Changes between Version 2 and Version 3 of TracModWSGI

Timestamp:

Apr 16, 2016, 7:07:21 PM (8 years ago)

Author:

trac

Comment:

--

TracModWSGI

@@ -1 @@
-= Trac and mod_wsgi =
-
-[http://code.google.com/p/modwsgi/ mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance.
+= Trac and mod_wsgi
+
+[https://github.com/GrahamDumpleton/mod_wsgi mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance.
 
 [[PageOutline(2-3,Overview,inline)]]
@@ -7 +7 @@
 == The `trac.wsgi` script
 
-Trac can be run on top of mod_wsgi with the help of the following application script, which is just a Python file, though usually saved with a `.wsgi` extension. 
+Trac can be run on top of mod_wsgi with the help of an application script, which is just a Python file saved with a `.wsgi` extension. 
+
+A robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin. The script should be sufficient for most installations and users not wanting more information can proceed to [#Mappingrequeststothescript configuring Apache].
+
+If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in trac.wsgi:
+{{{#!python
+def application(environ, start_request):
+    # Add this to config when you have multiple projects                                             
+    environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects')  
+    ..
+}}}
 
 === A very basic script
@@ -61 +71 @@
 Change it according to the path you installed the Trac libs at.
 
-=== Recommended `trac.wsgi` script
-
-A somewhat robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin.
-
-If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in the trac.wsgi in trac.wsgi: ''
-
-{{{#!python
-  def application(environ, start_request):
-      Add this to config when you have multiple projects                                             
-      environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects')  
-      ..
-      ..
-}}}
-
 == Mapping requests to the script
 
 After preparing your .wsgi script, add the following to your Apache configuration file, typically `httpd.conf`:
 
-{{{
+{{{#!apache
 WSGIScriptAlias /trac /usr/local/trac/mysite/apache/mysite.wsgi
 
 <Directory /usr/local/trac/mysite/apache>
     WSGIApplicationGroup %{GLOBAL}
-    Order deny,allow
-    Allow from all
+    # For Apache 2.2
+    <IfModule !mod_authz_core.c>
+        Order deny,allow
+        Allow from all
+    </IfModule>
+    # For Apache 2.4
+    <IfModule mod_authz_core.c>
+        Require all granted
+    </IfModule>
 </Directory>
 }}}
@@ -93 +96 @@
 If you followed the directions [TracInstall#cgi-bin Generating the Trac cgi-bin directory], your Apache configuration file should look like following:
 
-{{{
+{{{#!apache
 WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi
 
 <Directory /usr/share/trac/cgi-bin>
     WSGIApplicationGroup %{GLOBAL}
-    Order deny,allow
-    Allow from all
+    # For Apache 2.2
+    <IfModule !mod_authz_core.c>
+        Order deny,allow
+        Allow from all
+    </IfModule>
+    # For Apache 2.4
+    <IfModule mod_authz_core.c>
+        Require all granted
+    </IfModule>
 </Directory>
 }}}
@@ -119 +129 @@
 The following sections describe different methods for setting up authentication. See also [http://httpd.apache.org/docs/2.2/howto/auth.html Authentication, Authorization and Access Control] in the Apache guide.
 
-=== Using Basic Authentication ===
+=== Using Basic Authentication
 
 The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program as follows:
-{{{
+{{{#!sh
 $ htpasswd -c /somewhere/trac.htpasswd admin
 New password: <type password>
@@ -130 +140 @@
 
 After the first user, you don't need the "-c" option anymore:
-{{{
+{{{#!sh
 $ htpasswd /somewhere/trac.htpasswd john
 New password: <type password>
@@ -142 +152 @@
 
 Now, you need to enable authentication against the password file in the Apache configuration:
-{{{
+{{{#!apache
 <Location "/trac/login">
   AuthType Basic
@@ -152 +162 @@
 
 If you are hosting multiple projects, you can use the same password file for all of them:
-{{{
+{{{#!apache
 <LocationMatch "/trac/[^/]+/login">
   AuthType Basic
@@ -163 +173 @@
 See also the [http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html mod_auth_basic] documentation.
 
-=== Using Digest Authentication ===
+=== Using Digest Authentication
 
 For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. 
 
 You have to create your `.htpasswd` file with the `htdigest` command instead of `htpasswd`, as follows:
-{{{
-# htdigest -c /somewhere/trac.htpasswd trac admin
+{{{#!sh
+$ htdigest -c /somewhere/trac.htpasswd trac admin
 }}}
 
 The "trac" parameter above is the "realm", and will have to be reused in the Apache configuration in the !AuthName directive:
 
-{{{
+{{{#!apache
 <Location "/trac/login">
-
-    AuthType Digest
-    AuthName "trac"
-    AuthDigestDomain /trac
-    AuthUserFile /somewhere/trac.htpasswd
-    Require valid-user
+  AuthType Digest
+  AuthName "trac"
+  AuthDigestDomain /trac
+  AuthUserFile /somewhere/trac.htpasswd
+  Require valid-user
 </Location>
 }}}
@@ -190 +199 @@
 
 Don't forget to activate the mod_auth_digest. For example, on a Debian 4.0r1 (etch) system:
-{{{
-    LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so
+{{{#!apache
+  LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so
 }}}
 
@@ -201 +210 @@
 
 1. You need to load the following modules in Apache httpd.conf:
-{{{
-LoadModule ldap_module modules/mod_ldap.so
-LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
-}}}
-
-2. Your httpd.conf also needs to look something like:
-
-{{{
+{{{#!apache
+  LoadModule ldap_module modules/mod_ldap.so
+  LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+}}}
+1. Your httpd.conf also needs to look something like:
+{{{#!apache
 <Location /trac/>
   # (if you're using it, mod_python specific settings go here)
@@ -222 +229 @@
 </Location>
 }}}
-
-3. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory:
-
-Use the following as your LDAP URL:
-{{{
-    AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
-}}}
-
-You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task:
-{{{
-    AuthLDAPBindDN ldap-auth-user@example.com
-    AuthLDAPBindPassword "password"
-}}}
-
-The whole section looks like:
-{{{
+1. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory. Use the following as your LDAP URL:
+{{{#!apache
+  AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
+}}}
+ You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task:
+{{{#!apache
+  AuthLDAPBindDN ldap-auth-user@example.com
+  AuthLDAPBindPassword "password"
+}}}
+ The whole section looks like:
+{{{#!apache
 <Location /trac/>
   # (if you're using it, mod_python specific settings go here)
@@ -251 +253 @@
   authzldapauthoritative Off
   # require valid-user
-  require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
+  Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
 </Location>
 }}}
@@ -258 +260 @@
 
 Note 2: You can also require the user be a member of a certain LDAP group, instead of just having a valid login:
-{{{
-    Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com
+{{{#!apache
+  Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com
 }}}
 
@@ -270 +272 @@
 
 If you are using Apache on Windows, you can use mod_auth_sspi to provide single-sign-on. Download the module from the !SourceForge [http://sourceforge.net/projects/mod-auth-sspi/ mod-auth-sspi project] and then add the following to your !VirtualHost:
-{{{
-    <Location /trac/login>
-        AuthType SSPI
-        AuthName "Trac Login"
-        SSPIAuth On
-        SSPIAuthoritative On
-        SSPIDomain MyLocalDomain
-        SSPIOfferBasic On
-        SSPIOmitDomain Off
-        SSPIBasicPreferred On
-        Require valid-user
-    </Location>
+{{{#!apache
+<Location /trac/login>
+  AuthType SSPI
+  AuthName "Trac Login"
+  SSPIAuth On
+  SSPIAuthoritative On
+  SSPIDomain MyLocalDomain
+  SSPIOfferBasic On
+  SSPIOmitDomain Off
+  SSPIBasicPreferred On
+  Require valid-user
+</Location>
 }}}
 
@@ -290 +292 @@
 See also [trac:TracOnWindows/Advanced].
 
+=== Using CA !SiteMinder Authentication
+Setup CA !SiteMinder to protect your Trac login URL (e.g. /trac/login).  Then modify the trac.wsgi script generated using `trac-admin <env> deploy <dir>` to add the following lines, which extract the HTTP_SM_USER variable and set it to REMOTE_USER:
+
+{{{#!python
+def application(environ, start_request): 
+    # Set authenticated username on CA SiteMinder to REMOTE_USER variable 
+    # strip() is used to remove any spaces on the end of the string
+    if 'HTTP_SM_USER' in environ: 
+        environ['REMOTE_USER'] = environ['HTTP_SM_USER'].strip()
+    ...
+}}}
+
+Note:  you do not need any Apache "Location" directives.
+
 === Using Apache authentication with the Account Manager plugin's Login form ===
 
@@ -297 +313 @@
 
 Here is an example (from the !HttpAuthStore link) using acct_mgr-0.4 for hosting a single project:
-{{{
+{{{#!ini
 [components]
 ; be sure to enable the component
@@ -308 +324 @@
 }}}
 This will generally be matched with an Apache config like:
-{{{
+{{{#!apache
 <Location /authFile>
    …HTTP authentication configuration…
@@ -325 +341 @@
 
 Create the htpasswd file:
-{{{
+{{{#!sh
 cd /home/trac-for-my-proj/the-env
 htpasswd -c htpasswd firstuser
@@ -335 +351 @@
 Create this file e.g. (ubuntu) `/etc/apache2/sites-enabled/trac.my-proj.my-site.org.conf` with the following content:
 
-{{{
+{{{#!apache
 <Directory /home/trac-for-my-proj/the-deploy/cgi-bin/trac.wsgi>
   WSGIApplicationGroup %{GLOBAL}
@@ -366 +382 @@
 ''Note: using mod_wsgi 2.5 and Python 2.6.1 gave an Internal Server Error on my system (Apache 2.2.11 and Trac 0.11.2.1). Upgrading to Python 2.6.2 (as suggested [http://www.mail-archive.com/modwsgi@googlegroups.com/msg01917.html here]) solved this for me[[BR]]-- Graham Shanks''
 
-If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 0.3.4 or greater. See [trac:#10675] for details.
-
-=== Getting Trac to work nicely with SSPI and 'Require Group' ===
+If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 3.4 or greater. See [trac:#10675] for details.
+
+=== Getting Trac to work nicely with SSPI and 'Require Group'
 
 If you have set Trac up on Apache, Win32 and configured SSPI, but added a 'Require group' option to your apache configuration, then the SSPIOmitDomain option is probably not working. If it is not working, your usernames in Trac probably look like 'DOMAIN\user' rather than 'user'.
@@ -386 +402 @@
 }}}
 
-=== Trac with PostgreSQL ===
+=== Trac with PostgreSQL
 
 When using the mod_wsgi adapter with multiple Trac instances and PostgreSQL (or MySQL?) as the database, the server ''may'' create a lot of open database connections and thus PostgreSQL processes.