Apache and mod_wsgi prevent user from viewing source

Question

I'm running a WSGI application written in Python with flask on Apache. I have so far configured my vhost correctly to use my application.

<VirtualHost *:80>
ServerName mydomain.com

ErrorLog /var/www/abizeitung/error.log
LogLevel warn
CustomLog /var/www/abizeitung/access.log combined

WSGIDaemonProcess abizeitung user=www-data group=www-data threads=5
WSGIScriptAlias / /var/www/abizeitung/abizeitung.wsgi

<Directory /var/www/abizeitung>
    WSGIProcessGroup abizeitung
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>
</VirtualHost>

My problem is that I'm able to view the source e.g. "localhost/abizeitung/app.py". Just changing "Allow from all" to "Deny from all" blocks all access to the application.

score 0 · Answer 1 · answered Sep 12 '13 at 17:59

0

You could setup a deny rule based on <FileType>, or you could configure your document root to point somewhere else. You only need the document root for your static content. And, if you define a Alias like `Alias /static /var/www/abizeitung/static' (or wherever your static is), you don't even need a document root.

BTW, why is:

WSGIProcessGroup abizeitung
WSGIApplicationGroup %{GLOBAL}

In your <Directory> block?

answered Sep 12 '13 at 17:59

Halfgaar

8,084
6
45
86

In other words, never stick your Python web application source code under the directory that DocumentRoot for the server points at. So move your source code out of /var/www/abizeitung. – Graham Dumpleton Sep 12 '13 at 21:57

Apache and mod_wsgi prevent user from viewing source

1 Answers1