Mercurial > kallithea

comparison docs/setup.rst @ 4501:a68fc4abeda3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue #7 remove obsolete configuration
author domruf <dominikruf@gmail.com>
date Wed, 27 Aug 2014 21:50:25 +0200
parents 8e26c46e9abe
children a9a1560dad79
comparison
equal deleted inserted replaced
4500:e69d34136be5 4501:a68fc4abeda3
366 366
367 367
368 Authentication by container or reverse-proxy 368 Authentication by container or reverse-proxy
369 -------------------------------------------- 369 --------------------------------------------
370 370
371 Starting with version 1.3, Kallithea supports delegating the authentication 371 Kallithea supports delegating the authentication
372 of users to its WSGI container, or to a reverse-proxy server through which all 372 of users to its WSGI container, or to a reverse-proxy server through which all
373 clients access the application. 373 clients access the application.
374 374
375 When these authentication methods are enabled in Kallithea, it uses the 375 When these authentication methods are enabled in Kallithea, it uses the
376 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't 376 username that the container/proxy (Apache/Nginx/etc) authenticated and doesn't
381 a matching user account is created in Kallithea with default permissions. An 381 a matching user account is created in Kallithea with default permissions. An
382 administrator can then modify it using Kallithea's admin interface. 382 administrator can then modify it using Kallithea's admin interface.
383 It's also possible for an administrator to create accounts and configure their 383 It's also possible for an administrator to create accounts and configure their
384 permissions before the user logs in for the first time. 384 permissions before the user logs in for the first time.
385 385
386
386 Container-based authentication 387 Container-based authentication
387 '''''''''''''''''''''''''''''' 388 ''''''''''''''''''''''''''''''
388 389
389 In a container-based authentication setup, Kallithea reads the user name from 390 In a container-based authentication setup, Kallithea reads the user name from
390 the ``REMOTE_USER`` server variable provided by the WSGI container. 391 the ``REMOTE_USER`` server variable provided by the WSGI container.
391 392
392 After setting up your container (see `Apache's WSGI config`_), you'd need 393 After setting up your container (see `Apache's WSGI config`_), you'd need
393 to configure it to require authentication on the location configured for 394 to configure it to require authentication on the location configured for
394 Kallithea. 395 Kallithea.
395
396 In order for Kallithea to start using the provided username, you should set the
397 following in the [app:main] section of your .ini file::
398
399 container_auth_enabled = true
400 396
401 397
402 Proxy pass-through authentication 398 Proxy pass-through authentication
403 ''''''''''''''''''''''''''''''''' 399 '''''''''''''''''''''''''''''''''
404 400
430 RewriteCond %{LA-U:REMOTE_USER} (.+) 426 RewriteCond %{LA-U:REMOTE_USER} (.+)
431 RewriteRule .* - [E=RU:%1] 427 RewriteRule .* - [E=RU:%1]
432 RequestHeader set X-Forwarded-User %{RU}e 428 RequestHeader set X-Forwarded-User %{RU}e
433 </Location> 429 </Location>
434 430
435 In order for Kallithea to start using the forwarded username, you should set
436 the following in the [app:main] section of your .ini file::
437
438 proxypass_auth_enabled = true
439 431
440 .. note:: 432 .. note::
441 If you enable proxy pass-through authentication, make sure your server is 433 If you enable proxy pass-through authentication, make sure your server is
442 only accessible through the proxy. Otherwise, any client would be able to 434 only accessible through the proxy. Otherwise, any client would be able to
443 forge the authentication header and could effectively become authenticated 435 forge the authentication header and could effectively become authenticated