Changes between Version 2 and Version 3 of TracStandalone
- Timestamp:
- 2015-05-25T08:23:07-07:00 (10 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
TracStandalone
v2 v3 14 14 * Fewer features: Tracd implements a very simple web-server and is not as configurable or as scalable as Apache httpd. 15 15 * No native HTTPS support: [http://www.rickk.com/sslwrap/ sslwrap] can be used instead, 16 or [ http://trac.edgewall.org/wiki/STunnelTracd stunnel -- a tutorial on how to use stunnel with tracd] or Apache with mod_proxy.16 or [trac:wiki:STunnelTracd stunnel -- a tutorial on how to use stunnel with tracd] or Apache with mod_proxy. 17 17 18 18 == Usage examples == … … 22 22 $ tracd -p 8080 /path/to/project 23 23 }}} 24 Stric ly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use ''--hostname'' option.24 Strictly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use ''--hostname'' option. 25 25 {{{ 26 26 $ tracd --hostname=localhost -p 8080 /path/to/project … … 84 84 Use [http://trac-hacks.org/wiki/WindowsServiceScript WindowsServiceScript], available at [http://trac-hacks.org/ Trac Hacks]. Installs, removes, starts, stops, etc. your Trac service. 85 85 86 === Option 3 === 87 88 also cygwin's cygrunsrv.exe can be used: 89 {{{ 90 $ cygrunsrv --install tracd --path /cygdrive/c/Python27/Scripts/tracd.exe --args '--port 8000 --env-parent-dir E:\IssueTrackers\Trac\Projects' 91 $ net start tracd 92 }}} 93 86 94 == Using Authentication == 95 96 Tracd allows you to run Trac without the need for Apache, but you can take advantage of Apache's password tools (htpasswd and htdigest) to easily create a password file in the proper format for tracd to use in authentication. (It is also possible to create the password file without htpasswd or htdigest; see below for alternatives) 97 98 Make sure you place the generated password files on a filesystem which supports sub-second timestamps, as Trac will monitor their modified time and changes happening on a filesystem with too coarse-grained timestamp resolution (like `ext2` or `ext3` on Linux) may go undetected. 87 99 88 100 Tracd provides support for both Basic and Digest authentication. Digest is considered more secure. The examples below use Digest; to use Basic authentication, replace `--auth` with `--basic-auth` in the command line. … … 128 140 This section describes how to use `tracd` with Apache .htpasswd files. 129 141 142 Note: It is necessary (at least with Python 2.6) to install the fcrypt package in order to 143 decode some htpasswd formats. Trac source code attempt an `import crypt` first, but there 144 is no such package for Python 2.6. Only `SHA-1` passwords (since Trac 1.0) work without this module. 145 130 146 To create a .htpasswd file use Apache's `htpasswd` command (see [#GeneratingPasswordsWithoutApache below] for a method to create these files without using Apache): 131 147 {{{ … … 152 168 If you have Apache available, you can use the htdigest command to generate the password file. Type 'htdigest' to get some usage instructions, or read [http://httpd.apache.org/docs/2.0/programs/htdigest.html this page] from the Apache manual to get precise instructions. You'll be prompted for a password to enter for each user that you create. For the name of the password file, you can use whatever you like, but if you use something like `users.htdigest` it will remind you what the file contains. As a suggestion, put it in your <projectname>/conf folder along with the [TracIni trac.ini] file. 153 169 154 Note that you can start tracd without the --authargument, but if you click on the ''Login'' link you will get an error.170 Note that you can start tracd without the `--auth` argument, but if you click on the ''Login'' link you will get an error. 155 171 156 172 === Generating Passwords Without Apache === 157 173 158 Basic Authorization can be accomplished via this [http:// www.4webhelp.net/us/password.php online HTTP Password generator]. Copy the generated password-hash line to the .htpasswd file on your system.174 Basic Authorization can be accomplished via this [http://aspirine.org/htpasswd_en.html online HTTP Password generator] which also supports `SHA-1`. Copy the generated password-hash line to the .htpasswd file on your system. Note that Windows Python lacks the "crypt" module that is the default hash type for htpasswd ; Windows Python can grok MD5 password hashes just fine and you should use MD5. 159 175 160 176 You can use this simple Python script to generate a '''digest''' password file: … … 202 218 It is possible to use `md5sum` utility to generate digest-password file: 203 219 {{{ 204 $ printf "${user}:trac:${password}" | md5sum - >>user.htdigest 205 }}} 206 and manually delete " -" from the end and add "${user}:trac:" to the start of line from 'to-file'. 220 user= 221 realm= 222 password= 223 path_to_file= 224 echo ${user}:${realm}:$(printf "${user}:${realm}:${password}" | md5sum - | sed -e 's/\s\+-//') > ${path_to_file} 225 }}} 207 226 208 227 == Reference == … … 222 241 -b HOSTNAME, --hostname=HOSTNAME 223 242 the host name or IP address to bind to 224 --protocol=PROTOCOL http|scgi|ajp 243 --protocol=PROTOCOL http|scgi|ajp|fcgi 225 244 -q, --unquote unquote PATH_INFO (may be needed when using ajp) 226 --http10 use HTTP/1.0 protocol version (default)227 --http11 use HTTP/1.1 protocol version instead of HTTP/1.0245 --http10 use HTTP/1.0 protocol version instead of HTTP/1.1 246 --http11 use HTTP/1.1 protocol version (default) 228 247 -e PARENTDIR, --env-parent-dir=PARENTDIR 229 248 parent directory of the project environments … … 232 251 -r, --auto-reload restart automatically when sources are modified 233 252 -s, --single-env only serve a single project without the project list 234 }}} 253 -d, --daemonize run in the background as a daemon 254 --pidfile=PIDFILE when daemonizing, file to which to write pid 255 --umask=MASK when daemonizing, file mode creation mask to use, in 256 octal notation (default 022) 257 --group=GROUP the group to run as 258 --user=USER the user to run as 259 }}} 260 261 Use the -d option so that tracd doesn't hang if you close the terminal window where tracd was started. 235 262 236 263 == Tips == … … 261 288 See also [trac:TracOnWindowsIisAjp], [trac:TracNginxRecipe]. 262 289 290 === Authentication for tracd behind a proxy 291 It is convenient to provide central external authentication to your tracd instances, instead of using {{{--basic-auth}}}. There is some discussion about this in #9206. 292 293 Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap. 294 295 First we bring tracd into Apache's location namespace. 296 297 {{{ 298 <Location /project/proxified> 299 Require ldap-group cn=somegroup, ou=Groups,dc=domain.com 300 Require ldap-user somespecificusertoo 301 ProxyPass http://localhost:8101/project/proxified/ 302 # Turns out we don't really need complicated RewriteRules here at all 303 RequestHeader set REMOTE_USER %{REMOTE_USER}s 304 </Location> 305 }}} 306 307 Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory: 308 {{{ 309 #!python 310 from trac.core import * 311 from trac.config import BoolOption 312 from trac.web.api import IAuthenticator 313 314 class MyRemoteUserAuthenticator(Component): 315 316 implements(IAuthenticator) 317 318 obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false', 319 """Whether the 'Remote-User:' HTTP header is to be trusted for user logins 320 (''since ??.??').""") 321 322 def authenticate(self, req): 323 if self.obey_remote_user_header and req.get_header('Remote-User'): 324 return req.get_header('Remote-User') 325 return None 326 327 }}} 328 329 Add this new parameter to your TracIni: 330 {{{ 331 ... 332 [trac] 333 ... 334 obey_remote_user_header = true 335 ... 336 }}} 337 338 Run tracd: 339 {{{ 340 tracd -p 8101 -r -s proxified --base-path=/project/proxified 341 }}} 342 343 Note that if you want to install this plugin for all projects, you have to put it in your [TracPlugins#Plugindiscovery global plugins_dir] and enable it in your global trac.ini. 344 345 Global config (e.g. `/srv/trac/conf/trac.ini`): 346 {{{ 347 [components] 348 remote-user-auth.* = enabled 349 [inherit] 350 plugins_dir = /srv/trac/plugins 351 [trac] 352 obey_remote_user_header = true 353 }}} 354 355 Environment config (e.g. `/srv/trac/envs/myenv`): 356 {{{ 357 [inherit] 358 file = /srv/trac/conf/trac.ini 359 }}} 360 263 361 === Serving a different base path than / === 264 362 Tracd supports serving projects with different base urls than /<project>. The parameter name to change this is