
I'm deploying a Django 1.5 with two sites, each one is independent from the other one (each one has its own database), but these two sites are subdomains: one is new.mydomain.com and the other dev.mydomain.com. I'm using Apache with mod_wsgi.

The problem is: I'm Authenticating against Django’s user database from Apache correctly, but when I try to use Django groups with the Apache authentication I get the following situation:

I can login to one of the subdomains e.g. new without problems, but if I try to login to the other one (dev) I can't. Apache says that the user isn't in the allowed groups. Then if I restart Apache and try to login to dev (which was impossible before) then there is no problem here, but now it's impossible to login with the other subdomain new!

To sum up: I can't login to the two subdomains at the same time, no matter which (allowed) users I use.

The virtualhost for new subdomain is (the other one looks like this one changing paths):

```apache
<VirtualHost *:80>
    ServerName new.mydomain.com
    ServerAlias www.new.mydomain.com
    ServerAdmin caumons@gmail.com

    Alias /robots.txt /var/www/sites/master/EurekaStart.git/EurekaStart/robots.txt
    Alias /favicon.ico /var/www/sites/master/EurekaStart.git/EurekaStart/static_collected/img/favicon.ico

    Alias /static/ /var/www/sites/master/EurekaStart.git/EurekaStart/static_collected/

    <Directory /var/www/sites/master/EurekaStart.git/EurekaStart/static_collected>
        Order deny,allow
        Allow from all
    </Directory>

    Alias /media/ /var/www/sites/master/EurekaStart.git/EurekaStart/media/

    <Directory /var/www/sites/master/EurekaStart.git/EurekaStart/media>
        Order deny,allow
        Allow from all
    </Directory>

    WSGIDaemonProcess eureka-startups.com python-path=/var/www/sites/master/EurekaStart.git:/var/www/sites/master/EurekaStart.git/env/lib/python2.7/site-packages
    WSGIProcessGroup eureka-startups.com

    WSGIScriptAlias / /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py

    <Directory /var/www/sites/master/EurekaStart.git/EurekaStart>
        <Files wsgi.py>
            Order deny,allow
            Allow from all
        </Files>
    </Directory>

    <Location "/">
        AuthType Basic
        AuthName "Enter your guest user & password"
        Require group guest
        Require valid-user
        AuthBasicProvider wsgi
        WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
        WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
    </Location>

    ErrorLog /var/www/sites/master/EurekaStart.git/logs/apache/error.log
    TransferLog /var/www/sites/master/EurekaStart.git/logs/apache/access.log
</VirtualHost>
```

The wsgi.py file for new subdomain looks like (the wsgi file for dev is exactly like this one):

```python
import os
import sys
from django.core.handlers.wsgi import WSGIHandler

# We need to add the site's root path to sys.path when using Django Authentication for WSGI
SITE_PKG_PATH = os.path.abspath(os.path.dirname(__file__))
SITE_ROOT_PATH = os.path.abspath(os.path.join(SITE_PKG_PATH, '..'))
sys.path.append(SITE_ROOT_PATH)

os.environ.setdefault("DJANGO_SETTINGS_MODULE", "EurekaStart.settings")


# This import MUST be done after setting `DJANGO_SETTINGS_MODULE`
import django.contrib.auth.handlers.modwsgi as modwsgi


def check_password(environ, user, password):
    return modwsgi.check_password(environ, user, password)


def groups_for_user(environ, user):
    return modwsgi.groups_for_user(environ, user)


application = WSGIHandler()
```

UPDATE 1:

Many thanks to @GrahamDumpleton :)

I've updated the apache config files and the way I was setting DJANGO_SETTINGS_MODULE. Now, the configuration regarding WSGI for Apache looks like:

In new site:

```apache
WSGIDaemonProcess eureka-startups.com python-path=/var/www/sites/master/EurekaStart.git:/var/www/sites/master/EurekaStart.git/env/lib/python2.7/site-packages
WSGIProcessGroup eureka-startups.com

<Location "/">
    AuthType Basic
    AuthName "Enter your guest user & password"
    AuthBasicProvider wsgi
    Require group guest
    Require valid-user
    WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=eureka-startups.com
    WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=eureka-startups.com
</Location>
```

In dev site:

```apache
WSGIDaemonProcess dev.eureka-startups.com python-path=/var/www/sites/dev/EurekaStart-dev.git:/var/www/sites/dev/EurekaStart-dev.git/env/lib/python2.7/site-packages
WSGIProcessGroup dev.eureka-startups.com

<Location "/">
    AuthType Basic
    AuthName "Eureka-Startups staff members only"
    AuthBasicProvider wsgi
    Require group dev
    Require valid-user
    WSGIAuthUserScript /var/www/sites/dev/EurekaStart-dev.git/EurekaStart/wsgi.py application-group=dev.eureka-startups.com
    WSGIAuthGroupScript /var/www/sites/dev/EurekaStart-dev.git/EurekaStart/wsgi.py application-group=dev.eureka-startups.com
</Location>
```
Caumons
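
The difference between the original `<Location>` block and the updated ones can be checked mechanically. This is an added example, not part of the original post: a hypothetical `audit()` helper that flags `WSGIAuthUserScript`/`WSGIAuthGroupScript` lines with no `application-group`, or with one value shared by different scripts; the `BEFORE` and `AFTER` samples are constructed from the directives quoted above.

```python
import re
from collections import defaultdict

AUTH = re.compile(r"^\s*(WSGIAuth(?:User|Group)Script)\s+(\S+)(.*)$", re.I)
APP_GROUP = re.compile(r"\bapplication-group=(\S+)", re.I)

NEW = "/var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py"
DEV = "/var/www/sites/dev/EurekaStart-dev.git/EurekaStart/wsgi.py"
# Constructed samples built from the directives quoted on this page.
BEFORE = "\n".join("%s %s" % (d, p) for p in (NEW, DEV)
                   for d in ("WSGIAuthUserScript", "WSGIAuthGroupScript"))
AFTER = "\n".join(
    "%s %s application-group=%s" % (d, p, g)
    for p, g in ((NEW, "eureka-startups.com"), (DEV, "dev.eureka-startups.com"))
    for d in ("WSGIAuthUserScript", "WSGIAuthGroupScript"))


def audit(config_text):
    """Return sorted (line_no, directive, problem) findings."""
    findings, seen = [], []
    scripts_by_group = defaultdict(set)
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = AUTH.match(line)  # commented-out lines start with '#', no match
        if not m:
            continue
        directive, script, options = m.groups()
        group = APP_GROUP.search(options)
        if group is None:
            findings.append((line_no, directive,
                             "no application-group: main interpreter"))
            continue
        scripts_by_group[group.group(1)].add(script)
        seen.append((line_no, directive, group.group(1)))
    # A group name reused by two different scripts means two sites share state.
    for line_no, directive, name in seen:
        if len(scripts_by_group[name]) > 1:
            findings.append((line_no, directive,
                             "application-group %r shared by scripts" % name))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "ok")
```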

1 Answer


How are you setting SESSION_COOKIE_DOMAIN?

and SESSION_COOKIE_NAME?

Are they the same for both sites? The one for the domain should at least refer to the sub domain and not the main domain.


UPDATE 1

Instead of:

```apache
WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
```

use:

```apache
WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=new.mydomain.com
WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=new.mydomain.com
```

The Python code run by WSGIAuthUserScript and WSGIAuthGroupScript always runs in the Apache child worker processes, never in the daemon mode process where the main web application is.

More of a problem in your case is that by default the code runs in the main interpreter (application group) context. Because you have two sites, the code will not be separated.

By using application-group option on those directives, you can force the code for each separate site to run in different sub interpreters of the process they run in. Use a different value for application-group for the other site.

You also cannot use:

```python
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "EurekaStart.settings")
```

you must use:

```python
os.environ["DJANGO_SETTINGS_MODULE"] = "EurekaStart.settings"
```

Using dict.setdefault() causes problems when used by more than one site in the same process, even though in different sub interpreters. For more details see:

Graham Dumpleton
  • I didn't set these values in settings. I've now tried setting `SESSION_COOKIE_DOMAIN = 'new.eureka-startups.com'` in one and `SESSION_COOKIE_DOMAIN = 'dev.eureka-startups.com'` in the other, but still happens the same... :( I haven't changed `SESSION_COOKIE_NAME`, does it really matter? – Caumons Sep 30 '13 at 04:25
  • Sorry, assumed you were using normal Django login, not Apache basic authentication with custom password authenticator. See update above. – Graham Dumpleton Sep 30 '13 at 04:44
  • **Thanks A LOT** for your response, you're a sir! It works well now! :) I've updated my question to reflect the changes done. However, I have a few doubts: I've tried to include the directive `WSGIApplicationGroup` instead of using `application-group`, but it doesn't work. Wouldn't it be the same? In the `wsgi.py` I don't know which is the difference between using `application = WSGIHandler()` and `application = get_wsgi_application()`. Does it matter? And... is it bad to use the same name for `WSGIDaemonProcess` and `WSGIProcessGroup` for the same virtualhost, as I'm doing? Again, thanks! :) – Caumons Sep 30 '13 at 13:28
  • P.S. The info provided in the link you attached is really good :) – Caumons Sep 30 '13 at 13:31
  • The only way to override the application group for the user/group auth scripts is application-group option. WSGIApplicationGroup only applies to the main web application setup using WSGIScriptAlias. WSGIScriptAlias can also take an application-group option which will override anything else. – Graham Dumpleton Sep 30 '13 at 23:10
  • The WSGIHandler in Django is the older way. Newer Django versions supply get_wsgi_application() and internally just create an instance of WSGIHandler. – Graham Dumpleton Sep 30 '13 at 23:10
  • WSGIProcessGroup name must match the name for the WSGIDaemonProcess directive you want to use. WSGIDaemonProcess defines the set of processes. WSGIProcessGroup is saying to run stuff in that process group. http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIProcessGroup – Graham Dumpleton Sep 30 '13 at 23:12
  • Thanks for your answers! OK, I included the `application-group` option as stated, changed the `wsgi.py` to use the newest method `get_wsgi_application()` and the `WSGIProcessGroup` and `WSGIProcessGroup` have the same names (per site). I definitely think that this should be explained in the Django docs! I've accepted and upvoted you to give you +25 rep. You've been really helpful. Greetings from Spain (at the other side of the world!) :) – Caumons Oct 01 '13 at 02:23
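
What "the code will not be separated" means for the `wsgi.py` in the question, as an added example that is not part of the original thread (Python 3): two constructed site roots each hold an `EurekaStart/settings.py`, and a hypothetical `load_auth_script()` repeats the script's `sys.path.append` and `setdefault` preamble. `DATABASE_NAME` and the temp directories are assumptions, and a fresh Python process stands in for a separate mod_wsgi sub interpreter.

```python
import importlib
import os
import subprocess
import sys
import tempfile

SETTINGS = "EurekaStart.settings"  # module name both sites use on this page


def make_site(db_name):
    """Create a constructed site root holding EurekaStart/settings.py."""
    root = tempfile.mkdtemp(prefix="site-")
    pkg = os.path.join(root, "EurekaStart")
    os.mkdir(pkg)
    open(os.path.join(pkg, "__init__.py"), "w").close()
    with open(os.path.join(pkg, "settings.py"), "w") as fh:
        fh.write("DATABASE_NAME = %r\n" % db_name)  # assumed setting name
    return root


def load_auth_script(site_root):
    """Repeat the wsgi.py preamble, then report which settings were loaded."""
    sys.path.append(site_root)
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", SETTINGS)
    settings = importlib.import_module(os.environ["DJANGO_SETTINGS_MODULE"])
    return settings.DATABASE_NAME


def shared_interpreter(roots):
    """Both auth scripts in one interpreter, the default for WSGIAuth*Script."""
    return [load_auth_script(r) for r in roots]


def isolated_interpreters(roots):
    """One fresh Python process per site, standing in for a sub interpreter."""
    code = ("import sys, importlib; sys.path.append(sys.argv[1]); "
            "print(importlib.import_module(%r).DATABASE_NAME)" % SETTINGS)
    return [subprocess.check_output([sys.executable, "-c", code, r],
                                    text=True).strip() for r in roots]


if __name__ == "__main__":
    roots = [make_site("new.db"), make_site("dev.db")]
    print("shared:  ", shared_interpreter(roots))     # dev resolves to new's DB
    print("isolated:", isolated_interpreters(roots))  # each site gets its own
```

In the shared case the second site's credentials and group membership are checked against whichever site's settings were imported first, which matches the behaviour described in the question after each Apache restart.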