Allow squid/mod_wsgi to pass the HTTP_AUTHORIZATION header to Apache

July 16, 2009 - Remco - django - apache - authorization - django-piston - modwsgi - squid - webservice - Software

So we had some issues using django-piston (a webservice framework for Django) in combination with HTTP Basic authorization. By default both Squid and mod_wsgi will not forward the HTTP_AUTHORIZATION headers to the next layer. So if you have a wsgi application that does its own authorization you need to do the following:

In your squid.conf you need to add the login=PASS to the cache_peer entries that add apache as cache_peer to Squid. We tend to bind apache on the localhost interface and have Squid take care of port 80 on the public interface:

cache_peer parent 80 0 no-query originserver login=PASS

see: Squid FAQ

Then for mod_wsgi you need to do the same by adding the WSGIPassAuthorization On setting to your vhost file

WSGIDaemonProcess mysite processes=10 threads=15 maximum-requests=10000 user=mysite group=sites
WSGIRestrictStdout Off

<VirtualHost *:80>

    ServerSignature Off

    LogLevel warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    WSGIProcessGroup mysite
    WSGIPassAuthorization On

    <Directory /srv/sites/mysite/>
            Order Deny,Allow
            Allow from all

    WSGIScriptAlias / /srv/sites/mysite/django.wsgi


see: mod_wsgi configuration directives

Latest Tweets