If you read through the email I said that --allow-localhost likely wouldn’t work 
because of how Apache can interpret localhost and override what you want.

That is why I said you needed to use a proper host name with --server-name and 
not use ‘localhost’. Did you try that?

Repeating what I said:

A better way of doing it is to change ‘--server-name localhost’ to:

    --server-name 127.0.0.1.xip.io

Then access the site as:

    https://127.0.0.1.xip.io

Also read the other comment I made in the original email.

Graham

> On 18 Sep 2016, at 3:03 PM, peter hoth <hoth.pe...@gmail.com> wrote:
> 
> I did add the option --allow-localhost and I still get the 403 Forbidden 
> response from the server.
> 
> mod_wsgi-express setup-server --user admin --group admin webapp.wsgi \
>     --startup-log --access-log \
>     --port=80 --server-root=/usr/local/webapp \
>     --https-port 443 --https-only --allow-localhost --server-name localhost \
>     --ssl-certificate /usr/local/webapp/sslcerts/domain
> 
> I manually created an httpd.conf by plucking some lines from the created 
> httpd.conf and I managed to get https://localhost to work.
> 
> 
> LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so
> 
> LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
> LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
> :
> LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
> LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so
> 
> Listen                  443
> SSLSessionCache        "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
> SSLSessionCacheTimeout  300
> 
> User ${MOD_WSGI_USER}
> Group ${MOD_WSGI_GROUP}
> 
> ServerName localhost
> ServerRoot '${MOD_WSGI_SERVER_ROOT}'
> PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'
> 
> ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
> CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common
> 
> <Directory />
>     AllowOverride None
>     Require all denied
> </Directory>
>     
> <VirtualHost *:80>
>     ServerName 127.0.0.1
>     
>     WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
>     Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
>     DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
>     <Directory "${MOD_WSGI_SERVER_ROOT}">
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
> </VirtualHost>
> 
> <virtualhost *:443>
>     ServerName 127.0.0.1
>     
>     WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
>     Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
>     DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
>     <Directory "${MOD_WSGI_SERVER_ROOT}">
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
>         
>     ## SSL
>     SSLEngine On
>     SSLCertificateFile    "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
>     SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"       
>  
> </virtualhost>
> 
> So I guess it's probably some commands in the mod_wsgi created httpd.conf 
> that are causing the "Forbidden" error. I will try to add more lines to see 
> what is causing the problem. One thing I noticed from the mod_wsgi created 
> httpd.conf is that there is the following block:
> 
> :
> <IfDefine !ONE_PROCESS>
> WSGIRestrictEmbedded On
> WSGISocketPrefix /usr/local/webapp/wsgi
> <IfDefine MOD_WSGI_MULTIPROCESS>
> :
> </IfDefine>
> <IfDefine !MOD_WSGI_MULTIPROCESS>
> WSGIDaemonProcess localhost:80 \
>    display-name='(wsgi:localhost:80:0)' \
>    home='/usr/local/webapp' \
>    threads=5 \
>    maximum-requests=0 \
>    python-path='' \
>    python-eggs='/usr/local/webapp/python-eggs' \
>    lang='en_US.UTF-8' \
>    locale='en_US.UTF-8' \
>    listen-backlog=100 \
>    queue-timeout=45 \
>    socket-timeout=60 \
>    connect-timeout=15 \
>    request-timeout=60 \
>    inactivity-timeout=0 \
>    startup-timeout=15 \
>    deadlock-timeout=60 \
>    graceful-timeout=15 \
>    eviction-timeout=0 \
>    shutdown-timeout=5 \
>    send-buffer-size=0 \
>    receive-buffer-size=0 \
>    response-buffer-size=0 \
>    server-metrics=Off
> </IfDefine>
> </IfDefine>
> :
> 
> I am not sure how the DaemonProcess works in SSL, but is it correct for the 
> DaemonProcess to listen on localhost:80 even though I specify --https-only?
> 
> Regards,
> Pete
> 
> 
> On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
> In general a HTTPS site should have a proper fully qualified domain name 
> which matches what is in the certificate. You wouldn’t use ‘localhost’ for 
> the server name.
> 
> For a start, try adding the option:
> 
>     --allow-localhost
> 
> Depending on the platform this still may not work though as I recollect that 
> localhost and host access controls can work strangely on Apache with some 
> operating systems.
> 
> A better way of doing it is to change ‘--server-name localhost’ to:
> 
>     --server-name 127.0.0.1.xip.io
> 
> Then access the site as:
> 
>     https://127.0.0.1.xip.io
> 
> This gets around the way that Apache or the operating system can treat 
> localhost in a special way.
> 
> This requires external DNS access and some Intranets can even block xip.io.
> 
> In that case add an explicit entry into your /etc/hosts file for some fully 
> qualified name, such as:
> 
>     127.0.0.1 www.example.com
> 
> and use:
> 
>     --server-name www.example.com
> 
> Graham
> 
>> On 17 Sep 2016, at 11:38 PM, peter hoth <hoth....@gmail.com> wrote:
>> 
>> Hi, 
>> 
>> I managed to get my web app running with the following command:
>> 
>> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
>>     --startup-log --access-log --port=80 --server-root=/usr/local/mycloud
>> 
>> Next, I managed to generate my SSL cert and performed the following:
>> 
>> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
>>     --startup-log --access-log \
>>     --port=443 --server-root=/usr/local/mycloud \
>>     --https-port 443 --https-only --server-name localhost \
>>     --ssl-certificate /usr/local/mycloud/sslcerts/domain
>> 
>> The error_log shows that my app is actually running when Apache is 
>> started (i.e. apachectl start).
>> No errors in startup_log and access_log.
>> 
>> However, when I pointed my browser to https://localhost 
>> it shows the following error:
>> 
>> Forbidden
>> You don't have permission to access / on this server.
>> 
>> The error_log has the following line:
>> 
>> [Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/
>> 
>> I did not use htdocs when I ran the web app without SSL and it was working 
>> fine. Do I need to add additional parameters to the mod_wsgi-express command 
>> for SSL?
>> 
>> The generated certs are confirmed working.
>> 
>> === My environment:
>> CentOS 6.8
>> port 443 is enabled in firewall
>> default apache service that comes with OS is disabled
>> 
>> python 2.7.12
>> virtualenv 15.0.3
>> pip freeze modules:
>> :
>> mod-wsgi-httpd=2.4.12.6
>> mod-wsgi==4.5.7
>> :
>> 
>> ===
>> 
>> Regards,
>> Pete
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "modwsgi" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to modwsgi+u...@googlegroups.com.
>> To post to this group, send email to mod...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/modwsgi.
>> For more options, visit https://groups.google.com/d/optout.
> 
> 

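A pre-flight check for the /etc/hosts variant of the advice quoted above, as an added example that is not part of the original thread or of mod_wsgi: it confirms that a candidate --server-name value is a fully qualified name, maps to loopback in a hosts file, and is covered by the certificate's DNS names. The function names, the hosts text and the certificate name list are constructed for illustration; the xip.io variant relies on DNS and is not covered by the hosts-file check.

```python
import ipaddress

def parse_ip(text):
    """Return an ipaddress object, or None if `text` is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def hosts_lookup(hosts_text, name):
    """Addresses that /etc/hosts-style text maps `name` to (comments ignored)."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2 and name.lower() in fields[1:]:
            found.append(fields[0])
    return found

def cert_name_matches(pattern, name):
    """dNSName comparison; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == n[1:]
    return p == n

def check_server_name(name, hosts_text, cert_dns_names):
    """List the problems with using `name` as --server-name for local HTTPS."""
    problems = []
    if parse_ip(name) is not None or name.lower() == "localhost" or "." not in name:
        problems.append("not a fully qualified host name")
    ips = [parse_ip(a) for a in hosts_lookup(hosts_text, name)]
    if not any(ip is not None and ip.is_loopback for ip in ips):
        problems.append("no loopback entry in hosts file")
    if not any(cert_name_matches(p, name) for p in cert_dns_names):
        problems.append("not covered by certificate names")
    return problems

# Constructed sample input: a hosts file carrying the entry suggested in the
# thread, and an assumed certificate issued for www.example.com.
HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.example.com  # added for local HTTPS\n"
CERT_NAMES = ["www.example.com"]

if __name__ == "__main__":
    for candidate in ("localhost", "www.example.com"):
        print(candidate, check_server_name(candidate, HOSTS, CERT_NAMES) or "ok")
```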