| 1 |
========================================================= |
|---|
| 2 |
Authenticating against Django's user database from Apache |
|---|
| 3 |
========================================================= |
|---|
| 4 |
|
|---|
| 5 |
Since keeping multiple authentication databases in sync is a common problem when |
|---|
| 6 |
dealing with Apache, you can configuring Apache to authenticate against Django's |
|---|
| 7 |
`authentication system`_ directly. For example, you could: |
|---|
| 8 |
|
|---|
| 9 |
* Serve static/media files directly from Apache only to authenticated users. |
|---|
| 10 |
|
|---|
| 11 |
* Authenticate access to a Subversion_ repository against Django users with |
|---|
| 12 |
a certain permission. |
|---|
| 13 |
|
|---|
| 14 |
* Allow certain users to connect to a WebDAV share created with mod_dav_. |
|---|
| 15 |
|
|---|
| 16 |
Configuring Apache |
|---|
| 17 |
================== |
|---|
| 18 |
|
|---|
| 19 |
To check against Django's authorization database from a Apache configuration |
|---|
| 20 |
file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along |
|---|
| 21 |
with the standard ``Auth*`` and ``Require`` directives:: |
|---|
| 22 |
|
|---|
| 23 |
<Location /example/> |
|---|
| 24 |
AuthType Basic |
|---|
| 25 |
AuthName "example.com" |
|---|
| 26 |
Require valid-user |
|---|
| 27 |
|
|---|
| 28 |
SetEnv DJANGO_SETTINGS_MODULE mysite.settings |
|---|
| 29 |
PythonAuthenHandler django.contrib.auth.handlers.modpython |
|---|
| 30 |
</Location> |
|---|
| 31 |
|
|---|
| 32 |
.. admonition:: Using the authentication handler with Apache 2.2 |
|---|
| 33 |
|
|---|
| 34 |
If you're using Apache 2.2, you'll need to take a couple extra steps. |
|---|
| 35 |
|
|---|
| 36 |
You'll need to ensure that ``mod_auth_basic`` and ``mod_authz_user`` |
|---|
| 37 |
are loaded. These might be compiled statically into Apache, or you might |
|---|
| 38 |
need to use ``LoadModule`` to load them dynamically (as shown in the |
|---|
| 39 |
example at the bottom of this note). |
|---|
| 40 |
|
|---|
| 41 |
You'll also need to insert configuration directives that prevent Apache |
|---|
| 42 |
from trying to use other authentication modules, as well as specifying |
|---|
| 43 |
the ``AuthUserFile`` directive and pointing it to ``/dev/null``. Depending |
|---|
| 44 |
on which other authentication modules you have loaded, you might need one |
|---|
| 45 |
or more of the following directives:: |
|---|
| 46 |
|
|---|
| 47 |
AuthBasicAuthoritative Off |
|---|
| 48 |
AuthDefaultAuthoritative Off |
|---|
| 49 |
AuthzLDAPAuthoritative Off |
|---|
| 50 |
AuthzDBMAuthoritative Off |
|---|
| 51 |
AuthzDefaultAuthoritative Off |
|---|
| 52 |
AuthzGroupFileAuthoritative Off |
|---|
| 53 |
AuthzOwnerAuthoritative Off |
|---|
| 54 |
AuthzUserAuthoritative Off |
|---|
| 55 |
|
|---|
| 56 |
A complete configuration, with differences between Apache 2.0 and |
|---|
| 57 |
Apache 2.2 marked in bold, would look something like: |
|---|
| 58 |
|
|---|
| 59 |
.. parsed-literal:: |
|---|
| 60 |
|
|---|
| 61 |
**LoadModule auth_basic_module modules/mod_auth_basic.so** |
|---|
| 62 |
**LoadModule authz_user_module modules/mod_authz_user.so** |
|---|
| 63 |
|
|---|
| 64 |
... |
|---|
| 65 |
|
|---|
| 66 |
<Location /example/> |
|---|
| 67 |
AuthType Basic |
|---|
| 68 |
AuthName "example.com" |
|---|
| 69 |
**AuthUserFile /dev/null** |
|---|
| 70 |
**AuthBasicAuthoritative Off** |
|---|
| 71 |
Require valid-user |
|---|
| 72 |
|
|---|
| 73 |
SetEnv DJANGO_SETTINGS_MODULE mysite.settings |
|---|
| 74 |
PythonAuthenHandler django.contrib.auth.handlers.modpython |
|---|
| 75 |
</Location> |
|---|
| 76 |
|
|---|
| 77 |
By default, the authentication handler will limit access to the ``/example/`` |
|---|
| 78 |
location to users marked as staff members. You can use a set of |
|---|
| 79 |
``PythonOption`` directives to modify this behavior: |
|---|
| 80 |
|
|---|
| 81 |
================================ ========================================= |
|---|
| 82 |
``PythonOption`` Explanation |
|---|
| 83 |
================================ ========================================= |
|---|
| 84 |
``DjangoRequireStaffStatus`` If set to ``on`` only "staff" users (i.e. |
|---|
| 85 |
those with the ``is_staff`` flag set) |
|---|
| 86 |
will be allowed. |
|---|
| 87 |
|
|---|
| 88 |
Defaults to ``on``. |
|---|
| 89 |
|
|---|
| 90 |
``DjangoRequireSuperuserStatus`` If set to ``on`` only superusers (i.e. |
|---|
| 91 |
those with the ``is_superuser`` flag set) |
|---|
| 92 |
will be allowed. |
|---|
| 93 |
|
|---|
| 94 |
Defaults to ``off``. |
|---|
| 95 |
|
|---|
| 96 |
``DjangoPermissionName`` The name of a permission to require for |
|---|
| 97 |
access. See `custom permissions`_ for |
|---|
| 98 |
more information. |
|---|
| 99 |
|
|---|
| 100 |
By default no specific permission will be |
|---|
| 101 |
required. |
|---|
| 102 |
================================ ========================================= |
|---|
| 103 |
|
|---|
| 104 |
Note that sometimes ``SetEnv`` doesn't play well in this mod_python |
|---|
| 105 |
configuration, for reasons unknown. If you're having problems getting |
|---|
| 106 |
mod_python to recognize your ``DJANGO_SETTINGS_MODULE``, you can set it using |
|---|
| 107 |
``PythonOption`` instead of ``SetEnv``. Therefore, these two Apache directives |
|---|
| 108 |
are equivalent:: |
|---|
| 109 |
|
|---|
| 110 |
SetEnv DJANGO_SETTINGS_MODULE mysite.settings |
|---|
| 111 |
PythonOption DJANGO_SETTINGS_MODULE mysite.settings |
|---|
| 112 |
|
|---|
| 113 |
.. _authentication system: ../authentication/ |
|---|
| 114 |
.. _Subversion: http://subversion.tigris.org/ |
|---|
| 115 |
.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html |
|---|
| 116 |
.. _custom permissions: ../authentication/#custom-permissions |
|---|
