It seems that I need to have an authenticator of some sort tied into WSGI before it will expose the cert to the script, so I tried:
::: auth.wsgi :::
# from the manual
def check_password(environ: dict, user: str, password: str) -> bool:
    # mod_wsgi passes the request environ as the first argument; write the
    # attempt to the Apache error log via wsgi.errors and accept everyone.
    err = environ['wsgi.errors']
    print('user: "{0:s}"\npassword: "{1:s}"\n'.format(user, password), file=err)
    return True
And into my ssl.conf file, I’ve changed it to:
...
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess enrollment threads=5
WSGIScriptAlias /enrollment /var/www/scripts/enrollment.wsgi
<Directory enrollment>
WSGIProcessGroup enrollment
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
# added this next stanza
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /var/www/scripts/auth.wsgi
Require valid-user
SSLRequireSSL
SSLOptions +StrictRequire
SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
...
But I see no sign of my auth.wsgi script being run, and indeed there’s still no SSL_* stuff in request.environ other than SSL_TLS_SNI being present.
My ssl_error_log shows:
[Wed Jul 28 06:21:10.426835 2021] [ssl:info] [pid 28768] [client 174.27.8.12:56267] AH01964: Connection to child 1 established (server ...:443)
[Wed Jul 28 06:21:10.427084 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(2404): [client 174.27.8.12:56267] AH02044: No matching SSL virtual host for servername ... found (using default/first virtual host)
[Wed Jul 28 06:21:10.427121 2021] [core:debug] [pid 28768] protocol.c(2349): [client 174.27.8.12:56267] AH03155: select protocol from h2,h2c,http/1.1, choices=http/1.1 for server ...
[Wed Jul 28 06:21:10.427128 2021] [core:debug] [pid 28768] protocol.c(2394): [client 174.27.8.12:56267] AH03156: select protocol, proposals=http/1.1 preferences=h2,h2c,http/1.1 configured=h2,h2c,http/1.1
[Wed Jul 28 06:21:10.427131 2021] [core:debug] [pid 28768] protocol.c(2412): [client 174.27.8.12:56267] AH03157: selected protocol=http/1.1
[Wed Jul 28 06:21:10.516433 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(510): AH00831: socache_shmcb_store (0x76 -> subcache 22)
[Wed Jul 28 06:21:10.516487 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(864): AH00847: insert happened at idx=0, data=(0:32)
[Wed Jul 28 06:21:10.516490 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(869): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/206
[Wed Jul 28 06:21:10.516493 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(531): AH00834: leaving socache_shmcb_store successfully
[Wed Jul 28 06:21:10.516505 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(2257): [client 174.27.8.12:56267] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Wed Jul 28 06:21:10.594782 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(422): [client 174.27.8.12:56267] AH02034: Initial (No.1) HTTPS request received for child 1 (server ...:443)
[Wed Jul 28 06:21:10.594893 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of Require all granted: granted
[Wed Jul 28 06:21:10.594898 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of <RequireAny>: granted
[Wed Jul 28 06:21:10.594970 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of Require all granted: granted
[Wed Jul 28 06:21:10.594973 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of <RequireAny>: granted
[Wed Jul 28 06:21:10.595054 2021] [:info] [pid 28768] [client 174.27.8.12:56267] mod_wsgi (pid=28768, process='', application=''): Loading WSGI script '/var/www/scripts/enrollment.wsgi'.
It’s probably something insanely trivial, but I’ve been staring at this for a day and a half now and I can’t figure it out.
Any assistance is really appreciated.
Thanks,
-Philip
> To view this discussion on the web visit
https://groups.google.com/d/msgid/modwsgi/0443D3CE-F9D3-4776-BFC3-6D29615EE850%40gmail.com.
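As an added illustration (not Philip's code or mod_wsgi's), here is what an enrollment WSGI app can do once mod_ssl is actually exporting the client-certificate variables: it treats SSL_CLIENT_VERIFY as the authority, accepts only a verified certificate, and takes the identity from the subject DN rather than from a password. It assumes the Directory stanza above is in effect for the script (SSLVerifyClient require plus SSLOptions +StdEnvVars), so SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_S_DN_CN appear in environ; the sample environ at the bottom is constructed.

```python
import sys
from typing import Dict, Optional, Tuple

def parse_dn(dn: str) -> Dict[str, str]:
    """Split a mod_ssl subject DN into its components.

    Apache 2.4 exports RFC 2253 style ('CN=alice,O=Example,C=US'); with
    LegacyDNStringFormat it is '/C=US/O=Example/CN=alice'. Both are handled.
    """
    sep = '/' if dn.startswith('/') else ','
    parts: Dict[str, str] = {}
    for component in dn.split(sep):
        key, eq, value = component.partition('=')
        if eq:
            parts[key.strip()] = value.strip()
    return parts

def client_identity(environ: dict) -> Tuple[Optional[str], str]:
    """Return (common_name, reason); common_name is None when access is denied."""
    verify = environ.get('SSL_CLIENT_VERIFY')
    if verify is None:
        # Nothing was exported, so SSLOptions +StdEnvVars is not in effect for
        # this request; do not trust any other SSL_* value either.
        return None, 'SSL_CLIENT_VERIFY missing (SSLOptions +StdEnvVars not in effect)'
    if verify != 'SUCCESS':
        # Values here are NONE (no cert offered) or FAILED:<reason>.
        return None, 'client certificate not verified: ' + verify
    cn = environ.get('SSL_CLIENT_S_DN_CN') or parse_dn(environ.get('SSL_CLIENT_S_DN', '')).get('CN')
    if not cn:
        return None, 'verified certificate carries no CN'
    return cn, 'ok'

def application(environ, start_response):
    cn, reason = client_identity(environ)
    if cn is None:
        print('enrollment denied: ' + reason, file=environ.get('wsgi.errors', sys.stderr))
        start_response('403 Forbidden', [('Content-Type', 'text/plain')])
        return [b'client certificate required\n']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [('enrolled as ' + cn + '\n').encode()]

# Constructed environ for stand-alone runs; under mod_wsgi Apache supplies the real one.
SAMPLE_ENVIRON = {
    'wsgi.errors': sys.stderr,
    'SSL_CLIENT_VERIFY': 'SUCCESS',
    'SSL_CLIENT_S_DN': 'CN=alice,O=Example,C=US',
}

if __name__ == '__main__':
    print(application(SAMPLE_ENVIRON, lambda status, headers: None))
```

The first branch in client_identity is the symptom in the post: when the stanza does not apply to the request, no SSL_* variable other than SSL_TLS_SNI reaches environ, and the app should refuse rather than guess.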