comparison docs/setup.rst @ 2031:82a88013a3fd
merge 1.3 into stable
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Sun, 26 Feb 2012 17:25:09 +0200 |
parents | 752b0a7b7679 03a549b35c57 |
children | ecd59c28f432 |
2005:ab0e122b38a7 | 2031:82a88013a3fd |
---|---|
344 | 344 |
345 All other LDAP settings will likely be site-specific and should be | 345 All other LDAP settings will likely be site-specific and should be |
346 appropriately configured. | 346 appropriately configured. |
347 | 347 |
348 | 348 |
349 Authentication by container or reverse-proxy | |
350 -------------------------------------------- | |
351 | |
352 Starting with version 1.3, RhodeCode supports delegating the authentication | |
353 of users to its WSGI container, or to a reverse-proxy server through which all | |
354 clients access the application. | |
355 | |
356 When these authentication methods are enabled in RhodeCode, it uses the | |
357 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't | |
358 perform the authentication itself. The authorization, however, is still done by | |
359 RhodeCode according to its settings. | |
360 | |
361 When a user logs in for the first time using these authentication methods, | |
362 a matching user account is created in RhodeCode with default permissions. An | |
363 administrator can then modify it using RhodeCode's admin interface. | |
364 It's also possible for an administrator to create accounts and configure their | |
365 permissions before the user logs in for the first time. | |
366 | |
367 Container-based authentication | |
368 '''''''''''''''''''''''''''''' | |
369 | |
370 In a container-based authentication setup, RhodeCode reads the user name from | |
371 the ``REMOTE_USER`` server variable provided by the WSGI container. | |
372 | |
373 After setting up your container (see `Apache's WSGI config`_), you'd need | |
374 to configure it to require authentication on the location configured for | |
375 RhodeCode. | |
376 | |
377 In order for RhodeCode to start using the provided username, you should set the | |
378 following in the [app:main] section of your .ini file:: | |
379 | |
380 container_auth_enabled = true | |
381 | |
382 | |
383 Proxy pass-through authentication | |
384 ''''''''''''''''''''''''''''''''' | |
385 | |
386 In a proxy pass-through authentication setup, RhodeCode reads the user name | |
387 from the ``X-Forwarded-User`` request header, which should be configured to be | |
388 sent by the reverse-proxy server. | |
389 | |
390 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_, | |
391 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to | |
392 configure the authentication and add the username in a request header named | |
393 ``X-Forwarded-User``. | |
394 | |
395 For example, the following config section for Apache sets a subdirectory in a | |
396 reverse-proxy setup with basic auth:: | |
397 | |
398 <Location /<someprefix> > | |
399 ProxyPass http://127.0.0.1:5000/<someprefix> | |
400 ProxyPassReverse http://127.0.0.1:5000/<someprefix> | |
401 SetEnvIf X-Url-Scheme https HTTPS=1 | |
402 | |
403 AuthType Basic | |
404 AuthName "RhodeCode authentication" | |
405 AuthUserFile /home/web/rhodecode/.htpasswd | |
406 require valid-user | |
407 | |
408 RequestHeader unset X-Forwarded-User | |
409 | |
410 RewriteEngine On | |
411 RewriteCond %{LA-U:REMOTE_USER} (.+) | |
412 RewriteRule .* - [E=RU:%1] | |
413 RequestHeader set X-Forwarded-User %{RU}e | |
414 </Location> | |
415 | |
416 In order for RhodeCode to start using the forwarded username, you should set | |
417 the following in the [app:main] section of your .ini file:: | |
418 | |
419 proxypass_auth_enabled = true | |
420 | |
421 .. note:: | |
422 If you enable proxy pass-through authentication, make sure your server is | |
423 only accessible through the proxy. Otherwise, any client would be able to | |
424 forge the authentication header and could effectively become authenticated | |
425 using any account of their liking. | |
426 | |
427 Integration with Issue trackers | |
428 ------------------------------- | |
429 | |
430 RhodeCode provides a simple integration with issue trackers. It's possible | |
431 to define a regular expression that will fetch issue id stored in commit | |
432 messages and replace that with an url to this issue. To enable this simply | |
433 uncomment following variables in the ini file:: | |
434 | |
435 url_pat = (?:^#|\s#)(\w+) | |
436 issue_server_link = https://myissueserver.com/{repo}/issue/{id} | |
437 issue_prefix = # | |
438 | |
439 `url_pat` is the regular expression that will fetch issues from commit messages. | |
440 Default regex will match issues in format of #<number> eg. #300. | |
441 | |
442 Matched issues will be replace with the link specified as `issue_server_link` | |
443 {id} will be replaced with issue id, and {repo} with repository name. | |
444 Since the # is striped `issue_prefix` is added as a prefix to url. | |
445 `issue_prefix` can be something different than # if you pass | |
446 ISSUE- as issue prefix this will generate an url in format:: | |
447 | |
448 <a href="https://myissueserver.com/example_repo/issue/300">ISSUE-300</a> | |
349 | 449 |
350 Hook management | 450 Hook management |
351 --------------- | 451 --------------- |
352 | 452 |
353 Hooks can be managed in similar way to this used in .hgrc files. | 453 Hooks can be managed in similar way to this used in .hgrc files. |
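Review bot: In the proxy pass-through section (new lines 395-414), the Apache example depends on `RequestHeader unset X-Forwarded-User` to discard whatever value the client sent before the authenticated name is written, but the prose never says this, so a reader adapting the example to another proxy can drop that step without noticing. Suggest one sentence stating that the proxy must remove the incoming `X-Forwarded-User` header before setting it, and extending the note at 421-425 to say how "only accessible through the proxy" is achieved in this setup, for instance by having the application listen only on the loopback address that `ProxyPass http://127.0.0.1:5000/<someprefix>` points at. Separately, in the issue tracker section (439-440) the text says the default `url_pat` matches `#<number>`, while `(\w+)` also accepts letters and underscores; either tighten the pattern or reword the description. Typos in the same section: "will be replace" (442) and "striped" (444).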
357 There are 4 built in hooks that cannot be changed (only enable/disable by | 457 There are 4 built in hooks that cannot be changed (only enable/disable by |
358 checkboxes on previos section). | 458 checkboxes on previos section). |
359 To add another custom hook simply fill in first section with | 459 To add another custom hook simply fill in first section with |
360 <name>.<hook_type> and the second one with hook path. Example hooks | 460 <name>.<hook_type> and the second one with hook path. Example hooks |
361 can be found at *rhodecode.lib.hooks*. | 461 can be found at *rhodecode.lib.hooks*. |
462 | |
463 | |
464 Changing default encoding | |
465 ------------------------- | |
466 | |
467 By default RhodeCode uses utf8 encoding, starting from 1.3 series this | |
468 can be changed, simply edit default_encoding in .ini file to desired one. | |
469 This affects many parts in rhodecode including commiters names, filenames, | |
470 encoding of commit messages. In addition RhodeCode can detect if `chardet` | |
471 library is installed. If `chardet` is detected RhodeCode will fallback to it | |
472 when there are encode/decode errors. | |
362 | 473 |
363 | 474 |
364 Setting Up Celery | 475 Setting Up Celery |
365 ----------------- | 476 ----------------- |
366 | 477 |
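Review bot: The new "Changing default encoding" section (464-472) names `default_encoding` only in running prose, without saying which section of the .ini file it belongs to and without a literal block, unlike the `container_auth_enabled = true` and `proxypass_auth_enabled = true` settings added in this same change. Suggest showing the setting in a `::` block with its default value and stating the .ini section, and saying what the `chardet` fallback does when detection picks a different encoding than the configured one, since the text says it affects committer names and filenames. Wording: "commiters" should be "committers", "fallback to it" should be "fall back to it", and "rhodecode" on 469 should match the "RhodeCode" capitalisation used elsewhere.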
395 Nginx virtual host example | 506 Nginx virtual host example |
396 -------------------------- | 507 -------------------------- |
397 | 508 |
398 Sample config for nginx using proxy:: | 509 Sample config for nginx using proxy:: |
399 | 510 |
511 upstream rc { | |
512 server 127.0.0.1:5000; | |
513 # add more instances for load balancing | |
514 #server 127.0.0.1:5001; | |
515 #server 127.0.0.1:5002; | |
516 } | |
517 | |
400 server { | 518 server { |
401 listen 80; | 519 listen 80; |
402 server_name hg.myserver.com; | 520 server_name hg.myserver.com; |
403 access_log /var/log/nginx/rhodecode.access.log; | 521 access_log /var/log/nginx/rhodecode.access.log; |
404 error_log /var/log/nginx/rhodecode.error.log; | 522 error_log /var/log/nginx/rhodecode.error.log; |
523 | |
405 location / { | 524 location / { |
406 root /var/www/rhodecode/rhodecode/public/; | 525 try_files $uri @rhode; |
407 if (!-f $request_filename){ | |
408 proxy_pass http://127.0.0.1:5000; | |
409 } | |
410 #this is important if you want to use https !!! | |
411 proxy_set_header X-Url-Scheme $scheme; | |
412 include /etc/nginx/proxy.conf; | |
413 } | 526 } |
527 | |
528 location @rhode { | |
529 proxy_pass http://rc; | |
530 include /etc/nginx/proxy.conf; | |
531 } | |
532 | |
414 } | 533 } |
415 | 534 |
416 Here's the proxy.conf. It's tuned so it will not timeout on long | 535 Here's the proxy.conf. It's tuned so it will not timeout on long |
417 pushes or large pushes:: | 536 pushes or large pushes:: |
418 | 537 |
419 proxy_redirect off; | 538 proxy_redirect off; |
420 proxy_set_header Host $host; | 539 proxy_set_header Host $host; |
540 proxy_set_header X-Url-Scheme $scheme; | |
421 proxy_set_header X-Host $http_host; | 541 proxy_set_header X-Host $http_host; |
422 proxy_set_header X-Real-IP $remote_addr; | 542 proxy_set_header X-Real-IP $remote_addr; |
423 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | 543 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
424 proxy_set_header Proxy-host $proxy_host; | 544 proxy_set_header Proxy-host $proxy_host; |
425 client_max_body_size 400m; | 545 client_max_body_size 400m; |
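Review bot: The rewritten `location /` block (new lines 524-526) uses `try_files $uri @rhode;` but the `root /var/www/rhodecode/rhodecode/public/;` line from the old block is removed and no `root` appears anywhere in the new `server` block, so `$uri` is checked against nginx's default document root rather than RhodeCode's public directory. Static files will then always fall through to the backend, and any file that happens to exist under the default root would be served in their place; suggest restoring the `root` directive at `server` or `location /` level. Also, the proxy pass-through section added in this change points readers at this Nginx example, yet neither the `@rhode` location nor proxy.conf clears or sets `X-Forwarded-User`, so a client-supplied value would reach the application unchanged when `proxypass_auth_enabled = true`; the example should either show the authentication directives with a `proxy_set_header X-Forwarded-User $remote_user;` line or state that it is not sufficient on its own for that mode. Minor: the upstream is named `rc` while the named location is `@rhode`; a consistent name would read more clearly.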