# Virtual host for HTTP connections. Note it is assumed that appropriate
# 'Listen' and 'NameVirtualHost' directives for port 80 have been set
# elsewhere in your Apache configuration.

<VirtualHost *:80>

  # The host name on which connections will be accepted.

  ServerName web2py.example.com

  # Define a daemon process group in context of 'web2py.example.com'. By
  # defining this inside of the virtual host, only this virtual host,
  # including any virtual host for same server name but on a different
  # port, can access this using WSGIProcessGroup. The 'user' and 'group'
  # options should be set to the user who has write access to the
  # directory where 'web2py' was setup. You do not need to set 'user' and
  # 'group' if you made the 'web2py' installation directory writable to
  # the user that Apache runs as by default. The 'display-name' option
  # is so that process name appears in 'ps' output as '(wsgi:web2py)'
  # instead of as name of Apache web server executable. As no 'processes'
  # or 'threads' options specified, the daemon process group will have a
  # single process with 15 threads running within that process. This is
  # usually more than adequate for most sites and should be left as is.
  # If overriding it, do not use 'processes=1' as doing so will disable
  # any in browser WSGI debugging tools that check the 'wsgi.multiprocess'
  # flag. This is because any use of the 'processes' option will cause
  # that flag to be set to true, even if a single process and such tools
  # expect that it be set to false. Note that if your own application code
  # or some third party extension module you are using with Python is not
  # thread safe, instead use options 'processes=5 threads=1'. This will
  # create five processes in the daemon process group where each process
  # is single threaded. You might consider using 'maximum-requests=1000'
  # if your application leaks Python objects through inability for them
  # to be garbage collected properly.

  WSGIDaemonProcess web2py user=www-data group=www-data display-name=%{GROUP}

  # Delegate running of all WSGI applications to the daemon process group
  # that was configured using the WSGIDaemonProcess directive.

  WSGIProcessGroup web2py

  # Mount the web2py application. In this case it is mounted at the root
  # of the web site. Not known how to get web2py to mount at a sub URL as
  # doesn't appear to be a good WSGI citizen and work out where it is
  # mounted from value of SCRIPT_NAME and then automatically adjust
  # everything appropriately without further manual user configuration.

  WSGIScriptAlias / /users/www-data/web2py/wsgihandler.py

  # Need to allow Apache permission to access the WSGI script file.
  # Normally would just allow permission to the whole directory the WSGI
  # script file is located in, but can't do that with web2py, as it places
  # the WSGI script file in a directory which contains other source code,
  # including the file containing the admin interface password. Opening up
  # the whole directory would cause security issues, because technically
  # Apache would be given permission to serve all the files up to a user
  # if there was any way of traversing to that directory via a mapped URL.
  # To avoid security problems, explicitly deny access to the contents of
  # the directory, except for the WSGI script file and prohibit a user
  # from doing any overrides from a .htaccess file to be extra safe.

  <Directory /users/www-data/web2py>
    AllowOverride None
    Order Allow,Deny
    Deny from all
    <Files wsgihandler.py>
      Allow from all
    </Files>
  </Directory>

  # Mount any directories within applications containing static files. We
  # are only mounting the directories called 'static' and not the whole
  # applications directory or even the intermediate subdirectories, as the
  # applications directory also contains source code and we do not want to
  # inadvertently give access to the code to a remote user. Note that if
  # you don't have this mapping for static files, the web2py application
  # will still serve up the files, but it will be quite a bit slower.

  AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2

  # Allow Apache permission to serve the files from just the 'static'
  # directories of applications.

  <Directory /users/www-data/web2py/applications/*/static>
    Order Allow,Deny
    Allow from all
  </Directory>

  # The web2py admin application shouldn't be used via HTTP. If accessed via
  # HTTP it gives an obscure error about being unable to access password when
  # not setup. Better to just deny access to the URL. Don't need to use the
  # SSLRequireSSL directive as this rule only applies for HTTP port anyway.
  # Don't need to protect the static directory for admin application as this
  # will block access to that as well.

  <Location /admin>
    Deny from all
  </Location>

  # Access to any application specific admin interface should also be blocked
  # via HTTP.

  <LocationMatch ^/([^/]+)/appadmin>
    Deny from all
  </LocationMatch>

  # Setup separate access and error logs for this host and if desired
  # increase logging level to 'info' so get additional information dumped
  # out to error log about what mod_wsgi is doing.

  CustomLog /private/var/log/apache2/web2py.example.com-access_log common
  ErrorLog /private/var/log/apache2/web2py.example.com-error_log

  #LogLevel info

</VirtualHost>

# Virtual host for HTTPS connections. Note it is assumed that appropriate
# 'Listen' and 'NameVirtualHost' directives for port 443 have been set
# elsewhere in your Apache configuration. If you are only interested in
# HTTP access then following virtual host definition can be deleted.

<VirtualHost *:443>

  # The host name on which connections will be accepted. Same as that for
  # port 80 virtual host definition for same site.

  ServerName web2py.example.com

  # Enable SSL and supply location of SSL certificate files.

  SSLEngine on
  SSLCertificateFile /etc/apache2/vhosts/web2py-server.crt
  SSLCertificateKeyFile /etc/apache2/vhosts/web2py-server.key

  # There is no need to define a daemon process group again, as we can point
  # at existing daemon process group specified in virtual host for port 80
  # and same server name. Still must delegate running of all WSGI applications
  # to that daemon process group however.

  WSGIProcessGroup web2py

  # The mounting of the WSGI application and static directories, and giving
  # permission to Apache to serve files from these locations is the same
  # as for port 80 variant of the virtual host.

  WSGIScriptAlias / /users/www-data/web2py/wsgihandler.py

  <Directory /users/www-data/web2py>
    AllowOverride None
    Order Allow,Deny
    Deny from all
    <Files wsgihandler.py>
      Allow from all
    </Files>
  </Directory>

  AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2

  <Directory /users/www-data/web2py/applications/*/static>
    Order Allow,Deny
    Allow from all
  </Directory>

  # Setup separate access and error logs for this host and if desired
  # increase logging level to 'info' so get additional information dumped
  # out to error log about what mod_wsgi is doing.

  CustomLog /private/var/log/apache2/web2py.example.com-access_log common
  ErrorLog /private/var/log/apache2/web2py.example.com-error_log

  #LogLevel info

</VirtualHost>
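
The static-file rules in the configuration above can be checked offline with a small model. This is an added example, not part of the original configuration and not Apache's code: it copies the `AliasMatch` pattern and target from above and shows which request paths Apache would serve from disk, which fall through to web2py, and which no `Allow` rule covers. The application name `welcome`, the sample paths and the `normalise` switch are assumptions made for illustration; the `/admin` and `appadmin` rules are not modelled.

```python
import posixpath
import re

# Copied from the configuration above.
ALIAS_RE = re.compile(r"^/([^/]+)/static/(.*)")
ALIAS_TARGET = r"/users/www-data/web2py/applications/\1/static/\2"
APPS_DIR = "/users/www-data/web2py/applications/"


def in_static_dir(fs_path):
    """True if fs_path is inside applications/<one segment>/static."""
    if not fs_path.startswith(APPS_DIR):
        return False
    parts = fs_path[len(APPS_DIR):].split("/")
    return len(parts) >= 2 and parts[0] != "" and parts[1] == "static"


def resolve(url_path, normalise=True):
    """Return (handler, file path or None) for a request path.

    Simplified model: posixpath.normpath stands in for the collapsing of
    dot segments that happens before aliases are matched (an assumption
    of this sketch). normalise=False shows what the directory access
    rules alone would decide.
    """
    path = posixpath.normpath(url_path) if normalise else url_path
    match = ALIAS_RE.match(path)
    if match is None:
        return ("wsgi", None)  # handled by WSGIScriptAlias /
    target = posixpath.normpath(match.expand(ALIAS_TARGET))
    if in_static_dir(target):
        return ("static", target)  # 'Allow from all' on */static
    return ("denied", target)  # no Allow rule in this config covers it


# Constructed request paths ('welcome' is a sample application name).
SAMPLES = [
    "/welcome/static/css/base.css",
    "/welcome/models/db.py",
    "/welcome/static/../models/db.py",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", resolve(sample))
    print("/../static/x.txt ->", resolve("/../static/x.txt", normalise=False))
```
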