Securing django app on single SSL certificate using apache - django

In the Django documentation I read that the app shouldn't be placed in the htdocs folder, thefore I have placed the folder in /home/django-apps/myapp
In my SSL virtual host I have the following:
Alias /media/ /home/django-apps/myapp/static/
WSGIScriptAlias / /home/django-apps/myapp/apache/django.wsgi
<Directory /home/django-apps>
Order allow,deny
Allow from all
</Directory>
I have removed the various bit of the SSL certificate for security and brevity reasons.
Everything works fine, I just want to make sure that I haven't introduced a security hole with the Directory directive settings for django-apps.
Thanks

Looks good to me. As far as I know theres is no problem, as long as directory permissions are set right. You also should place your .py files outside /htdocs or /httpdocs to prevent showing them by default apache configuration.
Hope this helps.

Related

Is it possible to serve more than one django project under same domain?

I have a site say, localdjangosite.com and I already have a django application running on that domain at url localdjangosite.com/site1/. For this I have a virtual host set up inside apache sites-available directory as follows, I used mod_wsgi also.
WSGIScriptAlias /site1 /path/to/the/django/codebase/wsgi.py
<Directory /path/to/the/django/codebase/>
Require all granted
</Directory>
And with that, that site1 is working well.
Now I want to have one more site under the same domain like localdjangosite.com/site2/. And when I tried to configure apache like below I face page not found error.
WSGIScriptAlias /site2 /path/to/the/django/codebase/for/site2/wsgi.py
<Directory /path/to/the/django/codebase/for/site2/>
Require all granted
</Directory>
When I configured like that and visited the url localdjangosite.com/site2/, It shows Page not found error and it displays the url configurations of the site1 instead of site2. Here site1 and site2 are really two different django projects and they have different apps inside and server different purpose.
So I really don't understand what is going on? what is wrong?
Could someone please help me to understand it and host two or more django projects under same domain?
Yes, just use different port, for example:
localdjangosite.com:80 and localdjangosite.com:84

Host Django Rest API on AWS ec2 using Apache

I have built a very basic API using the Django Rest Framework following this tutorial: https://scotch.io/tutorials/build-a-rest-api-with-django-a-test-driven-approach-part-1
I have confirmed that this works on my local machine by following the instructions of the tutorial. Now I need to host this API on the internet. The easiest way to do this seems to be with AWS using Apache2 on an ec2, which I have attempted to do, but I can't seem to figure out how to make this work. I understand that I need to configure Apache2 for my application, which I have done following this tutorial: http://www.nickpolet.com/blog/deploying-django-on-aws/koAayBejnjdNwYfc6 modifying values as needed. My Apache2 configuration file is located
here: /etc/apache2/sites-enabled/djangorest.conf
and contains the following:
WSGIScriptAlias / /home/ubuntu/API/djangorest/djangorest/wsgi.py
WSGIPythonPath /home/ubuntu/API/djangorest
<Directory /home/ubuntu/API/djangorest/djangorest>
<Files wsgi.py>
Order deny,allow
Require all granted
</Files>
</Directory>
Alias /media/ /home/ubuntu/API/djangorest/media/
Alias /static/ /home/ubuntu/API/djangorest/static/
<Directory /home/ubuntu/API/djangorest/static>
Require all granted
</Directory>
<Directory /home/ubuntu/API/djangorest/media>
Require all granted
</Directory>
My project is housed in the home directory of the ec2 instance like so: ~/API/djangorest/...
From here, shouldn't it be a simple matter of configuring Apache? I've waded through documentation for hours to no avail. When I type the public dns into a browser, I get the following message: "Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request."
This is basically the first project I've ever done that isn't a console application, so It's likely that I'm missing something obvious. In short, I just need to know how to host this API so that I can make calls to it and modify my database. If there's an easier approach than what I'm taking, or if there's a better tutorial to follow, I would appreciate any help.

Django user login works with dev server but not with apache2 on bitnami djangostack

I have worked through the Learning Website Development with DJango book, which takes you through the creation of a basic bookmark-sharing site, and this all works as described in the book as long as I run it on the Django development server. I am now trying to set it up using apache on a virtual machine running Ubuntu 14.04 on which I have installed the bitnami django stack (https://bitnami.com/stack/django).
I had to modify httpd-app.conf, and settings.py to take account of the fact that the project files are not in the top-level folder for the project (which the development server appears to take account of automatically), and I can access individual pages of the site.
The site includes a simple user login system through django.contrib.auth which means that a user has to login before being able to access some pages, and this works fine on the development server, but it does not appear to be working with apache and I am just returned back to the same page after hitting the submit button on the login page. I did find one reference to this via a Google search, but there was no solution provided.
The django documentation does include information on authorization (https://docs.djangoproject.com/en/1.7/howto/deployment/wsgi/apache-auth/) but a) this appears to refer to blocking access to site folders rather than authorization for individual views (which is what the application from the book does), and b) I have made the changes that are described there, and it appears to make no difference.
I have also gone through many web pages unearthed via google that refer to user authorization, but most of these refer to earlier versions of django and reference functions or settings that do not appear to be in django 1.7 (which I am using) or don't directly address my problem. After having spent quite a few hours on this, as a django newbie I am pretty thoroughly confused. I think it must be a trivial problem, and am pretty sure that there is a combination of settings that will solve it, but I just can't seem to figure it out, and any help or links to tutorials / guides on how to do so would be much appreciated. Most of the training materials I can find for django all use the built-in development server (not unreasonably) and even when they refer to deployment on a production server basically just say it's outside their scope and don't provide anything of use.
I am posting the what I think are the relevant files below:
httpd-app.conf (from the django project conf folder):
<IfDefine !IS_DJANGOSTACK_LOADED>
Define IS_DJANGOSTACK_LOADED
WSGIDaemonProcess wsgi-djangostack processes=2 threads=15 display-name=%{GROUP}
</IfDefine>
<Directory "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02">
Options +MultiViews
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
WSGIProcessGroup wsgi-djangostack
WSGIApplicationGroup %{GLOBAL}
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
</Directory>
Alias /static "/home/george/djangostack-1.7.4-0/apps/django/lib/python2.7/site-packages/django/contrib/admin/static"
WSGIScriptAlias /django_webtest_02 '/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02/wsgi.py'
httpd-vhosts.conf
<VirtualHost *:8080>
ServerName djangostack.example.com
ServerAlias www.djangostack.example.com
DocumentRoot "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02"
Include "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/httpd-app.conf"
</VirtualHost>
<VirtualHost *:8443>
ServerName djangostack.example.com
ServerAlias www.djangostack.example.com
DocumentRoot "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02"
SSLEngine on
SSLCertificateFile "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/certs/server.crt"
SSLCertificateKeyFile "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/certs/server.key"
Include "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/httpd-app.conf"
</VirtualHost>
From the apache httpd.conf file (the file is very long to post in its entirety, and so I am showing here just the final section where I have added content based on the various web sites I have looked at):
Include "conf/deflate.conf"
Include conf/pagespeed.conf
Include conf/pagespeed_libraries.conf
WSGIScriptAlias / /home/george/.virtualenvs/django_webtest_02/wsgi.py
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /home/george/djangostack-1.7.4-0/python
# virtualenv
WSGIPythonPath /home/george/.virtualenvs/django_webtest_02/lib/python2.7/site-packages
WSGIPassAuthorization On
# The following lines prevent .user.ini PHP settings files from being viewed by Web clients.
<Files ".user.ini">
<IfVersion < 2.3 >
Order allow,deny
Deny from all
</IfVersion>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
</Files>
# Security
ServerSignature Off
ServerTokens Prod
TraceEnable Off
Include "/home/george/djangostack-1.7.4-0/apache2/conf/ssi.conf"
Include "/home/george/djangostack-1.7.4-0/apache2/conf/bitnami/bitnami.conf"
Include "/home/george/djangostack-1.7.4-0/apps/django/conf/django.conf"
A final point is that I am using virtualenv but have followed the instructions here (https://community.bitnami.com/t/how-to-get-virtualenv-working-on-djangostack/765) and as far as I can tell, there are not any problems with this.
Any help or guidance would be greatly appreciated.
I had been using MySQL Workbench to look at the users table and that looked OK, which suggested that the database was functioning as expected, BUT when I tried to do a migration, it came up with an error message indicating that python-mysqldb was not installed. The bitnami django stack includes mysql but a couple of comments I found online suggest that python-mysqldb is not included by default, so I installed it with pip.
I had previously managed to create several users through my django app, so I'm not sure I understand how I did that if python-mysqldb was required but missing.
I still couldn't login though, so I checked the Apache error log (which I should have done before) and it said that the user that I had been trying to logon with was not authorized, and so I cleared the users table from the database and created some new users, and it let me login with one of the new users without a problem.
This underlines for me the value of just having someone to bounce things off - I could have spent another day (or more) trying to figure it out, but the comments got me doing something different and looking at the problem a different way, which got me to the solution. Thanks again.

Only the home route working on my EC2 instance server for AWS for Laravel 4

I am trying to set up my laravel project on my EC2 Instance for AWS. I have successfully uploaded the files to the server using SFTP, and I rewrote the 000-default.conf file to point to the public folder of the project.
The home route is loading fine, but none of the other routes are working? Any idea what is going on here? They all work fine on local host (MAMP) and on other servers.
All of the other routes show a NOT FOUND page (The requested URL /fans was not found on this server (for instance) )
This worked for me:
First in 000-default.conf
Make Document Root point to your public folder:
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/your/laravel-project-folder/public/
Then add this to end of the 000-default.conf:
<Directory "/var/www/html/your/laravel-project-folder/">
AllowOverride All
</Directory>
Last two steps:
run this as root user:
1. sudo a2enmod rewrite
2. service apache2 restart
Now everything was working fine for me.
Hope this helps :)
For people who have this issue in the future:
All I had to do was add:
<Directory /var/www>
AllowOverride All
</Directory>
to my 000-default.conf file in /etc/apache2/sites-available directory.
Place it right under the DocumentRoot line.
Cheers.
I met the same problem when I use Laravel5.2 on AWS.
Can you see the welcome page after you deploy laravel on AWS? You can use the following to access the welcome page.
/public/index.php
If you can do above, then you modify your route.php in the app/Http/ folder, like this:
Route::get('/convert/{name}', function ($name) {
return str_plural($name);
});
After that you can try "/public/index.php/convert/123".
Then you will see "123s" on the screen.
It is really tricky to visit your route with /public/index.php/, it waste long time for me to fix this problem.

Apache only serves first level of Django static files directory

I have a site I made with Django, and I'm trying to deploy it on an Apache server I have lying around (using mod_wsgi as recommended by the official docs) and for the most part, everything's going great. I am having a problem getting Apache to correctly serve the static files associated with my project. Judging by comparing the source of the rendered HTML with my server's file structure, I would say that my app is requesting the right files from the right locations, but for whatever reason Apache throws me a 404. Here's my config for apache:
<VirtualHost *:80>
ServerName book
ServerAlias www.book.dev book.dev
DocumentRoot /var/www/book
Alias /static/ /var/www/book/static
Alias /media/ /var/www/book/media
<Directory /var/www/book/static>
Order deny,allow
Allow from all
</Directory>
WSGIScriptAlias / /home/rich/sites/book/apache/django.wsgi
<Directory /home/rich/sites/book>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
If I navigate to STATIC_ROOT in my web browser (in this case www.book.dev/static) I see a (correct) listing of the first level in the directory structure on the server. However, trying to follow the links to sub-directories, or even files in the root directory, yields only a 404. I'm using Django 1.3, Python 2.6, and some version of apache in the 2.X range (whatever is the most recent version in debian's package repo)
Any help is appreciated.
EDIT: (The plot thickens!)
So, after fiddling some more, I found something that I thought was interesting. I discovered that if I run the development server, the URL's from which static content is fetched are identical to the static file URL's which are generated when Apache is serving the files. This is to say, they all take the form /static/<file> as configured in settings.py, but sometimes it doesn't work.
Try having:
Alias /static/ /var/www/book/static/
Alias /media/ /var/www/book/media/
If using trailing slashes for a sub URL, the target file system path should have a trailing slash as well.
Compare to documentation at:
http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines#Hosting_Of_Static_Files
Please double check your settings.py. Look for commas and logic of directory structure. Especially about STATIC_ROOT and MEDIA ... dirs.
Problems are often not where they came from.
And you can create a symink to apache dir... and take it to where it was on your project at dev file structure... Try it may show your errors in templates if they exist...