Access django url without apache http basic authentication - django

I'm working on a Django 3.2 project which is hosted using Apache 2.4 server. The user authentication in this project is handled using HTTP Basic Authentication configured using LDAP.
I have implemented a sign up feature for new users. For that I have created the necessary form, view, template and url pattern in the Django project. The urlpattern to visit the sign up form is /signup.
My goal is to make the sign up urlpattern accessible to anyone i.e. prevent the Basic Authentication from showing when the sign up urlpattern is requested by user in the browser.
JFI, the complete Apache configuration is already complete and works already.
To achieve this, I have used the "LocationMatch" directive in the Apache configuration within the VirtualHost directive:
...
<LocationMatch "^/signup$">
Require all granted
</LocationMatch>
...
With this, the Basic Authentication is removed when the /signup URI is requested, but the server always redirects to another URL which ultimately requires authentication, hence giving the Basic Auth pop-up.
$ curl -I https://*****.com/signup
HTTP/1.1 302 Found
...
I have tried to redirect the request explicitly to /signup whenever the requested path is /signup. This ends up in an endless loop of redirections.
RewriteEngine on
...
RewriteRule ^/signup$ /signup [R=301,L]
I have also tried other ways such as setting environment variables within the Apache configuration. I have restarted Apache whenever a change was made to the config, I have cleared the browser cache etc., but nothing seems to be working.
FYI, I can access the /signup url successfully after logging into the application which is not useful for me.
I'm afraid I cannot share the complete source (Apache config, Django source etc.) here as the project is not completely open source yet. But I'm sure your suggestions would help me in some way.
I want to fix the redirection. I have no clue what I'm missing out here.
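The `curl -I` output above omits the Location header, which is the one thing that says where the 302 goes. The script below is an added example of mine, not code from the question: it walks the redirect chain one HEAD request at a time without auto-following, and reports which hop answers with a WWW-Authenticate challenge and whether the chain loops (the "endless redirect" case from the RewriteRule attempt). The responses in FAKE_SERVER are constructed to mirror the symptom; the host name and realm are placeholders. Run it with a real URL as the first argument to use live HEAD requests. One thing worth checking with it, stated as an assumption about the setup rather than a diagnosis: Django's APPEND_SLASH redirects /signup to /signup/ when the URL pattern is defined with a trailing slash, and a LocationMatch of `^/signup$` does not cover /signup/, whereas `^/signup/?$` would.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def head_no_follow(url, timeout=10):
    """One HEAD request to `url`; redirects are deliberately not followed.

    Returns (status, headers) with header names lower-cased.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def trace_redirects(url, fetch=head_no_follow, max_hops=10):
    """Follow a redirect chain hop by hop and record what each hop answers.

    Returns a dict with:
      hops       - list of (url, status, location, www_authenticate)
      challenge  - the first WWW-Authenticate value seen, or None
      loop       - True if a URL repeated (an endless redirect)
      truncated  - True if max_hops was reached without a final answer
    """
    hops, seen = [], set()
    challenge = None
    loop = truncated = False
    while True:
        if url in seen:
            loop = True
            break
        if len(hops) >= max_hops:
            truncated = True
            break
        seen.add(url)
        status, headers = fetch(url)
        location = headers.get("location")
        www_auth = headers.get("www-authenticate")
        hops.append((url, status, location, www_auth))
        if www_auth and challenge is None:
            challenge = www_auth
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative; resolve it against the current hop
    return {"hops": hops, "challenge": challenge, "loop": loop, "truncated": truncated}


# Constructed responses standing in for a server like the one in the question
# (host name, paths and realm are placeholders, not the poster's site).
FAKE_SERVER = {
    "https://example.com/signup": (302, {"location": "/signup/"}),
    "https://example.com/signup/": (401, {"www-authenticate": 'Basic realm="LDAP"'}),
    "https://example.com/loop": (301, {"location": "https://example.com/loop"}),
}


def fake_fetch(url):
    return FAKE_SERVER[url]


def demo():
    """Trace both constructed cases; returns (signup_result, loop_result)."""
    return (
        trace_redirects("https://example.com/signup", fake_fetch),
        trace_redirects("https://example.com/loop", fake_fetch),
    )


if __name__ == "__main__":
    import sys

    live = len(sys.argv) > 1
    result = trace_redirects(sys.argv[1] if live else "https://example.com/signup",
                             head_no_follow if live else fake_fetch)
    for hop_url, status, location, www_auth in result["hops"]:
        line = f"{status} {hop_url}"
        line += f" -> {location}" if location else ""
        line += f"  [{www_auth}]" if www_auth else ""
        print(line)
    if result["loop"]:
        print("redirect loop detected")
```

In the constructed run the first hop is a 302 to /signup/ and it is the second hop, outside the `^/signup$` match, that issues the Basic challenge; that is the hop whose path the LocationMatch has to cover.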

Related

How to secure folder on server without php scripts

I have a number of .html files on my web-server which I store in a specific folder. I have to protect them from unwanted users and let only a few people to be able to access this folder.
I would like to protect this specific folder, so users have to log in, but I don't want to use any PHP framework etc. It's only a simple HTML website created without PHP.
I have my own dedicated server, so there are some options to do it. For now I did basic HTTP Auth based on .htaccess and .htpasswd files, but I've just read it's not really secure because the password is sent in plain text. I've found a similar option called .htdigest, but maybe there are more secure and also easy-to-set-up ways to secure a folder? I hope someone can recommend a method to make it secure. Here is what I have on my server:
using CloudFlare Service (paid plan) which allows me to use SSL,
can install additional modules if needed.
Thank you for help!
You can use the allow/deny directives:
# Apache 2.2 syntax (on Apache 2.4 this needs mod_access_compat; the 2.4 equivalent is "Require all denied")
Order allow,deny
Deny from all
It will give the user a 403 Forbidden response, but if you want to return a 404 response code instead, you can use the directive below:
# RedirectMatch with a status of 404 takes a regex and no target URL; ".*" covers every URL under the folder's .htaccess
RedirectMatch 404 .*
references : http://httpd.apache.org/docs/current/sections.html

Rails app, REMOTE_USER attribute in IIS 8.5 with windows authentication

I have set up an IIS 8.5 server that runs a Rails app using HttpPlatformHandler and Windows authentication. We have also tried using ARR as a reverse proxy with the same results.
This all works completely fine, users are authenticated using kerberos, and anonymous authentication is disabled, no problem there.
We can deny specific users and see that it has effect.
The problem is that there is no REMOTE_USER or AUTH_USER attribute anywhere in the http response headers. However the HTTP_AUTHORIZATION header is set and is eg "Negotiate YIIHJAYGKw....".
We haven't found a reasonable way to decode the HTTP_AUTHORIZATION header either.
Any form of help would be much appreciated.
To fix this, you need to install helicontech's ISAPI_Rewrite 3 on the server running IIS. download url is here: ISAPI_Rewrite 3.
After that navigate to the install folder, the default is C:\Program Files\Helicon\ISAPI_Rewrite3
In there you will find a file called httpd.conf, open it up and add:
RewriteBase /
# apply to every request
RewriteCond %{REQUEST_URI} ^/.*
# set X-Remote-User from the account IIS authenticated (REMOTE_USER); the app should only
# trust this header if it cannot be reached by any path that bypasses IIS
RewriteHeader X-Remote-User: .* %{REMOTE_USER}
Now you will be able to get the remote username in your ruby code with:
request.env['HTTP_X_REMOTE_USER']

Deploy Django REST API to api.example.com: Apache 2.2, mod_wsgi and mod_rewrite

I have been searching for information on this topic for a couple days and I keep running into road blocks.
I have a Django web site and application running at www.example.com and I'm forcing HTTPS. It's deployed on Apache 2.2 with WSGI. This works fine and works for both example.com and www.example.com.
I also have a REST API (pip install djangorestframework) running at https://www.example.com/api/v1/. This also works fine.
I want to run the API from a subdomain https://api.example.com and keep this URL in the address bar. For example, to fetch JSON objects I might use something like this:
curl -X GET https://api.example.com/objects/ -H 'Authorization: Token xxx'
I can get this now by using this:
curl -X GET https://www.example.com/api/v1/objects/ -H 'Authorization: Token xxx'
I have a separate SSL certificate for this subdomain and this has been correctly configured.
I have tried many things in my Apache configuration to accomplish this but failed at every turn. I thought I could use mod_rewrite to silently fetch the content from https://www.example.com/api/v1/ while leaving https://api.example.com in the address bar. Is this possible? Here is what I've tried (in the sites-available virtual host file):
RewriteEngine on
RewriteCond %{HTTP_HOST} ^api.example.com [NC]
# Note: when the substitution is an absolute URL on a different host, mod_rewrite answers with an
# external redirect, so the address bar changes; fetching silently from the other host needs the
# [P] flag together with mod_proxy (and SSLProxyEngine for an https target) instead.
RewriteRule ^(.*)$ https://www.example.com/api/v1/$1 [L]
I have tried several variations of this idea to no avail. I played around with HTTPS on/off as well with no real benefit.
I read a couple places that using mod_proxy could accomplish this but when I went down this road, the API was available (after quite a bit of tweaking) at the desired URL (https://api.example.com) but none of my static content was there and when I clicked on a relative link in the Django REST Framework UI, I'd get 404s because it was looking at:
https://api.example.com/api/v1/
which Django complained about: /api/v1/api/v1/
I guess all I'm trying to do is make https://api.example.com the base URL for the API as if it were https://www.example.com/api/v1/.
Duplicate that led to the discovery of the django-hosts package:
Django subdomain configuration for API endpoints
I have been playing around with this and it shows promise, although I haven't "solved" my problem yet. I plan to edit this answer once I get more information to share. In the meantime, if anyone has used django-hosts to approach my original question, please add your answers here or at least make some comments!

Microsoft Azure appending extra query string to urls with query strings

In deploying a version of the Django website I'm working on to Microsoft's Azure service, I added a page which takes a query string like
http://<my_site_name>.azurewebsites.net/security/user/?username=<some_username>&password=<some_password>
However, I was getting 404 responses to this URL. So I turned on Django's Debug flag and the page I get returned said:
Page not found (404)
Request Method: GET
Request URL: http://<my_site_name>.azurewebsites.net/security/user/?username=<some_username>&password=<some_password>?username=<some_username>&password=<some_password>
Using the `URLconf` defined in `<my_project_name>.urls`, Django tried these URL patterns, in this order:
^$
^security/ ^user/$
^account/
^admin/
^api/
The current URL, `security/user/?username=<some_username>&password=<some_password>`, didn't match any of these.
So it seems to be appending the query string onto the end of the URL that already has the same query string. I have the site running on my local machine and on an IIS server on my internal network which I'm using for staging before pushing to Azure. Neither of these deployments does this, so this seems to be something specific to Azure.
Is there something I need to set in the Azure website management interface to prevent it from modifying URLs with query strings? Is there something I'm doing wrong with regards to using query strings with Azure?
In speaking to the providers of wfastcgi.py they told me it may be an issue with wfastcgi.py that is causing this problem. While they look into it they gave me a work around that fixes the issue.
Download the latest copy of wfastcgi.py from http://pytools.codeplex.com/releases
In that file find this part of the code:
if 'HTTP_X_ORIGINAL_URL' in record.params:
    # We've been re-written for shared FastCGI hosting, send the original URL as the PATH_INFO.
    record.params['PATH_INFO'] = record.params['HTTP_X_ORIGINAL_URL']
And add right below it (still part of the if block):
    # PATH_INFO is not supposed to include the query parameters, so remove them
    record.params['PATH_INFO'] = record.params['PATH_INFO'].split('?')[0]
Then, upload/deploy this modified file to the Azure site (either use FTP to put it somewhere or add it to your site deployment). I'm deploying it so that if I need to modify it further it's versioned and backed up.
In the Azure management page for the site, go to the site's configure page and change the handler mapping to point to the modified wfastcgi.py file and save the configuration.
i.e. my handler used to be the default D:\python27\scripts\wfastcgi.py. Since I deployed my modified file, the handler path is now: D:\home\site\wwwroot\wfastcgi.py
I also restarted the site, but you may not have to.
This modified script should now strip the query string from PATH_INFO, and urls with query strings should work. I'll be using this until I hear from the wfastcgi.py devs that the default wfastcgi.py file in the Python27 install has been fixed/replaced.
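To see the doubled query string and the fix side by side, here is an added, self-contained example of mine; it is neither the wfastcgi.py code nor the answerer's patch. The parameter dict is constructed to mirror what the question describes, and the user name and password in it are placeholders. Beyond the one-line fix in the answer it does two more things a practitioner would want, both my additions: it keeps QUERY_STRING in step with the original URL, and it percent-decodes PATH_INFO, which the CGI specification requires (PATH_INFO is decoded, QUERY_STRING is not).

```python
from urllib.parse import unquote


def request_url(params):
    """How a WSGI framework reconstructs the requested URL from the CGI variables:
    PATH_INFO, then '?' plus QUERY_STRING when the latter is non-empty (this is
    what Django's get_full_path() does, and what the 404 page in the question printed)."""
    path, query = params.get("PATH_INFO", ""), params.get("QUERY_STRING", "")
    return f"{path}?{query}" if query else path


def rewrite_unpatched(params):
    """The behaviour described in the question: the whole original URL, query
    string included, is copied into PATH_INFO."""
    params = dict(params)
    if "HTTP_X_ORIGINAL_URL" in params:
        params["PATH_INFO"] = params["HTTP_X_ORIGINAL_URL"]
    return params


def rewrite_patched(params):
    """The answer's work-around plus two additions of mine: QUERY_STRING is taken
    from the same original URL, and PATH_INFO is percent-decoded as CGI requires."""
    params = dict(params)
    original = params.get("HTTP_X_ORIGINAL_URL")
    if original is not None:
        # partition() splits at the FIRST '?', so a '?' inside the query survives intact
        path, sep, query = original.partition("?")
        params["PATH_INFO"] = unquote(path)
        if sep:
            params["QUERY_STRING"] = query
    return params


# Constructed FastCGI parameters, as IIS would hand them to wfastcgi.py after its own
# rewrite. Names and values are placeholders; the credentials-in-the-query-string
# design is the question's, not a recommendation.
SAMPLE_PARAMS = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/security/user/",
    "QUERY_STRING": "username=alice&password=s3cret",
    "HTTP_X_ORIGINAL_URL": "/security/user/?username=alice&password=s3cret",
}


def demo():
    """Returns (url_seen_by_django_before_fix, url_seen_by_django_after_fix)."""
    return (
        request_url(rewrite_unpatched(SAMPLE_PARAMS)),
        request_url(rewrite_patched(SAMPLE_PARAMS)),
    )


if __name__ == "__main__":
    before, after = demo()
    print("unpatched:", before)
    print("patched:  ", after)
```

A side note on the URL itself rather than on the bug: a password carried in a GET query string is written to the IIS and Azure request logs and to any proxy log on the way, and shows up in browser history, so a form POST or an Authorization header is the safer transport for it.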

Running the django admin over https using apache2

I have a django web application that's running on apache 2.2.14 and I want to run the admin application over https.
Having read considerable discussions on using a proxy, writing middleware, running alternative wsgi scripts, the chaps in #httpd came to my rescue. The solution is so simple, I was surprised I didn't find it online, so I'm curious to see if I've made some glaring assumptions or errors.
One complication was that I also wanted to run one of my django apps in the site over https, that is everything on /checkout.
Essentially, if a user requests a URI starting with /admin or /checkout on http, they are to be redirected to that URI but on https. Conversely, if a user requests a URI that does not start with /admin or /checkout on https, they are to be redirected to that URI but on http.
The key to solving this problem was to use Redirect and RedirectMatch directives in my VirtualHost configuration.
<VirtualHost *:80>
    ... host config stuff ...
    Redirect /admin https://www.mywebsite.com/admin
    Redirect /checkout https://www.mywebsite.com/checkout
</VirtualHost>
<VirtualHost *:443>
    ... ssl host config stuff ...
    RedirectMatch ^(/(?!admin|checkout).*) http://www.mywebsite.com$1
</VirtualHost>
Another approach is to use the secure_required decorator. This will automatically rewrite the requested URL and redirect to the https://... version of the URL. Then you don't have to have Redirect in the *:80 configuration. The *:443 configuration may still be required for performance purposes if you want other traffic to go through normal HTTP.
I tried your solution, but ran into several problems. First, the formatting on the admin site disappeared, as if it could not find the admin static files. Second, if I tried to reach the non-admin site through https, the browser would not find it and redirect me to Yahoo search. Oddly, if I edited the yahoo search URL to eliminate all text except my correct URL (minus the http://), it would continue to search through yahoo for my site. However, typing the exact same URL afresh sent me to my site.
I solved all of these issues by simply removing the
RedirectMatch ^(/(?!admin|checkout).*) http://www.mywebsite.com$1
directive.
I should mention that I don't have a /checkout section on my site and am only trying to secure /admin. ... and yes, I did substitute my URL for "mywebsite.com"
What you described should work, but there may be a problem in the future if you need to make changes to which paths are/are not HTTPS. Because this method requires the ability to correctly modify the Apache config file it means you do not want novices in the loop. Screw up the config file and your site can go 500-error in the blink of an eye.
We chose to have a simple text file that had a list of the must-be-HTTPS paths. Anyone on the project can edit it and it is checked for correctness when it is loaded. We handle any needed redirects to/from HTTPS in middleware and it seems to work just fine. This method will also work if you are running anything other than Apache.
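The middleware approach of the last answer, as an added example of mine in plain WSGI; it is not that project's code, which is not shown. The must-be-HTTPS paths come from a text file, every line is validated when the file is loaded so a bad edit fails at start-up rather than at request time, and requests for listed paths over http get a 301 to https. The host name, path list and requests below are constructed. Two choices are mine, not the answer's: redirecting https back to http for unlisted paths (what the Apache RedirectMatch in the accepted configuration did) is off by default, because it downgrades users who arrived securely; and the Host header is checked against an allowed list before it is copied into a Location header, so a forged Host cannot turn the redirect into an open redirect. Behind a TLS-terminating proxy, `wsgi.url_scheme` has to be set from X-Forwarded-Proto by an earlier layer; that is not shown here.

```python
from urllib.parse import quote


def load_https_paths(text):
    """Parse the must-be-HTTPS list: one absolute path prefix per line, '#' comments
    allowed. Anything that is not an absolute URL path raises, so the file is
    checked for correctness at load time."""
    prefixes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.startswith("/") or any(ch.isspace() for ch in line) or "?" in line:
            raise ValueError(f"line {lineno}: {raw!r} is not an absolute URL path")
        prefixes.append(line.rstrip("/") + "/")
    return prefixes


def needs_https(path, prefixes):
    """Segment-wise prefix match: '/admin' covers '/admin' and '/admin/x', not '/administrator'."""
    probe = path.rstrip("/") + "/"
    return any(probe.startswith(p) for p in prefixes)


class HttpsEnforcer:
    """WSGI middleware: 301 http->https for listed paths; optionally https->http elsewhere."""

    def __init__(self, app, prefixes, allowed_hosts, downgrade_others=False):
        self.app = app
        self.prefixes = prefixes
        self.allowed_hosts = set(allowed_hosts)
        self.downgrade_others = downgrade_others

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "")
        if host not in self.allowed_hosts:
            # never echo an unknown Host header back in a Location header
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"bad host header"]
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO") or "/"
        wanted = "https" if needs_https(path, self.prefixes) else "http"
        if scheme == wanted or (wanted == "http" and not self.downgrade_others):
            return self.app(environ, start_response)
        query = environ.get("QUERY_STRING", "")
        location = f"{wanted}://{host}{quote(path)}" + (f"?{query}" if query else "")
        start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
        return [b""]


def call(app, environ):
    """Minimal WSGI driver for testing: returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


# Constructed contents of the path list file and a constructed host name.
PATH_LIST = "/admin\n/checkout   # the shop\n\n"
HOST = "www.mywebsite.com"


def make_env(scheme, path, query=""):
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": HOST, "PATH_INFO": path,
            "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def demo():
    app = HttpsEnforcer(hello, load_https_paths(PATH_LIST), [HOST])
    return {
        "admin_over_http": call(app, make_env("http", "/admin/login/", "next=%2Fadmin%2F")),
        "admin_over_https": call(app, make_env("https", "/admin/")),
        "administrator_over_http": call(app, make_env("http", "/administrator/")),
        "blog_over_https": call(app, make_env("https", "/blog/")),
    }


if __name__ == "__main__":
    for name, (status, headers, _) in demo().items():
        print(f"{name}: {status} {headers.get('Location', '')}")
```

Because the list is checked by `load_https_paths` and the redirect itself never touches the Apache configuration, a mistake in the file produces a clear error at start-up instead of the 500s the answer warns about, and the same middleware works unchanged under any WSGI server.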