setup server from scratch (with or without apache?)

[News123]

Hi,


So far I never really had to ask this question and this is also, why I
am stil a little shaky on this topic:

So far the typical LAMP server existed already and contained already a
lot of existing PHP web applications, which I couldn't remove.
Therefore I just used mod_python to implement some minor functionality
next to it.

Now I have the opportunity to setup a server from scratch.
90% of the content will be non visual content over https with client AND
server certificates.
Access privileges will depend on the client certificate.

I will only have one IP address and only port 443.

1.) What alternatives would exist compared to apache / mod_python

2.) What disadvantage would I have using apache and mod_python compared
to other solutions

3.) What's the stability / security aspect of other solutions,
especially concerning client / server certificates

4.) How could I prepare for the case, that customer might lateron
require PHP? (not very probably, but who knows.

5.) What about mod_wsgi vs. mod_python

Thanks a lot for suggestions / ideas.

 

[Kruptein]

I think that apache and mod_python are good enough, but I'm not an
expert.

but I think that the security aspect for a large part depends on how
secure your code is.

You can have a very secure server setting, but somewhere a bug in your
code that makes it insecure.

 

[Paul Rubin]

1.) What alternatives would exist compared to apache / mod_python

I think you could use stunnel to listen on port 443 and forward it to a
local port, where you'd have a python httpd, perhaps using the
SimpleHTTPServer module. Stunnel uses OpenSSL which handles client
certificates pretty well as far as I can tell. There are various Python
openssl bindings that I haven't used and I get they impression that at
least some of them are sloppy about certificates at either end.

I've never used stunnel but have been wanting to.

mod_python is pretty dead. Frankly I've always used apache whenever
I've used https for web pages. You could use mod_wsgi (I haven't tried
this yet) or again, set it up as a proxy forwarding to a local port for
a python httpd to listen to. Or for that matter, you use old-fashioned
cgi's. That's what I usually do if there's not a load issue.

 

[alex23]

mod_python is pretty dead.

It's now totally dead[1]. (Not pining for the fjords, either.)

1: http://blog.dscpl.com.au/2010/06/modpython-project-is-now-officially.html

 

[Stefan Behnel]

News123, 20.06.2010 13:12:

Now I have the opportunity to setup a server from scratch.
90% of the content will be non visual content over https with client AND
server certificates.
Access privileges will depend on the client certificate.

I will only have one IP address and only port 443.

1.) What alternatives would exist compared to apache / mod_python
> 5.) What about mod_wsgi vs. mod_python

As others have pointed out, mod_wsgi is preferable over mod_python. In any
case, you want your code to run on top of WSGI, as it makes it independent
of a specific web server environment (i.e. much more future proof).

I've read happy comments on nginx as an HTTP/S server for WSGI apps, both
for being easy to install and set up, and for being fast, versatile and
resource friendly. I'd try that before going for an Apache installation.

I'd also second the advice to start with a WSGI setup on top of CGI that's
simple to set up, redeploy and test, and then move on to more involved and
less agile deployments when you see that you need them.

Stefan

 

[Bruno Desthuilliers]

News123 a écrit :

Hi,


So far I never really had to ask this question and this is also, why I
am stil a little shaky on this topic:

So far the typical LAMP server existed already and contained already a
lot of existing PHP web applications, which I couldn't remove.
Therefore I just used mod_python to implement some minor functionality
next to it.

Now I have the opportunity to setup a server from scratch.
90% of the content will be non visual content over https with client AND
server certificates.
Access privileges will depend on the client certificate.

I will only have one IP address and only port 443.

1.) What alternatives would exist compared to apache / mod_python

wsgi + any wsgi-compatible web server.

2.) What disadvantage would I have using apache and mod_python compared
to other solutions

Err... I guess you already got the most important answer on this !-)

3.) What's the stability / security aspect of other solutions,
especially concerning client / server certificates

Can't tell, sorry.

4.) How could I prepare for the case, that customer might lateron
require PHP? (not very probably, but who knows.

Just make sure you can run PHP with the web server you choose.

 

[News123]

Hi,


So far I never really had to ask this question and this is also, why I
am stil a little shaky on this topic:

So far the typical LAMP server existed already and contained already a
lot of existing PHP web applications, which I couldn't remove.
Therefore I just used mod_python to implement some minor functionality
next to it.

Now I have the opportunity to setup a server from scratch.
90% of the content will be non visual content over https with client AND
server certificates.
Access privileges will depend on the client certificate.

Thanks a lot for all your answers.


So it seems it's rather smart to not stick with mod_python,
though it might be, that it's just restin' .


As a first test I tried to use
apache with mod_wsgi and a hello world python wsgi script.

This works fine.


Almost everything of my mod_python code should translate rather easily.

The one problem, that I have is following.

my mod_python code uses:
req.add_common_vars()
ssh_dn_o = req.ssl_var_lookup("SSL_CLIENT_S_DN_O")


How could I obtain apache's SSL variable 'SSL_CLIENT_S_DN_O'

I'd like, that my script reacts differently depending on the client's
SSL certificate.


If that problem is solved then I could probably get rid of mod_python.

 

[News123]

Hi Kruptein,

I think that apache and mod_python are good enough, but I'm not an
expert.

but I think that the security aspect for a large part depends on how
secure your code is.

You can have a very secure server setting, but somewhere a bug in your
code that makes it insecure.

Agreed. There's a lot of potential to make stupid things in one's own code.

In my case however I'd like to reject access to anybody not having a
client certificate.

Though users should be identified by their certificcates it would (in my
current case) not be a major disaster if one user would gain control
over another user's data.

The group of users is limited and all users are trusted during the live
time of their certificate.

Most important for me is, that my python script is only called when the
certificate is valid.