##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

spelling: account
timeless@gmail.com -
r5780:c37e5e57 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,864 +1,864
1 .. _setup:
1 .. _setup:
2
2
3 =====
3 =====
4 Setup
4 Setup
5 =====
5 =====
6
6
7
7
8 Setting up Kallithea
8 Setting up Kallithea
9 --------------------
9 --------------------
10
10
11 First, you will need to create a Kallithea configuration file. Run the
11 First, you will need to create a Kallithea configuration file. Run the
12 following command to do so::
12 following command to do so::
13
13
14 paster make-config Kallithea my.ini
14 paster make-config Kallithea my.ini
15
15
16 This will create the file ``my.ini`` in the current directory. This
16 This will create the file ``my.ini`` in the current directory. This
17 configuration file contains the various settings for Kallithea, e.g.
17 configuration file contains the various settings for Kallithea, e.g.
18 proxy port, email settings, usage of static files, cache, Celery
18 proxy port, email settings, usage of static files, cache, Celery
19 settings, and logging.
19 settings, and logging.
20
20
21 Next, you need to create the databases used by Kallithea. It is recommended to
21 Next, you need to create the databases used by Kallithea. It is recommended to
22 use PostgreSQL or SQLite (default). If you choose a database other than the
22 use PostgreSQL or SQLite (default). If you choose a database other than the
23 default, ensure you properly adjust the database URL in your ``my.ini``
23 default, ensure you properly adjust the database URL in your ``my.ini``
24 configuration file to use this other database. Kallithea currently supports
24 configuration file to use this other database. Kallithea currently supports
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 the following command::
26 the following command::
27
27
28 paster setup-db my.ini
28 paster setup-db my.ini
29
29
30 This will prompt you for a "root" path. This "root" path is the location where
30 This will prompt you for a "root" path. This "root" path is the location where
31 Kallithea will store all of its repositories on the current machine. After
31 Kallithea will store all of its repositories on the current machine. After
32 entering this "root" path ``setup-db`` will also prompt you for a username
32 entering this "root" path ``setup-db`` will also prompt you for a username
33 and password for the initial admin account which ``setup-db`` sets
33 and password for the initial admin account which ``setup-db`` sets
34 up for you.
34 up for you.
35
35
36 The ``setup-db`` values can also be given on the command line.
36 The ``setup-db`` values can also be given on the command line.
37 Example::
37 Example::
38
38
39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40
40
41 The ``setup-db`` command will create all needed tables and an
41 The ``setup-db`` command will create all needed tables and an
42 admin account. When choosing a root path you can either use a new
42 admin account. When choosing a root path you can either use a new
43 empty location, or a location which already contains existing
43 empty location, or a location which already contains existing
44 repositories. If you choose a location which contains existing
44 repositories. If you choose a location which contains existing
45 repositories Kallithea will add all of the repositories at the chosen
45 repositories Kallithea will add all of the repositories at the chosen
46 location to its database. (Note: make sure you specify the correct
46 location to its database. (Note: make sure you specify the correct
47 path to the root).
47 path to the root).
48
48
49 .. note:: the given path for Mercurial_ repositories **must** be write
49 .. note:: the given path for Mercurial_ repositories **must** be write
50 accessible for the application. It's very important since
50 accessible for the application. It's very important since
51 the Kallithea web interface will work without write access,
51 the Kallithea web interface will work without write access,
52 but when trying to do a push it will fail with permission
52 but when trying to do a push it will fail with permission
53 denied errors unless it has write access.
53 denied errors unless it has write access.
54
54
55 You are now ready to use Kallithea. To run it simply execute::
55 You are now ready to use Kallithea. To run it simply execute::
56
56
57 paster serve my.ini
57 paster serve my.ini
58
58
59 - This command runs the Kallithea server. The web app should be available at
59 - This command runs the Kallithea server. The web app should be available at
60 http://127.0.0.1:5000. The IP address and port is configurable via the
60 http://127.0.0.1:5000. The IP address and port is configurable via the
61 configuration file created in the previous step.
61 configuration file created in the previous step.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 - The default permissions on each repository is read, and the owner is admin.
63 - The default permissions on each repository is read, and the owner is admin.
64 Remember to update these if needed.
64 Remember to update these if needed.
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 settings, as well as edit more advanced options on users and
66 settings, as well as edit more advanced options on users and
67 repositories.
67 repositories.
68
68
69
69
70 Using Kallithea with SSH
70 Using Kallithea with SSH
71 ------------------------
71 ------------------------
72
72
73 Kallithea currently only hosts repositories using http and https. (The addition
73 Kallithea currently only hosts repositories using http and https. (The addition
74 of ssh hosting is a planned future feature.) However you can easily use ssh in
74 of ssh hosting is a planned future feature.) However you can easily use ssh in
75 parallel with Kallithea. (Repository access via ssh is a standard "out of
75 parallel with Kallithea. (Repository access via ssh is a standard "out of
76 the box" feature of Mercurial_ and you can use this to access any of the
76 the box" feature of Mercurial_ and you can use this to access any of the
77 repositories that Kallithea is hosting. See PublishingRepositories_)
77 repositories that Kallithea is hosting. See PublishingRepositories_)
78
78
79 Kallithea repository structures are kept in directories with the same name
79 Kallithea repository structures are kept in directories with the same name
80 as the project. When using repository groups, each group is a subdirectory.
80 as the project. When using repository groups, each group is a subdirectory.
81 This allows you to easily use ssh for accessing repositories.
81 This allows you to easily use ssh for accessing repositories.
82
82
83 In order to use ssh you need to make sure that your web server and the users'
83 In order to use ssh you need to make sure that your web server and the users'
84 login accounts have the correct permissions set on the appropriate directories.
84 login accounts have the correct permissions set on the appropriate directories.
85
85
86 .. note:: These permissions are independent of any permissions you
86 .. note:: These permissions are independent of any permissions you
87 have set up using the Kallithea web interface.
87 have set up using the Kallithea web interface.
88
88
89 If your main directory (the same as set in Kallithea settings) is for
89 If your main directory (the same as set in Kallithea settings) is for
90 example set to ``/srv/repos`` and the repository you are using is
90 example set to ``/srv/repos`` and the repository you are using is
91 named ``kallithea``, then to clone via ssh you should run::
91 named ``kallithea``, then to clone via ssh you should run::
92
92
93 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
93 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
94
94
95 Using other external tools such as mercurial-server_ or using ssh key-based
95 Using other external tools such as mercurial-server_ or using ssh key-based
96 authentication is fully supported.
96 authentication is fully supported.
97
97
98 .. note:: In an advanced setup, in order for your ssh access to use
98 .. note:: In an advanced setup, in order for your ssh access to use
99 the same permissions as set up via the Kallithea web
99 the same permissions as set up via the Kallithea web
100 interface, you can create an authentication hook to connect
100 interface, you can create an authentication hook to connect
101 to the Kallithea db and run check functions for permissions
101 to the Kallithea db and run check functions for permissions
102 against that.
102 against that.
103
103
104
104
105 Setting up Whoosh full text search
105 Setting up Whoosh full text search
106 ----------------------------------
106 ----------------------------------
107
107
108 Kallithea provides full text search of repositories using `Whoosh`__.
108 Kallithea provides full text search of repositories using `Whoosh`__.
109
109
110 .. __: https://pythonhosted.org/Whoosh/
110 .. __: https://pythonhosted.org/Whoosh/
111
111
112 For an incremental index build, run::
112 For an incremental index build, run::
113
113
114 paster make-index my.ini
114 paster make-index my.ini
115
115
116 For a full index rebuild, run::
116 For a full index rebuild, run::
117
117
118 paster make-index my.ini -f
118 paster make-index my.ini -f
119
119
120 The ``--repo-location`` option allows the location of the repositories to be overriden;
120 The ``--repo-location`` option allows the location of the repositories to be overriden;
121 usually, the location is retrieved from the Kallithea database.
121 usually, the location is retrieved from the Kallithea database.
122
122
123 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
123 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
124
124
125 paster make-index my.ini --index-only=vcs,kallithea
125 paster make-index my.ini --index-only=vcs,kallithea
126
126
127 To keep your index up-to-date it is necessary to do periodic index builds;
127 To keep your index up-to-date it is necessary to do periodic index builds;
128 for this, it is recommended to use a crontab entry. Example::
128 for this, it is recommended to use a crontab entry. Example::
129
129
130 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
130 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
131
131
132 When using incremental mode (the default), Whoosh will check the last
132 When using incremental mode (the default), Whoosh will check the last
133 modification date of each file and add it to be reindexed if a newer file is
133 modification date of each file and add it to be reindexed if a newer file is
134 available. The indexing daemon checks for any removed files and removes them
134 available. The indexing daemon checks for any removed files and removes them
135 from index.
135 from index.
136
136
137 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
137 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
138 or in the admin panel you can check the "build from scratch" checkbox.
138 or in the admin panel you can check the "build from scratch" checkbox.
139
139
140 .. _ldap-setup:
140 .. _ldap-setup:
141
141
142
142
143 Setting up LDAP support
143 Setting up LDAP support
144 -----------------------
144 -----------------------
145
145
146 Kallithea supports LDAP authentication. In order
146 Kallithea supports LDAP authentication. In order
147 to use LDAP, you have to install the python-ldap_ package. This package is
147 to use LDAP, you have to install the python-ldap_ package. This package is
148 available via PyPI, so you can install it by running::
148 available via PyPI, so you can install it by running::
149
149
150 pip install python-ldap
150 pip install python-ldap
151
151
152 .. note:: ``python-ldap`` requires some libraries to be installed on
152 .. note:: ``python-ldap`` requires some libraries to be installed on
153 your system, so before installing it check that you have at
153 your system, so before installing it check that you have at
154 least the ``openldap`` and ``sasl`` libraries.
154 least the ``openldap`` and ``sasl`` libraries.
155
155
156 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
156 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
157 and then *Save*, to enable the LDAP plugin and configure its settings.
157 and then *Save*, to enable the LDAP plugin and configure its settings.
158
158
159 Here's a typical LDAP setup::
159 Here's a typical LDAP setup::
160
160
161 Connection settings
161 Connection settings
162 Enable LDAP = checked
162 Enable LDAP = checked
163 Host = host.example.com
163 Host = host.example.com
164 Port = 389
164 Port = 389
165 Account = <account>
165 Account = <account>
166 Password = <password>
166 Password = <password>
167 Connection Security = LDAPS connection
167 Connection Security = LDAPS connection
168 Certificate Checks = DEMAND
168 Certificate Checks = DEMAND
169
169
170 Search settings
170 Search settings
171 Base DN = CN=users,DC=host,DC=example,DC=org
171 Base DN = CN=users,DC=host,DC=example,DC=org
172 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
172 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
173 LDAP Search Scope = SUBTREE
173 LDAP Search Scope = SUBTREE
174
174
175 Attribute mappings
175 Attribute mappings
176 Login Attribute = uid
176 Login Attribute = uid
177 First Name Attribute = firstName
177 First Name Attribute = firstName
178 Last Name Attribute = lastName
178 Last Name Attribute = lastName
179 Email Attribute = mail
179 Email Attribute = mail
180
180
181 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
181 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
182
182
183 Search settings
183 Search settings
184 Base DN = DC=host,DC=example,DC=org
184 Base DN = DC=host,DC=example,DC=org
185 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
185 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
186 LDAP Search Scope = SUBTREE
186 LDAP Search Scope = SUBTREE
187
187
188 .. _enable_ldap:
188 .. _enable_ldap:
189
189
190 Enable LDAP : required
190 Enable LDAP : required
191 Whether to use LDAP for authenticating users.
191 Whether to use LDAP for authenticating users.
192
192
193 .. _ldap_host:
193 .. _ldap_host:
194
194
195 Host : required
195 Host : required
196 LDAP server hostname or IP address. Can be also a comma separated
196 LDAP server hostname or IP address. Can be also a comma separated
197 list of servers to support LDAP fail-over.
197 list of servers to support LDAP fail-over.
198
198
199 .. _Port:
199 .. _Port:
200
200
201 Port : required
201 Port : required
202 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
202 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
203
203
204 .. _ldap_account:
204 .. _ldap_account:
205
205
206 Account : optional
206 Account : optional
207 Only required if the LDAP server does not allow anonymous browsing of
207 Only required if the LDAP server does not allow anonymous browsing of
208 records. This should be a special account for record browsing. This
208 records. This should be a special account for record browsing. This
209 will require `LDAP Password`_ below.
209 will require `LDAP Password`_ below.
210
210
211 .. _LDAP Password:
211 .. _LDAP Password:
212
212
213 Password : optional
213 Password : optional
214 Only required if the LDAP server does not allow anonymous browsing of
214 Only required if the LDAP server does not allow anonymous browsing of
215 records.
215 records.
216
216
217 .. _Enable LDAPS:
217 .. _Enable LDAPS:
218
218
219 Connection Security : required
219 Connection Security : required
220 Defines the connection to LDAP server
220 Defines the connection to LDAP server
221
221
222 No encryption
222 No encryption
223 Plain non encrypted connection
223 Plain non encrypted connection
224
224
225 LDAPS connection
225 LDAPS connection
226 Enable LDAPS connections. It will likely require `Port`_ to be set to
226 Enable LDAPS connections. It will likely require `Port`_ to be set to
227 a different value (standard LDAPS port is 636). When LDAPS is enabled
227 a different value (standard LDAPS port is 636). When LDAPS is enabled
228 then `Certificate Checks`_ is required.
228 then `Certificate Checks`_ is required.
229
229
230 START_TLS on LDAP connection
230 START_TLS on LDAP connection
231 START TLS connection
231 START TLS connection
232
232
233 .. _Certificate Checks:
233 .. _Certificate Checks:
234
234
235 Certificate Checks : optional
235 Certificate Checks : optional
236 How SSL certificates verification is handled -- this is only useful when
236 How SSL certificates verification is handled -- this is only useful when
237 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
237 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
238 while the other options are susceptible to man-in-the-middle attacks. SSL
238 while the other options are susceptible to man-in-the-middle attacks. SSL
239 certificates can be installed to /etc/openldap/cacerts so that the
239 certificates can be installed to /etc/openldap/cacerts so that the
240 DEMAND or HARD options can be used with self-signed certificates or
240 DEMAND or HARD options can be used with self-signed certificates or
241 certificates that do not have traceable certificates of authority.
241 certificates that do not have traceable certificates of authority.
242
242
243 NEVER
243 NEVER
244 A serve certificate will never be requested or checked.
244 A serve certificate will never be requested or checked.
245
245
246 ALLOW
246 ALLOW
247 A server certificate is requested. Failure to provide a
247 A server certificate is requested. Failure to provide a
248 certificate or providing a bad certificate will not terminate the
248 certificate or providing a bad certificate will not terminate the
249 session.
249 session.
250
250
251 TRY
251 TRY
252 A server certificate is requested. Failure to provide a
252 A server certificate is requested. Failure to provide a
253 certificate does not halt the session; providing a bad certificate
253 certificate does not halt the session; providing a bad certificate
254 halts the session.
254 halts the session.
255
255
256 DEMAND
256 DEMAND
257 A server certificate is requested and must be provided and
257 A server certificate is requested and must be provided and
258 authenticated for the session to proceed.
258 authenticated for the session to proceed.
259
259
260 HARD
260 HARD
261 The same as DEMAND.
261 The same as DEMAND.
262
262
263 .. _Base DN:
263 .. _Base DN:
264
264
265 Base DN : required
265 Base DN : required
266 The Distinguished Name (DN) where searches for users will be performed.
266 The Distinguished Name (DN) where searches for users will be performed.
267 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
267 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
268
268
269 .. _LDAP Filter:
269 .. _LDAP Filter:
270
270
271 LDAP Filter : optional
271 LDAP Filter : optional
272 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
272 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
273 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
273 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
274 which LDAP objects are identified as representing Users for
274 which LDAP objects are identified as representing Users for
275 authentication. The filter is augmented by `Login Attribute`_ below.
275 authentication. The filter is augmented by `Login Attribute`_ below.
276 This can commonly be left blank.
276 This can commonly be left blank.
277
277
278 .. _LDAP Search Scope:
278 .. _LDAP Search Scope:
279
279
280 LDAP Search Scope : required
280 LDAP Search Scope : required
281 This limits how far LDAP will search for a matching object.
281 This limits how far LDAP will search for a matching object.
282
282
283 BASE
283 BASE
284 Only allows searching of `Base DN`_ and is usually not what you
284 Only allows searching of `Base DN`_ and is usually not what you
285 want.
285 want.
286
286
287 ONELEVEL
287 ONELEVEL
288 Searches all entries under `Base DN`_, but not Base DN itself.
288 Searches all entries under `Base DN`_, but not Base DN itself.
289
289
290 SUBTREE
290 SUBTREE
291 Searches all entries below `Base DN`_, but not Base DN itself.
291 Searches all entries below `Base DN`_, but not Base DN itself.
292 When using SUBTREE `LDAP Filter`_ is useful to limit object
292 When using SUBTREE `LDAP Filter`_ is useful to limit object
293 location.
293 location.
294
294
295 .. _Login Attribute:
295 .. _Login Attribute:
296
296
297 Login Attribute : required
297 Login Attribute : required
298 The LDAP record attribute that will be matched as the USERNAME or
298 The LDAP record attribute that will be matched as the USERNAME or
299 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
299 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
300 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
300 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
301 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
301 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
302 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
302 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
303 ::
303 ::
304
304
305 (&(LDAPFILTER)(uid=jsmith))
305 (&(LDAPFILTER)(uid=jsmith))
306
306
307 .. _ldap_attr_firstname:
307 .. _ldap_attr_firstname:
308
308
309 First Name Attribute : required
309 First Name Attribute : required
310 The LDAP record attribute which represents the user's first name.
310 The LDAP record attribute which represents the user's first name.
311
311
312 .. _ldap_attr_lastname:
312 .. _ldap_attr_lastname:
313
313
314 Last Name Attribute : required
314 Last Name Attribute : required
315 The LDAP record attribute which represents the user's last name.
315 The LDAP record attribute which represents the user's last name.
316
316
317 .. _ldap_attr_email:
317 .. _ldap_attr_email:
318
318
319 Email Attribute : required
319 Email Attribute : required
320 The LDAP record attribute which represents the user's email address.
320 The LDAP record attribute which represents the user's email address.
321
321
322 If all data are entered correctly, and python-ldap_ is properly installed
322 If all data are entered correctly, and python-ldap_ is properly installed
323 users should be granted access to Kallithea with LDAP accounts. At this
323 users should be granted access to Kallithea with LDAP accounts. At this
324 time user information is copied from LDAP into the Kallithea user database.
324 time user information is copied from LDAP into the Kallithea user database.
325 This means that updates of an LDAP user object may not be reflected as a
325 This means that updates of an LDAP user object may not be reflected as a
326 user update in Kallithea.
326 user update in Kallithea.
327
327
328 If You have problems with LDAP access and believe You entered correct
328 If You have problems with LDAP access and believe You entered correct
329 information check out the Kallithea logs, any error messages sent from LDAP
329 information check out the Kallithea logs, any error messages sent from LDAP
330 will be saved there.
330 will be saved there.
331
331
332 Active Directory
332 Active Directory
333 ^^^^^^^^^^^^^^^^
333 ^^^^^^^^^^^^^^^^
334
334
335 Kallithea can use Microsoft Active Directory for user authentication. This
335 Kallithea can use Microsoft Active Directory for user authentication. This
336 is done through an LDAP or LDAPS connection to Active Directory. The
336 is done through an LDAP or LDAPS connection to Active Directory. The
337 following LDAP configuration settings are typical for using Active
337 following LDAP configuration settings are typical for using Active
338 Directory ::
338 Directory ::
339
339
340 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
340 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
341 Login Attribute = sAMAccountName
341 Login Attribute = sAMAccountName
342 First Name Attribute = givenName
342 First Name Attribute = givenName
343 Last Name Attribute = sn
343 Last Name Attribute = sn
344 Email Attribute = mail
344 Email Attribute = mail
345
345
346 All other LDAP settings will likely be site-specific and should be
346 All other LDAP settings will likely be site-specific and should be
347 appropriately configured.
347 appropriately configured.
348
348
349
349
350 Authentication by container or reverse-proxy
350 Authentication by container or reverse-proxy
351 --------------------------------------------
351 --------------------------------------------
352
352
353 Kallithea supports delegating the authentication
353 Kallithea supports delegating the authentication
354 of users to its WSGI container, or to a reverse-proxy server through which all
354 of users to its WSGI container, or to a reverse-proxy server through which all
355 clients access the application.
355 clients access the application.
356
356
357 When these authentication methods are enabled in Kallithea, it uses the
357 When these authentication methods are enabled in Kallithea, it uses the
358 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
358 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
359 perform the authentication itself. The authorization, however, is still done by
359 perform the authentication itself. The authorization, however, is still done by
360 Kallithea according to its settings.
360 Kallithea according to its settings.
361
361
362 When a user logs in for the first time using these authentication methods,
362 When a user logs in for the first time using these authentication methods,
363 a matching user account is created in Kallithea with default permissions. An
363 a matching user account is created in Kallithea with default permissions. An
364 administrator can then modify it using Kallithea's admin interface.
364 administrator can then modify it using Kallithea's admin interface.
365
365
366 It's also possible for an administrator to create accounts and configure their
366 It's also possible for an administrator to create accounts and configure their
367 permissions before the user logs in for the first time, using the :ref:`create-user` API.
367 permissions before the user logs in for the first time, using the :ref:`create-user` API.
368
368
369 Container-based authentication
369 Container-based authentication
370 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
370 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
371
371
372 In a container-based authentication setup, Kallithea reads the user name from
372 In a container-based authentication setup, Kallithea reads the user name from
373 the ``REMOTE_USER`` server variable provided by the WSGI container.
373 the ``REMOTE_USER`` server variable provided by the WSGI container.
374
374
375 After setting up your container (see `Apache with mod_wsgi`_), you'll need
375 After setting up your container (see `Apache with mod_wsgi`_), you'll need
376 to configure it to require authentication on the location configured for
376 to configure it to require authentication on the location configured for
377 Kallithea.
377 Kallithea.
378
378
379 Proxy pass-through authentication
379 Proxy pass-through authentication
380 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
380 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
381
381
382 In a proxy pass-through authentication setup, Kallithea reads the user name
382 In a proxy pass-through authentication setup, Kallithea reads the user name
383 from the ``X-Forwarded-User`` request header, which should be configured to be
383 from the ``X-Forwarded-User`` request header, which should be configured to be
384 sent by the reverse-proxy server.
384 sent by the reverse-proxy server.
385
385
386 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
386 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
387 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
387 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
388 configure the authentication and add the username in a request header named
388 configure the authentication and add the username in a request header named
389 ``X-Forwarded-User``.
389 ``X-Forwarded-User``.
390
390
391 For example, the following config section for Apache sets a subdirectory in a
391 For example, the following config section for Apache sets a subdirectory in a
392 reverse-proxy setup with basic auth:
392 reverse-proxy setup with basic auth:
393
393
394 .. code-block:: apache
394 .. code-block:: apache
395
395
396 <Location /someprefix>
396 <Location /someprefix>
397 ProxyPass http://127.0.0.1:5000/someprefix
397 ProxyPass http://127.0.0.1:5000/someprefix
398 ProxyPassReverse http://127.0.0.1:5000/someprefix
398 ProxyPassReverse http://127.0.0.1:5000/someprefix
399 SetEnvIf X-Url-Scheme https HTTPS=1
399 SetEnvIf X-Url-Scheme https HTTPS=1
400
400
401 AuthType Basic
401 AuthType Basic
402 AuthName "Kallithea authentication"
402 AuthName "Kallithea authentication"
403 AuthUserFile /srv/kallithea/.htpasswd
403 AuthUserFile /srv/kallithea/.htpasswd
404 Require valid-user
404 Require valid-user
405
405
406 RequestHeader unset X-Forwarded-User
406 RequestHeader unset X-Forwarded-User
407
407
408 RewriteEngine On
408 RewriteEngine On
409 RewriteCond %{LA-U:REMOTE_USER} (.+)
409 RewriteCond %{LA-U:REMOTE_USER} (.+)
410 RewriteRule .* - [E=RU:%1]
410 RewriteRule .* - [E=RU:%1]
411 RequestHeader set X-Forwarded-User %{RU}e
411 RequestHeader set X-Forwarded-User %{RU}e
412 </Location>
412 </Location>
413
413
414 Setting metadata in container/reverse-proxy
414 Setting metadata in container/reverse-proxy
415 """""""""""""""""""""""""""""""""""""""""""
415 """""""""""""""""""""""""""""""""""""""""""
416 When a new user account is created on the first login, Kallithea has no information about
416 When a new user account is created on the first login, Kallithea has no information about
417 the user's email and full name. So you can set some additional request headers like in the
417 the user's email and full name. So you can set some additional request headers like in the
418 example below. In this example the user is authenticated via Kerberos and an Apache
418 example below. In this example the user is authenticated via Kerberos and an Apache
419 mod_python fixup handler is used to get the user information from a LDAP server. But you
419 mod_python fixup handler is used to get the user information from a LDAP server. But you
420 could set the request headers however you want.
420 could set the request headers however you want.
421
421
422 .. code-block:: apache
422 .. code-block:: apache
423
423
424 <Location /someprefix>
424 <Location /someprefix>
425 ProxyPass http://127.0.0.1:5000/someprefix
425 ProxyPass http://127.0.0.1:5000/someprefix
426 ProxyPassReverse http://127.0.0.1:5000/someprefix
426 ProxyPassReverse http://127.0.0.1:5000/someprefix
427 SetEnvIf X-Url-Scheme https HTTPS=1
427 SetEnvIf X-Url-Scheme https HTTPS=1
428
428
429 AuthName "Kerberos Login"
429 AuthName "Kerberos Login"
430 AuthType Kerberos
430 AuthType Kerberos
431 Krb5Keytab /etc/apache2/http.keytab
431 Krb5Keytab /etc/apache2/http.keytab
432 KrbMethodK5Passwd off
432 KrbMethodK5Passwd off
433 KrbVerifyKDC on
433 KrbVerifyKDC on
434 Require valid-user
434 Require valid-user
435
435
436 PythonFixupHandler ldapmetadata
436 PythonFixupHandler ldapmetadata
437
437
438 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
438 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
439 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
439 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
440 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
440 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
441 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
441 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
442 </Location>
442 </Location>
443
443
444 .. code-block:: python
444 .. code-block:: python
445
445
446 from mod_python import apache
446 from mod_python import apache
447 import ldap
447 import ldap
448
448
449 LDAP_SERVER = "ldap://server.mydomain.com:389"
449 LDAP_SERVER = "ldap://server.mydomain.com:389"
450 LDAP_USER = ""
450 LDAP_USER = ""
451 LDAP_PASS = ""
451 LDAP_PASS = ""
452 LDAP_ROOT = "dc=mydomain,dc=com"
452 LDAP_ROOT = "dc=mydomain,dc=com"
453 LDAP_FILTER = "sAMAcountName=%s"
453 LDAP_FILTER = "sAMAccountName=%s"
454 LDAP_ATTR_LIST = ['sAMAcountName','givenname','sn','mail']
454 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
455
455
456 def fixuphandler(req):
456 def fixuphandler(req):
457 if req.user is None:
457 if req.user is None:
458 # no user to search for
458 # no user to search for
459 return apache.OK
459 return apache.OK
460 else:
460 else:
461 try:
461 try:
462 if('\\' in req.user):
462 if('\\' in req.user):
463 username = req.user.split('\\')[1]
463 username = req.user.split('\\')[1]
464 elif('@' in req.user):
464 elif('@' in req.user):
465 username = req.user.split('@')[0]
465 username = req.user.split('@')[0]
466 else:
466 else:
467 username = req.user
467 username = req.user
468 l = ldap.initialize(LDAP_SERVER)
468 l = ldap.initialize(LDAP_SERVER)
469 l.simple_bind_s(LDAP_USER, LDAP_PASS)
469 l.simple_bind_s(LDAP_USER, LDAP_PASS)
470 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
470 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
471
471
472 req.subprocess_env['X_REMOTE_USER'] = username
472 req.subprocess_env['X_REMOTE_USER'] = username
473 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
473 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
474 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
474 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
475 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
475 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
476 except Exception, e:
476 except Exception, e:
477 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
477 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
478
478
479 return apache.OK
479 return apache.OK
480
480
481 .. note::
481 .. note::
482 If you enable proxy pass-through authentication, make sure your server is
482 If you enable proxy pass-through authentication, make sure your server is
483 only accessible through the proxy. Otherwise, any client would be able to
483 only accessible through the proxy. Otherwise, any client would be able to
484 forge the authentication header and could effectively become authenticated
484 forge the authentication header and could effectively become authenticated
485 using any account of their liking.
485 using any account of their liking.
486
486
487
487
488 Integration with issue trackers
488 Integration with issue trackers
489 -------------------------------
489 -------------------------------
490
490
491 Kallithea provides a simple integration with issue trackers. It's possible
491 Kallithea provides a simple integration with issue trackers. It's possible
492 to define a regular expression that will match an issue ID in commit messages,
492 to define a regular expression that will match an issue ID in commit messages,
493 and have that replaced with a URL to the issue. To enable this simply
493 and have that replaced with a URL to the issue. To enable this simply
494 uncomment the following variables in the ini file::
494 uncomment the following variables in the ini file::
495
495
496 issue_pat = (?:^#|\s#)(\w+)
496 issue_pat = (?:^#|\s#)(\w+)
497 issue_server_link = https://issues.example.com/{repo}/issue/{id}
497 issue_server_link = https://issues.example.com/{repo}/issue/{id}
498 issue_prefix = #
498 issue_prefix = #
499
499
500 ``issue_pat`` is the regular expression describing which strings in
500 ``issue_pat`` is the regular expression describing which strings in
501 commit messages will be treated as issue references. A match group in
501 commit messages will be treated as issue references. A match group in
502 parentheses should be used to specify the actual issue id.
502 parentheses should be used to specify the actual issue id.
503
503
504 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
504 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
505
505
506 Matched issue references are replaced with the link specified in
506 Matched issue references are replaced with the link specified in
507 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
507 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
508 ``{repo}`` with the repository name. Since the # is stripped away,
508 ``{repo}`` with the repository name. Since the # is stripped away,
509 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
509 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
510 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
510 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
511 generate a URL in the format:
511 generate a URL in the format:
512
512
513 .. code-block:: html
513 .. code-block:: html
514
514
515 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
515 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
516
516
517 If needed, more than one pattern can be specified by appending a unique suffix to
517 If needed, more than one pattern can be specified by appending a unique suffix to
518 the variables. For example::
518 the variables. For example::
519
519
520 issue_pat_wiki = (?:wiki-)(.+)
520 issue_pat_wiki = (?:wiki-)(.+)
521 issue_server_link_wiki = https://wiki.example.com/{id}
521 issue_server_link_wiki = https://wiki.example.com/{id}
522 issue_prefix_wiki = WIKI-
522 issue_prefix_wiki = WIKI-
523
523
524 With these settings, wiki pages can be referenced as wiki-some-id, and every
524 With these settings, wiki pages can be referenced as wiki-some-id, and every
525 such reference will be transformed into:
525 such reference will be transformed into:
526
526
527 .. code-block:: html
527 .. code-block:: html
528
528
529 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
529 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
530
530
531
531
532 Hook management
532 Hook management
533 ---------------
533 ---------------
534
534
535 Hooks can be managed in similar way to that used in ``.hgrc`` files.
535 Hooks can be managed in similar way to that used in ``.hgrc`` files.
536 To manage hooks, choose *Admin > Settings > Hooks*.
536 To manage hooks, choose *Admin > Settings > Hooks*.
537
537
538 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
538 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
539
539
540 To add another custom hook simply fill in the first textbox with
540 To add another custom hook simply fill in the first textbox with
541 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
541 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
542 can be found in ``kallithea.lib.hooks``.
542 can be found in ``kallithea.lib.hooks``.
543
543
544
544
545 Changing default encoding
545 Changing default encoding
546 -------------------------
546 -------------------------
547
547
548 By default, Kallithea uses UTF-8 encoding.
548 By default, Kallithea uses UTF-8 encoding.
549 This is configurable as ``default_encoding`` in the .ini file.
549 This is configurable as ``default_encoding`` in the .ini file.
550 This affects many parts in Kallithea including user names, filenames, and
550 This affects many parts in Kallithea including user names, filenames, and
551 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
551 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
552 library is installed. If ``chardet`` is detected Kallithea will fallback to it
552 library is installed. If ``chardet`` is detected Kallithea will fallback to it
553 when there are encode/decode errors.
553 when there are encode/decode errors.
554
554
555
555
556 Celery configuration
556 Celery configuration
557 --------------------
557 --------------------
558
558
559 Kallithea can use the distributed task queue system Celery_ to run tasks like
559 Kallithea can use the distributed task queue system Celery_ to run tasks like
560 cloning repositories or sending emails.
560 cloning repositories or sending emails.
561
561
562 Kallithea will in most setups work perfectly fine out of the box (without
562 Kallithea will in most setups work perfectly fine out of the box (without
563 Celery), executing all tasks in the web server process. Some tasks can however
563 Celery), executing all tasks in the web server process. Some tasks can however
564 take some time to run and it can be better to run such tasks asynchronously in
564 take some time to run and it can be better to run such tasks asynchronously in
565 a separate process so the web server can focus on serving web requests.
565 a separate process so the web server can focus on serving web requests.
566
566
567 For installation and configuration of Celery, see the `Celery documentation`_.
567 For installation and configuration of Celery, see the `Celery documentation`_.
568 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
568 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
569 or Redis_.
569 or Redis_.
570
570
571 The use of Celery is configured in the Kallithea ini configuration file.
571 The use of Celery is configured in the Kallithea ini configuration file.
572 To enable it, simply set::
572 To enable it, simply set::
573
573
574 use_celery = true
574 use_celery = true
575
575
576 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
576 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
577
577
578 Remember that the ini files use the format with '.' and not with '_' like
578 Remember that the ini files use the format with '.' and not with '_' like
579 Celery. So for example setting `BROKER_HOST` in Celery means setting
579 Celery. So for example setting `BROKER_HOST` in Celery means setting
580 `broker.host` in the configuration file.
580 `broker.host` in the configuration file.
581
581
582 To start the Celery process, run::
582 To start the Celery process, run::
583
583
584 paster celeryd <configfile.ini>
584 paster celeryd <configfile.ini>
585
585
586 .. note::
586 .. note::
587 Make sure you run this command from the same virtualenv, and with the same
587 Make sure you run this command from the same virtualenv, and with the same
588 user that Kallithea runs.
588 user that Kallithea runs.
589
589
590
590
591 HTTPS support
591 HTTPS support
592 -------------
592 -------------
593
593
594 Kallithea will by default generate URLs based on the WSGI environment.
594 Kallithea will by default generate URLs based on the WSGI environment.
595
595
596 Alternatively, you can use some special configuration settings to control
596 Alternatively, you can use some special configuration settings to control
597 directly which scheme/protocol Kallithea will use when generating URLs:
597 directly which scheme/protocol Kallithea will use when generating URLs:
598
598
599 - With ``https_fixup = true``, the scheme will be taken from the
599 - With ``https_fixup = true``, the scheme will be taken from the
600 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
600 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
601 (default ``http``).
601 (default ``http``).
602 - With ``force_https = true`` the default will be ``https``.
602 - With ``force_https = true`` the default will be ``https``.
603 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
603 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
604
604
605
605
606 Nginx virtual host example
606 Nginx virtual host example
607 --------------------------
607 --------------------------
608
608
609 Sample config for Nginx using proxy:
609 Sample config for Nginx using proxy:
610
610
611 .. code-block:: nginx
611 .. code-block:: nginx
612
612
613 upstream kallithea {
613 upstream kallithea {
614 server 127.0.0.1:5000;
614 server 127.0.0.1:5000;
615 # add more instances for load balancing
615 # add more instances for load balancing
616 #server 127.0.0.1:5001;
616 #server 127.0.0.1:5001;
617 #server 127.0.0.1:5002;
617 #server 127.0.0.1:5002;
618 }
618 }
619
619
620 ## gist alias
620 ## gist alias
621 server {
621 server {
622 listen 443;
622 listen 443;
623 server_name gist.example.com;
623 server_name gist.example.com;
624 access_log /var/log/nginx/gist.access.log;
624 access_log /var/log/nginx/gist.access.log;
625 error_log /var/log/nginx/gist.error.log;
625 error_log /var/log/nginx/gist.error.log;
626
626
627 ssl on;
627 ssl on;
628 ssl_certificate gist.your.kallithea.server.crt;
628 ssl_certificate gist.your.kallithea.server.crt;
629 ssl_certificate_key gist.your.kallithea.server.key;
629 ssl_certificate_key gist.your.kallithea.server.key;
630
630
631 ssl_session_timeout 5m;
631 ssl_session_timeout 5m;
632
632
633 ssl_protocols SSLv3 TLSv1;
633 ssl_protocols SSLv3 TLSv1;
634 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
634 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
635 ssl_prefer_server_ciphers on;
635 ssl_prefer_server_ciphers on;
636
636
637 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
637 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
638 rewrite (.*) https://kallithea.example.com/_admin/gists;
638 rewrite (.*) https://kallithea.example.com/_admin/gists;
639 }
639 }
640
640
641 server {
641 server {
642 listen 443;
642 listen 443;
643 server_name kallithea.example.com
643 server_name kallithea.example.com
644 access_log /var/log/nginx/kallithea.access.log;
644 access_log /var/log/nginx/kallithea.access.log;
645 error_log /var/log/nginx/kallithea.error.log;
645 error_log /var/log/nginx/kallithea.error.log;
646
646
647 ssl on;
647 ssl on;
648 ssl_certificate your.kallithea.server.crt;
648 ssl_certificate your.kallithea.server.crt;
649 ssl_certificate_key your.kallithea.server.key;
649 ssl_certificate_key your.kallithea.server.key;
650
650
651 ssl_session_timeout 5m;
651 ssl_session_timeout 5m;
652
652
653 ssl_protocols SSLv3 TLSv1;
653 ssl_protocols SSLv3 TLSv1;
654 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
654 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
655 ssl_prefer_server_ciphers on;
655 ssl_prefer_server_ciphers on;
656
656
657 ## uncomment root directive if you want to serve static files by nginx
657 ## uncomment root directive if you want to serve static files by nginx
658 ## requires static_files = false in .ini file
658 ## requires static_files = false in .ini file
659 #root /path/to/installation/kallithea/public;
659 #root /path/to/installation/kallithea/public;
660 include /etc/nginx/proxy.conf;
660 include /etc/nginx/proxy.conf;
661 location / {
661 location / {
662 try_files $uri @kallithea;
662 try_files $uri @kallithea;
663 }
663 }
664
664
665 location @kallithea {
665 location @kallithea {
666 proxy_pass http://127.0.0.1:5000;
666 proxy_pass http://127.0.0.1:5000;
667 }
667 }
668
668
669 }
669 }
670
670
671 Here's the proxy.conf. It's tuned so it will not timeout on long
671 Here's the proxy.conf. It's tuned so it will not timeout on long
672 pushes or large pushes::
672 pushes or large pushes::
673
673
674 proxy_redirect off;
674 proxy_redirect off;
675 proxy_set_header Host $host;
675 proxy_set_header Host $host;
676 ## needed for container auth
676 ## needed for container auth
677 #proxy_set_header REMOTE_USER $remote_user;
677 #proxy_set_header REMOTE_USER $remote_user;
678 #proxy_set_header X-Forwarded-User $remote_user;
678 #proxy_set_header X-Forwarded-User $remote_user;
679 proxy_set_header X-Url-Scheme $scheme;
679 proxy_set_header X-Url-Scheme $scheme;
680 proxy_set_header X-Host $http_host;
680 proxy_set_header X-Host $http_host;
681 proxy_set_header X-Real-IP $remote_addr;
681 proxy_set_header X-Real-IP $remote_addr;
682 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
682 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
683 proxy_set_header Proxy-host $proxy_host;
683 proxy_set_header Proxy-host $proxy_host;
684 proxy_buffering off;
684 proxy_buffering off;
685 proxy_connect_timeout 7200;
685 proxy_connect_timeout 7200;
686 proxy_send_timeout 7200;
686 proxy_send_timeout 7200;
687 proxy_read_timeout 7200;
687 proxy_read_timeout 7200;
688 proxy_buffers 8 32k;
688 proxy_buffers 8 32k;
689 client_max_body_size 1024m;
689 client_max_body_size 1024m;
690 client_body_buffer_size 128k;
690 client_body_buffer_size 128k;
691 large_client_header_buffers 8 64k;
691 large_client_header_buffers 8 64k;
692
692
693
693
694 Apache virtual host reverse proxy example
694 Apache virtual host reverse proxy example
695 -----------------------------------------
695 -----------------------------------------
696
696
697 Here is a sample configuration file for Apache using proxy:
697 Here is a sample configuration file for Apache using proxy:
698
698
699 .. code-block:: apache
699 .. code-block:: apache
700
700
701 <VirtualHost *:80>
701 <VirtualHost *:80>
702 ServerName kallithea.example.com
702 ServerName kallithea.example.com
703
703
704 <Proxy *>
704 <Proxy *>
705 # For Apache 2.4 and later:
705 # For Apache 2.4 and later:
706 Require all granted
706 Require all granted
707
707
708 # For Apache 2.2 and earlier, instead use:
708 # For Apache 2.2 and earlier, instead use:
709 # Order allow,deny
709 # Order allow,deny
710 # Allow from all
710 # Allow from all
711 </Proxy>
711 </Proxy>
712
712
713 #important !
713 #important !
714 #Directive to properly generate url (clone url) for pylons
714 #Directive to properly generate url (clone url) for pylons
715 ProxyPreserveHost On
715 ProxyPreserveHost On
716
716
717 #kallithea instance
717 #kallithea instance
718 ProxyPass / http://127.0.0.1:5000/
718 ProxyPass / http://127.0.0.1:5000/
719 ProxyPassReverse / http://127.0.0.1:5000/
719 ProxyPassReverse / http://127.0.0.1:5000/
720
720
721 #to enable https use line below
721 #to enable https use line below
722 #SetEnvIf X-Url-Scheme https HTTPS=1
722 #SetEnvIf X-Url-Scheme https HTTPS=1
723 </VirtualHost>
723 </VirtualHost>
724
724
725 Additional tutorial
725 Additional tutorial
726 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
726 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
727
727
728
728
729 Apache as subdirectory
729 Apache as subdirectory
730 ----------------------
730 ----------------------
731
731
732 Apache subdirectory part:
732 Apache subdirectory part:
733
733
734 .. code-block:: apache
734 .. code-block:: apache
735
735
736 <Location /<someprefix> >
736 <Location /<someprefix> >
737 ProxyPass http://127.0.0.1:5000/<someprefix>
737 ProxyPass http://127.0.0.1:5000/<someprefix>
738 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
738 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
739 SetEnvIf X-Url-Scheme https HTTPS=1
739 SetEnvIf X-Url-Scheme https HTTPS=1
740 </Location>
740 </Location>
741
741
742 Besides the regular apache setup you will need to add the following line
742 Besides the regular apache setup you will need to add the following line
743 into ``[app:main]`` section of your .ini file::
743 into ``[app:main]`` section of your .ini file::
744
744
745 filter-with = proxy-prefix
745 filter-with = proxy-prefix
746
746
747 Add the following at the end of the .ini file::
747 Add the following at the end of the .ini file::
748
748
749 [filter:proxy-prefix]
749 [filter:proxy-prefix]
750 use = egg:PasteDeploy#prefix
750 use = egg:PasteDeploy#prefix
751 prefix = /<someprefix>
751 prefix = /<someprefix>
752
752
753 then change ``<someprefix>`` into your chosen prefix
753 then change ``<someprefix>`` into your chosen prefix
754
754
755
755
756 Apache with mod_wsgi
756 Apache with mod_wsgi
757 --------------------
757 --------------------
758
758
759 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
759 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
760 that, you'll need to:
760 that, you'll need to:
761
761
762 - Install mod_wsgi. If using a Debian-based distro, you can install
762 - Install mod_wsgi. If using a Debian-based distro, you can install
763 the package libapache2-mod-wsgi::
763 the package libapache2-mod-wsgi::
764
764
765 aptitude install libapache2-mod-wsgi
765 aptitude install libapache2-mod-wsgi
766
766
767 - Enable mod_wsgi::
767 - Enable mod_wsgi::
768
768
769 a2enmod wsgi
769 a2enmod wsgi
770
770
771 - Add global Apache configuration to tell mod_wsgi that Python only will be
771 - Add global Apache configuration to tell mod_wsgi that Python only will be
772 used in the WSGI processes and shouldn't be initialized in the Apache
772 used in the WSGI processes and shouldn't be initialized in the Apache
773 processes::
773 processes::
774
774
775 WSGIRestrictEmbedded On
775 WSGIRestrictEmbedded On
776
776
777 - Create a wsgi dispatch script, like the one below. Make sure you
777 - Create a wsgi dispatch script, like the one below. Make sure you
778 check that the paths correctly point to where you installed Kallithea
778 check that the paths correctly point to where you installed Kallithea
779 and its Python Virtual Environment.
779 and its Python Virtual Environment.
780 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
780 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
781 as in the following example. Once again, check the paths are
781 as in the following example. Once again, check the paths are
782 correctly specified.
782 correctly specified.
783
783
784 Here is a sample excerpt from an Apache Virtual Host configuration file:
784 Here is a sample excerpt from an Apache Virtual Host configuration file:
785
785
786 .. code-block:: apache
786 .. code-block:: apache
787
787
788 WSGIDaemonProcess kallithea \
788 WSGIDaemonProcess kallithea \
789 threads=4 \
789 threads=4 \
790 python-home=/srv/kallithea/venv
790 python-home=/srv/kallithea/venv
791 WSGIProcessGroup kallithea
791 WSGIProcessGroup kallithea
792 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
792 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
793 WSGIPassAuthorization On
793 WSGIPassAuthorization On
794
794
795 Or if using a dispatcher WSGI script with proper virtualenv activation:
795 Or if using a dispatcher WSGI script with proper virtualenv activation:
796
796
797 .. code-block:: apache
797 .. code-block:: apache
798
798
799 WSGIDaemonProcess kallithea threads=4
799 WSGIDaemonProcess kallithea threads=4
800 WSGIProcessGroup kallithea
800 WSGIProcessGroup kallithea
801 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
801 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
802 WSGIPassAuthorization On
802 WSGIPassAuthorization On
803
803
804 Apache will by default run as a special Apache user, on Linux systems
804 Apache will by default run as a special Apache user, on Linux systems
805 usually ``www-data`` or ``apache``. If you need to have the repositories
805 usually ``www-data`` or ``apache``. If you need to have the repositories
806 directory owned by a different user, use the user and group options to
806 directory owned by a different user, use the user and group options to
807 WSGIDaemonProcess to set the name of the user and group.
807 WSGIDaemonProcess to set the name of the user and group.
808
808
809 Example WSGI dispatch script:
809 Example WSGI dispatch script:
810
810
811 .. code-block:: python
811 .. code-block:: python
812
812
813 import os
813 import os
814 os.environ["HGENCODING"] = "UTF-8"
814 os.environ["HGENCODING"] = "UTF-8"
815 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
815 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
816
816
817 # sometimes it's needed to set the curent dir
817 # sometimes it's needed to set the curent dir
818 os.chdir('/srv/kallithea/')
818 os.chdir('/srv/kallithea/')
819
819
820 import site
820 import site
821 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
821 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
822
822
823 ini = '/srv/kallithea/my.ini'
823 ini = '/srv/kallithea/my.ini'
824 from paste.script.util.logging_config import fileConfig
824 from paste.script.util.logging_config import fileConfig
825 fileConfig(ini)
825 fileConfig(ini)
826 from paste.deploy import loadapp
826 from paste.deploy import loadapp
827 application = loadapp('config:' + ini)
827 application = loadapp('config:' + ini)
828
828
829 Or using proper virtualenv activation:
829 Or using proper virtualenv activation:
830
830
831 .. code-block:: python
831 .. code-block:: python
832
832
833 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
833 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
834 execfile(activate_this, dict(__file__=activate_this))
834 execfile(activate_this, dict(__file__=activate_this))
835
835
836 import os
836 import os
837 os.environ['HOME'] = '/srv/kallithea'
837 os.environ['HOME'] = '/srv/kallithea'
838
838
839 ini = '/srv/kallithea/kallithea.ini'
839 ini = '/srv/kallithea/kallithea.ini'
840 from paste.script.util.logging_config import fileConfig
840 from paste.script.util.logging_config import fileConfig
841 fileConfig(ini)
841 fileConfig(ini)
842 from paste.deploy import loadapp
842 from paste.deploy import loadapp
843 application = loadapp('config:' + ini)
843 application = loadapp('config:' + ini)
844
844
845
845
846 Other configuration files
846 Other configuration files
847 -------------------------
847 -------------------------
848
848
849 A number of `example init.d scripts`__ can be found in
849 A number of `example init.d scripts`__ can be found in
850 the ``init.d`` directory of the Kallithea source.
850 the ``init.d`` directory of the Kallithea source.
851
851
852 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
852 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
853
853
854
854
855 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
855 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
856 .. _python: http://www.python.org/
856 .. _python: http://www.python.org/
857 .. _Mercurial: http://mercurial.selenic.com/
857 .. _Mercurial: http://mercurial.selenic.com/
858 .. _Celery: http://celeryproject.org/
858 .. _Celery: http://celeryproject.org/
859 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
859 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
860 .. _RabbitMQ: http://www.rabbitmq.com/
860 .. _RabbitMQ: http://www.rabbitmq.com/
861 .. _Redis: http://redis.io/
861 .. _Redis: http://redis.io/
862 .. _python-ldap: http://www.python-ldap.org/
862 .. _python-ldap: http://www.python-ldap.org/
863 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
863 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
864 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
864 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
General Comments 0
You need to be logged in to leave comments. Login now