How to setup hgwebdir with wsgi on Ubuntu Lucid


Today i’ve successfully managed to run a hgwebdir istance which is able to allow pull, push and web browsing of multiple mercurial istances. Here is what i did.
First of all install the mercurial package via aptitude which will give you a working hgwebdir.wsgi file. Grab the hgwebdir.wsgi from /usr/share/doc/mercurial/examples/hgwebdir.wsgi and put it in /var/www/hg (i’ve used /var/www/ on in whatever directory you want to expose with apache. Then edit hgwebdir.wsgi and put an absolute pathname for the configuration file. Despite about relative paths, they didn’t work for me in this case. Last line of that file should look like:

application = hgwebdir('/var/www/')

Now let’s configure hgwebdir using the file /var/www/

allow_archive = gz, zip, bz2
style = coal
allow_push = *
push_ssl = false

/var/repositories = /var/repositories

I’m using /var/repositories as a directory for my repositories, using the coal style and allowing push to everyone (allow_push = *) and accept push even without ssl (push_ssl = false). Don’t worry, i’m not opening my repo to anyone, i’ll use apache to handle authentication and to decide who could push and who couldn’t. Last file to modify is the apache configuration which makes a “glue” between hgwebdir and apache. I’ve used virtualhosts which are the common way to host multiple sites in apache.

<VirtualHost *:80>

    WSGIScriptAliasMatch ^(.*)$ /var/www/$1

    # To enable "daemon" mode, uncomment following lines. (Read mod_wsgi docs for more info)
    # WSGIDaemonProcess user=USER group=GROUP threads=15 maximum-requests=1000
    # some more interesting options (tested on mod_wsgi 2.0):
    # processes=2 umask=0007 inactivity-timeout=300
    # WSGIProcessGroup

    <Directory /var/www/>
        Options ExecCGI FollowSymlinks

        AddHandler wsgi-script .wsgi

        AllowOverride None
        Order allow,deny
        Allow from all
    <Location />
    AuthType Basic
    AuthName "Mercurial repositories"
    AuthUserFile /var/www/
    Require valid-user

The Location directive handles the authentication. It’s a quite restrictive configuration which uses the same .htpasswd of my trac istance and needs authentication also to look at the repo. I’m hosting a company’s source code but even if it’s gpl3 there are some keys and passwords hardcoded in it, so for now the code is keept secret. Maybe you don’t want this feature, but you want to be able to make the repo world readable but allow pushing only to some people. To do so you should change the Location:

<Location />
    AuthType Basic
    AuthName "Mercurial repositories"
    AuthUserFile /var/www/
    <LimitExcept GET>
        Require valid-user

This will request authentication to make a push only. I also suggest you to run this all on port 443 so ssl will be enabled and password will be safe across the network. To so so, configure properly your apache and then modify the virtualhost field so you accept https only. ( instead of ).

How to bypass blocks
How to create an Amazon EC2 (cloud) instance of ubuntu server
  • Well, since you’re already hacking in ubuntu 10.04 — any help/tutorial on setting up a D dev stack with GDC and Tango in this distro?
    The problem is:
    – GDC is included in official repo (this is good actually!)
    – ppa d-language-packagers seem to only include libtango-daily-ldc-dev (and official repo only libtango-ldc-dev) and no -gdc version
    – no DSSS

  • Hey, nice article.

    I ran into trouble with this setup. When I enable my mercurial plugin, my trac complains:

    IOError: sys.stdin access restricted by mod_wsgi

    I know wsgi does not allow access to the stdin and stdout for security reasons, but I don’t anyone complaining about this ?

    Have you seen this issue ?

  • Nice post!

    Probably you are aware of that but I’ll tell just in case: when you setup apache authentication without SSL, in other words, not using https, your password goes plain in the request.

    In that case try not to access your repo from unsecured networks and mainly in geek conferences πŸ˜‰


    • Thanks Sergio.

      Yep i was aware but i didn’t think my article were useful and ranked on google. But it’s starting to have a lot of visits now and i think i’ll update the article with the useful informations about ssl support.

      If you already did it and you wanna share that knowledge just send me the new configuration: i’ll be glad to post it πŸ™‚

      See ya

  • Thank you very much. Very straightforward compared to some of the other sites I found. I could not get authentication or push for that matter without going to hgwebdir.wsgi instead of hgweb.

    I installed on the non-server distro of Lucid, so it needed apache2, openssh, and of course mod-wsgi.

    After some tweaking, everything is working.

Leave a Reply

%d bloggers like this: