Re: [modwsgi] mod_wsgi-express SSL implementation error

2016-09-17 Thread peter hoth
It works!

I modified /etc/hosts as you suggested.

Thanks Graham for your fast reply and help!


On Sunday, September 18, 2016 at 1:07:46 PM UTC+8, Graham Dumpleton wrote:
>
> If you read through the email I said that --allow-localhost likely wouldn’t 
> work because of how Apache can interpret localhost and override what you 
> want.
>
> That is why I said you needed to use a proper host name with --server-name 
> and not use ‘localhost’. Did you try that?
>
> Repeating what I said:
>
> A better way of doing it is to change ‘--server-name localhost’ to:
>
> --server-name 127.0.0.1.xip.io
>
> Then access the site as:
>
> https://127.0.0.1.xip.io
>
> Also read other comment I said in original email.
>
> Graham
>
> On 18 Sep 2016, at 3:03 PM, peter hoth wrote:
>
> I did add the option --allow-localhost and I still get the 403 Forbidden 
> response from the server.
>
> mod_wsgi-express setup-server --user admin --group admin webapp.wsgi \
> --startup-log --access-log \
> --port=80 --server-root=/usr/local/webapp \
> --https-port 443 --https-only --allow-localhost --server-name localhost \
> --ssl-certificate /usr/local/webapp/sslcerts/domain
>
> I manually created a httpd.conf by plucking some lines from the created 
> httpd.conf and I managed to get the https://localhost to work.
>
>
> LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so
>
> LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
> LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
> :
> LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
> LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so
>
> Listen 443
> SSLSessionCache "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
> SSLSessionCacheTimeout 300
>
> User ${MOD_WSGI_USER}
> Group ${MOD_WSGI_GROUP}
>
> ServerName localhost
> ServerRoot '${MOD_WSGI_SERVER_ROOT}'
> PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'
>
> ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
> CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common
>
> 
> AllowOverride None
> Require all denied
> 
> 
> 
> ServerName 127.0.0.1
> 
> WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
> Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
> DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
> 
> Options None
> AllowOverride None
> Require all granted
> 
> 
>
> 
> ServerName 127.0.0.1
> 
> WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
> Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
> DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
> 
> Options None
> AllowOverride None
> Require all granted
> 
> 
> ## SSL
> SSLEngine On
> SSLCertificateFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
> SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"
>  
> 
>
> So I guess it's probably some commands in the mod_wsgi created httpd.conf 
> that is causing the "Forbidden" error. I will try to add more lines to see 
> what is causing the problem. One thing I noticed from the mod_wsgi created 
> httpd.conf is that there is the following block:
>
> :
> 
> WSGIRestrictEmbedded On
> WSGISocketPrefix /usr/local/webapp/wsgi
> 
> :
> 
> 
> WSGIDaemonProcess localhost:80 \
>    display-name='(wsgi:localhost:80:0)' \
>    home='/usr/local/webapp' \
>    threads=5 \
>    maximum-requests=0 \
>    python-path='' \
>    python-eggs='/usr/local/webapp/python-eggs' \
>    lang='en_US.UTF-8' \
>    locale='en_US.UTF-8' \
>    listen-backlog=100 \
>    queue-timeout=45 \
>    socket-timeout=60 \
>    connect-timeout=15 \
>    request-timeout=60 \
>    inactivity-timeout=0 \
>    startup-timeout=15 \
>    deadlock-timeout=60 \
>    graceful-timeout=15 \
>    eviction-timeout=0 \
>    shutdown-timeout=5 \
>    send-buffer-size=0 \
>    receive-buffer-size=0 \
>    response-buffer-size=0 \
>    server-metrics=Off
> 
> 
> :
>
> I am not sure how the DaemonProcess works in SSL but is this correct for 
> the DaemonProcess to listen to localhost:80 even though I specify 
> --https-only?
>
> Regards,
> Pete
>
>
> On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
>>
>> In general a HTTPS site should have a proper fully qualified domain name 
>> which matches what is in the certificate. You wouldn’t use ‘localhost’ for 
>> the server name.
>>
>> For a start, try adding the option:
>>
>> --allow-localhost
>>
>> Depending on the platform this still may not work though as I recollect 
>> that localhost and host access controls can work strangely on Apache with 
>> some operating systems.
>>
>> A better way of doing it is to change ‘--server-name localhost’ to:
>>
>> --server-name 127.0.0.1.xip.io
>>
>> Then access the site as:
>>
>> 

Re: [modwsgi] mod_wsgi-express SSL implementation error

2016-09-17 Thread Graham Dumpleton
If you read through the email I said that --allow-localhost likely wouldn’t work 
because of how Apache can interpret localhost and override what you want.

That is why I said you needed to use a proper host name with --server-name and 
not use ‘localhost’. Did you try that?

Repeating what I said:

A better way of doing it is to change ‘--server-name localhost’ to:

--server-name 127.0.0.1.xip.io

Then access the site as:

https://127.0.0.1.xip.io 

Also read other comment I said in original email.

Graham

> On 18 Sep 2016, at 3:03 PM, peter hoth wrote:
> 
> I did add the option --allow-localhost and I still get the 403 Forbidden 
> response from the server.
> 
> mod_wsgi-express setup-server --user admin --group admin webapp.wsgi \
> --startup-log --access-log \
> --port=80 --server-root=/usr/local/webapp \
> --https-port 443 --https-only --allow-localhost --server-name localhost \
> --ssl-certificate /usr/local/webapp/sslcerts/domain
> 
> I manually created a httpd.conf by plucking some lines from the created 
> httpd.conf and I managed to get the https://localhost to work.
> 
> 
> LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so
> 
> LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
> LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
> :
> LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
> LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so
> 
> Listen 443
> SSLSessionCache "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
> SSLSessionCacheTimeout 300
> 
> User ${MOD_WSGI_USER}
> Group ${MOD_WSGI_GROUP}
> 
> ServerName localhost
> ServerRoot '${MOD_WSGI_SERVER_ROOT}'
> PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'
> 
> ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
> CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common
> 
> 
> AllowOverride None
> Require all denied
> 
> 
> 
> ServerName 127.0.0.1
> 
> WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
> Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
> DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
> 
> Options None
> AllowOverride None
> Require all granted
> 
> 
> 
> 
> ServerName 127.0.0.1
> 
> WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
> Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
> DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
> 
> Options None
> AllowOverride None
> Require all granted
> 
> 
> ## SSL
> SSLEngine On
> SSLCertificateFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
> SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"
>  
> 
> 
> So I guess it's probably some commands in the mod_wsgi created httpd.conf 
> that is causing the "Forbidden" error. I will try to add more lines to see 
> what is causing the problem. One thing I noticed from the mod_wsgi created 
> httpd.conf is that there is the following block:
> 
> :
> 
> WSGIRestrictEmbedded On
> WSGISocketPrefix /usr/local/webapp/wsgi
> 
> :
> 
> 
> WSGIDaemonProcess localhost:80 \
>    display-name='(wsgi:localhost:80:0)' \
>    home='/usr/local/webapp' \
>    threads=5 \
>    maximum-requests=0 \
>    python-path='' \
>    python-eggs='/usr/local/webapp/python-eggs' \
>    lang='en_US.UTF-8' \
>    locale='en_US.UTF-8' \
>    listen-backlog=100 \
>    queue-timeout=45 \
>    socket-timeout=60 \
>    connect-timeout=15 \
>    request-timeout=60 \
>    inactivity-timeout=0 \
>    startup-timeout=15 \
>    deadlock-timeout=60 \
>    graceful-timeout=15 \
>    eviction-timeout=0 \
>    shutdown-timeout=5 \
>    send-buffer-size=0 \
>    receive-buffer-size=0 \
>    response-buffer-size=0 \
>    server-metrics=Off
> 
> 
> :
> 
> I am not sure how the DaemonProcess works in SSL but is this correct for the 
> DaemonProcess to listen to localhost:80 even though I specify --https-only?
> 
> Regards,
> Pete
> 
> 
> On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
> In general a HTTPS site should have a proper fully qualified domain name 
> which matches what is in the certificate. You wouldn’t use ‘localhost’ for 
> the server name.
> 
> For a start, try adding the option:
> 
> --allow-localhost
> 
> Depending on the platform this still may not work though as I recollect that 
> localhost and host access controls can work strangely on Apache with some 
> operating systems.
> 
> A better way of doing it is to change ‘--server-name localhost’ to:
> 
> --server-name 127.0.0.1.xip.io
> 
> Then access the site as:
> 
> https://127.0.0.1.xip.io 
> 
> This gets around the way that Apache or the operating system can treat 
> localhost in a special way.
> 
> 

Re: [modwsgi] mod_wsgi-express SSL implementation error

2016-09-17 Thread Graham Dumpleton
In general a HTTPS site should have a proper fully qualified domain name which 
matches what is in the certificate. You wouldn’t use ‘localhost’ for the server 
name.

For a start, try adding the option:

--allow-localhost

Depending on the platform this still may not work though as I recollect that 
localhost and host access controls can work strangely on Apache with some 
operating systems.

A better way of doing it is to change ‘--server-name localhost’ to:

--server-name 127.0.0.1.xip.io

Then access the site as:

https://127.0.0.1.xip.io 

This gets around the way that Apache or the operating system can treat 
localhost in a special way.

This requires external DNS access and some Intranets can even block xip.io.

In that case add an explicit entry into your /etc/hosts file for some fully 
qualified name, such as:

127.0.0.1 www.example.com

and use:

--server-name www.example.com

Graham

> On 17 Sep 2016, at 11:38 PM, peter hoth  wrote:
> 
> Hi, 
> 
> I managed to get my web app running with the following command:
> 
> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
> --startup-log --access-log --port=80 --server-root=/usr/local/mycloud
> 
> Next, I managed to generate my SSL cert and performed the following:
> 
> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
> --startup-log --access-log \
> --port=443 --server-root=/usr/local/mycloud \
> --https-port 443 --https-only --server-name localhost \
> --ssl-certificate /usr/local/mycloud/sslcerts/domain
> 
> The error_log shows that my app is actually running when the apache is 
> started (i.e. apachectl start)
> No errors in startup_log and access_log
> 
> However, when I pointed my browser to https://localhost it shows the 
> following error:
> 
> Forbidden
> You don't have permission to access / on this server.
> 
> The error_log has the following line:
> 
> [Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/
> 
> I did not use htdocs when I run the web app without SSL and it was working 
> fine. Do I need to add additional parameters to the mod_wsgi-express command 
> for SSL?
> 
> The generated certs are confirmed working.
> 
> === My environment:
> CentOS 6.8
> port 443 is enabled in firewall
> default apache service that comes with OS is disabled
> 
> python 2.7.12
> virtualenv 15.0.3
> pip freeze modules:
> :
> mod-wsgi-httpd=2.4.12.6
> mod-wsgi==4.5.7
> :
> 
> ===
> 
> Regards,
> Pete
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "modwsgi" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to modwsgi+unsubscr...@googlegroups.com.
> To post to this group, send email to modwsgi@googlegroups.com.
> Visit this group at https://groups.google.com/group/modwsgi.
> For more options, visit https://groups.google.com/d/optout.

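The advice in the reply above (a fully qualified --server-name that matches the certificate, with an /etc/hosts entry pointing it at 127.0.0.1) can be checked before running mod_wsgi-express. This is an added example, not code from the thread or from mod_wsgi; the function names, the sample hosts file and the sample certificate dictionary are constructed for illustration.

```python
import ipaddress
# Constructed sample data, not taken from the poster's machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
127.0.0.1   www.example.com   # the entry suggested in the reply
"""
# Same shape as the dict returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
def hosts_lookup(hosts_text, name):
    """Addresses that a hosts file maps `name` to (comments ignored)."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if len(fields) >= 2 and name.lower() in fields[1:]:
            found.append(fields[0])
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # malformed address field
        return False

def cert_dns_names(cert):
    """DNS subjectAltName entries; commonName only when there are none."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names or [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or '*' standing in for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    return p[0] == h[0] or (p[0] == "*" and len(p) > 2)

def preflight(server_name, hosts_text, cert):
    """Reasons `server_name` is a poor value for --server-name ([] if none)."""
    problems = []
    if "." not in server_name:
        problems.append("not a fully qualified host name")
    if not any(is_loopback(a) for a in hosts_lookup(hosts_text, server_name)):
        problems.append("no loopback entry in hosts file")
    if not any(name_matches(n, server_name) for n in cert_dns_names(cert)):
        problems.append("certificate does not cover this name")
    return problems
```

In real use the hosts text would be read from /etc/hosts and the certificate dictionary taken from a TLS connection to the server.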


[modwsgi] mod_wsgi-express SSL implementation error

2016-09-17 Thread peter hoth
Hi, 

I managed to get my web app running with the following command:

mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
--startup-log --access-log --port=80 --server-root=/usr/local/mycloud

Next, I managed to generate my SSL cert and performed the following:

mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi \
--startup-log --access-log \
--port=443 --server-root=/usr/local/mycloud \
--https-port 443 --https-only --server-name localhost \
--ssl-certificate /usr/local/mycloud/sslcerts/domain

The error_log shows that my app is actually running when the apache is 
started (i.e. apachectl start)
No errors in startup_log and access_log

However, when I pointed my browser to https://localhost it shows the 
following error:

Forbidden
You don't have permission to access / on this server.

The error_log has the following line:

[Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/

I did not use htdocs when I run the web app without SSL and it was working 
fine. Do I need to add additional parameters to the mod_wsgi-express 
command for SSL?

The generated certs are confirmed working.

=== My environment:
CentOS 6.8
port 443 is enabled in firewall
default apache service that comes with OS is disabled

python 2.7.12
virtualenv 15.0.3
pip freeze modules:
:
mod-wsgi-httpd=2.4.12.6
mod-wsgi==4.5.7
:

===

Regards,
Pete
