Revision 75453cf2
b/docs/source/adminguide.rst | ||
1 | 1 |
Administrator Guide |
2 | 2 |
=================== |
3 | 3 |
|
4 |
Add the following line in in ``uwsgi_params``::
|
|
4 |
Install packages::
|
|
5 | 5 |
|
6 |
uwsgi_param UWSGI_SCHEME $scheme; |
|
6 |
apt-get install git python-django python-setuptools python-sphinx |
|
7 |
apt-get install apache2 libapache2-mod-wsgi |
|
8 |
|
|
9 |
Get the source:: |
|
10 |
|
|
11 |
cd / |
|
12 |
git clone https://code.grnet.gr/git/pithos |
|
13 |
|
|
14 |
Setup the files:: |
|
15 |
|
|
16 |
cd /pithos |
|
17 |
python setup.py build_sphinx |
|
18 |
cd /pithos/pithos |
|
19 |
cp settings.py.dist settings.py |
|
20 |
|
|
21 |
Edit ``/etc/apache2/sites-available/pithos``:: |
|
22 |
|
|
23 |
<VirtualHost *:80> |
|
24 |
ServerAdmin webmaster@pithos.dev.grnet.gr |
|
25 |
ServerName pithos.dev.grnet.gr |
|
26 |
|
|
27 |
DocumentRoot /var/www/pithos_web_client |
|
28 |
<Directory /> |
|
29 |
Options FollowSymLinks |
|
30 |
AllowOverride None |
|
31 |
</Directory> |
|
32 |
<Directory /var/www/> |
|
33 |
Options Indexes FollowSymLinks MultiViews |
|
34 |
AllowOverride None |
|
35 |
Order allow,deny |
|
36 |
allow from all |
|
37 |
</Directory> |
|
38 |
|
|
39 |
Alias /docs "/pithos/docs/build/html" |
|
40 |
<Directory /pithos/docs/build/html/> |
|
41 |
Order allow,deny |
|
42 |
Allow from all |
|
43 |
</Directory> |
|
44 |
|
|
45 |
RewriteEngine On |
|
46 |
RewriteRule ^/v(.*) /api/v$1 [PT] |
|
47 |
RewriteRule ^/public(.*) /api/public$1 [PT] |
|
48 |
|
|
49 |
<Directory /pithos/pithos/wsgi/> |
|
50 |
Order allow,deny |
|
51 |
Allow from all |
|
52 |
</Directory> |
|
53 |
WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi |
|
54 |
|
|
55 |
# WSGIDaemonProcess pithos |
|
56 |
# WSGIProcessGroup pithos |
|
57 |
|
|
58 |
ErrorLog ${APACHE_LOG_DIR}/pithos.error.log |
|
59 |
|
|
60 |
# Possible values include: debug, info, notice, warn, error, crit, |
|
61 |
# alert, emerg. |
|
62 |
LogLevel warn |
|
63 |
|
|
64 |
CustomLog ${APACHE_LOG_DIR}/pithos.access.log combined |
|
65 |
|
|
66 |
</VirtualHost> |
|
67 |
|
|
68 |
Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/private/pithos.dev.key`` and ``/etc/ssl/certs/pithos.dev.crt``):: |
|
69 |
|
|
70 |
<IfModule mod_ssl.c> |
|
71 |
<VirtualHost _default_:443> |
|
72 |
ServerAdmin webmaster@pithos.dev.grnet.gr |
|
73 |
ServerName pithos.dev.grnet.gr |
|
74 |
|
|
75 |
DocumentRoot /var/www/pithos_web_client |
|
76 |
<Directory /> |
|
77 |
Options FollowSymLinks |
|
78 |
AllowOverride None |
|
79 |
</Directory> |
|
80 |
<Directory /var/www/> |
|
81 |
Options Indexes FollowSymLinks MultiViews |
|
82 |
AllowOverride None |
|
83 |
Order allow,deny |
|
84 |
allow from all |
|
85 |
</Directory> |
|
86 |
|
|
87 |
Alias /docs "/pithos/docs/build/html" |
|
88 |
<Directory /pithos/docs/build/html/> |
|
89 |
Order allow,deny |
|
90 |
Allow from all |
|
91 |
</Directory> |
|
92 |
|
|
93 |
RewriteEngine On |
|
94 |
RewriteRule ^/v(.*) /api/v$1 [PT] |
|
95 |
RewriteRule ^/public(.*) /api/public$1 [PT] |
|
96 |
|
|
97 |
<Directory /pithos/pithos/wsgi/> |
|
98 |
Order allow,deny |
|
99 |
Allow from all |
|
100 |
</Directory> |
|
101 |
WSGIScriptAlias /api /pithos/pithos/wsgi/pithos.wsgi |
|
102 |
|
|
103 |
ErrorLog ${APACHE_LOG_DIR}/pithos-ssl.error.log |
|
104 |
|
|
105 |
# Possible values include: debug, info, notice, warn, error, crit, |
|
106 |
# alert, emerg. |
|
107 |
LogLevel warn |
|
108 |
|
|
109 |
CustomLog ${APACHE_LOG_DIR}/pithos-ssl.access.log combined |
|
110 |
|
|
111 |
# SSL Engine Switch: |
|
112 |
# Enable/Disable SSL for this virtual host. |
|
113 |
SSLEngine on |
|
114 |
|
|
115 |
# A self-signed (snakeoil) certificate can be created by installing |
|
116 |
# the ssl-cert package. See |
|
117 |
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info. |
|
118 |
# If both key and certificate are stored in the same file, only the |
|
119 |
# SSLCertificateFile directive is needed. |
|
120 |
SSLCertificateFile /etc/ssl/certs/pithos.dev.crt |
|
121 |
SSLCertificateKeyFile /etc/ssl/private/pithos.dev.key |
|
122 |
|
|
123 |
# Server Certificate Chain: |
|
124 |
# Point SSLCertificateChainFile at a file containing the |
|
125 |
# concatenation of PEM encoded CA certificates which form the |
|
126 |
# certificate chain for the server certificate. Alternatively |
|
127 |
# the referenced file can be the same as SSLCertificateFile |
|
128 |
# when the CA certificates are directly appended to the server |
|
129 |
# certificate for convinience. |
|
130 |
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt |
|
131 |
|
|
132 |
# Certificate Authority (CA): |
|
133 |
# Set the CA certificate verification path where to find CA |
|
134 |
# certificates for client authentication or alternatively one |
|
135 |
# huge file containing all of them (file must be PEM encoded) |
|
136 |
# Note: Inside SSLCACertificatePath you need hash symlinks |
|
137 |
# to point to the certificate files. Use the provided |
|
138 |
# Makefile to update the hash symlinks after changes. |
|
139 |
#SSLCACertificatePath /etc/ssl/certs/ |
|
140 |
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt |
|
141 |
|
|
142 |
# Certificate Revocation Lists (CRL): |
|
143 |
# Set the CA revocation path where to find CA CRLs for client |
|
144 |
# authentication or alternatively one huge file containing all |
|
145 |
# of them (file must be PEM encoded) |
|
146 |
# Note: Inside SSLCARevocationPath you need hash symlinks |
|
147 |
# to point to the certificate files. Use the provided |
|
148 |
# Makefile to update the hash symlinks after changes. |
|
149 |
#SSLCARevocationPath /etc/apache2/ssl.crl/ |
|
150 |
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl |
|
151 |
|
|
152 |
# Client Authentication (Type): |
|
153 |
# Client certificate verification type and depth. Types are |
|
154 |
# none, optional, require and optional_no_ca. Depth is a |
|
155 |
# number which specifies how deeply to verify the certificate |
|
156 |
# issuer chain before deciding the certificate is not valid. |
|
157 |
#SSLVerifyClient require |
|
158 |
#SSLVerifyDepth 10 |
|
159 |
|
|
160 |
# Access Control: |
|
161 |
# With SSLRequire you can do per-directory access control based |
|
162 |
# on arbitrary complex boolean expressions containing server |
|
163 |
# variable checks and other lookup directives. The syntax is a |
|
164 |
# mixture between C and Perl. See the mod_ssl documentation |
|
165 |
# for more details. |
|
166 |
#<Location /> |
|
167 |
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ |
|
168 |
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ |
|
169 |
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ |
|
170 |
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ |
|
171 |
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ |
|
172 |
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ |
|
173 |
#</Location> |
|
174 |
|
|
175 |
# SSL Engine Options: |
|
176 |
# Set various options for the SSL engine. |
|
177 |
# o FakeBasicAuth: |
|
178 |
# Translate the client X.509 into a Basic Authorisation. This means that |
|
179 |
# the standard Auth/DBMAuth methods can be used for access control. The |
|
180 |
# user name is the `one line' version of the client's X.509 certificate. |
|
181 |
# Note that no password is obtained from the user. Every entry in the user |
|
182 |
# file needs this password: `xxj31ZMTZzkVA'. |
|
183 |
# o ExportCertData: |
|
184 |
# This exports two additional environment variables: SSL_CLIENT_CERT and |
|
185 |
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the |
|
186 |
# server (always existing) and the client (only existing when client |
|
187 |
# authentication is used). This can be used to import the certificates |
|
188 |
# into CGI scripts. |
|
189 |
# o StdEnvVars: |
|
190 |
# This exports the standard SSL/TLS related `SSL_*' environment variables. |
|
191 |
# Per default this exportation is switched off for performance reasons, |
|
192 |
# because the extraction step is an expensive operation and is usually |
|
193 |
# useless for serving static content. So one usually enables the |
|
194 |
# exportation for CGI and SSI requests only. |
|
195 |
# o StrictRequire: |
|
196 |
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even |
|
197 |
# under a "Satisfy any" situation, i.e. when it applies access is denied |
|
198 |
# and no other module can change it. |
|
199 |
# o OptRenegotiate: |
|
200 |
# This enables optimized SSL connection renegotiation handling when SSL |
|
201 |
# directives are used in per-directory context. |
|
202 |
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire |
|
203 |
<FilesMatch "\.(cgi|shtml|phtml|php)$"> |
|
204 |
SSLOptions +StdEnvVars |
|
205 |
</FilesMatch> |
|
206 |
<Directory /usr/lib/cgi-bin> |
|
207 |
SSLOptions +StdEnvVars |
|
208 |
</Directory> |
|
209 |
|
|
210 |
# SSL Protocol Adjustments: |
|
211 |
# The safe and default but still SSL/TLS standard compliant shutdown |
|
212 |
# approach is that mod_ssl sends the close notify alert but doesn't wait for |
|
213 |
# the close notify alert from client. When you need a different shutdown |
|
214 |
# approach you can use one of the following variables: |
|
215 |
# o ssl-unclean-shutdown: |
|
216 |
# This forces an unclean shutdown when the connection is closed, i.e. no |
|
217 |
# SSL close notify alert is send or allowed to received. This violates |
|
218 |
# the SSL/TLS standard but is needed for some brain-dead browsers. Use |
|
219 |
# this when you receive I/O errors because of the standard approach where |
|
220 |
# mod_ssl sends the close notify alert. |
|
221 |
# o ssl-accurate-shutdown: |
|
222 |
# This forces an accurate shutdown when the connection is closed, i.e. a |
|
223 |
# SSL close notify alert is send and mod_ssl waits for the close notify |
|
224 |
# alert of the client. This is 100% SSL/TLS standard compliant, but in |
|
225 |
# practice often causes hanging connections with brain-dead browsers. Use |
|
226 |
# this only for browsers where you know that their SSL implementation |
|
227 |
# works correctly. |
|
228 |
# Notice: Most problems of broken clients are also related to the HTTP |
|
229 |
# keep-alive facility, so you usually additionally want to disable |
|
230 |
# keep-alive for those clients, too. Use variable "nokeepalive" for this. |
|
231 |
# Similarly, one has to force some clients to use HTTP/1.0 to workaround |
|
232 |
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and |
|
233 |
# "force-response-1.0" for this. |
|
234 |
BrowserMatch "MSIE [2-6]" \ |
|
235 |
nokeepalive ssl-unclean-shutdown \ |
|
236 |
downgrade-1.0 force-response-1.0 |
|
237 |
# MSIE 7 and newer should be able to use keepalive |
|
238 |
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown |
|
239 |
|
|
240 |
</VirtualHost> |
|
241 |
</IfModule> |
|
242 |
|
|
243 |
Configure and run apache:: |
|
244 |
|
|
245 |
a2enmod ssl |
|
246 |
a2enmod rewrite |
|
247 |
a2dissite default |
|
248 |
a2ensite pithos |
|
249 |
a2ensite pithos-ssl |
|
250 |
mkdir /var/www/pithos |
|
251 |
mkdir /var/www/pithos_web_client |
|
252 |
/etc/init.d/apache2 restart |