If you read through the email I said that --allow-localhost likely wouldn’t work because of how Apache can interpret localhost and override what you want.

That is why I said you needed to use a proper host name with --server-name and not use ‘localhost’. Did you try that?

Repeating what I said:

A better way of doing it is to change ‘--server-name localhost’ to:

    --server-name 127.0.0.1.xip.io

Then access the site as:

    https://127.0.0.1.xip.io

Also read the other comment I made in the original email.

Graham

> On 18 Sep 2016, at 3:03 PM, peter hoth <hoth.pe...@gmail.com> wrote:
>
> I did add the option --allow-localhost and I still get the 403 Forbidden
> response from the server.
>
> mod_wsgi-express setup-server --user admin --group admin webapp.wsgi \
>     --startup-log --access-log \
>     --port=80 --server-root=/usr/local/webapp \
>     --https-port 443 --https-only --allow-localhost --server-name localhost \
>     --ssl-certificate /usr/local/webapp/sslcerts/domain
>
> I manually created a httpd.conf by plucking some lines from the created
> httpd.conf and I managed to get https://localhost to work.
>
>
> LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so
>
> LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
> LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
> :
> LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
> LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so
>
> Listen 443
> SSLSessionCache "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
> SSLSessionCacheTimeout 300
>
> User ${MOD_WSGI_USER}
> Group ${MOD_WSGI_GROUP}
>
> ServerName localhost
> ServerRoot '${MOD_WSGI_SERVER_ROOT}'
> PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'
>
> ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
> CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common
>
> <Directory />
>     AllowOverride None
>     Require all denied
> </Directory>
>
> <VirtualHost *:80>
>     ServerName 127.0.0.1
>
>     WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
>     Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
>     DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
>     <Directory "${MOD_WSGI_SERVER_ROOT}">
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
> </VirtualHost>
>
> <virtualhost *:443>
>     ServerName 127.0.0.1
>
>     WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
>     Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
>     DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
>     <Directory "${MOD_WSGI_SERVER_ROOT}">
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
>
>     ## SSL
>     SSLEngine On
>     SSLCertificateFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
>     SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"
>
> </virtualhost>
>
> So I guess it's probably some commands in the mod_wsgi created httpd.conf
> that are causing the "Forbidden" error. I will try to add more lines to see
> what is causing the problem. One thing I noticed from the mod_wsgi created
> httpd.conf is that there is the following block:
>
> :
> <IfDefine !ONE_PROCESS>
> WSGIRestrictEmbedded On
> WSGISocketPrefix /usr/local/webapp/wsgi
> <IfDefine MOD_WSGI_MULTIPROCESS>
> :
> </IfDefine>
> <IfDefine !MOD_WSGI_MULTIPROCESS>
> WSGIDaemonProcess localhost:80 \
>     display-name='(wsgi:localhost:80:0)' \
>     home='/usr/local/webapp' \
>     threads=5 \
>     maximum-requests=0 \
>     python-path='' \
>     python-eggs='/usr/local/webapp/python-eggs' \
>     lang='en_US.UTF-8' \
>     locale='en_US.UTF-8' \
>     listen-backlog=100 \
>     queue-timeout=45 \
>     socket-timeout=60 \
>     connect-timeout=15 \
>     request-timeout=60 \
>     inactivity-timeout=0 \
>     startup-timeout=15 \
>     deadlock-timeout=60 \
>     graceful-timeout=15 \
>     eviction-timeout=0 \
>     shutdown-timeout=5 \
>     send-buffer-size=0 \
>     receive-buffer-size=0 \
>     response-buffer-size=0 \
>     server-metrics=Off
> </IfDefine>
> </IfDefine>
> :
>
> I am not sure how the DaemonProcess works in SSL but is it correct for the
> DaemonProcess to listen to localhost:80 even though I specify --https-only?
>
> Regards,
> Pete
>
>
> On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
> In general a HTTPS site should have a proper fully qualified domain name
> which matches what is in the certificate. You wouldn’t use ‘localhost’ for
> the server name.
>
> For a start, try adding the option:
>
>     --allow-localhost
>
> Depending on the platform this still may not work though as I recollect that
> localhost and host access controls can work strangely on Apache with some
> operating systems.
>
> A better way of doing it is to change ‘--server-name localhost’ to:
>
>     --server-name 127.0.0.1.xip.io
>
> Then access the site as:
>
>     https://127.0.0.1.xip.io
>
> This gets around the way that Apache or the operating system can treat
> localhost in a special way.
>
> This requires external DNS access and some Intranets can even block xip.io.
>
> In that case add an explicit entry into your /etc/hosts file for some fully
> qualified name, such as:
>
>     127.0.0.1 www.example.com
>
> and use:
>
>     --server-name www.example.com
>
> Graham
>
>> On 17 Sep 2016, at 11:38 PM, peter hoth <hoth....@gmail.com> wrote:
>>
>> Hi,
>>
>> I managed to get my web app running with the following command:
>>
>> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
>>     --startup-log --access-log --port=80 --server-root=/usr/local/mycloud
>>
>> Next, I managed to generate my SSL cert and performed the following:
>>
>> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
>>     --startup-log --access-log \
>>     --port=443 --server-root=/usr/local/mycloud \
>>     --https-port 443 --https-only --server-name localhost \
>>     --ssl-certificate /usr/local/mycloud/sslcerts/domain
>>
>> The error_log shows that my app is actually running when the apache is
>> started (i.e. apachectl start)
>> No errors in startup_log and access_log
>>
>> However, when I pointed my browser to https://localhost
>> it shows the following error:
>>
>> Forbidden
>> You don't have permission to access / on this server.
>>
>> The error_log has the following line:
>>
>> [Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/
>>
>> I did not use htdocs when I run the web app without SSL and it was working
>> fine. Do I need to add additional parameters to the mod_wsgi-express command
>> for SSL?
>>
>> The generated certs are confirmed working.
>>
>> === My environment:
>> CentOS 6.8
>> port 443 is enabled in firewall
>> default apache service that comes with OS is disabled
>>
>> python 2.7.12
>> virtualenv 15.0.3
>> pip freeze modules:
>> :
>> mod-wsgi-httpd=2.4.12.6
>> mod-wsgi==4.5.7
>> :
>>
>> ===
>>
>> Regards,
>> Pete

--
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+unsubscr...@googlegroups.com.
To post to this group, send email to modwsgi@googlegroups.com.
Visit this group at https://groups.google.com/group/modwsgi.
For more options, visit https://groups.google.com/d/optout.
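
A preflight for the /etc/hosts variant of the advice in this thread, as an added example that is not part of the original messages: it rejects `localhost`, IP literals and unqualified names as `--server-name` values and checks that the chosen name maps to a loopback address in a hosts file. The function names and the sample hosts content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: function names and sample data are
# constructed for illustration.

# hosts_lookup FILE NAME: print the first address FILE maps NAME to (or nothing).
hosts_lookup() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)            # field 1 is the address
                if (tolower($i) == tolower(want)) { print $1; exit }
        }' "$1"
}

# check_server_name FILE NAME: print "ok" or the reason NAME is a poor
# --server-name choice; exit status is 0 only for "ok".
check_server_name() {
    file=$1
    name=$2
    case $name in
        localhost|localhost.localdomain)
            echo "localhost can be treated specially"; return 1 ;;
        *[!0-9.]*) ;;                            # contains a non-numeric character
        *)  echo "IP literal, not a host name"; return 1 ;;
    esac
    case $name in
        *.*) ;;
        *)  echo "not fully qualified"; return 1 ;;
    esac
    addr=$(hosts_lookup "$file" "$name")
    case $addr in
        127.*|::1) echo "ok" ;;
        "") echo "no hosts entry"; return 1 ;;
        *)  echo "maps to non-loopback $addr"; return 1 ;;
    esac
}

# Constructed sample hosts file; on a real machine pass /etc/hosts instead.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost localhost.localdomain' \
    '127.0.0.1   www.example.com   # local HTTPS test name' \
    '10.0.0.5    intranet.example.com' > "$sample"

for n in localhost 127.0.0.1 webapp intranet.example.com www.example.com; do
    printf '%-22s %s\n' "$n" "$(check_server_name "$sample" "$n")"
done
# A name that reports "ok" is the one to pass as --server-name, and it must
# also be a name the certificate was issued for.
```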