I notice a peculiar error when serving Django app through mod_wsgi.
In my document root, I have /admin directory that is restricted to 127.0.0.1 using LocationMatch directive. I also have /admin URLConf mounted on / in Django app, which is standard path for Django's autogenerated admin interface. The app itself is under /app path, configured with WSGIScriptAlias directive.
Now, Apache somehow treats each request for /app/admin and it's subpaths as directed to both app and document root. I get Django's admin displayed, but error.log contains line like this one:
[Tue Feb 14 01:25:35.538501 2017] [authz_core:error] [pid 29235] [client 32.135.203.150:36412] AH01630: client denied by server configuration: /var/www/html/admin/
This is almost non-issue, apart from two things:
- I had to turn off fail2ban,
- I can't upload files in admin, and I suspect this is the reason why, because this error appear each time i try (receiving 500 as response).
This is solved by either renaming my html directory or Django's admin app, but I would really like to find the right solution that lets me have both.
Apache configuration in Debian is split in multiple files, but I believe the relevant parts are as follows:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Include conf-available/default.conf
DocumentRoot /var/www/html
<LocationMatch ^/admin>
Require ip 127.0.0.1 ::1
</LocationMatch>
<LocationMatch ^/admin/status>
SetHandler server-status
</LocationMatch>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
SetEnvIf Request_URI "/admin/status" nolog
CustomLog ${APACHE_LOG_DIR}/access.log combined env=!nolog
</VirtualHost>
default.conf:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
DirectoryIndex disabled
AllowOverride Indexes
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
Alias /app/static/ /var/www/app/static/
Alias /app/media/ /var/www/app/media/
<Directory /var/www/app/static>
Require all granted
</Directory>
<Directory /var/www/app/media>
Require all granted
</Directory>
WSGIDaemonProcess pbf.net.pl python-path=/var/www/app:/usr/local/virtualenvs/app/lib/python3.4/site-packages/
WSGIProcessGroup app
WSGIScriptAlias /app /var/www/app/wsgi.py process-group=app
# WSGIPythonPath /var/www/app/
<Directory /var/www/app>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
