Changes between Version 1 and Version 2 of TracModWSGI
- Timestamp:
- 2015-04-01T12:42:00Z (10 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
TracModWSGI
v1 v2 1 = Trac and mod_wsgi =2 3 [http ://code.google.com/p/modwsgi/mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance.1 = Trac and mod_wsgi 2 3 [https://github.com/GrahamDumpleton/mod_wsgi mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance. 4 4 5 5 [[PageOutline(2-3,Overview,inline)]] … … 7 7 == The `trac.wsgi` script 8 8 9 Trac can be run on top of mod_wsgi with the help of the following application script, which is just a Python file, though usually saved with a `.wsgi` extension. 9 Trac can be run on top of mod_wsgi with the help of an application script, which is just a Python file saved with a `.wsgi` extension. 10 11 A robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin. The script should be sufficient for most installations and users not wanting more information can proceed to [#Mappingrequeststothescript configuring Apache]. 12 13 If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in trac.wsgi: 14 {{{#!python 15 def application(environ, start_request): 16 # Add this to config when you have multiple projects 17 environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects') 18 .. 19 }}} 10 20 11 21 === A very basic script … … 61 71 Change it according to the path you installed the Trac libs at. 62 72 63 === Recommended `trac.wsgi` script64 65 A somewhat robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin.66 67 If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in the trac.wsgi in trac.wsgi: ''68 69 {{{#!python70 def application(environ, start_request):71 Add this to config when you have multiple projects72 environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects')73 ..74 ..75 }}}76 77 73 == Mapping requests to the script 78 74 79 75 After preparing your .wsgi script, add the following to your Apache configuration file, typically `httpd.conf`: 80 76 81 {{{ 77 {{{#!apache 82 78 WSGIScriptAlias /trac /usr/local/trac/mysite/apache/mysite.wsgi 83 79 … … 93 89 If you followed the directions [TracInstall#cgi-bin Generating the Trac cgi-bin directory], your Apache configuration file should look like following: 94 90 95 {{{ 91 {{{#!apache 96 92 WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi 97 93 … … 119 115 The following sections describe different methods for setting up authentication. See also [http://httpd.apache.org/docs/2.2/howto/auth.html Authentication, Authorization and Access Control] in the Apache guide. 120 116 121 === Using Basic Authentication ===117 === Using Basic Authentication 122 118 123 119 The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program as follows: 124 {{{ 120 {{{#!sh 125 121 $ htpasswd -c /somewhere/trac.htpasswd admin 126 122 New password: <type password> … … 130 126 131 127 After the first user, you don't need the "-c" option anymore: 132 {{{ 128 {{{#!sh 133 129 $ htpasswd /somewhere/trac.htpasswd john 134 130 New password: <type password> … … 142 138 143 139 Now, you need to enable authentication against the password file in the Apache configuration: 144 {{{ 140 {{{#!apache 145 141 <Location "/trac/login"> 146 142 AuthType Basic … … 152 148 153 149 If you are hosting multiple projects, you can use the same password file for all of them: 154 {{{ 150 {{{#!apache 155 151 <LocationMatch "/trac/[^/]+/login"> 156 152 AuthType Basic … … 163 159 See also the [http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html mod_auth_basic] documentation. 164 160 165 === Using Digest Authentication ===161 === Using Digest Authentication 166 162 167 163 For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. 168 164 169 165 You have to create your `.htpasswd` file with the `htdigest` command instead of `htpasswd`, as follows: 170 {{{ 171 #htdigest -c /somewhere/trac.htpasswd trac admin166 {{{#!sh 167 $ htdigest -c /somewhere/trac.htpasswd trac admin 172 168 }}} 173 169 174 170 The "trac" parameter above is the "realm", and will have to be reused in the Apache configuration in the !AuthName directive: 175 171 176 {{{ 172 {{{#!apache 177 173 <Location "/trac/login"> 178 179 AuthType Digest 180 AuthName "trac" 181 AuthDigestDomain /trac 182 AuthUserFile /somewhere/trac.htpasswd 183 Require valid-user 174 AuthType Digest 175 AuthName "trac" 176 AuthDigestDomain /trac 177 AuthUserFile /somewhere/trac.htpasswd 178 Require valid-user 184 179 </Location> 185 180 }}} … … 190 185 191 186 Don't forget to activate the mod_auth_digest. For example, on a Debian 4.0r1 (etch) system: 192 {{{ 193 187 {{{#!apache 188 LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so 194 189 }}} 195 190 … … 201 196 202 197 1. You need to load the following modules in Apache httpd.conf: 203 {{{ 204 LoadModule ldap_module modules/mod_ldap.so 205 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 206 }}} 207 208 2. Your httpd.conf also needs to look something like: 209 210 {{{ 198 {{{#!apache 199 LoadModule ldap_module modules/mod_ldap.so 200 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 201 }}} 202 1. Your httpd.conf also needs to look something like: 203 {{{#!apache 211 204 <Location /trac/> 212 205 # (if you're using it, mod_python specific settings go here) … … 222 215 </Location> 223 216 }}} 224 225 3. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory: 226 227 Use the following as your LDAP URL: 228 {{{ 229 AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" 230 }}} 231 232 You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task: 233 {{{ 234 AuthLDAPBindDN [email protected] 235 AuthLDAPBindPassword "password" 236 }}} 237 238 The whole section looks like: 239 {{{ 217 1. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory. Use the following as your LDAP URL: 218 {{{#!apache 219 AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" 220 }}} 221 You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task: 222 {{{#!apache 223 AuthLDAPBindDN [email protected] 224 AuthLDAPBindPassword "password" 225 }}} 226 The whole section looks like: 227 {{{#!apache 240 228 <Location /trac/> 241 229 # (if you're using it, mod_python specific settings go here) … … 251 239 authzldapauthoritative Off 252 240 # require valid-user 253 require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com241 Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com 254 242 </Location> 255 243 }}} … … 258 246 259 247 Note 2: You can also require the user be a member of a certain LDAP group, instead of just having a valid login: 260 {{{ 261 248 {{{#!apache 249 Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com 262 250 }}} 263 251 … … 270 258 271 259 If you are using Apache on Windows, you can use mod_auth_sspi to provide single-sign-on. Download the module from the !SourceForge [http://sourceforge.net/projects/mod-auth-sspi/ mod-auth-sspi project] and then add the following to your !VirtualHost: 272 {{{ 273 274 275 276 277 278 279 280 281 282 283 260 {{{#!apache 261 <Location /trac/login> 262 AuthType SSPI 263 AuthName "Trac Login" 264 SSPIAuth On 265 SSPIAuthoritative On 266 SSPIDomain MyLocalDomain 267 SSPIOfferBasic On 268 SSPIOmitDomain Off 269 SSPIBasicPreferred On 270 Require valid-user 271 </Location> 284 272 }}} 285 273 … … 297 285 298 286 Here is an example (from the !HttpAuthStore link) using acct_mgr-0.4 for hosting a single project: 299 {{{ 287 {{{#!ini 300 288 [components] 301 289 ; be sure to enable the component … … 308 296 }}} 309 297 This will generally be matched with an Apache config like: 310 {{{ 298 {{{#!apache 311 299 <Location /authFile> 312 300 …HTTP authentication configuration… … … 325 313 326 314 Create the htpasswd file: 327 {{{ 315 {{{#!sh 328 316 cd /home/trac-for-my-proj/the-env 329 317 htpasswd -c htpasswd firstuser … … 335 323 Create this file e.g. (ubuntu) `/etc/apache2/sites-enabled/trac.my-proj.my-site.org.conf` with the following content: 336 324 337 {{{ 325 {{{#!apache 338 326 <Directory /home/trac-for-my-proj/the-deploy/cgi-bin/trac.wsgi> 339 327 WSGIApplicationGroup %{GLOBAL} … … 368 356 If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 0.3.4 or greater. See [trac:#10675] for details. 369 357 370 === Getting Trac to work nicely with SSPI and 'Require Group' ===358 === Getting Trac to work nicely with SSPI and 'Require Group' 371 359 372 360 If you have set Trac up on Apache, Win32 and configured SSPI, but added a 'Require group' option to your apache configuration, then the SSPIOmitDomain option is probably not working. If it is not working, your usernames in Trac probably look like 'DOMAIN\user' rather than 'user'. … … 386 374 }}} 387 375 388 === Trac with PostgreSQL ===376 === Trac with PostgreSQL 389 377 390 378 When using the mod_wsgi adapter with multiple Trac instances and PostgreSQL (or MySQL?) as the database, the server ''may'' create a lot of open database connections and thus PostgreSQL processes.