
I've followed Graham's simple configuration instructions for hosting static files along with a wsgi application mounted at the domain root. And in fact, my site is working.

However, requests for static pages are being handled twice. Apache responds with the static content, but the wsgi app is also receiving the request. For example, a browser request to "myApp.domain.com/static/test.js" shows the test.js file contents in the browser, but the wsgi app is also invoked with "static/test.js" as the path.

Relevant Apache Configuration:

LoadModule wsgi_module modules/mod_wsgi.so
WSGISocketPrefix /var/run/wsgi

<VirtualHost *:80>
    DocumentRoot /var/www/myApp
    ServerName myApp.domain.com

    Alias /static/ /var/www/myApp/static/

    <Directory /var/www/myApp/static>
        Order deny,allow
        Allow from all
    </Directory>

    WSGIScriptAlias / /var/www/myApp/app.wsgi

    <Directory /var/www/myApp>
        Order allow,deny
        Allow from all
    </Directory>

    WSGIDaemonProcess myAppName processes=1
    WSGIProcessGroup myAppName
</VirtualHost>

What do I need to change in my Apache configuration to prevent requests at myApp.domain.com/static/ from being passed to the wsgi application? Hopefully I just have a typo somewhere...


Edit: Can no longer reproduce this behavior.

jmilloy

1 Answer


For security reasons, you should not set:

DocumentRoot /var/www/myApp

Or more specifically, you should not set DocumentRoot to be a parent directory of where your application source code is. This is dangerous because if you accidentally comment out WSGIScriptAlias, your source code will be downloadable. Leave DocumentRoot out so it uses the default, or point it at an empty directory.

As for your problem, what evidence are you seeing that your application is being hit by URL for static files?

Graham Dumpleton
  • It's not a Django application. I just put in a `print` statement in the application method. It prints to the apache logs once if I request, say, a static javascript file through the browser. It prints three times when I go through the app (once like it should, returning html, and then once for the static css file and once for the static javascript file that are included in the html). – jmilloy Jul 18 '12 at 03:56
  • Currently there is not really any application source code, just like 15 lines in the app.wsgi file, so I'll worry about those security issues when they become appropriate. – jmilloy Jul 18 '12 at 03:59
  • Well now I can't reproduce. Woohoo for waiting two hours. I'll monitor but I don't know that I need more help, will probably delete the question in the morning if it's still behaving normally. – jmilloy Jul 18 '12 at 04:05
  • Did you actually print out the value of environ['PATH_INFO'] to validate what was being requested? Are you sure it wasn't your browser requesting favicon.ico? Disappointing that this got a down vote considering it points out a valid security issue with your configuration. – Graham Dumpleton Jul 18 '12 at 05:41
  • Well, I don't know who strolled by and down-voted you, and I don't really get it. The security issue doesn't really have anything to do with the question, but I always appreciate it that you are so responsive to *every* question about wsgi on stackoverflow and here. Thanks. As for the issue - is it *only* a security issue because I might accidentally comment out the script alias? – jmilloy Jul 18 '12 at 14:18
  • Yep, is only an issue if you muck things up and comment out WSGIScriptAlias. The more levels of things to protect you from inadvertent mistakes the better though. – Graham Dumpleton Jul 20 '12 at 01:51
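
The DocumentRoot point raised in the answer can be checked mechanically. The following is an added example, not code from the question, the answer or mod_wsgi: it scans Apache configuration text and reports any WSGIScriptAlias target that sits under a DocumentRoot. The function names and the `/var/www/empty` path are assumptions, and the check treats the whole text as one scope rather than per VirtualHost.

```python
import posixpath
import re
import shlex

# Constructed sample: the question's vhost, reduced to the relevant directives.
SAMPLE_RISKY = """
<VirtualHost *:80>
    DocumentRoot /var/www/myApp
    Alias /static/ /var/www/myApp/static/
    WSGIScriptAlias / /var/www/myApp/app.wsgi
</VirtualHost>
"""

# Constructed sample: DocumentRoot pointed at an empty directory (hypothetical path).
SAMPLE_SAFE = SAMPLE_RISKY.replace("DocumentRoot /var/www/myApp",
                                   "DocumentRoot /var/www/empty")

# Matches only the two directives of interest (not WSGIScriptAliasMatch).
DIRECTIVE = re.compile(r"^\s*(DocumentRoot|WSGIScriptAlias)\s+(.+?)\s*$", re.I)


def _is_within(path, root):
    """True if path equals root or lies below it (lexical check on absolute paths)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.commonpath([path, root]) == root


def exposed_wsgi_scripts(config_text):
    """Return active WSGI script paths that sit under an active DocumentRoot."""
    roots, scripts = [], []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not active
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), shlex.split(m.group(2))
        if name == "documentroot":
            roots.append(args[0])
        elif len(args) >= 2:
            scripts.append(args[1])  # WSGIScriptAlias <url-path> <file-path>
    return [s for s in scripts if any(_is_within(s, r) for r in roots)]


if __name__ == "__main__":
    for label, cfg in (("question's layout", SAMPLE_RISKY), ("empty DocumentRoot", SAMPLE_SAFE)):
        print(label, "->", exposed_wsgi_scripts(cfg) or "no WSGI script under DocumentRoot")
```

A non-empty result means the application source is only shielded by the WSGIScriptAlias line itself, which is the single point of failure the answer describes.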