Question

I'm deploying Django 1.5 with two sites. Each one is independent of the other (each one has its own database), but the two sites are subdomains: one is new.mydomain.com and the other dev.mydomain.com. I'm using Apache with mod_wsgi.

The problem is: I'm Authenticating against Django’s user database from Apache correctly, but when I try to use Django groups with the Apache authentication I get the following situation:

I can login to one of the subdomains e.g. new without problems, but if I try to login to the other one (dev) I can't. Apache says that the user isn't in the allowed groups. Then if I restart Apache and try to login to dev (which was impossible before) then there is no problem here, but now it's impossible to login with the other subdomain new!

To sum up: I can't log in to the two subdomains at the same time, no matter which (allowed) users I use.

The virtualhost for new subdomain is (the other one looks like this one changing paths):

<VirtualHost *:80>
    ServerName new.mydomain.com
    ServerAlias www.new.mydomain.com
    ServerAdmin caumons@gmail.com

    Alias /robots.txt /var/www/sites/master/EurekaStart.git/EurekaStart/robots.txt
    Alias /favicon.ico /var/www/sites/master/EurekaStart.git/EurekaStart/static_collected/img/favicon.ico

    Alias /static/ /var/www/sites/master/EurekaStart.git/EurekaStart/static_collected/

    <Directory /var/www/sites/master/EurekaStart.git/EurekaStart/static_collected>
        Order deny,allow
        Allow from all
    </Directory>

    Alias /media/ /var/www/sites/master/EurekaStart.git/EurekaStart/media/

    <Directory /var/www/sites/master/EurekaStart.git/EurekaStart/media>
        Order deny,allow
        Allow from all
    </Directory>

    WSGIDaemonProcess eureka-startups.com python-path=/var/www/sites/master/EurekaStart.git:/var/www/sites/master/EurekaStart.git/env/lib/python2.7/site-packages
    WSGIProcessGroup eureka-startups.com

    WSGIScriptAlias / /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py

    <Directory /var/www/sites/master/EurekaStart.git/EurekaStart>
        <Files wsgi.py>
            Order deny,allow
            Allow from all
        </Files>
    </Directory>

    <Location "/">
        AuthType Basic
        AuthName "Enter your guest user & password"
        Require group guest
        Require valid-user
        AuthBasicProvider wsgi
        WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
        WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
    </Location>

    ErrorLog /var/www/sites/master/EurekaStart.git/logs/apache/error.log
    TransferLog /var/www/sites/master/EurekaStart.git/logs/apache/access.log
</VirtualHost>

The wsgi.py file for new subdomain looks like (the wsgi file for dev is exactly like this one):

import os
import sys
from django.core.handlers.wsgi import WSGIHandler

# We need to add the site's root path to sys.path when using Django Authentication for WSGI
SITE_PKG_PATH = os.path.abspath(os.path.dirname(__file__))
SITE_ROOT_PATH = os.path.abspath(os.path.join(SITE_PKG_PATH, '..'))
sys.path.append(SITE_ROOT_PATH)

os.environ.setdefault("DJANGO_SETTINGS_MODULE", "EurekaStart.settings")


# This import MUST be done after setting `DJANGO_SETTINGS_MODULE`
import django.contrib.auth.handlers.modwsgi as modwsgi


def check_password(environ, user, password):
    return modwsgi.check_password(environ, user, password)


def groups_for_user(environ, user):
    return modwsgi.groups_for_user(environ, user)


application = WSGIHandler()

UPDATE 1:

Many thanks to @GrahamDumpleton :)

I've updated the apache config files and the way I was setting DJANGO_SETTINGS_MODULE. Now, the configuration regarding WSGI for Apache looks like:

In new site:

WSGIDaemonProcess eureka-startups.com python-path=/var/www/sites/master/EurekaStart.git:/var/www/sites/master/EurekaStart.git/env/lib/python2.7/site-packages
WSGIProcessGroup eureka-startups.com

<Location "/">
    AuthType Basic
    AuthName "Enter your guest user & password"
    AuthBasicProvider wsgi
    Require group guest
    Require valid-user
    WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=eureka-startups.com
    WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=eureka-startups.com
</Location>

In dev site:

WSGIDaemonProcess dev.eureka-startups.com python-path=/var/www/sites/dev/EurekaStart-dev.git:/var/www/sites/dev/EurekaStart-dev.git/env/lib/python2.7/site-packages
WSGIProcessGroup dev.eureka-startups.com

<Location "/">
    AuthType Basic
    AuthName "Eureka-Startups staff members only"
    AuthBasicProvider wsgi
    Require group dev
    Require valid-user
    WSGIAuthUserScript /var/www/sites/dev/EurekaStart-dev.git/EurekaStart/wsgi.py application-group=dev.eureka-startups.com
    WSGIAuthGroupScript /var/www/sites/dev/EurekaStart-dev.git/EurekaStart/wsgi.py application-group=dev.eureka-startups.com
</Location>

Solution

How are you setting SESSION_COOKIE_DOMAIN?

and SESSION_COOKIE_NAME?

Are they the same for both sites? The one for the domain should at least refer to the sub domain and not the main domain.


UPDATE 1

Instead of:

WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py
WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py

use:

WSGIAuthUserScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=new.mydomain.com
WSGIAuthGroupScript /var/www/sites/master/EurekaStart.git/EurekaStart/wsgi.py application-group=new.mydomain.com

The Python code run by WSGIAuthUserScript and WSGIAuthGroupScript always runs in the Apache child worker processes, never in the daemon mode process where the main web application is.

More of a problem in your case is that by default the code runs in the main interpreter (application group) context. Because you have two sites, the code will not be separated.

By using the application-group option on those directives, you can force the code for each separate site to run in different sub interpreters of the process they run in. Use a different value for application-group for the other site.

You also cannot use:

os.environ.setdefault("DJANGO_SETTINGS_MODULE", "EurekaStart.settings")

you must use:

os.environ["DJANGO_SETTINGS_MODULE"] = "EurekaStart.settings"

Using dict.setdefault() causes problems when used by more than one site in the same process, even though in different sub interpreters. For more details see:

Licensed under: CC-BY-SA with attribution
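
The following is an added example, not code from the question or the answer. It is a simplified model of why os.environ.setdefault() can leave the second site's auth script pointing at the first site's settings, so that credentials and group membership are checked against the wrong user database. The classes and the settings module names new_site.settings and dev_site.settings are hypothetical.

```python
# Simplified model (an assumption of this example, not mod_wsgi code):
# one Apache child process holds one C-level environment; each application
# group is a sub interpreter whose os.environ is a private dict seeded from
# that environment at creation, and whose writes are also pushed to it.

KEY = "DJANGO_SETTINGS_MODULE"


class ChildProcess:
    def __init__(self):
        self.c_environ = {}


class SubInterpreter:
    def __init__(self, process):
        self.process = process
        self.environ = dict(process.c_environ)  # snapshot at creation

    def assign(self, key, value):
        # os.environ[key] = value: private dict plus putenv()
        self.environ[key] = value
        self.process.c_environ[key] = value

    def setdefault(self, key, value):
        # os.environ.setdefault(key, value): only writes if key is absent
        if key not in self.environ:
            self.assign(key, value)
        return self.environ[key]


def load_sites(use_setdefault):
    """Load the auth script of 'new', then 'dev', in the same child process."""
    process = ChildProcess()
    wanted = [("new", "new_site.settings"), ("dev", "dev_site.settings")]
    in_effect = {}
    for site, settings in wanted:  # hypothetical module names
        interp = SubInterpreter(process)  # application-group=<site>
        if use_setdefault:
            interp.setdefault(KEY, settings)
        else:
            interp.assign(KEY, settings)
        in_effect[site] = interp.environ[KEY]
    return in_effect


def misrouted(in_effect):
    """Sites whose credentials would be checked against another site's DB."""
    return [s for s, m in in_effect.items() if not m.startswith(s + "_")]
```

With setdefault the model reports dev as misrouted; with direct assignment each site keeps its own settings module.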