@@ -14,7 +14,7 b' news' | |||
|
14 | 14 | ---- |
|
15 | 15 | |
|
16 | 16 | - #215 rst and markdown README files support |
|
17 | - #252 pass-through user identity | |
|
17 | - Container-based and proxy pass-through authentication support (#252) | |
|
18 | 18 | - hover top menu |
|
19 | 19 | - configurable clone url posibility to specify ssh:// manually as |
|
20 | 20 | alternative clone url. |
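Review bot: the rewritten changelog entry moves the issue reference to the end ("... authentication support (#252)") while the neighbouring entry in the same list leads with it ("- #215 rst and markdown README files support"); for consistency with the surrounding news entries, suggest "- #252 container-based and proxy pass-through authentication support", or at least keep one placement convention within the list.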
@@ -347,6 +347,86 b' appropriately configured.' | |||
|
347 | 347 | |
|
348 | 348 | |
|
349 | 349 | |
|
350 | Authentication by container or reverse-proxy | |
|
351 | -------------------------------------------- | |
|
352 | ||
|
353 | Starting with version 1.3, RhodeCode supports delegating the authentication | |
|
354 | of users to its WSGI container, or to a reverse-proxy server through which all | |
|
355 | clients access the application. | |
|
356 | ||
|
357 | When these authentication methods are enabled in RhodeCode, it uses the | |
|
358 | username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't | |
|
359 | perform the authentication itself. The authorization, however, is still done by | |
|
360 | RhodeCode according to its settings. | |
|
361 | ||
|
362 | When a user logs in for the first time using these authentication methods, | |
|
363 | a matching user account is created in RhodeCode with default permissions. An | |
|
364 | administrator can then modify it using RhodeCode's admin interface. | |
|
365 | It's also possible for an administrator to create accounts and configure their | |
|
366 | permissions before the user logs in for the first time. | |
|
367 | ||
|
368 | Container-based authentication | |
|
369 | '''''''''''''''''''''''''''''' | |
|
370 | ||
|
371 | In a container-based authentication setup, RhodeCode reads the user name from | |
|
372 | the ``REMOTE_USER`` server variable provided by the WSGI container. | |
|
373 | ||
|
374 | After setting up your container (see `Apache's WSGI config`_), you'd need | |
|
375 | to configure it to require authentication on the location configured for | |
|
376 | RhodeCode. | |
|
377 | ||
|
378 | In order for RhodeCode to start using the provided username, you should set the | |
|
379 | following in the [app:main] section of your .ini file:: | |
|
380 | ||
|
381 | container_auth_enabled = true | |
|
382 | ||
|
383 | ||
|
384 | Proxy pass-through authentication | |
|
385 | ''''''''''''''''''''''''''''''''' | |
|
386 | ||
|
387 | In a proxy pass-through authentication setup, RhodeCode reads the user name | |
|
388 | from the ``X-Forwarded-User`` request header, which should be configured to be | |
|
389 | sent by the reverse-proxy server. | |
|
390 | ||
|
391 | After setting up your proxy solution (see `Apache virtual host reverse proxy example`_, | |
|
392 | `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to | |
|
393 | configure the authentication and add the username in a request header named | |
|
394 | ``X-Forwarded-User``. | |
|
395 | ||
|
396 | For example, the following config section for Apache sets a subdirectory in a | |
|
397 | reverse-proxy setup with basic auth:: | |
|
398 | ||
|
399 | <Location /<someprefix> > | |
|
400 | ProxyPass http://127.0.0.1:5000/<someprefix> | |
|
401 | ProxyPassReverse http://127.0.0.1:5000/<someprefix> | |
|
402 | SetEnvIf X-Url-Scheme https HTTPS=1 | |
|
403 | ||
|
404 | AuthType Basic | |
|
405 | AuthName "RhodeCode authentication" | |
|
406 | AuthUserFile /home/web/rhodecode/.htpasswd | |
|
407 | require valid-user | |
|
408 | ||
|
409 | RequestHeader unset X-Forwarded-User | |
|
410 | ||
|
411 | RewriteEngine On | |
|
412 | RewriteCond %{LA-U:REMOTE_USER} (.+) | |
|
413 | RewriteRule .* - [E=RU:%1] | |
|
414 | RequestHeader set X-Forwarded-User %{RU}e | |
|
415 | </Location> | |
|
416 | ||
|
417 | In order for RhodeCode to start using the forwarded username, you should set | |
|
418 | the following in the [app:main] section of your .ini file:: | |
|
419 | ||
|
420 | proxypass_auth_enabled = true | |
|
421 | ||
|
422 | .. note:: | |
|
423 | If you enable proxy pass-through authentication, make sure your server is | |
|
424 | only accessible through the proxy. Otherwise, any client would be able to | |
|
425 | forge the authentication header and could effectively become authenticated | |
|
426 | using any account of their liking. | |
|
427 | ||
|
428 | ||
|
429 | ||
|
350 | 430 | Hook management |
|
351 | 431 | --------------- |
|
352 | 432 |
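Review bot: the closing ``.. note::`` of the proxy pass-through section warns that the server must be reachable only through the proxy, but gives the reader nothing concrete to do about it; since the example already proxies to ``http://127.0.0.1:5000/<someprefix>``, suggest the note state explicitly that RhodeCode should be bound to the loopback address (or otherwise blocked from direct access) so that the warning is actionable. It would also help to point out that the ``RequestHeader unset X-Forwarded-User`` line in the example is what discards any client-supplied ``X-Forwarded-User`` header before the proxy sets its own value, and that this line must be kept when the snippet is adapted to other setups (Nginx, subdirectory), otherwise the forgery the note describes becomes possible even with the proxy in place.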