Revision 75453cf2

b/docs/source/adminguide.rst
1 1
Administrator Guide
2 2
===================
3 3

  
4
Add the following line in in ``uwsgi_params``::
4
Install packages::
5 5

  
6
  uwsgi_param  UWSGI_SCHEME       $scheme;
6
  apt-get install git python-django python-setuptools python-sphinx
7
  apt-get install apache2 libapache2-mod-wsgi
8

  
9
Get the source::
10

  
11
  cd /
12
  git clone https://code.grnet.gr/git/pithos
13

  
14
Setup the files::
15

  
16
  cd /pithos
17
  python setup.py build_sphinx
18
  cd /pithos/pithos
19
  cp settings.py.dist settings.py
20

  
21
Edit ``/etc/apache2/sites-available/pithos``::
22

  
23
  <VirtualHost *:80>
24
	ServerAdmin webmaster@pithos.dev.grnet.gr
25
	ServerName pithos.dev.grnet.gr
26

  
27
	DocumentRoot /var/www/pithos_web_client
28
	<Directory />
29
		Options FollowSymLinks
30
		AllowOverride None
31
	</Directory>
32
	<Directory /var/www/>
33
		Options Indexes FollowSymLinks MultiViews
34
		AllowOverride None
35
		Order allow,deny
36
		allow from all
37
	</Directory>
38

  
39
	Alias /docs "/pithos/docs/build/html"
40
	<Directory /pithos/docs/build/html/>
41
		Order allow,deny
42
		Allow from all
43
	</Directory>
44

  
45
	RewriteEngine On
46
	RewriteRule ^/v(.*) /api/v$1 [PT]
47
	RewriteRule ^/public(.*) /api/public$1 [PT]
48

  
49
	<Directory /pithos/pithos/wsgi/>
50
		Order allow,deny
51
		Allow from all
52
	</Directory>
53
	WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi
54

  
55
	# WSGIDaemonProcess pithos
56
	# WSGIProcessGroup pithos
57

  
58
	ErrorLog ${APACHE_LOG_DIR}/pithos.error.log
59

  
60
	# Possible values include: debug, info, notice, warn, error, crit,
61
	# alert, emerg.
62
	LogLevel warn
63

  
64
	CustomLog ${APACHE_LOG_DIR}/pithos.access.log combined
65

  
66
  </VirtualHost>
67

  
68
Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/private/pithos.dev.key`` and ``/etc/ssl/certs/pithos.dev.crt``)::
69

  
70
  <IfModule mod_ssl.c>
71
  <VirtualHost _default_:443>
72
	ServerAdmin webmaster@pithos.dev.grnet.gr
73
	ServerName pithos.dev.grnet.gr
74

  
75
	DocumentRoot /var/www/pithos_web_client
76
	<Directory />
77
		Options FollowSymLinks
78
		AllowOverride None
79
	</Directory>
80
	<Directory /var/www/>
81
		Options Indexes FollowSymLinks MultiViews
82
		AllowOverride None
83
		Order allow,deny
84
		allow from all
85
	</Directory>
86

  
87
	Alias /docs "/pithos/docs/build/html"
88
	<Directory /pithos/docs/build/html/>
89
		Order allow,deny
90
		Allow from all
91
	</Directory>
92

  
93
	RewriteEngine On
94
	RewriteRule ^/v(.*) /api/v$1 [PT]
95
	RewriteRule ^/public(.*) /api/public$1 [PT]
96

  
97
        <Directory /pithos/pithos/wsgi/>
98
                Order allow,deny
99
                Allow from all
100
        </Directory>
101
        WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi
102

  
103
	ErrorLog ${APACHE_LOG_DIR}/pithos-ssl.error.log
104

  
105
	# Possible values include: debug, info, notice, warn, error, crit,
106
	# alert, emerg.
107
	LogLevel warn
108

  
109
	CustomLog ${APACHE_LOG_DIR}/pithos-ssl.access.log combined
110

  
111
	#   SSL Engine Switch:
112
	#   Enable/Disable SSL for this virtual host.
113
	SSLEngine on
114

  
115
	#   A self-signed (snakeoil) certificate can be created by installing
116
	#   the ssl-cert package. See
117
	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
118
	#   If both key and certificate are stored in the same file, only the
119
	#   SSLCertificateFile directive is needed.
120
	SSLCertificateFile    /etc/ssl/certs/pithos.dev.crt
121
	SSLCertificateKeyFile /etc/ssl/private/pithos.dev.key
122

  
123
	#   Server Certificate Chain:
124
	#   Point SSLCertificateChainFile at a file containing the
125
	#   concatenation of PEM encoded CA certificates which form the
126
	#   certificate chain for the server certificate. Alternatively
127
	#   the referenced file can be the same as SSLCertificateFile
128
	#   when the CA certificates are directly appended to the server
129
	#   certificate for convinience.
130
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
131

  
132
	#   Certificate Authority (CA):
133
	#   Set the CA certificate verification path where to find CA
134
	#   certificates for client authentication or alternatively one
135
	#   huge file containing all of them (file must be PEM encoded)
136
	#   Note: Inside SSLCACertificatePath you need hash symlinks
137
	#         to point to the certificate files. Use the provided
138
	#         Makefile to update the hash symlinks after changes.
139
	#SSLCACertificatePath /etc/ssl/certs/
140
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
141

  
142
	#   Certificate Revocation Lists (CRL):
143
	#   Set the CA revocation path where to find CA CRLs for client
144
	#   authentication or alternatively one huge file containing all
145
	#   of them (file must be PEM encoded)
146
	#   Note: Inside SSLCARevocationPath you need hash symlinks
147
	#         to point to the certificate files. Use the provided
148
	#         Makefile to update the hash symlinks after changes.
149
	#SSLCARevocationPath /etc/apache2/ssl.crl/
150
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
151

  
152
	#   Client Authentication (Type):
153
	#   Client certificate verification type and depth.  Types are
154
	#   none, optional, require and optional_no_ca.  Depth is a
155
	#   number which specifies how deeply to verify the certificate
156
	#   issuer chain before deciding the certificate is not valid.
157
	#SSLVerifyClient require
158
	#SSLVerifyDepth  10
159

  
160
	#   Access Control:
161
	#   With SSLRequire you can do per-directory access control based
162
	#   on arbitrary complex boolean expressions containing server
163
	#   variable checks and other lookup directives.  The syntax is a
164
	#   mixture between C and Perl.  See the mod_ssl documentation
165
	#   for more details.
166
	#<Location />
167
	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
168
	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
169
	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
170
	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
171
	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
172
	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
173
	#</Location>
174

  
175
	#   SSL Engine Options:
176
	#   Set various options for the SSL engine.
177
	#   o FakeBasicAuth:
178
	#     Translate the client X.509 into a Basic Authorisation.  This means that
179
	#     the standard Auth/DBMAuth methods can be used for access control.  The
180
	#     user name is the `one line' version of the client's X.509 certificate.
181
	#     Note that no password is obtained from the user. Every entry in the user
182
	#     file needs this password: `xxj31ZMTZzkVA'.
183
	#   o ExportCertData:
184
	#     This exports two additional environment variables: SSL_CLIENT_CERT and
185
	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
186
	#     server (always existing) and the client (only existing when client
187
	#     authentication is used). This can be used to import the certificates
188
	#     into CGI scripts.
189
	#   o StdEnvVars:
190
	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
191
	#     Per default this exportation is switched off for performance reasons,
192
	#     because the extraction step is an expensive operation and is usually
193
	#     useless for serving static content. So one usually enables the
194
	#     exportation for CGI and SSI requests only.
195
	#   o StrictRequire:
196
	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
197
	#     under a "Satisfy any" situation, i.e. when it applies access is denied
198
	#     and no other module can change it.
199
	#   o OptRenegotiate:
200
	#     This enables optimized SSL connection renegotiation handling when SSL
201
	#     directives are used in per-directory context.
202
	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
203
	<FilesMatch "\.(cgi|shtml|phtml|php)$">
204
		SSLOptions +StdEnvVars
205
	</FilesMatch>
206
	<Directory /usr/lib/cgi-bin>
207
		SSLOptions +StdEnvVars
208
	</Directory>
209

  
210
	#   SSL Protocol Adjustments:
211
	#   The safe and default but still SSL/TLS standard compliant shutdown
212
	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
213
	#   the close notify alert from client. When you need a different shutdown
214
	#   approach you can use one of the following variables:
215
	#   o ssl-unclean-shutdown:
216
	#     This forces an unclean shutdown when the connection is closed, i.e. no
217
	#     SSL close notify alert is send or allowed to received.  This violates
218
	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
219
	#     this when you receive I/O errors because of the standard approach where
220
	#     mod_ssl sends the close notify alert.
221
	#   o ssl-accurate-shutdown:
222
	#     This forces an accurate shutdown when the connection is closed, i.e. a
223
	#     SSL close notify alert is send and mod_ssl waits for the close notify
224
	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
225
	#     practice often causes hanging connections with brain-dead browsers. Use
226
	#     this only for browsers where you know that their SSL implementation
227
	#     works correctly.
228
	#   Notice: Most problems of broken clients are also related to the HTTP
229
	#   keep-alive facility, so you usually additionally want to disable
230
	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
231
	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
232
	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
233
	#   "force-response-1.0" for this.
234
	BrowserMatch "MSIE [2-6]" \
235
		nokeepalive ssl-unclean-shutdown \
236
		downgrade-1.0 force-response-1.0
237
	# MSIE 7 and newer should be able to use keepalive
238
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
239

  
240
  </VirtualHost>
241
  </IfModule>
242

  
243
Configure and run apache::
244

  
245
  a2enmod ssl
246
  a2enmod rewrite
247
  a2dissite default
248
  a2ensite pithos
249
  a2ensite pithos-ssl
250
  mkdir /var/www/pithos
251
  mkdir /var/www/pithos_web_client
252
  /etc/init.d/apache2 restart
