403 Forbidden using mod_wsgi-express with https on apache2


Joel

Sep 8, 2018, 11:26:48 AM
to modwsgi
I am using the following command to start mod_wsgi-express for my django project:

mod_wsgi-express start-server --log-to-terminal --startup-log --https-port 443 --server-name mysite.com --ssl-certificate-file ssl-certs/cert.pem --ssl-certificate-key-file ssl-certs/privkey.pem --user www-data --group www-data --host mysite.com

When loading https://mysite.com/, I get a 403 Forbidden error: You don't have permission to access / on this server.

The terminal shows the following lines:
root@localhost:/home/joel/new/myappointments# mod_wsgi-express start-server --log-to-terminal --startup-log --https-port 443 --server-name mysite.com --ssl-certificate-file ssl-certs/cert.pem --ssl-certificate-key-file ssl-certs/privkey.pem --user www-data --group www-data --host mysite.com
Server URL         : http://mysite.com:8000/
Server URL (HTTPS) : https://mysite.com/
Server Root        : /tmp/mod_wsgi-mysite.com:8000:0
Server Conf        : /tmp/mod_wsgi-mysite.com:8000:0/httpd.conf
Error Log File     : /dev/stderr (warn)
Startup Log File   : /dev/stderr
Request Capacity   : 5 (1 process * 5 threads)
Request Timeout    : 60 (seconds)
Startup Timeout    : 15 (seconds)
Queue Backlog      : 100 (connections)
Queue Timeout      : 45 (seconds)
Server Capacity    : 20 (event/worker), 20 (prefork)
Server Backlog     : 500 (connections)
Locale Setting     : en_US.UTF-8
[Sat Sep 08 20:51:37.800732 2018] [ssl:warn] [pid 5130:tid 140248589061056] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Sep 08 20:51:37.803786 2018] [mpm_event:notice] [pid 5130:tid 140248589061056] AH00489: Apache/2.4.29 (Ubuntu) mod_wsgi/4.6.4 Python/3.6 OpenSSL/1.1.0g configured -- resuming normal operations
[Sat Sep 08 20:51:37.804264 2018] [core:notice] [pid 5130:tid 140248589061056] AH00094: Command line: 'apache2 (mod_wsgi-express) -f /tmp/mod_wsgi-mysite.com:8000:0/httpd.conf -E /dev/stderr -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_WITH_LISTENER_HOST -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE -D FOREGROUND'
[Sat Sep 08 20:51:44.573958 2018] [authz_core:error] [pid 5133:tid 140248492054272] [client 62.58.165.208:33302] AH01630: client denied by server configuration: /tmp/mod_wsgi-mysite.com:8000:0/htdocs/
[Sat Sep 08 20:51:45.084675 2018] [authz_core:error] [pid 5133:tid 140248491788032] [client 72.68.14.235:62556] AH01630: client denied by server configuration: /tmp/mod_wsgi-mysite.com:8000:0/htdocs/favicon.ico, referer: https://mysite.com/


The generated conf /tmp/mod_wsgi-mysite.com:8000:0/httpd.conf shows:

<IfModule !version_module>
LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
</IfModule>


ServerName mysite.com
ServerRoot '/tmp/mod_wsgi-mysite.com:8000:0'
PidFile '/tmp/mod_wsgi-mysite.com:8000:0/httpd.pid'


<IfVersion >= 2.4>
DefaultRuntimeDir '/tmp/mod_wsgi-mysite.com:8000:0'
</IfVersion>


ServerTokens ProductOnly
ServerSignature Off


User ${MOD_WSGI_USER}
Group ${MOD_WSGI_GROUP}


<IfDefine MOD_WSGI_WITH_LISTENER_HOST>
Listen mysite.com:8000
</IfDefine>
<IfDefine !MOD_WSGI_WITH_LISTENER_HOST>
Listen 8000
</IfDefine>


<IfVersion < 2.4>
LockFile '/tmp/mod_wsgi-mysite.com:8000:0/accept.lock'
</IfVersion>


<IfVersion >= 2.4>
<IfDefine MOD_WSGI_WITH_PHP5>
<IfModule !mpm_event_module>
<IfModule !mpm_worker_module>
<IfModule !mpm_prefork_module>
<IfDefine MOD_WSGI_MPM_EXISTS_PREFORK_MODULE>
LoadModule mpm_prefork_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_prefork.so'
</IfDefine>
</IfModule>
</IfModule>
</IfModule>
</IfDefine>
</IfVersion>


<IfVersion >= 2.4>
<IfModule !mpm_event_module>
<IfModule !mpm_worker_module>
<IfModule !mpm_prefork_module>
<IfDefine MOD_WSGI_MPM_ENABLE_EVENT_MODULE>
LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
</IfDefine>
<IfDefine MOD_WSGI_MPM_ENABLE_WORKER_MODULE>
LoadModule mpm_worker_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_worker.so'
</IfDefine>
<IfDefine MOD_WSGI_MPM_ENABLE_PREFORK_MODULE>
LoadModule mpm_prefork_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_prefork.so'
</IfDefine>
</IfModule>
</IfModule>
</IfModule>
</IfVersion>


<IfDefine MOD_WSGI_WITH_HTTP2>
LoadModule http2_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_http2.so'
</IfDefine>


<IfVersion >= 2.4>
<IfModule !access_compat_module>
LoadModule access_compat_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_access_compat.so'
</IfModule>
<IfModule !unixd_module>
LoadModule unixd_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_unixd.so'
</IfModule>
<IfModule !authn_core_module>
LoadModule authn_core_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_authn_core.so'
</IfModule>
<IfModule !authz_core_module>
LoadModule authz_core_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_authz_core.so'
</IfModule>
</IfVersion>


<IfModule !authz_host_module>
LoadModule authz_host_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_authz_host.so'
</IfModule>
<IfModule !mime_module>
LoadModule mime_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mime.so'
</IfModule>
<IfModule !rewrite_module>
LoadModule rewrite_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_rewrite.so'
</IfModule>
<IfModule !alias_module>
LoadModule alias_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_alias.so'
</IfModule>
<IfModule !dir_module>
LoadModule dir_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_dir.so'
</IfModule>
<IfModule !env_module>
LoadModule env_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_env.so'
</IfModule>
<IfModule !headers_module>
LoadModule headers_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_headers.so'
</IfModule>
<IfModule !filter_module>
LoadModule filter_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_filter.so'
</IfModule>


<IfDefine MOD_WSGI_DIRECTORY_LISTING>
<IfModule !autoindex_module>
LoadModule autoindex_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_autoindex.so'
</IfModule>
</IfDefine>


<IfVersion >= 2.2.15>
<IfModule !reqtimeout_module>
LoadModule reqtimeout_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_reqtimeout.so'
</IfModule>
</IfVersion>


<IfDefine MOD_WSGI_COMPRESS_RESPONSES>
<IfModule !deflate_module>
LoadModule deflate_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_deflate.so'
</IfModule>
</IfDefine>


<IfDefine MOD_WSGI_AUTH_USER>
<IfModule !auth_basic_module>
LoadModule auth_basic_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_auth_basic.so'
</IfModule>
<IfModule !auth_digest_module>
LoadModule auth_digest_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_auth_digest.so'
</IfModule>
<IfModule !authz_user_module>
LoadModule authz_user_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_authz_user.so'
</IfModule>
</IfDefine>


<IfDefine MOD_WSGI_WITH_PROXY>
<IfModule !proxy_module>
LoadModule proxy_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_proxy.so
</IfModule>
<IfModule !proxy_http_module>
LoadModule proxy_http_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_proxy_http.so
</IfModule>
</IfDefine>


<IfModule mpm_prefork_module>
<IfDefine MOD_WSGI_WITH_PHP5>
<IfModule !php5_module>
Loadmodule php5_module '${MOD_WSGI_MODULES_DIRECTORY}/libphp5.so'
</IfModule>
AddHandler application/x-httpd-php .php
</IfDefine>
</IfModule>


<IfDefine MOD_WSGI_LOAD_PYTHON_DYLIB>
LoadFile ''
</IfDefine>


LoadModule wsgi_module '/usr/local/lib/python3.6/dist-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-x86_64-linux-gnu.so'


<IfDefine MOD_WSGI_SERVER_METRICS>
<IfModule !status_module>
LoadModule status_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_status.so'
</IfModule>
</IfDefine>


<IfDefine MOD_WSGI_CGID_SCRIPT>
<IfModule !cgid_module>
LoadModule cgid_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_cgid.so'
</IfModule>
</IfDefine>


<IfDefine MOD_WSGI_CGI_SCRIPT>
<IfModule !cgi_module>
LoadModule cgi_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_cgi.so'
</IfModule>
</IfDefine>


<IfVersion < 2.4>
DefaultType text/plain
</IfVersion>


TypesConfig '/etc/mime.types'


HostnameLookups Off
MaxMemFree 64
Timeout 60
ListenBacklog 500


<IfDefine MOD_WSGI_WITH_HTTP2>
Protocols h2 h2c http/1.1
</IfDefine>


<IfVersion >= 2.2.15>
RequestReadTimeout header=15-30,MinRate=500 body=15,MinRate=500
</IfVersion>


LimitRequestBody 10485760


<Directory />
    AllowOverride None
<IfVersion < 2.4>
    Order deny,allow
    Deny from all
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
</IfVersion>
</Directory>


WSGIPythonHome '/usr'


WSGIVerboseDebugging 'Off'


<IfDefine MOD_WSGI_WITH_SOCKET_PREFIX>
WSGISocketPrefix None/wsgi
</IfDefine>
<IfDefine !MOD_WSGI_WITH_SOCKET_PREFIX>
WSGISocketPrefix /tmp/mod_wsgi-mysite.com:8000:0/wsgi
</IfDefine>


WSGISocketRotation Off


<IfDefine !ONE_PROCESS>
WSGIRestrictEmbedded On
<IfDefine MOD_WSGI_MULTIPROCESS>
WSGIDaemonProcess mysite.com:8000 \
   display-name='(wsgi:mysite.com:8000:0)' \
   home='/home/joel/new/myappointments' \
   processes=1 \
   threads=5 \
   maximum-requests=0 \
   python-path='' \
   python-eggs='/tmp/mod_wsgi-mysite.com:8000:0/python-eggs' \
   lang='en_US.UTF-8' \
   locale='en_US.UTF-8' \
   listen-backlog=100 \
   queue-timeout=45 \
   socket-timeout=60 \
   connect-timeout=15 \
   request-timeout=60 \
   inactivity-timeout=0 \
   startup-timeout=15 \
   deadlock-timeout=60 \
   graceful-timeout=15 \
   eviction-timeout=0 \
   restart-interval=0 \
   cpu-time-limit=0 \
   shutdown-timeout=5 \
   send-buffer-size=0 \
   receive-buffer-size=0 \
   header-buffer-size=0 \
   response-buffer-size=0 \
   response-socket-timeout=0 \
   server-metrics=Off
</IfDefine>
<IfDefine !MOD_WSGI_MULTIPROCESS>
WSGIDaemonProcess mysite.com:8000 \
   display-name='(wsgi:mysite.com:8000:0)' \
   home='/home/joel/new/myappointments' \
   threads=5 \
   maximum-requests=0 \
   python-path='' \
   python-eggs='/tmp/mod_wsgi-mysite.com:8000:0/python-eggs' \
   lang='en_US.UTF-8' \
   locale='en_US.UTF-8' \
   listen-backlog=100 \
   queue-timeout=45 \
   socket-timeout=60 \
   connect-timeout=15 \
   request-timeout=60 \
   inactivity-timeout=0 \
   startup-timeout=15 \
   deadlock-timeout=60 \
   graceful-timeout=15 \
   eviction-timeout=0 \
   restart-interval=0 \
   cpu-time-limit=0 \
   shutdown-timeout=5 \
   send-buffer-size=0 \
   receive-buffer-size=0 \
   response-buffer-size=0 \
   response-socket-timeout=0 \
   server-metrics=Off
</IfDefine>
</IfDefine>


WSGICallableObject 'application'
WSGIPassAuthorization On
WSGIMapHEADToGET Auto


<IfDefine ONE_PROCESS>
WSGIRestrictStdin Off
<IfDefine MOD_WSGI_WITH_PYTHON_PATH>
WSGIPythonPath ''
</IfDefine>
</IfDefine>


<IfDefine MOD_WSGI_SERVER_METRICS>
ExtendedStatus On
</IfDefine>


WSGIServerMetrics Off


<IfDefine MOD_WSGI_SERVER_STATUS>
<Location /server-status>
    SetHandler server-status
<IfVersion < 2.4>
    Order deny,allow
    Deny from all
    Allow from localhost
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
    Require host localhost
</IfVersion>
</Location>
</IfDefine>


<IfDefine MOD_WSGI_KEEP_ALIVE>
KeepAlive On
KeepAliveTimeout 0
</IfDefine>
<IfDefine !MOD_WSGI_KEEP_ALIVE>
KeepAlive Off
</IfDefine>


<IfDefine MOD_WSGI_COMPRESS_RESPONSES>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/json
</IfDefine>


<IfDefine MOD_WSGI_ROTATE_LOGS>
ErrorLog "|/usr/bin/rotatelogs \
    /dev/stderr.%Y-%m-%d-%H_%M_%S 5M"
</IfDefine>
<IfDefine !MOD_WSGI_ROTATE_LOGS>
ErrorLog "/dev/stderr"
</IfDefine>
LogLevel warn


<IfDefine MOD_WSGI_ERROR_LOG_FORMAT>
ErrorLogFormat "None"
</IfDefine>


<IfDefine MOD_WSGI_ACCESS_LOG>
<IfModule !log_config_module>
LoadModule log_config_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_log_config.so
</IfModule>
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
LogFormat "undefined" custom
<IfDefine MOD_WSGI_ROTATE_LOGS>
CustomLog "|/usr/bin/rotatelogs \
    /dev/stdout.%Y-%m-%d-%H_%M_%S 5M" common
</IfDefine>
<IfDefine !MOD_WSGI_ROTATE_LOGS>
CustomLog "/dev/stdout" common
</IfDefine>
</IfDefine>


<IfDefine MOD_WSGI_CHUNKED_REQUEST>
WSGIChunkedRequest On
</IfDefine>


<IfDefine MOD_WSGI_WITH_PROXY_HEADERS>
WSGITrustedProxyHeaders
</IfDefine>
<IfDefine MOD_WSGI_WITH_TRUSTED_PROXIES>
WSGITrustedProxies
</IfDefine>


<IfDefine MOD_WSGI_WITH_HTTPS>
<IfModule !ssl_module>
LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so
</IfModule>
</IfDefine>


<IfModule mpm_prefork_module>
<IfDefine !ONE_PROCESS>
ServerLimit 20
StartServers 1
MaxClients 20
MinSpareServers 1
MaxSpareServers 2
</IfDefine>
<IfDefine ONE_PROCESS>
ServerLimit 1
StartServers 1
MaxClients 1
MinSpareServers 1
MaxSpareServers 1
</IfDefine>
MaxRequestsPerChild 0
</IfModule>


<IfModule mpm_worker_module>
<IfDefine !ONE_PROCESS>
ServerLimit 2
ThreadLimit 10
StartServers 1
MaxClients 20
MinSpareThreads 10
MaxSpareThreads 10
ThreadsPerChild 10
</IfDefine>
<IfDefine ONE_PROCESS>
ServerLimit 1
ThreadLimit 1
StartServers 1
MaxClients 1
MinSpareThreads 1
MaxSpareThreads 1
ThreadsPerChild 1
</IfDefine>
MaxRequestsPerChild 0
ThreadStackSize 262144
</IfModule>


<IfModule mpm_event_module>
<IfDefine !ONE_PROCESS>
ServerLimit 2
ThreadLimit 10
StartServers 1
MaxClients 20
MinSpareThreads 10
MaxSpareThreads 10
ThreadsPerChild 10
</IfDefine>
<IfDefine ONE_PROCESS>
ServerLimit 1
ThreadLimit 1
StartServers 1
MaxClients 1
MinSpareThreads 1
MaxSpareThreads 1
ThreadsPerChild 1
</IfDefine>
MaxRequestsPerChild 0
ThreadStackSize 262144
</IfModule>


<IfDefine !MOD_WSGI_VIRTUAL_HOST>
<IfVersion < 2.4>
NameVirtualHost *:8000
</IfVersion>
<VirtualHost _default_:8000>
</VirtualHost>
</IfDefine>


<IfDefine MOD_WSGI_VIRTUAL_HOST>


<IfVersion < 2.4>
NameVirtualHost *:8000
</IfVersion>
<VirtualHost _default_:8000>
<Location />
<IfVersion < 2.4>
Order deny,allow
Deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
<IfDefine MOD_WSGI_ALLOW_LOCALHOST>
Allow from localhost
</IfDefine>
</Location>
</VirtualHost>
<IfDefine !MOD_WSGI_HTTPS_ONLY>
<VirtualHost *:8000>
ServerName mysite.com
<IfDefine MOD_WSGI_SERVER_ALIAS>
ServerAlias None
</IfDefine>
</VirtualHost>
<IfDefine MOD_WSGI_REDIRECT_WWW>
<VirtualHost *:8000>
ServerName unspecified
Redirect permanent / http://mysite.com:8000/
</VirtualHost>
</IfDefine>
</IfDefine>


<IfDefine MOD_WSGI_HTTPS_ONLY>
<VirtualHost *:8000>
ServerName mysite.com
<IfDefine MOD_WSGI_SERVER_ALIAS>
ServerAlias None
</IfDefine>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://mysite.com:443%{REQUEST_URI}
</VirtualHost>
<IfDefine MOD_WSGI_REDIRECT_WWW>
<VirtualHost *:8000>
ServerName unspecified
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://mysite.com:443%{REQUEST_URI}
</VirtualHost>
</IfDefine>
</IfDefine>


</IfDefine>


<IfDefine MOD_WSGI_VIRTUAL_HOST>


<IfDefine MOD_WSGI_WITH_HTTPS>
<IfDefine MOD_WSGI_WITH_LISTENER_HOST>
Listen mysite.com:443
</IfDefine>
<IfDefine !MOD_WSGI_WITH_LISTENER_HOST>
Listen 443
</IfDefine>
<IfVersion < 2.4>
NameVirtualHost *:443
</IfVersion>
<VirtualHost _default_:443>
<Location />
<IfVersion < 2.4>
Order deny,allow
Deny from all
</IfVersion>
<IfVersion >= 2.4>
Require all denied
</IfVersion>
<IfDefine MOD_WSGI_ALLOW_LOCALHOST>
Allow from localhost
</IfDefine>
</Location>
SSLEngine On
SSLCertificateFile /home/joel/new/myappointments/ssl-certs/cert.pem
SSLCertificateKeyFile /home/joel/new/myappointments/ssl-certs/privkey.pem
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile None
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile None
</IfDefine>
</VirtualHost>
<VirtualHost *:443>
ServerName mysite.com
<IfDefine MOD_WSGI_SERVER_ALIAS>
ServerAlias None
</IfDefine>
SSLEngine On
SSLCertificateFile /home/joel/new/myappointments/ssl-certs/cert.pem
SSLCertificateKeyFile /home/joel/new/myappointments/ssl-certs/privkey.pem
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile None
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile None
</IfDefine>
<IfDefine MOD_WSGI_HTTPS_ONLY>
<IfDefine MOD_WSGI_HSTS_POLICY>
Header set Strict-Transport-Security None
</IfDefine>
</IfDefine>
<IfDefine MOD_WSGI_SSL_ENVIRONMENT>
SSLOptions +StdEnvVars
</IfDefine>
</VirtualHost>
<IfDefine MOD_WSGI_REDIRECT_WWW>
<VirtualHost *:443>
ServerName unspecified
Redirect permanent / https://mysite.com:443/
SSLEngine On
SSLCertificateFile /home/joel/new/myappointments/ssl-certs/cert.pem
SSLCertificateKeyFile /home/joel/new/myappointments/ssl-certs/privkey.pem
<IfDefine MOD_WSGI_VERIFY_CLIENT>
SSLCACertificateFile None
SSLVerifyClient none
</IfDefine>
<IfDefine MOD_WSGI_CERTIFICATE_CHAIN>
SSLCertificateChainFile None
</IfDefine>
</VirtualHost>
</IfDefine>
</IfDefine>


</IfDefine>


DocumentRoot '/tmp/mod_wsgi-mysite.com:8000:0/htdocs'


AccessFileName .htaccess


<Directory '/tmp/mod_wsgi-mysite.com:8000:0'>
    AllowOverride None
<Files handler.wsgi>
<IfVersion < 2.4>
    Order allow,deny
    Allow from all
</IfVersion>
<IfVersion >= 2.4>
    Require all granted
</IfVersion>
</Files>
</Directory>


<Directory '/tmp/mod_wsgi-mysite.com:8000:0/htdocs/'>
    AllowOverride None
<IfDefine MOD_WSGI_DIRECTORY_INDEX>
    DirectoryIndex None
</IfDefine>
<IfDefine MOD_WSGI_DIRECTORY_LISTING>
    Options +Indexes
</IfDefine>
<IfDefine MOD_WSGI_CGI_SCRIPT>
    Options +ExecCGI
</IfDefine>
<IfDefine MOD_WSGI_CGID_SCRIPT>
    Options +ExecCGI
</IfDefine>
    RewriteEngine On
    Include /tmp/mod_wsgi-mysite.com:8000:0/rewrite.conf
<IfDefine !MOD_WSGI_STATIC_ONLY>
    RewriteCond %{REQUEST_FILENAME} !-f
<IfDefine MOD_WSGI_DIRECTORY_INDEX>
    RewriteCond %{REQUEST_FILENAME} !-d
</IfDefine>
<IfDefine MOD_WSGI_SERVER_STATUS>
    RewriteCond %{REQUEST_URI} !/server-status
</IfDefine>
    RewriteRule .* - [H=wsgi-handler]
</IfDefine>
<IfVersion < 2.4>
    Order allow,deny
    Allow from all
</IfVersion>
<IfVersion >= 2.4>
    Require all granted
</IfVersion>
</Directory>


<IfDefine MOD_WSGI_ERROR_OVERRIDE>
WSGIErrorOverride On
</IfDefine>


<IfDefine MOD_WSGI_HOST_ACCESS>
<Location />
    WSGIAccessScript 'None'
</Location>
</IfDefine>


<IfDefine MOD_WSGI_AUTH_USER>
<Location />
    AuthType Basic
    AuthName 'mysite.com:8000'
    AuthBasicProvider wsgi
    WSGIAuthUserScript 'None'
<IfDefine MOD_WSGI_AUTH_GROUP>
    WSGIAuthGroupScript 'None'
</IfDefine>
<IfVersion < 2.4>
    Require valid-user
<IfDefine MOD_WSGI_AUTH_GROUP>
    Require wsgi-group 'wsgi'
</IfDefine>
</IfVersion>
<IfVersion >= 2.4>
   
<RequireAll>
    Require valid-user
<IfDefine MOD_WSGI_AUTH_GROUP>
    Require wsgi-group 'wsgi'
</IfDefine>
   
</RequireAll>
</IfVersion>
</Location>
</IfDefine>


<IfDefine !ONE_PROCESS>
WSGIHandlerScript wsgi-handler '/tmp/mod_wsgi-mysite.com:8000:0/handler.wsgi' \
    process-group='mysite.com:8000' application-group=%{GLOBAL}
WSGIImportScript '/tmp/mod_wsgi-mysite.com:8000:0/handler.wsgi' \
    process-group='mysite.com:8000' application-group=%{GLOBAL}
</IfDefine>


<IfDefine ONE_PROCESS>
WSGIHandlerScript wsgi-handler '/tmp/mod_wsgi-mysite.com:8000:0/handler.wsgi' \
    process-group='%{GLOBAL}' application-group=%{GLOBAL}
WSGIImportScript '/tmp/mod_wsgi-mysite.com:8000:0/handler.wsgi' \
    process-group='%{GLOBAL}' application-group=%{GLOBAL}
</IfDefine>




Alias /__wsgi__/docs '/usr/local/lib/python3.6/dist-packages/mod_wsgi/docs'
Alias /__wsgi__/images '/usr/local/lib/python3.6/dist-packages/mod_wsgi/images'


<Directory '/usr/local/lib/python3.6/dist-packages/mod_wsgi/docs'>
    DirectoryIndex index.html
<IfVersion < 2.4>
    Order allow,deny
    Allow from all
</IfVersion>
<IfVersion >= 2.4>
    Require all granted
</IfVersion>
</Directory>


<Directory '/usr/local/lib/python3.6/dist-packages/mod_wsgi/images'>
<IfVersion < 2.4>
    Order allow,deny
    Allow from all
</IfVersion>
<IfVersion >= 2.4>
    Require all granted
</IfVersion>
</Directory>




<IfDefine MOD_WSGI_VERIFY_CLIENT>
<Location '/'>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
</IfDefine>



How can I solve this?
Going by another thread I tried installing the latest development version of mod_wsgi, but I got a .so file error, so I reverted.

Graham Dumpleton

Sep 8, 2018, 5:48:08 PM
to mod...@googlegroups.com
You would not usually set --host with an argument of a hostname, but an IP address. You would only use that though if absolutely needed and have multiple interfaces and need to restrict which connections can come in on. Based on the error though, even though I suggest not using it, I don't believe that is the issue.

The usual reason for getting forbidden is that because you have used '--server-name mysite.com', you can only connect when using that hostname in the URL. You can't connect to it with an IP address or other hostname. If behind a proxy, that may be a problem.

If trying to connect via 'localhost' or '127.0.0.1', you can add '--allow-localhost'.

    optparse.make_option('--allow-localhost', action='store_true',
            default=False, help='Flag indicating whether access via '
            'localhost should still be allowed when a server name has been '
            'specified and a name based virtual host has been configured.'),

If connecting remotely, from memory you can use '--server-alias *'.

    optparse.make_option('--server-alias', action='append',
            dest='server_aliases', metavar='HOSTNAME', help='A secondary '
            'host name for the web server. May include wildcard patterns.'),

The use of the wildcard of just '*' says allow connecting with any hostname. This should work even though it doesn't match what you expect to be used and what the certificate is set up for. You may as a result get warnings about the original hostname used not then matching the certificate.

Graham


Graham Dumpleton

Sep 8, 2018, 5:49:51 PM
to mod...@googlegroups.com
I should clarify, use these options in addition to --server-name with the value you have now. Don't drop --server-name as must use that when using certificate.
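
Added example (not part of the thread and not mod_wsgi code): a simplified Python model of the behaviour described in the two replies above, showing which Host header values reach the application and which fall through to the deny-all default virtual host when --server-name and --server-alias are set. The function names and sample host values are constructed for illustration, and only host name matching is modelled (--allow-localhost and --host are not).

```python
import re

# Constructed Host header values a server might receive (illustrative only).
SAMPLE_HOSTS = ["mysite.com", "MySite.com:443", "www.mysite.com",
                "203.0.113.10", "localhost", ""]

APP = "application"
DENIED = "catch-all (403)"


def host_only(host_header):
    """Lower-case a Host header value and drop any :port suffix."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, e.g. [::1]:443
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")


def alias_matches(pattern, host):
    """Match a --server-alias pattern; '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, host) is not None


def route(host_header, server_name, server_aliases=()):
    """Return APP when the Host header selects the named virtual host,
    otherwise DENIED for the default host that refuses every request."""
    host = host_only(host_header)
    if host and (host == server_name.lower()
                 or any(alias_matches(a, host) for a in server_aliases)):
        return APP
    return DENIED


def audit(host_headers, server_name, server_aliases=()):
    """Route each expected Host header and list aliases that accept any name.

    An alias made only of '*' removes the host name restriction entirely,
    so it is reported separately for review.
    """
    routes = {h: route(h, server_name, server_aliases) for h in host_headers}
    match_all = [a for a in server_aliases if a and set(a) == {"*"}]
    return routes, match_all


if __name__ == "__main__":
    for aliases in ([], ["*.mysite.com"], ["*"]):
        routes, match_all = audit(SAMPLE_HOSTS, "mysite.com", aliases)
        print("aliases:", aliases, "match-all aliases:", match_all)
        for host, target in routes.items():
            print("  %-18r -> %s" % (host, target))
```

Requests that arrive by IP address, through a proxy that rewrites the Host header, or from a health check using another name all land on the catch-all side unless an alias covers them.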

Joel Mathew

Sep 8, 2018, 10:28:06 PM
to mod...@googlegroups.com
When I do it like:

mod_wsgi-express start-server --log-to-terminal --startup-log
--https-port 443 --server-name myopip.com --ssl-certificate-file
ssl-certs/cert.pem --ssl-certificate-key-file ssl-certs/privkey.pem
--user www-data --group www-data --host mysite.com --host 17.104.53.57

where the last is the ip of my server, I get the `My web site runs on
Malt Whiskey ` message. Not my actual site.

Without the --host mysite.com, again I get the malt whiskey page


Joel G Mathew

Graham Dumpleton

Sep 8, 2018, 10:42:20 PM
to mod...@googlegroups.com


> On 9 Sep 2018, at 12:27 pm, Joel Mathew <jo...@joel.su> wrote:
>
> When I do it like:
>
> mod_wsgi-express start-server --log-to-terminal --startup-log
> --https-port 443 --server-name myopip.com --ssl-certificate-file
> ssl-certs/cert.pem --ssl-certificate-key-file ssl-certs/privkey.pem
> --user www-data --group www-data --host mysite.com --host 17.104.53.57
>
> where the last is the ip of my server, I get the `My web site runs on
> Malt Whiskey ` message. Not my actual site.

Which is expected as you haven't given it as argument the path to the WSGI script file for your application.

> Without the --host mysite.com, again I get the malt whiskey page

Either way, I am saying you shouldn't use --host argument unless you have a specific reason to.

Joel Mathew

Sep 9, 2018, 2:29:33 AM
to mod...@googlegroups.com
Thank you. The problem is fixed.
My final command line:
mod_wsgi-express setup-server wsgi.py --https-port 443 --https-only
--server-name mysite.com --ssl-certificate-file ssl-certs/cert.pem
--ssl-certificate-key-file ssl-certs/privkey.pem --user www-data
--group www-data --url-alias /appointments/static
./appointments/static

I wrote a short blog on using letsencrypt certificates with
mod_wsgi-express:
http://blog.droidzone.in/2018/09/08/using-letsencrypt-certificate-files-with-mod_wsgi-express-for-https-on-django/

Thank you for the great utility, Graham Dumpleton

Graham Dumpleton

Sep 9, 2018, 2:38:12 AM
to mod...@googlegroups.com
You shouldn't need:

    try:
        application = get_wsgi_application()
    except Exception:
        # Error loading applications
        if 'mod_wsgi' in sys.modules:
            traceback.print_exc()
            os.kill(os.getpid(), signal.SIGINT)
            time.sleep(2.5)

When using mod_wsgi-express it has a default startup-timeout of 15 seconds.

    optparse.make_option('--startup-timeout', type='int', default=15,
            metavar='SECONDS', help='Maximum number of seconds allowed '
            'to pass waiting for the application to be successfully '
            'loaded and started by a worker process. When this timeout '
            'has been reached without the application having been '
            'successfully loaded and started, the worker process will '
            'be forced to restart. Defaults to 15 seconds.'),

This means that if the WSGI script doesn't load, the whole daemon process will be restarted automatically.

This gets around transient problems when doing Django initialisation, and Django initialisation not being able to be called a second time in the same process, which is what that try/except hack is about.

So you can use just:

application = get_wsgi_application()

Also, when using mod_wsgi-express you don't need:

sys.path.append('/home/joel/myappointments/venv/lib/python3.6/site-packages')

as it will automatically use what virtual environment mod_wsgi was installed in. You shouldn't try and force it to use site-packages from a separate virtual environment.

Finally:

sys.path.append('/home/joel/myappointments')

isn't needed if that is the current directory when you run mod_wsgi-express, or is the directory the WSGI script file is in.

If needing to force the home directory for the WSGI application, better to use:

--home=/home/joel/myappointments

option. This will cause modules search to be performed from that directory as well.

If need to add additional directories, use:

--python-path=/home/joel/myappointments

This option can be used more than once.

Graham

Graham Dumpleton

Sep 9, 2018, 2:43:05 AM
to mod...@googlegroups.com
Should mention that if configuring Apache/mod_wsgi yourself, you can set startup-timeout yourself on WSGIDaemonProcess. It isn't enabled by default in that case.

Joel Mathew

Sep 9, 2018, 2:46:45 AM
to mod...@googlegroups.com
Thank you for the awesome explanation. I confess that I was hacking
around with a script I found on your blog without fully understanding!
:)

Joel G Mathew

Graham Dumpleton

Sep 9, 2018, 2:50:37 AM
to mod...@googlegroups.com
That restart hack was required a long time ago, but the startup timeout avoids it when using daemon mode.