cd /
git clone https://code.grnet.gr/git/pithos
-Setup the files (choose where to store data in ``settings.py`` and change ``SECRET_KEY``)::
+Setup the files::
cd /pithos/pithos
- cp settings.py.dist settings.py
python manage.py syncdb
cd /pithos
python setup.py build_sphinx
+It is advised that you create a ``settings.local`` file to place any configuration overrides (at least change ``SECRET_KEY``).
+
Edit ``/etc/apache2/sites-available/pithos`` (change the ``ServerName`` directive)::
<VirtualHost *:80>
Allow from all
</Directory>
+ SetEnv no-gzip
+ SetEnv dont-vary
+
RewriteEngine On
- RewriteRule ^/v(.*) /api/v$1 [PT]
- RewriteRule ^/public(.*) /api/public$1 [PT]
- RewriteRule ^/login(.*) https://%{HTTP_HOST}%{REQUEST_URI}
- RewriteRule ^/admin(.*) https://%{HTTP_HOST}%{REQUEST_URI}
+ RewriteRule ^/v(.*) /api/v$1 [PT,NE]
+ RewriteRule ^/public(.*) /api/public$1 [PT,NE]
+ RewriteRule ^/tools(.*) /api/ui$1 [PT,NE]
+ RewriteRule ^/im(.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+ RewriteRule ^/login(.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+
+ RequestHeader set X-Forwarded-Protocol "http"
WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi
# WSGIDaemonProcess pithos
CustomLog ${APACHE_LOG_DIR}/pithos.access.log combined
</VirtualHost>
+To disable non-SSL connections, ``/etc/apache2/sites-available/pithos`` should be::
+
+ <VirtualHost *:80>
+ ServerAdmin webmaster@pithos.dev.grnet.gr
+ ServerName pithos.dev.grnet.gr
+
+ RewriteEngine On
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+ </VirtualHost>
+
Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/private/pithos.dev.grnet.gr.key`` and ``/etc/ssl/certs/pithos.dev.grnet.gr.crt`` - change the ``ServerName`` directive)::
<IfModule mod_ssl.c>
Allow from all
</Directory>
+ SetEnv no-gzip
+ SetEnv dont-vary
+
RewriteEngine On
- RewriteRule ^/v(.*) /api/v$1 [PT]
- RewriteRule ^/public(.*) /api/public$1 [PT]
- RewriteRule ^/login(.*) /api/login$1 [PT]
- RewriteRule ^/admin(.*) /api/admin$1 [PT]
+ RewriteRule ^/v(.*) /api/v$1 [PT,NE]
+ RewriteRule ^/public(.*) /api/public$1 [PT,NE]
+ RewriteRule ^/tools(.*) /api/ui$1 [PT,NE]
+ RewriteRule ^/im(.*) /api/im$1 [PT,NE]
+ RewriteRule ^/login(.*) /api/im/login/dummy$1 [PT,NE]
+
+ RequestHeader set X-Forwarded-Protocol "https"
WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi
# WSGIDaemonProcess pithos
# WSGIProcessGroup pithos
- ShibConfig /etc/shibboleth/shibboleth2.xml
- Alias /shibboleth-sp /usr/share/shibboleth
-
- <Location /api/login>
- AuthType shibboleth
- ShibRequireSession On
- ShibUseHeaders On
- require valid-user
- </Location>
-
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/pithos.error.log
CustomLog ${APACHE_LOG_DIR}/pithos.access.log combined
WSGIChunkedRequest On
+Make sure the data folder is writable by the web server user::
+
+ chown -R www-data:www-data /pithos/pithos/data
+
+If using an SQLite database, the same goes for the database file and the containing folder::
+
+ chown www-data:www-data /pithos/pithos/
+ chown www-data:www-data /pithos/pithos/backend.db
+
Configure and run apache::
a2enmod ssl
Useful alias to add in ``~/.bashrc``::
- alias pithos-sync='cd /pithos && git pull && python setup.py build_sphinx && /etc/init.d/apache2 restart'
+ alias sync-pithos='cd /pithos && git pull && python setup.py build_sphinx && /etc/init.d/apache2 restart'
+
+Gunicorn Setup
+--------------
+
+Add in ``/etc/apt/sources.list``::
+
+ deb http://backports.debian.org/debian-backports squeeze-backports main
+
+Then::
+
+ apt-get update
+ apt-get -t squeeze-backports install gunicorn
+ apt-get -t squeeze-backports install python-gevent
+
+Create ``/etc/gunicorn.d/pithos``::
+
+ CONFIG = {
+ 'mode': 'django',
+ 'working_dir': '/pithos/pithos',
+ 'user': 'www-data',
+ 'group': 'www-data',
+ 'args': (
+ '--bind=[::]:8080',
+ '--worker-class=egg:gunicorn#gevent',
+ '--workers=4',
+ '--log-level=debug',
+ '/pithos/pithos/settings.py',
+ ),
+ }
+
+Replace the ``WSGI*`` directives in ``/etc/apache2/sites-available/pithos`` and ``/etc/apache2/sites-available/pithos-ssl`` with::
+
+ <Proxy *>
+ Order allow,deny
+ Allow from all
+ </Proxy>
+
+ SetEnv proxy-sendchunked
+ SSLProxyEngine off
+ ProxyErrorOverride off
+
+ ProxyPass /api http://localhost:8080 retry=0
+ ProxyPassReverse /api http://localhost:8080
+
+Make sure that in ``settings.local``::
+
+ USE_X_FORWARDED_HOST = True
+
+Configure and run::
+
+ /etc/init.d/gunicorn restart
+ a2enmod proxy
+ a2enmod proxy_http
+ /etc/init.d/apache2 restart
+
+If experiencing timeout problems, try adding to ``/etc/gunicorn.d/pithos``::
+
+ ...
+ '--timeout=43200',
+ ...
Shibboleth Setup
----------------
Add in ``/etc/apache2/sites-available/pithos-ssl``::
- ShibConfig /etc/shibboleth/shibboleth2.xml
- Alias /shibboleth-sp /usr/share/shibboleth
+ ShibConfig /etc/shibboleth/shibboleth2.xml
+ Alias /shibboleth-sp /usr/share/shibboleth
- <Location /api/login>
- AuthType shibboleth
- ShibRequireSession On
- ShibUseHeaders On
- require valid-user
- </Location>
+ <Location /api/im/login/shibboleth>
+ AuthType shibboleth
+ ShibRequireSession On
+ ShibUseHeaders On
+ require valid-user
+ </Location>
Configure and run apache::
The following tokens should be available at the destination, after passing through the apache module::
- SHIB_EPPN = "eppn" # eduPersonPrincipalName
- SHIB_NAME = "Shib-InetOrgPerson-givenName"
- SHIB_SURNAME = "Shib-Person-surname"
- SHIB_CN = "Shib-Person-commonName"
- SHIB_DISPLAYNAME = "Shib-InetOrgPerson-displayName"
- SHIB_EP_AFFILIATION = "Shib-EP-Affiliation"
- SHIB_SESSION_ID = "Shib-Session-ID"
+ eppn # eduPersonPrincipalName
+ Shib-InetOrgPerson-givenName
+ Shib-Person-surname
+ Shib-Person-commonName
+ Shib-InetOrgPerson-displayName
+ Shib-EP-Affiliation
+ Shib-Session-ID
MySQL Setup
-----------