3842
Comment: Removing HgWeb wiki words.
|
6508
sections positions fix
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
## page was renamed from HgWebInIISOnWindows ## page was renamed from HgWebOnWindows |
|
Line 3: | Line 5: |
= Installing HgWeb on Windows = == Creating the Hg``Web Website == |
= Configuring HgWeb in IIS on Windows = |
Line 10: | Line 10: |
== Creating the HgWeb Website == |
|
Line 31: | Line 34: |
C:\Windows\system32\inetsrv\appcmd set config /section:isapiCgiRestriction /+"[path='C:\Python26\python.exe -u %22%s%22',description='Python',allowed='True']" | > C:\Windows\system32\inetsrv\appcmd set config /section:isapiCgiRestriction /+"[path='C:\Python26\python.exe -u %22%s%22',description='Python',allowed='True']" |
Line 54: | Line 57: |
config = "HGWEB_ROOT\hgweb.config | config = "HGWEB_ROOT\hgweb.config" |
Line 84: | Line 87: |
== Authenticating Against Active Directory == Add the following to your Hg``Web's web.config, in the {{{/configuration/system.webServer/security/authentication}}} section: {{{#!xml <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <authentication> <basicAuthentication enabled="true" realm="YOUR_DOMAIN" defaultLogonDomain="YOUR_DOMAIN" /> <anonymousAuthentication enabled="true" /> </authentication> </security> </system.webServer> </configuration> }}} Replace {{{YOUR_DOMAIN}}} with the name of your Windows domain. Anonymous authentication is enabled so you can support unrestricted repositories (e.g. {{{allow_push=*}}}). You'll need to unlock the basic authentication configuration section so it can be configured in your web.config: {{{#!bat > C:\Windows\system32\inetsrv\appcmd unlock config /section:basicAuthentication }}} You can test that authentication is working by adding an {{{allow_push}}} setting to the repository's .hg\hgrc file '''on the server''': {{{#!ini allow_push = USERNAME }}} Commit a change an attempt a push. You should see a sequence like this: {{{#!bash > hg push pushing to https://localhost:4301/cm searching for changes http authorization required realm: YOUR_DOMAIN user: USERNAME password: }}} '''''Remember that basic authentication sends usernames and passwords over the network in the clear. Anyone on the network will be able to read the user's credentials. We strongly recommend securing connections with SSL.''''' Generating an SSL certificate and assigning it to your Hg``Web website is beyond the scope of this article. == File System Permissions == IIS starts CGI processes as the user being authenticated. For un-authenticated, anonymous users/requests, the CGI process is started as the website's application pool identity. For authenticated users/requests, the CGI process is started as the authenticated user. Make sure you set proper NTFS permissions on your server-side repositories. Anybody who needs read-only access should have '''Read & execute''', '''List folder contents''', and '''Read ''' permissions. Anybody who needs read/write access should have '''Modify''', '''Read & execute''', '''List folder contents''', '''Read''', and '''Write''' NTFS permissions. We recommend creating groups for each set of users for each repository, and grant the appropriate NTFS permissions to those groups. To grant someone permission, add them to the appropriate group. |
Configuring HgWeb in IIS on Windows
This page describes how to get HgWeb running on Windows Vista/2008 and 7/2008 R2.
Contents
1. Creating the HgWeb Website
Install Python 2.6. By default, this installs to C:\Python26. On this page, the Python installation folder is referred to as PYTHON_HOME.
Create an HgWeb website in IIS. We'll call the path to this website's root directory HGWEB_ROOT.
Create a web.config file in HGWEB_ROOT. Edit it to look like this:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <handlers> <add name="Python" path="*.cgi" verb="*" modules="CgiModule" scriptProcessor="PYTHON_HOME\python.exe -u "%s"" resourceType="Unspecified" requireAccess="Script" /> </handlers> </system.webServer> </configuration>
You'll then need to enable the Python module. From a command prompt, run:
> C:\Windows\system32\inetsrv\appcmd set config /section:isapiCgiRestriction /+"[path='C:\Python26\python.exe -u %22%s%22',description='Python',allowed='True']"
You should have everything configured to start running CGI scripts through Python. To test that it's working, create a test.cgi file in HGWEB_ROOT:
Save the file. Hit the test.cgi file in your web browser. If you see It Works!, you've got the Python CGI handler installed correctly.
Create an empty file named hgweb.config in your HgWeb root directory. This is where the HgWeb configuration goes once everything is working.
Download and run the Mercurial Python module installer (it's the one whose description says "use this for running hgweb"). After installation, you should see mercurial and hgext directories in your PYTHON_HOME\Lib\site-packages directory. If you don't see those directories, you chose the wrong installer.
Download the hgweb.cgi script for your version of Mercurial. Browse the Mercurial source code. Click the the tag for your version, click Browse in the navigation menu, click the hgweb.cgi script, then right-click Raw from the navigation menu, choose Save As... and save the file into your HgWeb directory.
Open hgweb.cgi and change the value of the config variable to point to the hgweb.config file you created earlier:
1 config = "HGWEB_ROOT\hgweb.config"
Hit the hgweb.cgi script in your web browse and you should see the HgWeb interface.
2. Configuring URL Rewrite Rules
Now, we need to create some URL rewrite rules so that URLs to your repositories don't have hgweb.cgi in them.
First, you'll need to download and install version 2 of the Url Rewrite Module.
Once that is finished, edit the HGWEB_ROOT\web.config file and add the following <rewrite> section under <system.webServer>:
<system.webServer> <rewrite> <rules> <rule name="rewrite to hgwebdir" patternSyntax="Wildcard"> <match url="*" /> <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" /> </conditions> <action type="Rewrite" url="hgweb.cgi/{R:1}" /> </rule> </rules> </rewrite> </system.webServer>
You should now be able to hit your website without hgweb.cgi in the URL and see the HgWeb UI.
3. Authenticating Against Active Directory
Add the following to your HgWeb's web.config, in the /configuration/system.webServer/security/authentication section:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <authentication> <basicAuthentication enabled="true" realm="YOUR_DOMAIN" defaultLogonDomain="YOUR_DOMAIN" /> <anonymousAuthentication enabled="true" /> </authentication> </security> </system.webServer> </configuration>
Replace YOUR_DOMAIN with the name of your Windows domain. Anonymous authentication is enabled so you can support unrestricted repositories (e.g. allow_push=*).
You'll need to unlock the basic authentication configuration section so it can be configured in your web.config:
> C:\Windows\system32\inetsrv\appcmd unlock config /section:basicAuthentication
You can test that authentication is working by adding an allow_push setting to the repository's .hg\hgrc file on the server:
allow_push = USERNAME
Commit a change an attempt a push. You should see a sequence like this:
> hg push pushing to https://localhost:4301/cm searching for changes http authorization required realm: YOUR_DOMAIN user: USERNAME password:
Remember that basic authentication sends usernames and passwords over the network in the clear. Anyone on the network will be able to read the user's credentials. We strongly recommend securing connections with SSL. Generating an SSL certificate and assigning it to your HgWeb website is beyond the scope of this article.
4. File System Permissions
IIS starts CGI processes as the user being authenticated. For un-authenticated, anonymous users/requests, the CGI process is started as the website's application pool identity. For authenticated users/requests, the CGI process is started as the authenticated user. Make sure you set proper NTFS permissions on your server-side repositories. Anybody who needs read-only access should have Read & execute, List folder contents, and Read permissions. Anybody who needs read/write access should have Modify, Read & execute, List folder contents, Read, and Write NTFS permissions. We recommend creating groups for each set of users for each repository, and grant the appropriate NTFS permissions to those groups. To grant someone permission, add them to the appropriate group.