Changes between Initial Version and Version 1 of TracStandalone


Ignore:
Timestamp:
Sep 28, 2024, 9:46:32 PM (8 weeks ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracStandalone

    v1 v1  
     1= Tracd
     2
     3Tracd is a lightweight standalone Trac web server.
     4It can be used in a variety of situations, from a test or development server to a multiprocess setup behind another web server used as a load balancer.
     5
     6== Pros
     7
     8 * Fewer dependencies: You don't need to install Apache or any other web-server.
     9 * Fast: Should be almost as fast as the [wiki:TracModWSGI mod_wsgi] version (and much faster than the [wiki:TracCgi CGI]), especially since the HTTP/1.1 version of the protocol is enabled by default.
     10 * Automatic reloading: For development, Tracd can be used in ''auto_reload'' mode, which will automatically restart the server whenever you make a change to the code, for example in Trac itself or in a plugin.
     11
     12== Cons
     13
     14 * Fewer features: Tracd implements a very simple web-server and is not as configurable or as scalable as Apache httpd.
     15
     16== Usage examples
     17
     18A single project on port 8080. (http://localhost:8080/)
     19{{{#!sh
     20 $ tracd -p 8080 /path/to/project
     21}}}
     22Strictly speaking this will make your Trac accessible to everybody from your network rather than ''localhost only''. To truly limit it use the `--hostname` option.
     23{{{#!sh
     24 $ tracd --hostname=localhost -p 8080 /path/to/project
     25}}}
     26With more than one project. (http://localhost:8080/project1/ and http://localhost:8080/project2/)
     27{{{#!sh
     28 $ tracd -p 8080 /path/to/project1 /path/to/project2
     29}}}
     30
     31You can't have the last portion of the path identical between the projects since Trac uses that name to keep the URLs of the different projects unique. So if you use `/project1/path/to` and `/project2/path/to`, you will only see the second project.
     32
     33An alternative way to serve multiple projects is to specify a parent directory in which each subdirectory is a Trac project, using the `-e` option. The example above could be rewritten:
     34{{{#!sh
     35 $ tracd -p 8080 -e /path/to
     36}}}
     37
     38There is support for the HTTPS protocol (//Since 1.3.4//). Specify the path to the PEM certificate file and keyfile using the `--certfile` and `--keyfile` options. You can specify just the `--certfile` option if you have a [https://docs.python.org/2/library/ssl.html#combined-key-and-certificate combined key and certificate].
     39
     40To exit the server on Windows, be sure to use `CTRL-BREAK`. Using `CTRL-C` will leave a Python process running in the background.
     41
     42== Installing as a Windows Service
     43
     44=== Option 1
     45
     46To install as a Windows service, get the [https://www.google.com/search?q=srvany.exe SRVANY] utility and run:
     47{{{#!cmd
     48 C:\path\to\instsrv.exe tracd C:\path\to\srvany.exe
     49 reg add HKLM\SYSTEM\CurrentControlSet\Services\tracd\Parameters /v Application /d "\"C:\path\to\python.exe\" \"C:\path\to\python\scripts\tracd.exe\" <your tracd parameters>"
     50 net start tracd
     51}}}
     52
     53{{{#!div style="border: 1pt dotted; margin: 1em;"
     54**Attention:** Do not use `tracd.exe` directly. Instead register `python.exe` directly with `tracd.exe` as a parameter. If you use `tracd.exe`, it will spawn the Python process without SRVANY's knowledge. This Python process will survive a `net stop tracd`.
     55}}}
     56
     57If you want tracd to start automatically when you boot Windows, do:
     58{{{#!cmd
     59 sc config tracd start= auto
     60}}}
     61
     62The spacing here is important.
     63
     64{{{#!div
     65Once the service is installed, it might be simpler to run the Registry Editor rather than use the `reg add` command documented above.  Navigate to:[[BR]]
     66`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tracd\Parameters`
     67
     68Three (string) parameters are provided:
     69||!AppDirectory ||C:\Python27\ ||
     70||Application ||python.exe ||
     71||!AppParameters ||scripts\tracd.exe -p 8080 ... ||
     72
     73Note that, if the !AppDirectory is set as above, the paths of the executable ''and'' of the script name and parameter values are relative to the directory. This makes updating Python a little simpler because the change can be limited, here, to a single point.
     74This is true for the path to the .htpasswd file as well, despite the documentation calling out the /full/path/to/htpasswd; however, you may not wish to store that file under the Python directory.
     75}}}
     76
     77For Windows 7 User, srvany.exe may not be an option, so you can use [https://www.google.com/search?q=winserv.exe WINSERV] utility and run:
     78{{{#!cmd
     79"C:\path\to\winserv.exe" install tracd -displayname "tracd" -start auto "C:\path\to\python.exe" c:\path\to\python\scripts\tracd.exe <your tracd parameters>"
     80net start tracd
     81}}}
     82
     83=== Option 2
     84
     85Use [https://trac-hacks.org/wiki/WindowsServiceScript WindowsServiceScript], available at [https://trac-hacks.org/ Trac Hacks]. Installs, removes, starts, stops, etc. your Trac service.
     86
     87=== Option 3
     88
     89also cygwin's cygrunsrv.exe can be used:
     90{{{#!sh
     91$ cygrunsrv --install tracd --path /cygdrive/c/Python27/Scripts/tracd.exe --args '--port 8000 --env-parent-dir E:\IssueTrackers\Trac\Projects'
     92$ net start tracd
     93}}}
     94
     95== Using Authentication
     96
     97Tracd allows you to run Trac without the need for Apache, but you can take advantage of Apache's password tools (`htpasswd` and `htdigest`) to easily create a password file in the proper format for tracd to use in authentication. It is also possible to create the password file without `htpasswd` or `htdigest`; see below for alternatives.
     98
     99{{{#!div style="border: 1pt dotted; margin: 1em"
     100**Attention:** Make sure you place the generated password files on a filesystem which supports sub-second timestamps, as Trac will monitor their modified time and changes happening on a filesystem with too coarse-grained timestamp resolution (like `ext2` or `ext3` on Linux, or HFS+ on OSX).
     101}}}
     102
     103Tracd provides support for both Basic and Digest authentication. Digest is considered more secure. The examples below use Digest; to use Basic authentication, replace `--auth` with `--basic-auth` in the command line.
     104
     105The general format for using authentication is:
     106{{{#!sh
     107 $ tracd -p port --auth="base_project_dir,password_file_path,realm" project_path
     108}}}
     109where:
     110 * '''base_project_dir''': the base directory of the project specified as follows:
     111   * when serving multiple projects: ''relative'' to the `project_path`
     112   * when serving only a single project (`-s`): the name of the project directory
     113 Don't use an absolute path here as this won't work. ''Note:'' This parameter is case-sensitive even for environments on Windows.
     114 * '''password_file_path''': path to the password file
     115 * '''realm''': the realm name (can be anything)
     116 * '''project_path''': path of the project
     117
     118 * **`--auth`** in the above means use Digest authentication, replace `--auth` with `--basic-auth` if you want to use Basic auth.  Although Basic authentication does not require a "realm", the command parser does, so the second comma is required, followed directly by the closing quote for an empty realm name.
     119
     120Examples:
     121
     122{{{#!sh
     123 $ tracd -p 8080 \
     124   --auth="project1,/path/to/passwordfile,mycompany.com" /path/to/project1
     125}}}
     126
     127Of course, the password file can be be shared so that it is used for more than one project:
     128{{{#!sh
     129 $ tracd -p 8080 \
     130   --auth="project1,/path/to/passwordfile,mycompany.com" \
     131   --auth="project2,/path/to/passwordfile,mycompany.com" \
     132   /path/to/project1 /path/to/project2
     133}}}
     134
     135Another way to share the password file is to specify "*" for the project name:
     136{{{#!sh
     137 $ tracd -p 8080 \
     138   --auth="*,/path/to/users.htdigest,mycompany.com" \
     139   /path/to/project1 /path/to/project2
     140}}}
     141
     142=== Basic Authorization: Using a htpasswd password file
     143
     144This section describes how to use `tracd` with Apache .htpasswd files.
     145
     146'''Note''': On Windows It is necessary to install the [https://pypi.python.org/pypi/passlib passlib] package in order to decode some htpasswd formats. Only `SHA-1` passwords (since Trac 1.0) work without this module.
     147
     148To create a .htpasswd file use Apache's `htpasswd` command (see [#GeneratingPasswordsWithoutApache below] for a method to create these files without using Apache):
     149{{{#!sh
     150 $ sudo htpasswd -c /path/to/env/.htpasswd username
     151}}}
     152then for additional users:
     153{{{#!sh
     154 $ sudo htpasswd /path/to/env/.htpasswd username2
     155}}}
     156
     157Then to start `tracd` run something like this:
     158{{{#!sh
     159 $ tracd -p 8080 --basic-auth="project,/fullpath/environmentname/.htpasswd,realmname" /path/to/project
     160}}}
     161
     162For example:
     163{{{#!sh
     164 $ tracd -p 8080 --basic-auth="project,/srv/tracenv/testenv/.htpasswd,My Test Env" /path/to/project
     165}}}
     166
     167'''Note:''' You might need to pass "-m" as a parameter to htpasswd on some platforms (OpenBSD).
     168
     169=== Digest authentication: Using a htdigest password file
     170
     171If you have Apache available, you can use the htdigest command to generate the password file. Type 'htdigest' to get some usage instructions, or read [https://httpd.apache.org/docs/2.0/programs/htdigest.html this page] from the Apache manual to get precise instructions.  You'll be prompted for a password to enter for each user that you create.  For the name of the password file, you can use whatever you like, but if you use something like `users.htdigest` it will remind you what the file contains. As a suggestion, put it in your <projectname>/conf folder along with the [TracIni trac.ini] file.
     172
     173Note that you can start tracd without the `--auth` argument, but if you click on the ''Login'' link you will get an error.
     174
     175=== Generating Passwords Without Apache
     176
     177Basic Authorization can be accomplished via this [http://aspirine.org/htpasswd_en.html online HTTP Password generator] which also supports `SHA-1`.  Copy the generated password-hash line to the .htpasswd file on your system. Note that Windows Python lacks the "crypt" module that is the default hash type for htpasswd. Windows Python can grok MD5 password hashes just fine and you should use MD5.
     178
     179Trac also provides `htpasswd` and `htdigest` scripts in [https://trac.edgewall.org/browser/trunk/contrib contrib] (also available in the tar or zip archive):
     180{{{#!sh
     181$ ./contrib/htpasswd.py -cb htpasswd user1 user1
     182$ ./contrib/htpasswd.py -b htpasswd user2 user2
     183}}}
     184
     185{{{#!sh
     186$ ./contrib/htdigest.py -cb htdigest trac user1 user1
     187$ ./contrib/htdigest.py -b htdigest trac user2 user2
     188}}}
     189
     190==== Using `md5sum`
     191
     192It is possible to use `md5sum` utility to generate digest-password file:
     193{{{#!sh
     194user=
     195realm=
     196password=
     197path_to_file=
     198echo ${user}:${realm}:$(printf "${user}:${realm}:${password}" | md5sum - | sed -e 's/\s\+-//') > ${path_to_file}
     199}}}
     200
     201== Reference
     202
     203Here's the online help, as a reminder (`tracd -h` or `tracd --help`):
     204{{{
     205usage: tracd [-h] [--version] [-e PARENTDIR | -s]
     206             [-a DIGESTAUTH | --basic-auth BASICAUTH] [-p PORT] [-b HOSTNAME]
     207             [--protocol {http,https,scgi,ajp,fcgi}] [--certfile CERTFILE]
     208             [--keyfile KEYFILE] [-q] [--base-path BASE_PATH]
     209             [--http10 | --http11] [-r | -d] [--pidfile PIDFILE] [--umask MASK]
     210             [--group GROUP] [--user USER]
     211             [envs ...]
     212
     213positional arguments:
     214  envs                  path of the project environment(s)
     215
     216options:
     217  -h, --help            show this help message and exit
     218  --version             show program's version number and exit
     219  -e PARENTDIR, --env-parent-dir PARENTDIR
     220                        parent directory of the project environments
     221  -s, --single-env      only serve a single project without the project list
     222  -a DIGESTAUTH, --auth DIGESTAUTH
     223                        [projectdir],[htdigest_file],[realm]
     224  --basic-auth BASICAUTH
     225                        [projectdir],[htpasswd_file],[realm]
     226  -p PORT, --port PORT  the port number to bind to
     227  -b HOSTNAME, --hostname HOSTNAME
     228                        the host name or IP address to bind to
     229  --protocol {http,https,scgi,ajp,fcgi}
     230                        the server protocol (default: http)
     231  --certfile CERTFILE   PEM certificate file for HTTPS
     232  --keyfile KEYFILE     PEM key file for HTTPS
     233  -q, --unquote         unquote PATH_INFO (may be needed when using the ajp
     234                        protocol)
     235  --base-path BASE_PATH
     236                        the initial portion of the request URL's "path"
     237  --http10              use HTTP/1.0 protocol instead of HTTP/1.1
     238  --http11              use HTTP/1.1 protocol (default)
     239  -r, --auto-reload     restart automatically when sources are modified
     240  -d, --daemonize       run in the background as a daemon
     241  --pidfile PIDFILE     file to write pid when daemonizing
     242  --umask MASK          when daemonizing, file mode creation mask to use, in
     243                        octal notation (default: 022)
     244  --group GROUP         the group to run as
     245  --user USER           the user to run as
     246}}}
     247
     248Use the -d option so that tracd doesn't hang if you close the terminal window where tracd was started.
     249
     250== Tips
     251
     252=== Serving static content
     253
     254If `tracd` is the only web server used for the project, it can also be used to distribute static content, such as tarballs, Doxygen documentation, etc.
     255
     256This static content should be put in the `$TRAC_ENV/htdocs` folder, and is accessed by URLs like `<project_URL>/chrome/site/...`.
     257
     258Example: given a `$TRAC_ENV/htdocs/software-0.1.tar.gz` file, the corresponding relative URL would be `/<project_name>/chrome/site/software-0.1.tar.gz`, which in turn can be written as `htdocs:software-0.1.tar.gz` (TracLinks syntax) or `[/<project_name>/chrome/site/software-0.1.tar.gz]` (relative link syntax).
     259
     260=== Using tracd behind a proxy
     261
     262In some situations when you choose to use tracd behind Apache or another web server.
     263
     264In this situation, you might experience issues with redirects, like being redirected to URLs with the wrong host or protocol. In this case (and only in this case), setting the `[trac] use_base_url_for_redirect` to `true` can help, as this will force Trac to use the value of `[trac] base_url` for doing the redirects.
     265
     266If you're using the AJP protocol to connect with `tracd` (which is possible if you have flup installed), then you might experience problems with double quoting. Consider adding the `--unquote` parameter.
     267
     268See also [trac:TracOnWindowsIisAjp], [trac:TracNginxRecipe].
     269
     270=== Authentication for tracd behind a proxy
     271
     272It is convenient to provide central external authentication to your tracd instances, instead of using `--basic-auth`. See also [trac:#9206].
     273
     274Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap.
     275
     276First we bring tracd into Apache's location namespace.
     277
     278{{{#!apache
     279<Location /project/proxified>
     280        Require ldap-group cn=somegroup, ou=Groups,dc=domain.com
     281        Require ldap-user somespecificusertoo
     282        ProxyPass http://localhost:8101/project/proxified/
     283        # Turns out we don't really need complicated RewriteRules here at all
     284        RequestHeader set REMOTE_USER %{REMOTE_USER}s
     285</Location>
     286}}}
     287
     288Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory:
     289{{{#!python
     290from trac.core import *
     291from trac.config import BoolOption
     292from trac.web.api import IAuthenticator
     293
     294class MyRemoteUserAuthenticator(Component):
     295
     296    implements(IAuthenticator)
     297
     298    obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false',
     299               """Whether the 'Remote-User:' HTTP header is to be trusted for user logins
     300                (''since ??.??').""")
     301
     302    def authenticate(self, req):
     303        if self.obey_remote_user_header and req.get_header('Remote-User'):
     304            return req.get_header('Remote-User')
     305        return None
     306
     307}}}
     308
     309Add this new parameter to your TracIni:
     310{{{#!ini
     311[trac]
     312...
     313obey_remote_user_header = true
     314...
     315}}}
     316
     317Run tracd:
     318{{{#!sh
     319tracd -p 8101 -s proxified --base-path=/project/proxified
     320}}}
     321
     322Note that if you want to install this plugin for all projects, you have to put it in your [TracPlugins#Plugindiscovery global plugins_directory] and enable it in your global `trac.ini`.
     323
     324Global config (e.g. `/srv/trac/conf/trac.ini`):
     325{{{#!ini
     326[components]
     327remote-user-auth.* = enabled
     328[inherit]
     329plugins_dir = /srv/trac/plugins
     330[trac]
     331obey_remote_user_header = true
     332}}}
     333
     334Environment config (e.g. `/srv/trac/envs/myenv`):
     335{{{#!ini
     336[inherit]
     337file = /srv/trac/conf/trac.ini
     338}}}
     339
     340=== Serving a different base path than /
     341
     342Tracd supports serving projects with different base urls than /<project>. The parameter name to change this is:
     343{{{#!sh
     344 $ tracd --base-path=/some/path
     345}}}
     346
     347----
     348See also: TracInstall, TracCgi, TracModPython, TracGuide, [trac:TracOnWindowsStandalone#RunningTracdasservice Running tracd.exe as a Windows service]