If Trac is being used by a distributed team over the internet we want to remove all privileges from unauthenticated users:
for perm in BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE TICKET_MODIFY TICKET_VIEW TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW
do
    trac-admin $tracenv permission remove anonymous $perm
    trac-admin $tracenv permission add authenticated $perm
done
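The loop above only touches the actions it names, so an anonymous grant that is not in that list (or one added later) would survive it. The following is an added check, not part of the original post: it reads the output of `trac-admin $tracenv permission list` and reports any action still granted to anonymous. The two-column "User Action" listing with a dashed separator is an assumed format; adjust the awk filter if your trac-admin prints something different.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that the
# permission-migration loop left nothing granted to "anonymous".
# Input: output of "trac-admin $tracenv permission list" on stdin.
# Assumed layout: a "User  Action" header, a dashed separator line,
# then one "<user> <ACTION>" pair per line.

# Print every action still granted to anonymous, one per line, sorted.
anon_perms() {
    awk '$1 == "anonymous" { print $2 }' | sort -u
}

# Return 0 if anonymous holds no permissions, 1 otherwise
# (the remaining grants are listed on stderr).
check_anon_locked_down() {
    left=$(anon_perms)
    if [ -n "$left" ]; then
        echo "anonymous still has: $left" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing so the script runs stand-alone; on the
# real host pipe the live listing instead:
#   trac-admin /var/opt/csw/trac permission list | check_anon_locked_down
sample_listing() {
    cat <<'EOF'
User          Action
---------------------------
anonymous     WIKI_VIEW
authenticated BROWSER_VIEW
authenticated TICKET_CREATE
anonymous     TIMELINE_VIEW
EOF
}

sample_listing | check_anon_locked_down || echo "lockdown incomplete"
```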
We also want to encrypt traffic to the site. To do this I tried stunnel…
/opt/csw/bin/pkg-get -i stunnel
…and placed the following in /opt/csw/etc/stunnel/stunnel.conf
[https]
accept = 443
connect = 8000
I also commented out the chroot setup. Once configured all that is required is to run
cd /opt/csw/etc/stunnel
/opt/csw/bin/stunnel
…and change /var/opt/csw/trac/conf/trac.ini
[trac]
authz_file =
authz_module_name =
base_url = https://trac.mydomain.com
The bad news is that Trac 0.10.4 does not consistently use base_url, so creating a ticket, for example, redirects the user to an http page. The tracd start-up I used for this setup was:
PATH=/opt/csw/bin:$PATH
tracenv=/var/opt/csw/trac
HTTPS=1; export HTTPS
nohup tracd --port 8000 $tracenv &
To resolve this issue I decided to move from tracd/stunnel to Apache2/mod_python. The default Solaris 10 distribution includes apache2 but not mod_python. Instead I installed mod_python from Blastwave, which in turn automatically installs the Blastwave cswapache2 package below /opt/csw/apache2.
pkg-get install ap2_modpython
We will want to run trac under apache2 using a dedicated account:
groupadd -g 202 trac
useradd -g trac -u 202 -d /var/opt/csw/trac trac
chown -R trac:trac /var/opt/csw/trac
Modified /opt/csw/apache2/etc/httpd.conf:
User trac
Group trac
…
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
…
SetHandler mod_python
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /var/opt/csw/trac
Created a self-signed certificate for the site:
cd /opt/csw/apache2/etc
PATH=$PATH:/usr/sfw/bin
/usr/sfw/bin/openssl genrsa -out server.key 2048
/usr/sfw/bin/openssl req -new -x509 -key server.key -out server.crt -days 365 -subj "/C=US/ST=Florida/O=My Company/CN=trac.mydomain.com"
Modified /opt/csw/apache2/etc/extra/httpd-ssl.conf:
ServerName trac.mydomain.com
…
SetHandler mod_python
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /var/opt/csw/trac
To start Blastwave Apache2 using SMF on Solaris:
svccfg -s cswapache2 setprop httpd/ssl=true
svccfg -s cswapache2 listprop
svcadm enable cswapache2
To check status:
svcs cswapache2
svcs -xv