From: Bruno Desthuilliers on 21 Jun 2010 06:00

News123 wrote:
> Hi,
>
>
> So far I never really had to ask this question and this is also, why I
> am still a little shaky on this topic:
>
> So far the typical LAMP server existed already and contained already a
> lot of existing PHP web applications, which I couldn't remove.
> Therefore I just used mod_python to implement some minor functionality
> next to it.
>
> Now I have the opportunity to setup a server from scratch.
> 90% of the content will be non visual content over https with client AND
> server certificates.
> Access privileges will depend on the client certificate.
>
> I will only have one IP address and only port 443.
>
> 1.) What alternatives would exist compared to apache / mod_python

wsgi + any wsgi-compatible web server.

> 2.) What disadvantage would I have using apache and mod_python compared
> to other solutions

Err... I guess you already got the most important answer on this !-)

> 3.) What's the stability / security aspect of other solutions,
> especially concerning client / server certificates

Can't tell, sorry.

> 4.) How could I prepare for the case, that customer might later on
> require PHP? (not very probably, but who knows.

Just make sure you can run PHP with the web server you choose.

From: Christian Heimes on 21 Jun 2010 06:25

> I will only have one IP address and only port 443.
>
> 1.) What alternatives would exist compared to apache / mod_python

You can use a combination of mod_proxy and mod_rewrite to set up a
forwarding proxy in your Apache server. Let Apache deal with SSL,
virtual hosting etc. Then bind your application to a local port (e.g.
localhost:8080) and configure the Apache proxy to rewrite your requests.
Pound offers a similar setup.

Christian

From: News123 on 21 Jun 2010 20:19

News123 wrote:
> Hi,
>
>
> So far I never really had to ask this question and this is also, why I
> am still a little shaky on this topic:
>
> So far the typical LAMP server existed already and contained already a
> lot of existing PHP web applications, which I couldn't remove.
> Therefore I just used mod_python to implement some minor functionality
> next to it.
>
> Now I have the opportunity to setup a server from scratch.
> 90% of the content will be non visual content over https with client AND
> server certificates.
> Access privileges will depend on the client certificate.

Thanks a lot for all your answers.

So it seems it's rather smart to not stick with mod_python, though it
might be, that it's just restin'.

As a first test I tried to use apache with mod_wsgi and a hello world
python wsgi script. This works fine.

Almost everything of my mod_python code should translate rather easily.

The one problem that I have is the following. My mod_python code uses:

    req.add_common_vars()
    ssh_dn_o = req.ssl_var_lookup("SSL_CLIENT_S_DN_O")

How could I obtain apache's SSL variable 'SSL_CLIENT_S_DN_O'?

I'd like, that my script reacts differently depending on the client's
SSL certificate.

If that problem is solved then I could probably get rid of mod_python.

From: News123 on 21 Jun 2010 20:37

Hi Kruptein,

Kruptein wrote:
> I think that apache and mod_python are good enough, but I'm not an
> expert.
>
> but I think that the security aspect for a large part depends on how
> secure your code is.
>
> You can have a very secure server setting, but somewhere a bug in your
> code that makes it insecure.

Agreed. There's a lot of potential to make stupid things in one's own
code.

In my case however I'd like to reject access to anybody not having a
client certificate.

Though users should be identified by their certificates it would (in my
current case) not be a major disaster if one user would gain control
over another user's data. The group of users is limited and all users
are trusted during the lifetime of their certificate.

Most important for me is, that my python script is only called when the
certificate is valid.
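
A WSGI counterpart of the req.ssl_var_lookup("SSL_CLIENT_S_DN_O") call asked about above, as an added example that is not code from any poster in this thread. It assumes Apache mod_ssl is configured with "SSLVerifyClient require" and "SSLOptions +StdEnvVars", so that mod_ssl's variables appear in the WSGI environ. The PRIVILEGES table, the organisation names and the call() helper are hypothetical.

```python
# Added example: read the client certificate's O field inside a WSGI app.
# Assumption: mod_ssl exports its variables (SSLOptions +StdEnvVars).

# Hypothetical mapping from certificate organisation (O=) to privileges.
PRIVILEGES = {
    "Example Admins": {"read", "write"},
    "Example Partners": {"read"},
}


def client_org(environ):
    """Return the verified client certificate's O field, or None.

    Fails closed: unless SSL_CLIENT_VERIFY is exactly "SUCCESS" the DN
    is ignored, even if a DN variable happens to be present.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN_O") or None


def application(environ, start_response):
    org = client_org(environ)
    allowed = PRIVILEGES.get(org, set())
    if org is None or not allowed:
        # No verified certificate, or an organisation we do not know.
        status, body = "403 Forbidden", b"client certificate required\n"
    elif environ.get("REQUEST_METHOD") != "GET" and "write" not in allowed:
        status, body = "403 Forbidden", b"read-only certificate\n"
    else:
        status = "200 OK"
        body = ("hello, %s\n" % org).encode("utf-8")
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def call(environ):
    """Run the app on a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(application(environ, start_response))
    return seen["status"], body
```

If the application is instead bound to a local port behind mod_proxy, as suggested earlier in the thread, these variables are not in the backend's environ and the check above rejects every request.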