WSGI/Django: pass username back to Apache for access log

My Django app, deployed in mod_wsgi under Apache using Django's standard WSGIHandler, authenticates users via form login on the Django side. So to Apach开发者_开发百科e, the user is anonymous. This makes the Apache access log less useful.

Is there a way to pass the username back through the WSGI wrapper to Apache after handling the request, so that it appears in the Apache access log?

(Versions: Django 1.1.1, mod_wsgi 2.5, Apache 2.2.9)

You can only do it if using embedded mode and only if you use a separate package called apswigpy, which provides a Python binding for original Apache request object. The mod_wsgi package provides an optional mechanism for allowing original Apache request object to be passed as Python CObject reference in WSGI environment. You use that in conjunction with apswigpy something like:

from apache.httpd import request_rec
r = request_rec(environ['apache.request_rec'])
r.user = user

At least I think that will setup the appropriate information which access logging can then use.

You should really take this discussion over to the mod_wsgi mailing list.

You could use mod_auth_tkt. An auth_tkt is a signed cookie with the user id that Apache can understand. Your web application would have to set the cookie when the user logs in and out. Apache can derive a REMOTE_USER from the cookie, pass it to your web app or a non-Django web application running on the same server, include it in logs, whatever.

This probably isn't what you're expecting, but you could use the username in your URL scheme. That way the user will be in the path section of your apache logs.

You'd need to modify your authentication so that auth-required responses are obvious in the apache logs, otherwise when viewing the logs you may attribute unauthenticated requests to authenticated users. E.g. return a temporary redirect to the login page if the request isn't authenticated.

Correct me if I'm wrong, but what's stopping you from creating some custom middleware that sets a cookie equal to the display name of the current user logged in. This middleware will run on every view, so even though technically the user could spoof his username to display whatever he wants it to display, it'll just be reset anyway and it's not like its a security risk because the username itself is just for log purposes, not at all related to the actual user logged in. This seems like a simple enough solution, and then Apache log can access cookies so that gives you easiest access. I know some people wouldn't like the idea of a given user spoofing his own username, but i think this is the most trivial solution that gets the job done. Especially, in my case, when it's an iPhone app and the user doesn't have any direct access to a javascript console or the cookies itself.

for latest (Django 2.x, Apache 2.4) Tested

source https://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration

you need to add WSGIPassAuthorization on in either server config, virtual host, directory or .htaccess