I am trying to make a project and have some media files which should only be accessed by their owner.
In production, media and static files are served by apache (or nginx but I am using apache).
I was looking for some solutions and I am not able to apply.
On djangosnippets website, I found this code,
from mod_python import apache
from django.core.handlers.base import BaseHandler
from django.core.handlers.modpython import ModPythonRequest
class AccessHandler(BaseHandler):
def __call__(self, req):
from django.conf import settings
# set up middleware
if self._request_middleware is None:
self.load_middleware()
# populate the request object
request = ModPythonRequest(req)
# and apply the middleware to it
# actually only session and auth middleware would be needed here
for middleware_method in self._request_middleware:
middleware_method(request)
return request
def accesshandler(req):
os.environ.update(req.subprocess_env)
# check for PythonOptions
_str_to_bool = lambda s: s.lower() in ("1", "true", "on", "yes")
options = req.get_options()
permission_name = options.get("DjangoPermissionName", None)
staff_only = _str_to_bool(
options.get("DjangoRequireStaffStatus", "on")
)
superuser_only = _str_to_bool(
options.get("DjangoRequireSuperuserStatus", "off")
)
settings_module = options.get("DJANGO_SETTINGS_MODULE", None)
if settings_module:
os.environ["DJANGO_SETTINGS_MODULE"] = settings_module
request = AccessHandler()(req)
if request.user.is_authenticated():
if superuser_only and request.user.is_superuser:
return apache.OK
elif staff_only and request.user.is_staff:
return apache.OK
elif permission_name and request.user.has_perm(
permission_name
):
return apache.OK
return apache.HTTP_UNAUTHORIZED
But I am not able to install mod_python. Please tell me how to do that first
And I changed my .conf file for apache which is as below.
<VirtualHost *:80>
ServerName podcast.com
ServerAdmin srpatel980#gmail.com
DocumentRoot /home/username/Documents/secret_media
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/username/Documents/secret_media/static
<Directory /home/username/Documents/secret_media/static>
Require all granted
</Directory>
Alias /media /home/username/Documents/secret_media/media
<Directory /home/username/Documents/secret_media/media>
Require all granted
</Directory>
<Directory /home/username/Documents/secret_media/secret_media>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIScriptAlias / /home/username/Documents/secret_media/secret_media/wsgi.py
WSGIDaemonProcess secret_media python-path=/home/username/Documents/secret_media python-home=/home/username/Documents/secret_media/venv
WSGIProcessGroup secret_media
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
<Location "/media/images">
PythonPath /home/username/Documents/secret_media
PythonOption DJANGO_SETTINGS_MODULE secret_media.settings
PythonAccessHandler secret_media.wsgi.py #this should point to accesshandler
SetHandler None
</Location>
</VirtualHost>
There are some settings which are repeated, don't know why, please explain
X-Sendfile
I do not know about the method you use above, but I have been using mod_xsendfile to do the same. Whats the principle: request to a url is handeled by a view that checks access rights ... the view returns a response with a key "X-Sendfile" & file ... this triggers Apache on the way back to serve the media file.
I just show you the code without testing syntax .... please ask if something is not clear
Apache httpd.conf
LoadModule xsendfile_module modules/mod_xsendfile.so
in Apache remove the usual "alias media ..."
Apache httpd-vhosts.conf
<VirtualHost *:80>
# ... all your usual Django Config staff
# remove the usual alias /media/
# Alias /media/ d:/WEBSPACES/dieweltdahinter_project/media/
XSendFile on
XSendFilePath D:/your_path/media/
<Directory "D:/your_path/media">
Order Deny,Allow
Allow from all
</Directory>
</VirtualHost>
urls.py
urlpatterns = [
.....,
re_path(r'^media/(?P<folder>[A-Za-z0-9\-_]+)/(?P<filename>[A-Za-z0-9\-_]+).(?P<extension>[A-Za-z0-9]+)\/?$', app_views.media_xsendfile, name='media-xsendfile'),
.....
]
views.py
# add decorators to manage access
#
def media_xsendfile(request, folder='', filename=None, extension=None):
# add an kind of user check ....
# only server certain type of files
if extension in ('jpg', 'png', 'gif'):
response['Content-Type'] = 'image/'+extension
elif extension == 'mp3':
response['Content-Type'] = 'audio/mpeg'
else:
return
if not folder == '':
folder = '/'+folder+'/'
response = HttpResponse()
# this is the part of the response that Apache reacts upon:
response['X-Sendfile'] = smart_str(settings.MEDIA_ROOT + folder + filename + "." + extension)
# need to handover an absolute path to your file to Apache!!
return response
One way to do it is using a so-called X-Sendfile.
In simple words:
User requests URL to get a protected file (so you need to keep your public and protected files separately, and then either proxy a request to Django for protected files, or serve files directly from the apache/nginx if they are public)
Django view decides which file to return based on URL, and checks user permission, etc.
Django returns an HTTP Response with the 'X-Sendfile' header set to the server's file path
The web server finds the file and returns it to the requester
The setup will be different for nginx and apache, according to my findings you need to install mod_xsendfile for apache, nginx supports it out of the box. Hopefully, that helps, ask any additional questions if needed.
Related
I have a function in apps.py set to run at Apache boot/restart, however it doesn't and it only works after I pull up the index page.
However, if I use Django's development environment it works perfectly.
APPS.PY
from django.apps import AppConfig
class GpioAppConfig(AppConfig):
name = 'gpio_app'
verbose_name = "My Application"
def ready(self):
from apscheduler.schedulers.background import BackgroundScheduler
from gpio_app.models import Status, ApsScheduler
import gpio_app.scheduler as sched
import logging
logging.basicConfig()
logging.getLogger('apscheduler').setLevel(logging.DEBUG)
sched.cancel_day_schedule()
sched.get_schedule()
sched.daily_sched_update()
sched.add_status_db()
MOD_WSIG 000-default.conf is as follows:
<VirtualHost *:80>
ServerName 127.0.0.1
ServerAlias localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /robots.txt /path/to/mysite.com/static/robots.txt
Alias /favicon.ico /path/to/mysite.com/static/favicon.ico
Alias /static /home/pi/poolprojectdir/static
<Directory /home/pi/poolprojectdir/static>
Require all granted
</Directory>
<Directory /home/pi/poolprojectdir/poolproject>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess poolproject python- home=/home/pi/poolprojectdir/venv python-path=/home/pi/poolprojectdir
WSGIProcessGroup poolproject
WSGIScriptAlias / /home/pi/poolprojectdir/poolproject/wsgi.py
Any ideas as to how I get apps.py recognised by Apache2?
The problem is with apache loading your wsgi.py lazily - only after the first request arrives.
See this answer on how to fix this.
I have installed PyAMF, Django, Apache2, and mod_wsgi on a Mac OS X 10.6 machine. While developing the project I used Django development servier. I would like to continue to use http://localhost:8000/gateway or http://127.0.0.1:8000/gateway for the PyAMF gateway. I have my Flex project deployed on http://localhost and phpMyAdmin at http://localhost/phpmyadmin.They seem to work fine but I am not able to connect to the PyAMF gateway.
Here is my Apache setting:
<VirtualHost *:8000>
# Set this to 'warn' when you're done with debugging
LogLevel debug
CustomLog /var/log/apache2/pyamf-access.log combined
ErrorLog /var/log/apache2/pyamf-error.log
# PyAMF remoting gateway
WSGIScriptAlias /gateway /Library/WebServer/Documents/MyApp/django.wsgi
<Directory /Library/WebServer/Documents/MyApp>
WSGIApplicationGroup %{GLOBAL}
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Here is the content of the django.wsgi script
import os
import sys
path = '/Library/WebServer/Documents'
if path not in sys.path:
sys.path.append(path)
sys.path.append('/Library/WebServer/Documents/MyApp')
os.environ['PYTHON_EGG_CACHE'] = '/tmp'
os.environ['DJANGO_SETTINGS_MODULE'] = 'MyApp.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
import posixpath
def application(environ, start_response):
# Wrapper to set SCRIPT_NAME to actual mount point.
environ['SCRIPT_NAME'] = posixpath.dirname(environ['SCRIPT_NAME'])
if environ['SCRIPT_NAME'] == '/':
environ['SCRIPT_NAME'] = ''
return _application(environ, start_response)
I would appreciate any help.
Thanks
When you added separate VirtualHost on port 8000, did you also add to Apache configuration in appropriate place:
NameVirtualHost *:8000
Usually there would only be such a line for port 80.
I am trying to specify the access to a certain django view only to a client calling from a VPN IP (10.8.0.3 )
My django server is supported by apache using the following .conf
<VirtualHost *>
ServerAdmin webmaster#demo.cl
DocumentRoot /home/project/virtualenvs/env1
ServerName client1.project.cl
ServerAlias www.client1.project.cl
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
<Location "/">
SetHandler python-program
PythonHandler virtualhandler
SetEnv DJANGO_SETTINGS_MODULE project.settings
PythonOption django.root
SetEnv SITE_CLIENT_ID client1
PythonDebug On
PythonPath "['/home/project/virtualenvs/env1/django-site','/home/project/virtualenvs/env1/bin'] + sys.path"
</Location>
Alias /media "/home/project/virtualenvs/env1/lib/python2.6/site-packages/django/contrib/admin/media/"
<Location /media>
SetHandler None
</Location>
<Location /nodesaccess >
order Deny,Allow
Deny from all
Allow from 10.8.0.3
SetHandler python-program
PythonHandler virtualhandler
SetEnv DJANGO_SETTINGS_MODULE project.settings
PythonOption django.root
SetEnv SITE_CLIENT_ID client1
PythonDebug On
PythonPath "['/home/project/virtualenvs/env1/django- site','/home/project/virtualenvs/env1/bin'] + sys.path"
</Location>
</VirtualHost>
This previous configuration allows to create many django applications depending of the url, I recover the env variable and then apache load a certain setting.py which is exclusive and depends of the subdomain. Very interesting
Everything works fine (my applications) except that the access can not be denied using the "Allow from 10.8.0.3"
Any ideas?
Thank you
You can implement a simple middleware which will block any requests outside allowed IP addresses:
from django.conf import settings
from django.core.urlresolvers import reverse, NoReverseMatch
from django.http import Http404
class InternalUseOnlyMiddleware(object):
def process_request(self, request):
try:
admin_index = reverse('admin:index')
except NoReverseMatch:
return
if not request.path.startswith(admin_index):
return
remote_addr = request.META.get(
'HTTP_X_REAL_IP', request.META.get('REMOTE_ADDR', None))
if not remote_addr in settings.INTERNAL_IPS and not settings.DEBUG:
raise Http404
Original source: https://djangosnippets.org/snippets/2095/
You can use REMOTE_ADDR from HttpRequest.META (http://docs.djangoproject.com/en/dev/ref/request-response/) to check the requester IP in your view. And if it is different form the one you want just return 404 or 403 page.
I want that Apache and Pinax only deliver Attachments to authenticated users.
I found this post, but i can't make it work.
My Apache-conf-file:
WSGIPythonPath /usr/local/bin/python
<VirtualHost *:80>
ServerName www.domain.com
ServerAlias domain.com
WSGIDaemonProcess k-production python-path=/path/to/app/pinax-env/lib/python2.6/site-packages
WSGIProcessGroup k-production
Alias /site_media /path/to/app/cp/site_media
<Directory /path/to/app/cp/site_media>
Order deny,allow
Allow from all
</Directory>
WSGIScriptAlias /site_media/media/attachments /path/to/app/cp/deploy/pinax.wsgi
<Directory /path/to/app/cp/site_media/media/attachments>
Deny from all
</Directory>
XSendFile On
XSendFileAllowAbove On
WSGIScriptAlias / /path/to/app/cp/deploy/pinax.wsgi
<Directory /path/to/app/cp/deploy>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
and my (still rough) view, that should get called:
#login_required
def sendfile(request, slug):
app, content_object_id, img = slug.split('/')
project_file = get_object_or_404(Attachment, attachment_file = 'attachments/'+slug)
response = HttpResponse()
response['X-Sendfile'] = os.path.join(settings.MEDIA_ROOT, 'attachments/'+slug)
content_type = 'application/octet-stream'
response['Content-Type'] = content_type
response['Content-Disposition'] = 'attachment; filename="%s"' % os.path.basename(os.path.join(settings.MEDIA_ROOT, 'attachments/'+slug))
return response
Apache throws a 403 no matter if the user is logged in.
Via the develoment-server i can access the view, but no data will get transmitted.
What is wrong?
I was trying to do pretty much exactly the same thing, and the solution turned out to be not using WSGIScriptAlias, and instead using a regular Alias to a directory that defined a wsgi handler. For the view I basically just wrote a wrapper around django.views.static.serve.
My apache conf ended up looking like this:
# myproject
<VirtualHost *:8080>
#DocumentRoot /var/www/myproject/public
ServerName myproject
ErrorLog /var/www/myproject/logs/apache_error_log
CustomLog /var/www/myproject/logs/apache_access_log common
AliasMatch ^/(media/uploads/protected/.*) /var/www/myproject/src/myproject-trunk/server/django.wsgi/$1
Alias /media/ /var/www/myproject/public/media/
Alias / /var/www/myproject/src/myproject-trunk/server/django.wsgi/
<Directory /var/www/myproject/src/myproject-trunk/server>
Options ExecCGI
AddHandler wsgi-script .wsgi
# WSGIApplicationGroup %{GLOBAL}
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/myproject/public/media>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
Try to concentrate on the development server first - since it is a simpler setup and thus less error prone.
Perhaps try this:
#login_required def sendfile(request, slug):
## these are never used
# app, content_object_id, img = slug.split('/')
# project_file = get_object_or_404(Attachment, attachment_file = 'attachments/'+slug)
response = HttpResponse()
response['X-Sendfile'] = os.path.join(settings.MEDIA_ROOT, 'attachments/'+slug)
import pdb; pdb.set_trace()
# your development server will stop here
# you can now inspect the your context, e.g.
# >> p response['X-Sendfile']
# this should print the value of response['X-Sendfile']
# >> c
# this will continue program execution
# for more commands see http://www.python.org/doc/2.4/lib/debugger-commands.html
content_type = 'application/octet-stream'
response['Content-Type'] = content_type
# Content-Disposition filename is only for suggesting a name for the file
# when the user tries to download it, e.g.:
# response['Content-Disposition'] = 'attachment; filename='localfile.txt'
response['Content-Disposition'] = 'attachment; filename="%s"' % os.path.basename(os.path.join(settings.MEDIA_ROOT, 'attachments/'+slug))
return response
But by using the dev server you won't get any files served, since Apache will do the file serving.
You can just ensure, the data sent to apache is correct.
Or use (not recommended for your production server)
f = open(os.path.join(settings.MEDIA_ROOT, 'attachments/'+slug), 'rb')
response = HttpResponse(f.read())
instead of
response = HttpResponse()
response['X-Sendfile'] = os.path.join(settings.MEDIA_ROOT, 'attachments/'+slug)
Some Links:
Similar topic at stackoverflow
Below are the relevant configuration files, also at http://dpaste.com/97213/ .
The apache config is currently working, because accessing 'example.com/' shows me the index.html file I have placed at the document root.
I'd like to serve Django/apps at the prefix '/d', so 'example.com/d/' would load the default app, 'example.com/d/app3' would load another, as configured in urls.py.
Serving Django, I'm using the suggested mod_wsgi, on Linux.
Currently, I can access the Ticket app at 'example.com/d', but when the #login_required decorator tries to send me to the login page, I get sent to 'example.com/accounts/login', rather than the expected 'example.com/d/accounts/login'.
Since the default app loads correctly, I'm not sure what I'm doing wrong here, or if this is a bug in Django when generating the urls.
Any suggestions?
EDIT:
As a note, if I change the apache config line:
WSGIScriptAlias /d /home/blah/django_projects/Tickets/apache/django.wsgi
to
WSGIScriptAlias / /home/blah/django_projects/Tickets/apache/django.wsgi
The application, commenting, and logging in all work fine. Even going to 'example.com/admin' loads the admin, although I've left the admin media broken, so no stylesheets are loaded.
--- Configs Follow:
#
# /home/blah/django_projects/Ticket/urls.py
#
from django.conf.urls.defaults import *
from django.contrib import admin
admin.autodiscover()
urlpatterns = patterns('',
(r'^', include('ticket.urls')),
(r'^admin/', include(admin.site.urls)),
(r'^comments/', include('django.contrib.comments.urls')),
)
#
# /home/blah/django_projects/Ticket/apache/django.wsgi
#
import os, sys
sys.path.append(os.path.dirname(os.path.abspath(__file__)) + '/..')
sys.path.append('/home/blah/django_projects')
sys.path.append('/home/blah/django_projects/Tickets')
os.environ['DJANGO_SETTINGS_MODULE'] = 'Tickets.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
#
# /etc/apache2/sites-available/django_tickets_wsgi (apache conf)
#
NameVirtualHost *
<VirtualHost *>
Alias /media /home/blah/django_projects/Tickets/media
WSGIScriptAlias /d /home/blah/django_projects/Tickets/apache/django.wsgi
WSGIDaemonProcess exmaple_com user=blah group=blah processes=1 threads=10
WSGIProcessGroup example_com
ServerAdmin localhost#example.com
ServerName example.com
DocumentRoot /var/www/
<Directory /var/www/>
Options -Indexes FollowSymLinks -MultiViews -Includes
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature Off
</VirtualHost>
This is a possible duplicate of Django Apache Redirect Problem, as that answer solved this problem.
I only eventually stumbled on that answer by opening almost all of the 'related questions' here, just out of desperation. From my perspective, I think my question has some valuable "search friendly" words.
EDIT: The answer: (via alex vasi)
Things to try:
Change current domain to "yourdomain.tld/cflow" in the "sites" framework. It's easy to do using django admin or dumpdata/loaddata manage.py commands.
Looks like your site is using login_required decorator. In that particular case you can add to settings.py:
LOGIN_URL = '/[prefix]/accounts/login/'
In your urls.py rename urlpatterns to base_urlpatterns; then add the followinig definition at the end of the same file:
urlpatterns = patterns('',
'^', include(base_urlpatterns), # iff you wish to maintain the un-prefixed URL's too
'^your_prefix/', include(base_urlpatterns),
)