Differences between revisions 12 and 13

This page does not meet our wiki style guidelines. Please help improve this page by cleaning up its formatting.

Note:

This page appears to contain material that is no longer relevant. Please help improve this page by updating its content.

Configure Nginx

This page explains Nginx web server specific configuration for publishing repositories with the hgweb and reverse-proxy methods.

Contents

Configure Nginx
1. hgweb (with uwsgi)
2. Reverse proxy

hgweb (with uwsgi)

This example shows how to serve a set of mercurial repositories hosted on the subdirectory /hg of a server named mygoodserver.org

Repositories are located at /var/www/hg/repos

uwsgi configuration

For this example, uwsgi configuration directory is /etc/uwsgi/. You'll have to add this sample configuration file in apps-available subirectory and symlink it from apps-enable subdirectory. Make sure you start uwgsi service later.

/etc/uwsgi/apps-available/hgweb.ini

[uwsgi]
processes = 2
socket = /run/uwsgi/app/hgweb/socket
chdir = /var/www/hg
wsgi-file = hgweb.wsgi
uid = www-data
gid = www-data

The above configuration file instructs wsgi to launch 2 processes handling the hgweb.wsgi script, located at /var/www/hg directory. The processes communicates is through the socket located at /run/uwsgi/app/hgweb/socket

hgweb configuration

This is an subtly modified example of the script usually deployed with mercurial (see PublishingRepositories#Getting_the_hgweb_script) hgweb.wsgi

config = "/var/www/hg/hgweb.config"
import os
os.environ["HGENCODING"] = "UTF-8"
import cgitb; cgitb.enable()
from mercurial import demandimport; demandimport.enable()
from mercurial.hgweb import hgweb
application = hgweb(config)

As this script is intended to run from the uwsgi daemon, notice it should be placed at /var/www/hg

The hgweb.wsgi reads a configuration file which can specify a number of things, most importantly repositories local path and some general information. See PublishingRepositories#Configuration_of_hgweb for more details. hgweb.config

[paths]
/ = /var/www/hg/repos/*
[web]
style = gitweb
baseurl = http://mygoodserver.org/hg/
contact = Who knows!
staticurl = /hg/static

nginx configuration (repositories at /hg subdirectory)

As we intend to server repositories from a subdirectory of the server, we need to modify default site configuration. Provided nginx configuration is located at /etc/nginx/ the default site configuration is: /etc/nginx/sites-available/default

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /var/www;
        index index.html index.htm;

        # Make site accessible from http://localhost/
        server_name localhost mygoodserver mygoodserver.org;

        location /hg/ {
                uwsgi_pass unix:/run/uwsgi/app/hgweb/socket;
                include uwsgi_params;
                uwsgi_param SERVER_ADDR $server_addr;
#Note 1
                uwsgi_param REMOTE_USER $remote_user;
#Note 2
                uwsgi_modifier1 30;
                uwsgi_param SCRIPT_NAME /hg;

#Note 3
                limit_except GET HEAD {
                        allow 192.168.10.0/24;
                        allow 127.0.0.1;
                        allow ::1;
                        deny all;
                        auth_basic "Mercurial repository";
                        auth_basic_user_file /var/www/hg/.htpasswd;
                }
        }

        location /hg/static {
                alias /usr/share/mercurial/templates/static/;
                expires 30d;
        }
}

This configuration only includes mercurial repository serving, you may want to add additional web locations or services.

Notes:

$/!\$ REMOTE_USER passes authenticate username to hgweb script. This is required for proper authentication.
$/!\$ The uwsgi_modifier1 30 option sets the uWSGI modifier UWSGI_MODIFIER_MANAGE_PATH_INFO. This per-request modifier instructs the uWSGI server to rewrite the PATH_INFO value removing the SCRIPT_NAME from it. (See also http://uwsgi-docs.readthedocs.org/en/latest/Nginx.html#dynamic-apps)
This section enables push basic authorization for specified ips. See also HgWebDirStepByStep#Configuring_nginx

repository configuration

You can (and probably should) add per-repositories configuration. This configuration is specified in <repository root>/.hg/hgrc. Where <repository root> is /var/www/hg/repos in this example. Relevant section in this configuration file is [web]. You can specify there allowed pushers and/or wether ssl is required:

[web]
allow_push = granteduser
push_ssl = false

You can create a template preconfigured repository which you can clone or copy when you need a new repository. After the copy you can simply rename it

Reverse proxy

This is a solution I found for hosting personal projects. I was already using Nginx, didn't want to mess with (Fast)CGI, but still wanted some basic authentication for pushing. This method allows repositories to be served using hg serve, and then be cloned and accessed via the web interface anonymously, but HTTP authentication is required for pushing.

This method relies on a running "hg serve" instance. The web server is only a reverse proxy, transactions as submitted to running mercurial instance.

The first step is to configure Nginx.

server {
    listen      80;
    server_name <your-server-name>;    # standard stuff
    access_log  /path/to/access/log;
    error_log   /path/to/error/log;

    location / {
        limit_except GET { # do this for all requests but GETS
            auth_basic           "Restricted";
            auth_basic_user_file /path/to/htpasswd/file;
            proxy_pass http://localhost:8000;
        }

    proxy_pass http://localhost:8000; # or wherever hg serve is running
    }
}

Configure htpasswd

cd into the root directory of your repos (i.e. /var/hg/repos), and run htpasswd -c <file-name> <user-name> and supply a password. If you want to give a new user commit rights, simply cd back to that directory and run htpasswd <file-name> <user-name>.

Configure hg

The final step is to configure your repository's hgrc file, located at <repo-name>/.hg/hgrc. The import things in hgrc are to make sure that, in the [web] section, push_ssl is set to false and allow_push is set to *.

Serve

Now run hg serve as normal, and you should be able to access the web interface and clone the repository with no authentication, but to push to the central repository you need to have a user name and password from the htpasswd file.

-  ⇤ ← Revision 12 as of 2014-01-03 21:01:18 → 
  Size: 6158
  Editor: RaulSanchezSiles
  Comment: nginx w/uwsgi as subdirs details.
+   ← Revision 13 as of 2014-01-03 22:34:47 → ⇥
  Size: 6739
  Editor: RaulSanchezSiles
  Comment: Added per-repository setting and minor changes.
-Deletions are marked like this.
+Additions are marked like this.
 Line 109:
-. The ''uwsgi_modifier1 30'' option sets the uWSGI modifier UWSGI_MODIFIER_MANAGE_PATH_INFO. This per-request modifier instructs the uWSGI server to rewrite the PATH_INFO value removing the SCRIPT_NAME from it. (See also http://uwsgi-docs.readthedocs.org/en/latest/Nginx.html#dynamic-apps)
+. /!\ The ''uwsgi_modifier1 30'' option sets the uWSGI modifier UWSGI_MODIFIER_MANAGE_PATH_INFO. This per-request modifier instructs the uWSGI server to rewrite the PATH_INFO value removing the SCRIPT_NAME from it. (See also http://uwsgi-docs.readthedocs.org/en/latest/Nginx.html#dynamic-apps)
 Line 111:
+=== repository configuration ===
You can (and probably should) add per-repositories configuration. This configuration is specified in <repository root>/.hg/hgrc. Where <repository root> is ''/var/www/hg/repos'' in this example.
Relevant section in this configuration file is [web]. You can specify there allowed pushers and/or wether ssl is required:
{{{
[web]
allow_push = granteduser
push_ssl = false
}}}


{i} You can create a template preconfigured repository which you can clone or copy when you need a new repository. After the copy you can simply rename it