Notes about setting up a Moin-1.5.3 Wiki Farm on SL4 with these features:
* Apache/SSL
* mod_python
* multiple wikis
[[TableOfContents]]
== install Apache with SSL support ==
{{{
rm -rf /etc/httpd
yum -y install httpd system-config-httpd mod_python mod_ssl mod_auth_kerb
/sbin/service httpd start
}}}
Check that http and https work. A dummy certificate is created automatically
during mod_ssl installation.
== TODO ==
* htdocs/index.html should be adapted
* apache config to redirect everything to http
* share the underlay directories
* farmconfig? or stay with one mod_python instance per wiki (safer?)
== moin basic installation (single wiki, CGI) ==
{{{
cd /tmp
tar xvfz moin-1.5.3.tar.gz
cd moin-1.5.3
python setup.py --quiet install --prefix=/usr1/moin --record=/tmp/moin.inst.log
}}}
Create a Wiki instance:
{{{
cd /usr1/moin/share/moin
mkdir testwiki
cp -a data underlay testwiki
mkdir testwiki/cgi-bin
cp server/moin.cgi testwiki/cgi-bin
cp config/wikiconfig.py testwiki
chown -R apache:apache testwiki
chmod -R ug+rwX testwiki
chmod -R o-rwx testwiki
}}}
Deal with SELinux:
{{{
chcon -R system_u:object_r:httpd_sys_content_t /usr1/moin
chcon -R system_u:object_r:httpd_sys_script_exec_t testwiki/cgi-bin
chcon system_u:object_r:httpd_sys_content_t /usr1
}}}
The last one is important, or apache cannot access the wiki.
* => better have a separate filesystem under / for that
These lines are needed in testwiki/cgi-bin/moin.cgi:
{{{
sys.path.insert(0, '/usr1/moin/share/moin/testwiki')
sys.path.insert(0, '/usr1/moin/lib/python2.3/site-packages')
}}}
Edit wikiconfig.py:
{{{
sitename = u'Test Wiki'
page_front_page = u"TestWiki"
data_dir = '/usr1/moin/share/moin/testwiki/data/'
data_underlay_dir = '/usr1/moin/share/moin/testwiki/underlay/'
}}}
The default of './data' for data_dir and './underlay' for data_underlay_dir doesn't work.
The paths are relative to the cgi executable, hence would need to be '../data' etc.
Create /etc/httpd/conf.d/moin.conf:
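{{{
Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>
ScriptAlias /testwiki "/usr1/moin/share/moin/testwiki/cgi-bin/moin.cgi"
<Directory "/usr1/moin/share/moin/testwiki/cgi-bin">
   Order deny,allow
   Allow from all
</Directory>
}}}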
== mod_python ==
Simply change the Apache config to this:
{{{
Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>
<Location /testwiki>
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter testwiki
</Location>
}}}
So instead of the ScriptAlias we define a Location and have it handled by mod_python.
The PythonInterpreter directive is not needed if just a single wiki is set up, but it's crucial if multiple wikis are used.
== add another Wiki ==
Simply create another directory:
{{{
cd /usr1/moin/share/moin
mkdir DVInfo
cp -a data underlay DVInfo
cp testwiki/wikiconfig.py DVInfo
chown -R apache:apache DVInfo
chmod -R ug+rwX DVInfo
chmod -R o-rwx DVInfo
}}}
The SELinux context should be correct without having to chcon. Now make the
obvious changes in DVInfo/wikiconfig.py and create the Apache configuration for the wiki
in /etc/httpd/conf.d/moin-DVInfo.conf:
{{{
# URL path /DVInfo is assumed here, by analogy with /testwiki
<Location /DVInfo>
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter DVInfo
</Location>
}}}
Don't forget the last directive, or the subinterpreters for the wikis will share a single namespace. This doesn't work well...
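A check for the mistake described above, as an added example (not part of the original notes or of MoinMoin): it scans Apache configuration text for mod_python Location blocks and reports any that lack a PythonInterpreter or reuse another wiki's. The sample configuration is constructed, and the /DVInfo URL path in it is an assumption.

```python
import re

# Constructed sample: two wiki blocks as they might appear in /etc/httpd/conf.d/;
# the second one is missing its PythonInterpreter line. /DVInfo is an assumed path.
SAMPLE_CONF = '''
<Location /testwiki>
    SetHandler python-program
    PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter testwiki
</Location>
<Location /DVInfo>
    SetHandler python-program
    PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
</Location>
'''

BLOCK_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)
# Anchored at line start, so commented-out directives are ignored.
HANDLER_RE = re.compile(r'^\s*PythonHandler\s+\S+', re.M | re.I)
INTERP_RE = re.compile(r'^\s*PythonInterpreter\s+(\S+)', re.M | re.I)

def check_interpreters(conf_text):
    """Return problems found in mod_python Location blocks (empty list if none)."""
    problems, seen = [], {}
    for path, body in BLOCK_RE.findall(conf_text):
        if not HANDLER_RE.search(body):
            continue  # not handled by mod_python, nothing to check
        match = INTERP_RE.search(body)
        if match is None:
            problems.append("%s: no PythonInterpreter" % path)
        elif match.group(1) in seen:
            problems.append("%s: interpreter '%s' shared with %s"
                            % (path, match.group(1), seen[match.group(1)]))
        else:
            seen[match.group(1)] = path
    return problems

if __name__ == "__main__":
    for problem in check_interpreters(SAMPLE_CONF):
        print(problem)
```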
== Security: Force SSL ==
Add to Apache config (in global context):
{{{
RewriteEngine on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
}}}
== Secure Wiki using Kerberos5 and automatic user creation ==
Make wikiconfig.py start like this:
{{{#!python
from MoinMoin.multiconfig import DefaultConfig
from MoinMoin.auth import http, moin_cookie

class Config(DefaultConfig):
    auth = [http, moin_cookie]
    user_autocreate = True
}}}
Lines 1 and 4 are there by default. Lines 2,5,6 need to be added.
Add to Apache config:
{{{
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms IFH.DE
KrbVerifyKDC Off
#Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
}}}
* only works if /etc/krb5.conf is MIT-compatible
  * and maybe we could ''finally'' roll one out that is ?!
* for production, one should of course:
  * get a keytab file for HTTP/host.ifh.de and configure it
  * KrbVerifyKDC ''On''
  * then also negotiate should work (krb w/o password from browsers)
Now Krb5 Authentication happens before this Wiki can be accessed. And MoinMoin
will automatically create a user profile! The username is the Kerberos
Principal (''user''@IFH.DE), which is ugly! However, with a very tiny patch
{{{
--- MoinMoin/auth.py.orig 2006-06-05 15:54:55.000000000 +0200
+++ MoinMoin/auth.py 2006-06-05 15:55:13.000000000 +0200
@@ -183,6 +183,7 @@
auth_type = env.get('AUTH_TYPE','')
if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate',]:
username = env.get('REMOTE_USER','')
+ username = username.split('@')[0]
if auth_type in ('NTLM', 'Negotiate',):
# converting to standard case so the user can even enter wrong case
# (added since windows does not distinguish between e.g.
}}}
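Review bot: the added `username = username.split('@')[0]` drops the realm without checking it, and because it sits above the `if auth_type in ('NTLM', 'Negotiate',):` branch it applies to Basic, Digest, NTLM and Negotiate alike. Two principals that differ only in realm would resolve to the same wiki user name, which matters once profiles are created automatically from REMOTE_USER. Suggest stripping only when the part after '@' equals the expected realm and leaving the name unchanged (or refusing it) otherwise; a short comment on the new line explaining why the realm is dropped would also help.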
it works acceptably. An alias can be set in the User Preferences, which will be shown
e.g. in the Recent Changes. And one could create a second homepage which just includes
the first one, e.g. Stephan``Wiesand would look like this:
{{{
[[Include(wiesand)]]
}}}
Obviously, instead of stripping the realm, one could
* replace it with @DESY.DE
* fetch information from VAMOS or the registry and construct a WikiName
  * this runs for EVERY request, hence the result should be cached persistently
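One way to do the mapping with a persistent cache, as an added example (not MoinMoin code and not part of the original notes): the realm is stripped only if it is the expected one, and the slow lookup runs once per principal. `lookup_wikiname` is a hypothetical stand-in for a VAMOS or registry query, its data is constructed, and the alphanumeric-only rule for local names is an assumption.

```python
import os
import shelve
import tempfile

ALLOWED_REALM = "IFH.DE"  # the realm configured with KrbAuthRealms on this page

def lookup_wikiname(local):
    """Hypothetical stand-in for a VAMOS/registry query; None if unknown."""
    directory = {"wiesand": "StephanWiesand"}  # constructed sample data
    return directory.get(local)

def wiki_username(remote_user, cache_path, lookup=lookup_wikiname):
    """Map a Kerberos principal to a wiki user name, or None to refuse it."""
    local, sep, realm = remote_user.partition("@")
    # Strip only the expected realm, so user@OTHER.REALM never becomes "user".
    # isalnum() (an assumption) also rejects service principals like HTTP/host.
    if not sep or realm != ALLOWED_REALM or not local.isalnum():
        return None
    cache = shelve.open(cache_path)
    try:
        if local not in cache:
            # Slow path, taken once per principal; fall back to the bare name.
            cache[local] = lookup(local) or local
        return cache[local]
    finally:
        cache.close()

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "wikinames")
    for principal in ("wiesand@IFH.DE", "wiesand@OTHER.REALM", "HTTP/host@IFH.DE"):
        print(principal, "->", wiki_username(principal, path))
```

`shelve` does not support concurrent writers, so with several Apache processes the cache needs a lock or a store such as SQLite.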