Django Based framework virtual host setup https on Apache - django

I am using a Django-based framework and have successfully figured out the Apache settings for http mode. Basically I have done the setting correctly on <VirtualHost *:80> ... </VirtualHost>, and when I go to http://mysite.domain.com I get routed correctly to my site, and the site pages and the skins get rendered correctly.
I have set up https://mysite.domain.com to work with shibboleth. Shibboleth is working, and when I use https I get routed to the login credential page via the shibboleth server. After a successful login I get redirected to https://mysite.domain.com, but the site doesn't get rendered correctly and the skins don't show up the same as on http://mysite.domain.com.
Here are my Apache settings; I am trying to understand what I am doing wrong here:
<VirtualHost *:443>
ServerAdmin myname@mydomain.com
DocumentRoot /code/vEnviornment/mysite
ServerName mydomain.com
#<LocationMatch "^(?!/admin)">
#<LocationMatch "^(?!/m)">
# RewriteEngine on
# RewriteRule django.wsgi(.*)$ https://mydomain.com:443$1 [L,R=301]
#</LocationMatch>
SSLEngine on
#your SSL keys
#I have removed this wasn't comfortable putting SSL key info
#Alias /admin/media/ /usr/local/lib/python2.6/site-packages/django/contrib/admin/media/
Alias /admin/media/ /usr/local/lib/python2.7/dist-packages/django/contrib/admin/media/
WSGIScriptAlias /m/ /code/vEnviornment/mysite/django.wsgi
<Directory "/">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Directory>
Alias /Shibboleth.sso /tmp
# CustomLog /var/log/httpd/mysite/access_log common
# ErrorLog /var/log/httpd/mysite/error_log
CustomLog /var/log/apache2/mysite/access_log common
ErrorLog /var/log/apache2/mysite/error_log
</VirtualHost>
And here is how I have set up http:
<VirtualHost *:80>
ServerAdmin myname@mydomain.com
DocumentRoot /code/vEnviornment/mysite
ServerName mysite.mydomain.com
#aliases to serve static media directly
#will probably need adjustment
Alias /m/ /code/vEnviornment/mysite/static/
Alias /upfiles/ /code/vEnviornment/mysite/myframework/upfiles/
<DirectoryMatch "/code/vEnviornment/mysite/myframework/skins/([^/]+)/media">
Order deny,allow
Allow from all
</DirectoryMatch>
<Directory "/code/vEnviornment/mysite/myframework/upfiles">
Order deny,allow
Allow from all
</Directory>
#must be a distinct name within your apache configuration
WSGIDaemonProcess mysite2
WSGIProcessGroup mysite2
WSGIScriptAlias / /code/vEnviornment/mysite/django.wsgi
#make all admin stuff except media go through secure connection
<LocationMatch "/admin(?!/media)">
RewriteEngine on
RewriteRule /admin(.*)$ https://128.101.35.71/admin$1 [L,R=301]
</LocationMatch>
# CustomLog /var/log/httpd/mysite/access_log common
# ErrorLog /var/log/httpd/mysite/error_log
CustomLog /var/log/apache2/mysite/access_log common
ErrorLog /var/log/apache2/mysite/error_log
LogLevel debug
</VirtualHost>
What am I doing wrong here to render the site incorrectly via https?

Alias /m/ /code/vEnviornment/mysite/static/
Alias /upfiles/ /code/vEnviornment/mysite/myframework/upfiles/
These two lines are missing in the https virtual host
and
your WSGIScriptAlias should point to / not /m/
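The diagnosis in this answer can be checked mechanically. The following is an added example, not code from the original posts: it parses a trimmed copy of the question's two virtual hosts and reports URL paths that the port 80 host maps but the port 443 host lacks or maps to something else. The names `url_mappings` and `drift` are hypothetical.

```python
import re

# Trimmed copy of the two virtual hosts from the question (sample input).
CONFIG = """
<VirtualHost *:443>
Alias /admin/media/ /usr/local/lib/python2.7/dist-packages/django/contrib/admin/media/
WSGIScriptAlias /m/ /code/vEnviornment/mysite/django.wsgi
Alias /Shibboleth.sso /tmp
</VirtualHost>
<VirtualHost *:80>
Alias /m/ /code/vEnviornment/mysite/static/
Alias /upfiles/ /code/vEnviornment/mysite/myframework/upfiles/
WSGIScriptAlias / /code/vEnviornment/mysite/django.wsgi
</VirtualHost>
"""

MAPPING = re.compile(r"^\s*(Alias|WSGIScriptAlias)\s+(\S+)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def url_mappings(config_text):
    """Return {vhost address: {url_path: (directive, target)}}; comments skipped."""
    vhosts, current = {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = vhosts.setdefault(m.group(1).strip(), {})
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None:
            m = MAPPING.match(line)
            if m:
                current[m.group(2)] = (m.group(1), m.group(3))
    return vhosts

def drift(reference, other):
    """Paths missing from `other`, and paths both define but map differently."""
    missing = sorted(p for p in reference if p not in other)
    changed = sorted(p for p in reference if p in other and reference[p] != other[p])
    return missing, changed

if __name__ == "__main__":
    hosts = url_mappings(CONFIG)
    print(drift(hosts["*:80"], hosts["*:443"]))
```

On the sample input, `/` and `/upfiles/` are reported as missing from the HTTPS host and `/m/` as mapped differently (to the WSGI script instead of the static directory), which is why the skins fail to load over https.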

Related

Posting http request after enabling TLS/SSL

I have a website using Angular for the frontend, Django for the backend and they are being served using Apache.
It was working properly until I enabled TLS/SSL using letsencrypt.
Since then I was still able to access the website using https, but all my http requests to the backend give errors.
The error message is:
Http failure response for http://backend.IP:8080/api/load_data/: 0 Unknown Error
If I call the API function from the browser like this:
http://backend.IP:8080/api/load_data/
It works well and returns the expected data from the backend, but when posting http request from the code it gives the previous error.
Here is the Apache configuration for frontend.conf:
<VirtualHost *:80>
DocumentRoot "/home/ubuntu/myproject/static/"
# Other directives here
DirectoryIndex index.php index.htm index.html
<Directory "/home/ubuntu/myproject/static">
AllowOverride All
Require all granted
</Directory>
# Logs
ErrorLog /var/log/apache2/frontend_error.log
CustomLog /var/log/apache2/frontend_access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =test.myproject.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Here is the frontend-le-ssl.conf:
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
DocumentRoot "/home/ubuntu/myproject/static/"
# Other directives here
DirectoryIndex index.php index.htm index.html
<Directory "/home/ubuntu/myproject/static">
AllowOverride All
Require all granted
</Directory>
# Logs
ErrorLog /var/log/apache2/frontend_error.log
CustomLog /var/log/apache2/frontend_access.log combined
ServerName test.myproject.org
SSLCertificateFile /etc/letsencrypt/live/test.myproject.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/test.myproject.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000"
SSLUseStapling on
Header always set Content-Security-Policy upgrade-insecure-requests
</VirtualHost>
</IfModule>
Here is the 000-default.conf:
<VirtualHost *:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/ubuntu/myproject/static
<Directory /home/ubuntu/myproject/static>
Require all granted
</Directory>
<Directory /home/ubuntu/myproject/myproject >
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess myproject python-home=/home/ubuntu/myproject/venv python-path=/home/ubuntu/myproject
WSGIProcessGroup myproject
WSGIScriptAlias / /home/ubuntu/myproject/myproject/wsgi.py
</VirtualHost>
Angular environment.prod.ts:
export const environment = {
appVersion: require('../../package.json').version,
production: true,
apiURL: 'http://backend.IP:8080/api/',
mediaURL: 'http://backend.IP:8080',
};
Angular proxy.conf.json:
{
"/api": {
"target": "http://backend.IP:80",
"secure": false
},
"/media": {
"target": "http://backend.IP:80",
"secure": false
}
}
Backend settings.py:
SESSION_COOKIE_SECURE=True
SESSION_COOKIE_HTTPONLY=True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
ALLOWED_HOSTS = ['backend.IP',
'http://backend.IP',
'http://backend.IP:8080',
'https://backend.IP',
'https://backend.IP:8080',
'127.0.0.1',
'http://www.mproject.org/',
'https://www.mproject.org/',
'mproject.org/']
CORS_ORIGIN_WHITELIST = (
'https://localhost:4200',
'https://localhost:8000',
'https://localhost:8080',
'https://backend.IP:8080',
'http://backend.IP:8080',
'https://backend.IP:80',
'http://backend.IP:80',
)
CORS_ALLOW_CREDENTIALS = True
In the wsgi.py:
os.environ['HTTPS'] = "on"
I am completely new to this stuff, and I followed several tutorials to reach this point, but I am still missing something to allow the http requests after setting TLS/SSL up.

Ubuntu Apache taking long time to respond and getting This site can’t be reached

Hi guys, I am trying to route my domain to server 139.5X.X.XXX.
Following are my DNS record details in Hostinger:
Type Name Priority Content IP-V4 TTL
A www 0 139.5X.X.XXX 600
A @ 0 139.5X.X.XXX 14400
Now I am seeing the default Apache page while browsing the domain (server serving the default Apache page, Digital Ocean Ubuntu Droplet).
But after configuring a Django service for the domain, it is taking too long to respond and ending up with "This Site can't be Reached".
Following is the conf file which I am using:
<VirtualHost *:80>
ServerName tellie.in
ServerAlias www.tellie.in
Redirect permanent / https://tellie.in/
RewriteEngine on
RewriteCond %{SERVER_NAME} =tellie.in [OR]
RewriteCond %{SERVER_NAME} =www.tellie.in
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin@tellie.in
ServerName tellie.in
ServerAlias www.tellie.in
DocumentRoot /home/srv/telli
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/srv/telli/telli/static
<Directory /home/srv/telli/telli/static>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Alias /media /home/srv/telli/telli/media
<Directory /home/srv/telli/telli/media>
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /home/srv/telli/telli/telli>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIDaemonProcess telli python-path=/home/srv/telli/telli python-home=/home/srv/telli/venv
WSGIProcessGroup telli
WSGIScriptAlias / /home/srv/telli/telli/telli/wsgi.py
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/tellie.in/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tellie.in/privkey.pem
</VirtualHost>
Is there anything wrong that could cause the problem I am facing?
Make sure that Apache has rx access to the directories under /home/srv/. It is better to move the code out of HOME and into a general mount point such as /var or /data.

Configure apache to respond with error page for incorrect hosts

django docs:
You should also configure the Web server that sits in front of Django to validate the host. It should respond with a static error page or ignore requests for incorrect hosts instead of forwarding the request to Django. This way you’ll avoid spurious errors in your Django logs (or emails if you have error reporting configured that way). For example, on nginx you might setup a default server to return “444 No Response” on an unrecognized host:
I am using Apache and this works:
http://serverip -> 404 error
http://www.example.com -> https://www.example.com -> django site
http://example.com -> https://example.com -> django site
Now I have a problem with https://serverip
I get a not secure message by my browser because I only have a SSL Cert for example.com, www.example.com and after I accept the security warning I see the django site but I want 404 error page.
How can I achieve this or do I misunderstand the django docs?
Update Config:
assume the django site is /var/www/html/index.html for simplification
000-default.conf:
<VirtualHost *:80>
Redirect 404 /
</VirtualHost>
example.com.conf:
<VirtualHost *:80>
ServerAdmin example@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.com [OR]
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
example.com-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin example@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

going to www version of site url receives 404 on django site

I can get to the route of my site without issues like this: http://example.com
When I go to http://www.example.com I get a 404 error.
How can I handle going to www and delivering the user to the route of the site?
I don't think it is related, but here is my httpd.conf:
WSGISocketPrefix /var/run/wsgi
<VirtualHost *:80>
WSGIDaemonProcess example.com display-name=%{GROUP}
WSGIProcessGroup example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /example
WSGIScriptAlias / /example/wsgi.py
</VirtualHost>
Alias /static/ /example
<Directory /example>
Order deny,allow
Allow from all
</Directory>
WSGIPythonPath /example
<Directory /example>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
Change ALLOWED_HOSTS in the settings.py to something like this
ALLOWED_HOSTS = ['www.example.com', 'example.com']
According to Django Documentation, ALLOWED_HOSTS defines
A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent an attacker from poisoning caches and triggering password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.
For more ALLOWED_HOSTS
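As an added example (not part of the original answer, and not Django's source code), the following simplified re-implementation of the documented matching rules shows why a request addressed to a name missing from ALLOWED_HOSTS is refused, and why URL-style entries like those in the settings.py posted in the TLS question earlier on this page never match any request. The function names are hypothetical and the host syntax regex is an approximation.

```python
import re

# Simplified re-implementation of Django's documented ALLOWED_HOSTS matching
# (added example, not Django's source). The host syntax check is approximate.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")

# ALLOWED_HOSTS as posted in the Angular/TLS question earlier on this page.
POSTED = ['backend.IP', 'http://backend.IP', 'http://backend.IP:8080',
          'https://backend.IP', 'https://backend.IP:8080', '127.0.0.1',
          'http://www.mproject.org/', 'https://www.mproject.org/',
          'mproject.org/']

def split_domain_port(value):
    """Return (domain, port) for a Host header value, ("", "") if malformed."""
    host = value.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bracketed IPv6 literal without a port
        return host, ""
    domain, _, port = host.rpartition(":") if ":" in host else (host, "", "")
    return (domain[:-1] if domain.endswith(".") else domain), port

def pattern_matches(domain, pattern):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):  # ".example.com": the domain and any subdomain
        return domain.endswith(pattern) or domain == pattern[1:]
    return domain == pattern

def host_allowed(host_header, allowed_hosts):
    """True if the Host header (port ignored) matches an ALLOWED_HOSTS entry."""
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(pattern_matches(domain, p) for p in allowed_hosts)

def unusable_entries(allowed_hosts):
    """Entries that can never match: URLs, trailing slashes, or host:port."""
    bad = []
    for entry in allowed_hosts:
        domain, port = split_domain_port(entry)
        if entry != "*" and (not domain or port):
            bad.append(entry)
    return bad
```

Running `unusable_entries` over a deployed settings list is a quick review step: every entry it returns is dead weight, and a site that relies only on such entries rejects all of its own traffic.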

Deploying a Django app on Apache + mod_wsgi with HTTP auth

Is it possible to deploy a Django app on Apache + mod_wsgi (the standard way) but with HTTP authentication in front of the whole thing?
Basically, I need an extra layer of HTTP security before any user, Django-authenticated or anonymous, is even able to reach the app.
Is this possible? If so, where do the Apache auth directives go?
Yes, it's possible.
With mod_wsgi on /, any resources to be provided by apache need to be listed as aliases.
Auth directives and host restrictions live in Location directives.
So I've disabled any apache access restrictions on things like css, and provided host/ip based access to another directory.
<VirtualHost *:80>
Servername app.domain.example
CustomLog logs/access_log combined
ErrorLog logs/error_log
DocumentRoot "/home/app/apache/app/html"
Alias /media/ /home/app/apache/app/html/media/
<Location />
Options None
AuthType Basic
AuthName "Login Prompt"
AuthUserFile /path/to/passwd.file
Require valid-user
</Location>
<Location /media>
Order allow,deny
Allow from all
Satisfy any
</Location>
WSGIDaemonProcess app user=app group=app processes=5 threads=1 display-name=app_WSGI
WSGIProcessGroup app
WSGIScriptAlias / /home/app/apache/app.wsgi
</VirtualHost>
Sure, here is example from one site:
<VirtualHost *:80>
ServerName djangoproject.domain.biz
DocumentRoot "/home/user/websites/djangoproject/website/"
WSGIDaemonProcess djangoproject python-path=/home/user/.virtualenvs/djangoproject/lib/python2.6/site-packages/ user=user group=user threads=1
WSGIProcessGroup djangoproject
WSGIScriptAlias / /home/user/websites/djangoproject/website/django.wsgi
<Directory "/home/user/websites/djangoproject/website/">
Order deny,allow
Allow from all
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /etc/apache2/passwords
Require valid-user
</Directory>
</VirtualHost>