On 15 Apr 2015, at 3:21 pm, Larry Davis <[email protected]> wrote:

> Hello All,
>
> After fighting with Apache, Django, and mod_wsgi for almost a week, I discovered and installed mod_wsgi-httpd and mod_wsgi 4.4.11 today. Looks great and works right out of the box -- thanks Graham!
>
> My question is about using the server in production security. In its present, newly installed state, is it hardened and ready for use on the Internet, or do we need to apply our own modifications like turning off ServerSignature?

ServerSignature is Off.

> If we do have to apply our own mods, what's the best way to do it? What sort of other modifications would you normally make?

Always happy to add more things if it helps lock it down further as default if necessary.

For cases where some customisation is necessary, one can use the --include-file option to include an Apache configuration snippet file. This will be included after all of the generated configuration, so depending a bit on what directives you are setting, it will override what has already been set.

> I ran the configuration from my Django project directory where my manage.py file resides. I'm running the server using the apachectl script as user and group apache on port 80 with the configuration in a subdirectory in /etc/.

Setting the --server-root directory as a directory under /etc is good, but you also probably want to set --log-directory to be a directory under /var/log.

Next thing to contemplate is how you want to deal with log file truncation/rotation. If you use the --rotate-logs option, logs will be rotated after 5MB has been logged. There is nothing in mod_wsgi-express to clean up older log files and I don't believe Apache itself removes old ones, so you may want to incorporate something into system cron to remove old log files as necessary.

Also be aware that access logging is not on by default; if you want that then use --access-log. If enabled it is also influenced by --rotate-logs.

Finally, SSL can be enabled if you have a certificate and haven't done that already. If using SSL there is an option to force use of SSL only. There is also an option to specify an HSTS policy (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).

My Internet access will soon be non-existent for a day or so and possibly then off by choice until end of weekend, but if you've got any other questions let me know.

Graham

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.
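The setup Graham describes (server root under /etc, logs under /var/log, --rotate-logs, --access-log, an --include-file snippet that overrides the generated config, HTTPS only with an HSTS policy, cron cleanup of old logs) as an added shell example; this is not code from the thread or from the mod_wsgi project. The option names are mod_wsgi-express's own as I know them, while the paths, the certificate prefix, the HSTS value and the rotated-log name pattern are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or mod_wsgi itself. Assumes a Django
# project directory as CWD and a mod_wsgi-express that supports the options
# below; every path and the certificate prefix are placeholders.
set -eu

# Writes the Apache snippet that --include-file appends after the generated
# configuration, so these directives override whatever mod_wsgi-express emitted.
write_hardening_conf() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF
}

# Builds (does not run) the setup-server command line so it can be reviewed:
# config under /etc, logs under /var/log, rotation and access log enabled,
# HTTPS only with an HSTS policy, plus the hardening snippet.
# $1 = server root, $2 = log directory, $3 = include file.
build_setup_command() {
  printf '%s' "mod_wsgi-express setup-server \
--user apache --group apache --port 80 --https-port 443 \
--ssl-certificate /etc/ssl/private/example \
--https-only --hsts-policy 'max-age=31536000; includeSubDomains' \
--server-root $1 --log-directory $2 --rotate-logs --access-log \
--include-file $3"
}

# Checks a generated httpd.conf for the hardening directives; prints each
# missing one and returns 1 if anything is missing, 0 otherwise.
check_hardening() {
  missing=0
  for directive in 'ServerTokens Prod' 'ServerSignature Off' 'TraceEnable Off'; do
    grep -Eq "^[[:space:]]*$directive" "$1" || { echo "missing: $directive"; missing=1; }
  done
  return $missing
}

# Cron-style cleanup, since mod_wsgi-express does not prune rotated logs.
# The name pattern is an assumption; adjust it to what rotatelogs writes.
prune_old_logs() {
  find "$1" -type f -name '*_log.*' -mtime +14 -print -delete
}
```

Run write_hardening_conf first, then the printed setup-server command, and point check_hardening at the httpd.conf that ends up under the server root.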
