Apache Howto
This page describes how to use Apache in a real installation to control access to a PyFlag installation. This does not describe how to run PyFlag from mod_python, but rather how to integrate several different instances of PyFlag into the same Apache URL tree.
Requirements
A PyFlag installation often requires access control and possibly SSL encryption. Sometimes it is also necessary to run an instance of PyFlag with a reduced set of plugins, to provide restricted functionality to users (for example, not allowing users to remove cases).
The best way to achieve this is through Apache's mod_proxy. This way a standard Apache installation can be used to control access to PyFlag (as well as provide standard Apache static content or other web applications if needed).
It is also recommended that PyFlag installations be password protected. Although PyFlag has user access controls, it is best to allow Apache to do this task, through the standard Apache user access controls.
Solution
Installing Apache is very distribution specific, but is usually done using something like:
apt-get install apache2
SSL support can be enabled by creating a virtual host (usually in /etc/apache2/sites-enabled/siteconf):
<VirtualHost www.domain.com:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/"
ServerName www.domain.com:443
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enabled protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/www.domain.com.cert
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/www.domain.com.key
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
## This stuff is to handle pyflag redirection:
## Some authentication required:
<Location "/pyflag/">
Options Indexes FollowSymLinks
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /etc/httpd/passwd
Require user username
</Location>
## Flick requests off to pyflag server
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPass /pyflag/ http://127.0.0.1:8000/
ProxyPassReverse /pyflag/ http://127.0.0.1:8000/
</IfModule>
</VirtualHost>
The last clause causes URLs of the form *http://www.domain.com/pyflag/* to be fetched from the pyflag server running on 127.0.0.1 port 8000. The listening port can be adjusted with the --httpserver_port command line option to pyflag.
In this way it is possible to have several different pyflag servers running (each with a different --httpserver_port port). Some of these servers may be running a reduced set of plugins specified by the --plugins command line option.
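The multi-instance layout described above, as an added example that is not part of the original page. It also swaps the SSLProtocol and SSLCipherSuite values shown earlier for stricter ones. Port 8001, the /pyflag-restricted/ path, the realm names and the user names (caseadmin, analyst1, analyst2) are assumptions made for illustration.

```apache
# Added example with constructed values; adjust paths, ports and users.
<VirtualHost www.domain.com:443>
    ServerName www.domain.com:443
    SSLEngine on
    # Stricter than "all -SSLv2": also refuse SSLv3 and early TLS.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Drop the LOW, MEDIUM and RC4 suites that the earlier list allowed.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/www.domain.com.cert
    SSLCertificateKeyFile /etc/pki/tls/private/www.domain.com.key

    # Full instance, assumed started with --httpserver_port 8000.
    # Only the (hypothetical) case administrator may reach it.
    <Location "/pyflag/">
        AuthType Basic
        AuthName "PyFlag full"
        AuthUserFile /etc/httpd/passwd
        Require user caseadmin
    </Location>

    # Restricted instance, assumed started with --httpserver_port 8001
    # and a reduced --plugins list. Analysts are only listed here.
    <Location "/pyflag-restricted/">
        AuthType Basic
        AuthName "PyFlag restricted"
        AuthUserFile /etc/httpd/passwd
        Require user caseadmin analyst1 analyst2
    </Location>

    <IfModule mod_proxy.c>
        # Reverse proxy only; never act as a forward proxy.
        ProxyRequests Off
        ProxyPass /pyflag/ http://127.0.0.1:8000/
        ProxyPassReverse /pyflag/ http://127.0.0.1:8000/
        ProxyPass /pyflag-restricted/ http://127.0.0.1:8001/
        ProxyPassReverse /pyflag-restricted/ http://127.0.0.1:8001/
    </IfModule>
</VirtualHost>
```

The separation between the two instances holds only if ports 8000 and 8001 cannot be reached except through Apache; any local account on the host can connect to a loopback port directly and skip the Basic authentication. Run apachectl configtest before reloading to catch syntax errors.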
