Changes between Version 2 and Version 3 of TracStandalone


Ignore:
Timestamp:
Jun 30, 2013, 12:50:38 PM (5 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracStandalone

    v2 v3  
    8484Use [http://trac-hacks.org/wiki/WindowsServiceScript WindowsServiceScript], available at [http://trac-hacks.org/ Trac Hacks]. Installs, removes, starts, stops, etc. your Trac service.
    8585
     86=== Option 3 ===
     87
     88also cygwin's cygrunsrv.exe can be used:
     89{{{
     90$ cygrunsrv --install tracd --path /cygdrive/c/Python27/Scripts/tracd.exe --args '--port 8000 --env-parent-dir E:\IssueTrackers\Trac\Projects'
     91$ net start tracd
     92}}}
     93
    8694== Using Authentication ==
     95
     96Tracd allows you to run Trac without the need for Apache, but you can take advantage of Apache's password tools (htpasswd and htdigest) to easily create a password file in the proper format for tracd to use in authentication. (It is also possible to create the password file without htpasswd or htdigest; see below for alternatives)
    8797
    8898Tracd provides support for both Basic and Digest authentication. Digest is considered more secure. The examples below use Digest; to use Basic authentication, replace `--auth` with `--basic-auth` in the command line.
     
    128138This section describes how to use `tracd` with Apache .htpasswd files.
    129139
     140  Note: It is necessary (at least with Python 2.6) to install the fcrypt package in order to
     141  decode some htpasswd formats.  Trac source code attempt an `import crypt` first, but there
     142  is no such package for Python 2.6. Only `SHA-1` passwords (since Trac 1.0) work without this module.
     143
    130144To create a .htpasswd file use Apache's `htpasswd` command (see [#GeneratingPasswordsWithoutApache below] for a method to create these files without using Apache):
    131145{{{
     
    152166If you have Apache available, you can use the htdigest command to generate the password file. Type 'htdigest' to get some usage instructions, or read [http://httpd.apache.org/docs/2.0/programs/htdigest.html this page] from the Apache manual to get precise instructions.  You'll be prompted for a password to enter for each user that you create.  For the name of the password file, you can use whatever you like, but if you use something like `users.htdigest` it will remind you what the file contains. As a suggestion, put it in your <projectname>/conf folder along with the [TracIni trac.ini] file.
    153167
    154 Note that you can start tracd without the --auth argument, but if you click on the ''Login'' link you will get an error.
     168Note that you can start tracd without the `--auth` argument, but if you click on the ''Login'' link you will get an error.
    155169
    156170=== Generating Passwords Without Apache ===
    157171
    158 Basic Authorization can be accomplished via this [http://www.4webhelp.net/us/password.php online HTTP Password generator].  Copy the generated password-hash line to the .htpasswd file on your system.
     172Basic Authorization can be accomplished via this [http://aspirine.org/htpasswd_en.html online HTTP Password generator] which also supports `SHA-1`.  Copy the generated password-hash line to the .htpasswd file on your system. Note that Windows Python lacks the "crypt" module that is the default hash type for htpasswd ; Windows Python can grok MD5 password hashes just fine and you should use MD5.
    159173
    160174You can use this simple Python script to generate a '''digest''' password file:
     
    202216It is possible to use `md5sum` utility to generate digest-password file:
    203217{{{
    204  $ printf "${user}:trac:${password}" | md5sum - >>user.htdigest
    205 }}}
    206 and manually delete " -" from the end and add "${user}:trac:" to the start of line from 'to-file'.
     218user=
     219realm=
     220password=
     221path_to_file=
     222echo ${user}:${realm}:$(printf "${user}:${realm}:${password}" | md5sum - | sed -e 's/\s\+-//') > ${path_to_file}
     223}}}
    207224
    208225== Reference ==
     
    222239  -b HOSTNAME, --hostname=HOSTNAME
    223240                        the host name or IP address to bind to
    224   --protocol=PROTOCOL   http|scgi|ajp
     241  --protocol=PROTOCOL   http|scgi|ajp|fcgi
    225242  -q, --unquote         unquote PATH_INFO (may be needed when using ajp)
    226   --http10              use HTTP/1.0 protocol version (default)
    227   --http11              use HTTP/1.1 protocol version instead of HTTP/1.0
     243  --http10              use HTTP/1.0 protocol version instead of HTTP/1.1
     244  --http11              use HTTP/1.1 protocol version (default)
    228245  -e PARENTDIR, --env-parent-dir=PARENTDIR
    229246                        parent directory of the project environments
     
    232249  -r, --auto-reload     restart automatically when sources are modified
    233250  -s, --single-env      only serve a single project without the project list
    234 }}}
     251  -d, --daemonize       run in the background as a daemon
     252  --pidfile=PIDFILE     when daemonizing, file to which to write pid
     253  --umask=MASK          when daemonizing, file mode creation mask to use, in
     254                        octal notation (default 022)
     255  --group=GROUP         the group to run as
     256  --user=USER           the user to run as
     257}}}
     258
     259Use the -d option so that tracd doesn't hang if you close the terminal window where tracd was started.
    235260
    236261== Tips ==
     
    261286See also [trac:TracOnWindowsIisAjp], [trac:TracNginxRecipe].
    262287
     288=== Authentication for tracd behind a proxy
     289It is convenient to provide central external authentication to your tracd instances, instead of using {{{--basic-auth}}}. There is some discussion about this in #9206.
     290
     291Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap.
     292
     293First we bring tracd into Apache's location namespace.
     294
     295{{{
     296<Location /project/proxified>
     297        Require ldap-group cn=somegroup, ou=Groups,dc=domain.com
     298        Require ldap-user somespecificusertoo
     299        ProxyPass http://localhost:8101/project/proxified/
     300        # Turns out we don't really need complicated RewriteRules here at all
     301        RequestHeader set REMOTE_USER %{REMOTE_USER}s
     302</Location>
     303}}}
     304
     305Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory:
     306{{{
     307#!python
     308from trac.core import *
     309from trac.config import BoolOption
     310from trac.web.api import IAuthenticator
     311
     312class MyRemoteUserAuthenticator(Component):
     313
     314    implements(IAuthenticator)
     315
     316    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
     317               """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
     318                (''since ??.??').""")
     319
     320    def authenticate(self, req):
     321        if self.obey_remote_user_header and req.get_header('Remote-User'):
     322            return req.get_header('Remote-User')
     323        return None
     324
     325}}}
     326
     327Add this new parameter to your TracIni:
     328{{{
     329...
     330[trac]
     331...
     332obey_remote_user_header = true
     333...
     334}}}
     335
     336Run tracd:
     337{{{
     338tracd -p 8101 -r -s proxified --base-path=/project/proxified
     339}}}
     340
     341Note that if you want to install this plugin for all projects, you have to put it in your [TracPlugins#Plugindiscovery global plugins_dir] and enable it in your global trac.ini.
     342
     343Global config (e.g. `/srv/trac/conf/trac.ini`):
     344{{{
     345[components]
     346remote-user-auth.* = enabled
     347[inherit]
     348plugins_dir = /srv/trac/plugins
     349[trac]
     350obey_remote_user_header = true
     351}}}
     352
     353Environment config (e.g. `/srv/trac/envs/myenv`):
     354{{{
     355[inherit]
     356file = /srv/trac/conf/trac.ini
     357}}}
     358
    263359=== Serving a different base path than / ===
    264360Tracd supports serving projects with different base urls than /<project>. The parameter name to change this is