I did add the option --allow-localhost and I still get the 403 Forbidden response from the server.

mod_wsgi-express setup-server --user admin --group admin webapp.wsgi \
  --startup-log --access-log \
  --port=80 --server-root=/usr/local/webapp \
  --https-port 443 --https-only --allow-localhost --server-name localhost \
  --ssl-certificate /usr/local/webapp/sslcerts/domain

I manually created an httpd.conf by plucking some lines from the created httpd.conf and I managed to get https://localhost to work.

LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so
LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
:
LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so

Listen 443
SSLSessionCache "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

User ${MOD_WSGI_USER}
Group ${MOD_WSGI_GROUP}
ServerName localhost
ServerRoot '${MOD_WSGI_SERVER_ROOT}'
PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'
ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common

<Directory />
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName 127.0.0.1
    WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
    Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<virtualhost *:443>
    ServerName 127.0.0.1
    WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
    Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    ## SSL
    SSLEngine On
    SSLCertificateFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
    SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"
</virtualhost>

So I guess it's probably some commands in the mod_wsgi created httpd.conf that are causing the "Forbidden" error. I will try to add more lines to see what is causing the problem.

One thing I noticed from the mod_wsgi created httpd.conf is that there is the following block:

:
<IfDefine !ONE_PROCESS>
WSGIRestrictEmbedded On
WSGISocketPrefix /usr/local/webapp/wsgi
<IfDefine MOD_WSGI_MULTIPROCESS>
:
</IfDefine>
<IfDefine !MOD_WSGI_MULTIPROCESS>
WSGIDaemonProcess localhost:80 \
   display-name='(wsgi:localhost:80:0)' \
   home='/usr/local/webapp' \
   threads=5 \
   maximum-requests=0 \
   python-path='' \
   python-eggs='/usr/local/webapp/python-eggs' \
   lang='en_US.UTF-8' \
   locale='en_US.UTF-8' \
   listen-backlog=100 \
   queue-timeout=45 \
   socket-timeout=60 \
   connect-timeout=15 \
   request-timeout=60 \
   inactivity-timeout=0 \
   startup-timeout=15 \
   deadlock-timeout=60 \
   graceful-timeout=15 \
   eviction-timeout=0 \
   shutdown-timeout=5 \
   send-buffer-size=0 \
   receive-buffer-size=0 \
   response-buffer-size=0 \
   server-metrics=Off
</IfDefine>
</IfDefine>
:

I am not sure how the DaemonProcess works in SSL, but is it correct for the DaemonProcess to listen to localhost:80 even though I specify --https-only?

Regards,
Pete

On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
>
> In general a HTTPS site should have a proper fully qualified domain name
> which matches what is in the certificate. You wouldn’t use ‘localhost’ for
> the server name.
>
> For a start, try adding the option:
>
> --allow-localhost
>
> Depending on the platform this still may not work though as I recollect
> that localhost and host access controls can work strangely on Apache with
> some operating systems.
>
> A better way of doing it is to change ‘--server-name localhost’ to:
>
> --server-name 127.0.0.1.xip.io
>
> Then access the site as:
>
> https://127.0.0.1.xip.io
>
> This gets around the way that Apache or the operating system can treat
> localhost in a special way.
>
> This requires external DNS access and some Intranets can even block xip.io.
>
> In that case add an explicit entry into your /etc/hosts file for some
> fully qualified name, such as:
>
> 127.0.0.1 www.example.com
>
> and use:
>
> --server-name www.example.com
>
> Graham
>
> On 17 Sep 2016, at 11:38 PM, peter hoth <[email protected]> wrote:
>
> Hi,
>
> I managed to get my web app running with the following command:
>
> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi
> --startup-log --access-log --port=80 --server-root=/usr/local/mycloud
>
> Next, I managed to generate my SSL cert and performed the following:
>
> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi
> --startup-log --access-log \
> --port=443 --server-root=/usr/local/mycloud \
> --https-port 443 --https-only --server-name localhost --ssl-certificate
> /usr/local/mycloud/sslcerts/domain
>
> The error_log shows that my app is actually running when the apache is
> started (i.e. apachectl start)
> No errors in startup_log and access_log
>
> However, when I pointed my browser to https://localhost it shows the
> following error:
>
> Forbidden
> You don't have permission to access / on this server.
>
> The error_log has the following line:
>
> [Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid
> 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by
> server configuration: /usr/local/armscloud/htdocs/
>
> I did not use htdocs when I run the web app without SSL and it was working
> fine. Do I need to add additional parameters to the mod_wsgi-express
> command for SSL?
>
> The generated certs are confirmed working.
>
> === My environment:
> CentOS 6.8
> port 443 is enabled in firewall
> default apache service that comes with OS is disabled
>
> python 2.7.12
> virtualenv 15.0.3
> pip freeze modules:
> :
> mod-wsgi-httpd=2.4.12.6
> mod-wsgi==4.5.7
> :
>
> ===
>
> Regards,
> Pete
>
> --
> You received this message because you are subscribed to the Google Groups
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/modwsgi.
> For more options, visit https://groups.google.com/d/optout.
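
Added example, not part of the original thread and not mod_wsgi's own code: a Python check that takes an AH01630 line like the one quoted above and reports which plain <Directory> block's Require rules govern the denied path. It assumes Apache's default authorization merging, where the most specific matching <Directory> block that sets Require wins; the config sample is constructed from the access-control blocks of the hand-written httpd.conf with ${MOD_WSGI_SERVER_ROOT} expanded to /usr/local/webapp, and <Location>, <Files>, wildcards and <DirectoryMatch> are not handled.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the error_log line quoted in the thread.
ERROR_LINE = (
    '[Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid '
    '139664394032896] [client 127.0.0.1:40492] AH01630: client denied by '
    'server configuration: /usr/local/armscloud/htdocs/')

# Constructed sample: access-control blocks only, variables expanded (assumption).
CONFIG = '''
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/usr/local/webapp">
    Options None
    Require all granted
</Directory>
'''

AH01630 = re.compile(r'AH01630: client denied by server configuration: (\S+)')
DIRECTORY = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
REQUIRE = re.compile(r'^\s*Require\s+(.+?)\s*$', re.M | re.I)

def denied_path(line):
    """Return the filesystem path named in an AH01630 log line, or None."""
    m = AH01630.search(line)
    return m.group(1) if m else None

def directory_rules(config):
    """Map each plain <Directory> path to the Require arguments it sets."""
    rules = {}
    for path, body in DIRECTORY.findall(config):
        requires = REQUIRE.findall(body)
        if requires:  # a block without Require leaves authorization unchanged
            rules[PurePosixPath(path.strip())] = requires
    return rules

def governing_rule(path, rules):
    """Return (directory, requires) of the longest <Directory> covering path."""
    target = PurePosixPath(path)
    matches = [d for d in rules if d == target or d in target.parents]
    best = max(matches, key=lambda d: len(d.parts), default=None)
    return (str(best), rules[best]) if best is not None else None

print(governing_rule(denied_path(ERROR_LINE), directory_rules(CONFIG)))
```

With this sample the denied path is covered only by the root block, so the script points at `Require all denied` under `<Directory />` rather than at the block that grants access to the server root.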
