Selective ErrorDocument Django WSGI

96 views
Skip to first unread message

Mitch

unread,
Sep 17, 2015, 1:55:51 PM9/17/15
to modwsgi
overview: for this project i am implementing an API that is typically called via curl, and all output back to the client (curl) is required to be JSON formatted.

i have Django server code that in some instances returns specifically formatted text to the client with specific HTTP error codes; in other cases, e.g. authorization failure that doesn't get to my server code, i want Apache ErrorDocument to call a script to format text with the error code back to the client.

i have not been successful in getting this to work in my Apache con file using  "WSGIErrorOverride On" with "ErrorDocument nun /script" as with this configuration if my Django server code sends back an HTTP error code in ErrorDocument that overrides what that script intended to be sent by calling the ErrorDocument /script.

i also tried ensuring that the ErrorDocument HTTP codes and those sent by my server script were mutually exclusive. in that case, the HTTP error text and code sent from my Django server script is not sent back to the client since there is no corresponding ErrorDocument.

any ideas on how to get this work are appreciated!


Mitch

unread,
Sep 17, 2015, 3:25:05 PM9/17/15
to modwsgi
if there was some way that my ErrorDocument /script had some notion of context on the flow to its invocation, e.g. client -> apache -> wsgi -> django -> my-server-code -> /script, then /script might be able to not override what was sent in my-server-code; and when it knows that my-server-code was not in the flow, it can do the more generic error processing, e.g. for an auth error.

Graham Dumpleton

unread,
Sep 17, 2015, 3:58:05 PM9/17/15
to mod...@googlegroups.com
Can you confirm whether all error codes are being generated by either Django or your server code? If so, you could use your own WSGI middleware around Django.

Graham

On 17 Sep 2015, at 3:25 pm, Mitch <mitch.g...@gmail.com> wrote:

if there was some way that my ErrorDocument /script had some notion of context on the flow to its invocation, e.g. client -> apache -> wsgi -> django -> my-server-code -> /script, then /script might be able to not override what was sent in my-server-code; and when it knows that my-server-code was not in the flow, it can do the more generic error processing, e.g. for an auth error.

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
To post to this group, send email to mod...@googlegroups.com.
Visit this group at http://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.

Mitch

unread,
Sep 17, 2015, 4:14:08 PM9/17/15
to modwsgi
  1. error codes and text from my django server-side script work if i disable WSGIErrorOverride, i.e. i see them back to the client.
  2. however, in that state, any HTTP error code that occurs before it gets to my django server-side script does not feed through the error-script i specify in the Apache con ErrorDocument directive.
my goal is for 1 as above, and for 2 to call the ErrorDocument error-script vs. the canned django reply (not form my django-server-side-script), e.g. for a 404.
Message has been deleted

Mitch

unread,
Sep 17, 2015, 4:40:04 PM9/17/15
to modwsgi
perhaps this will help as there might something i am doing wrong in here...

<VirtualHost *:80>
 RewriteEngine on
 RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=permanent]
 SSLCACertificateFile /etc/httpd/conf/rootCA.crt
 SSLCACertificatePath /etc/httpd/conf/
</VirtualHost>

WSGIRestrictStdout Off
WSGISocketPrefix run/wsgi

WSGIScriptAlias /auth  /usr/local/lib/python2.7/site-packages/sis/auth/sissite/wsgi.py
WSGIScriptAlias /medv3 /usr/local/lib/python2.7/site-packages/medv3/wsgi.py
WSGIScriptAlias /      /usr/local/lib/python2.7/site-packages/medv3/wsgi.py

LDAPVerifyServerCert off

ScriptAlias /apierrors /usr/local/lib/python2.7/site-packages/medv3/threats/api/api_https_error.py

<Location "/apierrors">
 # enable Apache to process the following HTTP error codes
 WSGIErrorOverride On
 #
 # 400 Bad Request
 ErrorDocument 400 /apierrors
 # 401 Unauthorized
 ErrorDocument 401 /apierrors
 # 403 Forbidden
 ErrorDocument 403 /apierrors
 # 404 Not Found
 ErrorDocument 404 /apierrors
 # 406 Not Found
 ErrorDocument 406 /apierrors
 # 500 Internal Server Error
 ErrorDocument 500 /apierrors

 Order deny,allow
 Allow from all
</Location>

<Location "/medv3/api/v1">
 AuthName "MEDv3 API LDAP"
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative off
 AuthLDAPUrl ldaps://<SERVER>:636/dc=zzz,dc=aaa,dc=bbb,dc=tld
 Require ldap-group cn=medv3,ou=group,dc=zzz,dc=aaa,dc=bbb,dc=tld
 Require valid-user
 WSGIPassApacheRequest On

 # enable Apache to process the following HTTP error codes
 WSGIErrorOverride On
 #
 # 400 Bad Request
 ErrorDocument 400 /apierrors
 # 401 Unauthorized
 ErrorDocument 401 /apierrors
 # 403 Forbidden
 ErrorDocument 403 /apierrors
 # 404 Not Found
 ErrorDocument 404 /apierrors
 # 406 Not Found
 ErrorDocument 406 /apierrors
 # 500 Internal Server Error
 ErrorDocument 500 /apierrors

 Order deny,allow
 Allow from ALL
</Location>

Graham Dumpleton

unread,
Sep 17, 2015, 7:17:31 PM9/17/15
to mod...@googlegroups.com
WSGIErrorOverride only does anything if you are using daemon mode. Your configuration suggests you are using embedded mode.

One should always use daemon mode unless you have a good reason not to. Is there a reason you are using  embedded mode?

Even if using daemon mode, WSGIErrorOverride has no effect on error code returned by auth handlers. Apache dictates what they are.

Graham

Mitch

unread,
Sep 17, 2015, 7:30:50 PM9/17/15
to modwsgi
Another Apache *.conf is invoked prior to the one included above containing

WSGIDaemonProcess app user=apache processes=3 threads=1

Bottom line: how can I get Apache to call the script named in ErrorDocument while any Django HttpResponse return from my server-side-django-script does NOT activate and call the ErrorDocument script? I.e. my django-server-side-script implementing my API can return JSON text with specified HTTP error codes directly to the client without triggering the ErrorDocument script, AND any HTTP error encountered in Apache BEFORE getting to my django-server-side-script will invoke the ErrorDocument script. I could also tolerate a configuration where Apache trapped error codes, e.g. Unauthorized, somehow call a function within my django-server-side-script.

The issue is that as-is now, Apache caught errors work fine, but any Django HttpResponse return from my server-side-django-script is also triggering and running the ErrorDocument script which looses the text and HTTP error code that was sent as per the Django HttpResponse return from my server-side-django-script and intended to get to the client.

Reply all
Reply to author
Forward
0 new messages