Changes between Version 6 and Version 7 of TracModWSGI


Ignore:
Timestamp:
Jul 25, 2015, 7:08:55 PM (4 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracModWSGI

    v6 v7  
    1 = Trac and mod_wsgi
    2 
    3 [https://github.com/GrahamDumpleton/mod_wsgi mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance.
     1= Trac and mod_wsgi =
     2
     3[http://code.google.com/p/modwsgi/ mod_wsgi] is an Apache module for running WSGI-compatible Python applications directly on top of the Apache webserver. The mod_wsgi adapter is written completely in C and provides very good performance.
    44
    55[[PageOutline(2-3,Overview,inline)]]
     
    77== The `trac.wsgi` script
    88
    9 Trac can be run on top of mod_wsgi with the help of an application script, which is just a Python file saved with a `.wsgi` extension.
    10 
    11 A robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin. The script should be sufficient for most installations and users not wanting more information can proceed to [#Mappingrequeststothescript configuring Apache].
    12 
    13 If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in trac.wsgi:
    14 {{{#!python
    15 def application(environ, start_request):
    16     # Add this to config when you have multiple projects                                             
    17     environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects') 
    18     ..
    19 }}}
     9Trac can be run on top of mod_wsgi with the help of the following application script, which is just a Python file, though usually saved with a `.wsgi` extension.
    2010
    2111=== A very basic script
     
    7161Change it according to the path you installed the Trac libs at.
    7262
     63=== Recommended `trac.wsgi` script
     64
     65A somewhat robust and generic version of this file can be created using the `trac-admin <env> deploy <dir>` command which automatically substitutes the required paths, see TracInstall#cgi-bin.
     66
     67If you are using Trac with multiple projects, you can specify their common parent directory using the `TRAC_ENV_PARENT_DIR` in the trac.wsgi in trac.wsgi: ''
     68
     69{{{#!python
     70  def application(environ, start_request):
     71      Add this to config when you have multiple projects                                             
     72      environ.setdefault('trac.env_parent_dir', '/usr/share/trac/projects') 
     73      ..
     74      ..
     75}}}
     76
    7377== Mapping requests to the script
    7478
    7579After preparing your .wsgi script, add the following to your Apache configuration file, typically `httpd.conf`:
    7680
    77 {{{#!apache
     81{{{
    7882WSGIScriptAlias /trac /usr/local/trac/mysite/apache/mysite.wsgi
    7983
     
    8993If you followed the directions [TracInstall#cgi-bin Generating the Trac cgi-bin directory], your Apache configuration file should look like following:
    9094
    91 {{{#!apache
     95{{{
    9296WSGIScriptAlias /trac /usr/share/trac/cgi-bin/trac.wsgi
    9397
     
    115119The following sections describe different methods for setting up authentication. See also [http://httpd.apache.org/docs/2.2/howto/auth.html Authentication, Authorization and Access Control] in the Apache guide.
    116120
    117 === Using Basic Authentication
     121=== Using Basic Authentication ===
    118122
    119123The simplest way to enable authentication with Apache is to create a password file. Use the `htpasswd` program as follows:
    120 {{{#!sh
     124{{{
    121125$ htpasswd -c /somewhere/trac.htpasswd admin
    122126New password: <type password>
     
    126130
    127131After the first user, you don't need the "-c" option anymore:
    128 {{{#!sh
     132{{{
    129133$ htpasswd /somewhere/trac.htpasswd john
    130134New password: <type password>
     
    138142
    139143Now, you need to enable authentication against the password file in the Apache configuration:
    140 {{{#!apache
     144{{{
    141145<Location "/trac/login">
    142146  AuthType Basic
     
    148152
    149153If you are hosting multiple projects, you can use the same password file for all of them:
    150 {{{#!apache
     154{{{
    151155<LocationMatch "/trac/[^/]+/login">
    152156  AuthType Basic
     
    159163See also the [http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html mod_auth_basic] documentation.
    160164
    161 === Using Digest Authentication
     165=== Using Digest Authentication ===
    162166
    163167For better security, it is recommended that you either enable SSL or at least use the “digest” authentication scheme instead of “Basic”.
    164168
    165169You have to create your `.htpasswd` file with the `htdigest` command instead of `htpasswd`, as follows:
    166 {{{#!sh
    167 $ htdigest -c /somewhere/trac.htpasswd trac admin
     170{{{
     171# htdigest -c /somewhere/trac.htpasswd trac admin
    168172}}}
    169173
    170174The "trac" parameter above is the "realm", and will have to be reused in the Apache configuration in the !AuthName directive:
    171175
    172 {{{#!apache
     176{{{
    173177<Location "/trac/login">
    174   AuthType Digest
    175   AuthName "trac"
    176   AuthDigestDomain /trac
    177   AuthUserFile /somewhere/trac.htpasswd
    178   Require valid-user
     178
     179    AuthType Digest
     180    AuthName "trac"
     181    AuthDigestDomain /trac
     182    AuthUserFile /somewhere/trac.htpasswd
     183    Require valid-user
    179184</Location>
    180185}}}
     
    185190
    186191Don't forget to activate the mod_auth_digest. For example, on a Debian 4.0r1 (etch) system:
    187 {{{#!apache
    188   LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so
     192{{{
     193    LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so
    189194}}}
    190195
     
    196201
    1972021. You need to load the following modules in Apache httpd.conf:
    198 {{{#!apache
    199   LoadModule ldap_module modules/mod_ldap.so
    200   LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    201 }}}
    202 1. Your httpd.conf also needs to look something like:
    203 {{{#!apache
     203{{{
     204LoadModule ldap_module modules/mod_ldap.so
     205LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
     206}}}
     207
     2082. Your httpd.conf also needs to look something like:
     209
     210{{{
    204211<Location /trac/>
    205212  # (if you're using it, mod_python specific settings go here)
     
    215222</Location>
    216223}}}
    217 1. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory. Use the following as your LDAP URL:
    218 {{{#!apache
    219   AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    220 }}}
    221  You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task:
    222 {{{#!apache
    223   AuthLDAPBindDN ldap-auth-user@example.com
    224   AuthLDAPBindPassword "password"
    225 }}}
    226  The whole section looks like:
    227 {{{#!apache
     224
     2253. You can use the LDAP interface as a way to authenticate to a Microsoft Active Directory:
     226
     227Use the following as your LDAP URL:
     228{{{
     229    AuthLDAPURL "ldap://directory.example.com:3268/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
     230}}}
     231
     232You will also need to provide an account for Apache to use when checking credentials. As this password will be listed in plaintext in the config, you need to use an account specifically for this task:
     233{{{
     234    AuthLDAPBindDN ldap-auth-user@example.com
     235    AuthLDAPBindPassword "password"
     236}}}
     237
     238The whole section looks like:
     239{{{
    228240<Location /trac/>
    229241  # (if you're using it, mod_python specific settings go here)
     
    239251  authzldapauthoritative Off
    240252  # require valid-user
    241   Require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
     253  require ldap-group CN=Trac Users,CN=Users,DC=company,DC=com
    242254</Location>
    243255}}}
     
    246258
    247259Note 2: You can also require the user be a member of a certain LDAP group, instead of just having a valid login:
    248 {{{#!apache
    249   Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com
     260{{{
     261    Require ldap-group CN=Trac Users,CN=Users,DC=example,DC=com
    250262}}}
    251263
     
    258270
    259271If you are using Apache on Windows, you can use mod_auth_sspi to provide single-sign-on. Download the module from the !SourceForge [http://sourceforge.net/projects/mod-auth-sspi/ mod-auth-sspi project] and then add the following to your !VirtualHost:
    260 {{{#!apache
    261 <Location /trac/login>
    262   AuthType SSPI
    263   AuthName "Trac Login"
    264   SSPIAuth On
    265   SSPIAuthoritative On
    266   SSPIDomain MyLocalDomain
    267   SSPIOfferBasic On
    268   SSPIOmitDomain Off
    269   SSPIBasicPreferred On
    270   Require valid-user
    271 </Location>
     272{{{
     273    <Location /trac/login>
     274        AuthType SSPI
     275        AuthName "Trac Login"
     276        SSPIAuth On
     277        SSPIAuthoritative On
     278        SSPIDomain MyLocalDomain
     279        SSPIOfferBasic On
     280        SSPIOmitDomain Off
     281        SSPIBasicPreferred On
     282        Require valid-user
     283    </Location>
    272284}}}
    273285
     
    285297
    286298Here is an example (from the !HttpAuthStore link) using acct_mgr-0.4 for hosting a single project:
    287 {{{#!ini
     299{{{
    288300[components]
    289301; be sure to enable the component
     
    296308}}}
    297309This will generally be matched with an Apache config like:
    298 {{{#!apache
     310{{{
    299311<Location /authFile>
    300312   …HTTP authentication configuration…
     
    313325
    314326Create the htpasswd file:
    315 {{{#!sh
     327{{{
    316328cd /home/trac-for-my-proj/the-env
    317329htpasswd -c htpasswd firstuser
     
    323335Create this file e.g. (ubuntu) `/etc/apache2/sites-enabled/trac.my-proj.my-site.org.conf` with the following content:
    324336
    325 {{{#!apache
     337{{{
    326338<Directory /home/trac-for-my-proj/the-deploy/cgi-bin/trac.wsgi>
    327339  WSGIApplicationGroup %{GLOBAL}
     
    356368If you plan to use `mod_wsgi` in embedded mode on Windows or with the MPM worker on Linux, then you will need version 0.3.4 or greater. See [trac:#10675] for details.
    357369
    358 === Getting Trac to work nicely with SSPI and 'Require Group'
     370=== Getting Trac to work nicely with SSPI and 'Require Group' ===
    359371
    360372If you have set Trac up on Apache, Win32 and configured SSPI, but added a 'Require group' option to your apache configuration, then the SSPIOmitDomain option is probably not working. If it is not working, your usernames in Trac probably look like 'DOMAIN\user' rather than 'user'.
     
    374386}}}
    375387
    376 === Trac with PostgreSQL
     388=== Trac with PostgreSQL ===
    377389
    378390When using the mod_wsgi adapter with multiple Trac instances and PostgreSQL (or MySQL?) as the database, the server ''may'' create a lot of open database connections and thus PostgreSQL processes.

Search

Context Navigation

ZOO Sponsors

http://www.zoo-project.org/trac/chrome/site/img/geolabs-logo.pnghttp://www.zoo-project.org/trac/chrome/site/img/neogeo-logo.png http://www.zoo-project.org/trac/chrome/site/img/apptech-logo.png http://www.zoo-project.org/trac/chrome/site/img/3liz-logo.png http://www.zoo-project.org/trac/chrome/site/img/gateway-logo.png

Become a sponsor !

Knowledge partners

http://www.zoo-project.org/trac/chrome/site/img/ocu-logo.png http://www.zoo-project.org/trac/chrome/site/img/gucas-logo.png http://www.zoo-project.org/trac/chrome/site/img/polimi-logo.png http://www.zoo-project.org/trac/chrome/site/img/fem-logo.png http://www.zoo-project.org/trac/chrome/site/img/supsi-logo.png http://www.zoo-project.org/trac/chrome/site/img/cumtb-logo.png

Become a knowledge partner

Related links

http://zoo-project.org/img/ogclogo.png http://zoo-project.org/img/osgeologo.png