Settings in Apache for a Django application which requires SSL for some pages

In my Django application (let me call it partlysecureapp) there is an index page that is visible to everyone. All other pages (accessible from links on the index page) require the user to be logged in. I want to use SSL for the application in apache2.

I already have an application (say mysecureapp) deployed on Apache with SSL, in which all the pages require user login. I set up the following configuration for it.

My apache2 is located in /etc/apache2, which has the following directory structure.

    /etc/apache2/
    |--conf.d---*charset,security,localized-error-pages*
    |---mods-available---...
    |---mods-enabled---...
    |---sites-available---default,default-ssl,ssl
    |---sites-enabled---shortcut to ssl
    |---apach2.conf
    |---httpd.conf
    |---ports.conf
    |---magic
    |---envvars

For secureapp I installed this in the sites-available/ssl file

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /home/dev/python/django/mysecureapp
        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        ...
        WSGIScriptAlias /mysecureapp /home/dev/python/django/mysecureapp/mysecureapp.wsgi
        Alias /site_media/ /home/dev/python/django/mysecureapp/media/
    </VirtualHost>

This works great.

To deploy my partlysecureapp,

http://127.0.0.1:8080/partlysecureapp/ must show the index page, accessible to all, but

    ../partlysecureapp/link1/
    ../partlysecureapp/link2/
    ../partlysecureapp/link3/

require login and must be sent via SSL.

I think I need to add another WSGIScriptAlias for my partlysecureapp. Do I need to add another DocumentRoot for partlysecureapp? How do I tell Apache to serve the index page from port 8080 and the others via the SSL port?

At the moment, /etc/apache2/httpd.conf is empty. Only the sites-available/ssl file has a VirtualHost element.

+7
1 answer

First of all, let me separate the concerns here: one is to require a login, and the other is to require SSL. The first relates to Django and should be handled in your views; as for the latter, IMHO, you should consider serving everything through SSL, which will simplify your setup. Of course, there is some overhead, and it is up to you to decide whether this matters or not for your particular case.

However, for your proposed scenario:

  • To serve anything over plain HTTP, you need to listen on port 80 (or, in your case, 8080). Therefore, you need a separate VirtualHost bound to this port, with a separate WSGI application of its own.

  • To allow a single path (your index file) from this virtual host, but require that everything else be protected by SSL, you can use mod_rewrite:

        RewriteEngine On
        # Leave the index alone, with or without a trailing slash
        RewriteRule ^/partlysecureapp/?$ - [L,NC]
        # %{REQUEST_URI} already starts with /partlysecureapp
        RewriteRule (.*) https://127.0.0.1%{REQUEST_URI} [L,R=301]

    The first rule tells Apache not to redirect if the path is exactly like your root path; the second redirects everything else to https (which will be processed by your virtual host *:443 ).

    (Note: you can use /site_media without SSL)

  • Then you can simply add your WSGI alias; even if Django sends the user to another page, Apache guarantees that the page will be served over SSL.

The final code will look something like this:

    <VirtualHost *:8080>
        ServerAdmin webmaster@localhost
        DocumentRoot /home/dev/python/django/partlysecureapp

        RewriteEngine On
        # Index page (with or without trailing slash) and media stay on HTTP
        RewriteRule ^/partlysecureapp/?$ - [L,NC]
        RewriteRule ^/site_media - [L,NC]
        # Everything else goes to HTTPS; %{REQUEST_URI} already includes /partlysecureapp
        RewriteRule (.*) https://127.0.0.1%{REQUEST_URI} [L,R=301]
        ...
        WSGIScriptAlias /partlysecureapp /home/dev/python/django/partlysecureapp/partlysecureapp.wsgi
        Alias /site_media/ /home/dev/python/django/partlysecureapp/media/
    </VirtualHost>

And your code for the SSL-protected virtual host will be identical to the mysecureapp one (using partlysecureapp instead; note also that you can have both applications running side by side, just pay attention to MEDIA and STATIC).

+5
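
Added example, not part of the original answer: a simplified offline model of how the three rewrite rules in the `*:8080` virtual host treat request paths, comparing a catch-all substitution that prepends `/partlysecureapp` to `%{REQUEST_URI}` with one that does not, and an index pattern with and without an optional trailing slash. The function and variable names (`evaluate`, `make_rules`, `PREFIXED`, `PLAIN`, `audit`) and the sample paths are constructed for illustration, and the model assumes virtual-host context, where `%{REQUEST_URI}` is the full request path.

```python
import re

# Simplified model of mod_rewrite in virtual-host context: patterns are matched
# against the URL path, "-" leaves the request untouched, and %{REQUEST_URI}
# expands to the full request path. Every rule here carries [L], so the first
# matching rule decides. Query strings are not modelled.
def evaluate(rules, path):
    """Return ("serve-http", path) or ("redirect-301", location)."""
    for pattern, substitution, flags in rules:
        if not re.search(pattern, path, re.IGNORECASE if "NC" in flags else 0):
            continue
        if substitution == "-":
            return ("serve-http", path)
        return ("redirect-301", substitution.replace("%{REQUEST_URI}", path))
    return ("serve-http", path)  # nothing matched: request stays on plain HTTP


def make_rules(index_pattern, substitution):
    """The three rules of the *:8080 virtual host, in order."""
    return [
        (index_pattern, "-", {"L", "NC"}),
        (r"^/site_media", "-", {"L", "NC"}),
        (r"(.*)", substitution, {"L", "R=301"}),
    ]


# Variant A: prefix repeated in the substitution, index pattern without a slash.
PREFIXED = make_rules(r"^/partlysecureapp$",
                      "https://127.0.0.1/partlysecureapp%{REQUEST_URI}")
# Variant B: %{REQUEST_URI} on its own, trailing slash on the index optional.
PLAIN = make_rules(r"^/partlysecureapp/?$", "https://127.0.0.1%{REQUEST_URI}")

# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = ["/partlysecureapp", "/partlysecureapp/",
                "/partlysecureapp/link1/", "/site_media/style.css"]


def audit(rules, paths=SAMPLE_PATHS):
    """Map each sample path to the decision the rule set makes for it."""
    return {p: evaluate(rules, p) for p in paths}


if __name__ == "__main__":
    for name, rules in (("prefixed", PREFIXED), ("plain", PLAIN)):
        print(name)
        for path, (action, target) in audit(rules).items():
            print(f"  {path:26} {action:13} {target}")
```

Variant A sends `/partlysecureapp/link1/` to a URL with the prefix doubled and redirects the index when it is requested with a trailing slash; variant B keeps the index on HTTP in both spellings and redirects every other application path to the same path under HTTPS.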