Deploying a Django app on Apache + mod_wsgi with HTTP auth - django

Is it possible to deploy a Django app on Apache + mod_wsgi (the standard way) but with HTTP authentication in front of the whole thing?
Basically, I need an extra layer of HTTP security before any user, Django-authenticated or anonymous, is even able to reach the app.
Is this possible? If so, where do the Apache auth directives go?

Yes, it's possible.
With mod_wsgi on /, any resources to be provided by apache need to be listed as aliases.
Auth directives and host restrictions live in Location directives.
So I've disabled any apache access restrictions on things like css, and provided host/ip based access to another directory.
<VirtualHost *:80>
Servername app.domain.example
CustomLog logs/access_log combined
ErrorLog logs/error_log
DocumentRoot "/home/app/apache/app/html"
Alias /media/ /home/app/apache/app/html/media/
<Location />
Options None
AuthType Basic
AuthName "Login Prompt"
AuthUserFile /path/to/passwd.file
Require valid-user
</Location>
<Location /media>
Order allow,deny
Allow from all
Satisfy any
</Location>
WSGIDaemonProcess app user=app group=app processes=5 threads=1 display-name=app_WSGI
WSGIProcessGroup app
WSGIScriptAlias / /home/app/apache/app.wsgi
</VirtualHost>

Sure, here is example from one site:
<VirtualHost *:80>
ServerName djangoproject.domain.biz
DocumentRoot "/home/user/websites/djangoproject/website/"
WSGIDaemonProcess djangoproject python-path=/home/user/.virtualenvs/djangoproject/lib/python2
.6/site-packages/ user=user group=user threads=1
WSGIProcessGroup djangoproject
WSGIScriptAlias / /home/user/websites/djangoproject/website/django.wsgi
<Directory "/home/user/websites/djangoproject/website/">
Order deny,allow
Allow from all
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /etc/apache2/passwords
Require valid-user
</Directory>
</VirtualHost>

Related

Apache Error: While writing python logs into file outside the project directory

I am working on a Django project and using Apache as web server. Everything is working fine with
python manage.py runserver
But while running the application through apache I am not able to write my python app logs into the stated path which is outside the project directory.
Project directory /home/ubuntu/saas-DocumentProcessing
Log files are in
/home/ubuntu/log/SaasAap/SaasAap.log and /home/ubuntu/log/error/error.log
My 000-default.conf content
<VirtualHost *:8000>
ServerAdmin abc#xyz.com
ServerName my_ip
ServerAlias my_ip
DocumentRoot /home/ubuntu/saas-DocumentProcessing/
WSGIScriptAlias / /home/ubuntu/saas-DocumentProcessing/src/wsgi.py
Alias /static/ /home/ubuntu/saas-DocumentProcessing/static/
ErrorLog /home/ubuntu/log/error.log
CustomLog /home/ubuntu/log/custom.log combined
<Location "/static/">
Options -Indexes
AllowOverride All
Require all granted
</Location>
<Location "/">
AllowOverride All
Require all granted
</Location>
<Directory /home/ubuntu/saas-DocumentProcessing/static>
Order allow,deny
Allow from all
</Directory>
<Directory /home/ubuntu/log>
Order allow,deny
Allow from all
</Directory>
WSGIDaemonProcess saas-DocumentProcessing python-path=/home/ubuntu/
saas-DocumentProcessing python-home=/home/ubuntu/saas-DocumentProcessing/ve
nv
WSGIProcessGroup saas-DocumentProcessing
</VirtualHost>

Django to pass through some urls to base apache

Is there a way for Django to pass through some urls to whatever apache would resolve them too?
For instance, if I type in: http://< my-ip >. Is there a way to have django just serve up whatever is in /var/www/html/index.html?
Similarly, if I type in http://< my-ip >/devel, is there a way to make django simply serve what's in /var/www/html/devel/?
Basically, I want some urls to "not be touched".
Thanks!
Edit
Following Anentropic's comment, I'd like Apache to call Django only if it can't match the url. How would I need to change httpd.conf to do that? Let's say I want Django to respond to only /polls/, /admin/ and /accounts/.
Here's the relevant portion from my httpd conf file:
<VirtualHost *:80>
#DocumentRoot /home/ec2-user/srv/mysite
DocumentRoot /var/www/html/
ServerName <My IP ADDRESS>
WSGIScriptAlias / /home/ec2-user/srv/mysite/apache/wsgi.py
# Alias /phpmyadmin /var/www/html/phpmyadmin
# <Location /phpmyadmin>
# SetHandler None
# </Location>
<Directory /home/ec2-user/srv/mysite/media>
Order deny,allow
Allow from all
</Directory>
<Directory /home/ec2-user/srv/mysite/apache>
Order deny,allow
Allow from all
</Directory>
LogLevel warn
Alias /media/ /home/ec2-user/srv/mysite/media/
Alias /static/ /home/ec2-user/srv/mysite/static/
<Directory /home/ec2-user/srv/mysite/static>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
If you'd like to serve static html pages you could use the flatpages app.
Again if you'd like to use different languages (php etc) I believe that you'd have to set up different virtual host in you apache config file to catch the url before it gets served to Django and redirect it to the correct folder. i.e:
<VirtualHost *:80>
ServerName staging.mydomain.com
DocumentRoot /var/www/html/mydomain.com/staging/
</VirtualHost>
<VirtualHost *:80>
ServerName dev.mydomain.com
DocumentRoot /var/www/html/mydomain.com/dev/
</VirtualHost>
EDIT
<VirtualHost *:80>
#DocumentRoot /home/ec2-user/srv/mysite
DocumentRoot /var/www/html/
ServerName <My IP ADDRESS>
Alias /phpmyadmin /var/www/html/phpmyadmin
<Location /phpmyadmin>
SetHandler None
</Location>
<Directory /home/ec2-user/srv/mysite/media>
Order deny,allow
Allow from all
</Directory>
<Directory /home/ec2-user/srv/mysite/apache>
Order deny,allow
Allow from all
</Directory>
LogLevel warn
WSGIScriptAlias /polls /home/ec2-user/srv/mysite/apache/wsgi.py
WSGIScriptAlias /admin /home/ec2-user/srv/mysite/apache/wsgi.py
WSGIScriptAlias /accounts /home/ec2-user/srv/mysite/apache/wsgi.py
Alias /media/ /home/ec2-user/srv/mysite/media/
Alias /static/ /home/ec2-user/srv/mysite/static/
<Directory /home/ec2-user/srv/mysite/static>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>

mod_wsgi apache and django configuration not working

*Using Django 1.5, mod_WSGI 3.3 and Apache 2.2*
The Mod_WSGI module has been successfully installed into Apache.
I have also created a very basic project using django-admin.py called "check"
So now according to the Django Documentation on how to configure mod_wsgi
I have entered the following code into the Apache httpd.conf where it looks like this -
<VirtualHost 192.254.132.95:80>
ServerName bangtestwsgi.mbox140.com
ServerAlias www.bangtestwsgi.mbox140.com
DocumentRoot /home/bangwsgi/public_html
ServerAdmin webmaster#bangtestwsgi.mbox140.com
UseCanonicalName Off
CustomLog /usr/local/apache/domlogs/bangtestwsgi.mbox140.com combined
CustomLog /usr/local/apache/domlogs/bangtestwsgi.mbox140.com-bytes_log "%{%s}t %I .\n%{%s}t %O ."
## User bangwsgi # Needed for Cpanel::ApacheConf
UserDir enabled bangwsgi
<IfModule mod_suphp.c>
suPHP_UserGroup bangwsgi bangwsgi
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup bangwsgi bangwsgi
</IfModule>
</IfModule>
WSGIScriptAlias / /home/bangwsgi/check/check/wsgi.py
WSGIPythonPath /home/bangwsgi/check
<Directory /home/bangwsgi/check/check>
<Files wsgi.py>
Order deny,allow
Require all granted
</Files>
</Directory>
</VirtualHost>
Currently my DNS hasn't propagated so I am using 192.254.132.95/~bangwsgi/ to access the app (as told to me by Hostgator)
The thing is that nothing is happening. There is nothing in the Apache error log. There seems to be sign that the wsgi script is even running. Can someone tell me what I can do differently to make this work?
I'm not sure why you are going to /~bangwsgi/. Your WSGI app is being served at /, as defined by the first parameter to WSGIScriptAlias.
It works on removing the line
WSGIPythonPath /home/bangwsgi/check
And changing Require all granted
to Allow from all

Django Based framework virtual host setup https on Apache

I am using a django based framework and have successfully figured Apache settings for http mode. Basically I have done the setting correctly on <VirtualHost *:80> ... </VirtualHost> and when I do, http://mysite.domain.com I get routed correctly to my site and the site pages and the skins get render correctly.
I have setup https://mysite.domain.com to work with shibboleth, shibboleth is working and when use the https I get routed to login credential page via shibboleth server, and after successful login I get redirect to https://mysite.domain.com but site doesn't get rendered correctly and skins don't show up as same as http://mysite.domain.com.
Here is my Apache settings, I am trying to understand what I am doing wrong here
<VirtualHost *:443>
ServerAdmin myname#mydomain.com
DocumentRoot /code/vEnviornment/mysite
ServerName mydomain.com
#<LocationMatch "^(?!/admin)">
#<LocationMatch "^(?!/m)">
# RewriteEngine on
# RewriteRule django.wsgi(.*)$ https://mydomain.com:443$1 [L,R=301]
#</LocationMatch>
SSLEngine on
#your SSL keys
#I have removed this wasn't comfortable putting SSL key info
#Alias /admin/media/ /usr/local/lib/python2.6/site-packages/django/contrib/admin/media/
Alias /admin/media/ /usr/local/lib/python2.7/dist-packages/django/contrib/admin/media/
WSGIScriptAlias /m/ /code/vEnviornment/mysite/django.wsgi
<Directory "/">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user
</Directory>
Alias /Shibboleth.sso /tmp
# CustomLog /var/log/httpd/mysite/access_log common
# ErrorLog /var/log/httpd/mysite/error_log
CustomLog /var/log/apache2/mysite/access_log common
ErrorLog /var/log/apache2/mysite/error_log
</VirtualHost>
And here is how I have hetup http:
<VirtualHost *:80>
ServerAdmin myname#mydomain.com
DocumentRoot /code/vEnviornment/mysite
ServerName mysite.mydomain.com
#aliases to serve static media directly
#will probably need adjustment
Alias /m/ /code/vEnviornment/mysite/static/
Alias /upfiles/ /code/vEnviornment/mysite/myframework/upfiles/
<DirectoryMatch "/code/vEnviornment/mysite/myframework/skins/([^/]+)/media">
Order deny,allow
Allow from all
</DirectoryMatch>
<Directory "/code/vEnviornment/mysite/myframework/upfiles">
Order deny,allow
Allow from all
</Directory>
#must be a distinct name within your apache configuration
WSGIDaemonProcess mysite2
WSGIProcessGroup mysite2
WSGIScriptAlias / /code/vEnviornment/mysite/django.wsgi
#make all admin stuff except media go through secure connection
<LocationMatch "/admin(?!/media)">
RewriteEngine on
RewriteRule /admin(.*)$ https://128.101.35.71/admin$1 [L,R=301]
</LocationMatch>
# CustomLog /var/log/httpd/mysite/access_log common
# ErrorLog /var/log/httpd/mysite/error_log
CustomLog /var/log/apache2/mysite/access_log common
ErrorLog /var/log/apache2/mysite/error_log
LogLevel debug
</VirtualHost>
What am I doing wrong here to render the site incorrectly via https?
Alias /m/ /code/vEnviornment/mysite/static/
Alias /upfiles/ /code/vEnviornment/mysite/myframework/upfiles/
These two lines are missing in https virual host
and
your WSGIScriptAlias should point to / not /m/

Two Django projects running simultaneously and mod_wsgi acting werid

I'm trying to run two Django projects simultaneously. I happened to be using mod_wsgi, and found the site is acting weird. Perhaps there would be a workaround, but I'd like to know what I'm missing and how to solve the problem.
In the apache configuration
# Setup the Python environment
# As root owns basically everything on a Amazon AMI and root
# cannot be used. Create a folder under /var/run/wsgi
# with the owner as ec2-user and group ec2-user.
WSGISocketPrefix /var/run/wsgi
# Call your daemon process a name
WSGIDaemonProcess pydaemon processes=1 threads=5
# Call your daemon process group a name
WSGIProcessGroup pydaemon
# Point to where the handler file is. This will be different
# If you are using some other framework.
WSGIScriptAlias /test /var/www/html/test/wsgi.py
WSGIScriptAlias /proto /var/www/html/proto/wsgi.py
After Apache restarts, if I connect to '/proto', then the proto site is shown. However, then I connect to '/test', without restarting Apache, the proto site is still shown, and I cannot access to the test site.
Now I restart Apache, this time I go to '/test' first. The test site comes up! However, if I go to '/proto' it still shows the test site, not the proto site.
What could make this happen? I added SESSION_COOKIE_PATH differently for each application just in case, but the problem still exists.
[UPDATED]
I also tried as the following, to give different WSGI application group names, but without luck.
Alias /cuedit /var/local/test/wsgi.py
<Location /test>
SetHandler wsgi-script
Options +ExecCGI
WSGIApplicationGroup test
</Location>
Alias /proto /var/local/proto/wsgi.py
<Location /proto>
SetHandler wsgi-script
Options +ExecCGI
WSGIApplicationGroup proto
</Location>
[UPDATED]
I changed from the daemon mode to the embedded mode. I guess the problem was two instances shared the same mod_wsgi daemon process so their namespace collide.
I would expect they should be handled correctly, but in the daemon mode I couldn't get it right.
Use this as a workaround:
WSGIDaemonProcess pydaemon-1 processes=1 threads=5
WSGIDaemonProcess pydaemon-2 processes=1 threads=5
WSGIScriptAlias /test /var/www/html/test/wsgi.py
<Location /test>
WSGIProcessGroup pydaemon-1
WSGIApplicationGroup %{GLOBAL}
</Location>
WSGIScriptAlias /proto /var/www/html/proto/wsgi.py
<Location /proto>
WSGIProcessGroup pydaemon-2
WSGIApplicationGroup %{GLOBAL}
</Location>
This will force each application into separate daemon process group and no way they should be able to interfere with each other.
If that still doesn't work, you have problems with your WSGI script file somehow.
I also have 2 Django projects however each one is running on a different port (httpd config), it looks something like this:
<VirtualHost *:80>
ServerAdmin xx
ServerName xx
ServerAlias xx
ErrorLog /path/to/first/project/logs/error.log
CustomLog /path/to/first/project/logs/access.log combined
Alias /static/ /path/to/first/project/sitestatic
WSGIDaemonProcess app processes=1 threads=15 display-name=%{GROUP}
WSGIProcessGroup app
WSGIScriptAlias / /path/to/first/project/django.wsgi
<Directory /path/to/first/project/apache>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:8080>
ServerAdmin xx
ServerName xx
ServerAlias xx
ErrorLog /path/to/second/project/logs/error.log
CustomLog /path/to/second/project/logs/access.log combined
WSGIDaemonProcess app1 processes=1 threads=15 display-name=%{GROUP}
WSGIProcessGroup app1
WSGIScriptAlias / /path/to/second/project/apache/django.wsgi
<Directory /path/to/second/project/apache>
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
The problem might be related to Apache sharing the Python sub interpreter between WSGI applications. Try adding this to the Apache configuration to avoid sharing:
WSGIApplicationGroup %{GLOBAL}
Check this blog post for in-depth explanation and additional tips (check the comments too).
Can't comment on the answer given by Graham, so adding one of my own.
The problem for me really was the Python Interpreter, but I also had to add the python-path for each interpreter. Here follows an example configuration:
WSGIDaemonProcess py_app1 processes=1 threads=5 python-path=/path/to/app1
WSGIScriptAlias /app1 /path/to/app1/wsgi.py
<Directory /path/to/app1>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
<Location /app1>
WSGIProcessGroup py_app1
WSGIApplicationGroup %{GLOBAL}
</Location>
WSGIDaemonProcess py_app2 processes=1 threads=5 python-path=/path/to/app2
WSGIScriptAlias /app2 /path/to/app2/wsgi.py
<Directory /path/to/app2>
<Files wsgi.py>
Order deny,allow
Allow from all
</Files>
</Directory>
<Location /app2>
WSGIProcessGroup py_app2
WSGIApplicationGroup %{GLOBAL}
</Location>