I did add the option --allow-localhost and I still get the 403 Forbidden 
response from the server.

mod_wsgi-express setup-server --user admin --group admin webapp.wsgi \
--startup-log --access-log \
--port=80 --server-root=/usr/local/webapp \
--https-port 443 --https-only --allow-localhost --server-name localhost \
--ssl-certificate /usr/local/webapp/sslcerts/domain

I manually created an httpd.conf by plucking some lines from the created 
httpd.conf and I managed to get https://localhost to work.


LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so

LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
:
LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so

Listen                  443
SSLSessionCache         "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

User ${MOD_WSGI_USER}
Group ${MOD_WSGI_GROUP}

ServerName localhost
ServerRoot '${MOD_WSGI_SERVER_ROOT}'
PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'

ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common

<Directory />
    AllowOverride None
    Require all denied
</Directory>
    
<VirtualHost *:80>
    ServerName 127.0.0.1
    
    WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
    Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<virtualhost *:443>
    ServerName 127.0.0.1
    
    WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
    Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
        
    ## SSL
    SSLEngine On
    SSLCertificateFile    "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
    SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"     
   
</virtualhost>

So I guess it's probably some commands in the mod_wsgi created httpd.conf 
that are causing the "Forbidden" error. I will try to add more lines to see 
what is causing the problem. One thing I noticed from the mod_wsgi created 
httpd.conf is that there is the following block:

:
<IfDefine !ONE_PROCESS>
WSGIRestrictEmbedded On
WSGISocketPrefix /usr/local/webapp/wsgi
<IfDefine MOD_WSGI_MULTIPROCESS>
:
</IfDefine>
<IfDefine !MOD_WSGI_MULTIPROCESS>
WSGIDaemonProcess localhost:80 \
   display-name='(wsgi:localhost:80:0)' \
   home='/usr/local/webapp' \
   threads=5 \
   maximum-requests=0 \
   python-path='' \
   python-eggs='/usr/local/webapp/python-eggs' \
   lang='en_US.UTF-8' \
   locale='en_US.UTF-8' \
   listen-backlog=100 \
   queue-timeout=45 \
   socket-timeout=60 \
   connect-timeout=15 \
   request-timeout=60 \
   inactivity-timeout=0 \
   startup-timeout=15 \
   deadlock-timeout=60 \
   graceful-timeout=15 \
   eviction-timeout=0 \
   shutdown-timeout=5 \
   send-buffer-size=0 \
   receive-buffer-size=0 \
   response-buffer-size=0 \
   server-metrics=Off
</IfDefine>
</IfDefine>
:

I am not sure how the DaemonProcess works in SSL but is this correct for 
the DaemonProcess to listen to localhost:80 even though I specify 
--https-only?

Regards,
Pete
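
Added example (not part of the original thread, and not mod_wsgi's own code): a small Python check for reading an AH01630 "client denied by server configuration" line against an httpd.conf. It expands ${...} variables, collects the Require lines of each <Directory> block and reports which block covers the path named in the log. It assumes the simplified rule that the most specific matching <Directory> carrying a Require decides; SAMPLE_CONF, directory_rules and effective_require are names made up for this example.

```python
import re

# Constructed sample, modelled on the hand-written httpd.conf in this message.
SAMPLE_CONF = '''
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<VirtualHost *:443>
    DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
    <Directory "${MOD_WSGI_SERVER_ROOT}">
        Require all granted
    </Directory>
</VirtualHost>
'''

def directory_rules(conf, defines):
    """Return [(path, [Require arguments])] for every <Directory> block."""
    # Expand ${NAME} references; unknown names are left untouched.
    conf = re.sub(r'\$\{(\w+)\}', lambda m: defines.get(m.group(1), m.group(0)), conf)
    rules, current = [], None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r'<Directory\s+["\']?([^"\'>]+)', line, re.I)
        if m:
            current = (m.group(1).strip().rstrip('/') or '/', [])
        elif current and re.match(r'</Directory>', line, re.I):
            rules.append(current)
            current = None
        elif current and line.lower().startswith('require '):
            current[1].append(line.split(None, 1)[1])
    return rules

def effective_require(path, rules):
    """Simplified model: the longest matching <Directory> with a Require wins."""
    path = path.rstrip('/') or '/'
    best = None
    for d, reqs in rules:
        covers = d == '/' or path == d or path.startswith(d + '/')
        if covers and reqs and (best is None or len(d) > len(best[0])):
            best = (d, reqs)
    return best
```

With MOD_WSGI_SERVER_ROOT set to /usr/local/webapp, a path under the server root resolves to the "all granted" block, while the path from the quoted error_log line resolves to <Directory /> and "all denied".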


On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
>
> In general a HTTPS site should have a proper fully qualified domain name 
> which matches what is in the certificate. You wouldn’t use ‘localhost’ for 
> the server name.
>
> For a start, try adding the option:
>
>     --allow-localhost
>
> Depending on the platform this still may not work though as I recollect 
> that localhost and host access controls can work strangely on Apache with 
> some operating systems.
>
> A better way of doing it is to change ‘--server-name localhost’ to:
>
>     --server-name 127.0.0.1.xip.io
>
> Then access the site as:
>
>     https://127.0.0.1.xip.io
>
> This gets around the way that Apache or the operating system can treat 
> localhost in a special way.
>
> This requires external DNS access and some Intranets can even block xip.io.
>
> In that case add an explicit entry into your /etc/hosts file for some 
> fully qualified name, such as:
>
>     127.0.0.1 www.example.com
>
> and use:
>
>     --server-name www.example.com
>
> Graham
>
> On 17 Sep 2016, at 11:38 PM, peter hoth <hoth....@gmail.com> wrote:
>
> Hi, 
>
> I managed to get my web app running with the following command:
>
> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
> --startup-log --access-log --port=80 --server-root=/usr/local/mycloud
>
> Next, I managed to generate my SSL cert and performed the following:
>
> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
> --startup-log --access-log \
> --port=443 --server-root=/usr/local/mycloud \
> --https-port 443 --https-only --server-name localhost \
> --ssl-certificate /usr/local/mycloud/sslcerts/domain
>
> The error_log shows that my app is actually running when the apache is 
> started (i.e. apachectl start)
> No errors in startup_log and access_log
>
> However, when I pointed my browser to https://localhost it shows the 
> following error:
>
> Forbidden
> You don't have permission to access / on this server.
>
> The error_log has the following line:
>
> [Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 
> 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by 
> server configuration: /usr/local/armscloud/htdocs/
>
> I did not use htdocs when I ran the web app without SSL and it was working 
> fine. Do I need to add additional parameters to the mod_wsgi-express 
> command for SSL?
>
> The generated certs are confirmed working.
>
> === My environment:
> CentOS 6.8
> port 443 is enabled in firewall
> default apache service that comes with OS is disabled
>
> python 2.7.12
> virtualenv 15.0.3
> pip freeze modules:
> :
> mod-wsgi-httpd=2.4.12.6
> mod-wsgi==4.5.7
> :
>
> ===
>
> Regards,
> Pete
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to modwsgi+u...@googlegroups.com.
> To post to this group, send email to mod...@googlegroups.com.
> Visit this group at https://groups.google.com/group/modwsgi.
> For more options, visit https://groups.google.com/d/optout.
>
>
>
