[mod_python] DocumentRoot / security / directory structure questions

David Geller dg at sponsera.com
Mon Feb 9 00:04:59 EST 2004


1. I hope this doesn't sound *too* naive, but I have this question. For 
cgi scripts, books tell you not to include the scripts within your 
document root, for "security" reasons (not exactly sure why this is, but 
I suppose this is a bit of extra security to prevent folks from viewing 
the raw python files via some apache backdoor....). So typically, with 
ScriptAlias, your cgi directory can be anywhere (and outside the 
DocumentRoot) and life is good.

With mod_python, is it possible to keep your python files outside the 
DocumentRoot?  I guess it is, with all python files other than the one 
containing the handler,  but can you put the handler file outside the 
document root as well?

I have read through most of the mod_python mail archives, and issues 
related to this are mentioned, but not his exactly (I think).

2. Related question - (I think this was answered, but not quite 
sure...). If you want *all* your requests to come through your python 
handler, and you are *not* serving *directly* html or img, how do you do 
this? AND, you basically want to obfiscate the fact you are using 
python, and want only very generic-looking  file names to appear in the 
"url" bar (top browser bar).  Of course, your python might itself 
generate html that will contain references to images, javascript etc - 
and for these resources, it is fine, for them to be inside your document 

3. And another related question: I have seen apps (e.g., written in PHP) 
that always have the same (original, simple) url appear in the top URL 
bar, no matter which URL's are generated by the underlying program (eg., 
during POST requests). How is this done?

Much obliged!

David Geller

More information about the Mod_python mailing list