Changes between Version 2 and Version 3 of TracModWSGI
- Timestamp: Apr 16, 2016, 7:07:21 PM (9 years ago)
TracModWSGI
v2 v3 1 = Trac and mod_wsgi =2 3 [http ://code.google.com/p/modwsgi/mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance.1 = Trac and mod_wsgi 2 3 [https://github.com/GrahamDumpleton/mod_wsgi mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance. 4 4 5 5 [[PageOutline(2-3,Overview,inline)]] … … 7 7 == The `trac.wsgi` script 8 8 9 Trac can be run on top of mod_wsgi with the help of the following application script, which is just a Python file, though usually saved with a `.wsgi` extension. 9 Trac can be run on top of mod_wsgi with the help of an application script, which is just a Python file saved with a `.wsgi` extension. 10 11 A robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin. The script should be sufficient for most installations and users not wanting more information can proceed to [#Mappingrequeststothescript configuring Apache]. 12 13 If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in trac.wsgi: 14 {{{#!python 15 def application(environ, start_request): 16 # Add this to config when you have multiple projects 17 environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects') 18 .. 19 }}} 10 20 11 21 === A very basic script … … 61 71 Change it according to the path you installed the Trac libs at. 
62 72 63 === Recommended `trac.wsgi` script64 65 A somewhat robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin.66 67 If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in the trac.wsgi in trac.wsgi: ''68 69 {{{#!python70 def application(environ, start_request):71 Add this to config when you have multiple projects72 environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects')73 ..74 ..75 }}}76 77 73 == Mapping requests to the script 78 74 79 75 After preparing your .wsgi script, add the following to your Apache configuration file, typically `httpd.conf`: 80 76 81 {{{ 77 {{{#!apache 82 78 WSGIScriptAlias /trac /usr/local/trac/mysite/apache/mysite.wsgi 83 79 84 80 <Directory /usr/local/trac/mysite/apache> 85 81 WSGIApplicationGroup %{GLOBAL} 86 Order deny,allow 87 Allow from all 82 # For Apache 2.2 83 <IfModule !mod_authz_core.c> 84 Order deny,allow 85 Allow from all 86 </IfModule> 87 # For Apache 2.4 88 <IfModule mod_authz_core.c> 89 Require all granted 90 </IfModule> 88 91 </Directory> 89 92 }}} … … 93 96 If you followed the directions [TracInstall#cgi-bin Generating the Trac cgi-bin directory], your Apache configuration file should look like following: 94 97 95 {{{ 98 {{{#!apache 96 99 WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi 97 100 98 101 <Directory /usr/share/trac/cgi-bin> 99 102 WSGIApplicationGroup %{GLOBAL} 100 Order deny,allow 101 Allow from all 103 # For Apache 2.2 104 <IfModule !mod_authz_core.c> 105 Order deny,allow 106 Allow from all 107 </IfModule> 108 # For Apache 2.4 109 <IfModule mod_authz_core.c> 110 Require all granted 111 </IfModule> 102 112 </Directory> 103 113 }}} … … 119 129 The following sections describe different methods for setting up authentication. 
See also [http://httpd.apache.org/docs/2.2/howto/auth.html Authentication, Authorization and Access Control] in the Apache guide. 120 130 121 === Using Basic Authentication ===131 === Using Basic Authentication 122 132 123 133 The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program as follows: 124 {{{ 134 {{{#!sh 125 135 $ htpasswd -c /somewhere/trac.htpasswd admin 126 136 New password: <type password> … … 130 140 131 141 After the first user, you don't need the "-c" option anymore: 132 {{{ 142 {{{#!sh 133 143 $ htpasswd /somewhere/trac.htpasswd john 134 144 New password: <type password> … … 142 152 143 153 Now, you need to enable authentication against the password file in the Apache configuration: 144 {{{ 154 {{{#!apache 145 155 <Location "/trac/login"> 146 156 AuthType Basic … … 152 162 153 163 If you are hosting multiple projects, you can use the same password file for all of them: 154 {{{ 164 {{{#!apache 155 165 <LocationMatch "/trac/[^/]+/login"> 156 166 AuthType Basic … … 163 173 See also the [http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html mod_auth_basic] documentation. 164 174 165 === Using Digest Authentication ===175 === Using Digest Authentication 166 176 167 177 For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”. 
168 178 169 179 You have to create your `.htpasswd` file with the `htdigest` command instead of `htpasswd`, as follows: 170 {{{ 171 #htdigest -c /somewhere/trac.htpasswd trac admin180 {{{#!sh 181 $ htdigest -c /somewhere/trac.htpasswd trac admin 172 182 }}} 173 183 174 184 The "trac" parameter above is the "realm", and will have to be reused in the Apache configuration in the !AuthName directive: 175 185 176 {{{ 186 {{{#!apache 177 187 <Location "/trac/login"> 178 179 AuthType Digest 180 AuthName "trac" 181 AuthDigestDomain /trac 182 AuthUserFile /somewhere/trac.htpasswd 183 Require valid-user 188 AuthType Digest 189 AuthName "trac" 190 AuthDigestDomain /trac 191 AuthUserFile /somewhere/trac.htpasswd 192 Require valid-user 184 193 </Location> 185 194 }}} … … 190 199 191 200 Don't forget to activate the mod_auth_digest. For example, on a Debian 4.0r1 (etch) system: 192 {{{ 193 201 {{{#!apache 202 LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so 194 203 }}} 195 204 … … 201 210 202 211 1. You need to load the following modules in Apache httpd.conf: 203 {{{ 204 LoadModule ldap_module modules/mod_ldap.so 205 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 206 }}} 207 208 2. Your httpd.conf also needs to look something like: 209 210 {{{ 212 {{{#!apache 213 LoadModule ldap_module modules/mod_ldap.so 214 LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 215 }}} 216 1. Your httpd.conf also needs to look something like: 217 {{{#!apache 211 218 <Location /trac/> 212 219 # (if you're using it, mod_python specific settings go here) … … 222 229 </Location> 223 230 }}} 224 225 3. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory: 226 227 Use the following as your LDAP URL: 228 {{{ 229 AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" 230 }}} 231 232 You will also need to provide an account for Apache to use when checking credentials. 
As this password will be listed in plaintext in the config, you need to use an account specifically for this task: 233 {{{ 234 AuthLDAPBindDN ldap-auth-user@example.com 235 AuthLDAPBindPassword "password" 236 }}} 237 238 The whole section looks like: 239 {{{ 231 1. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory. Use the following as your LDAP URL: 232 {{{#!apache 233 AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" 234 }}} 235 You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task: 236 {{{#!apache 237 AuthLDAPBindDN ldap-auth-user@example.com 238 AuthLDAPBindPassword "password" 239 }}} 240 The whole section looks like: 241 {{{#!apache 240 242 <Location /trac/> 241 243 # (if you're using it, mod_python specific settings go here) … … 251 253 authzldapauthoritative Off 252 254 # require valid-user 253 require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com255 Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com 254 256 </Location> 255 257 }}} … … 258 260 259 261 Note 2: You can also require the user be a member of a certain LDAP group, instead of just having a valid login: 260 {{{ 261 262 {{{#!apache 263 Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com 262 264 }}} 263 265 … … 270 272 271 273 If you are using Apache on Windows, you can use mod_auth_sspi to provide single-sign-on. 
Download the module from the !SourceForge [http://sourceforge.net/projects/mod-auth-sspi/ mod-auth-sspi project] and then add the following to your !VirtualHost: 272 {{{ 273 274 275 276 277 278 279 280 281 282 283 274 {{{#!apache 275 <Location /trac/login> 276 AuthType SSPI 277 AuthName "Trac Login" 278 SSPIAuth On 279 SSPIAuthoritative On 280 SSPIDomain MyLocalDomain 281 SSPIOfferBasic On 282 SSPIOmitDomain Off 283 SSPIBasicPreferred On 284 Require valid-user 285 </Location> 284 286 }}} 285 287 … … 290 292 See also [trac:TracOnWindows/Advanced]. 291 293 294 === Using CA !SiteMinder Authentication 295 Setup CA !SiteMinder to protect your Trac login URL (e.g. /trac/login). Then modify the trac.wsgi script generated using `trac-admin <env> deploy <dir>` to add the following lines, which extract the HTTP_SM_USER variable and set it to REMOTE_USER: 296 297 {{{#!python 298 def application(environ, start_request): 299 # Set authenticated username on CA SiteMinder to REMOTE_USER variable 300 # strip() is used to remove any spaces on the end of the string 301 if 'HTTP_SM_USER' in environ: 302 environ['REMOTE_USER'] = environ['HTTP_SM_USER'].strip() 303 ... 304 }}} 305 306 Note: you do not need any Apache "Location" directives. 307 292 308 === Using Apache authentication with the Account Manager plugin's Login form === 293 309 … … 297 313 298 314 Here is an example (from the !HttpAuthStore link) using acct_mgr-0.4 for hosting a single project: 299 {{{ 315 {{{#!ini 300 316 [components] 301 317 ; be sure to enable the component … … 308 324 }}} 309 325 This will generally be matched with an Apache config like: 310 {{{ 326 {{{#!apache 311 327 <Location /authFile> 312 328 …HTTP authentication configuration… … … 325 341 326 342 Create the htpasswd file: 327 {{{ 343 {{{#!sh 328 344 cd /home/trac-for-my-proj/the-env 329 345 htpasswd -c htpasswd firstuser … … 335 351 Create this file e.g. 
(ubuntu) `/etc/apache2/sites-enabled/trac.my-proj.my-site.org.conf` with the following content: 336 352 337 {{{ 353 {{{#!apache 338 354 <Directory /home/trac-for-my-proj/the-deploy/cgi-bin/trac.wsgi> 339 355 WSGIApplicationGroup %{GLOBAL} … … 366 382 ''Note: using mod_wsgi 2.5 and Python 2.6.1 gave an Internal Server Error on my system (Apache 2.2.11 and Trac 0.11.2.1). Upgrading to Python 2.6.2 (as suggested [http://www.mail-archive.com/modwsgi@googlegroups.com/msg01917.html here]) solved this for me[[BR]]-- Graham Shanks'' 367 383 368 If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 0.3.4 or greater. See [trac:#10675] for details.369 370 === Getting Trac to work nicely with SSPI and 'Require Group' ===384 If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 3.4 or greater. See [trac:#10675] for details. 385 386 === Getting Trac to work nicely with SSPI and 'Require Group' 371 387 372 388 If you have set Trac up on Apache, Win32 and configured SSPI, but added a 'Require group' option to your apache configuration, then the SSPIOmitDomain option is probably not working. If it is not working, your usernames in Trac probably look like 'DOMAIN\user' rather than 'user'. … … 386 402 }}} 387 403 388 === Trac with PostgreSQL ===404 === Trac with PostgreSQL 389 405 390 406 When using the mod_wsgi adapter with multiple Trac instances and PostgreSQL (or MySQL?) as the database, the server ''may'' create a lot of open database connections and thus PostgreSQL processes.
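Review bot: The prose and the code disagree in the multiple-projects snippet moved up under "The `trac.wsgi` script": the sentence names `TRAC_ENV_PARENT_DIR`, but the code sets the `environ` key `trac.env_parent_dir`, so a reader cannot tell which name belongs in trac.wsgi. Suggest naming the key the snippet actually sets. The block is also tagged `#!python` yet ends in a bare `..`, which is not valid Python; the SiteMinder snippet added later in this change uses `...`, and the two should match. The second parameter is spelled `start_request` in both snippets, where WSGI code conventionally calls it `start_response`.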
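Review bot: The two `<Directory>` blocks now cover Apache 2.4 through `<IfModule mod_authz_core.c>`, but the unchanged "See also" links in the authentication section still point at the 2.2 manual (`docs/2.2/howto/auth.html` and `docs/2.2/mod/mod_auth_basic.html`). Suggest updating those links, or linking both versions, so that readers following the 2.4 branch land on documentation matching `Require all granted`. The identical twelve-line access block is repeated in both examples; a single sentence after the second one saying it is the same block would make future edits less likely to drift.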
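Review bot: In the LDAP section the re-indented `AuthLDAPURL "ldap://directory.example.com:3268/..."` example is kept next to `AuthLDAPBindPassword "password"`, and the text warns only about the password sitting in plaintext in the config. With a plain `ldap://` URL the bind password and every user's password also cross the network unencrypted unless TLS is configured separately, so the step should say so and point to `ldaps://` or a TLS-protected connection, and should recommend restricting read access to the config file. The hunk capitalises `Require ldap-group` but leaves `authzldapauthoritative Off` in lowercase on the line above; that directive exists in Apache 2.2 only, which is worth a comment now that the page documents 2.4 elsewhere. The group DN also differs between the full example (`DC=company,DC=com`) and Note 2 (`DC=example,DC=com`).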
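Review bot: The restored mod_auth_sspi block sets both `SSPIOfferBasic On` and `SSPIBasicPreferred On`, which makes Basic the preferred scheme for `/trac/login`, while the page's own digest section recommends enabling SSL or avoiding Basic. As written, domain passwords are sent Base64-encoded on any connection that is not protected by TLS. Suggest either `SSPIBasicPreferred Off` in the example or a sentence next to it stating that this configuration must only be served over HTTPS.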
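Review bot: The new CA SiteMinder snippet copies `environ['HTTP_SM_USER']` into `REMOTE_USER` on every request with no check on where the header came from, and the note that follows says no Apache "Location" directives are needed. `HTTP_SM_USER` is an ordinary request header as far as the WSGI script can tell, so the section should state the precondition explicitly: every request must pass through the SiteMinder agent, the agent must remove any client-supplied `SM_USER` header, and the Trac backend must not be reachable on a path that bypasses it. It would also help to say that an empty value after `strip()` should not be assigned, since the snippet would then set `REMOTE_USER` to an empty string.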