safely hosting a django project over apache using centos - django

Error can be seen at: http://djaffry.selfip.com:8080/
I had a project working great, but I had all the files under /var/www/ and with my limited understanding it's bad, according to django's site:
"If your background is in PHP, you’re probably used to putting code under the Web server’s document root (in a place such as /var/www). With Django, you don’t do that. It’s not a good idea to put any of this Python code within your Web server’s document root, because it risks the possibility that people may be able to view your code over the Web. That’s not good for security.
Put your code in some directory outside of the document root, such as /home/mycode."
So I went to /home/tipu/stuff/ and executed django-admin.py startproject twingle. Then I went to apache and did
<VirtualHost *:8080>
ServerName tweet_search_engine
DocumentRoot /home/tipu/stuff/twingle/
</VirtualHost>
<Directory /home/tipu/stuff/twingle>
SetHandler python-program
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE settings
PythonOption django.root /home/tipu/stuff/twingle
PythonDebug On
PythonPath "['/home/tipu/stuff/', '/home/tipu/stuff/twingle/'] + sys.path"
</Directory>
Now I am getting a 403 Forbidden error. Any idea what I'm doing wrong? I'm newer to Linux (CentOS) and django, so I could be overlooking some very simple things.

This is almost certainly just an access rights issue. The Apache user needs rights to access all the directories in the path to your project - home, home/tipu, home/tipu/stuff, home/tipu/stuff/twingle, and so on. You'll need to find out what user Apache is running as, and grant read rights to those directories.
As Ignacio suggests, /srv is probably a better place to put this - but the same rights issues still apply.

Well, under /home is not the right place, thanks to SELinux. Put the app under /srv instead.
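
Added example (not part of the original thread): a small Python check for the access-rights point made in the answers above. It walks every directory from / down to the project and lists those the web server account cannot traverse, using only the classic owner/group/other mode bits. ACLs and the SELinux labels mentioned in the last answer are not inspected, and the default account name "apache" is an assumption.

```python
import os
import stat
import sys
from pathlib import Path


def can_traverse(st, uid, gids):
    """True if uid (with group ids gids) has search (x) permission per mode bits."""
    if uid == 0:
        return True  # root bypasses mode-bit checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def blocking_dirs(target, uid, gids=()):
    """List every directory from / down to target that uid cannot traverse."""
    target = Path(target).resolve()
    chain = list(target.parents)[::-1]      # /, /home, /home/tipu, ...
    if target.is_dir():
        chain.append(target)
    gids = set(gids)
    return [str(d) for d in chain if not can_traverse(d.stat(), uid, gids)]


if __name__ == "__main__":
    import pwd
    # Usage: script.py /home/tipu/stuff/twingle [user]
    # "apache" is the usual CentOS httpd account; treat it as an assumption.
    account = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "apache")
    groups = os.getgrouplist(account.pw_name, account.pw_gid)
    for d in blocking_dirs(sys.argv[1], account.pw_uid, groups):
        print("no search (x) permission for", account.pw_name, "on", d)
```

An empty result with a 403 still occurring points away from mode bits and toward the SELinux explanation given above.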

Related

Set Apache to prompt a password for a Django site?

I have a Django wsgi site that I would put online soon. I would rather the site not be accessible except through an Apache login prompt until it is ready.
I investigated and found limited or outdated information about how to do it (which I tried anyway).
There is more information to make it work with a plain Apache served webpage and I was able to make it work on my default Apache welcome page, but Django seems less documented in that regard.
For example I added something like this in my .conf file:
<Directory "/path/to/djangosite">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
where /path/to/djangosite is where wsgi.py resides. Password was set in .htpasswd successfully.
How are you all doing this?

Django user login works with dev server but not with apache2 on bitnami djangostack

I have worked through the Learning Website Development with Django book, which takes you through the creation of a basic bookmark-sharing site, and this all works as described in the book as long as I run it on the Django development server. I am now trying to set it up using apache on a virtual machine running Ubuntu 14.04 on which I have installed the bitnami django stack (https://bitnami.com/stack/django).
I had to modify httpd-app.conf, and settings.py to take account of the fact that the project files are not in the top-level folder for the project (which the development server appears to take account of automatically), and I can access individual pages of the site.
The site includes a simple user login system through django.contrib.auth which means that a user has to login before being able to access some pages, and this works fine on the development server, but it does not appear to be working with apache and I am just returned back to the same page after hitting the submit button on the login page. I did find one reference to this via a Google search, but there was no solution provided.
The django documentation does include information on authorization (https://docs.djangoproject.com/en/1.7/howto/deployment/wsgi/apache-auth/) but a) this appears to refer to blocking access to site folders rather than authorization for individual views (which is what the application from the book does), and b) I have made the changes that are described there, and it appears to make no difference.
I have also gone through many web pages unearthed via google that refer to user authorization, but most of these refer to earlier versions of django and reference functions or settings that do not appear to be in django 1.7 (which I am using) or don't directly address my problem. After having spent quite a few hours on this, as a django newbie I am pretty thoroughly confused. I think it must be a trivial problem, and am pretty sure that there is a combination of settings that will solve it, but I just can't seem to figure it out, and any help or links to tutorials / guides on how to do so would be much appreciated. Most of the training materials I can find for django all use the built-in development server (not unreasonably) and even when they refer to deployment on a production server basically just say it's outside their scope and don't provide anything of use.
I am posting what I think are the relevant files below:
httpd-app.conf (from the django project conf folder):
<IfDefine !IS_DJANGOSTACK_LOADED>
Define IS_DJANGOSTACK_LOADED
WSGIDaemonProcess wsgi-djangostack processes=2 threads=15 display-name=%{GROUP}
</IfDefine>
<Directory "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02">
Options +MultiViews
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
WSGIProcessGroup wsgi-djangostack
WSGIApplicationGroup %{GLOBAL}
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
</Directory>
Alias /static "/home/george/djangostack-1.7.4-0/apps/django/lib/python2.7/site-packages/django/contrib/admin/static"
WSGIScriptAlias /django_webtest_02 '/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02/wsgi.py'
httpd-vhosts.conf
<VirtualHost *:8080>
ServerName djangostack.example.com
ServerAlias www.djangostack.example.com
DocumentRoot "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02"
Include "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/httpd-app.conf"
</VirtualHost>
<VirtualHost *:8443>
ServerName djangostack.example.com
ServerAlias www.djangostack.example.com
DocumentRoot "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/django_webtest_02"
SSLEngine on
SSLCertificateFile "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/certs/server.crt"
SSLCertificateKeyFile "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/certs/server.key"
Include "/home/george/djangostack-1.7.4-0/apps/django/django_projects/django_webtest_02/conf/httpd-app.conf"
</VirtualHost>
From the apache httpd.conf file (the file is very long to post in its entirety, and so I am showing here just the final section where I have added content based on the various web sites I have looked at):
Include "conf/deflate.conf"
Include conf/pagespeed.conf
Include conf/pagespeed_libraries.conf
WSGIScriptAlias / /home/george/.virtualenvs/django_webtest_02/wsgi.py
LoadModule wsgi_module modules/mod_wsgi.so
WSGIPythonHome /home/george/djangostack-1.7.4-0/python
# virtualenv
WSGIPythonPath /home/george/.virtualenvs/django_webtest_02/lib/python2.7/site-packages
WSGIPassAuthorization On
# The following lines prevent .user.ini PHP settings files from being viewed by Web clients.
<Files ".user.ini">
<IfVersion < 2.3 >
Order allow,deny
Deny from all
</IfVersion>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
</Files>
# Security
ServerSignature Off
ServerTokens Prod
TraceEnable Off
Include "/home/george/djangostack-1.7.4-0/apache2/conf/ssi.conf"
Include "/home/george/djangostack-1.7.4-0/apache2/conf/bitnami/bitnami.conf"
Include "/home/george/djangostack-1.7.4-0/apps/django/conf/django.conf"
A final point is that I am using virtualenv but have followed the instructions here (https://community.bitnami.com/t/how-to-get-virtualenv-working-on-djangostack/765) and as far as I can tell, there are not any problems with this.
Any help or guidance would be greatly appreciated.
I had been using MySQL Workbench to look at the users table and that looked OK, which suggested that the database was functioning as expected, BUT when I tried to do a migration, it came up with an error message indicating that python-mysqldb was not installed. The bitnami django stack includes mysql but a couple of comments I found online suggest that python-mysqldb is not included by default, so I installed it with pip.
I had previously managed to create several users through my django app, so I'm not sure I understand how I did that if python-mysqldb was required but missing.
I still couldn't login though, so I checked the Apache error log (which I should have done before) and it said that the user that I had been trying to logon with was not authorized, and so I cleared the users table from the database and created some new users, and it let me login with one of the new users without a problem.
This underlines for me the value of just having someone to bounce things off - I could have spent another day (or more) trying to figure it out, but the comments got me doing something different and looking at the problem a different way, which got me to the solution. Thanks again.

my website urls via apache2 don't work

My first question for this site, I hope it goes well!!
I have ubuntu, apache2, python, django and mod_python.
All is installed properly.
I have created a website project which works properly when I run it locally.
But I can't get it working the same way on apache.
I can access my website project directories, but I can't access my website project's URLs.
I think this has something to do with incorrectly configuring my directives in the httpd.conf file. Also, when I type the server name in the web browser I get a server not found.
A quick rundown:
My project lives in /home/jamie/mysite
django, apache, modpython on root directory
In /etc/apache2/sites-available/http.conf I have:
NameVirtualHost 111.22.33.44
<VirtualHost 111.22.33.44>
ServerName www.example.com
DocumentRoot /home/jamie/mysite
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Location "/mysite">
SetHandler python-program
PythonHandler django.core.handlers.modpython
#removed line -PythonHandler mod_python.publisher- didnt work#
SetEnv DJANGO_SETTINGS_MODULE mysite.settings
PythonPath "['/home/jamie/', '/usr/local/lib/python2.6/dist-packages'] + sys.path"
PythonAutoReload On
PythonDebug On
</Location>
</VirtualHost>
Anybody that can help me I will give 1 BILLION DOLLARS to.
OK akonsu, cheers for this.
http//localhost/templates points to my templates folder and shows all the files and subdirectories. http//localhost/templates/homepage.html will show the homepage.html located in the templates folder with all the ugly django tags that go with it.
I want to run my website app on apache the same way as if I ran it locally, via the urls.
Example: http//localhost/homepage would point directly to the file homepage.html which is located in the templates folder as this is how it is set out in the urls.py file and would not show the ugly django tags.
If I do type in http//localhost/homepage via the apache server I get the url /homepage does not exist on this server.
The django book tells me to point DJANGO_SETTINGS_MODULE to my app's settings file, which I have done: 'DJANGO_SETTINGS_MODULE mysite.settings'. The settings file points to the urls file which points to the views file which in turn renders with template files and so on and so forth. Thus if I typed http//localhost/homepage it should work as homepage has been configured properly in my urls.py file. I believe I have done what they have asked but still no luck. Either I'm getting the DJANGO_SETTINGS_MODULE part wrong or starting with /localhost is wrong.
I don't know what difference this makes but if I change the servername in the httpd.conf file to say www.blabla.com it won't throw an error when I restart apache server, meaning it's configured right. But when I type www.blabla.com in the browser I get an error saying this site does not exist.

Try removing PythonHandler mod_python.publisher

I need help on configuring mod_wsgi and Django

Apache & mod_wsgi are configured correctly (I've created a hello
world .html apache file and a hello world mod_wsgi application with
no problems). I now need my Django app to work with my django.wsgi
file. What makes me think that it's not recognizing my wsgi file is that I
went into my django.wsgi file I created and completely deleted all of
the code in the file and restarted Apache and it still gives me the
same page (a listing of the files from Django app, not my actual
Django application). Configuring Apache and mod_wsgi went really well
but I'm at a loss of how to fix this. Here are some details:
Here is my current django.wsgi file:
import os
import sys
sys.path.append('/srv/www/duckling.org/store/')
os.environ['DJANGO_SETTINGS_MODULE'] = 'store.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
I've tried a few different versions of the django.wsgi file
(including a version like the one over at http://www.djangoproject.com/).
This version of my wsgi is from here:
http://library.linode.com/frameworks/django-apache-mod-wsgi/ubuntu-10...
Also, here is my vhost apache configuration file below. I think these
are the main files that are supposed to do the job for me. Let me know if
you see any errors in what I'm doing and what else I might do to fix
this. The django app runs fine on the django's built-in development
server so I'm thinking it might have something with my paths.
No errors in my apache error.log file as well. It's acting as if there's
no problem at all, which is not the case...the project isn't loading,
like I said just a listing of my files and directories of my Django
project. Here is my apache config file:
<VirtualHost 1.2.3.4:80>
ServerAdmin hi#duckling.org
ServerName duckling.org
ServerAlias www.duckling.org
DocumentRoot /srv/www/duckling.org/store/
<Directory /srv/www/duckling.org/store/>
Order Allow,Deny
Allow from all
</Directory>
Alias /static/ /srv/www/duckling.org/store/static/
<Directory /srv/www/duckling.org/store/static>
Order deny,allow
Allow from all
</Directory>
WSGIScriptAlias store/ /srv/www/duckling.org/store/wsgi-scripts/django.wsgi
<Directory /srv/www/wsgi-scripts>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
And here are versions of the stack that I'm using, I saw over at the
mod_wsgi site that you all would like the versions of what I'm using
on the server:
Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch
mod_python/3.3.1 Python/2.6.5 mod_wsgi/2.8
thanks,
j.

For a start, you should definitely not keep your Django files under your DocumentRoot. There's no need for them to be there, and it's a potential security risk - as you've seen, your current misconfiguration allows Apache to serve up your files directly: an attacker could guess that and download your settings.py, complete with your database password.
So, get rid of that DocumentRoot directive completely, as well as the first Directory section which allows direct access to /srv/www/duckling.org/store/. (You probably don't need the one serving up /srv/www/wsgi-scripts either.) That should make things a bit better.
By the way, this configuration will serve your website under duckling.org/store - is that what you want? If you want it under the root, you should just use:
WSGIScriptAlias / /srv/www/duckling.org/store/wsgi-scripts/django.wsgi
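
Added example (not part of the original answer or the poster's files): a Python lint for the misconfiguration described above. It reads Apache configuration text and reports every DocumentRoot that contains the WSGI script or a mod_python PythonPath entry. The function name, the two sample configs (trimmed from the question and the answer's suggestion) and the single-scope, lexical path comparison are assumptions of this sketch; Include files and symlinks are not followed.

```python
import re
import shlex
from pathlib import PurePosixPath


def _inside(child, parent):
    """True if child is parent itself or lies beneath it (lexical check only)."""
    child, parent = PurePosixPath(child), PurePosixPath(parent)
    return child == parent or parent in child.parents


def code_under_docroot(conf_text):
    """Return (docroot, code_path) pairs where Python code sits in a web root."""
    docroots, code_paths = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue                      # comments and section tags
        try:
            words = shlex.split(line)
        except ValueError:                # unbalanced quote, not parseable here
            continue
        name, args = words[0].lower(), words[1:]
        if name == "documentroot" and args:
            docroots.append(args[0])
        elif name == "wsgiscriptalias" and len(args) >= 2:
            code_paths.append(args[1])    # filesystem path of the WSGI script
        elif name == "pythonpath" and args:
            # mod_python takes a Python list expression; pull its string literals
            code_paths += re.findall(r"['\"]([^'\"]+)['\"]", args[0])
    return [(d, c) for d in docroots for c in code_paths if _inside(c, d)]


# Constructed sample: the vhost from the question, trimmed.
QUESTION_CONF = """
<VirtualHost 1.2.3.4:80>
ServerName duckling.org
DocumentRoot /srv/www/duckling.org/store/
Alias /static/ /srv/www/duckling.org/store/static/
WSGIScriptAlias store/ /srv/www/duckling.org/store/wsgi-scripts/django.wsgi
</VirtualHost>
"""

# Constructed sample: the same vhost after following the answer.
ANSWER_CONF = """
<VirtualHost 1.2.3.4:80>
ServerName duckling.org
Alias /static/ /srv/www/duckling.org/store/static/
WSGIScriptAlias / /srv/www/duckling.org/store/wsgi-scripts/django.wsgi
</VirtualHost>
"""

if __name__ == "__main__":
    for docroot, path in code_under_docroot(QUESTION_CONF):
        print("DocumentRoot", docroot, "exposes", path)
```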

django site doesn't see urls.py

I just moved my site to an actual apache server (was developing locally before) and the site can't seem to find the urls.py file. Basically what happens is that the homepage works, which is weird in itself considering that if I go to any url, e.g. website/about/, I will get a 404 error with text {'path': u'about/'}.
I tried ROOT_URLCONF set to mysite.urls and just urls, and if i move the urls.py it will continue to behave the same way.
I don't know if it's related but I also can't seem to access my site media folder, it seems as though the server is still reading it in its old path, but the settings.py file is correct. (tried restarting apache, rebooting server, etc..)

I would be more worried about it not finding the media directory, that's pure apache. If that part of the equation isn't working, nothing else will. Work with apache's httpd.conf until you can browse to the media directory correctly first.
Update:
I copied in my working conf file and substituted your values. Your django.root might need to be "" or not set at all, as I've found that it shouldn't end with a /:
<Location "/">
SetHandler python-program
PythonHandler django.core.handlers.modpython
SetEnv DJANGO_SETTINGS_MODULE fikdusite.settings
PythonOption django.root ""
PythonDebug On
PythonPath "['/django_apps/', '/django_apps/fikdusite/'] + sys.path"
</Location>
And make sure that the .profile of the user that apache runs your site as, has:
export DJANGO_SETTINGS_MODULE='fikdusite.settings'
export PYTHONPATH=$PYTHONPATH:/django_apps:/django_apps/fikdusite

First, don't use mod_python, use mod_wsgi.
Secondly, don't forget that you need to restart Apache every time you make a code change in Django.