Trac on Solaris using Apache mod_python and https

If Trac is being used by a distributed team over the internet, we want to remove all privileges from unauthenticated (anonymous) users and grant them to authenticated users instead:

for perm in BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW \
  REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE TICKET_MODIFY TICKET_VIEW \
  TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW
do
  trac-admin $tracenv permission remove anonymous $perm
  trac-admin $tracenv permission add authenticated $perm
done
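
To confirm the loop left nothing behind, the following added example (not part of the original post) reads the listing printed by trac-admin's permission list command on standard input and reports anything anonymous still holds, plus any of the sixteen permissions that authenticated did not receive. It assumes the listing is a two-column User/Action table; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Trac permission listing after locking out anonymous.
# Assumption: stdin is the two-column "User  Action" table printed by
#   trac-admin "$tracenv" permission list

# The sixteen permissions moved from anonymous to authenticated.
PERMS="BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW \
REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE \
TICKET_MODIFY TICKET_VIEW TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW"

# Prints "LEAK <perm>" for every permission anonymous still holds and
# "MISSING <perm>" for every expected permission authenticated lacks.
# Exit status is 0 only when there are no findings.
audit_permissions() {
    awk -v perms="$PERMS" '
        BEGIN { n = split(perms, want, " ") }
        $1 == "anonymous"     { print "LEAK " $2; bad = 1 }
        $1 == "authenticated" { have[$2] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) { print "MISSING " want[i]; bad = 1 }
            exit bad
        }'
}

# Constructed sample listing: WIKI_VIEW was left on anonymous and only two
# permissions reached authenticated.
sample_listing() {
    cat <<'EOF'
User           Action
------------------------------
anonymous      WIKI_VIEW
authenticated  BROWSER_VIEW
authenticated  WIKI_VIEW
fred           TRAC_ADMIN
EOF
}

# Usage against a live environment:
#   trac-admin "$tracenv" permission list | audit_permissions
```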

We also want to encrypt traffic to the site. To do this I tried stunnel…

/opt/csw/bin/pkg-get -i stunnel

…and placed the following in /opt/csw/etc/stunnel/stunnel.conf

[https]
accept  = 443
connect = 8000

I also commented out the chroot setup. Once configured all that is required is to run

cd /opt/csw/etc/stunnel 
/opt/csw/bin/stunnel

…and change /var/opt/csw/trac/conf/trac.ini

[trac]
authz_file =
authz_module_name =
base_url = https://trac.mydomain.com

The bad news is that Trac 0.10.4 does not consistently use base_url, so creating a ticket, for example, redirects the user to an http page.

PATH=/opt/csw/bin:$PATH
tracenv=/var/opt/csw/trac
HTTPS=1; export HTTPS
nohup tracd --port 8000 $tracenv &

To resolve this issue I decided to move from tracd/stunnel to Apache2/mod_python. The default Solaris 10 distribution includes apache2 but not mod_python. Instead I installed mod_python from Blastwave, which in turn automatically installs the Blastwave cswapache2 package below /opt/csw/apache2.

pkg-get install ap2_modpython

We will want to run trac under apache2 using a dedicated account:

groupadd -g 202 trac
useradd -g trac -u 202 -d /var/opt/csw/trac trac
chown -R trac:trac /var/opt/csw/trac

Modified /opt/csw/apache2/etc/httpd.conf

User trac
Group trac
…
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
…

   SetHandler mod_python
   PythonInterpreter main_interpreter
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /var/opt/csw/trac

Created a self-signed certificate for the site:

cd /opt/csw/apache2/etc
PATH=$PATH:/usr/sfw/bin
/usr/sfw/bin/openssl genrsa -out server.key 2048
/usr/sfw/bin/openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/C=US/ST=Florida/O=My Company/CN=trac.mydomain.com"

Modified /opt/csw/apache2/etc/extra/httpd-ssl.conf

ServerName trac.mydomain.com
…

   SetHandler mod_python
   PythonInterpreter main_interpreter
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /var/opt/csw/trac

To start Blastwave Apache2 using SMF on Solaris:

svccfg -s cswapache2 setprop httpd/ssl=true
svccfg -s cswapache2 listprop

svcadm enable cswapache2

To check status

svcs cswapache2
svcs -xv
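
A check for the two redirect behaviours described above (the http-to-https RewriteRule, and Trac 0.10.4 redirects that ignore base_url), as an added example that is not part of the original post. Both functions read raw response headers on standard input; the function names, the use of curl to capture headers, and the sample response are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check redirect behaviour from saved response headers.
# Both functions read raw HTTP response headers on stdin.

# Succeeds only when the response to a plain-HTTP request is a 3xx
# redirect whose Location is an https:// URL (the RewriteRule at work).
forces_https() {
    tr -d '\r' | awk '
        NR == 1 && $2 ~ /^3[0-9][0-9]$/            { redirect = 1 }
        tolower($0) ~ /^location:[ \t]*https:\/\// { secure = 1 }
        END { exit !(redirect && secure) }'
}

# Prints any Location target that is an absolute http:// URL, which is how
# the Trac 0.10.4 base_url problem shows up; exit status 1 if one is found.
downgrading_redirects() {
    tr -d '\r' | awk '
        tolower($0) ~ /^location:/ {
            url = $0
            sub(/^[^:]*:[ \t]*/, "", url)
            if (tolower(url) ~ /^http:\/\//) { print url; bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample: a redirect after ticket creation that drops to http.
sample_newticket_response() {
    cat <<'EOF'
HTTP/1.1 302 Found
Location: http://trac.mydomain.com/ticket/1
Content-Length: 0
EOF
}

# Usage (curl is an assumption; any tool that saves headers will do):
#   curl -sI http://trac.mydomain.com/ | forces_https || echo "no https redirect"
```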

Trac on Solaris

Trac is a web-based software project management and bug/issue tracking system. Example publicly accessible sites that use Trac include

Getting Trac installed on Solaris 10 is easy; see http://trac.edgewall.org/wiki/TracOnSolaris. The question is, what next?

Blastwave packages are installed below /opt/csw (csw = Community SoftWare). /opt/csw/share/doc/trac/INSTALL provides the next steps. I used:

PATH=/opt/csw/bin:$PATH
MANPATH=/opt/csw/share/man:$MANPATH
tracenv=/var/opt/csw/trac
trac-admin $tracenv initenv
tracd --port 8000 $tracenv & # no authentication
firefox http://localhost:8000/trac

For a small number of users the tracd standalone server is good enough. Authentication can be managed with htdigest on Solaris 10 thusly:

/usr/apache2/bin/htdigest -c $tracenv/conf/users.htdigest mydomain.com fred

Tracd can then be started like this:

PATH=/opt/csw/bin:$PATH
tracenv=/var/opt/csw/trac
nohup tracd --port 8000 --auth "*,$tracenv/conf/users.htdigest,mydomain.com" $tracenv &

To change the logo, upload the new logo to /opt/csw/share/trac/htdocs and modify trac.ini:

[header_logo]
…
link = https://trac.mydomain.com/
src = common/mylogo.png
…
[project]
descr = My Trac
footer = Visit the Trac open source project at http://trac.edgewall.org/
icon = common/trac.ico
name = My Project
url = https://myproject.mydomain.com/

Trac is much easier to administer with the WebAdmin plugin, which for Trac 0.10.4 requires downloading and installing from source:

easy_install http://svn.edgewall.com/repos/trac/sandbox/webadmin/

To get started a Trac administrator has to be empowered:

trac-admin /var/opt/csw/trac permission add fred TRAC_ADMIN

To simplify account administration we’ll also try an account manager plugin:

/opt/csw/bin/easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.10

…and change /var/opt/csw/trac/conf/trac.ini

[components]
webadmin.* = enabled
trac.web.auth.LoginModule = disabled
acct_mgr.api = enabled
acct_mgr.htfile.HtDigestStore = enabled
acct_mgr.web_ui.AccountModule = enabled
acct_mgr.web_ui.LoginModule = enabled
acct_mgr.web_ui.RegistrationModule = disabled
acct_mgr.admin.AccountManagerAdminPage = enabled
[account-manager]
password_format = htdigest
password_store = HtDigestStore
password_file = /var/opt/csw/trac/conf/users.htdigest
htdigest_realm = mydomain.com

Tracd can then be started like this:

PATH=/opt/csw/bin:$PATH
tracenv=/var/opt/csw/trac
nohup tracd --port 8000 $tracenv &
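
The realm mydomain.com appears in three places on this page: the htdigest command, the tracd --auth argument, and htdigest_realm in trac.ini. An entry stored under a different realm will not authenticate. The following added example (not part of the original post or of the AccountManager plugin) reads the realm from trac.ini and checks every line of users.htdigest against it, assuming the standard user:realm:md5hex line format; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example: check that users.htdigest agrees with the realm in trac.ini.
# Assumption: htdigest lines have the form user:realm:md5hex.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { insect = ($1 == want); next }
        insect {
            split($0, kv, "=")
            k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_htdigest REALM < users.htdigest
# Prints "<line>: <problem>" for each bad entry; exit status 1 if any.
check_htdigest() {
    awk -F: -v realm="$1" '
        /^[ \t]*$/ { next }
        NF != 3 { print NR ": expected user:realm:digest"; bad = 1; next }
        $2 != realm {
            print NR ": user " $1 " is in realm " $2 ", Trac expects " realm
            bad = 1
        }
        length($3) != 32 || $3 !~ /^[0-9a-fA-F]+$/ {
            print NR ": user " $1 " digest is not 32 hex characters"
            bad = 1
        }
        END { exit bad }'
}

# Constructed sample (digests are placeholders, not real hashes).
sample_htdigest() {
    cat <<'EOF'
fred:mydomain.com:0123456789abcdef0123456789abcdef
wilma:trac:0123456789abcdef0123456789abcdef
barney:mydomain.com:xyz
EOF
}

# Usage with the paths from this page:
#   realm=$(ini_get /var/opt/csw/trac/conf/trac.ini account-manager htdigest_realm)
#   check_htdigest "$realm" < /var/opt/csw/trac/conf/users.htdigest
```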

To manage custom fields we’ll add another plugin

easy_install http://trac-hacks.org/svn/customfieldadminplugin/0.10

…and change /var/opt/csw/trac/conf/trac.ini

[components]
customfieldadmin.* = enabled