead use:
709 709 # Order allow,deny
710 710 # Allow from all
711 711 </Proxy>
712 712
713 713 #important !
714 714 #Directive to properly generate url (clone url) for pylons
715 715 ProxyPreserveHost On
716 716
717 717 #kallithea instance
718 718 ProxyPass / http://127.0.0.1:5000/
719 719 ProxyPassReverse / http://127.0.0.1:5000/
720 720
721 721 #to enable https use line below
722 722 #SetEnvIf X-Url-Scheme https HTTPS=1
723 723 </VirtualHost>
724 724
725 725 Additional tutorial
726 726 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
727 727
728 728
729 729 Apache as subdirectory
730 730 ----------------------
731 731
732 732 Apache subdirectory part:
733 733
734 734 .. code-block:: apache
735 735
736 736 <Location /<someprefix> >
737 737 ProxyPass http://127.0.0.1:5000/<someprefix>
738 738 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
739 739 SetEnvIf X-Url-Scheme https HTTPS=1
740 740 </Location>
741 741
742 742 Besides the regular apache setup you will need to add the following line
743 743 into ``[app:main]`` section of your .ini file::
744 744
745 745 filter-with = proxy-prefix
746 746
747 747 Add the following at the end of the .ini file::
748 748
749 749 [filter:proxy-prefix]
750 750 use = egg:PasteDeploy#prefix
751 751 prefix = /<someprefix>
752 752
753 753 then change ``<someprefix>`` into your chosen prefix
754 754
755 755
756 756 Apache with mod_wsgi
757 757 --------------------
758 758
759 759 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
760 760 that, you'll need to:
761 761
762 762 - Install mod_wsgi. If using a Debian-based distro, you can install
763 763 the package libapache2-mod-wsgi::
764 764
765 765 aptitude install libapache2-mod-wsgi
766 766
767 767 - Enable mod_wsgi::
768 768
769 769 a2enmod wsgi
770 770
771 771 - Add global Apache configuration to tell mod_wsgi that Python only will be
772 772 used in the WSGI processes and shouldn't be initialized in the Apache
773 773 processes::
774 774
775 775 WSGIRestrictEmbedded On
776 776
777 777 - Create a wsgi dispatch script, like the one below. Make sure you
778 778 check that the paths correctly point to where you installed Kallithea
779 779 and its Python Virtual Environment.
780 780 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
781 781 as in the following example. Once again, check the paths are
782 782 correctly specified.
783 783
784 784 Here is a sample excerpt from an Apache Virtual Host configuration file:
785 785
786 786 .. code-block:: apache
787 787
788 788 WSGIDaemonProcess kallithea \
789 789 threads=4 \
790 790 python-home=/srv/kallithea/venv
791 791 WSGIProcessGroup kallithea
792 792 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
793 793 WSGIPassAuthorization On
794 794
795 795 Or if using a dispatcher WSGI script with proper virtualenv activation:
796 796
797 797 .. code-block:: apache
798 798
799 799 WSGIDaemonProcess kallithea threads=4
800 800 WSGIProcessGroup kallithea
801 801 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
802 802 WSGIPassAuthorization On
803 803
804 804 Apache will by default run as a special Apache user, on Linux systems
805 805 usually ``www-data`` or ``apache``. If you need to have the repositories
806 806 directory owned by a different user, use the user and group options to
807 807 WSGIDaemonProcess to set the name of the user and group.
808 808
809 809 Example WSGI dispatch script:
810 810
811 811 .. code-block:: python
812 812
813 813 import os
814 814 os.environ["HGENCODING"] = "UTF-8"
815 815 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
816 816
817 817 # sometimes it's needed to set the curent dir
818 818 os.chdir('/srv/kallithea/')
819 819
820 820 import site
821 821 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
822 822
823 823 ini = '/srv/kallithea/my.ini'
824 824 from paste.script.util.logging_config import fileConfig
825 825 fileConfig(ini)
826 826 from paste.deploy import loadapp
827 827 application = loadapp('config:' + ini)
828 828
829 829 Or using proper virtualenv activation:
830 830
831 831 .. code-block:: python
832 832
833 833 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
834 834 execfile(activate_this, dict(__file__=activate_this))
835 835
836 836 import os
837 837 os.environ['HOME'] = '/srv/kallithea'
838 838
839 839 ini = '/srv/kallithea/kallithea.ini'
840 840 from paste.script.util.logging_config import fileConfig
841 841 fileConfig(ini)
842 842 from paste.deploy import loadapp
843 843 application = loadapp('config:' + ini)
844 844
845 845
846 846 Other configuration files
847 847 -------------------------
848 848
849 849 A number of `example init.d scripts`__ can be found in
850 850 the ``init.d`` directory of the Kallithea source.
851 851
852 852 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
853 853
854 854
855 855 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
856 856 .. _python: http://www.python.org/
857 857 .. _Mercurial: http://mercurial.selenic.com/
858 858 .. _Celery: http://celeryproject.org/
859 859 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
860 860 .. _RabbitMQ: http://www.rabbitmq.com/
861 861 .. _Redis: http://redis.io/
862 862 .. _python-ldap: http://www.python-ldap.org/
863 863 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
864 864 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
General Comments 0
You need to be logged in to leave comments. Login now