Merge pull request #168 from skoranda/mod_wsgi_documentation

Add documentation for deploying with mod_wsgi

Author: johanlundberg

doc/README.md

@@ -573,7 +573,17 @@ satosa-saml-metadata <path to proxy_conf.yaml> <path to key for signing> <path t
 
 Detailed usage instructions can be viewed by running `satosa-saml-metadata --help`.
 
-# <a name="run" style="color:#000000">Start proxy application</a>
+# Running the proxy application
+
+The SATOSA proxy is a Python WSGI application and so may be run using any WSGI compliant web server.
+
+## Using Gunicorn
+
+Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX and is the server used most often
+to run the proxy. In a production deployment the Gunicorn server is often proxied by a
+full featured general purpose web server (in a reverse proxy architecture) such as Nginx or 
+Apache HTTP Server to help buffer slow clients and enable more sophisticated error page rendering.
+
 Start the proxy server with the following command:
 ```bash
 gunicorn -b<socket address> satosa.wsgi:app --keyfile=<https key> --certfile=<https cert>
@@ -589,3 +599,9 @@ located somewhere else, use the environment variable `SATOSA_CONFIG` to specify
 ```bash
 set SATOSA_CONFIG=/home/user/proxy_conf.yaml
 ```
+
+## Using Apache HTTP Server and mod\_wsgi
+
+See the [auxiliary documentation for running using mod\_wsgi](mod_wsgi.md).
+
+

doc/mod_wsgi.md

@@ -0,0 +1,200 @@
+# Running SATOSA Using Apache HTTP Server and mod\_wsgi
+
+This document describes how to deploy and run the SATOSA proxy using
+Apache HTTP Server and mod\_wsgi. To be concrete this document details
+deploying SATOSA on the latest CentOS 7.x release.
+
+## Dependencies
+
+```
+yum install epel-release
+yum install httpd mod_ssl httpd-devel python34 python34-devel
+yum install xmlsec1-openssl gcc curl
+```
+
+Install the latest production release of pip and use it to install the latest 
+production release of mod\_wsgi:
+
+```
+curl https://bootstrap.pypa.io/get-pip.py | python3
+pip install mod_wsgi
+```
+
+Create a `satosa` user to run the WSGI daemon:
+
+```
+useradd --home-dir /etc/satosa --no-create-home --system --user-group satosa
+```
+
+## Installation
+
+Use pip to install SATOSA:
+
+```
+pip install SATOSA
+```
+
+To instead install the latest from the master branch on the GitHub repository:
+
+```
+yum install git
+pip install --upgrade git+https://github.com/IdentityPython/SATOSA.git#egg=SATOSA
+```
+
+To upgrade and use the latest release of pySAML2:
+
+```
+pip install --upgrade pysaml2
+```
+
+## Installation of SATOSA Microservices
+
+```
+curl -L -o satosa_microservices.tar.gz \
+    https://github.com/IdentityPython/satosa_microservices/archive/master.tar.gz \
+    && mkdir -p /opt/satosa_microservices \
+    && tar -zxf satosa_microservices.tar.gz -C /opt/satosa_microservices --strip-components=1 \
+    && rm -f satosa_microservices.tar.gz
+```
+
+If you need the LDAP Attribute Store microservice you must also install
+ldap3 using pip:
+
+```
+pip install ldap3
+```
+
+## Apache Configuration
+
+Use the `mod_wsgi-express module-config` command to determine the correct
+module path and Python home to add to the Apache configuration. For
+example:
+
+```
+$ mod_wsgi-express module-config
+LoadModule wsgi_module "/usr/lib64/python3.4/site-packages/mod_wsgi/server/mod_wsgi-py34.cpython-34m.so"
+WSGIPythonHome "/usr"
+```
+
+Edit the Apache config and in the global section (not within a virtual
+host) add the `LoadModule` and `WSGIPythonHome` lines as output from the
+above command.
+
+Edit the Apache config and in your virtual host configuration add
+
+```
+WSGIDaemonProcess satosa processes=2 threads=15 \
+  display-name=%{GROUP} home=/etc/satosa user=satosa group=satosa \
+  restart-interval=86400 graceful-timeout=3600 \
+  python-path=/opt/satosa_microservices/src/satosa/micro_services:/etc/satosa
+
+WSGIApplicationGroup satosa
+WSGIProcessGroup satosa
+
+WSGIScriptAlias / /usr/lib/python3.4/site-packages/satosa/wsgi.py
+WSGICallableObject app
+WSGIImportScript /usr/lib/python3.4/site-packages/satosa/wsgi.py \
+  process-group=satosa application-group=satosa
+```
+
+## SATOSA Configuration
+
+Create the directory `/etc/satosa` and in it the SATOSA `proxy_conf.yaml`
+configuration file. For example
+
+```
+$ mkdir /etc/satosa
+$ cat << EOF > /etc/satosa/proxy_conf.yaml
+
+BASE: https://some.host.org
+
+STATE_ENCRYPTION_KEY: fazmC8yELv38f9PF0kbS
+
+USER_ID_HASH_SALT: i7tmt34rzb2QRDgN1Ggy
+
+INTERNAL_ATTRIBUTES: "/etc/satosa/internal_attributes.yaml"
+
+COOKIE_STATE_NAME: "SATOSA_STATE"
+
+BACKEND_MODULES:
+  - "/etc/satosa/plugins/saml2_backend.yaml"
+
+FRONTEND_MODULES:
+  - "/etc/satosa/plugins/ping_frontend.yaml"  
+  - "/etc/satosa/plugins/saml2_frontend.yaml"
+
+MICRO_SERVICES:
+  - "/etc/satosa/plugins/primary_identifier.yaml"
+  - "/etc/satosa/plugins/ldap_attribute_store.yaml"
+
+CONSENT:
+  enable: No
+
+ACCOUNT_LINKING:
+  enable: No
+
+LOGGING:
+  version: 1
+  formatters:
+    simple:
+      format: "[%(asctime)s] [%(levelname)s] [%(name)s]: %(message)s"
+  handlers:
+    console:
+      class: logging.StreamHandler
+      formatter: simple
+      stream: ext://sys.stderr
+  loggers:
+    satosa:
+      level: INFO
+      handlers:
+        - console
+      propagate: no
+  root:
+    level: INFO
+    handlers: 
+      - console
+```
+
+Complete the SATOSA configuration as detailed in your `proxy_conf.yaml`
+file. See the [SATOSA configuration reference](./README.md) for details.
+
+After SATOSA is configured restart the Apache server:
+
+
+```
+systemctl restart httpd
+```
+
+## Logging
+
+SATOSA log output is sent to the Apache server logs as configured in the
+Apache configuration.
+
+
+## Overriding Errors
+
+The body of the HTML sent by SATOSA when it encounters an error condition
+is not user friendly. To configure Apache to catch errors returned by
+SATOSA and override the HTML displayed add to the global Apache config
+
+```
+WSGIErrorOverride On
+```
+
+Then in the virtual host add before the WSGIScriptAlias for example
+
+```
+ErrorDocument 404 /error.html
+ErrorDocument 500 /error.html
+
+Alias /error.html /var/www/html/error.html
+```
+
+
+
+
+
+
+
+
+