| 264 | === Authentication for tracd behind a proxy |
| 265 | It is convenient to provide central external authentication to your tracd instances, instead of using {{{--basic-auth}}}. There is some discussion about this in #9206. |
| 266 | |
| 267 | Below is example configuration based on Apache 2.2, mod_proxy, mod_authnz_ldap. |
| 268 | |
| 269 | First we bring tracd into Apache's location namespace. |
| 270 | |
| 271 | {{{ |
| 272 | <Location /project/proxified> |
| 273 | Require ldap-group cn=somegroup, ou=Groups,dc=domain.com |
| 274 | Require ldap-user somespecificusertoo |
| 275 | ProxyPass http://localhost:8101/project/proxified/ |
| 276 | # Turns out we don't really need complicated RewriteRules here at all |
| 277 | RequestHeader set REMOTE_USER %{REMOTE_USER}s |
| 278 | </Location> |
| 279 | }}} |
| 280 | |
| 281 | Then we need a single file plugin to recognize HTTP_REMOTE_USER header as valid authentication source. HTTP headers like '''HTTP_FOO_BAR''' will get converted to '''Foo-Bar''' during processing. Name it something like '''remote-user-auth.py''' and drop it into '''proxified/plugins''' directory: |
| 282 | {{{ |
| 283 | #!python |
| 284 | from trac.core import * |
| 285 | from trac.config import BoolOption |
| 286 | from trac.web.api import IAuthenticator |
| 287 | |
| 288 | class MyRemoteUserAuthenticator(Component): |
| 289 | |
| 290 | implements(IAuthenticator) |
| 291 | |
| 292 | obey_remote_user_header = BoolOption('trac', 'obey_remote_user_header', 'false', |
| 293 | """Whether the 'Remote-User:' HTTP header is to be trusted for user logins |
| 294 | (''since ??.??').""") |
| 295 | |
| 296 | def authenticate(self, req): |
| 297 | if self.obey_remote_user_header and req.get_header('Remote-User'): |
| 298 | return req.get_header('Remote-User') |
| 299 | return None |
| 300 | |
| 301 | }}} |
| 302 | |
| 303 | Add this new parameter to your TracIni: |
| 304 | {{{ |
| 305 | ... |
| 306 | [trac] |
| 307 | ... |
| 308 | obey_remote_user_header = true |
| 309 | ... |
| 310 | }}} |
| 311 | |
| 312 | Run tracd: |
| 313 | {{{ |
| 314 | tracd -p 8101 -r -s proxified --base-path=/project/proxified |
| 315 | }}} |
| 316 | |