• Setting up the web interface
  • Standalone
  • Apache
    • mod_fcgid
    • mod_proxy_fcgi
    • mod_perl 2.xx
    • Token Authentication
    • Restricting the REST 1.0 mail-gateway
  • nginx
  • lighttpd
• Running RT at /rt rather than /

Setting up the web interface

As of RT 3.9, RT's web interface speaks PSGI (http://plackperl.org) which lets you use RT with any PSGI-supported web server (which includes Apache, nginx, lighttpd, etc).

Standalone

The standalone RT web server is backed by a pure-Perl server engine (HTTP::Server::PSGI). This standalone server is appropriate for development and testing, but is not appropriate for production use.

You should not run this server against port 80 (which is the default port) because that requires root-level privileges and may conflict with any existing listeners. So choose a high port (for example 8080) and start the standalone server with:

    /opt/rt5/sbin/rt-server --port 8080

You can also run rt-server with any other PSGI server, for example, to use Starman, a high performance preforking server:

    /opt/rt5/sbin/rt-server --server Starman --port 8080

To listen on IPv6 too, you can install IO::Socket::INET6 and use Starman exactly like the above command.

Apache

WARNING: Both mod_speling and mod_cache are known to break RT. mod_speling will cause RT's CSS and JS to not be loaded, making RT appear unstyled. mod_cache will cache cookies, making users be spontaneously logged in as other users in the system.

See also "Apache Configuration" in authentication, in case you intend to use Apache to provide authentication.

mod_fcgid

Apache can run with several different Multi-Processing Modules (MPMs). To use mod_fcgid, you need to run it with the prefork MPM. Most Linux distributions today use the event MPM by default, so it is important to make sure Apache is configured to use prefork on your RT server. If you do not use prefork MPM, RT will start okay but fail under production load, either because the web server crashes or performance severely degrades.

WARNING: Before mod_fcgid 2.3.6, the maximum request size was 1GB. Starting in 2.3.6, this is now 128Kb. This is unlikely to be large enough for any RT install that handles attachments. You can read more about FcgidMaxRequestLen at http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html#fcgidmaxrequestlen

Most distributions will have a mod_fcgid.conf or similar file with mod_fcgid configurations and you should add:

    FcgidMaxRequestLen 1073741824

to return to the old default.

    <VirtualHost rt.example.com>
        ### Optional apache logs for RT
        # Ensure that your log rotation scripts know about these files
        # ErrorLog /opt/rt5/var/log/apache2.error
        # TransferLog /opt/rt5/var/log/apache2.access
        # LogLevel debug

        AddDefaultCharset UTF-8

        ScriptAlias / /opt/rt5/sbin/rt-server.fcgi/

        DocumentRoot "/opt/rt5/share/html"
        <Location />
            Require all granted
            Options +ExecCGI
            AddHandler fcgid-script fcgi
        </Location>
    </VirtualHost>

mod_proxy_fcgi

This Apache module supports proxying requests via the FastCGI protocol. In addition to running Apache, you also need to start RT FCGI processes separately with a command like this:

    /opt/rt5/sbin/rt-server.fcgi --listen /opt/rt5/var/rt.sock --nproc 10

In this configuration, RT runs with Plack::Handler::FCGI and supports any arguments documented there.

Below is the corresponding Apache configuration:

    <VirtualHost rt.example.com>
        AddDefaultCharset UTF-8

        ProxyPass / unix:/opt/rt5/var/rt.sock|fcgi://localhost/
        ProxyFCGIBackendType GENERIC
        ProxyFCGISetEnvIf "true" SCRIPT_NAME ""
    </VirtualHost>

Note that the SCRIPT_NAME directive is needed to avoid issues with URIs not being properly encoded, causing errors with URIs that have spaces.

In our testing we have found that this method shares more memory between RT FCGI processes, so it can allow you to run more RT processes with less memory. This comes at the cost of some extra management of the FCGI processes, which mod_fcgid handles for you.

mod_perl 2.xx

WARNING: mod_perl 1.99_xx is not supported.

WARNING: Due to thread-safety limitations, all timestamps will be presented in the webserver's default time zone when using the worker and event MPMs; the $Timezone setting and the user's timezone preference are ignored. We suggest the prefork MPM or FastCGI deployment if your privileged users are in a different timezone than the one the server is configured for.

NOTE: RT 3.8 and below suggested use of SetHandler perl-script; this is incorrect for RT 4, and (starting in RT 4.0.11) RT will refuse to start, to prevent difficulties sending mail from RT. Change to SetHandler modperl, as the example below uses.

    <VirtualHost rt.example.com>
        ### Optional apache logs for RT
        # ErrorLog /opt/rt5/var/log/apache2.error
        # TransferLog /opt/rt5/var/log/apache2.access
        # LogLevel debug

        AddDefaultCharset UTF-8

        DocumentRoot "/opt/rt5/share/html"
        <Location />
            Require all granted
            SetHandler modperl
            PerlResponseHandler Plack::Handler::Apache2
            PerlSetVar psgi_app /opt/rt5/sbin/rt-server
        </Location>
        <Perl>
            use Plack::Handler::Apache2;
            Plack::Handler::Apache2->preload("/opt/rt5/sbin/rt-server");
        </Perl>
    </VirtualHost>

Token Authentication

If you plan to set up token-based access, possibly to use RT::REST2, add the following directive to your RT Apache configuration to allow RT to access the Authorization header.

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

More information is available in RT::Authen::Token.

Restricting the REST 1.0 mail-gateway

RT processes email via a REST 1.0 endpoint. If you accept email on the same server as your running RT, you can restrict this endpoint to localhost only with a configuration like the following:

    # Accept requests only from localhost
    <Location /REST/1.0/NoAuth/mail-gateway>
        Require local
    </Location>

If you run bin/rt-mailgate on a separate server, you can update the above to allow additional IP addresses.

    <Location /REST/1.0/NoAuth/mail-gateway>
        Require ip 127.0.0.1 ::1 192.0.2.0  # Add your actual IPs
    </Location>

See the Apache documentation for additional configuration options.

After adding this configuration, test receiving email and confirm your bin/rt-mailgate utility and /etc/aliases configurations can successfully submit email to RT.

nginx

nginx requires that you start RT's fastcgi process externally, for example using spawn-fcgi:

    spawn-fcgi -u www-data -g www-data -a 127.0.0.1 -p 9000 \
        -- /opt/rt5/sbin/rt-server.fcgi

With the nginx configuration:

    server {
        listen 80;
        server_name rt.example.com;
        access_log  /var/log/nginx/access.log;

        location / {
            client_max_body_size 100M;

            fastcgi_param  QUERY_STRING       $query_string;
            fastcgi_param  REQUEST_METHOD     $request_method;
            fastcgi_param  CONTENT_TYPE       $content_type;
            fastcgi_param  CONTENT_LENGTH     $content_length;

            fastcgi_param  SCRIPT_NAME        "";
            fastcgi_param  PATH_INFO          $uri;
            fastcgi_param  REQUEST_URI        $request_uri;
            fastcgi_param  DOCUMENT_URI       $document_uri;
            fastcgi_param  DOCUMENT_ROOT      $document_root;
            fastcgi_param  SERVER_PROTOCOL    $server_protocol;

            fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
            fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

            fastcgi_param  REMOTE_ADDR        $remote_addr;
            fastcgi_param  REMOTE_PORT        $remote_port;
            fastcgi_param  SERVER_ADDR        $server_addr;
            fastcgi_param  SERVER_PORT        $server_port;
            fastcgi_param  SERVER_NAME        $server_name;
            fastcgi_pass 127.0.0.1:9000;
        }
    }

The default nginx value for client_max_body_size is 1M, which is too small for most RT systems that accept attachments. The 100M value above is a suggestion. Adjust this to accept the largest attachments you expect to allow via email and the web UI.

lighttpd

    server.modules += ( "mod_fastcgi" )
    $HTTP["host"] =~ "^rt.example.com" {
        fastcgi.server = (
            "/" => (
                "rt" => (
                    "socket"      => "/opt/rt5/var/socket",
                    "bin-path"    => "/opt/rt5/sbin/rt-server.fcgi",
                    "check-local" => "disable",
                    "fix-root-scriptname" => "enable",
                )
            )
        )
    }

Running RT at /rt rather than /

First you need to tell RT where it's located by setting $WebPath in your RT_SiteConfig.pm:

    # Important: don't include a trailing slash here.  Read `perldoc
    # etc/RT_Config.pm` for more information.
    Set($WebPath, "/rt");

Then you need to update your Apache configuration to match. Prefix any RT related ScriptAlias and Location directives with /rt. You should also make sure DocumentRoot is not set to /opt/rt5/share/html/, otherwise RT's source will be served from /.

For example: if you're using the sample mod_fcgid config above, you might change the relevant directives to:

    ScriptAlias /rt /opt/rt5/sbin/rt-server.fcgi/

    # Set DocumentRoot as appropriate for the other content you want to serve
    DocumentRoot /var/www

    <Location /rt>
        ...
    </Location>

If you are using mod_proxy_fcgi, change these:

    ProxyPass /rt/ unix:/opt/rt5/var/rt.sock|fcgi://localhost/
    <Location /rt>
        ProxyFCGISetEnvIf "true" SCRIPT_NAME "/rt"
    </Location>

If you're using the sample mod_perl configuration, you only need to change the Location directive.

If you're not using Apache, please see Plack::Handler::FCGI or the web server's own documentation for configuration examples.

← Back to index