mod_python and mod_wsgi no longer compatible

[Mike L]

Per: https://www.modwsgi.org/en/develop/user-guides/installation-issues.html

Using mod_python and mod_wsgi together is no longer supported and recent versions of mod_wsgi will cause the startup of Apache to be aborted if both are loaded at the same time.

This is true now of these versions of mod_wsgi in the last two Ubuntu releases:

libapache2-mod-wsgi-py3/jammy-updates,jammy-security,now 4.9.0-1ubuntu0.1 amd64

libapache2-mod-wsgi-py3/noble 5.0.0-1build2 amd64

I get the same error from both:

The mod_python module can not be used in conjunction with mod_wsgi 4.0+. Remove the mod_python module from the Apache configuration.
AH00016: Configuration Failed

Is there a workaround for this or fix planned? I need to run subversion in the same webserver instance so standalone trac webserver isn't viable (also with standalone server our pentests flag http-only cookies as vulnerability).

The cookies:
Set-Cookie: trac_form_token=***replaced***; HttpOnly; Path=/
Set-Cookie: trac_session=***replaced***; expires=Tue, 01 Apr 2025 07:19:16 GMT; HttpOnly; Path=/
are missing the "secure" attribute

I'd proxy standalone to get my subversion working, but don't think that fixes http-only cookies

[Jun Omae]

On Wed, Jan 22, 2025 at 5:54 Mike L <orob...@gmail.com> wrote:

Per: https://www.modwsgi.org/en/develop/user-guides/installation-issues.html

Using mod_python and mod_wsgi together is no longer supported and recent versions of mod_wsgi will cause the startup of Apache to be aborted if both are loaded at the same time.

This is true now of these versions of mod_wsgi in the last two Ubuntu releases:

libapache2-mod-wsgi-py3/jammy-updates,jammy-security,now 4.9.0-1ubuntu0.1 amd64

libapache2-mod-wsgi-py3/noble 5.0.0-1build2 amd64

I get the same error from both:

The mod_python module can not be used in conjunction with mod_wsgi 4.0+. Remove the mod_python module from the Apache configuration.
AH00016: Configuration Failed

That is not an issue of Trac. Ask on mod_wsgi forum, not here.

Is there a workaround for this or fix planned? I need to run subversion in the same webserver instance so standalone trac webserver isn't viable (also with standalone server our pentests flag http-only cookies as vulnerability).

The cookies:
Set-Cookie: trac_form_token=***replaced***; HttpOnly; Path=/
Set-Cookie: trac_session=***replaced***; expires=Tue, 01 Apr 2025 07:19:16 GMT; HttpOnly; Path=/
are missing the "secure" attribute

I'd proxy standalone to get my subversion working, but don't think that fixes http-only cookies

Use [trac] secure_cookies option.

https://trac.edgewall.org/wiki/TracIni#trac-secure_cookies-option

[Mike L]

Thanks for the pointer to secure_cookies option.

The trac installation instructions say:

• ​Apache with
  • ​mod_wsgi, see TracModWSGI and ​ModWSGI IntegrationWithTrac.
  • ​mod_python 3.5.0, see TracModPython

So as it stands now it isn't possible to run trac under apache because of this conflict. This is what I'm hoping is going to be remedied in a future release.

[Jun Omae]

On 2025/01/22 15:36, Mike L wrote:
> Thanks for the pointer to secure_cookies option.
>
> The trac installation instructions say:
>

> # ​Apache <https://httpd.apache.org/> with
>
> * ​mod_wsgi <https://github.com/GrahamDumpleton/mod_wsgi>, see TracModWSGI <https://trac.edgewall.org/wiki/TracModWSGI> and ​ModWSGI IntegrationWithTrac <https://code.google.com/p/modwsgi/wiki/IntegrationWithTrac>.
> * ​mod_python 3.5.0 <https://modpython.org/>, see TracModPython <https://trac.edgewall.org/wiki/TracModPython>

The mod_wsgi and mod_python cannot be used in the same time. If you want to use mod_wsgi, mod_python must be disabled (or uninstalled). If you want to use mod_python, mod_wsgi must be disabled (or uninstalled).

> So as it stands now it isn't possible to run trac under apache because of this conflict. This is what I'm hoping is going to be remedied in a future release.

Impossible. That is a technical issue of Python interpreter in mod_wsgi and mod_python. That is not a Trac issue.

--
Jun Omae <jun...@gmail.com> (大前 潤)

[Daniel Sahlberg]

onsdag 22 januari 2025 kl. 08:34:25 UTC+1 skrev Jun Omae:

On 2025/01/22 15:36, Mike L wrote:
> Thanks for the pointer to secure_cookies option.
>
> The trac installation instructions say:
>
> # ​Apache <https://httpd.apache.org/> with
>
> * ​mod_wsgi <https://github.com/GrahamDumpleton/mod_wsgi>, see TracModWSGI <https://trac.edgewall.org/wiki/TracModWSGI> and ​ModWSGI IntegrationWithTrac <https://code.google.com/p/modwsgi/wiki/IntegrationWithTrac>.
> * ​mod_python 3.5.0 <https://modpython.org/>, see TracModPython <https://trac.edgewall.org/wiki/TracModPython>

The mod_wsgi and mod_python cannot be used in the same time. If you want to use mod_wsgi, mod_python must be disabled (or uninstalled). If you want to use mod_python, mod_wsgi must be disabled (or uninstalled).

I understand the intended meaning but it could be interpreted the wrong way. How about adding some small words to make it explicit that mod_wsgi and mod_python are mutually exclusive?

[[[

Index: INSTALL.rst
===================================================================
--- INSTALL.rst (revision 17872)
+++ INSTALL.rst (working copy)
@@ -155,12 +155,12 @@
 Alternatively you can configure Trac to run in any of the following
 environments:

--  `Apache <https://httpd.apache.org/>`__ with
+-  `Apache <https://httpd.apache.org/>`__ with one of:

    -  `mod_wsgi <https://github.com/GrahamDumpleton/mod_wsgi>`__, see
       `TracModWSGI <https://trac.edgewall.org/wiki/TracModWSGI>`__ and
       `ModWSGI
-      IntegrationWithTrac <https://code.google.com/p/modwsgi/wiki/IntegrationWithTrac>`__.
+      IntegrationWithTrac <https://code.google.com/p/modwsgi/wiki/IntegrationWithTrac>`__, or:
    -  `mod_python 3.5.0 <http://modpython.org/>`__, see
       `TracModPython <https://trac.edgewall.org/wiki/TracModPython>`__

]]]

Kind regards,

Daniel