
Settings in Apache for a Django app which needs SSL for some pages

My Django app (let me call it partlysecureapp) has an index page which is visible to all. All the other pages (reachable from links on the index page) need the user to log in. I want to use the app with SSL in apache2.

I already have an app (say mysecureapp) deployed on Apache with SSL, which has all pages needing login by the user. I have set the configurations for this as follows.

My apache2 is at /etc/apache2 which has the following directory structure.

/etc/apache2/
            |--conf.d---*charset,security,localized-error-pages* 
            |---mods-available---...
            |---mods-enabled---...
            |---sites-available---default,default-ssl,ssl
            |---sites-enabled---shortcut to ssl
            |---apach2.conf
            |---httpd.conf
            |---ports.conf
            |---magic
            |---envvars

For the secureapp, I have set this in file sites-available/ssl

<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    DocumentRoot /home/dev/python/django/mysecureapp

        SSLEngine on
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/server.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
    ...
    WSGIScriptAlias /mysecureapp /home/dev/python/django/mysecureapp/mysecureapp.wsgi
    Alias /site_media/ /home/dev/python/django/mysecureapp/media/

</VirtualHost>

This works perfectly.

To deploy my partlysecureapp,

http://127.0.0.1:8080/partlysecureapp/ needs to show the index page, which is accessible to all, but

../partlysecureapp/link1/
../partlysecureapp/link2/
../partlysecureapp/link3/

require login and should be served through SSL.

I think I need to add another WSGIScriptAlias for my partlysecureapp. Do I need to add another DocumentRoot for the partlysecureapp? How do I tell Apache to serve the index page from port 8080 and the others through the SSL port?

As of now the /etc/apache2/httpd.conf is blank. Only the sites-available/ssl file has a VirtualHost element.

asked Nov 19 '12 at 14:11 by damon


1 Answer

First of all, let's separate the concerns here: one thing is to require login, another is to require SSL. The former is specific to Django, and should be handled in your views; and for the latter, IMHO you should consider the possibility of serving everything through SSL, as that would simplify your setup a lot. Sure, there's some overhead, and it's up to you to decide whether it matters or not for your particular case.

That said, for your proposed scenario:

  1. To serve anything from plain HTTP, you need to listen to the port 80 (or, in your case, 8080). So you need a separate VirtualHost bound to that port, with a separate WSGI application for itself.

  2. To allow a single path (your index file) from this virtual host, but require everything else to be served by the SSL protected one, you can use mod_rewrite:

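    RewriteEngine On
    # Leave the public index alone (with or without the trailing slash)
    RewriteRule ^/partlysecureapp/?$ - [L,NC]
    # Everything else goes to HTTPS; %{REQUEST_URI} already includes the /partlysecureapp prefix
    RewriteRule (.*) https://127.0.0.1%{REQUEST_URI} [L,R=301]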
    

    The first rule tells Apache not to perform any redirect if the path is exactly like your root path; the second redirects everything else to https (which will be handled by your *:443 virtual host).

    (Note: you might want to serve /site_media without SSL as well)

  3. Then you can simply add your WSGI alias; even if Django sends the user to a different page, Apache will ensure that page is served through SSL.

Your final code would be something like:

<VirtualHost *:8080>
    ServerAdmin webmaster@localhost

    DocumentRoot /home/dev/python/django/partlysecureapp

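    RewriteEngine On
    # Public index page stays on plain HTTP (with or without the trailing slash)
    RewriteRule ^/partlysecureapp/?$ - [L,NC]
    # Media files are served without SSL as well
    RewriteRule ^/site_media - [L,NC]
    # Everything else is redirected to HTTPS; %{REQUEST_URI} already includes /partlysecureapp
    RewriteRule (.*) https://127.0.0.1%{REQUEST_URI} [L,R=301]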

    ...
    WSGIScriptAlias /partlysecureapp /home/dev/python/django/partlysecureapp/partlysecureapp.wsgi
    Alias /site_media/ /home/dev/python/django/partlysecureapp/media/
</VirtualHost>

And your code for the SSL protected virtual host would be identical to the mysecureapp one (using partlysecureapp instead, of course; note also that you can have both apps running side-by-side, just pay attention to your MEDIA and STATIC paths).

answered Oct 16 '22 at 06:10 by mgibsonbr
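
The all-SSL setup that the answer suggests considering, written out as an added example (it is not part of the original answer): the port 8080 host only redirects, and the index page stays public because login is enforced in the Django views, not by Apache. Paths and certificate locations are the ones given in the question and answer; the directives elided there with `...` are not reproduced.

```apache
# Added example, not from the original answer.

# Plain HTTP: no WSGI application is mounted here, so no page of the
# app is ever served unencrypted.
<VirtualHost *:8080>
    ServerAdmin webmaster@localhost

    # mod_alias prefix redirect: the rest of the path is appended, so
    # /partlysecureapp/link1/ goes to https://127.0.0.1/partlysecureapp/link1/
    Redirect permanent / https://127.0.0.1/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    # DocumentRoot is deliberately not pointed at the project directory:
    # Apache could then serve the project's source files as static content.

    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # The public index and the login-protected pages are served by the
    # same application, all of it over SSL.
    WSGIScriptAlias /partlysecureapp /home/dev/python/django/partlysecureapp/partlysecureapp.wsgi

    # If mysecureapp is mounted in this virtual host as well, the two
    # apps need distinct media aliases.
    Alias /site_media/ /home/dev/python/django/partlysecureapp/media/
</VirtualHost>
```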