Re: [modwsgi] djang-nginx-mod_wsgi-ssl + moin?

71 views
Skip to first unread message

Graham Dumpleton

unread,
Jul 14, 2012, 7:56:49 PM7/14/12
to mod...@googlegroups.com
Yes you can have more than one WSGIScriptAlias. The order is important
though. Have that for the sub URL before that for root of '/'.

WSGIScriptAlias /suburl /some/path/app1.wsgi
WSGIScriptAlias / /some/path/app2.wsgi

Can you post the actual configuration snippet you are using rather
than refer to an old post as can only assume that you are actually
entering it in correct?

Graham

On 12 July 2012 22:52, DougE <helpde...@gmail.com> wrote:
> Sorry to bother -- I have done this: setup and I have spent a week breaking
> it by trying to add moin on this site as a sub url. I was trying two
> <virtualhost>'s based on different ports, no luck.
>
> Can a single <virtualhost> tag contain more than one WSGIScriptAlias
> directive?
>
> Can someone provide guidance on best way to call two completely different
> wsgi scripts from Apache?
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/FvtkKpOlu9gJ.
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to
> modwsgi+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/modwsgi?hl=en.

DougE

unread,
Jul 15, 2012, 4:17:24 AM7/15/12
to mod...@googlegroups.com
Okay, this just works!  Amazing...


http { # nginx setup for proxy to apache/django + ssl

upstream backend_apache {
    }

server {
...
# ****************************
# added as per Vitaly Babiy
# The proxy to Apache/Django
#*****************************
location / {
include /etc/nginx/proxy.conf;
proxy_set_header X-Forwarded-Protocol http;
            proxy_pass http://backend_apache;
        }
...
location /static {
alias /somedirectory/root_django_project/static/;
        }
...
}
server {
...
listen       443;
...
location /static {
alias /somedirectory/root_django_project/static/;
}
...
[ssl directives]
...
location /moin {
include /etc/nginx/proxy.conf;
proxy_set_header X-Forwarded-Protocol http;
        }
...
location / {
include /etc/nginx/proxy.conf;
proxy_set_header X-Forwarded-Protocol https;
}
location /other_encrypted_url {
...
#
#********************************************
# nginx basic http auth
#********************************************
auth_basic "Restricted";
auth_basic_user_file /some_directory/passwords;
#
...
}
 
}
# This is the main Apache server configuration file.
...
### Section 1: Global Environment
...
...
### Section 2: 'Main' server configuration
...
...
### Section 3: Virtual Hosts
...
NameVirtualHost *:8080
...
WSGISocketPrefix run/wsgi
...
#***********************************************
# IfModule configuration according to Vitaly Babiy
# This did work, but virtual host config
# seemed more parsimonious
#***********************************************
#<IfModule mod_ssl.c>
# Listen backend_apache 443
#</IfModule>
#***********************************************
<VirtualHost *:8080>
ServerName my_domain.net
# Tell Apache this is an HTTPS request without actually using 
# mod_ssl.c and port 443 on localhost
SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
#
WSGIScriptAlias /moin /default_directory/moin/server/moin.wsgi
WSGIDaemonProcess moin user=apache group=apache display-name=%{GROUP}
WSGIProcessGroup moin
#
WSGIScriptAlias / /some_directory/django_project_root/wsgi_handler.py
WSGIDaemonProcess yourhelpdesk user=apache group=apache display-name=%{GROUP}
WSGIProcessGroup yourhelpdesk
#

</VirtualHost>
> modwsgi+unsubscribe@googlegroups.com.

DougE

unread,
Jul 16, 2012, 8:34:34 PM7/16/12
to mod...@googlegroups.com
Well, it works -- kind of.  Django is sending me some emails about this strange side effect.  It is strange because Apache is looking at the wrong wsgi ap, and it should never be looking at port 80 since I have it bound to 8080.  Here is what django is telling me after calling the wsgi scrip on the /moin suburl:

Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 150, in get_response
    response = callback(request, **param_dict)

  File "/usr/lib/python2.7/site-packages/django/utils/decorators.py", line 93, in _wrapped_view
    response = view_func(request, *args, **kwargs)

  File "/usr/lib/python2.7/site-packages/django/views/defaults.py", line 18, in page_not_found
    t = loader.get_template(template_name) # You need to create a 404.html template.

  File "/usr/lib/python2.7/site-packages/django/template/loader.py", line 157, in get_template
    template, origin = find_template(template_name)

  File "/usr/lib/python2.7/site-packages/django/template/loader.py", line 138, in find_template
    raise TemplateDoesNotExist(name)

TemplateDoesNotExist: 404.html


<WSGIRequest
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
"""CSRF is a django artifact, don't really understand why it is here"""
META:{'CSRF_COOKIE': '41bd340808e6201039389f5b379293b1',
"""Don't know where the following path is coming from"""
 'DOCUMENT_ROOT': '/etc/httpd/htdocs',
 'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTPS': 'on',
 'HTTP_ACCEPT': 'image/png,image/*;q=0.8,*/*;q=0.5',
 'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
 'HTTP_ACCEPT_LANGUAGE': 'en-us,en;q=0.5',
 'HTTP_CONNECTION': 'close',
 'HTTP_DNT': '1',
 'HTTP_HOST': 'mydomain.com',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1',
 'HTTP_X_FORWARDED_PROTOCOL': 'https',
 'HTTP_X_FORWRDED_FOR': '98.23.50.238',
 'HTTP_X_REAL_IP': '98.23.50.238',
"""don't know where following is referenced although it looks like something from moin"""
 'PATH_INFO': u'/favicon.ico',
 'PATH_TRANSLATED': '/directory_to/django_app/not_moin/wsgi_handler.py/favicon.ico',
 'QUERY_STRING': '',
 'REMOTE_ADDR': '127.0.0.1',
 'REMOTE_PORT': '56932',
 'REQUEST_METHOD': 'GET',
 'REQUEST_URI': '/favicon.ico',
 'SCRIPT_FILENAME': '/directory_to/django_app/not_moin/wsgi_handler.py',
 'SCRIPT_NAME': u'',
 'SERVER_ADDR': '127.0.0.1',
 'SERVER_ADMIN': 'root@localhost',
 'SERVER_NAME': 'mydomain.com',
"""Port 80 should never be happening"""
 'SERVER_PORT': '80',
 'SERVER_PROTOCOL': 'HTTP/1.0',
 'SERVER_SIGNATURE': '<address>Apache/2.2.17 (Fedora) Server at mydomain.com Port 80</address>\n',
 'SERVER_SOFTWARE': 'Apache/2.2.17 (Fedora)',
 'mod_wsgi.application_group': 'mydomain|',
 'mod_wsgi.callable_object': 'application',
 'mod_wsgi.handler_script': '',
 'mod_wsgi.input_chunked': '0',
 'mod_wsgi.listener_host': '127.0.0.1',
 'mod_wsgi.listener_port': '8080',
 'mod_wsgi.process_group': 'mydomain',
 'mod_wsgi.request_handler': 'wsgi-script',
 'mod_wsgi.script_reloading': '1',
 'mod_wsgi.version': (3, 2),
 'wsgi.errors': <mod_wsgi.Log object at 0x7f3e8ca1c730>,
 'wsgi.file_wrapper': <built-in method file_wrapper of mod_wsgi.Adapter object at 0x7f3e8ca06378>,
 'wsgi.input': <mod_wsgi.Input object at 0x7f3e8c9c3ef0>,
 'wsgi.multiprocess': False,
 'wsgi.multithread': True,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'https',
 'wsgi.version': (1, 1)}>


On Saturday, July 14, 2012 7:56:49 PM UTC-4, Graham Dumpleton wrote:

Graham Dumpleton

unread,
Jul 16, 2012, 9:23:32 PM7/16/12
to mod...@googlegroups.com, mod...@googlegroups.com
If only web application in that daemon process group, force WSGIApplicationGroup to %{GLOBAL}.

That will avoid two copies of application. I'll explain properly later.

Graham 
To view this discussion on the web visit https://groups.google.com/d/msg/modwsgi/-/vPRlg3namnoJ.

To post to this group, send email to mod...@googlegroups.com.
To unsubscribe from this group, send email to modwsgi+u...@googlegroups.com.

DougE

unread,
Jul 16, 2012, 9:39:18 PM7/16/12
to mod...@googlegroups.com
Graham --

That seems to have cleared it up.  I was wondering why the default WSGIApplicationGroup %{RESOURCE} did not do the trick, so yeah, some background would be good, not at all urgent, when you have time.

Once again, Graham, thanks.

Graham Dumpleton

unread,
Jul 17, 2012, 2:36:01 AM7/17/12
to mod...@googlegroups.com
A little bit more detail.

If you have a site on 8080 and something connects on that port, but
the Host header doesn't match properly the ServerName/ServerAlias,
Apache will fallback to using the very first VirtualHost it found when
parsing the configuration files. This means the request would be
served in that case by port 80 VirtualHost definition.

Best practice would be to define a _default_ VirtualHost for port 80
as very first one Apache finds:

<VirtualHost _default_:*>
Deny from all
</VirtualHost>

So, if something goes wrong with virtual host, will be refused. See:

http://httpd.apache.org/docs/2.2/vhosts/examples.html#default

See if when you do that you get a forbidden indicating that host
mapping wasn't find a match.

Graham
>>> > modwsgi+u...@googlegroups.com.
>>> > For more options, visit this group at
>>> > http://groups.google.com/group/modwsgi?hl=en.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "modwsgi" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/modwsgi/-/vPRlg3namnoJ.
>> To post to this group, send email to mod...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> modwsgi+u...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/modwsgi?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/VpWCLnZSXlkJ.
>
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to
> modwsgi+u...@googlegroups.com.

DougE

unread,
Jul 17, 2012, 2:24:40 PM7/17/12
to mod...@googlegroups.com
For the record, I was unable to get Apache to accept 'Deny' in that context.

I think my httpd.conf was problematic because although main server was bound to 127.0.0.1:8080, my virtual server was defined with *:8080.  

Also, by accident I discovered that although the /moin suburl was called with the https: scheme on the page, I could successfully ask my browser to go to http://mydomain/moin and this not only was successful; it broke things.

By specifying my virtual server as 127.0.0.1:8080 and rewriting the http://.../moin to https://... everything seems to be working .

Given the nature of this anomaly, port 80 and https served with http and inability to specify _default_ virtualhost, can anyone see any un-addressed vulnerability?

>>> > For more options, visit this group at
>>> > http://groups.google.com/group/modwsgi?hl=en.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "modwsgi" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/modwsgi/-/vPRlg3namnoJ.
>> To post to this group, send email to mod...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> For more options, visit this group at
>> http://groups.google.com/group/modwsgi?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/VpWCLnZSXlkJ.
>
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to

Graham Dumpleton

unread,
Jul 17, 2012, 7:57:58 PM7/17/12
to mod...@googlegroups.com
On 17 July 2012 11:24, DougE <helpde...@gmail.com> wrote:
> For the record, I was unable to get Apache to accept 'Deny' in that context.

Try instead:

<VirtualHost _default_:*>
<Location />
Deny from all
</Location>
</VirtualHost>

But your description does sound like it may have been falling back to
the first VirtualHost after not matching the others properly.

Graham
>> >>> > modwsgi+u...@googlegroups.com.
>> >>> > For more options, visit this group at
>> >>> > http://groups.google.com/group/modwsgi?hl=en.
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups
>> >> "modwsgi" group.
>> >> To view this discussion on the web visit
>> >> https://groups.google.com/d/msg/modwsgi/-/vPRlg3namnoJ.
>> >> To post to this group, send email to mod...@googlegroups.com.
>> >> To unsubscribe from this group, send email to
>> >> modwsgi+u...@googlegroups.com.
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/modwsgi?hl=en.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "modwsgi" group.
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msg/modwsgi/-/VpWCLnZSXlkJ.
>> >
>> > To post to this group, send email to mod...@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > modwsgi+u...@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/modwsgi?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/IZQNo7dO2A4J.
>
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to
> modwsgi+u...@googlegroups.com.

DougE

unread,
Jul 17, 2012, 8:04:06 PM7/17/12
to mod...@googlegroups.com
Yes, that parsed okay.
>> >>> > modwsgi+unsubscribe@googlegroups.com.
>> >>> > For more options, visit this group at
>> >>> > http://groups.google.com/group/modwsgi?hl=en.
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups
>> >> "modwsgi" group.
>> >> To view this discussion on the web visit
>> >> https://groups.google.com/d/msg/modwsgi/-/vPRlg3namnoJ.
>> >> To post to this group, send email to mod...@googlegroups.com.
>> >> To unsubscribe from this group, send email to
>> >> modwsgi+unsubscribe@googlegroups.com.
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/modwsgi?hl=en.
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "modwsgi" group.
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msg/modwsgi/-/VpWCLnZSXlkJ.
>> >
>> > To post to this group, send email to mod...@googlegroups.com.
>> > To unsubscribe from this group, send email to
>> > modwsgi+unsubscribe@googlegroups.com.
>> > For more options, visit this group at
>> > http://groups.google.com/group/modwsgi?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/modwsgi/-/IZQNo7dO2A4J.
>
> To post to this group, send email to mod...@googlegroups.com.
> To unsubscribe from this group, send email to
> modwsgi+unsubscribe@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages