[GH-ISSUE #17] Add wsgi example #13

Closed
opened 2026-02-26 10:35:29 +03:00 by kerem · 5 comments

Originally created by @TacoScheltema on GitHub (Mar 30, 2016).
Original GitHub issue: https://github.com/PowerDNS-Admin/PowerDNS-Admin/issues/17

Just a small suggestion to add an example configuration for running PowerDNS-Admin in apache.

I managed to get it to work on a debian 8.3 machine as follows:

My PowerDNS-Admin files are located under /opt/powerdnsadmin and I've created a user called pdnsadmin and a group called pdnsadmin.

Change the owner of /opt/powerdnsadmin and everything within it:

```
sudo chown -R pdnsadmin:pdnsadmin /opt/powerdnsadmin
```

Install libapache2-mod-wsgi:

```
sudo apt-get install libapache2-mod-wsgi
```

Create /opt/powerdnsadmin/powerdnsadmin.wsgi with the following content:

```
#!flask/bin/python

import sys
# Make the application package importable from the install directory.
sys.path.insert(0, '/opt/powerdnsadmin')

# mod_wsgi looks for a callable named "application".
from app import app as application
from config import PORT
```

(I'm not sure if the line `from config import PORT` is needed in the wsgi file.)

Add the following to your apache virtualhost:

```
WSGIDaemonProcess pdnsadmin user=pdnsadmin group=pdnsadmin threads=5
WSGIScriptAlias / /opt/powerdnsadmin/powerdnsadmin.wsgi

<Directory /opt/powerdnsadmin>
    WSGIProcessGroup pdnsadmin
    WSGIApplicationGroup %{GLOBAL}
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
```

Restart apache.

This setup is working for me.

kerem closed this issue 2026-02-26 10:35:29 +03:00

@TacoScheltema commented on GitHub (Apr 10, 2016):

I ran into a small issue when changing the reverse proxy vhost to use https, the url scheme returned by the application is http and unfortunately my knowledge about python/flask isn't enough to get this to work.

I found several suggestions on how to solve this, one that looked the most promising can be found here: http://flask.pocoo.org/snippets/35/ but I don't know how to implement it. Would it be possible to add this as a feature request?


@ngoduykhanh commented on GitHub (Apr 10, 2016):

@TacoScheltema: Which software are you using as a reverse proxy? Is it nginx? If yes, make sure you set the proxy headers, for example:

```
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
```

And yes, it has some redirection from https to http (when login/logout). It seems that Flask's `url_for` uses the http scheme by default. Let me take a look to fix this.


@TacoScheltema commented on GitHub (Apr 10, 2016):

I use apache, I added: `RequestHeader add X-Forwarded-Ssl on` but I'll see if I can find the apache equivalent of the headers you suggest.

Thanks!


@ngoduykhanh commented on GitHub (Apr 10, 2016):

I've pushed commit df045cb2e5 to add ProxyFix() middleware component to fix the HTTPS redirection issue. I am using nginx as reverse proxy and it works fine for me with this proxy header set:

```
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```

I am not sure about Apache. Can you check out the new code and use `RequestHeader add X-Forwarded-Proto https` in the Apache SSL vhost?


@TacoScheltema commented on GitHub (Apr 11, 2016):

Just tried it and it works! Awesome work!

For anyone interested: my setup is as follows:

Server A:

```
debian 8.4
powerdns 3.4
powerdnsadmin df045cb commit installed in /opt/powerdnsadmin
Apache with:
  mod_headers (a2enmod headers)
  mod_wsgi (apt-get install libapache2-mod-wsgi)
```

Added a user called pdnsadmin, then `chown -R pdnsadmin:pdnsadmin /opt/powerdnsadmin`.
Added these lines to the apache vhost, in my case I'm using 000_default as there's no other vhosts on this server:

```
WSGIDaemonProcess pdnsadmin user=pdnsadmin group=pdnsadmin threads=5
WSGIScriptAlias / /opt/powerdnsadmin/powerdnsadmin.wsgi
<Directory /opt/powerdnsadmin>
    WSGIProcessGroup pdnsadmin
    WSGIApplicationGroup %{GLOBAL}
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
# add X-Forwarded-Proto header to return the correct url to the reverse proxy
RequestHeader set X-Forwarded-Proto "https"
```

Create the file /opt/powerdns/powerdnsadmin/powerdnsadmin.wsgi:

```
#!/opt/powerdns/flask/bin/python

import sys
sys.path.insert(0, '/opt/powerdnsadmin')

from app import app as application
```

Server B (reverse proxy server):

```
debian 8.4
Apache with:
  mod_proxy_http (a2enmod proxy_http)
```

Create a virtualhost for powerdns:
`vim /etc/apache2/sites-available/powerdns.conf`
and add the following:

```
<IfModule mod_ssl.c>
    <VirtualHost <ip address>:443>
        ServerAdmin webmaster@localhost
        ServerName powerdns.example.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/powerdns-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/powerdns-ssl-access.log combined
        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/powerdns.example.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/powerdns.example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/powerdns.example.com/chain.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        ProxyPreserveHost On

        ProxyPass / http://<server A address>/
        ProxyPassReverse / http://<server A address>/
    </VirtualHost>
</IfModule>
```
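
Added example, not part of the thread and not PowerDNS-Admin's or Werkzeug's code: a standard-library illustration of what a ProxyFix-style middleware does with `X-Forwarded-Proto`, applied only when the request comes from the reverse proxy, since the backend otherwise accepts the scheme from any client that can reach it. `TRUSTED_PROXIES`, `TrustedProxyScheme`, `login_app`, `redirect_location` and the 192.0.2.10 proxy address are assumptions made for the illustration.

```python
import ipaddress
from wsgiref.util import application_uri, setup_testing_defaults

# Constructed value: the address of the reverse proxy (Server B in the thread).
TRUSTED_PROXIES = (ipaddress.ip_network("192.0.2.10/32"),)


class TrustedProxyScheme:
    """Set wsgi.url_scheme from X-Forwarded-Proto, but only for known proxies."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        # Always strip the header so the app never sees an unvetted value.
        raw = environ.pop("HTTP_X_FORWARDED_PROTO", "")
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
            from_proxy = any(peer in net for net in self.trusted)
        except ValueError:
            from_proxy = False
        # Several hops may each write a value; the rightmost is the nearest hop's.
        proto = raw.split(",")[-1].strip().lower()
        if from_proxy and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def login_app(environ, start_response):
    """Hypothetical stand-in for the app's login redirect (absolute URL)."""
    location = application_uri(environ).rstrip("/") + "/login"
    start_response("302 Found", [("Location", location)])
    return [b""]


def redirect_location(remote_addr, forwarded_proto=None):
    """Send one constructed request through the middleware; return Location."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "powerdns.example.com"}
    setup_testing_defaults(environ)  # fills in wsgi.url_scheme = "http" etc.
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}
    TrustedProxyScheme(login_app)(environ, lambda s, h, e=None: captured.update(h))
    return captured["Location"]
```

A request that reaches the backend directly, rather than through the proxy, keeps the scheme the backend actually saw.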