Version 4.3.0

Version 4.3.0 of mod_wsgi can be obtained from:

Known Issues

1. The makefiles for building mod_wsgi on Windows are currently broken and need updating. As most new changes relate to mod_wsgi daemon mode, which is not supported under Windows, you should keep using the last available binary for version 3.X on Windows instead.

Bugs Fixed

1. Performing authorization using the WSGIAuthGroupScript was not working correctly on Apache 2.4 due to changes in how auth providers and authentication/authorization works. The result could be that a user could gain access to a resource even though they were not in the required group.

2. Under Apache 2.4, when creating the environ dictionary for passing into access/authentication/authorisation handlers, the behvaiour of Apache 2.4 as it pertained to the WSGI application, whereby it blocked the passing of any HTTP headers with a name which did not contain just alphanumerics or ‘-’, was not being mirrored. This created the possibility of HTTP header spoofing in certain circumstances. Such headers are now being ignored.

3. When home option was used with WSGIDaemonProcess directive an empty string was added to sys.path. This meant current working directory would be searched. This was fine so long as the current working directory wasn’t changed, but if it was, it would no longer look in the home directory. Need to use the actual home directory instead.

4. Fixed Django management command integration so would work for versions of Django prior to 1.6 where BASE_DIR didn’t exist in Django settings module.

Features Changed

1. In Apache 2.4, any headers with a name which does not include only alphanumerics or ‘-’ are blocked from being passed into a WSGI application when the CGI like WSGI environ dictionary is created. This is a mechanism to prevent header spoofing when there are multiple headers where the only difference is the use of non alphanumerics in a specific character position.

This protection mechanism from Apache 2.4 is now being restrospectively applied even when Apache 2.2 is being used and even though Apache itself doesn’t do it. This may technically result in headers that were previously being passed, no longer being passed. The change is also technically against what the HTTP RFC says is allowed for HTTP header names, but such blocking would occur in Apache 2.4 anyway due to changes in Apache. It is also understood that other web servers such as nginx also perform the same type of blocking. Reliance on HTTP headers which use characters other than alphanumerics and ‘-’ is therefore dubious as many servers will now discard them when needing to be passed into a system which requires the headers to be passed as CGI like variables such as is the case for WSGI.

2. In Apache 2.4, only wsgi-group is allowed when using the Require directive for group authorisation. In prior Apache versions group would also be accepted and matched by the wsgi auth provider. The inability to use group is due to a change in Apache itself and not mod_wsgi. To avoid any issues going forward though, the mod_wsgi code will now no longer check for group even if for some reason Apache still decides to pass the authorisation check off to mod_wsgi even when it shouldn’t.

New Features

1. The value of the REMOTE_USER variable for an authenticated user when user Basic authentication can now be overridden from an authentication handler specified using the WSGIAuthUserScript. To override the name used to identify the user, instead of returning True when indicating that the user is allowed, return the name to be used for that user as a string. That value will then be passed through in REMOTE_USER in place of any original value:

def check_password(environ, user, password):
    if user == 'spy':
        if password == 'secret':
            return 'grumpy'
        return False
    return None

2. Added the --debug-mode option to mod_wsgi-express which results in Apache and the WSGI application being run in a single process which is left attached to stdin/stdout of the shell where the script was run. Only a single thread will be used to handle any requests.

This feature enables the ability to interactively debug a Python WSGI application using the Python debugger (pdb). The simplest way to break into the Python debugger is by adding to your WSGI application code:

import pdb; pdb.set_trace()

3. Added the --application-type option to mod_wsgi-express. This defaults to script indicating that the target WSGI application provided to mod_wsgi-express is a WSGI script file defined by a relative or absolute file system path.

In addition to script, it is also possible to supply for the application type module and paste.

For the case of module, the target WSGI application will be taken to reside in a Python module with the specified name. This module will be loaded using the standard Python module import system and so must reside on the Python module search path.

For the case of paste, the target WSGI application will be taken to be a Paste deployment configuration file. In loading the Paste deployment configuration file, any WSGI application pipeline specified by the configuration will be constructed and the resulting top level WSGI application entry point returned used as the WSGI application.

Note that the code file for the WSGI script file, Python module, or Paste deployment configuration file, if modified, will all result in the WSGI application being automatically reloaded on the next web request.

4. Added the --auth-user-script and --auth-type options to mod_wsgi-express to enable the hosted site to implement user authentication using either HTTP Basic or Digest authentication mechanisms. The check_password() or get_realm_hash() functions should follow the same form as if using the WSGIAuthUserScript direct with mod_wsgi when using manual configuration.

5. Added the --auth-group-script and --auth-group options to mod_wsgi-express to enable group authorization to be performed using a group authorization script, in conjunction with a user authentication script. The groups_for_user() function should follow the same form as if using the WSGIAuthGroupScript direct with mod_wsgi when using manual configuration.

By default any users must be a member of the wsgi group. The name of this group though can be overridden using the --auth-group option. It is recommended that this be overridden rather than changing your own application to use the wsgi group.

6. Added the --directory-index option to mod_wsgi-express to enable a index resource to be added to the document root directory which would take precedence over the WSGI application for the root page for the site.

7. Added the --with-php5 option to mod_wsgi-express to enable the concurrent hosting of a PHP web application in conjunction with the WSGI application. Due to the limitations of PHP, this is currently only supported if using prefork MPM.

8. Added the --server-name option to mod_wsgi-express. When this is used and set to the host name for the web site, a virtual host will be created to ensure that the server only accepts web requests for that host name.

If the host name starts with www. then web requests will also be accepted against the parent domain, that is the host name without the www., but those requests will be automatically redirected to the specified host name on the same port as that used for the original request.

When the --server-name option is being used, the --server-alias option can also be specified, multiple times if need be, to setup alternate names for the web site on which web requests should also be accepted. Wildcard aliases may be used in the name if wishing to match multiple sub domains in one go.

If for some reason you do still need to be able to access the server via localhost when a virtual host for a set server name is being used, you can supply the --allow-localhost option.

9. Added the --rotate-logs option to mod_wsgi-express to enable log file rotation. By default the error log and access log, if enabled, will be rotated when they reach 5MB in size. To change the size at which the log files will be rotated, use the --max-log-size option. If the rotatelogs command is not being found properly, its location can be specified using the --rotatelogs-executable option.

10. Added the --ssl-port and --ssl-certificate options to mod_wsgi-express. When both are set, with the latter being the stub path for the SSL certificate .crt and .key file, then HTTPS requests will be handled over the designated SSL port.

When --https-only is supplied, any requests made over HTTP to the non SSL port will be automatically redirected so as to use a HTTPS connection over the SSL connection.

Note that if using the --allow-localhost option, redirection from a HTTP to HTTPS connection will not occur when access via localhost.

11. Added the --setenv option to mod_wsgi-express to enable request specific name/value pairs to be added to the WSGI environ dictionary. The values are restricted to string values.

Also added a companion --passenv option to mod_wsgi-express to indicate the names of normal process environment variables which should be added to the per request WSGI environ dictionary.

12. Added the WSGIMapHEADToGET directive for overriding the previous behaviour of automatically mapping any HEAD request to a GET request when an Apache output filter was registered that may want to see the complete response in order to generate correct response headers.

The directive can be set to be either Auto (the default), On which will always map a HEAD to GET even if no output filters detected and Off to always preserve the original request method type.

The original behaviour was to avoid problems with users trying to optimise for HEAD requests and then breaking caching mechanisms because the response headers for a HEAD request for a resource didn’t match a GET request against the same resource as required by HTTP.

If using mod_wsgi-express, the --map-head-to-get option can be used with the same values.

12. Added the --compress-responses option to mod_wsgi-express to enable compression of common text based responses such as plain text, HTML, XML, CSS and Javascript.