403 error on Apache Server with Django application - django

I've been searching throughout this site for a solution but haven't been able to find one. I have a CentOS 6.4 server with Apache 2.2.15, Django 1.6 and mod_wsgi 3.2. I am using Apache to display static files and mod_wsgi to display Django content.
I placed the Django project files in the /srv directory due to this page.
When I run the Django development server, the test page that I wrote up displays properly. However, when I start my Apache server and visit 127.0.0.1, I get a 403 Forbidden error.
django.wsgi (in /srv/mysite)
import os
import sys
envpath = '/usr/lib/python2.6/site-packages'
pwd = os.path.dirname(os.path.abspath(__file__))
os.chdir(pwd)
sys.path = [env] + sys.path
os.environ['PYTHON_EGG_CACHE'] = '/srv/mysite/.python-egg'
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
site.addsitedir(envpath)
from django.core.handlers.wsgi import WSGIHandler
application = WSGIHandlers()
httpd.conf
WSGIScriptAlias / /srv/mysite/django.wsgi
WSGIPythonPath /srv/mysite
<more aliases and tags in order to get the right static files to show>
In the httpd.conf file, the user and group that is listed is the default apache. I ran a ls -l on the /srv directory and its owner and group were listed as root. So, I ran sudo chown -R apache:apache /srv/mysite which changed the directory and all subdirectories to use apache as owner and group.
However, no matter how much I Google or try, I can't get over this 403 error.
EDIT:
I've discovered that when I disable SELinux, and the WSGIPythonPath variable in the httpd.conf file is django.wsgi, it results in a 500 Internal Server error. However, when I change it to wsgi.py, my website displays properly. I am curious as to why that is.
In any case, since this will be a production machine, I prefer to keep SELinux on and figure out how to get the appropriate permissions figured out.
EDIT 2:
I've edited my django.wsgi file (changed above) ala this link
EDIT 3:
I tried moving my project files into my /home/ folder. I've been alternating between trying django.wsgi and wsgi.py but still can't get past the 403 Forbidden error. I thought it was originally a permissions issue with the /srv directory but it appears that's not the case... I am trying to figure this out but nothing is working.
EDIT 4:
I decided to just stick with the development server for now... but I still need to get this working and I am at the end of my rope. Is there anyone out there that can help me?

SELinux has its own system of granting access. Your process always has to be granted access to files on the filesystem depending on the SELinux context. There are some default policies and contexts defined in SELinux that are useful for the default cases of your installation. Web files are expected to be in '/var/www'. You can usually check the current context of files or processes using the '-Z' switch, see
[root#localhost]# ls -Z /var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
Check the context of /srv/mysite
[root#localhost]# ls -Z /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0 mysite
The Apache HTTPD server is allowed to access files with SELinux type httpd_sys_content_t but it is NOT allowed to access files with SELinux type var_t.
1. Change the SELinux type for your directory and check the context
[root#localhost]# chcon -R -t httpd_sys_content_t /srv/mysite
[root#localhost]# ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite
Check if your website is working right now.
This is not finished yet: if you relabel the filesystem to the defaults, or if you use a daemon that checks or relabels it, you risk losing your new labeling.
2. Make the default labeling for your directory
Create the default labeling with 'semanage' and apply it to your directory with 'restorecon'
[root#localhost]# semanage fcontext -a -t httpd_sys_content_t "/srv/mysite(/.*)?"
[root#localhost]# restorecon -v -R /srv/mysite
[root#localhost]# ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite
Right now your SELinux labeling is fixed.
Note: It is possible to use regular expressions to define the default context.
Debian: I'm not a Debian user, so the SELinux type can be a bit different, but the principle is just the same: check the SELinux type of your apache directory and set it on the directory you want to be accessible from apache.
Read more at RedHat:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
Fedora SELinux documentation:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
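The `ls -Z` check from the answer above, turned into a small audit script. This is an added example, not part of the original answer; the function names and the sample listing are constructed, and the only allowed type is the httpd_sys_content_t named in the answer.

```shell
#!/bin/sh
# Added example: flag entries in `ls -Z` output that Apache cannot read as
# web content under SELinux.

# Types the web server may read. Only the type from the answer is listed;
# extend this space-separated list to match your own policy.
ALLOWED_TYPES="httpd_sys_content_t"

# selinux_mislabeled: read `ls -Z` lines on stdin and print "name type" for
# every entry whose SELinux type is not in ALLOWED_TYPES.
# Handles both "mode user group context name" (as shown in the answer) and
# "context name" layouts by locating the user:role:type[:level] field.
# Limitation: file names containing spaces are reported by their last word.
selinux_mislabeled() {
    awk -v allowed="$ALLOWED_TYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (i = 1; i < NF; i++) {
                # A context has at least user:role:type; roles end in _r by convention.
                if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) {
                    if (!(c[3] in ok)) print $NF, c[3]
                    next
                }
            }
            # No context field on this line (for example "?" where labels are absent).
            print $NF, "unlabeled"
        }'
}

# Constructed sample input, modelled on the listings in the answer.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
drwxr-xr-x. root root system_u:object_r:var_t:s0 mysite
unconfined_u:object_r:user_home_t:s0 project
EOF
}

sample_listing | selinux_mislabeled
```

On a real host, pipe `ls -Z /srv` (or `ls -ZR` output filtered to entry lines) into `selinux_mislabeled` instead of the sample listing.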

Related

How to run django app on windows server ec2 instance with mysql database and custom domain

I have copied my files to the server, set up the domain in Route 53 and installed the XAMPP server.
When I try starting the server with the command python manage.py runserver 0.0.0.0:80
it gives me the following error:
Error: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions
But when I visit the domain it is automatically redirected to
domain.com/dashboard/
where all the XAMPP and Apache stuff is.
I tried to run it without specifying the IP and port, and then it redirects to domain/dashboard.
I want this to use the XAMPP server for MySQL and run on the domain.
It seems you're using the in-built Django webserver, which is meant for development purposes and is not the best for production. Follow the steps below: Deploy Django Applications on windows server using XAMPP
Prerequisite: make sure that your project already has a virtual environment, and that you copied your project folder into C:\xampp\htdocs.
You might also need the Windows 10 SDK installed.
Step 1:
First we should set the mod_wsgi Apache rootdir to our XAMPP Apache directory, so in your cmd type:
set "MOD_WSGI_APACHE_ROOTDIR=c:\xampp\apache"
Step 2:
activate your project environment
Step 3:
In your virtual environment type:
pip install mod_wsgi
Step 4:
then type this:
mod_wsgi-express module-config
the output result should be something like this:
LoadFile "c:/python37-32/python37.dll"
LoadModule wsgi_module "c:/python37-32/lib/site-packages/mod_wsgi/server/mod_wsgi.cp37-win32.pyd"
WSGIPythonHome "c:/python37-32"
Step 5:
open the httpd.conf file and copy the LoadFile and LoadModule lines from the previous step into it
Step 6:
copy these lines into httpd.conf too:
# path to wsgi.py file
# the first "/" indicates the root url
WSGIScriptAlias / "C:/xampp/htdocs/your_project_folder/your_project/wsgi.py"
# the one that you get from step 4
WSGIPythonHome "c:/python37-32"
# website path
WSGIPythonPath "C:/xampp/htdocs/your_project_folder"
# directory of website
<Directory "C:/xampp/htdocs/your_project_folder/your_project">
Require all granted
</Directory>
Step 7:
Restart your xampp and enjoy
You may also find more details on this post

502 Bad Gateway, I messed up users and groups permissions on digitalocean ubuntu for django deployment

I have created a droplet, an Ubuntu 18.04 server, on DigitalOcean successfully.
Followed DigitalOcean's install guide and set up gunicorn, nginx, Django etc., and ran the website successfully in the browser using my IP address, i.e. firewalls, gunicorn, nginx and everything were configured correctly.
During the testing while uploading the images to the media folder I got an error "permissions denied" (POST error).
Found somewhere the below code on google and thought it solves the permissions related problem: https://www.semicolonworld.com/question/55551/django-errno-13-permission-denied-39-var-www-media-animals-user-uploads-39
sudo groupadd varwwwusers
sudo adduser www-data varwwwusers
sudo chgrp -R varwwwusers /var/www/
sudo chmod -R 760 /var/www/
But the above code messed up everything and ran into "502 Bad Gateway".
I am not very familiar with Linux deployments. Can someone help me investigate and resolve this issue? I think I have messed up the users and groups permissions.
How can I get this resolved, OR how can I revert what I did, OR are there any activity logs I can see and investigate?
I have checked the error.log and am able to see
' connect() to unix:/run/gunicorn.sock failed (111: Connection refused) while connecting to upstream'
Thanks for the help in advance.
I guess that the problem is that by running sudo chmod -R 760 /var/www/ you have forbidden non-owners of the folder to read, write and execute files from that directory. Then, since uwsgi processes do not belong to the www-data group (usually), the uwsgi connection was refused.
The easiest way to solve this problem is to run sudo chmod -R 766 /var/www/ - this will grant writing and reading privileges to anyone (chmod -R 764 should also work and is safer - it allows only reading files for non-owners). Alternatively, you may find out the name of the user running uwsgi and grant him permissions for reading files from the directory. See the chmod manual (or google it) for reference.
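What the `chmod -R 760` from the question does to directories, shown on a throwaway tree. This is an added example, not part of the original thread; the function names, the temporary tree and the 770/660 target modes are assumptions chosen to keep the group read/write that 760 was aiming for.

```shell
#!/bin/sh
# Added example: a single recursive octal mode also lands on directories,
# where a missing execute bit means "cannot enter or look up names".

# dirs_without_group_search DIR: list directories under DIR whose group
# lacks the execute (search) bit, as happens with mode 760.
dirs_without_group_search() {
    find "$1" -type d ! -perm -010 | sort
}

# split_modes DIR DIRMODE FILEMODE: apply separate modes to directories and
# to regular files instead of one mode for everything.
split_modes() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# Constructed demo tree in a temporary directory (not /var/www).
# Prints "<affected dirs before> <affected dirs after>".
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/media/uploads"
    : > "$root/media/uploads/cat.jpg"
    chmod -R 760 "$root"                 # the command from the question
    before=$(dirs_without_group_search "$root" | wc -l)
    split_modes "$root" 770 660          # assumed target modes
    after=$(dirs_without_group_search "$root" | wc -l)
    rm -rf "$root"
    echo "$((before)) $((after))"
}

demo
```

Running `dirs_without_group_search /var/www` on the affected server lists the directories that group members can no longer traverse.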

Rooting log files with daemon mode

I'm using mod_wsgi (v.4.5.20), installed with pip, in daemon mode, using a "main" apache instance as front (reverse proxy). I'm serving a django application, the "main" server hosts some other applications.
I'd like to record the log files to a "known" directory. For now, the log files are recorded into the directory generated by the daemon-mode, aka. --server-root directory. The process is launched through a systemd service.
On the "main" apache settings, I've set the ErrorLog and CustomLog directives to my "wanted" log directory, but no files are recorded.
The "main" apache settings: (Note the X-Forwarded-For switch for company reverse proxy)
https://gist.github.com/frague59/0c9717bd5668140de392019874373f0a
Thanks for your help !
When you use mod_wsgi-express behind a front end Apache serving as proxy, the mod_wsgi-express configuration is completely independent of the front end. If you want to change where logs go for mod_wsgi-express, use the --log-directory option. Presuming mod_wsgi-express is started as a non-root user, it will not be able to write to a root owned directory. If it needed to, you would need to start it as root and define the --user and --group options to be the user and group you want the WSGI application to run as. Because it starts as root initially, it can then write logs to a root owned directory. Run mod_wsgi-express with the --help option to see all the command line options.

OSError: [Errno 13] Permission denied: '/dev/ttyACM0' - using pyserial from Python to Arduino

Environment
Linux Mint 17.1
Python 2.7
pyserial 2.7
Arduino UNO rv3
Desired Behaviour
I'm trying to send three values from a Python application to Arduino.
It works when doing the following from terminal:
$ python
>>> import serial
>>> import struct
>>> ser = serial.Serial('/dev/ttyACM0', 9600)
>>> ser.write(struct.pack('>3B', 255, 0, 0))
Current Behaviour
It doesn't work when using the same code in a Python file ie:
import serial
import struct
ser = serial.Serial('/dev/ttyACM0', 9600)
ser.write(struct.pack('>3B', red_value, green_value, blue_value))
Error Message
$ sudo tail -100 /var/log/apache2/error.log
OSError: [Errno 13] Permission denied: '/dev/ttyACM0'
Troubleshooting
Permissions
Application file:
$ ls -l
-rwxr-xr-x 1 myname mygroupname 114146 Jan 9 19:16 my_application.py
ttyACM0:
ls -l /dev/ttyACM0
crw-rw---- 1 root dialout 166, 0 Jan 9 20:12 /dev/ttyACM0
Groups
Groups the owner is a member of:
$ groups
mygroupname adm dialout cdrom sudo dip plugdev lpadmin sambashare
Due to various suggestions on the internet I also added the owner to the tty group via System Settings > Users and Groups. This had no effect.
Serial Ports Available
$ dmesg | grep tty
[ 0.000000] console [tty0] enabled
[ 3390.614686] cdc_acm 3-2:1.0: ttyACM0: USB ACM device
Update
I can force it to work under the following conditions:
01. Permissions for world must be set to rw ie:
sudo chmod 666 /dev/ttyACM0
02. Arduino IDE serial monitor needs to be open.
However these conditions are not sustainable as:
Permissions are reset each time the USB is connected.
The Arduino IDE serial monitor shouldn't need to be open.
The following fleshes out some of the ideas in the first answer (I tried to add this content to that answer and accept it, but the edits were rejected). I'm not an expert in the area, so please just use this information to support your own research.
You can do one of the following:
01. Alter the permissions on /dev/ttyACM0 so that world has read and write privileges (something you may not want to do) - although you may find they reset each time the device is plugged in, e.g.:
sudo chmod 666 /dev/ttyACM0
02. Create a rule in /etc/udev/rules.d that will set the permissions of the device (a restart will be required):
# navigate to rules.d directory
cd /etc/udev/rules.d
#create a new rule file
sudo touch my-newrule.rules
# open the file
sudo vim my-newrule.rules
# add the following
KERNEL=="ttyACM0", MODE="0666"
This also sets permissions for world to read and write, which you may not want to do.
For more information about this approach, see these answers:
https://unix.stackexchange.com/a/48596/92486
https://stackoverflow.com/a/11848003/1063287
03. The third option, which is the option I implemented, adds the Apache user to the dialout group so that if the script is being run by Apache, then it can access the device.
a) Find the location of your Apache config file, then search for the User setting within that file:
# open file in editor
sudo vim /etc/apache2/apache2.conf
# search for User setting
/User
You may find something like:
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
b) Quit vim and search for APACHE_RUN_USER in /etc/apache2/envvars (if the above scenario applies):
# open file in editor
sudo vim /etc/apache2/envvars
# search for APACHE_RUN_USER
/APACHE_RUN_USER
You may find something like:
export APACHE_RUN_USER=www-data
c) Add the User www-data to the dialout group:
sudo usermod -a -G dialout www-data
d) Restart.
As the Apache user has been added to the dialout group, the script should now be able to access the device.
Further Reading
How to find the location of the Apache config file:
https://stackoverflow.com/a/12202042/1063287
The permissions on the file make no difference to the user that the program runs as.
When you are logged in interactively you do have permission to use the /dev/ttyACM0.
When your script is running (presumably as the apache user) it does not have permission.
You need to alter the permissions on the /dev/ttyACM0.
See the 2nd answer here, "How can I programmatically set permissions on my char device", for an example of altering udev permissions so the file has the correct permissions.
Based on the accepted answer, I was able to just add the following to my setup.sh script
printf "KERNEL==\"ttyACM0\", MODE=\"0666\"" | sudo tee /etc/udev/rules.d/si-ct.rules

Apache2: Disable directory listing globally

I've a Debian WebServer running Apache2.
How can I disable directory listing, globally, for all websites?
Note: This should also overwrite possible settings of virtual hosts.
Issue the following in your server terminal:
sudo a2dismod autoindex
service apache2 reload
After this all websites will have directory listing disabled.