On 23 January 2015 at 16:33, Graham Dumpleton <[email protected]> wrote:
> Why were you even using:
>
> WSGIScriptAlias /wsgi-scripts/ /home/nitin/wsgi-scripts/index.py
>
> in the first place?
>
> What is significant about the /wsgi-scripts/ URL prefix?
This was from the previous Apache installation, which was working. Also, at that time I had configured SSL with this configuration.

> Is that actually relied on by anything, and if so, how?
>
> What else is in the /home/nitin/wsgi-scripts directory besides .py, .py~,
> httpd.conf and the linked subdirectories?

This is a demo for a proof of concept, which I am preparing for a department / organisation. For the sake of running the demo I am not putting in too many security features. It is running from my laptop for the proof of concept / demo.

> This mix of file types and the fact that you had DocumentRoot set to that
> directory meant you potentially have a huge security hole where your source
> code could be downloaded by accessing the editor backup files. It would also
> have been possible to download your httpd.conf and possibly whatever was in
> the calimgs and fullcalendar-1.5.1 directories. Or do you also have some
> requirement in the case of the subdirectories that they exist so static file
> assets can be accessed from a browser?
>
> There is one very very big reason why it is a good idea to use a web
> framework. That is because the people who write them design them so they have
> good security and follow best practices. Your setup with the way you have
> arranged things and trying to use WSGI is opening yourself up to big security
> issues where stuff isn't protected because you are putting it into a directory
> that Apache serves up files from. I really don't know if I can guide you in
> fixing those problems as it simply is a bad way of going about it.

In the previous installation, all these security things were working. And I did not need to use any framework then. When the full-blown application gets developed, all the features will be incorporated, like no directory listing, SSL, etc. Please, I just need to give this demo of the proof of concept. So configure accordingly.
Thanks
Nitin

> Graham
>
> On 23/01/2015, at 9:01 PM, nitin chandra <[email protected]> wrote:
>
>> List of scripts in /home/nitin/wsgi-scripts
>>
>> addusers.py
>> addusers.py~
>> admin.py
>> admin.py~
>> calimgs --> Directory
>> continuePh.py
>> continuePh.py~
>> continue.py
>> continue.py~
>> dateWiseList.py
>> dateWiseList.py~
>> editPatient.py
>> editPatient.py~
>> fullcalendar-1.5.1 --> Directory
>> home.py
>> home.py~
>> httpd.conf
>> index.py
>> index.py~
>> insertBasic.py
>> insertNew.py
>> insertNew.py~
>> .... more (abridged list)
>>
>> Flow of the application:
>>
>> When we enter healthcare.in in the browser, the first page is
>>
>> index.py --> enter username and password. As this is still in
>> development, I enter my name for both. The same is set in the DB too.
>>
>> When we log in successfully:
>>
>> home.py --> this page has links to other pages like insertBasic.py,
>> editPatient.py, dateWiseList.py, etc.
>>
>> Please don't advise me to use a framework. I am VERY HAPPY with just mod_wsgi.
>> :)
>>
>> My index.py and login.py are pasted below.
>> ==============================================================
>>
>> index.py
>> -----------
>>
>> #!/usr/bin/env python
>>
>> import os, re, sys
>> from datetime import datetime
>> from pymongo import MongoClient
>>
>> class Handler:
>>     def do(self, environ, start_response):
>>
>>         html = """
>> <html><head><title>Informatics</title>
>> </head><body bgcolor=aquamarine>
>> <form method="post" action="login.py">
>> User Name :<input type="text" name="uname"><br><br>
>> Password   :<input type="password" name="paswd1"><br><br>
>> <input type="submit" Value="Log In">
>> </form>
>> </center>
>> </body></html>"""
>>
>>         output = html
>>         mimeType = "text/html"
>>
>>         status = "200 OK"
>>         response_headers = [("Content-type", mimeType),
>>                             ("Content-length", str(len(output)))]
>>
>>         start_response(status, response_headers)
>>         return [output]
>>
>> # wsgi entry point
>> def application(environ, start_response):
>>     handler = Handler()
>>     return handler.do(environ, start_response)
>>
>> =======================================
>> login.py
>> ------------
>> #!/usr/bin/env python
>>
>> import os, sys, string
>> import cgi, base64
>> from pymongo import MongoClient
>>
>> class Handler:
>>     def do(self, environ, start_response):
>>         form = cgi.FieldStorage(fp=environ['wsgi.input'],
>>                                 environ=environ)
>>
>>         html = """
>> <html><head><title>Informatics</title>
>> </head><body bgcolor=aquamarine>
>> """
>>         uname = form.getvalue('uname').lower()
>>         paswdT = form.getvalue('paswd1').lower()
>>         paswd1 = base64.b64encode(paswdT)
>>
>>         connection = MongoClient('localhost', 27017)
>>         db = connection.health
>>         tc = list(db.tb_users.find({'user' : uname}))[0]  # --> works in python prompt
>>         # tc = db.tb_users  --> Old code
>>         #html = ''+ str(uname)+'<br><br>'  --> Old code
>>         #userT = tc.find_one( { 'user' : uname } )  --> Old code
>>         user = str(tc.pop('user'))  # --> works in python prompt
>>         password = tc.pop('password')  # --> works in python prompt
>>
>>         if all ( [ uname == user, paswd1 == password ] ):
>>
>>             html = """
>> <meta http-equiv="refresh"
>> content="0;url=http://www.healthcare.in/home.py" />
>> """
>>         else:
>>             html = '<center><b><h3>User / Password dont match.</h3></b></center>'
>>             html += '<center><b><h3>Click on \'Back\' button on browser to try again.</h3></b></center>'
>>         html += """</center>
>> </body></html>"""
>>
>>         output = html
>>         mimeType = "text/html"
>>
>>         status = "200 OK"
>>         response_headers = [("Content-type", mimeType),
>>                             ("Content-length", str(len(output)))]
>>
>>         start_response(status, response_headers)
>>         return [output]
>>
>> # wsgi entry point
>> def application(environ, start_response):
>>     handler = Handler()
>>     return handler.do(environ, start_response)
>> ================================================
>> home.py
>> ------------
>>
>> #!/usr/bin/env python
>>
>> import os, re, sys
>> from pymongo import MongoClient
>> import base64
>>
>> class Handler:
>>     def do(self, environ, start_response):
>>         connection = MongoClient('localhost', 27017)
>>         db = connection.health
>>         tc = db.tb_users
>>         tcT = db.tb_users.count()
>>         paswd = base64.b64encode('admin123')
>>         if tcT == 0 :
>>             tc.insert({'user' : 'admin', 'password' : paswd})
>>         else :
>>             pass
>>
>>         html = """
>> <html><head><title>Informatics</title></head><body
>> bgcolor=aquamarine><body>
>>
>> <A HREF="patient.py">New Patient</a>
>> <A HREF="intense.py">Intensive Phase</A>
>> <A HREF="continue.py">Continuation Phase</A><br><BR>
>> <A HREF="admin.py">Admin
>> Page</A>
>> <A HREF="patientInfo.py">Edit
>> Patient</A>
>> <a href="reportsList.py">Reports</a><br><br><br>
>> <A href="index.py">Log Out</a>
>> </center>
>> </body></html>"""
>>
>>         output = html
>>         mimeType = "text/html"
>>
>>         status = "200 OK"
>>         response_headers = [("Content-type", mimeType),
>>                             ("Content-length", str(len(output)))]
>>
>>         start_response(status, response_headers)
>>         return [output]
>>
>> # wsgi entry point
>> def application(environ, start_response):
>>     handler = Handler()
>>     return handler.do(environ, start_response)
>>
>>
>> On 23 January 2015 at 03:34, Graham Dumpleton
>> <[email protected]> wrote:
>>> What do you actually have in the directory:
>>>
>>> /home/nitin/wsgi-scripts
>>>
>>> Up till now you have given the impression you only have a single WSGI
>>> application script file called index.py.
>>>
>>> You are now mentioning a home.py file, which suggests you have more than
>>> one WSGI script file in that directory.
>>>
>>> Your prior description overall of what you expect to happen when you visit
>>> different URLs therefore appears to be incomplete.
>>>
>>> So can you describe better how your overall WSGI application hangs together
>>> and whether you are using one WSGI script file with some sort of framework
>>> which does routing or whether you have separate WSGI script files for
>>> different URLs.
>>>
>>> If you have multiple WSGI script files, then the configuration required
>>> would be different.
>>>
>>> If you don't but you are not using a framework, then you are likely not
>>> constructing relative links for access over resources in your application
>>> correctly.

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.
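An Apache 2.4 fragment added here as illustration (it is not from the thread, from Nitin's httpd.conf or from the mod_wsgi documentation) that contrasts the layout Graham objects to, where DocumentRoot is the scripts directory, with one that keeps the scripts, their editor backups and httpd.conf outside anything Apache serves as files. The static root /home/nitin/htdocs and the decision to keep every script under the /wsgi-scripts/ URL prefix are assumptions.

```apache
# "Before" picture from the thread, kept only as a comment: scripts, *.py~
# backups and httpd.conf all sit under DocumentRoot, so a request for
# /index.py~ or /httpd.conf hands back the file contents.
#
#   DocumentRoot /home/nitin/wsgi-scripts
#   WSGIScriptAlias /wsgi-scripts/ /home/nitin/wsgi-scripts/index.py

# Split layout: a separate static root that holds no Python code at all.
# /home/nitin/htdocs is an assumed path.
DocumentRoot /home/nitin/htdocs
<Directory /home/nitin/htdocs>
    Options -Indexes
    Require all granted
</Directory>

# The two asset directories the scripts link to are published explicitly,
# under the same prefix so relative links like calimgs/x.png keep working.
# Alias lines come before the WSGI mapping so mod_alias sees them first.
Alias /wsgi-scripts/calimgs /home/nitin/wsgi-scripts/calimgs
Alias /wsgi-scripts/fullcalendar-1.5.1 /home/nitin/wsgi-scripts/fullcalendar-1.5.1

# One WSGI application per script file, still reachable as
# /wsgi-scripts/index.py, /wsgi-scripts/login.py and so on. Only names
# ending in .py are mapped, so index.py~ is neither executed nor served,
# and the .py sources themselves are never delivered as plain files
# because no Alias or DocumentRoot points at them.
WSGIScriptAliasMatch ^/wsgi-scripts/([^/]+\.py)$ /home/nitin/wsgi-scripts/$1

<Directory /home/nitin/wsgi-scripts>
    Options -Indexes
    Require all granted
</Directory>

# Belt and braces: should a later Alias or DocumentRoot change expose the
# directory again, editor backups and the Apache config are refused outright.
<FilesMatch "(~|\.conf)$">
    Require all denied
</FilesMatch>
```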
