Trac on Solaris using Apache mod_python and https

  • by Piers C

    • If Trac is being used by a distributed team over the internet we want to remove all privileges from unauthenticated users:

    for perm in BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW 
REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE TICKET_MODIFY TICKET_VIEW 
TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW
do
  trac-admin $tracenv permission remove anonymous $perm
  trac-admin $tracenv permission add authenticated $perm
done

    We also want to encrypt traffic to the site. To do this I tried stunnel…

    /opt/csw/bin/pkg-get -i stunnel

    …and placed the following in /opt/csw/etc/stunnel/stunnel.conf

     [https]
accept  = 443
connect = 8000

    I also commented out the chroot setup. Once configured all that is required is to run

    cd /opt/csw/etc/stunnel 
/opt/csw/bin/stunnel

    …and change /var/opt/csw/trac/conf/trac.ini

     [trac]
authz_file =
authz_module_name =
base_url = https://trac.mydomain.com

    The bad news is that Trac 0.10.4 does not consistently use base_url, so creating a ticket, for example, redirects the user to an http page.

    PATH=/opt/csw/bin:$PATH
tracenv=/var/opt/csw/trac
HTTPS=1; export HTTPS
nohup tracd --port 8000 $tracenv &

    To resolve this issue I decided to move from tracd/stunnel to Apache2/mod_python. The default Solaris 10 distribution includes apache2 but not mod_python. Instead I installed mod_python from Blastwave, which in turn automatically installs the Blastwave cswapache2 package below /opt/csw/apache2.

    pkg-get install ap2_modpython

    We will want to run trac under apache2 using a dedicated account:

    groupadd -g 202 trac
useradd -g trac -u 202 -d /var/opt/csw/trac trac
chown -R trac:trac /var/opt/csw/trac

    Modified /opt/csw/apache2/etc/httpd.conf

    User trac
Group trac
…
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
…

   SetHandler mod_python
   PythonInterpreter main_interpreter
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /var/opt/csw/trac

    Created a self-signed certificate for the site:

    cd /opt/csw/apache2/etc
PATH=$PATH:/usr/sfw/bin
/usr/sfw/bin/openssl genrsa -out server.key 2048
/usr/sfw/bin/openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/C=US/ST=Florida/O=My Company/CN=trac.mydomain.com"

    Modified /opt/csw/apache2/etc/extra/httpd-ssl.conf

    ServerName trac.mydomain.com
…

   SetHandler mod_python
   PythonInterpreter main_interpreter
   PythonHandler trac.web.modpython_frontend
   PythonOption TracEnv /var/opt/csw/trac

    To start Blastwave Apache2 using SMF on Solaris:

    svccfg -s cswapache2 setprop httpd/ssl=true
svccfg -s cswapache2 listprop

svcadm enable cswapache2

    To check status

    svcs cswapache2
svcs –xv

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Scroll to top