Using runmodwsgi with Django I can get it working on port 80 but not 443. - client denied by server configuration error.


Marcos Georgopoulos

Apr 11, 2018, 7:25:41 PM
to modwsgi
 Hi,
 
I am trying to get my web application working over https. I am using CentOS 7. I have disabled the firewall and SELinux (temporarily for testing).


The following works with no issues for http on port 80.


sudo python3.6 manage.py runmodwsgi --setup-only --port=80 --user apache --group apache --server-root=/etc/mod_wsgi-express-80

I get the following error when trying to access it over https/443. Below is the command I run to set it up.

sudo python3.6 manage.py runmodwsgi --setup-only --user=apache --group=apache --server-root=/etc/mod_wsgi-express-443 --https-only --https-port=443 --ssl-certificate-file=/etc/pki/tls/certs/localhost.crt  --ssl-certificate-key-file=/etc/pki/tls/private/localhost.key  --server-name=myhost.local 


Web browser

  Forbidden

  You don't have permission to access /login/ on this server.

Error Log

[Wed Apr 11 18:47:33.429059 2018] [mpm_event:notice] [pid 12053:tid 140251110680704] AH00489: Apache/2.4.6 (CentOS) mod_wsgi/4.6.4 Python/3.6 OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Wed Apr 11 18:47:33.429098 2018] [core:notice] [pid 12053:tid 140251110680704] AH00094: Command line: 'httpd (mod_wsgi-express) -f /etc/mod_wsgi-express-443/httpd.conf -D MOD_WSGI_VIRTUAL_HOST -D MOD_WSGI_WITH_HTTPS -D MOD_WSGI_HTTPS_ONLY -D MOD_WSGI_MPM_ENABLE_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_EVENT_MODULE -D MOD_WSGI_MPM_EXISTS_WORKER_MODULE -D MOD_WSGI_MPM_EXISTS_PREFORK_MODULE'
[Wed Apr 11 18:47:50.725314 2018] [authz_core:error] [pid 12061:tid 140251110143744] [client 10.16.18.11:63623] AH01630: client denied by server configuration: /etc/mod_wsgi-express-443/htdocs/login


Many thanks.


Graham Dumpleton

Apr 11, 2018, 8:05:18 PM
to mod...@googlegroups.com
Does accessing the root of the site work?

Add the option:

    --access-log

and show me the series of requests which are then logged in it.

Is there anything in the directory:

   /etc/mod_wsgi-express-443/htdocs

IOW, what do you get when you run:

    ls -las /etc/mod_wsgi-express-443/htdocs

Graham

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
To post to this group, send email to mod...@googlegroups.com.
Visit this group at https://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.

Marcos Georgopoulos

Apr 11, 2018, 8:16:11 PM
to modwsgi
Thanks Graham,

I noticed that if I change my server name to 127.0.0.1 I can now access it locally but not externally. Here is the new command and the requested output. 

sudo python3.6 manage.py runmodwsgi --setup-only --user=apache --group=apache --server-root=/etc/mod_wsgi-express-test2 --https-only --https-port=443 --ssl-certificate-file=/etc/pki/tls/certs/localhost.crt  --ssl-certificate-key-file=/etc/pki/tls/private/localhost.key  --server-name=127.0.0.1  --access-log


Access log
---------------
127.0.0.1 - - [11/Apr/2018:20:10:19 -0400] "GET / HTTP/1.1" 404 2377
127.0.0.1 - - [11/Apr/2018:20:10:24 -0400] "GET /login/ HTTP/1.1" 200 6087
10.200.123.212 - - [11/Apr/2018:20:10:33 -0400] "GET /favicon.ico HTTP/1.1" 403 213
10.200.123.212 - - [11/Apr/2018:20:10:33 -0400] "GET / HTTP/1.1" 403 202
10.200.123.212 - - [11/Apr/2018:20:10:34 -0400] "GET /login/ HTTP/1.1" 403 208
10.200.123.212 - - [11/Apr/2018:20:10:35 -0400] "GET /login/ HTTP/1.1" 403 208

ls -las /etc/mod_wsgi-express-test2/htdocs
total 0
0 drwxr-xr-x 2 root root   6 Apr 11 20:09 .
0 drwxr-xr-x 4 root root 250 Apr 11 20:10 ..

Marcos Georgopoulos

Apr 11, 2018, 8:19:14 PM
to modwsgi
Sorry I forgot to answer part of your question.

No, accessing '/' has the same issue.


On Thursday, April 12, 2018 at 10:05:18 AM UTC+10, Graham Dumpleton wrote:

Graham Dumpleton

Apr 11, 2018, 8:26:31 PM
to mod...@googlegroups.com
The argument to --server-name should be the same host name you use in the URL otherwise it likely will not work. You can't use 'localhost' or any other internal name which isn't what is used in the URL.

Also try not supplying:

    --https-only

See if normal 'http' URL access works, and then with 'https' URL.

Am wondering whether it is some issue around the redirection from http to https.

Graham

Marcos Georgopoulos

Apr 11, 2018, 9:39:00 PM
to mod...@googlegroups.com, graham.d...@gmail.com
Hi Graham,

Ok I can access both but only through the server name. 

We are working on getting CA signed certs and DNS sorted but in the meantime I was hoping to access it via IP address over HTTPS. This is an internal site on private IP and not accessible from the internet.

Is there a way to temporarily permit this with mod_wsgi?

Many thanks.



Graham Dumpleton

Apr 11, 2018, 9:52:07 PM
to Marcos Georgopoulos, mod...@googlegroups.com
Use a nip.io address.

So use:

    --server-name A.B.C.D.nip.io

replacing A.B.C.D with your IP address.

Have everyone use:


See:


for more information on these magic hostnames.

Hopefully your organisation doesn't block DNS for them, some do.

Graham
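
An added example (not part of the thread and not mod_wsgi code): a pre-flight check for the two points in the replies above, that the host in the URL must equal the `--server-name` value and that an IP-only site can use an `A.B.C.D.nip.io` name. The function names and the 192.0.2.10 address are constructed for illustration, and the exact string comparison is a simplification of Apache's virtual host matching.

```python
import ipaddress
from urllib.parse import urlsplit

NIP_SUFFIX = ".nip.io"


def nip_io_name(ip):
    """Return the A.B.C.D.nip.io hostname for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return f"{addr}{NIP_SUFFIX}"


def embedded_ip(hostname):
    """Return the IPv4 address encoded in an A.B.C.D.nip.io name, else None."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(NIP_SUFFIX):
        return None
    try:
        return str(ipaddress.IPv4Address(host[: -len(NIP_SUFFIX)]))
    except ValueError:
        return None


def check_url(url, server_name):
    """Compare the host a client types with the --server-name value.

    Returns (matches, suggested_server_name). A suggestion is only made
    when the URL uses a bare IPv4 address, where a nip.io name can stand in.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")  # already lower-cased
    if host == server_name.lower().rstrip("."):
        return True, None
    try:
        return False, nip_io_name(host)
    except ValueError:
        return False, None  # a different DNS name: fix the URL or the option


if __name__ == "__main__":
    # Constructed sample URLs; 192.0.2.10 is a documentation address.
    for url in ("https://myhost.local/login/",
                "https://192.0.2.10/login/",
                "https://192.0.2.10.nip.io/login/"):
        print(url, check_url(url, "myhost.local"))
```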

Marcos Georgopoulos

Apr 11, 2018, 10:06:54 PM
to modwsgi
Thanks Graham, I didn't know about nip.io.

and many thanks for all of your hard work with mod_wsgi!

Graham Dumpleton

Apr 11, 2018, 10:35:45 PM
to mod...@googlegroups.com
Does that mean it has solved the problem for now?

Graham

Marcos Georgopoulos

Apr 11, 2018, 10:45:31 PM
to modwsgi
Hi Graham,

Yes the problem is solved. Many thanks