
Conclusion of this question

1. What I wanted to do in the first place.

I wanted to allow only some users in Django to upload files. I could write code to do that in the Django web framework. But if you set the upload folder to r__ permissions, you can't upload files in the first place. I just set my upload folder to drwxrwxrwx 777 permissions to let my users in Django upload files. Leaving your folder with 777 permissions clearly seems a bad idea for security reasons. I wanted to set my media folder to 774 or 764.

My searching into Apache authentication and mod_wsgi started from my wrong understanding. I thought I could let users in Django have owner or group permissions in Ubuntu. For example, if you, a user in Django, are in a group named 'tester', you can access a folder that has 'drwxrwxr__ tester tester'.

And I thought Apache authentication could only be used in embedded mode. But that was my misunderstanding.

In conclusion, I can solve my problem by setting owner and group permissions to follow the Apache default user or (more secure) the user/group you set with the options of WSGIDaemonProcess. Then you manage which users can upload files to your media file in Django (I would use the PermissionMixin class).

Additionally, this is what I understood here, and how.

1) WSGIDaemon mode is recommended in most cases. Check Graham Dumpleton's article here. It seems embedded mode could be more efficient if you use just simple code.

2) 'you can expect to see slowdowns once you get above a few hundred entries, and may wish to consider a different authentication method at that time'. This kind of slowdown is caused when using an htpasswd file with Apache AuthUserFile. But if you let Django do authentication, it bypasses the scanning of a flat file. So this is not the case when you hook Django authentication into mod_wsgi.

Down below, I put a link on how to solve an error caused by the version of mod_wsgi and the version of Python, and explain how I fixed my code to set embedded mode, thanks to @Graham Dumpleton.

Procedure of how I solved my errors when I set embedded mode

First, I didn't have a problem working with daemon mode of mod_wsgi.

I wanted to use embedded mode of mod_wsgi with virtualenv. The reason why I wanted to use embedded mode is to use Apache basic or digest authentication with mod_wsgi. According to this, 'By default the auth providers are executed in context of first interpreter created by Python. ie., '%{GLOBAL}' and always in the Apache child processes, never in a daemon process'. I understood that I can use Apache basic or digest authentication only with embedded mode of mod_wsgi.

1. Error because of low version of mod_wsgi

If you install libapache2-mod-wsgi-py3 by apt-get in Ubuntu 14 or 16, the version of it is 3.4; according to this link, mod_wsgi version 4.2+ is needed for Python 3.4. I installed mod_wsgi 4.5.7 following the instructions in that link. No more error.

2. Error with WSGIPythonPath

I followed the instructions in the Django docs. I kept getting an error and I figured out that it doesn't work with virtualenv. I found this article. I thought this was a way to solve my problem but it still doesn't work. I can't understand why it doesn't work and can't find a better resource than the links I mentioned.

<VirtualHost *:80>

WSGIScriptAlias / /home/cango/myproject/myproject/wsgi.py

WSGIPythonPath home/cango/myvenv/lib/python3.5/site-packages
# I also tried /home/~ I put / at very beginning. It didn't work too.

        <Directory /home/cango/myproject/myproject>
            <Files wsgi.py>
                Require all granted
            </Files>
        </Directory>
</VirtualHost> 

But if I change it a little bit to use daemon mode like below, it works!

<VirtualHost *:80>

WSGIDaemonProcess cango python-path=/home/cango/myproject:home/cango/myvenv/lib/Python3.5/site-packages
WSGIProcessGroup cango
WSGIScriptAlias / /home/cango/myproject/myproject/wsgi.py

#WSGIPythonPath home/cango/myvenv/lib/python3.5/site-packages

        <Directory /home/cango/myproject/myproject>
            <Files wsgi.py>
                Require all granted
            </Files>
        </Directory>
</VirtualHost>

Exactly the same except a few lines for daemon mode.

------------------- when I applied according to comments-------------------

1. Both WSGIPythonPath and WSGIPythonHome shouldn't be inside of a VirtualHost.

I added WSGIPythonPath in wsgi.conf under /etc/apache2/mods-available

wsgi.conf

<IfModule mod_wsgi.c>
    WSGIPythonHome /usr/local/pythonenv
    #WSGIPythonPath /usr/local/pythonenv/lib/python3.5/site-packages
    #From comment, I don't need to add WSGIPythonPath, WSGIPythonHome is enough to set
</IfModule>

I left wsgi.load under /etc/apache2/mods-available the same, as below

wsgi.load

LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi-py35.cpython-35m-x86_64-linux-gnu.so

I removed WSGIPythonPath in VirtualHost setting.

000-default.conf

<VirtualHost *:80>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        WSGIScriptAlias / /home/cango/myproject/myproject/wsgi.py

        <Directory /home/cango/myproject/myproject>
            <Files wsgi.py>
                Require all granted
            </Files>
        </Directory>
</VirtualHost>

Now I don't get the error which I had before, 'WSGIPythonPath something error'. But when I hit my IP address, it shows 500 Internal Server Error. If I test with python manage.py runserver 0.0.0.0:8000 and enter my IP address:8000/, I can see the Django page.

apache2ctl -M: I can see wsgi_module

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 setenvif_module (shared)
 status_module (shared)
 wsgi_module (shared)

service apache2 status

apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Sat 2016-11-19 03:19:36 UTC; 2min 25s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 19444 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 18407 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
  Process: 19471 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)
    Tasks: 55
   Memory: 43.2M
      CPU: 768ms
   CGroup: /system.slice/apache2.service
           ├─19488 /usr/sbin/apache2 -k start
           ├─19491 /usr/sbin/apache2 -k start
           └─19492 /usr/sbin/apache2 -k start

Nov 19 03:19:36 server4.cango.com systemd[1]: Stopped LSB: Apache2 web server.
Nov 19 03:19:36 server4.cango.com systemd[1]: Starting LSB: Apache2 web server...
Nov 19 03:19:36 server4.cango.com apache2[19471]:  * Starting Apache httpd web server apache2
Nov 19 03:19:36 server4.cango.com apache2[19471]:  *
Nov 19 03:19:36 server4.cango.com systemd[1]: Started LSB: Apache2 web server.

If I run a2dismod wsgi and then service apache2 restart, it causes an error. It seems I can't restart with wsgi_mod disabled because I set WSGIScriptAlias.

Nov 19 03:22:59 server4.cango.com apache2[19746]:  * Starting Apache httpd web server apache2
Nov 19 03:22:59 server4.cango.com apache2[19746]:  *
Nov 19 03:22:59 server4.cango.com apache2[19746]:  * The apache2 configtest failed.
Nov 19 03:22:59 server4.cango.com apache2[19746]: Output of config test was:
Nov 19 03:22:59 server4.cango.com apache2[19746]: AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-def
Nov 19 03:22:59 server4.cango.com apache2[19746]: Invalid command 'WSGIScriptAlias', perhaps misspelled or defined by a
Nov 19 03:22:59 server4.cango.com apache2[19746]: Action 'configtest' failed.
Nov 19 03:22:59 server4.cango.com apache2[19746]: The Apache error log may have more information.
Nov 19 03:22:59 server4.cango.com systemd[1]: apache2.service: Control process exited, code=exited status=1
Nov 19 03:22:59 server4.cango.com systemd[1]: Failed to start LSB: Apache2 web server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit apache2.service has failed.
--
-- The result is failed.
Nov 19 03:22:59 server4.cango.com systemd[1]: apache2.service: Unit entered failed state.
Nov 19 03:22:59 server4.cango.com systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 19 03:23:50 server4.cango.com sudo[19822]:     root : TTY=pts/1 ; PWD=/home/cango/jaemyun ; USER=root ; COMMAND=/bin
Nov 19 03:23:50 server4.cango.com sudo[19822]: pam_unix(sudo:session): session opened for user root by root(uid=0)

Well, I wonder what mistake I made. Still 500 Internal Server Error.

2. Nothing prevents you from using daemon mode for your WSGI application at the same time as using the authnz handlers.

From the link which I mentioned above, it says "if the authentication check is making use of the internals of some Python web framework, it is recommended that the application using that web framework also be run in embedded mode and the same application group".

So I thought I need to use embedded mode with Django framework.

-------------------------- fixed by another comment ----------------------------

I checked the error log in Apache. There was an error and it seems it has a problem loading the wsgi script in my Django project. Well, above, I changed the folder name 'jaemyun' to 'myproject'. There is a wsgi.py file which was automatically made by Django under the /home/cango/jaemyun/jaemyun/ path. Why does it say that it can't load it???

No module named 'jaemyun', referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.525510 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058] mod_wsgi (pid=11755): Target WSGI script '/home/cango/jaemyun/jaemyun/wsgi.py' cannot be loaded as Python module.
[Sun Nov 20 10:37:24.525600 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058] mod_wsgi (pid=11755): Exception occurred processing WSGI script '/home/cango/jaemyun/jaemyun/wsgi.py'.
[Sun Nov 20 10:37:24.525801 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058] Traceback (most recent call last):
[Sun Nov 20 10:37:24.525866 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/home/cango/jaemyun/jaemyun/wsgi.py", line 16, in <module>
[Sun Nov 20 10:37:24.525872 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     application = get_wsgi_application()
[Sun Nov 20 10:37:24.525880 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/core/wsgi.py", line 13, in get_wsgi_application
[Sun Nov 20 10:37:24.525885 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     django.setup(set_prefix=False)
[Sun Nov 20 10:37:24.525893 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/__init__.py", line 22, in setup
[Sun Nov 20 10:37:24.525909 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
[Sun Nov 20 10:37:24.525917 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/conf/__init__.py", line 53, in __getattr__
[Sun Nov 20 10:37:24.525921 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     self._setup(name)
[Sun Nov 20 10:37:24.525928 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/conf/__init__.py", line 41, in _setup
[Sun Nov 20 10:37:24.525932 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     self._wrapped = Settings(settings_module)
[Sun Nov 20 10:37:24.525939 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/conf/__init__.py", line 97, in __init__
[Sun Nov 20 10:37:24.525943 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     mod = importlib.import_module(self.SETTINGS_MODULE)
[Sun Nov 20 10:37:24.525950 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "/usr/local/pythonenv/lib/python3.5/importlib/__init__.py", line 126, in import_module
[Sun Nov 20 10:37:24.525954 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]     return _bootstrap._gcd_import(name[level:], package, level)
[Sun Nov 20 10:37:24.525961 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 986, in _gcd_import
[Sun Nov 20 10:37:24.525968 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 969, in _find_and_load
[Sun Nov 20 10:37:24.525975 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 944, in _find_and_load_unlocked
[Sun Nov 20 10:37:24.525982 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 222, in _call_with_frames_removed
[Sun Nov 20 10:37:24.525988 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 986, in _gcd_import
[Sun Nov 20 10:37:24.525995 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 969, in _find_and_load
[Sun Nov 20 10:37:24.526002 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058]   File "<frozen importlib._bootstrap>", line 956, in _find_and_load_unlocked
[Sun Nov 20 10:37:24.526023 2016] [wsgi:error] [pid 11755:tid 140507221055232] [client 124.80.108.6:64058] ImportError: No module named 'jaemyun'
[Sun Nov 20 10:37:24.564690 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057] mod_wsgi (pid=11755): Target WSGI script '/home/cango/jaemyun/jaemyun/wsgi.py' cannot be loaded as Python module., referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564729 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057] mod_wsgi (pid=11755): Exception occurred processing WSGI script '/home/cango/jaemyun/jaemyun/wsgi.py'., referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564889 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057] Traceback (most recent call last):, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564947 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/home/cango/jaemyun/jaemyun/wsgi.py", line 16, in <module>, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564953 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     application = get_wsgi_application(), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564961 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/core/wsgi.py", line 13, in get_wsgi_application, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564972 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     django.setup(set_prefix=False), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564981 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/__init__.py", line 22, in setup, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564985 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     configure_logging(settings.LOGGING_CONFIG, settings.LOGGING), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564992 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/conf/__init__.py", line 53, in __getattr__, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.564997 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     self._setup(name), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565004 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/conf/__init__.py", line 41, in _setup, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565008 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     self._wrapped = Settings(settings_module), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565015 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/usr/local/pythonenv/lib/python3.5/site-packages/django/conf/__init__.py", line 97, in __init__, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565019 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     mod = importlib.import_module(self.SETTINGS_MODULE), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565026 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "/usr/local/pythonenv/lib/python3.5/importlib/__init__.py", line 126, in import_module, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565030 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]     return _bootstrap._gcd_import(name[level:], package, level), referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565037 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 986, in _gcd_import, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565044 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 969, in _find_and_load, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565052 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 944, in _find_and_load_unlocked, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565059 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 222, in _call_with_frames_removed, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565066 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 986, in _gcd_import, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565073 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 969, in _find_and_load, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565080 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057]   File "<frozen importlib._bootstrap>", line 956, in _find_and_load_unlocked, referer: http://169.56.70.181/
[Sun Nov 20 10:37:24.565097 2016] [wsgi:error] [pid 11755:tid 140507204269824] [client 124.80.108.6:64057] ImportError: No module named 'jaemyun', referer: http://169.56.70.181/

Last change.

wsgi.conf

<IfModule mod_wsgi.c>
    WSGIPythonHome /usr/local/pythonenv
    WSGIPythonPath /home/cango/jaemyun
</IfModule>

I had to set WSGIPythonPath and point it to my Django project path. Now it works!

Jayground
  • Explain the actual error you are getting. Nothing prevents you from using daemon mode for your WSGI application at the same time as using the authnz handlers. The main WSGI application will still run in the daemon process, and the authentication or authorization handler will be run in the Apache child processes. BTW, you cannot use ``home/cango/...``, it must be an absolute path. You should preferably use ``WSGIPythonHome`` to specify root of Python virtual environment for embedded mode, and ``python-home`` option to ``WSGIDaemonProcess`` for daemon processes. – Graham Dumpleton Nov 18 '16 at 09:38
  • Both ``WSGIPythonPath`` and ``WSGIPythonHome`` shouldn't be inside of a ``VirtualHost`` though as they have to apply to the whole Apache and can't apply to just one ``VirtualHost``. – Graham Dumpleton Nov 18 '16 at 09:40
  • You don't need that ``WSGIPythonPath`` you added. The ``WSGIPythonHome`` does the same thing for the paths you used and is better. You probably mean to set ``WSGIPythonPath`` to ``/home/cango/myproject``. You still haven't explained the actual error you are getting. Please define 'does not work'. – Graham Dumpleton Nov 19 '16 at 03:17
  • I edited my original question after trying in a way I understood from your comments. I tried to explain in more detail this time. please check it. – Jayground Nov 19 '16 at 03:31
  • When you get the 500, is there an error in the Apache error log at the same time? If there isn't, then the 500 error message is likely coming from Django. You should try turning on DEBUG in Django, or enable Django logging to log exception details to the log file. Also make sure ``LogLevel`` in Apache is at least ``info`` and not just ``warn``. By being ``info`` you can verify that mod_wsgi actually attempted to load your code. – Graham Dumpleton Nov 19 '16 at 03:55
  • There is an error in Apache. I checked the error logs and there were errors. I updated my question with the error log. There is a wsgi.py file under the path /home/cango/jaemyun/jaemyun. I can't understand why it can't load it. Additionally, don't you have an opinion on my idea in part '2. Nothing prevents ~' of the question? – Jayground Nov 20 '16 at 11:05
  • Have you added ``WSGIPythonPath to /home/cango/jaemyun`` like I said above you likely would need to? I only said to remove ``WSGIPythonPath`` as you had it because it duplicated what ``WSGIPythonHome`` did. I said you would still need ``WSGIPythonPath`` to indicate where the parent directory of your project was. – Graham Dumpleton Nov 20 '16 at 11:09
  • As to using embedded for your full WSGI application, go read http://blog.dscpl.com.au/2012/10/why-are-you-using-embedded-mode-of.html You should avoid it if you can. Only run most minimal code you can get away for authentication handler in embedded mode. – Graham Dumpleton Nov 20 '16 at 11:10
  • Now it works in the embedded mode. Thanks. I read your blog post. I knew that daemon mode is recommended in general. I misunderstood that I should use the embedded mode to use basic or digest authentication in Apache. Well, I can manage permissions in Django, like an authenticated (in the Django web application) user can access views (urls) or post something. But it doesn't mean that it was authenticated in Apache. Now I am confused. In which case can you consider using Apache basic or digest authentication when you use the Django framework? – Jayground Nov 20 '16 at 12:21
  • According to [here](https://httpd.apache.org/docs/2.4/en/howto/auth.html), it says 'you can expect to see slowdowns once you get above a few hundred entries, and may wish to consider a different authentication method at that time.'. It doesn't seem it's a good idea to use Apache authentication if you have many users to check. I started this because I wanted to let only users who have a specific permission in Django upload pictures. But I wanted to change the Linux directory's permission to +w for those users who have upload permission. Currently I set it as chmod 777 to let them upload – Jayground Nov 20 '16 at 12:24
  • Yes, definitely sounds like you are confused. Why are you wanting to use Apache level authentication handler in the first place anyway? That comment about slowdown is when using htpasswd file with Apache ``AuthUserFile`` which you wouldn't be doing if using mod_wsgi auth handler hooks as the point would usually be for the authentication to be done against account database managed by Django. UNIX file permissions also has nothing to do with anything as using authentication doesn't change what UNIX user code runs as. – Graham Dumpleton Nov 20 '16 at 19:34
  • I see. So if you set Django to manage authentication, like adding from django.contrib.auth.handlers.modwsgi import check_password, groups_for_user from django.core.handlers.wsgi import WSGIHandler, it means you don't use an htpassword file because you are using Django to do that on behalf of htpassword. Did I understand correctly? So it is not a case where you see slowdown if you are using Django like that, even if you have several thousand users? – Jayground Nov 20 '16 at 22:20
  • My journey with Apache basic authentication and wsgi started because I wanted to make the media folder, where files or pictures are saved, writable for some specific users in Django in the first place. I searched and left questions about that on StackOverflow. But I couldn't get any clear solution yet. I thought I could do something like that with Apache authentication and mod_wsgi. Currently I set the media folder as chmod 777. That's my answer for why I thought of using Apache authentication in the first place – Jayground Nov 20 '16 at 22:26
  • Doing authentication via Django means you use whatever database Django is using. You are bypassing the scanning of a flat file as is case with htpasswd. Doesn't sound like you should be using file system permissions at all, but use authorisation (not authentication) in Django application. That is, if a user isn't in the correct group, return an error when the upload URL is used. So you block it in the Django application itself based on known what the user is allowed to do. – Graham Dumpleton Nov 20 '16 at 22:36
  • Google search pops up http://bradmontgomery.blogspot.com.au/2009/04/restricting-access-by-group-in-django.html – Graham Dumpleton Nov 20 '16 at 22:39
  • Thanks for the link. Actually I can manage authorisation in Django. I know how to do it. Currently, the media file is drwxrwxrwx. I think it is a bad idea to leave your folder chmod 777. I can see many articles about the security risk when you set your folder permission like 777. I want to make it drwxrwxr__ but the problem is that if you set the permission like 774 or 764, you can't upload image files in the Django application because permission is denied. I don't want to open my folder for any anonymous users to read, write (and execute). I thought I could do that if I use Apache authorization and mod_wsgi. – Jayground Nov 21 '16 at 00:04
  • Your code runs as the Apache user/group by default. You should either make the upload directory owned by, or group the same as Apache user. Alternatively, create a special UNIX user and use it as user/group with WSGIDaemonProcess. Then have upload directory owned by that special user. That would be only directory that user could write to. – Graham Dumpleton Nov 21 '16 at 00:11
  • I know how to change permission for owner, group and others in Ubuntu. I wanted to find if there is any way to do that users who are in A group or A permission in Django can upload files in 774 permission folder. – Jayground Nov 21 '16 at 00:12
  • You can only block even trying in the Django code so don't even attempt to write to the directory in the first place. You shouldn't be relying on blocking it in some way at file system level on per user basis as the process will always be running as the same user. You can only avoid needing to use o+rwx by matching user/group process runs as with user/group ownership of directory. – Graham Dumpleton Nov 21 '16 at 00:14
  • do you mean, for example, you make user named 'tester' and put this user in 'groupt' in django. then you set folder permission like drwxrwxr__ tester groupt ... etc. so user tester in django can access the folder? not other users? – Jayground Nov 21 '16 at 00:15
  • No. The ``WSGIDaemonProcess`` takes a ``user`` and ``group`` option. The default to be whatever Apache user is. So it may for example be ``wwwserv``, but depends on OS what they use. So rather than make directory ``o+rwx``, do ``sudo charge wwwserv upload-directory`` and ``sudo chmod g+w upload-directory``. This is using Apache user, but could create special UNIX user if want to be more secure and set ``user/group`` options of ``WSGIDaemonProcess`` to that UNIX user and use that UNIX user for group of upload directory. – Graham Dumpleton Nov 21 '16 at 00:18
  • So has nothing to do with Django groups. Purely related to UNIX groups and what user/group the process itself runs as. That solves problem of ``o+rwx``. Then use Django authorisation groups to control whether for a Django user you even allow an upload. – Graham Dumpleton Nov 21 '16 at 00:19
  • If still don't understand, use the mod_wsgi mailing list. StackOverflow is not intended for discussions and is also not that great for getting any help that doesn't have a simple answer. – Graham Dumpleton Nov 21 '16 at 00:21
  • I can understand what you explained. Yes, it is getting long conversation in here because of my continuous questions and comments. Now I can understand my approach was exactly wrong. now i can understand what i should do. Thank you for your answers and patience to explain to me. I will summarize what I understood from this questions on the top of my question and end this question. – Jayground Nov 21 '16 at 00:27
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/128591/discussion-between-jayground-and-graham-dumpleton). – Jayground Nov 21 '16 at 01:03
  • Sorry, I refuse to use StackOverflow chat. That is what the mod_wsgi mailing list is for. – Graham Dumpleton Nov 21 '16 at 01:06
  • Oops! One more thing. You explained about setting user and group for the daemon process for better security. You mentioned 'sudo charge wwserv upload-directory'. Is it a typo? Because I can't find a charge command when I searched for it. I set the user name (tester) and group name (tester) by the options of WSGIDaemonProcess and changed the media folder to 'drwxrwxr_w tester tester'. But it caused a permission denied error. If I use the Apache default user www-data with 'drwxrwxr_x www-data www-data', it works fine. – Jayground Nov 21 '16 at 07:34
  • Auto correct typo. Was meant to be ``chgrp``. But you could also have done it by making it owner and using ``chown``. Depends on whether any other user need to work with the directory how you might do it. – Graham Dumpleton Nov 21 '16 at 07:50
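
Added example, not part of the original thread or of mod_wsgi: a small audit of an upload directory as seen by the UNIX account the WSGI process runs as, following the advice above to match the directory's owner/group to that account instead of using ``o+rwx``. The function names, finding labels, the ``root`` parameter and the temporary sample tree are constructed for illustration, and the parent-directory traversal check goes slightly beyond what the comments cover.

```python
import os
import stat
import tempfile


def applicable_bits(st, uid, gids):
    """Return the rwx triplet (0-7) the kernel applies to a non-root process.

    Exactly one class is used: owner bits if the uid matches, otherwise
    group bits if any of the process's gids matches, otherwise other bits.
    """
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 0o7
    if st.st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def audit_upload_dir(path, uid, gids, root="/"):
    """List problems with `path` for a daemon running as uid/gids.

    Assumes the daemon is not root (uid 0 bypasses permission bits).
    Ancestors are checked from the parent of `path` up to `root`.
    """
    path, root = os.path.abspath(path), os.path.abspath(root)
    findings = []
    st = os.stat(path)
    # Any local account can write here: the chmod 777 situation.
    if stat.S_IMODE(st.st_mode) & stat.S_IWOTH:
        findings.append("world-writable")
    # Creating a file in a directory needs both write and search (x).
    if (applicable_bits(st, uid, gids) & 0o3) != 0o3:
        findings.append("daemon-cannot-write")
    # Every ancestor must be searchable, or access fails before the
    # upload directory's own mode is even consulted.
    parent = os.path.dirname(path)
    while True:
        if not (applicable_bits(os.stat(parent), uid, gids) & 0o1):
            findings.append("no-traverse:" + parent)
        if parent == root or parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return findings


def demo():
    """Constructed tree <tmp>/project/media, audited for hypothetical daemons."""
    with tempfile.TemporaryDirectory() as base:
        project = os.path.join(base, "project")
        media = os.path.join(project, "media")
        os.makedirs(media)
        for d in (base, project):
            os.chmod(d, 0o755)
        st = os.stat(media)
        # Hypothetical daemon identities derived from the directory's owner.
        unrelated = (st.st_uid + 1, {st.st_gid + 1})  # neither owner nor group
        in_group = (st.st_uid + 1, {st.st_gid})       # like chgrp to daemon's group
        results = {}
        os.chmod(media, 0o777)
        results["777, unrelated daemon"] = audit_upload_dir(media, *unrelated, root=base)
        os.chmod(media, 0o774)
        results["774, unrelated daemon"] = audit_upload_dir(media, *unrelated, root=base)
        results["774, daemon in group"] = audit_upload_dir(media, *in_group, root=base)
        os.chmod(project, 0o700)
        results["774, parent 700"] = audit_upload_dir(media, *in_group, root=base)
        os.chmod(project, 0o755)  # restore so cleanup is uneventful
        return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "ok")
```

To audit a real deployment, pass the uid and group ids of the account given in the ``user``/``group`` options of ``WSGIDaemonProcess``, or of the Apache user when those options are not set.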
