Administrator Guide
===================

Install packages::

# Runtime and build dependencies from the distribution repositories (apt),
# so they receive security updates through the package manager like the
# rest of the system.
apt-get install git python-django python-setuptools python-sphinx
# Web server plus the mod_wsgi bridge that hosts the API (see the virtual
# host configuration below).
apt-get install apache2 libapache2-mod-wsgi

Get the source::

# The checkout lives at /pithos; the Apache configuration below serves
# /pithos/docs/build/html and /pithos/pithos/wsgi out of it.
cd /
# NOTE(review): this clones the tip of the default branch. For a
# reproducible deployment, check out a known release tag or commit after
# cloning and verify it is the revision you intend to run.
git clone https://code.grnet.gr/git/pithos

Setup the files::

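cd /pithos/pithos
# settings.py is the site-specific configuration. Review it before the
# service goes live; once filled in it will typically hold secrets (the
# Django SECRET_KEY, database credentials), so keep it readable only by
# root and the account the WSGI application runs as. On Debian that is
# www-data unless a WSGIDaemonProcess user= is configured.
cp settings.py.dist settings.py
chown root:www-data settings.py
chmod 640 settings.py
cd /pithos
# Build the HTML documentation that the Apache configuration below serves
# under /docs.
python setup.py build_sphinx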

Create ``/etc/apache2/sites-available/pithos`` (the plain-HTTP virtual host) with the following contents::

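<VirtualHost *:80>
    ServerAdmin webmaster@pithos.dev.grnet.gr
    ServerName pithos.dev.grnet.gr

    # Plain-HTTP entry point. Anything clients send to the API on this
    # vhost (credentials, tokens, object data) crosses the network in
    # clear. Unless HTTP access is a hard requirement, replace the body
    # of this vhost with a redirect to the SSL vhost:
    #   RedirectPermanent / https://pithos.dev.grnet.gr/

    DocumentRoot /var/www/pithos_web_client

    # Deny the whole filesystem by default; each served path below opens
    # itself up explicitly. (Apache 2.4: "Require all denied" /
    # "Require all granted" replace the Order/Allow/Deny lines.)
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    # Static web client. No "Indexes": the client files must not be
    # browsable as a directory listing. MultiViews is not needed either.
    <Directory /var/www/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Built documentation (see "python setup.py build_sphinx").
    Alias /docs "/pithos/docs/build/html"
    <Directory /pithos/docs/build/html/>
        Order allow,deny
        Allow from all
    </Directory>

    # Route the API URL prefixes to the WSGI application. [PT] passes the
    # rewritten path back through the URL mapper so WSGIScriptAlias below
    # applies to it.
    RewriteEngine On
    RewriteRule ^/v(.*) /api/v$1 [PT]
    RewriteRule ^/public(.*) /api/public$1 [PT]

    # Only the wsgi/ directory of the checkout is exposed; the rest of
    # /pithos stays covered by the deny-all on "/".
    <Directory /pithos/pithos/wsgi/>
        Order allow,deny
        Allow from all
    </Directory>
    WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi

    # As shipped the application runs in embedded mode, i.e. inside the
    # Apache worker processes and as the Apache user. Daemon mode moves it
    # into its own processes and allows a dedicated account; enable it
    # once that account exists:
    # WSGIDaemonProcess pithos user=<pithos-user> group=<pithos-group>
    # WSGIProcessGroup pithos

    ErrorLog ${APACHE_LOG_DIR}/pithos.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/pithos.access.log combined

</VirtualHost>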

Create ``/etc/apache2/sites-available/pithos-ssl`` (the HTTPS virtual host). The configuration below assumes the private key is in ``/etc/ssl/private/pithos.dev.key`` and the certificate in ``/etc/ssl/certs/pithos.dev.crt``; the key file must be readable by root only::

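<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@pithos.dev.grnet.gr
    ServerName pithos.dev.grnet.gr

    DocumentRoot /var/www/pithos_web_client

    # Deny the whole filesystem by default; each served path below opens
    # itself up explicitly. (Apache 2.4: "Require all denied" /
    # "Require all granted" replace the Order/Allow/Deny lines.)
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    # Static web client. No "Indexes": the client files must not be
    # browsable as a directory listing. MultiViews is not needed either.
    <Directory /var/www/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Built documentation (see "python setup.py build_sphinx").
    Alias /docs "/pithos/docs/build/html"
    <Directory /pithos/docs/build/html/>
        Order allow,deny
        Allow from all
    </Directory>

    # Route the API URL prefixes to the WSGI application. [PT] passes the
    # rewritten path back through the URL mapper so WSGIScriptAlias below
    # applies to it.
    RewriteEngine On
    RewriteRule ^/v(.*) /api/v$1 [PT]
    RewriteRule ^/public(.*) /api/public$1 [PT]

    # Only the wsgi/ directory of the checkout is exposed; the rest of
    # /pithos stays covered by the deny-all on "/".
    <Directory /pithos/pithos/wsgi/>
        Order allow,deny
        Allow from all
    </Directory>
    WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi

    ErrorLog ${APACHE_LOG_DIR}/pithos-ssl.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/pithos-ssl.access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Protocol and cipher policy. The original template sets none, which
    # leaves mod_ssl at its compiled-in defaults (on Apache 2.2 builds that
    # includes SSLv2/SSLv3 and weak ciphers). Refuse the legacy protocols,
    # restrict to strong ciphers and let the server rather than the client
    # choose.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Server certificate and private key. A self-signed ("snakeoil") pair
    # can be created by installing the ssl-cert package (see
    # /usr/share/doc/apache2.2-common/README.Debian.gz), but every client
    # then has to trust it explicitly; use a CA-issued certificate for any
    # non-test deployment. If both key and certificate are stored in the
    # same file, only SSLCertificateFile is needed. The key file must stay
    # readable by root only (Debian keeps /etc/ssl/private mode 0710).
    SSLCertificateFile /etc/ssl/certs/pithos.dev.crt
    SSLCertificateKeyFile /etc/ssl/private/pithos.dev.key

    # Server Certificate Chain:
    # For a CA-issued certificate, point SSLCertificateChainFile at the
    # concatenation of the PEM-encoded intermediate CA certificates;
    # without the chain, clients that do not already hold the
    # intermediates fail validation. The file may also be the same as
    # SSLCertificateFile with the CA certificates appended to the server
    # certificate.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

    # HTTPS-only browsers: once the HTTP vhost is reduced to a redirect,
    # enable mod_headers (a2enmod headers) and add
    #   Header always set Strict-Transport-Security "max-age=31536000"
    # so browsers stop trying plain HTTP for this host.

    # Client certificate authentication (disabled). To require client
    # certificates, set the CA certificate path/file, optionally a CRL
    # path/file (inside the *Path directories hash symlinks to the
    # certificate files are required; use the provided Makefile to update
    # them after changes), then enable SSLVerifyClient. Types are none,
    # optional, require and optional_no_ca; depth bounds how deep the
    # issuer chain is verified before the certificate is rejected.
    #SSLCACertificatePath /etc/ssl/certs/
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    #SSLCARevocationPath /etc/apache2/ssl.crl/
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # SSLRequire allows per-directory access control on boolean
    # expressions over SSL and server variables (syntax is a C/Perl
    # mixture; see the mod_ssl documentation). Example from the Debian
    # template, left disabled:
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options (see the mod_ssl documentation for FakeBasicAuth,
    # ExportCertData, StrictRequire and OptRenegotiate). Note that
    # FakeBasicAuth maps a client certificate to a Basic-auth user without
    # any password being obtained from the user; every entry in the user
    # file then needs the fixed password `xxj31ZMTZzkVA'.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    # Export the SSL_* environment variables only where scripts may need
    # them; the extraction is costly and useless for static content. These
    # two stanzas are Debian template leftovers: nothing in this vhost
    # serves CGI or PHP, so they may be removed.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # mod_ssl's default shutdown sends the close-notify alert without
    # waiting for the client's. "ssl-unclean-shutdown" skips the alert,
    # "ssl-accurate-shutdown" waits for the client's; "nokeepalive",
    # "downgrade-1.0" and "force-response-1.0" work around broken HTTP/1.1
    # implementations in old browsers. Kept from the Debian template; only
    # affects the ancient MSIE versions matched below.
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>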

Enable the modules and sites, then (re)start Apache::

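# mod_wsgi itself is normally enabled by the libapache2-mod-wsgi package on
# install; ssl and rewrite are needed by the vhosts above.
a2enmod ssl
a2enmod rewrite
# Drop the distribution's default site so only the pithos vhosts answer.
a2dissite default
a2ensite pithos
a2ensite pithos-ssl
# Document roots. /var/www/pithos is not referenced by either vhost above
# (the web client is served from /var/www/pithos_web_client); kept as in
# the original instructions -- TODO confirm whether anything uses it.
mkdir /var/www/pithos
mkdir /var/www/pithos_web_client
# Validate the configuration before restarting, so a typo or a missing
# key/certificate file (the SSL vhost will not load without them) is
# reported here instead of taking the server down.
apache2ctl configtest
/etc/init.d/apache2 restart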