Howto configure secure connection for a private webtiddly?

Birgit Ducarroz

Apr 20, 2016, 7:02:57 AM
to TiddlyWeb
Hi,

I am trying to configure my server for an https connection (http actually works fine), but I run into the following error:

* Reloading web server apache2
*
* The apache2 configtest failed. Not doing anything.
Output of config test was:
AH00526: Syntax error on line 11 of /etc/apache2/sites-enabled/ssl.server.domain.ch:
Invalid command 'WSGIDaemonProcess', perhaps misspelled or defined by a module not included in the server configuration


Actual server URL: http://server:8000/recipes/default/tiddlers.wiki (works fine).

My config problem and my question: what is wrong in my apache2 ssl config? Even though reloading apache2 indicates an error in line 11, I'm sure I'm missing something else. Any help appreciated:

vi /etc/apache2/sites-enabled/ssl.server.domain.ch:

<VirtualHost *:8000>
    ServerName      server.domain.ch
    AllowEncodedSlashes On
    Alias /tiddly /home/data/www-sysadmin/Sysadmin/tiddly

    <Directory /home/data/www-sysadmin/Sysadmin/tiddly>
        Order allow,deny
        Allow from all
    </Directory>

    WSGIDaemonProcess server.domain.ch user=33 processes=1 threads=10
    WSGIProcessGroup server.domain.ch
    WSGIPassAuthorization On
    WSGIScriptAlias /tiddly /home/data/www-sysadmin/Sysadmin/tiddly/tiddlywebconfig.py
</VirtualHost>



Path and config files:
/home/data/www-sysadmin/Sysadmin/tiddly# ls -la
total 43
drwxrwxr-x 5 root     www-data    11 Apr 20 11:26 .
drwxrwxr-x 5 root     www-data     8 Apr 18 13:54 ..
drwxrwxr-x 5 root     www-data     7 Feb 17 13:37 store
lrwxrwxrwx 1 root     www-data    27 Feb  8 12:49 templates -> tiddlywebplugins/templates/
-rw-rw-r-- 1 root     www-data   493 Apr 20 09:19 tiddlywebconfig.py
-rw-r--r-- 1 www-data www-data   499 Apr 20 09:19 tiddlywebconfig.pyc
-rw-rw-r-- 1 root     www-data 21902 Apr 12 12:08 tiddlyweb.log
drwxrwxr-x 3 root     www-data     7 Feb 25 13:44 tiddlywebplugins
drwxrwxr-x 3      501 www-data     9 Feb  5 10:37 tiddlywebplugins.wimporter-0.10.0
-rw-rw-r-- 1 root     www-data  5224 Jan  9 06:23 tiddlywebplugins.wimporter-0.10.0.tar.gz
-rw-rw-r-- 1 root     www-data  3359 Feb  5 11:07 wsgiapp.py



Excerpt of my tiddlywebconfig.py

'server_host': {
    'scheme': 'https',
    'host': 'server',   # <-- i put my actual server name here
    'port': '8000',
},



vi /etc/mod_wsgi-express-8000/handler.wsgi
working_directory = '/home/data/www-sysadmin/Sysadmin/tiddly'
entry_point = '/home/data/www-sysadmin/Sysadmin/tiddly/wsgiapp.py'


Thank you  a lot!
Regards,
Birgit

chris...@gmail.com

Apr 21, 2016, 8:41:22 AM
to TiddlyWeb
On Wed, 20 Apr 2016, Birgit Ducarroz wrote:

> I try to configure my server for https connection (http works actually
> fine), but I run into the following error:

From the information you've provided I think there may be two issues:

* You've not enabled the mod_wsgi module. You may need to:

sudo a2enmod wsgi

* It looks like you haven't turned on SSL for your virtual host.
Usually this involves setting 'SSLEngine On'. There's more info
about SSL and Apache here:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html


--
Chris Dent http://burningchrome.com/
[...]

Birgit Ducarroz

Apr 22, 2016, 8:24:02 AM
to TiddlyWeb
Not really easy... :-(
Isn't there any tutorial? When googling around, it seems I am the first one who tries this...


aptitude install libapache2-mod-wsgi
a2enmod wsgi && sudo invoke-rc.d apache2 restart
pip install pyopenssl ndg-httpsclient pyasn1
pip install --upgrade ndg-httpsclient


As root:
DEFAULT_OPTIONS="--document-root=/home/data/www-sysadmin/Sysadmin/tiddly --log-to-terminal --log-level info --server-status --access-log --startup-log"
HTTPS_OPTIONS=" --https-only --ssl-certificate-file /etc/apache2/ssl/server.crt.pem --ssl-certificate-key-file /etc/apache2/ssl/server.key --https-port 8000 --server-name server.domain.ch --allow-localhost"
mod_wsgi-express start-server $DEFAULT_OPTIONS ${HTTPS_OPTIONS} --reload-on-changes /home/data/www-sysadmin/Sysadmin/tiddly/wsgiapp.py --user=www-data --group=www-data

Server URL         : http://servername.domain.ch:8000/
Server URL (HTTPS) : https://servername.domain.ch:8000/
Server Status      : http://servernamedomain.ch:8000/server-status
Server Root        : /tmp/mod_wsgi-localhost:8000:0
Server Conf        : /tmp/mod_wsgi-localhost:8000:0/httpd.conf
Error Log File     : /dev/stderr (info)
Access Log File    : /dev/stdout
Startup Log File   : /dev/stderr
Request Capacity   : 5 (1 process * 5 threads)
Request Timeout    : 60 (seconds)
Queue Backlog      : 100 (connections)
Queue Timeout      : 45 (seconds)
Server Capacity    : 20 (event/worker), 20 (prefork)
Server Backlog     : 500 (connections)
Locale Setting     : en_US.UTF-8
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:8000
[Fri Apr 22 14:01:39.103675 2016] [ssl:info] [pid 2729:tid 139994751272832] AH02200: Loading certificate & private key of SSL-aware server 'servername:443'
[Fri Apr 22 14:01:39.103971 2016] [ssl:info] [pid 2729:tid 139994751272832] AH02200: Loading certificate & private key of SSL-aware server 'localhost:8000'
[Fri Apr 22 14:01:39.104161 2016] [ssl:info] [pid 2729:tid 139994751272832] AH01887: Init: Initializing (virtual) servers for SSL
[Fri Apr 22 14:01:39.104185 2016] [ssl:info] [pid 2729:tid 139994751272832] AH01914: Configuring server servername:443 for SSL protocol
[Fri Apr 22 14:01:39.104541 2016] [ssl:info] [pid 2729:tid 139994751272832] AH01914: Configuring server localhost:8000 for SSL protocol
[Fri Apr 22 14:01:39.104719 2016] [ssl:warn] [pid 2729:tid 139994751272832] AH01909: RSA certificate configured for localhost:8000 does NOT include an ID which matches the server name
[Fri Apr 22 14:01:39.104827 2016] [ssl:warn] [pid 2729:tid 139994751272832] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Fri Apr 22 14:01:39.104854 2016] [ssl:info] [pid 2729:tid 139994751272832] AH01876: mod_ssl/2.4.7 compiled against Server: Apache/2.4.7, Library: OpenSSL/1.0.1f
[Fri Apr 22 14:01:39.110204 2016] [core:crit] [pid 2729:tid 139994751272832] (22)Invalid argument: AH00069: make_sock: for address [::]:8000, apr_socket_opt_set: (IPV6_V6ONLY)
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:8000
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:8000
[Fri Apr 22 14:01:39.110281 2016] [mpm_event:alert] [pid 2729:tid 139994751272832] no listening sockets available, shutting down
[Fri Apr 22 14:01:39.110289 2016] [:emerg] [pid 2729:tid 139994751272832] AH00019: Unable to open logs, exiting



user@servername:/home/data/www-sysadmin/Sysadmin/tiddly$ mod_wsgi-express setup-server wsgiapp.py --port=8000 --user www-data --group www-data --server-root=/etc/mod_wsgi-express-8000 --https-only --ssl-certificate-file /etc/apache2/ssl/servername.crt.pem --ssl-certificate-key-file /etc/apache2/ssl/servername.key --https-port 8000 --server-name servername.domain.ch --allow-localhost
Traceback (most recent call last):
  File "/usr/local/bin/mod_wsgi-express", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/mod_wsgi/server/__init__.py", line 3059, in main
    cmd_setup_server(args)
  File "/usr/local/lib/python2.7/dist-packages/mod_wsgi/server/__init__.py", line 2329, in cmd_setup_server
    _cmd_setup_server('setup-server', args, vars(options))
  File "/usr/local/lib/python2.7/dist-packages/mod_wsgi/server/__init__.py", line 2907, in _cmd_setup_server
    generate_wsgi_handler_script(options)
  File "/usr/local/lib/python2.7/dist-packages/mod_wsgi/server/__init__.py", line 1506, in generate_wsgi_handler_script
    with open(path, 'w') as fp:
IOError: [Errno 13] Permission denied: '/etc/mod_wsgi-express-8000/handler.wsgi'



Permissions:
-rwxr-xr-x 1 root root 3013 Apr 22 13:56 /etc/mod_wsgi-express-8000/handler.wsgi

chris...@gmail.com

Apr 25, 2016, 8:25:57 AM
to TiddlyWeb
On Fri, 22 Apr 2016, Birgit Ducarroz wrote:

> Not really easy... :-(
> Isn't there any tutorial? When googeling around, it seems I am the first
> one who tries this...

What operating environment are you in? If you're in a common Linux
distro I don't think you'll need mod_wsgi-express.

Based on the output below it looks like this is trying to start a
new apache server on port 8000 when there is already something else
(maybe your existing apache) running that is listening on port 8000.

What you want to do is:

* adjust the configuration of your already installed apache2 so it
has ssl and mod_wsgi configured to run (which is done with
a2enmod)
* change the configuration of an existing or new virtual host to use
that ssl and mod_wsgi

Here's a sample I'm using to run Tank <https://tank.peermore.com/>,
with some details excluded. This may give you some guidance. Also
look in the contents of wsgiapp.py
<https://github.com/tiddlyweb/tiddlyweb/blob/master/wsgiapp.py>

You'll need to make some adjustments, including: changing the 443 to
your port number, adjusting the ServerName and updating paths and
usernames to be appropriate to your environment.

I hope this helps. I'm sorry it's not more simple. If you're still
struggling you might check with apache support forums on how to
mount wsgi applications with SSL. This isn't a problem that is
specific to tiddlyweb. If you're able to get general help on hosting
wsgi applications, then that advice ought to apply to tiddlyweb.

```
<VirtualHost *:443>
ServerName tank.peermore.com
AllowEncodedSlashes On

# Create a wsgi process
WSGIDaemonProcess tank user=cdent processes=2 threads=20 stack-size=524288 display-name=%{GROUP} maximum-requests=500
WSGIProcessGroup tank

DocumentRoot /home/cdent/public_html/tank.peermore.com
<Directory /home/cdent/public_html/tank.peermore.com>
Order allow,deny
Allow from all
</Directory>

# Turn on ssl
SSLEngine on

# Point at ssl cert files
SSLCertificateFile /etc/letsencrypt/live/tank.peermore.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tank.peermore.com-0001/privkey.pem
SSLCACertificateFile ssl/ca.pem

CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ErrorLog /var/log/apache2/tank.peermore.com-error.log
CustomLog /var/log/apache2/tank.peermore.com-access.log combined

# Point at the wsgi app
WSGIScriptAlias / /home/cdent/tiddlywebs/tank.peermore.com/wsgiapp.py
</VirtualHost>
```

> *As root:*
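The two points Chris raised in his first reply (the WSGI* directives only exist once mod_wsgi is enabled, and an HTTPS host needs 'SSLEngine on' plus a certificate and key) and the directives his Tank sample adds can be checked mechanically before reloading apache2. The linter below is an added example, not code from TiddlyWeb, Apache or either poster; it assumes the caller supplies the set of enabled modules (for instance read off `apache2ctl -M`), and the two sample hosts are constructed from this thread with made-up paths under /srv/tiddly.

```python
"""Lint Apache <VirtualHost> blocks for the problems raised in this thread:
WSGI*/SSL* directives need their module enabled (a2enmod), and an HTTPS host
needs 'SSLEngine on' plus a certificate and key.  Added example, not code from
TiddlyWeb or Apache; the sample configs are constructed from the thread."""
import re

# Directive -> Apache module that provides it (enable with: a2enmod <module>).
MODULE_FOR_DIRECTIVE = {
    "WSGIDaemonProcess": "wsgi", "WSGIProcessGroup": "wsgi",
    "WSGIScriptAlias": "wsgi", "WSGIPassAuthorization": "wsgi",
    "SSLEngine": "ssl", "SSLCertificateFile": "ssl",
    "SSLCertificateKeyFile": "ssl", "SSLCACertificateFile": "ssl",
}


def parse_vhosts(text):
    """Return a list of (listen_spec, {directive: first value}) for each
    <VirtualHost> block.  Nested containers such as <Directory> are skipped
    so their Order/Allow lines are not mistaken for host-level directives."""
    hosts, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = (m.group(1).strip(), {})
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            hosts.append(current)
            current = None
            continue
        if line.startswith("</"):                # leave a nested container
            depth -= 1
            continue
        if line.startswith("<"):                 # enter a nested container
            depth += 1
            continue
        if current is not None and depth == 0:
            parts = line.split(None, 1)
            current[1].setdefault(parts[0], parts[1] if len(parts) > 1 else "")
    return hosts


def lint_vhost(vhost, enabled_modules):
    """Return human-readable findings for one parsed virtual host, given the
    set of modules the server reports as enabled (e.g. from 'apache2ctl -M')."""
    listen, directives = vhost
    findings = []
    needed = {MODULE_FOR_DIRECTIVE[d] for d in directives if d in MODULE_FOR_DIRECTIVE}
    for mod in sorted(needed - set(enabled_modules)):
        findings.append(f"{listen}: directives need mod_{mod} (run: a2enmod {mod})")
    if directives.get("SSLEngine", "").lower() != "on":
        findings.append(f"{listen}: no 'SSLEngine on', so this host serves plain HTTP")
    else:
        for req in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if req not in directives:
                findings.append(f"{listen}: SSLEngine on but {req} is missing")
    if "ServerName" not in directives:
        findings.append(f"{listen}: ServerName missing; certificate name checks will warn")
    return findings


# Constructed sample: the host from the first message (WSGI directives, no TLS).
BROKEN_VHOST = """
<VirtualHost *:8000>
    ServerName server.domain.ch
    AllowEncodedSlashes On
    <Directory /srv/tiddly>
        Order allow,deny
        Allow from all
    </Directory>
    WSGIDaemonProcess server.domain.ch user=33 processes=1 threads=10
    WSGIProcessGroup server.domain.ch
    WSGIScriptAlias /tiddly /srv/tiddly/tiddlywebconfig.py
</VirtualHost>
"""

# Constructed sample: the same host with the SSL directives from the Tank example.
FIXED_VHOST = """
<VirtualHost *:8000>
    ServerName server.domain.ch
    AllowEncodedSlashes On
    WSGIDaemonProcess tiddly user=www-data processes=1 threads=10
    WSGIProcessGroup tiddly
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    WSGIScriptAlias / /srv/tiddly/wsgiapp.py
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        for vh in parse_vhosts(cfg):
            print(label, lint_vhost(vh, enabled_modules={"ssl", "wsgi"}) or ["ok"])
```

Run against the broken host with an empty module set it reports both of Chris's points; with both modules enabled only the missing 'SSLEngine on' remains, and the fixed host lints clean. The check is deliberately static: it does not tell you whether port 8000 is already bound by another apache, which is the separate problem in the mod_wsgi-express output above.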