2
0

apache-auth.txt 5.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138
  1. ==============================================================
  2. How to authenticate against Django's user database from Apache
  3. ==============================================================
  4. Since keeping multiple authentication databases in sync is a common problem when
  5. dealing with Apache, you can configure Apache to authenticate against Django's
  6. :doc:`authentication system </topics/auth/index>` directly. This requires Apache
  7. version >= 2.2 and mod_wsgi >= 2.0. For example, you could:
  8. * Serve static/media files directly from Apache only to authenticated users.
  9. * Authenticate access to a Subversion_ repository against Django users with
  10. a certain permission.
  11. * Allow certain users to connect to a WebDAV share created with mod_dav_.
  12. .. note::
  13. If you have installed a :ref:`custom user model <auth-custom-user>` and
  14. want to use this default auth handler, it must support an ``is_active``
  15. attribute. If you want to use group based authorization, your custom user
  16. must have a relation named 'groups', referring to a related object that has
  17. a 'name' field. You can also specify your own custom mod_wsgi
  18. auth handler if your custom cannot conform to these requirements.
  19. .. _Subversion: https://subversion.apache.org/
  20. .. _mod_dav: https://httpd.apache.org/docs/2.2/mod/mod_dav.html
  21. Authentication with ``mod_wsgi``
  22. ================================
  23. .. note::
  24. The use of ``WSGIApplicationGroup %{GLOBAL}`` in the configurations below
  25. presumes that your Apache instance is running only one Django application.
  26. If you are running more than one Django application, please refer to the
  27. `Defining Application Groups`_ section of the mod_wsgi docs for more
  28. information about this setting.
  29. Make sure that mod_wsgi is installed and activated and that you have
  30. followed the steps to set up :doc:`Apache with mod_wsgi
  31. </howto/deployment/wsgi/modwsgi>`.
  32. Next, edit your Apache configuration to add a location that you want
  33. only authenticated users to be able to view:
  34. .. code-block:: apache
  35. WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
  36. WSGIPythonPath /path/to/mysite.com
  37. WSGIProcessGroup %{GLOBAL}
  38. WSGIApplicationGroup %{GLOBAL}
  39. <Location "/secret">
  40. AuthType Basic
  41. AuthName "Top Secret"
  42. Require valid-user
  43. AuthBasicProvider wsgi
  44. WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
  45. </Location>
  46. The ``WSGIAuthUserScript`` directive tells mod_wsgi to execute the
  47. ``check_password`` function in specified wsgi script, passing the user name and
  48. password that it receives from the prompt. In this example, the
  49. ``WSGIAuthUserScript`` is the same as the ``WSGIScriptAlias`` that defines your
  50. application :doc:`that is created by django-admin startproject
  51. </howto/deployment/wsgi/index>`.
  52. .. admonition:: Using Apache 2.2 with authentication
  53. Make sure that ``mod_auth_basic`` and ``mod_authz_user`` are loaded.
  54. These might be compiled statically into Apache, or you might need to use
  55. LoadModule to load them dynamically in your ``httpd.conf``:
  56. .. code-block:: apache
  57. LoadModule auth_basic_module modules/mod_auth_basic.so
  58. LoadModule authz_user_module modules/mod_authz_user.so
  59. Finally, edit your WSGI script ``mysite.wsgi`` to tie Apache's authentication
  60. to your site's authentication mechanisms by importing the ``check_password``
  61. function::
  62. import os
  63. os.environ["DJANGO_SETTINGS_MODULE"] = "mysite.settings"
  64. from django.contrib.auth.handlers.modwsgi import check_password
  65. from django.core.handlers.wsgi import WSGIHandler
  66. application = WSGIHandler()
  67. Requests beginning with ``/secret/`` will now require a user to authenticate.
  68. The mod_wsgi `access control mechanisms documentation`_ provides additional
  69. details and information about alternative methods of authentication.
  70. .. _Defining Application Groups: https://modwsgi.readthedocs.io/en/develop/user-guides/configuration-guidelines.html#defining-application-groups
  71. .. _access control mechanisms documentation: https://modwsgi.readthedocs.io/en/develop/user-guides/access-control-mechanisms.html
  72. Authorization with ``mod_wsgi`` and Django groups
  73. -------------------------------------------------
  74. mod_wsgi also provides functionality to restrict a particular location to
  75. members of a group.
  76. In this case, the Apache configuration should look like this:
  77. .. code-block:: apache
  78. WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
  79. WSGIProcessGroup %{GLOBAL}
  80. WSGIApplicationGroup %{GLOBAL}
  81. <Location "/secret">
  82. AuthType Basic
  83. AuthName "Top Secret"
  84. AuthBasicProvider wsgi
  85. WSGIAuthUserScript /path/to/mysite.com/mysite/wsgi.py
  86. WSGIAuthGroupScript /path/to/mysite.com/mysite/wsgi.py
  87. Require group secret-agents
  88. Require valid-user
  89. </Location>
  90. To support the ``WSGIAuthGroupScript`` directive, the same WSGI script
  91. ``mysite.wsgi`` must also import the ``groups_for_user`` function which
  92. returns a list groups the given user belongs to.
  93. .. code-block:: python
  94. from django.contrib.auth.handlers.modwsgi import check_password, groups_for_user
  95. Requests for ``/secret/`` will now also require user to be a member of the
  96. "secret-agents" group.