Trac on Solaris using Apache mod_python and https

If Trac is being used by a distributed team over the internet we want to remove all privileges from unauthenticated users:

for perm in BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW 
REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE TICKET_MODIFY TICKET_VIEW 
TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW
do
  trac-admin $tracenv permission remove anonymous $perm
  trac-admin $tracenv permission add authenticated $perm
done

We also want to encrypt traffic to the site. To do this I tried stunnel…

/opt/csw/bin/pkg-get -i stunnel

…and placed the following in /opt/csw/etc/stunnel/stunnel.conf

 [https]
accept  = 443
connect = 8000

I also commented out the chroot setup. Once configured all that is required is to run

cd /opt/csw/etc/stunnel 
/opt/csw/bin/stunnel

…and change /var/opt/csw/trac/conf/trac.ini

 [trac]
authz_file =
authz_module_name =
base_url = https://trac.mydomain.com

The bad news is that Trac 0.10.4 does not consistently use base_url, so creating a ticket, for example, redirects the user to an http page.

PATH=/opt/csw/bin:$PATH
tracenv=/var/opt/csw/trac
HTTPS=1; export HTTPS
nohup tracd --port 8000 $tracenv &

To resolve this issue I decided to move from tracd/stunnel to Apache2/mod_python. The default Solaris 10 distribution includes apache2 but not mod_python. Instead I installed mod_python from Blastwave, which in turn automatically installs the Blastwave cswapache2 package below /opt/csw/apache2.

pkg-get install ap2_modpython

We will want to run trac under apache2 using a dedicated account:

groupadd -g 202 trac
useradd -g trac -u 202 -d /var/opt/csw/trac trac
chown -R trac:trac /var/opt/csw/trac

Modified /opt/csw/apache2/etc/httpd.conf

User trac
Group trac
…
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
…

   SetHandler mod_python
   PythonInterpreter main_interpreter
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /var/opt/csw/trac

Created a self-signed certificate for the site:

cd /opt/csw/apache2/etc
PATH=$PATH:/usr/sfw/bin
/usr/sfw/bin/openssl genrsa -out server.key 2048
/usr/sfw/bin/openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/C=US/ST=Florida/O=My Company/CN=trac.mydomain.com"

Modified /opt/csw/apache2/etc/extra/httpd-ssl.conf

ServerName trac.mydomain.com
…

   SetHandler mod_python
   PythonInterpreter main_interpreter
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /var/opt/csw/trac

To start Blastwave Apache2 using SMF on Solaris:

svccfg -s cswapache2 setprop httpd/ssl=true
svccfg -s cswapache2 listprop

svcadm enable cswapache2

To check status

svcs cswapache2
svcs –xv