Authenticating against Django’s user database from Apache

Warning

Support for mod_python has been deprecated within Django. At that time, this method of authentication will no longer be provided by Django. The community is welcome to offer its own alternate solutions using WSGI middleware or other approaches.

Since keeping multiple authentication databases in sync is a common problem when dealing with Apache, you can configuring Apache to authenticate against Django’s authentication system directly. For example, you could:

  • Serve static/media files directly from Apache only to authenticated users.
  • Authenticate access to a Subversion repository against Django users with a certain permission.
  • Allow certain users to connect to a WebDAV share created with mod_dav.

Configuring Apache

To check against Django’s authorization database from a Apache configuration file, you’ll need to use mod_python’s PythonAuthenHandler directive along with the standard Auth* and Require directives:

<Location /example/>
    AuthType Basic
    AuthName "example.com"
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython
</Location>

Using the authentication handler with Apache 2.2

If you’re using Apache 2.2, you’ll need to take a couple extra steps.

You’ll need to ensure that mod_auth_basic and mod_authz_user are loaded. These might be compiled statically into Apache, or you might need to use LoadModule to load them dynamically (as shown in the example at the bottom of this note).

You’ll also need to insert configuration directives that prevent Apache from trying to use other authentication modules, as well as specifying the AuthUserFile directive and pointing it to /dev/null. Depending on which other authentication modules you have loaded, you might need one or more of the following directives:

AuthBasicAuthoritative Off
AuthDefaultAuthoritative Off
AuthzLDAPAuthoritative Off
AuthzDBMAuthoritative Off
AuthzDefaultAuthoritative Off
AuthzGroupFileAuthoritative Off
AuthzOwnerAuthoritative Off
AuthzUserAuthoritative Off

A complete configuration, with differences between Apache 2.0 and Apache 2.2 marked in bold, would look something like:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so

...

<Location /example/>
    AuthType Basic
    AuthName "example.com"
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
    Require valid-user

    SetEnv DJANGO_SETTINGS_MODULE mysite.settings
    PythonAuthenHandler django.contrib.auth.handlers.modpython
</Location>

By default, the authentication handler will limit access to the /example/ location to users marked as staff members. You can use a set of PythonOption directives to modify this behavior:

PythonOption Explanation
DjangoRequireStaffStatus

If set to on only “staff” users (i.e. those with the is_staff flag set) will be allowed.

Defaults to on.

DjangoRequireSuperuserStatus

If set to on only superusers (i.e. those with the is_superuser flag set) will be allowed.

Defaults to off.

DjangoPermissionName

The name of a permission to require for access. See custom permissions for more information.

By default no specific permission will be required.

Note that sometimes SetEnv doesn’t play well in this mod_python configuration, for reasons unknown. If you’re having problems getting mod_python to recognize your DJANGO_SETTINGS_MODULE, you can set it using PythonOption instead of SetEnv. Therefore, these two Apache directives are equivalent:

SetEnv DJANGO_SETTINGS_MODULE mysite.settings
PythonOption DJANGO_SETTINGS_MODULE mysite.settings
comments powered by Disqus