> On 30 Jan 2018, at 2:55 am, Philip White <[email protected]> wrote:
> 
> We're using mod_wsgi-express to run a Flask app under Apache, hosted in a 
> Docker container (on an EC2 instance in AWS).
> All is well, but a corporate security scan is throwing up a few suggested 
> security lockdowns, namely disabling TRACE support and universally adding a 
> couple of HTTP headers (X-Content-Type-Options and 
> Strict-Transport-Security). From what I see that seems to mean adding and 
> configuring a couple of Apache modules: rewrite_module (for the TRACE) and 
> headers_module.
> 
> Is there any way to do this via mod_wsgi-express so it can still be launched 
> from a single command line? I've looked for a command line option that does 
> something like importing a user configuration block, but don't see it.
> Or is the only option to use --setup-only to generate the httpd.conf then 
> script something to dynamically add the required configuration?

You want either the --include-file option or the --rewrite-rules option.

  --include-file FILE-PATH
                        Specify the path to an additional web server
                        configuration file to be included at the end of the
                        generated web server configuration file.
  --rewrite-rules FILE-PATH
                        Specify an alternate server configuration file which
                        contains rewrite rules. Defaults to using the
                        'rewrite.conf' stored under the server root directory.

Because rewrite rules are sensitive to where they are placed, the 
--rewrite-rules option should be used if they need to be within the Directory 
block corresponding to the document directory which is first mapped when doing 
URL resolution.

If you don't know if the Apache module you need is already loaded, use the 
following form:

<IfModule !version_module>
LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
</IfModule>

MOD_WSGI_MODULES_DIRECTORY will be set as an environment variable to the correct 
directory where Apache modules are installed.

For strict transport security also see:

  --hsts-policy PARAMS  Specify the HSTS policy that should be applied when
                        HTTPS only connections are being enforced.

Graham
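
An include file for the two non-HSTS items raised in the question, as an added example that is not part of the original thread or the mod_wsgi project's own configuration. The file name security.conf and the script name wsgi.py are assumptions, and TRACE is disabled with the core TraceEnable directive rather than a rewrite rule.

```apache
# security.conf (constructed example; the file name is an assumption)
# Launch (wsgi.py is a hypothetical application script):
#   mod_wsgi-express start-server wsgi.py --include-file security.conf

# Refuse TRACE requests server-wide. TraceEnable is a core directive,
# so rewrite_module is not needed for this.
TraceEnable off

# Load mod_headers only if the generated configuration has not already
# done so, using the guarded form shown in the reply above.
<IfModule !headers_module>
LoadModule headers_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_headers.so'
</IfModule>

# "always" adds the header to error responses as well as successful ones.
Header always set X-Content-Type-Options "nosniff"

# Strict-Transport-Security is left to the --hsts-policy option.

# Check after starting (port 8000 is the mod_wsgi-express default):
#   curl -i -X TRACE http://localhost:8000/   -> expect 405 Method Not Allowed
#   curl -sI http://localhost:8000/           -> expect X-Content-Type-Options: nosniff
```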


