[mod_python] Configuring mod_python via reverse proxy

Graham Dumpleton grahamd at dscpl.com.au
Wed Dec 14 18:14:57 EST 2005


Jorey Bump wrote ..
> Roberto C. Sanchez wrote:
> > Jim Gallacher wrote:
> > 
> >>This may be too obvious but is AllowOverride perhaps set to None such
> >>that your .htaccess file is not getting processed?
> >>
> >>Jim
> >>
> > 
> > OK.  I feel like a complete retard.  In copying over the VirtualHost
> > settings for the instance of apache running from $HOME, I accidentally
> > copied the wrong AllowOverride line.  It was set to None.  Thus, when I
> > accessed mod_python from the main apache server running on port 80, it
> > worked since it was allowing the override.  When I proxied to the
> > instance on port 8080, it failed, as the overrides were not allowed.
> > 
> > Thanks for the blinding insight.
> 
> This is why I suggested using your custom configuration file instead of
> .htaccess, and still recommend it if you're running your own instance of
> apache.
> 
> It's up to you to decide if it's safe to share the directory between 
> multiple instances of apache. You risk an information leak by leaving 
> source code in public_html.

Another non-obvious problem which arises because of this arrangement is
that if the second instance of Apache you are running has write access
to the directories, it will dump Python .pyc files. If you are then only
using AddHandler and not SetHandler, there will be nothing to stop
someone specifying a URL which targets the .pyc files and they will be
able to download them also and then decompile them, thus potentially
getting access to sensitive information.

Good idea to have an explicit rule:

  <Files *.pyc>
  deny from all
  </Files>

Graham
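
An added example, not part of the original post: a small audit that walks a document root and reports compiled Python files that would be handed out as static files without a deny rule, plus the source directories where the current user could leave new ones. The function names and the sample tree are constructed for illustration; run it as the account the Apache instance runs under so the write check reflects that instance.

```python
import os
import tempfile

BYTECODE_EXTS = (".pyc", ".pyo")


def audit_docroot(docroot):
    """Walk docroot and return (bytecode_files, writable_dirs), sorted, relative.

    bytecode_files: compiled Python files that a server using only AddHandler
    for .py would serve as plain static files.
    writable_dirs: directories holding .py sources that the current user can
    write to, i.e. where importing a module can leave a new bytecode file.
    """
    bytecode, writable = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        for name in filenames:
            if name.endswith(BYTECODE_EXTS):
                bytecode.append(os.path.normpath(os.path.join(rel_dir, name)))
        has_source = any(n.endswith(".py") for n in filenames)
        if has_source and os.access(dirpath, os.W_OK):
            writable.append(os.path.normpath(rel_dir))
    return sorted(bytecode), sorted(writable)


def build_sample_tree(root):
    """Constructed sample layout: a public_html with one stray .pyc file."""
    app = os.path.join(root, "public_html", "app")
    os.makedirs(app)
    for name in ("index.py", "index.pyc", "style.css"):
        with open(os.path.join(app, name), "w") as fh:
            fh.write("# constructed sample file\n")
    return os.path.join(root, "public_html")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found, writable = audit_docroot(build_sample_tree(tmp))
        for path in found:
            print("served as static file unless denied:", path)
        for path in writable:
            print("writable, bytecode can appear here:", path)
```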

