Changes between Version 3 and Version 4 of TracStandalone
- Timestamp:
- Dec 4, 2020, 2:27:59 PM (4 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
TracStandalone
v3 v4 1 = Tracd =1 = Tracd 2 2 3 3 Tracd is a lightweight standalone Trac web server. 4 4 It can be used in a variety of situations, from a test or development server to a multiprocess setup behind another web server used as a load balancer. 5 5 6 == Pros ==6 == Pros 7 7 8 8 * Fewer dependencies: You don't need to install apache or any other web-server. … … 10 10 * Automatic reloading: For development, Tracd can be used in ''auto_reload'' mode, which will automatically restart the server whenever you make a change to the code (in Trac itself or in a plugin). 11 11 12 == Cons ==12 == Cons 13 13 14 14 * Fewer features: Tracd implements a very simple web-server and is not as configurable or as scalable as Apache httpd. 15 15 * No native HTTPS support: [http://www.rickk.com/sslwrap/ sslwrap] can be used instead, 16 or [ http://trac.edgewall.org/wiki/STunnelTracd stunnel -- a tutorial on how to use stunnel with tracd] or Apache with mod_proxy.17 18 == Usage examples ==16 or [trac:wiki:STunnelTracd stunnel -- a tutorial on how to use stunnel with tracd] or Apache with mod_proxy. 17 18 == Usage examples 19 19 20 20 A single project on port 8080. (http://localhost:8080/) 21 {{{ 21 {{{#!sh 22 22 $ tracd -p 8080 /path/to/project 23 23 }}} 24 Stric ly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use ''--hostname''option.25 {{{ 24 Strictly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use the `--hostname` option. 25 {{{#!sh 26 26 $ tracd --hostname=localhost -p 8080 /path/to/project 27 27 }}} 28 28 With more than one project. (http://localhost:8080/project1/ and http://localhost:8080/project2/) 29 {{{ 29 {{{#!sh 30 30 $ tracd -p 8080 /path/to/project1 /path/to/project2 31 31 }}} … … 35 35 36 36 An alternative way to serve multiple projects is to specify a parent directory in which each subdirectory is a Trac project, using the `-e` option. The example above could be rewritten: 37 {{{ 37 {{{#!sh 38 38 $ tracd -p 8080 -e /path/to 39 39 }}} 40 40 41 To exit the server on Windows, be sure to use {{{CTRL-BREAK}}} -- using {{{CTRL-C}}} will leave a Python process running in the background. 42 43 == Installing as a Windows Service == 44 45 === Option 1 === 41 There is support for the HTTPS protocol (//Since 1.3.4//). Specify the path to the PEM certificate file and keyfile using the `--certfile` and `--keyfile` options. You can specify just the `--certfile` option if you have a [https://docs.python.org/2/library/ssl.html#combined-key-and-certificate combined key and certificate]. 42 43 To exit the server on Windows, be sure to use `CTRL-BREAK` -- using `CTRL-C` will leave a Python process running in the background. 44 45 == Installing as a Windows Service 46 47 === Option 1 46 48 To install as a Windows service, get the [http://www.google.com/search?q=srvany.exe SRVANY] utility and run: 47 {{{ 49 {{{#!cmd 48 50 C:\path\to\instsrv.exe tracd C:\path\to\srvany.exe 49 reg add HKLM\SYSTEM\CurrentControlSet\Services\tracd\Parameters /v Application /d "\"C:\path\to\python.exe\" \"C:\path\to\python\scripts\tracd -script.py\" <your tracd parameters>"51 reg add HKLM\SYSTEM\CurrentControlSet\Services\tracd\Parameters /v Application /d "\"C:\path\to\python.exe\" \"C:\path\to\python\scripts\tracd.exe\" <your tracd parameters>" 50 52 net start tracd 51 53 }}} 52 54 53 '''DO NOT''' use {{{tracd.exe}}}. Instead register {{{python.exe}}} directly with {{{tracd-script.py}}} as a parameter. If you use {{{tracd.exe}}}, it will spawn the python process without SRVANY's knowledge. This python process will survive a {{{net stop tracd}}}. 55 {{{#!div style="border: 1pt dotted; margin: 1em;" 56 **Attention:** Do not use `tracd.exe` directly. Instead register `python.exe` directly with `tracd.exe` as a parameter. If you use `tracd.exe`, it will spawn the python process without SRVANY's knowledge. This python process will survive a `net stop tracd`. 57 }}} 54 58 55 59 If you want tracd to start automatically when you boot Windows, do: 56 {{{ 60 {{{#!cmd 57 61 sc config tracd start= auto 58 62 }}} … … 65 69 66 70 Three (string) parameters are provided: 67 ||!AppDirectory ||C:\Python2 6\ ||71 ||!AppDirectory ||C:\Python27\ || 68 72 ||Application ||python.exe || 69 ||!AppParameters ||scripts\tracd -script.py-p 8080 ... ||73 ||!AppParameters ||scripts\tracd.exe -p 8080 ... || 70 74 71 75 Note that, if the !AppDirectory is set as above, the paths of the executable ''and'' of the script name and parameter values are relative to the directory. This makes updating Python a little simpler because the change can be limited, here, to a single point. … … 74 78 75 79 For Windows 7 User, srvany.exe may not be an option, so you can use [http://www.google.com/search?q=winserv.exe WINSERV] utility and run: 76 {{{ 77 "C:\path\to\winserv.exe" install tracd -displayname "tracd" -start auto "C:\path\to\python.exe" c:\path\to\python\scripts\tracd-script.py <your tracd parameters>" 78 80 {{{#!cmd 81 "C:\path\to\winserv.exe" install tracd -displayname "tracd" -start auto "C:\path\to\python.exe" c:\path\to\python\scripts\tracd.exe <your tracd parameters>" 79 82 net start tracd 80 83 }}} 81 84 82 === Option 2 ===85 === Option 2 83 86 84 87 Use [http://trac-hacks.org/wiki/WindowsServiceScript WindowsServiceScript], available at [http://trac-hacks.org/ Trac Hacks]. Installs, removes, starts, stops, etc. your Trac service. 85 88 86 == Using Authentication == 89 === Option 3 90 91 also cygwin's cygrunsrv.exe can be used: 92 {{{#!sh 93 $ cygrunsrv --install tracd --path /cygdrive/c/Python27/Scripts/tracd.exe --args '--port 8000 --env-parent-dir E:\IssueTrackers\Trac\Projects' 94 $ net start tracd 95 }}} 96 97 == Using Authentication 98 99 Tracd allows you to run Trac without the need for Apache, but you can take advantage of Apache's password tools (`htpasswd` and `htdigest`) to easily create a password file in the proper format for tracd to use in authentication. (It is also possible to create the password file without `htpasswd` or `htdigest`; see below for alternatives) 100 101 {{{#!div style="border: 1pt dotted; margin: 1em" 102 **Attention:** Make sure you place the generated password files on a filesystem which supports sub-second timestamps, as Trac will monitor their modified time and changes happening on a filesystem with too coarse-grained timestamp resolution (like `ext2` or `ext3` on Linux, or HFS+ on OSX). 103 }}} 87 104 88 105 Tracd provides support for both Basic and Digest authentication. Digest is considered more secure. The examples below use Digest; to use Basic authentication, replace `--auth` with `--basic-auth` in the command line. 89 106 90 107 The general format for using authentication is: 91 {{{ 108 {{{#!sh 92 109 $ tracd -p port --auth="base_project_dir,password_file_path,realm" project_path 93 110 }}} … … 105 122 Examples: 106 123 107 {{{ 124 {{{#!sh 108 125 $ tracd -p 8080 \ 109 126 --auth="project1,/path/to/passwordfile,mycompany.com" /path/to/project1 … … 111 128 112 129 Of course, the password file can be be shared so that it is used for more than one project: 113 {{{ 130 {{{#!sh 114 131 $ tracd -p 8080 \ 115 132 --auth="project1,/path/to/passwordfile,mycompany.com" \ … … 119 136 120 137 Another way to share the password file is to specify "*" for the project name: 121 {{{ 138 {{{#!sh 122 139 $ tracd -p 8080 \ 123 140 --auth="*,/path/to/users.htdigest,mycompany.com" \ … … 125 142 }}} 126 143 127 === Basic Authorization: Using a htpasswd password file ===144 === Basic Authorization: Using a htpasswd password file 128 145 This section describes how to use `tracd` with Apache .htpasswd files. 129 146 147 Note: On Windows It is necessary to install the [https://pypi.python.org/pypi/passlib passlib] 148 package in order to decode some htpasswd formats. Only `SHA-1` passwords (since Trac 1.0) 149 work without this module. 150 130 151 To create a .htpasswd file use Apache's `htpasswd` command (see [#GeneratingPasswordsWithoutApache below] for a method to create these files without using Apache): 131 {{{ 152 {{{#!sh 132 153 $ sudo htpasswd -c /path/to/env/.htpasswd username 133 154 }}} 134 155 then for additional users: 135 {{{ 156 {{{#!sh 136 157 $ sudo htpasswd /path/to/env/.htpasswd username2 137 158 }}} 138 159 139 160 Then to start `tracd` run something like this: 140 {{{ 141 $ tracd -p 8080 --basic-auth="project dirname,/fullpath/environmentname/.htpasswd,realmname" /fullpath/environmentname161 {{{#!sh 162 $ tracd -p 8080 --basic-auth="project,/fullpath/environmentname/.htpasswd,realmname" /path/to/project 142 163 }}} 143 164 144 165 For example: 145 {{{ 146 $ tracd -p 8080 --basic-auth=" testenv,/srv/tracenv/testenv/.htpasswd,My Test Env" /srv/tracenv/testenv166 {{{#!sh 167 $ tracd -p 8080 --basic-auth="project,/srv/tracenv/testenv/.htpasswd,My Test Env" /path/to/project 147 168 }}} 148 169 ''Note:'' You might need to pass "-m" as a parameter to htpasswd on some platforms (OpenBSD). 149 170 150 === Digest authentication: Using a htdigest password file ===171 === Digest authentication: Using a htdigest password file 151 172 152 173 If you have Apache available, you can use the htdigest command to generate the password file. Type 'htdigest' to get some usage instructions, or read [http://httpd.apache.org/docs/2.0/programs/htdigest.html this page] from the Apache manual to get precise instructions. You'll be prompted for a password to enter for each user that you create. For the name of the password file, you can use whatever you like, but if you use something like `users.htdigest` it will remind you what the file contains. As a suggestion, put it in your <projectname>/conf folder along with the [TracIni trac.ini] file. 153 174 154 Note that you can start tracd without the --auth argument, but if you click on the ''Login'' link you will get an error. 155 156 === Generating Passwords Without Apache === 157 158 Basic Authorization can be accomplished via this [http://www.4webhelp.net/us/password.php online HTTP Password generator]. Copy the generated password-hash line to the .htpasswd file on your system. 159 160 You can use this simple Python script to generate a '''digest''' password file: 161 162 {{{ 163 #!python 164 from optparse import OptionParser 165 # The md5 module is deprecated in Python 2.5 166 try: 167 from hashlib import md5 168 except ImportError: 169 from md5 import md5 170 realm = 'trac' 171 172 # build the options 173 usage = "usage: %prog [options]" 174 parser = OptionParser(usage=usage) 175 parser.add_option("-u", "--username",action="store", dest="username", type = "string", 176 help="the username for whom to generate a password") 177 parser.add_option("-p", "--password",action="store", dest="password", type = "string", 178 help="the password to use") 179 parser.add_option("-r", "--realm",action="store", dest="realm", type = "string", 180 help="the realm in which to create the digest") 181 (options, args) = parser.parse_args() 182 183 # check options 184 if (options.username is None) or (options.password is None): 185 parser.error("You must supply both the username and password") 186 if (options.realm is not None): 187 realm = options.realm 188 189 # Generate the string to enter into the htdigest file 190 kd = lambda x: md5(':'.join(x)).hexdigest() 191 print ':'.join((options.username, realm, kd([options.username, realm, options.password]))) 192 }}} 193 194 Note: If you use the above script you must set the realm in the `--auth` argument to '''`trac`'''. Example usage (assuming you saved the script as trac-digest.py): 195 196 {{{ 197 $ python trac-digest.py -u username -p password >> c:\digest.txt 198 $ tracd --port 8000 --auth=proj_name,c:\digest.txt,trac c:\path\to\proj_name 175 Note that you can start tracd without the `--auth` argument, but if you click on the ''Login'' link you will get an error. 176 177 === Generating Passwords Without Apache 178 179 Basic Authorization can be accomplished via this [http://aspirine.org/htpasswd_en.html online HTTP Password generator] which also supports `SHA-1`. Copy the generated password-hash line to the .htpasswd file on your system. Note that Windows Python lacks the "crypt" module that is the default hash type for htpasswd. Windows Python can grok MD5 password hashes just fine and you should use MD5. 180 181 Trac also provides `htpasswd` and `htdigest` scripts in `contrib`: 182 {{{#!sh 183 $ ./contrib/htpasswd.py -cb htpasswd user1 user1 184 $ ./contrib/htpasswd.py -b htpasswd user2 user2 185 }}} 186 187 {{{#!sh 188 $ ./contrib/htdigest.py -cb htdigest trac user1 user1 189 $ ./contrib/htdigest.py -b htdigest trac user2 user2 199 190 }}} 200 191 201 192 ==== Using `md5sum` 202 193 It is possible to use `md5sum` utility to generate digest-password file: 194 {{{#!sh 195 user= 196 realm= 197 password= 198 path_to_file= 199 echo ${user}:${realm}:$(printf "${user}:${realm}:${password}" | md5sum - | sed -e 's/\s\+-//') > ${path_to_file} 200 }}} 201 202 == Reference 203 204 Here's the online help, as a reminder (`tracd -h` or `tracd --help`): 203 205 {{{ 204 $ printf "${user}:trac:${password}" | md5sum - >>user.htdigest 205 }}} 206 and manually delete " -" from the end and add "${user}:trac:" to the start of line from 'to-file'. 207 208 == Reference == 209 210 Here's the online help, as a reminder (`tracd --help`): 211 {{{ 212 Usage: tracd [options] [projenv] ... 213 214 Options: 206 usage: tracd [-h] [--version] [-e PARENTDIR | -s] 207 [-a DIGESTAUTH | --basic-auth BASICAUTH] [-p PORT] [-b HOSTNAME] 208 [--protocol {http,https,scgi,ajp,fcgi}] [--certfile CERTFILE] 209 [--keyfile KEYFILE] [-q] [--base-path BASE_PATH] 210 [--http10 | --http11] [-r | -d] [--pidfile PIDFILE] 211 [--umask MASK] [--group GROUP] [--user USER] 212 [envs [envs ...]] 213 214 positional arguments: 215 envs path of the project environment(s) 216 217 optional arguments: 218 -h, --help show this help message and exit 215 219 --version show program's version number and exit 216 -h, --help show this help message and exit 217 -a DIGESTAUTH, --auth=DIGESTAUTH 220 -e PARENTDIR, --env-parent-dir PARENTDIR 221 parent directory of the project environments 222 -s, --single-env only serve a single project without the project list 223 -a DIGESTAUTH, --auth DIGESTAUTH 218 224 [projectdir],[htdigest_file],[realm] 219 --basic-auth =BASICAUTH225 --basic-auth BASICAUTH 220 226 [projectdir],[htpasswd_file],[realm] 221 -p PORT, --port =PORT the port number to bind to222 -b HOSTNAME, --hostname =HOSTNAME227 -p PORT, --port PORT the port number to bind to 228 -b HOSTNAME, --hostname HOSTNAME 223 229 the host name or IP address to bind to 224 --protocol =PROTOCOL http|scgi|ajp225 -q, --unquote unquote PATH_INFO (may be needed when using ajp)226 -- http10 use HTTP/1.0 protocol version (default)227 -- http11 use HTTP/1.1 protocol version instead of HTTP/1.0228 - e PARENTDIR, --env-parent-dir=PARENTDIR229 p arent directory of the project environments230 --base-path =BASE_PATH230 --protocol {http,https,scgi,ajp,fcgi} 231 the server protocol (default: http) 232 --certfile CERTFILE PEM certificate file for HTTPS 233 --keyfile KEYFILE PEM key file for HTTPS 234 -q, --unquote unquote PATH_INFO (may be needed when using the ajp 235 protocol) 236 --base-path BASE_PATH 231 237 the initial portion of the request URL's "path" 238 --http10 use HTTP/1.0 protocol instead of HTTP/1.1 239 --http11 use HTTP/1.1 protocol (default) 232 240 -r, --auto-reload restart automatically when sources are modified 233 -s, --single-env only serve a single project without the project list 234 }}} 235 236 == Tips == 237 238 === Serving static content === 241 -d, --daemonize run in the background as a daemon 242 --pidfile PIDFILE file to write pid when daemonizing 243 --umask MASK when daemonizing, file mode creation mask to use, in 244 octal notation (default: 022) 245 --group GROUP the group to run as 246 --user USER the user to run as 247 }}} 248 249 Use the -d option so that tracd doesn't hang if you close the terminal window where tracd was started. 250 251 == Tips 252 253 === Serving static content 239 254 240 255 If `tracd` is the only web server used for the project, … … 247 262 Example: given a `$TRAC_ENV/htdocs/software-0.1.tar.gz` file, 248 263 the corresponding relative URL would be `/<project_name>/chrome/site/software-0.1.tar.gz`, 249 which in turn can be written as `htdocs:software-0.1.tar.gz` (TracLinks syntax) or `[/<project_name>/chrome/site/software-0.1.tar.gz]` (relative link syntax). 250 251 ''Support for `htdocs:` TracLinks syntax was added in version 0.10'' 264 which in turn can be written as `htdocs:software-0.1.tar.gz` (TracLinks syntax) or `[/<project_name>/chrome/site/software-0.1.tar.gz]` (relative link syntax). 252 265 253 266 === Using tracd behind a proxy … … 261 274 See also [trac:TracOnWindowsIisAjp], [trac:TracNginxRecipe]. 262 275 263 === Serving a different base path than / === 276 === Authentication for tracd behind a proxy 277 It is convenient to provide central external authentication to your tracd instances, instead of using `--basic-auth`. There is some discussion about this in [trac:#9206]. 278 279 Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap. 280 281 First we bring tracd into Apache's location namespace. 282 283 {{{#!apache 284 <Location /project/proxified> 285 Require ldap-group cn=somegroup, ou=Groups,dc=domain.com 286 Require ldap-user somespecificusertoo 287 ProxyPass http://localhost:8101/project/proxified/ 288 # Turns out we don't really need complicated RewriteRules here at all 289 RequestHeader set REMOTE_USER %{REMOTE_USER}s 290 </Location> 291 }}} 292 293 Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory: 294 {{{#!python 295 from trac.core import * 296 from trac.config import BoolOption 297 from trac.web.api import IAuthenticator 298 299 class MyRemoteUserAuthenticator(Component): 300 301 implements(IAuthenticator) 302 303 obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false', 304 """Whether the 'Remote-User:' HTTP header is to be trusted for user logins 305 (''since ??.??').""") 306 307 def authenticate(self, req): 308 if self.obey_remote_user_header and req.get_header('Remote-User'): 309 return req.get_header('Remote-User') 310 return None 311 312 }}} 313 314 Add this new parameter to your TracIni: 315 {{{#!ini 316 [trac] 317 ... 318 obey_remote_user_header = true 319 ... 320 }}} 321 322 Run tracd: 323 {{{#!sh 324 tracd -p 8101 -s proxified --base-path=/project/proxified 325 }}} 326 327 Note that if you want to install this plugin for all projects, you have to put it in your [TracPlugins#Plugindiscovery global plugins_dir] and enable it in your global trac.ini. 328 329 Global config (e.g. `/srv/trac/conf/trac.ini`): 330 {{{#!ini 331 [components] 332 remote-user-auth.* = enabled 333 [inherit] 334 plugins_dir = /srv/trac/plugins 335 [trac] 336 obey_remote_user_header = true 337 }}} 338 339 Environment config (e.g. `/srv/trac/envs/myenv`): 340 {{{#!ini 341 [inherit] 342 file = /srv/trac/conf/trac.ini 343 }}} 344 345 === Serving a different base path than / 264 346 Tracd supports serving projects with different base urls than /<project>. The parameter name to change this is 265 {{{ 347 {{{#!sh 266 348 $ tracd --base-path=/some/path 267 349 }}}