Hi :)
I am having trouble with web2py behind Apache with multiple SSL
virtualhosts, each serving a different web2py application and encrypted with
a different letsencrypt SSL key. All are served from the same IP address. I
have only one web2py instance in my setup.
If I set up up to 3 VirtualHosts (serving 3 applications), it works. But as
soon as I add more applications to my setup, all HTTPS requests end up in
SSL_ERROR_RX_RECORD_TOO_LONG.
Versions: Web2py 2.16.1, Apache 2.4.10, libapache2-mod-wsgi 4.3.0-1 (Debian
Jessie)
My config follows; to make it concise I removed the portions dealing with
static files, logging etc. which are not related to the problem:
<Macro Web2PySSL $domain>
    <VirtualHost *:80>
        ServerName $domain
        WSGIDaemonProcess $domain user=www-data group=www-data display-name=%{GROUP}
        WSGIScriptAlias / /opt/web2py/wsgihandler.py
        WSGIProcessGroup $domain
        <Location /admin>
            Require all denied
        </Location>
        <LocationMatch ^/([^/]+)/appadmin>
            Require all denied
        </LocationMatch>
        <Directory /opt/web2py>
            AllowOverride None
            Require all denied
            <Files wsgihandler.py>
                Require all granted
            </Files>
        </Directory>
    </VirtualHost>
    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/letsencrypt/$domain/fullchain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/letsencrypt/$domain/privkey.pem
        ServerName $domain
        WSGIScriptAlias / /opt/web2py/wsgihandler.py
        WSGIProcessGroup $domain
        WSGIPassAuthorization On
        <Directory /opt/web2py>
            AllowOverride None
            Require all denied
            <Files wsgihandler.py>
                Require all granted
            </Files>
        </Directory>
    </VirtualHost>
</Macro>
And one-liners in sites-enabled:
Use Web2PySSL www.domain1.com
Use Web2PySSL www.domain2.com
Use Web2PySSL www.domain3.com
...
SSL certificates are symlinked to /etc/apache2/ssl/letsencrypt.
routes.py:
routers = dict(
    BASE=dict(
        domains={
            # one entry per ServerName; the value is the web2py application name
            'www.domain1.com': 'domain1',
            'www.domain2.com': 'domain2',
            'www.domain3.com': 'domain3',
            # ...
        }
    ),
)
I made several experiments to help identify the cause.
1) Instead of domain-specific letsencrypt certificates I tried one
self-signed certificate for all domains. It increased the number of
applications which work in my scenario from 3 to 5, but as soon as I add
one more, it starts failing again. I think the main difference of the
self-signed certificate in the context of the error is that it does not
have any chain.
2) In order to find out whether it is a problem with Apache, I tried to set up
plain Apache virtualhosts with SSL support. It works. There are no problems
with SSL at all, regardless of the number of virtualhosts.
<Macro testSSL $domain>
    <VirtualHost *:80>
        ServerName $domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    <VirtualHost *:443>
        ServerName $domain
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/letsencrypt/$domain/fullchain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/letsencrypt/$domain/privkey.pem
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</Macro>
And:
Use testSSL www.domain1.com
Use testSSL www.domain2.com
Use testSSL www.domain3.com
...
3) In order to find out whether it is a problem with mod_wsgi, I tried the
following. Again, no problems. Both HTTP and HTTPS are working well.
Simple WSGI handler in /var/www/wsgi/test.wsgi:
def application(environ, start_response):
    # Minimal WSGI app, used only to check that mod_wsgi itself works behind the SSL vhosts.
    status = '200 OK'
    output = b'Just testing...'  # bytes, so the body is valid under both Python 2 and Python 3 mod_wsgi
    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)
    return [output]
And related config:
<Macro testSSLWSGI $domain>
    <VirtualHost *:80>
        ServerName $domain
        WSGIDaemonProcess $domain user=www-data group=www-data display-name=%{GROUP}
        WSGIScriptAlias / /var/www/wsgi/test.wsgi
        WSGIProcessGroup $domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    <VirtualHost *:443>
        ServerName $domain
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/letsencrypt/$domain/fullchain.pem
        SSLCertificateKeyFile /etc/apache2/ssl/letsencrypt/$domain/privkey.pem
        WSGIScriptAlias / /var/www/wsgi/test.wsgi
        WSGIProcessGroup $domain
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</Macro>
And:
Use testSSLWSGI www.domain1.com
Use testSSLWSGI www.domain2.com
Use testSSLWSGI www.domain3.com
...
So, my conclusion is that the problem indeed has something to do with
web2py. But I am not sure what to try as a next step. :(
Thank you very much for any idea!
with regards
David
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
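A diagnostic to go with the post above, added here as an example and not code from the original message or from the web2py project. SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when the first bytes it receives on port 443 do not parse as a TLS record, most commonly because the server answered in plaintext HTTP on the SSL port. The script below builds a real ClientHello with the requested SNI name through the standard library's MemoryBIO interface, sends it over a plain socket, and classifies the server's first bytes, so each ServerName can be checked separately and a "plaintext-http" answer is told apart from a certificate problem. The domain list is a placeholder assumption standing in for the real ServerNames from the "Use" lines; `classify_first_bytes`, `client_hello_bytes` and `probe` are names chosen for this example.

```python
"""Probe HTTPS virtual hosts and tell a TLS reply apart from a plaintext one.

Added diagnostic example; not code from the original post or from web2py.
"""
import socket
import ssl
from typing import Optional

# Placeholder host list (assumption: stands in for the real ServerNames).
DOMAINS = ["www.domain1.com", "www.domain2.com", "www.domain3.com"]

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server returns after our ClientHello.

    A TLS record starts with a content-type byte followed by the version
    bytes 0x03 0x0X. A reply that starts with "HTTP/" means the port answered
    in plaintext, which is what Firefox surfaces as SSL_ERROR_RX_RECORD_TOO_LONG.
    """
    if len(data) < 3:
        return "empty-or-closed"
    if data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def client_hello_bytes(sni: str) -> bytes:
    """Build a genuine ClientHello carrying `sni` using only the stdlib.

    The handshake is driven through MemoryBIOs so the raw bytes can be sent
    over a plain socket and the server's raw reply inspected before OpenSSL
    turns it into an opaque error.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: we want to see what is
    ctx.verify_mode = ssl.CERT_NONE  # served, not enforce trust here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written and OpenSSL waits for a reply
    return outgoing.read()


def probe(host: str, port: int = 443, sni: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Connect, send a ClientHello for `sni` (default: host) and classify the reply."""
    sni = sni or host
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes(sni))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_first_bytes(reply)


if __name__ == "__main__":
    for domain in DOMAINS:
        try:
            print(f"{domain}: {probe(domain)}")
        except OSError as exc:
            print(f"{domain}: connect-failed ({exc})")
```

Run it from a host that can reach the server and compare the result per ServerName: "tls" for the names that work and "plaintext-http" for the ones that fail would confirm that the 443 side is answering those names without TLS, which narrows the search to the vhost that ends up handling them; the SNI name is sent in the clear in the ClientHello, so it can also be set independently of the connect address to test a name before its DNS points at the box.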