[mod_python] DocumentRoot / security / directory structure questions

Byron Ellacott bje at apnic.net
Tue Feb 10 09:22:14 EST 2004 

On Mon, 2004-02-09 at 15:04, David Geller wrote:
> With mod_python, is it possible to keep your python files outside the 
> DocumentRoot?  I guess it is, with all python files other than the one 
> containing the handler,  but can you put the handler file outside the 
> document root as well?

<Directory /my/app>
  PythonInterpreter myapp
  SetHandler python-program
  PythonHandler myhandler
</Directory>

As long as myhandler is somewhere in sys.path, this will work just
fine.  Note that you can modify sys.path via the PythonPath directive:

  PythonPath "sys.path.append('/opt/my/app/lib')"

As long as your program doesn't further mess with sys.path, this is also
quite efficient, since mod_python doesn't redo PythonPath directives
it's already done.

> 2. Related question - (I think this was answered, but not quite 
> sure...). If you want *all* your requests to come through your python 
> handler, and you are *not* serving *directly* html or img, how do you do 
> this? AND, you basically want to obfiscate the fact you are using 
> python, and want only very generic-looking  file names to appear in the 
> "url" bar (top browser bar).  Of course, your python might itself 
> generate html that will contain references to images, javascript etc - 
> and for these resources, it is fine, for them to be inside your document 
> root

The above <Directory ...> directives (or the same directives in a
.htaccess) will pass all requests through myhandler.handler().  You can
fetch http://your.site/my/app/images/modpy_logo.png and it will call
your handler, even though those files don't exist.

The only gotcha is that DirectoryIndex won't work as expected.  Because
it tests for the existence of various files directly, it won't redirect
to index.html unless that file exists on disk.  I haven't looked into
solving the problem, but I'm sure you can. :)

> 3. And another related question: I have seen apps (e.g., written in PHP) 
> that always have the same (original, simple) url appear in the top URL 
> bar, no matter which URL's are generated by the underlying program (eg., 
> during POST requests). How is this done?

<form method="POST">
<input type="hidden" name="target" value="custdetails">
...
</form>

You can then check for "target" to know what you're supposed to do. 
Whether this is a useful or good practice is another matter, though. :)

-- 
bje

More information about the Mod_python mailing list