kallithea Files · init.d/celeryd-upstart.conf

Files @ f08fbf424898

Branch filter:

Location: kallithea/init.d/celeryd-upstart.conf

f08fbf424898 932 B text/plain Show Annotation Show as Raw Download as Raw

mads

auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header

The X-Forwarded-For header contains a list of IP addresses, where each
proxy server appends the IP they see their request coming from.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .

Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim
any IP, which could be used to bypass IP restrictions configured in Kallithea.

Instead, only trust the last proxy in the chain, and thus only use the *last*
IP in HTTP_X_FORWARDED_FOR. (In setups where more than last IP should be
trusted, the last proxy server in the chain must be configured rewrite the
header accordingly.)

# celeryd - run the celeryd daemon as an upstart job for kallithea
# Change variables/paths as necessary and place file /etc/init/celeryd.conf
# start/stop/restart as normal upstart job (ie: $ start celeryd)

description     "Celery for Kallithea Mercurial Server"
author          "Matt Zuba <matt.zuba@goodwillaz.org"

start on starting kallithea
stop on stopped kallithea

respawn

umask 0022

env PIDFILE=/tmp/celeryd.pid
env APPINI=/var/hg/kallithea/production.ini
env HOME=/var/hg
env USER=hg
# To use group (if different from user), you must edit sudoers file and change
# root's entry from (ALL) to (ALL:ALL)
# env GROUP=hg

script
    COMMAND="/var/hg/.virtualenvs/kallithea/bin/kallithea-cli celery-run -c $APPINI -- --pidfile=$PIDFILE"
    if [ -z "$GROUP" ]; then
        exec sudo -u $USER $COMMAND
    else
        exec sudo -u $USER -g $GROUP $COMMAND
    fi
end script

post-stop script
    rm -f $PIDFILE
end script