Flask + mod_wsgi + httpd: All resources tried on DocumentRoot?

In Brief

I have a WSGI script mounted at /app. If I request /app/resource, I get a correct response. But I also get an entry in my error log as if I had requested /resource. What could cause this?

In Detail

I have a Flask application deployed with Apache 2.4 + mod_wsgi on AWS EC2:

  1. The application lives at /my/app/path
  2. The app.wsgi file lives at /var/www/wsgi and points to /my/app/path
  3. The Apache config for the www.website.com vhost points to the WSGI script:
    WSGIScriptAlias /app /var/www/wsgi/app.wsgi

When I GET www.website.com/app/some_resource/..., I receive the expected response for that resource with code 200.

However, when I check the Apache error logs, I find loads of entries for denied requests, e.g.:

[authz_core:error] [pid XXXXX] [client XXXXX] XXXXX: client denied by server configuration: /var/www/html/some_resource

The logged errors correspond 1-to-1 with requests that, as stated, come back 200.

Now, /var/www/html is the default DocumentRoot, but the request is sent to the /app location, and is correctly passed-to and handled-by the WSGI application via the alias directive.

And so: Why might I find these entries in my error logs, in which the /app path is removed, and the resource path appended directly (and correctly denied) on the root?

Follow-Up

To respond to Graham's suggestions in the comments:

  1. There are no Apache rewrite rules defined.
  2. Apache is not set up with MultiViews.
  3. These are JSON resources; the errors are not the result of sub-requests from a loaded document.
  4. Issue persists without symlinks.

Update

A colleague tells me he has encountered the same issue on AWS EC2 instances.

Tancred answered 18/5, 2016 at 8:41 Comment(9)
What are the resources? Look in the access log to see the URLs that have 4xx errors. Browsers will automatically request things like favicon.ico etc., and depending on permissions that can fail. - Boony
@GrahamDumpleton The example GET request, and resulting record in the error log, are accurate templates (including the ellipsis). Substitute an arbitrary string for some_resource in the example GET request, and a corresponding line will appear in the error log. - Tancred
Are you saying that '...' literally appears in the URL? Sounds a bit like whatever page you are accessing is then fetching other resources but the URL for those isn't being constructed by your application properly. - Boony
@GrahamDumpleton No, I am saying that what follows the final / before the ellipsis in the example request does not affect the entry in the error_log. - Tancred
@GrahamDumpleton To clarify: my application is working correctly. In order for my application to work correctly, Apache/mod_wsgi must be correctly parsing incoming URLs, stripping the mount-path (sub-URL, aka "/app"), and passing the remainder (aka "/some_resource/...") to the WSGI application. In which case, why does the error_log contain this entry in which the "remainder" is simply appended to the DocumentRoot, with apparently no effect on the handling of the request? - Tancred
Do you have any Apache rewrite rules defined? Or is Apache set up to use MultiViewsMatch? If you use curl from the command line to access the URL, do you still see multiple requests and the failures? If you see them with curl then it is something strange about your Apache setup. If you don't see them from curl but do from browser, suggestive of sub requests from main resources. BTW, if by points to you mean a symlink, they can sometimes cause issues with Apache resource matching. Can you not use the symlink? - Boony
Let us continue this discussion in chat. - Tancred
What does the vhost config look like? - Sicilia
@user866762 I am leery of being more descriptive, as a matter of security. What would you be looking out for? - Tancred
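
Added example (not part of the original question or comments): a small Python check that splits the authz_core denials into those that mirror a 200 request under the /app mount, following the pattern in the question (first path segment after the mount appended to the DocumentRoot), and those with no matching request, which still need review. The log lines are constructed samples, and `shadow_path` and `classify` are hypothetical names.

```python
import re
from collections import Counter

MOUNT = "/app"             # WSGIScriptAlias mount point from the question
DOCROOT = "/var/www/html"  # default DocumentRoot from the question

# Constructed sample log lines (not taken from the original post).
ACCESS_LOG = """\
203.0.113.5 - - [18/May/2016:08:30:01 +0000] "GET /app/some_resource/1 HTTP/1.1" 200 512
203.0.113.5 - - [18/May/2016:08:30:02 +0000] "GET /app/other/2 HTTP/1.1" 200 128
198.51.100.7 - - [18/May/2016:08:30:03 +0000] "GET /secret.txt HTTP/1.1" 403 199
"""
ERROR_LOG = """\
[Wed May 18 08:30:01.100 2016] [authz_core:error] [pid 1] [client 203.0.113.5:5000] AH01630: client denied by server configuration: /var/www/html/some_resource
[Wed May 18 08:30:02.100 2016] [authz_core:error] [pid 1] [client 203.0.113.5:5001] AH01630: client denied by server configuration: /var/www/html/other
[Wed May 18 08:30:03.100 2016] [authz_core:error] [pid 1] [client 198.51.100.7:5002] AH01630: client denied by server configuration: /var/www/html/secret.txt
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
ERROR_RE = re.compile(r'\[authz_core:error\].*?\[client ([^\]\s]+?)(?::\d+)?\].*?'
                      r'client denied by server configuration: (\S+)')

def shadow_path(url_path):
    """Map /app/<seg>/... to DOCROOT/<seg>, the pattern reported in the question."""
    if not url_path.startswith(MOUNT + "/"):
        return None
    first = url_path[len(MOUNT) + 1:].split("?", 1)[0].split("/", 1)[0]
    return f"{DOCROOT}/{first}" if first else None

def classify(access_log, error_log):
    """Return (shadowed, unexplained) lists of (client_ip, denied_path)."""
    ok = Counter()  # 200 responses under the mount, keyed by (ip, expected path)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "200" and (p := shadow_path(m.group(2))):
            ok[(m.group(1), p)] += 1
    shadowed, unexplained = [], []
    for line in error_log.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if ok[key] > 0:   # consume one matching 200 per denial (1-to-1)
            ok[key] -= 1
            shadowed.append(key)
        else:             # no successful /app request accounts for this denial
            unexplained.append(key)
    return shadowed, unexplained
```

Entries in the second list are denials that no successful /app request accounts for, so they are not part of the 1-to-1 noise described in the question.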
