Question: Ideal Secure Folder structure for Django on RedHat or Fedora #849
The recommendations in the first StackOverflow post are still valid. As to Thomas Ward's post, do keep in mind that that post relates to static HTML or maybe PHP code. You should never put Python project code of your application under the Apache The location of the virtual environments in the third post is an example only and not a recommendation. You can keep it collocated with your project code if you want. The important thing is not to rely on anything under your personal home directory. Do not open up permissions on your home directory or use groups to provide access to it. So do not put a distinct virtual environment under your home directory and do not use per-user Python package installs.
So following on your advice, I plan to do the following:
Am I missing anything?
If, when you say "non-admin", you mean a user that does not have "sudo" access, then yes. It should not be a user that has any extra privileges. As to a WSGI script file, it doesn't need to be, and shouldn't be, under the Apache document root (/var/www/html) if possible, as then it could be viewed as a static raw file. Create a separate directory (e.g., /var/www/wsgi-scripts) under the Apache root and the The only time I would put the WSGI script file under the Apache document root is if you had no choice and had to use
@GrahamDumpleton yeah, that's very helpful & clear.
I'm hoping not to have to start all over again, since I already have httpd+mod_wsgi installed as the admin user called
PS: Please rest assured, I am compiling all the knowledge you are providing into a video tutorial/walkthrough, to help those who may want to install the whole stack or just a part of it. I am hoping it will be helpful to the community at large. Thank you so far!
You don't need a separate Apache/httpd installation or instance. When you specify It is normal that Apache runs as
Cool. A small question that arises at the end of that is: what is the standard or ideal way of checking that mod_wsgi is actually running as the user we defined, i.e., that the directive is being 'ignored' or 'implemented'?
@GrahamDumpleton First the CONTEXT: But I'm getting this error when I try to access my 127.0.0.1
this is my custom additional httpd config file:
QUESTION 1: I'm not 100% sure (but pretty sure) that it seems like Apache is not able to access the .wsgi file? I already tried setting permissions of 755 on the folders & wsgi.py for testing purposes. Am I missing something here? QUESTION 2: Interestingly, according to the Django documentation for WSGIScriptAlias we use wsgi.py, which is a Python script and not a WSGI script. Is this serving as the entry point that you talked about earlier? Or is it still treated as a WSGI script? So I am guessing in this case I don't need the 'AddHandler wsgi-script .wsgi' directive at all? Or is this still expected by mod_wsgi somewhere? QUESTION 3: As you may notice in my httpd config, to further close down permissions, I was planning on using Inside the expected directory/location to only open up permissions there. Will mod_wsgi have issues with this? My main concern is that the project's
You definitely do not need What do you get when you run:
The safest way is NOT to have As I said before, have a
You don't need the The
and if necessary this could configure host-specific environment variable configs etc.
@GrahamDumpleton
Q1: Does this mean I have to open up the home directory even at the top level? I'm doing it the way you suggested, since I want to have the safest route. Q2: Now since project.wsgi is supposed to have the .wsgi extension, do we need the AddHandler? If not, how will it recognize WSGI scripts? Is there something else that is already doing it? Q3: I created project_01.wsgi under /var/www/wsgi-scripts. About what is inside it (project_01.wsgi), I think you meant
and NOT just
Also, I made the changes to the django_httpd.conf (as you suggested)
When the home directory is not readable to others like that, the Apache user cannot serve static files out of there when using You do not need No, I did mean:
That will look for the Python package with directory name It would work because you had:
thus it will find If you used:
It would look for a Python package with directory name So Python package/module imports are different and |
You also should not need:
in the
Also a bad idea to use If your site experiences very high throughput then this only serves to cause the processes to restart more often, which is bad when you are under load. If you want to restart periodically, you are better off looking at
@GrahamDumpleton Most interesting indeed!! I get the rest of it, but the question about where to serve the static and media files from remains. This 'djangouser' does not have any sensitive files (since it was created for the sole purpose of running mod_wsgi+Django as ) except the Python virtual env and the Django files themselves. I am assuming that the static/media folder is being accessed as 'Apache' because we are using Alias ? So Apache is serving them directly? One possible solution that comes to mind is to make a static/media folder under /var/www (chown djangouser? 755 for perms?) and to run Django's 'collectstatic' command into it. Or is opening up the home folder of djangouser fine?
This is my current django_httpd.conf. Edit: For testing only (until your answer) I did go ahead and chmod /home/djangouser to 755, and fixed a typo that was causing me an issue, and now the Django starter page is perfectly fine on 127.0.0.1.
@GrahamDumpleton I am hoping to hear from you regarding this part. I am not sure if opening up perms is the right way.
Not much else I can tell you. There is no ideal folder structure as each has its own pros and cons. Opening up permissions for the home directory of the user reduces security a little, but might be more convenient than having to generate static files to a directory under /var/www from your Django project. The safest scenario is where the Apache user would never be allowed to serve up or even read directories containing your Python source code. Also, whatever user runs your code under Apache should not be able to write to directories holding the source code. The only thing the user your code runs as might need write access to is media upload directories or a database directory if using sqlite. The thing is, though, that Apache itself is unlikely to be your weakest point. What you have to worry about more is that the Python code of your web application is written correctly and doesn't have vulnerabilities, especially if it interfaces with a database. You seem to be spending a lot of time worrying about Apache when you should be worrying about your Python web application code more.
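The invariants laid out in that reply (the Apache user can never read the source tree, the user the code runs as can read but not write it, and only media or sqlite directories are writable), together with the earlier point that the WSGI script file must not sit under DocumentRoot, can be checked mechanically before opening up any permissions. The script below is an added example for this thread, not code from the discussion, from mod_wsgi or from Django. The httpd fragment, the paths, the names `djangouser` and `project_01`, and the numeric uids 60001/60002 are constructed for the demo and are assumptions, not the poster's real configuration. It models plain POSIX mode bits only: root's override, ACLs and the traverse bits of ancestor directories are not checked.

```python
"""Audit a Django + mod_wsgi layout against the permission rules from this thread.

Added example (not code from the thread, mod_wsgi or Django). The config text,
paths, user names and uids below are constructed for the demo.
"""
import os
import stat
import tempfile

# Constructed httpd fragment with assumed names and paths (not the poster's config).
SAMPLE_CONF = """
DocumentRoot /var/www/html
WSGIDaemonProcess project_01 user=djangouser group=djangouser python-home=/var/www/mypy/pyvenv_01 python-path=/var/www/djangosite/project1
WSGIProcessGroup project_01
WSGIScriptAlias / /var/www/wsgi-scripts/project_01.wsgi
Alias /static/ /var/www/static/
"""


def parse_conf(text):
    """Pull out the few directives the layout checks need."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "DocumentRoot":
            cfg["docroot"] = parts[1]
        elif parts[0] == "WSGIScriptAlias":
            cfg["wsgi_script"] = parts[2]        # URL prefix, then the script path
        elif parts[0] == "WSGIDaemonProcess":
            for opt in parts[2:]:                 # key=value options after the group name
                key, _, value = opt.partition("=")
                cfg["daemon_" + key.replace("-", "_")] = value
    return cfg


def is_under(path, parent):
    """True if path equals parent or lies inside it (lexical check, symlinks ignored)."""
    path, parent = os.path.abspath(path), os.path.abspath(parent)
    return os.path.commonpath([path, parent]) == parent


def can(st, uid, gids, want):
    """POSIX mode-bit model: pick the owner/group/other class, test 'r' or 'w'.

    Root's override and ACLs are deliberately not modelled.
    """
    if st.st_uid == uid:
        bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR}
    elif st.st_gid in gids:
        bits = {"r": stat.S_IRGRP, "w": stat.S_IWGRP}
    else:
        bits = {"r": stat.S_IROTH, "w": stat.S_IWOTH}
    return bool(st.st_mode & bits[want])


def audit(cfg, source_dirs, writable_dirs, runtime, apache):
    """Return a list of findings; runtime and apache are (uid, set_of_gids) pairs.

    Rules: WSGI script not under DocumentRoot; Apache user cannot read source;
    runtime user can read but not write source; runtime user can write the
    media/sqlite directories. Ancestor directories are not walked.
    """
    findings = []
    if "wsgi_script" in cfg and "docroot" in cfg and is_under(cfg["wsgi_script"], cfg["docroot"]):
        findings.append(f"WSGI script {cfg['wsgi_script']} is under document root {cfg['docroot']}")
    for top in source_dirs:
        for root, _dirs, files in os.walk(top):
            for path in [root] + [os.path.join(root, f) for f in files]:
                st = os.stat(path)
                if can(st, *apache, "r"):
                    findings.append(f"apache user can read {path}")
                if can(st, *runtime, "w"):
                    findings.append(f"runtime user can write {path}")
                if not can(st, *runtime, "r"):
                    findings.append(f"runtime user cannot read {path}")
    for path in writable_dirs:
        if not can(os.stat(path), *runtime, "w"):
            findings.append(f"runtime user cannot write {path}")
    return findings


def demo():
    """Build a constructed tree in a temp dir and audit a good and a bad layout."""
    top = tempfile.mkdtemp()
    src = os.path.join(top, "project1")       # Python source, owned by the deploying user
    media = os.path.join(top, "media")        # uploads, must be writable by the runtime user
    os.mkdir(src)
    os.mkdir(media)
    settings = os.path.join(src, "settings.py")
    with open(settings, "w") as fh:
        fh.write("SECRET_KEY = 'constructed'\n")
    owner_gid = os.stat(src).st_gid
    # Fake identities (assumed uids): the runtime user shares the owner's group and
    # so gets the group bits; the Apache user falls into the "other" class.
    runtime = (60001, {owner_gid})
    apache = (60002, {60002})
    cfg = parse_conf(SAMPLE_CONF)

    os.chmod(src, 0o750)       # owner rwx, group r-x, others nothing
    os.chmod(settings, 0o640)
    os.chmod(media, 0o770)     # runtime user may upload here
    good = audit(cfg, [src], [media], runtime, apache)

    os.chmod(src, 0o775)       # the "just chmod the home directory" shortcut
    os.chmod(settings, 0o664)
    bad = audit(cfg, [src], [media], runtime, apache)
    return good, bad


if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("good layout:", good_findings or "no findings")
    print("bad layout:")
    for finding in bad_findings:
        print("  ", finding)
```

Run it with a real config and real directories by replacing `SAMPLE_CONF` with the contents of the vhost file, passing the actual uid and group set of the `user=`/`group=` from `WSGIDaemonProcess` as `runtime` and those of the Apache service user as `apache`. A non-empty list for the intended layout means the permission story in the thread has not actually been implemented yet.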
Hi, I'm working on Fedora 38, already have apache with mod_wsgi installed (built mod_wsgi from source, instead of pip). MariaDB for DB.
Now my question is: what is the ideal folder structure for securely running Django with a virtual environment?
Currently:
/var/www is owned by root:root
/var/www/mypy/pyvenv_01 is the python virtual environment, where /var/www/mypy is owned by user:user
/var/www/djangosite/project1 is the first python project created, where /var/www/djangosite is owned by user:user
I was looking at your answer here, from 10 years ago, but I'm not sure if it's still completely correct:
https://stackoverflow.com/questions/16408079/secure-django-file-permissions
I was additionally looking at Thomas Ward's reasoning about file permissions here
https://askubuntu.com/questions/767504/permissions-problems-with-var-www-html-and-my-own-home-directory-for-a-website/767534#767534
mod_wsgi documentation briefly mentions placing the venv in /usr/local/venvs/example
https://modwsgi.readthedocs.io/en/develop/user-guides/virtual-environments.html
The Django documentation just says to put it in /home/mycode. HOWEVER, I read somewhere that this is not good.
https://docs.djangoproject.com/en/4.2/intro/tutorial01/
For now I'm planning to run only a Django-based website/app, but I need room to be able to add other stuff as well (nothing particular in mind yet).
It would be really helpful, if you can shed some light on this Mr. Graham.