Changes between Version 2 and Version 3 of TracStandalone


Ignore:
Timestamp:
Mar 23, 2023, 6:44:37 AM (21 months ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracStandalone

    v2 v3  
    1 = Tracd =
     1= Tracd
    22
    33Tracd is a lightweight standalone Trac web server.
    44It can be used in a variety of situations, from a test or development server to a multiprocess setup behind another web server used as a load balancer.
    55
    6 == Pros ==
     6== Pros
    77
    88 * Fewer dependencies: You don't need to install apache or any other web-server.
     
    1010 * Automatic reloading: For development, Tracd can be used in ''auto_reload'' mode, which will automatically restart the server whenever you make a change to the code (in Trac itself or in a plugin).
    1111
    12 == Cons ==
     12== Cons
    1313
    1414 * Fewer features: Tracd implements a very simple web-server and is not as configurable or as scalable as Apache httpd.
    1515 * No native HTTPS support: [http://www.rickk.com/sslwrap/ sslwrap] can be used instead,
    16    or [http://trac.edgewall.org/wiki/STunnelTracd stunnel -- a tutorial on how to use stunnel with tracd] or Apache with mod_proxy.
    17 
    18 == Usage examples ==
     16   or [trac:wiki:STunnelTracd stunnel -- a tutorial on how to use stunnel with tracd] or Apache with mod_proxy.
     17
     18== Usage examples
    1919
    2020A single project on port 8080. (http://localhost:8080/)
    21 {{{
     21{{{#!sh
    2222 $ tracd -p 8080 /path/to/project
    2323}}}
    24 Stricly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use ''--hostname'' option.
    25 {{{
     24Strictly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use the `--hostname` option.
     25{{{#!sh
    2626 $ tracd --hostname=localhost -p 8080 /path/to/project
    2727}}}
    2828With more than one project. (http://localhost:8080/project1/ and http://localhost:8080/project2/)
    29 {{{
     29{{{#!sh
    3030 $ tracd -p 8080 /path/to/project1 /path/to/project2
    3131}}}
     
    3535
    3636An alternative way to serve multiple projects is to specify a parent directory in which each subdirectory is a Trac project, using the `-e` option. The example above could be rewritten:
    37 {{{
     37{{{#!sh
    3838 $ tracd -p 8080 -e /path/to
    3939}}}
    4040
    41 To exit the server on Windows, be sure to use {{{CTRL-BREAK}}} -- using {{{CTRL-C}}} will leave a Python process running in the background.
    42 
    43 == Installing as a Windows Service ==
    44 
    45 === Option 1 ===
    46 To install as a Windows service, get the [http://www.google.com/search?q=srvany.exe SRVANY] utility and run:
    47 {{{
     41There is support for the HTTPS protocol (//Since 1.3.4//). Specify the path to the PEM certificate file and keyfile using the `--certfile` and `--keyfile` options. You can specify just the `--certfile` option if you have a [https://docs.python.org/2/library/ssl.html#combined-key-and-certificate combined key and certificate].
     42
     43To exit the server on Windows, be sure to use `CTRL-BREAK` -- using `CTRL-C` will leave a Python process running in the background.
     44
     45== Installing as a Windows Service
     46
     47=== Option 1
     48To install as a Windows service, get the [https://www.google.com/search?q=srvany.exe SRVANY] utility and run:
     49{{{#!cmd
    4850 C:\path\to\instsrv.exe tracd C:\path\to\srvany.exe
    49  reg add HKLM\SYSTEM\CurrentControlSet\Services\tracd\Parameters /v Application /d "\"C:\path\to\python.exe\" \"C:\path\to\python\scripts\tracd-script.py\" <your tracd parameters>"
     51 reg add HKLM\SYSTEM\CurrentControlSet\Services\tracd\Parameters /v Application /d "\"C:\path\to\python.exe\" \"C:\path\to\python\scripts\tracd.exe\" <your tracd parameters>"
    5052 net start tracd
    5153}}}
    5254
    53 '''DO NOT''' use {{{tracd.exe}}}.  Instead register {{{python.exe}}} directly with {{{tracd-script.py}}} as a parameter.  If you use {{{tracd.exe}}}, it will spawn the python process without SRVANY's knowledge.  This python process will survive a {{{net stop tracd}}}.
     55{{{#!div style="border: 1pt dotted; margin: 1em;"
     56**Attention:** Do not use `tracd.exe` directly.  Instead register `python.exe` directly with `tracd.exe` as a parameter.  If you use `tracd.exe`, it will spawn the python process without SRVANY's knowledge.  This python process will survive a `net stop tracd`.
     57}}}
    5458
    5559If you want tracd to start automatically when you boot Windows, do:
    56 {{{
     60{{{#!cmd
    5761 sc config tracd start= auto
    5862}}}
     
    6569
    6670Three (string) parameters are provided:
    67 ||!AppDirectory ||C:\Python26\ ||
     71||!AppDirectory ||C:\Python27\ ||
    6872||Application ||python.exe ||
    69 ||!AppParameters ||scripts\tracd-script.py -p 8080 ... ||
     73||!AppParameters ||scripts\tracd.exe -p 8080 ... ||
    7074
    7175Note that, if the !AppDirectory is set as above, the paths of the executable ''and'' of the script name and parameter values are relative to the directory.  This makes updating Python a little simpler because the change can be limited, here, to a single point.
     
    7377}}}
    7478
    75 For Windows 7 User, srvany.exe may not be an option, so you can use [http://www.google.com/search?q=winserv.exe WINSERV] utility and run:
    76 {{{
    77 "C:\path\to\winserv.exe" install tracd -displayname "tracd" -start auto "C:\path\to\python.exe" c:\path\to\python\scripts\tracd-script.py <your tracd parameters>"
    78 
     79For Windows 7 User, srvany.exe may not be an option, so you can use [https://www.google.com/search?q=winserv.exe WINSERV] utility and run:
     80{{{#!cmd
     81"C:\path\to\winserv.exe" install tracd -displayname "tracd" -start auto "C:\path\to\python.exe" c:\path\to\python\scripts\tracd.exe <your tracd parameters>"
    7982net start tracd
    8083}}}
    8184
    82 === Option 2 ===
    83 
    84 Use [http://trac-hacks.org/wiki/WindowsServiceScript WindowsServiceScript], available at [http://trac-hacks.org/ Trac Hacks]. Installs, removes, starts, stops, etc. your Trac service.
    85 
    86 === Option 3 ===
     85=== Option 2
     86
     87Use [https://trac-hacks.org/wiki/WindowsServiceScript WindowsServiceScript], available at [https://trac-hacks.org/ Trac Hacks]. Installs, removes, starts, stops, etc. your Trac service.
     88
     89=== Option 3
    8790
    8891also cygwin's cygrunsrv.exe can be used:
    89 {{{
     92{{{#!sh
    9093$ cygrunsrv --install tracd --path /cygdrive/c/Python27/Scripts/tracd.exe --args '--port 8000 --env-parent-dir E:\IssueTrackers\Trac\Projects'
    9194$ net start tracd
    9295}}}
    9396
    94 == Using Authentication ==
    95 
    96 Tracd allows you to run Trac without the need for Apache, but you can take advantage of Apache's password tools (htpasswd and htdigest) to easily create a password file in the proper format for tracd to use in authentication. (It is also possible to create the password file without htpasswd or htdigest; see below for alternatives)
     97== Using Authentication
     98
     99Tracd allows you to run Trac without the need for Apache, but you can take advantage of Apache's password tools (`htpasswd` and `htdigest`) to easily create a password file in the proper format for tracd to use in authentication. (It is also possible to create the password file without `htpasswd` or `htdigest`; see below for alternatives)
     100
     101{{{#!div style="border: 1pt dotted; margin: 1em"
     102**Attention:** Make sure you place the generated password files on a filesystem which supports sub-second timestamps, as Trac will monitor their modified time and changes happening on a filesystem with too coarse-grained timestamp resolution (like `ext2` or `ext3` on Linux, or HFS+ on OSX).
     103}}}
    97104
    98105Tracd provides support for both Basic and Digest authentication. Digest is considered more secure. The examples below use Digest; to use Basic authentication, replace `--auth` with `--basic-auth` in the command line.
    99106
    100107The general format for using authentication is:
    101 {{{
     108{{{#!sh
    102109 $ tracd -p port --auth="base_project_dir,password_file_path,realm" project_path
    103110}}}
     
    115122Examples:
    116123
    117 {{{
     124{{{#!sh
    118125 $ tracd -p 8080 \
    119126   --auth="project1,/path/to/passwordfile,mycompany.com" /path/to/project1
     
    121128
    122129Of course, the password file can be be shared so that it is used for more than one project:
    123 {{{
     130{{{#!sh
    124131 $ tracd -p 8080 \
    125132   --auth="project1,/path/to/passwordfile,mycompany.com" \
     
    129136
    130137Another way to share the password file is to specify "*" for the project name:
    131 {{{
     138{{{#!sh
    132139 $ tracd -p 8080 \
    133140   --auth="*,/path/to/users.htdigest,mycompany.com" \
     
    135142}}}
    136143
    137 === Basic Authorization: Using a htpasswd password file ===
     144=== Basic Authorization: Using a htpasswd password file
    138145This section describes how to use `tracd` with Apache .htpasswd files.
    139146
    140   Note: It is necessary (at least with Python 2.6) to install the fcrypt package in order to
    141   decode some htpasswd formats.  Trac source code attempt an `import crypt` first, but there
    142   is no such package for Python 2.6. Only `SHA-1` passwords (since Trac 1.0) work without this module.
     147  Note: On Windows It is necessary to install the [https://pypi.python.org/pypi/passlib passlib]
     148  package in order to decode some htpasswd formats. Only `SHA-1` passwords (since Trac 1.0)
     149  work without this module.
    143150
    144151To create a .htpasswd file use Apache's `htpasswd` command (see [#GeneratingPasswordsWithoutApache below] for a method to create these files without using Apache):
    145 {{{
     152{{{#!sh
    146153 $ sudo htpasswd -c /path/to/env/.htpasswd username
    147154}}}
    148155then for additional users:
    149 {{{
     156{{{#!sh
    150157 $ sudo htpasswd /path/to/env/.htpasswd username2
    151158}}}
    152159
    153160Then to start `tracd` run something like this:
    154 {{{
    155  $ tracd -p 8080 --basic-auth="projectdirname,/fullpath/environmentname/.htpasswd,realmname" /fullpath/environmentname
     161{{{#!sh
     162 $ tracd -p 8080 --basic-auth="project,/fullpath/environmentname/.htpasswd,realmname" /path/to/project
    156163}}}
    157164
    158165For example:
    159 {{{
    160  $ tracd -p 8080 --basic-auth="testenv,/srv/tracenv/testenv/.htpasswd,My Test Env" /srv/tracenv/testenv
     166{{{#!sh
     167 $ tracd -p 8080 --basic-auth="project,/srv/tracenv/testenv/.htpasswd,My Test Env" /path/to/project
    161168}}}
    162169''Note:'' You might need to pass "-m" as a parameter to htpasswd on some platforms (OpenBSD).
    163170
    164 === Digest authentication: Using a htdigest password file ===
    165 
    166 If you have Apache available, you can use the htdigest command to generate the password file. Type 'htdigest' to get some usage instructions, or read [http://httpd.apache.org/docs/2.0/programs/htdigest.html this page] from the Apache manual to get precise instructions.  You'll be prompted for a password to enter for each user that you create.  For the name of the password file, you can use whatever you like, but if you use something like `users.htdigest` it will remind you what the file contains. As a suggestion, put it in your <projectname>/conf folder along with the [TracIni trac.ini] file.
     171=== Digest authentication: Using a htdigest password file
     172
     173If you have Apache available, you can use the htdigest command to generate the password file. Type 'htdigest' to get some usage instructions, or read [https://httpd.apache.org/docs/2.0/programs/htdigest.html this page] from the Apache manual to get precise instructions.  You'll be prompted for a password to enter for each user that you create.  For the name of the password file, you can use whatever you like, but if you use something like `users.htdigest` it will remind you what the file contains. As a suggestion, put it in your <projectname>/conf folder along with the [TracIni trac.ini] file.
    167174
    168175Note that you can start tracd without the `--auth` argument, but if you click on the ''Login'' link you will get an error.
    169176
    170 === Generating Passwords Without Apache ===
    171 
    172 Basic Authorization can be accomplished via this [http://aspirine.org/htpasswd_en.html online HTTP Password generator] which also supports `SHA-1`.  Copy the generated password-hash line to the .htpasswd file on your system. Note that Windows Python lacks the "crypt" module that is the default hash type for htpasswd ; Windows Python can grok MD5 password hashes just fine and you should use MD5.
    173 
    174 You can use this simple Python script to generate a '''digest''' password file:
    175 
    176 {{{
    177 #!python
    178 from optparse import OptionParser
    179 # The md5 module is deprecated in Python 2.5
    180 try:
    181     from hashlib import md5
    182 except ImportError:
    183     from md5 import md5
    184 realm = 'trac'
    185 
    186 # build the options
    187 usage = "usage: %prog [options]"
    188 parser = OptionParser(usage=usage)
    189 parser.add_option("-u", "--username",action="store", dest="username", type = "string",
    190                   help="the username for whom to generate a password")
    191 parser.add_option("-p", "--password",action="store", dest="password", type = "string",
    192                   help="the password to use")
    193 parser.add_option("-r", "--realm",action="store", dest="realm", type = "string",
    194                   help="the realm in which to create the digest")
    195 (options, args) = parser.parse_args()
    196 
    197 # check options
    198 if (options.username is None) or (options.password is None):
    199    parser.error("You must supply both the username and password")
    200 if (options.realm is not None):
    201    realm = options.realm
    202    
    203 # Generate the string to enter into the htdigest file
    204 kd = lambda x: md5(':'.join(x)).hexdigest()
    205 print ':'.join((options.username, realm, kd([options.username, realm, options.password])))
    206 }}}
    207 
    208 Note: If you use the above script you must set the realm in the `--auth` argument to '''`trac`'''. Example usage (assuming you saved the script as trac-digest.py):
    209 
    210 {{{
    211  $ python trac-digest.py -u username -p password >> c:\digest.txt
    212  $ tracd --port 8000 --auth=proj_name,c:\digest.txt,trac c:\path\to\proj_name
     177=== Generating Passwords Without Apache
     178
     179Basic Authorization can be accomplished via this [http://aspirine.org/htpasswd_en.html online HTTP Password generator] which also supports `SHA-1`.  Copy the generated password-hash line to the .htpasswd file on your system. Note that Windows Python lacks the "crypt" module that is the default hash type for htpasswd. Windows Python can grok MD5 password hashes just fine and you should use MD5.
     180
     181Trac also provides `htpasswd` and `htdigest` scripts in `contrib`:
     182{{{#!sh
     183$ ./contrib/htpasswd.py -cb htpasswd user1 user1
     184$ ./contrib/htpasswd.py -b htpasswd user2 user2
     185}}}
     186
     187{{{#!sh
     188$ ./contrib/htdigest.py -cb htdigest trac user1 user1
     189$ ./contrib/htdigest.py -b htdigest trac user2 user2
    213190}}}
    214191
    215192==== Using `md5sum`
    216193It is possible to use `md5sum` utility to generate digest-password file:
    217 {{{
     194{{{#!sh
    218195user=
    219196realm=
     
    223200}}}
    224201
    225 == Reference ==
    226 
    227 Here's the online help, as a reminder (`tracd --help`):
     202== Reference
     203
     204Here's the online help, as a reminder (`tracd -h` or `tracd --help`):
    228205{{{
    229 Usage: tracd [options] [projenv] ...
    230 
    231 Options:
     206usage: tracd [-h] [--version] [-e PARENTDIR | -s]
     207             [-a DIGESTAUTH | --basic-auth BASICAUTH] [-p PORT] [-b HOSTNAME]
     208             [--protocol {http,https,scgi,ajp,fcgi}] [--certfile CERTFILE]
     209             [--keyfile KEYFILE] [-q] [--base-path BASE_PATH]
     210             [--http10 | --http11] [-r | -d] [--pidfile PIDFILE]
     211             [--umask MASK] [--group GROUP] [--user USER]
     212             [envs [envs ...]]
     213
     214positional arguments:
     215  envs                  path of the project environment(s)
     216
     217optional arguments:
     218  -h, --help            show this help message and exit
    232219  --version             show program's version number and exit
    233   -h, --help            show this help message and exit
    234   -a DIGESTAUTH, --auth=DIGESTAUTH
     220  -e PARENTDIR, --env-parent-dir PARENTDIR
     221                        parent directory of the project environments
     222  -s, --single-env      only serve a single project without the project list
     223  -a DIGESTAUTH, --auth DIGESTAUTH
    235224                        [projectdir],[htdigest_file],[realm]
    236   --basic-auth=BASICAUTH
     225  --basic-auth BASICAUTH
    237226                        [projectdir],[htpasswd_file],[realm]
    238   -p PORT, --port=PORT  the port number to bind to
    239   -b HOSTNAME, --hostname=HOSTNAME
     227  -p PORT, --port PORT  the port number to bind to
     228  -b HOSTNAME, --hostname HOSTNAME
    240229                        the host name or IP address to bind to
    241   --protocol=PROTOCOL   http|scgi|ajp|fcgi
    242   -q, --unquote         unquote PATH_INFO (may be needed when using ajp)
    243   --http10              use HTTP/1.0 protocol version instead of HTTP/1.1
    244   --http11              use HTTP/1.1 protocol version (default)
    245   -e PARENTDIR, --env-parent-dir=PARENTDIR
    246                         parent directory of the project environments
    247   --base-path=BASE_PATH
     230  --protocol {http,https,scgi,ajp,fcgi}
     231                        the server protocol (default: http)
     232  --certfile CERTFILE   PEM certificate file for HTTPS
     233  --keyfile KEYFILE     PEM key file for HTTPS
     234  -q, --unquote         unquote PATH_INFO (may be needed when using the ajp
     235                        protocol)
     236  --base-path BASE_PATH
    248237                        the initial portion of the request URL's "path"
     238  --http10              use HTTP/1.0 protocol instead of HTTP/1.1
     239  --http11              use HTTP/1.1 protocol (default)
    249240  -r, --auto-reload     restart automatically when sources are modified
    250   -s, --single-env      only serve a single project without the project list
    251241  -d, --daemonize       run in the background as a daemon
    252   --pidfile=PIDFILE     when daemonizing, file to which to write pid
    253   --umask=MASK          when daemonizing, file mode creation mask to use, in
    254                         octal notation (default 022)
    255   --group=GROUP         the group to run as
    256   --user=USER           the user to run as
     242  --pidfile PIDFILE     file to write pid when daemonizing
     243  --umask MASK          when daemonizing, file mode creation mask to use, in
     244                        octal notation (default: 022)
     245  --group GROUP         the group to run as
     246  --user USER           the user to run as
    257247}}}
    258248
    259249Use the -d option so that tracd doesn't hang if you close the terminal window where tracd was started.
    260250
    261 == Tips ==
    262 
    263 === Serving static content ===
    264 
    265 If `tracd` is the only web server used for the project, 
    266 it can also be used to distribute static content 
     251== Tips
     252
     253=== Serving static content
     254
     255If `tracd` is the only web server used for the project,
     256it can also be used to distribute static content
    267257(tarballs, Doxygen documentation, etc.)
    268258
     
    271261
    272262Example: given a `$TRAC_ENV/htdocs/software-0.1.tar.gz` file,
    273 the corresponding relative URL would be `/<project_name>/chrome/site/software-0.1.tar.gz`,
    274 which in turn can be written as `htdocs:software-0.1.tar.gz` (TracLinks syntax) or `[/<project_name>/chrome/site/software-0.1.tar.gz]` (relative link syntax).
    275 
    276  ''Support for `htdocs:` TracLinks syntax was added in version 0.10''
     263the corresponding relative URL would be `/<project_name>/chrome/site/software-0.1.tar.gz`,
     264which in turn can be written as `htdocs:software-0.1.tar.gz` (TracLinks syntax) or `[/<project_name>/chrome/site/software-0.1.tar.gz]` (relative link syntax).
    277265
    278266=== Using tracd behind a proxy
     
    287275
    288276=== Authentication for tracd behind a proxy
    289 It is convenient to provide central external authentication to your tracd instances, instead of using {{{--basic-auth}}}. There is some discussion about this in #9206.
     277It is convenient to provide central external authentication to your tracd instances, instead of using `--basic-auth`. There is some discussion about this in [trac:#9206].
    290278
    291279Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap.
     
    293281First we bring tracd into Apache's location namespace.
    294282
    295 {{{
     283{{{#!apache
    296284<Location /project/proxified>
    297285        Require ldap-group cn=somegroup, ou=Groups,dc=domain.com
     
    304292
    305293Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory:
    306 {{{
    307 #!python
     294{{{#!python
    308295from trac.core import *
    309296from trac.config import BoolOption
     
    314301    implements(IAuthenticator)
    315302
    316     obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false', 
    317                """Whether the 'Remote-User:' HTTP header is to be trusted for user logins 
    318                 (''since ??.??').""") 
     303    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
     304               """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
     305                (''since ??.??').""")
    319306
    320307    def authenticate(self, req):
    321         if self.obey_remote_user_header and req.get_header('Remote-User'): 
    322             return req.get_header('Remote-User') 
     308        if self.obey_remote_user_header and req.get_header('Remote-User'):
     309            return req.get_header('Remote-User')
    323310        return None
    324311
     
    326313
    327314Add this new parameter to your TracIni:
    328 {{{
    329 ...
     315{{{#!ini
    330316[trac]
    331317...
     
    335321
    336322Run tracd:
    337 {{{
    338 tracd -p 8101 -r -s proxified --base-path=/project/proxified
     323{{{#!sh
     324tracd -p 8101 -s proxified --base-path=/project/proxified
    339325}}}
    340326
     
    342328
    343329Global config (e.g. `/srv/trac/conf/trac.ini`):
    344 {{{
     330{{{#!ini
    345331[components]
    346332remote-user-auth.* = enabled
     
    352338
    353339Environment config (e.g. `/srv/trac/envs/myenv`):
    354 {{{
     340{{{#!ini
    355341[inherit]
    356342file = /srv/trac/conf/trac.ini
    357343}}}
    358344
    359 === Serving a different base path than / ===
     345=== Serving a different base path than /
    360346Tracd supports serving projects with different base urls than /<project>. The parameter name to change this is
    361 {{{
     347{{{#!sh
    362348 $ tracd --base-path=/some/path
    363349}}}