mod_wsgi-express SSL implementation error


peter hoth

Sep 17, 2016, 9:44:40 AM
to modwsgi
Hi,

I managed to get my web app running with the following command:

mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi --startup-log --access-log --port=80 --server-root=/usr/local/mycloud

Next, I managed to generate my SSL cert and performed the following:

mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi --startup-log --access-log \
--port=443 --server-root=/usr/local/mycloud \
--https-port 443 --https-only --server-name localhost --ssl-certificate /usr/local/mycloud/sslcerts/domain

The error_log shows that my app is actually running when Apache is started (i.e. apachectl start).
No errors in startup_log and access_log.

However, when I pointed my browser to https://localhost it shows the following error:

Forbidden
You don't have permission to access / on this server.

The error_log has the following line:

[Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/

I did not use htdocs when I ran the web app without SSL and it was working fine. Do I need to add additional parameters to the mod_wsgi-express command for SSL?

The generated certs are confirmed working.

=== My environment:
CentOS 6.8
port 443 is enabled in firewall
default apache service that comes with OS is disabled

python 2.7.12
virtualenv 15.0.3
pip freeze modules:
:
mod-wsgi-httpd=2.4.12.6
mod-wsgi==4.5.7
:

===

Regards,
Pete

Graham Dumpleton

Sep 17, 2016, 4:42:11 PM
to mod...@googlegroups.com
In general a HTTPS site should have a proper fully qualified domain name which matches what is in the certificate. You wouldn’t use ‘localhost’ for the server name.

For a start, try adding the option:

    --allow-localhost

Depending on the platform this still may not work though as I recollect that localhost and host access controls can work strangely on Apache with some operating systems.

A better way of doing it is to change ‘--server-name localhost’ to:

    --server-name 127.0.0.1.xip.io

Then access the site as:


This gets around the way that Apache or the operating system can treat localhost in a special way.

This requires external DNS access and some Intranets can even block xip.io.

In that case add an explicit entry into your /etc/hosts file for some fully qualified name, such as:

    127.0.0.1 www.example.com

and use:

    --server-name www.example.com

Graham


peter hoth

Sep 18, 2016, 1:03:12 AM
to modwsgi
I did add the option --allow-localhost and I still get the 403 Forbidden response from the server.

mod_wsgi-express setup-server --user admin --group admin webapp.wsgi --startup-log --access-log \
--port=80 --server-root=/usr/local/webapp \
--https-port 443 --https-only --allow-localhost --server-name localhost --ssl-certificate /usr/local/webapp/sslcerts/domain

I manually created a httpd.conf by plucking some lines from the generated httpd.conf, and I managed to get https://localhost to work.


LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so

LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
:
LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so

Listen                  443
SSLSessionCache        "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

User ${MOD_WSGI_USER}
Group ${MOD_WSGI_GROUP}

ServerName localhost
ServerRoot '${MOD_WSGI_SERVER_ROOT}'
PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'

ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common

<Directory />
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName 127.0.0.1

    WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
    Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"

    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName 127.0.0.1

    WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
    Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"

    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    ## SSL
    SSLEngine On
    SSLCertificateFile    "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
    SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"
</VirtualHost>

So I guess it's probably some commands in the mod_wsgi-created httpd.conf that are causing the "Forbidden" error. I will try to add more lines to see what is causing the problem. One thing I noticed from the mod_wsgi-created httpd.conf is that there is the following block:

:
<IfDefine !ONE_PROCESS>
WSGIRestrictEmbedded On
WSGISocketPrefix /usr/local/webapp/wsgi
<IfDefine MOD_WSGI_MULTIPROCESS>
:
</IfDefine>
<IfDefine !MOD_WSGI_MULTIPROCESS>
WSGIDaemonProcess localhost:80 \
   display-name='(wsgi:localhost:80:0)' \
   home='/usr/local/webapp' \
   threads=5 \
   maximum-requests=0 \
   python-path='' \
   python-eggs='/usr/local/webapp/python-eggs' \
   lang='en_US.UTF-8' \
   locale='en_US.UTF-8' \
   listen-backlog=100 \
   queue-timeout=45 \
   socket-timeout=60 \
   connect-timeout=15 \
   request-timeout=60 \
   inactivity-timeout=0 \
   startup-timeout=15 \
   deadlock-timeout=60 \
   graceful-timeout=15 \
   eviction-timeout=0 \
   shutdown-timeout=5 \
   send-buffer-size=0 \
   receive-buffer-size=0 \
   response-buffer-size=0 \
   server-metrics=Off
</IfDefine>
</IfDefine>
:

I am not sure how the DaemonProcess works in SSL, but is it correct for the DaemonProcess to listen on localhost:80 even though I specify --https-only?

Regards,
Pete
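As an added example (not code from this thread or from mod_wsgi-express), the following Python script parses the AH01630 line from the first post and evaluates the denied path against <Directory> sections modelled on the hand-written httpd.conf above. Apache 2.4 merges <Directory> sections from shortest to longest path, so without AuthMerging the Require of the longest matching prefix decides; a path outside the granted directory, such as the default htdocs, falls back to `<Directory />` and its `Require all denied`, which is the 403 seen in the log. The section paths and the log line are constructed from what is quoted in the thread.

```python
import re

# Constructed sample: the error_log line quoted in the first post of this thread.
SAMPLE_ERROR_LOG = (
    "[Sat Sep 17 21:34:46.119671 2016] [authz_core:error] "
    "[pid 6953:tid 139664394032896] [client 127.0.0.1:40492] "
    "AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/"
)

# Constructed model of the <Directory> sections in the hand-written httpd.conf above.
# Apache 2.4 merges <Directory> sections from shortest to longest path, so without
# AuthMerging the Require of the longest matching prefix decides access.
DIRECTORY_SECTIONS = {
    "/": "Require all denied",
    "/usr/local/webapp": "Require all granted",
}

AH01630_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH01630: client denied by server configuration: "
    r"(?P<path>\S+)"
)

def parse_denied(line):
    """Return (client, path) from an AH01630 authz_core line, or None if it is not one."""
    m = AH01630_RE.search(line)
    return (m.group("client"), m.group("path")) if m else None

def effective_require(path, sections=DIRECTORY_SECTIONS):
    """Return (directory, require) of the longest <Directory> prefix containing path."""
    p = path.rstrip("/") or "/"
    best = None
    for directory, require in sections.items():
        d = directory.rstrip("/") or "/"
        if p == d or d == "/" or p.startswith(d + "/"):
            if best is None or len(d) > len(best[0]):
                best = (d, require)
    return best

def explain(line, sections=DIRECTORY_SECTIONS):
    """Map a denied path from the log to the <Directory> section that produced the 403."""
    parsed = parse_denied(line)
    if parsed is None:
        return None
    client, path = parsed
    directory, require = effective_require(path, sections)
    return {"client": client, "path": path, "directory": directory, "require": require}

if __name__ == "__main__":
    print(explain(SAMPLE_ERROR_LOG))
```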

Graham Dumpleton

Sep 18, 2016, 1:07:46 AM
to mod...@googlegroups.com
If you read through the email, I said that --allow-localhost likely wouldn’t work because of how Apache can interpret localhost and override what you want.

That is why I said you needed to use a proper host name with --server-name and not use ‘localhost’. Did you try that?

Repeating what I said:

A better way of doing it is to change ‘--server-name localhost’ to:

    --server-name 127.0.0.1.xip.io
Then access the site as:

    https://127.0.0.1.xip.io

Also read the other comments I made in the original email.

Graham

peter hoth

Sep 18, 2016, 1:58:52 AM
to modwsgi
It works!

I modified /etc/hosts as you suggested.

Thanks, Graham, for your fast reply and help!