mod_wsgi 3.4 issues


Philip Prindeville
Jul 27, 2021, 1:58:30 AM
to mod...@googlegroups.com
Hi,

I’m using mod_wsgi 3.4, Python 3.7, Apache 2.4.48, and Flask 2.0.1 in my production environment.

This is on Amazon Linux 2.

I’m trying to figure out why the various SSL_* environment variables aren’t present when my script runs, even though I have:

SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire

SSLVerifyClient require
SSLVerifyDepth 5


Looking at the sources, the configure.ac file looks pretty trivial, so I don’t think it was built by Amazon with anything disabled.

I’m trying to do authentication based on both Apache’s built-in certificate verification but also on the subject DN as an identity and attribute/value pairs.

I couldn’t find any documentation on mod_ssl integration or debugging issues, other than mod_ssl needed to be loaded by mod_wsgi, which is the case in Amazon Linux 2.

Can you please point me to any documentation about using SSL with mod_wsgi?

Thanks,

-Philip



Graham Dumpleton
Jul 27, 2021, 2:01:46 AM
to mod...@googlegroups.com
They are not passed as environment variables to the process. They are passed in the WSGI environ dictionary.

So don't use os.environ if that is what you are doing; you need to access them from the Flask request environ.


Graham

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/modwsgi/90FF96C3-B45F-4F61-9901-A5B97B1B35AF%40truepic.com.

Philip Prindeville
Jul 27, 2021, 12:54:49 PM
to mod...@googlegroups.com
Hi,

I’m doing that, but I’m only seeing:

UNIQUE_ID=YP9xAZOmSQReVqTcpfpviwAAAAA
SSL_TLS_SNI=...
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=POST
QUERY_STRING=
REQUEST_URI=/enrollment/requestEnrollment
SCRIPT_NAME=/enrollment
PATH_INFO=/requestEnrollment
PATH_TRANSLATED=/var/www/html/requestEnrollment
HTTP_HOST=...
HTTP_ACCEPT_ENCODING=identity
CONTENT_LENGTH=2182
CONTENT_TYPE=multipart/form-data; boundary=45462e42764e55dee1dcc972b3e274b5
HTTP_USER_AGENT=python-urllib3/1.26.4
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.48 () OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/3.7.10
SERVER_NAME=...
SERVER_ADDR=...
SERVER_PORT=443
REMOTE_ADDR=...
DOCUMENT_ROOT=/var/www/html
REQUEST_SCHEME=https
CONTEXT_PREFIX=
CONTEXT_DOCUMENT_ROOT=/var/www/html
SERVER_ADMIN=root@localhost
SCRIPT_FILENAME=/var/www/scripts/enrollment.wsgi
REMOTE_PORT=54857
mod_wsgi.process_group=
mod_wsgi.application_group=
mod_wsgi.callable_object=application
mod_wsgi.request_handler=wsgi-script
mod_wsgi.handler_script=
mod_wsgi.script_reloading=1
mod_wsgi.listener_host=
mod_wsgi.listener_port=443
mod_wsgi.input_chunked=0
mod_wsgi.enable_sendfile=0
mod_wsgi.queue_start=1627353345662030
wsgi.version=(1, 0)
wsgi.multithread=False
wsgi.multiprocess=True
wsgi.run_once=False
wsgi.url_scheme=https
wsgi.errors=<_io.TextIOWrapper encoding='utf-8'>
wsgi.input=<mod_wsgi.Input object at 0x7f4bc43e5770>
wsgi.file_wrapper=<built-in method file_wrapper of mod_wsgi.Adapter object at 0x7f4bb03ad2b0>
mod_wsgi.version=(3, 4)
werkzeug.request=<Request 'https://.../enrollment/requestEnrollment' [POST]>


So the +ExportCertData doesn’t seem to be doing anything.

What am I missing?

-Philip

Philip Prindeville
Jul 27, 2021, 10:02:05 PM
to mod...@googlegroups.com
Hi,

Is there an easy way to see what is being put into the environment by mod_ssl before mod_wsgi runs and sets up the script context to run?

I can’t tell if it’s not being seeded into request.environ[] properly, or if it’s never in the process to begin with because of a failure happening before mod_wsgi even comes into the picture.

Is there an easy way to figure out which one it is?

Thanks,

-Philip


Philip Prindeville
Jul 28, 2021, 12:43:04 AM
to mod...@googlegroups.com
It strikes me that:

SSL_TLS_SNI=…
SERVER_PORT=443

Are set, but:

mod_wsgi.is_https
mod_wsgi.var_lookup

Are not. According to:

https://modwsgi.readthedocs.io/en/master/release-notes/version-3.4.html#new-features


11. Access, authentication and authorisation hooks now have additional keys in the environ dictionary for ‘mod_ssl.is_https’ and ‘mod_ssl.var_lookup’. These equate to callable functions provided by mod_ssl for determining if the client connection to Apache used SSL and what the values of variables specified in the SSL certificates, server or client, are. These are only available if Apache 2.0 or later is being used.


these should be present but aren’t. Looking through the SRPM, mod_wsgi.var_lookup can get added here:

static PyObject *Adapter_environ(AdapterObject *self)

But that’s #if 0’d out.

static PyObject *Dispatch_environ(DispatchObject *self, const char *group)

Also #if 0’d out.

static PyObject *Auth_environ(AuthObject *self, const char *group)

Gated by "#if AP_SERVER_MAJORVERSION_NUMBER >= 2" but that should be true.

Auth_environ() only seems to get called if a “check_password” function is in the calling script, which I don’t understand. It might be the case that we want to use the client cert for something other than authentication (but maybe for identification and logging).


What is required in 3.4 to be able to access SSL_CLIENT_CERT, etc?

Thanks,

-Philip

Philip Prindeville
Jul 28, 2021, 2:56:33 AM
to mod...@googlegroups.com
It seems that I need to have an authenticator of some sort tied into WSGI before it will expose the cert to the script, so I tried:

::: auth.wsgi :::

# from the manual

def check_password(environ: dict, user: str, password: str) -> bool:
    # Log the credentials Apache handed to the hook. The environ is the
    # function's own argument; there is no Flask request object in an
    # auth script.
    err = environ['wsgi.errors']
    print('user: "{0:s}"\npassword: "{1:s}"\n'.format(user, password), file=err)

    return True


And in my ssl.conf file, I’ve changed it to:


...
WSGIApplicationGroup %{GLOBAL}

WSGIDaemonProcess enrollment threads=5
WSGIScriptAlias /enrollment /var/www/scripts/enrollment.wsgi
<Directory enrollment>
WSGIProcessGroup enrollment
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all

# added this next stanza
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /var/www/scripts/auth.wsgi
Require valid-user

SSLRequireSSL
SSLOptions +StrictRequire

SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire

SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
...


But I see no sign of my auth.wsgi script being run, and indeed there’s still no SSL_* stuff in request.environ other than SSL_TLS_SNI being present.

My ssl_error_log shows:

[Wed Jul 28 06:21:10.426835 2021] [ssl:info] [pid 28768] [client 174.27.8.12:56267] AH01964: Connection to child 1 established (server ...:443)
[Wed Jul 28 06:21:10.427084 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(2404): [client 174.27.8.12:56267] AH02044: No matching SSL virtual host for servername ... found (using default/first virtual host)
[Wed Jul 28 06:21:10.427121 2021] [core:debug] [pid 28768] protocol.c(2349): [client 174.27.8.12:56267] AH03155: select protocol from h2,h2c,http/1.1, choices=http/1.1 for server ...
[Wed Jul 28 06:21:10.427128 2021] [core:debug] [pid 28768] protocol.c(2394): [client 174.27.8.12:56267] AH03156: select protocol, proposals=http/1.1 preferences=h2,h2c,http/1.1 configured=h2,h2c,http/1.1
[Wed Jul 28 06:21:10.427131 2021] [core:debug] [pid 28768] protocol.c(2412): [client 174.27.8.12:56267] AH03157: selected protocol=http/1.1
[Wed Jul 28 06:21:10.516433 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(510): AH00831: socache_shmcb_store (0x76 -> subcache 22)
[Wed Jul 28 06:21:10.516487 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(864): AH00847: insert happened at idx=0, data=(0:32)
[Wed Jul 28 06:21:10.516490 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(869): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/206
[Wed Jul 28 06:21:10.516493 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(531): AH00834: leaving socache_shmcb_store successfully
[Wed Jul 28 06:21:10.516505 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(2257): [client 174.27.8.12:56267] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Wed Jul 28 06:21:10.594782 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(422): [client 174.27.8.12:56267] AH02034: Initial (No.1) HTTPS request received for child 1 (server ...:443)
[Wed Jul 28 06:21:10.594893 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of Require all granted: granted
[Wed Jul 28 06:21:10.594898 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of <RequireAny>: granted
[Wed Jul 28 06:21:10.594970 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of Require all granted: granted
[Wed Jul 28 06:21:10.594973 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of <RequireAny>: granted
[Wed Jul 28 06:21:10.595054 2021] [:info] [pid 28768] [client 174.27.8.12:56267] mod_wsgi (pid=28768, process='', application=''): Loading WSGI script '/var/www/scripts/enrollment.wsgi'.


It’s probably something insanely trivial, but I’ve been staring at this for a day and a half now and I can’t figure it out.

Any assistance is really appreciated.

Thanks,

-Philip



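The two points this thread turns on, Graham's (mod_ssl's SSL_* values arrive in the WSGI environ, not os.environ) and the mod_ssl.var_lookup callable that the quoted 3.4 release notes describe for the auth hooks, worked through as an added example. This is not code from the thread or from mod_wsgi; it is a plain WSGI script so it runs without Flask. It assumes mod_ssl.var_lookup takes a variable name and returns its string value or None, that SSL_CLIENT_VERIFY reads "SUCCESS" only for a certificate that passed SSLVerifyClient, and that Apache 2.4 formats SSL_CLIENT_S_DN in RFC 2253 style (comma-separated) unless LegacyDNStringFormat is set, in which case it uses the slash form; the sample environ is constructed. The check_password hook identifies the caller by the certificate CN, which is the identification use case described above, and returns None (unknown user) when no verified certificate is present.

```python
"""Reading mod_ssl data out of a mod_wsgi environ (added example, not thread code)."""
import re

# Keys that "SSLOptions +StdEnvVars" exports; SSL_CLIENT_CERT additionally
# needs "+ExportCertData".
SSL_VARS_OF_INTEREST = ('SSL_PROTOCOL', 'SSL_CIPHER', 'SSL_CLIENT_VERIFY',
                        'SSL_CLIENT_S_DN', 'SSL_CLIENT_I_DN', 'SSL_CLIENT_CERT')

# Constructed sample environ; the DN contains an escaped comma on purpose.
SAMPLE_ENVIRON = {
    'REQUEST_METHOD': 'GET',
    'wsgi.url_scheme': 'https',
    'SSL_PROTOCOL': 'TLSv1.2',
    'SSL_CLIENT_VERIFY': 'SUCCESS',
    'SSL_CLIENT_S_DN': 'CN=device-0042,OU=Field\\, Ops,O=Example Corp,C=US',
}


def ssl_var(environ, name):
    """Value of one mod_ssl variable, or None.

    In mod_wsgi's access/auth hooks the environ carries a
    'mod_ssl.var_lookup' callable (assumed: name -> str or None); in the
    application itself only the CGI-style keys from +StdEnvVars exist.
    """
    lookup = environ.get('mod_ssl.var_lookup')
    if callable(lookup):
        value = lookup(name)
        if value:
            return value
    return environ.get(name) or None


def ssl_vars_present(environ):
    """Which SSL_* keys actually reached this environ (diagnostic aid)."""
    return sorted(k for k in environ if k.startswith('SSL_'))


# Split on commas that are not backslash-escaped (RFC 2253 style).
_RFC2253_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Split a DN as mod_ssl formats it into (attribute, value) pairs.

    Handles "CN=x,O=y,C=z" (Apache 2.4 default) and "/C=z/O=y/CN=x"
    (LegacyDNStringFormat). Escaped commas in values are unescaped; the
    legacy form cannot carry '/' inside a value, so no unescaping there.
    """
    if not dn:
        return []
    parts = dn[1:].split('/') if dn.startswith('/') else _RFC2253_SPLIT.split(dn)
    pairs = []
    for part in parts:
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('malformed DN component: %r' % part)
        pairs.append((attr.strip(), value.replace('\\,', ',').strip()))
    return pairs


def client_identity(environ):
    """Identity from a verified client certificate, or None.

    A subject DN alone is not trusted: the verify status must be SUCCESS,
    otherwise a presented-but-unverified certificate would grant an identity.
    """
    if ssl_var(environ, 'SSL_CLIENT_VERIFY') != 'SUCCESS':
        return None
    dn = ssl_var(environ, 'SSL_CLIENT_S_DN')
    if not dn:
        return None
    attrs = dict(parse_dn(dn))
    return {'dn': dn, 'cn': attrs.get('CN'), 'attributes': attrs}


def check_password(environ, user, password):
    """WSGIAuthUserScript hook: the Basic user must equal the certificate CN.

    The password is deliberately ignored (identity comes from the cert).
    None tells mod_wsgi the user is unknown; False means a mismatch.
    """
    identity = client_identity(environ)
    if identity is None or not identity['cn']:
        return None
    return identity['cn'] == user


def application(environ, start_response):
    """Diagnostic WSGI app: list exactly what mod_ssl handed over."""
    lines = ['%s=%s' % (k, environ[k]) for k in ssl_vars_present(environ)]
    body = ('\n'.join(lines or ['no SSL_* keys in environ']) + '\n').encode('utf-8')
    start_response('200 OK', [('Content-Type', 'text/plain; charset=utf-8'),
                              ('Content-Length', str(len(body)))])
    return [body]
```

Pointing WSGIScriptAlias at this file and requesting it over TLS shows, on one line per key, whether any SSL_* values reached the environ at all, which separates "mod_ssl never exported them" from "the application is reading the wrong place".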