comparison docs/setup.rst @ 2031:82a88013a3fd

merge 1.3 into stable
author Marcin Kuzminski <marcin@python-works.com>
date Sun, 26 Feb 2012 17:25:09 +0200
parents 752b0a7b7679 03a549b35c57
children ecd59c28f432
2005:ab0e122b38a7 2031:82a88013a3fd
344 344
345 All other LDAP settings will likely be site-specific and should be 345 All other LDAP settings will likely be site-specific and should be
346 appropriately configured. 346 appropriately configured.
347 347
348 348
349 Authentication by container or reverse-proxy
350 --------------------------------------------
351
352 Starting with version 1.3, RhodeCode supports delegating the authentication
353 of users to its WSGI container, or to a reverse-proxy server through which all
354 clients access the application.
355
356 When these authentication methods are enabled in RhodeCode, it uses the
357 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't
358 perform the authentication itself. The authorization, however, is still done by
359 RhodeCode according to its settings.
360
361 When a user logs in for the first time using these authentication methods,
362 a matching user account is created in RhodeCode with default permissions. An
363 administrator can then modify it using RhodeCode's admin interface.
364 It's also possible for an administrator to create accounts and configure their
365 permissions before the user logs in for the first time.
366
367 Container-based authentication
368 ''''''''''''''''''''''''''''''
369
370 In a container-based authentication setup, RhodeCode reads the user name from
371 the ``REMOTE_USER`` server variable provided by the WSGI container.
372
373 After setting up your container (see `Apache's WSGI config`_), you'd need
374 to configure it to require authentication on the location configured for
375 RhodeCode.
376
377 In order for RhodeCode to start using the provided username, you should set the
378 following in the [app:main] section of your .ini file::
379
380 container_auth_enabled = true
381
382
383 Proxy pass-through authentication
384 '''''''''''''''''''''''''''''''''
385
386 In a proxy pass-through authentication setup, RhodeCode reads the user name
387 from the ``X-Forwarded-User`` request header, which should be configured to be
388 sent by the reverse-proxy server.
389
390 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
391 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'd need to
392 configure the authentication and add the username in a request header named
393 ``X-Forwarded-User``.
394
395 For example, the following config section for Apache sets a subdirectory in a
396 reverse-proxy setup with basic auth::
397
398 <Location /<someprefix> >
399 ProxyPass http://127.0.0.1:5000/<someprefix>
400 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
401 SetEnvIf X-Url-Scheme https HTTPS=1
402
403 AuthType Basic
404 AuthName "RhodeCode authentication"
405 AuthUserFile /home/web/rhodecode/.htpasswd
406 require valid-user
407
408 RequestHeader unset X-Forwarded-User
409
410 RewriteEngine On
411 RewriteCond %{LA-U:REMOTE_USER} (.+)
412 RewriteRule .* - [E=RU:%1]
413 RequestHeader set X-Forwarded-User %{RU}e
414 </Location>
415
416 In order for RhodeCode to start using the forwarded username, you should set
417 the following in the [app:main] section of your .ini file::
418
419 proxypass_auth_enabled = true
420
421 .. note::
422 If you enable proxy pass-through authentication, make sure your server is
423 only accessible through the proxy. Otherwise, any client would be able to
424 forge the authentication header and could effectively become authenticated
425 using any account of their liking.
426
427 Integration with Issue trackers
428 -------------------------------
429
430 RhodeCode provides a simple integration with issue trackers. It's possible
431 to define a regular expression that will fetch issue id stored in commit
432 messages and replace that with an url to this issue. To enable this simply
433 uncomment following variables in the ini file::
434
435 url_pat = (?:^#|\s#)(\w+)
436 issue_server_link = https://myissueserver.com/{repo}/issue/{id}
437 issue_prefix = #
438
439 `url_pat` is the regular expression that will fetch issues from commit messages.
440 Default regex will match issues in format of #<number> eg. #300.
441
442 Matched issues will be replace with the link specified as `issue_server_link`
443 {id} will be replaced with issue id, and {repo} with repository name.
444 Since the # is striped `issue_prefix` is added as a prefix to url.
445 `issue_prefix` can be something different than # if you pass
446 ISSUE- as issue prefix this will generate an url in format::
447
448 <a href="https://myissueserver.com/example_repo/issue/300">ISSUE-300</a>
349 449
350 Hook management 450 Hook management
351 --------------- 451 ---------------
352 452
353 Hooks can be managed in similar way to this used in .hgrc files. 453 Hooks can be managed in similar way to this used in .hgrc files.
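Review bot: The note closing the proxy pass-through section (new lines 421-425) says the server must only be accessible through the proxy, but it does not say how to achieve that. Since the Apache example already proxies to ``http://127.0.0.1:5000``, say explicitly that the RhodeCode backend should listen only on the loopback address or be firewalled to the proxy host. The example also relies on mod_rewrite and mod_headers, which the text never mentions. In the issue tracker text, ``url_pat`` captures ``(\w+)``, which matches any word characters, while the prose describes the default format as #<number>; either tighten the pattern to ``\d+`` or correct the description. Typos in the same paragraph: "replace" should be "replaced" and "striped" should be "stripped".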
357 There are 4 built in hooks that cannot be changed (only enable/disable by 457 There are 4 built in hooks that cannot be changed (only enable/disable by
358 checkboxes on previos section). 458 checkboxes on previos section).
359 To add another custom hook simply fill in first section with 459 To add another custom hook simply fill in first section with
360 <name>.<hook_type> and the second one with hook path. Example hooks 460 <name>.<hook_type> and the second one with hook path. Example hooks
361 can be found at *rhodecode.lib.hooks*. 461 can be found at *rhodecode.lib.hooks*.
462
463
464 Changing default encoding
465 -------------------------
466
467 By default RhodeCode uses utf8 encoding, starting from 1.3 series this
468 can be changed, simply edit default_encoding in .ini file to desired one.
469 This affects many parts in rhodecode including commiters names, filenames,
470 encoding of commit messages. In addition RhodeCode can detect if `chardet`
471 library is installed. If `chardet` is detected RhodeCode will fallback to it
472 when there are encode/decode errors.
362 473
363 474
364 Setting Up Celery 475 Setting Up Celery
365 ----------------- 476 -----------------
366 477
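Review bot: The new "Changing default encoding" paragraph (new lines 467-472) names ``default_encoding`` but, unlike the authentication sections added in this same change, neither says which section of the .ini file the setting belongs to nor shows an example line; add both so the reader does not have to guess. Wording: "commiters" should be "committers", "rhodecode" should be capitalised as it is elsewhere in the file, and "will fallback to it" should be "will fall back to it".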
395 Nginx virtual host example 506 Nginx virtual host example
396 -------------------------- 507 --------------------------
397 508
398 Sample config for nginx using proxy:: 509 Sample config for nginx using proxy::
399 510
511 upstream rc {
512 server 127.0.0.1:5000;
513 # add more instances for load balancing
514 #server 127.0.0.1:5001;
515 #server 127.0.0.1:5002;
516 }
517
400 server { 518 server {
401 listen 80; 519 listen 80;
402 server_name hg.myserver.com; 520 server_name hg.myserver.com;
403 access_log /var/log/nginx/rhodecode.access.log; 521 access_log /var/log/nginx/rhodecode.access.log;
404 error_log /var/log/nginx/rhodecode.error.log; 522 error_log /var/log/nginx/rhodecode.error.log;
523
405 location / { 524 location / {
406 root /var/www/rhodecode/rhodecode/public/; 525 try_files $uri @rhode;
407 if (!-f $request_filename){
408 proxy_pass http://127.0.0.1:5000;
409 }
410 #this is important if you want to use https !!!
411 proxy_set_header X-Url-Scheme $scheme;
412 include /etc/nginx/proxy.conf;
413 } 526 }
527
528 location @rhode {
529 proxy_pass http://rc;
530 include /etc/nginx/proxy.conf;
531 }
532
414 } 533 }
415 534
416 Here's the proxy.conf. It's tuned so it will not timeout on long 535 Here's the proxy.conf. It's tuned so it will not timeout on long
417 pushes or large pushes:: 536 pushes or large pushes::
418 537
419 proxy_redirect off; 538 proxy_redirect off;
420 proxy_set_header Host $host; 539 proxy_set_header Host $host;
540 proxy_set_header X-Url-Scheme $scheme;
421 proxy_set_header X-Host $http_host; 541 proxy_set_header X-Host $http_host;
422 proxy_set_header X-Real-IP $remote_addr; 542 proxy_set_header X-Real-IP $remote_addr;
423 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 543 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
424 proxy_set_header Proxy-host $proxy_host; 544 proxy_set_header Proxy-host $proxy_host;
425 client_max_body_size 400m; 545 client_max_body_size 400m;
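Review bot: Neither the rewritten server block nor proxy.conf sets or clears ``X-Forwarded-User``, yet the proxy pass-through section added in this change refers readers to this Nginx example. nginx forwards client request headers to the upstream unchanged by default, so with ``proxypass_auth_enabled = true`` a client-supplied ``X-Forwarded-User`` would reach RhodeCode as-is. Add an authenticated variant of the example that includes ``proxy_set_header X-Forwarded-User $remote_user;`` together with the ``auth_basic`` directives, or at least clear the header by setting it to an empty value in proxy.conf. Separately, the new ``location /`` uses ``try_files $uri @rhode`` but the ``root /var/www/rhodecode/rhodecode/public/;`` line was dropped, so ``$uri`` is no longer resolved against RhodeCode's public directory; keep the ``root`` line if nginx is still meant to serve the static files.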