It works! I modified the /etc/hosts as you suggested.
Thanks Graham for your fast reply and help!

On Sunday, September 18, 2016 at 1:07:46 PM UTC+8, Graham Dumpleton wrote:
>
> If you read through the email I said that --allow-localhost likely wouldn’t work because of how Apache can interpret localhost and override what you want.
>
> That is why I said you needed to use a proper host name with --server-name and not use ‘localhost’. Did you try that?
>
> Repeating what I said:
>
> A better way of doing it is to change ‘--server-name localhost’ to:
>
> --server-name 127.0.0.1.xip.io
>
> Then access the site as:
>
> https://127.0.0.1.xip.io
>
> Also read other comment I said in original email.
>
> Graham
>
> On 18 Sep 2016, at 3:03 PM, peter hoth <hoth....@gmail.com> wrote:
>
> I did add the option --allow-localhost and i still get the 403 Forbidden response from the server.
>
> mod_wsgi-express setup-server --user admin --group admin webapp.wsgi --startup-log --access-log \
>   --port=80 --server-root=/usr/local/webapp \
>   --https-port 443 --https-only --allow-localhost --server-name localhost --ssl-certificate /usr/local/webapp/sslcerts/domain
>
> I manually created a httpd.conf by plucking some lines from the created httpd.conf and i managed to get the https://localhost to work.
>
> LoadModule wsgi_module ${MOD_WSGI_SERVER_ROOT}/lib/python2.7/site-packages/mod_wsgi/server/mod_wsgi-py27.so
>
> LoadModule version_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_version.so'
> LoadModule mpm_event_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_mpm_event.so'
> :
> LoadModule socache_shmcb_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_socache_shmcb.so
> LoadModule ssl_module ${MOD_WSGI_MODULES_DIRECTORY}/mod_ssl.so
>
> Listen 443
> SSLSessionCache "shmcb:${MOD_WSGI_SERVER_ROOT}/logs/ssl_scache(512000)"
> SSLSessionCacheTimeout 300
>
> User ${MOD_WSGI_USER}
> Group ${MOD_WSGI_GROUP}
>
> ServerName localhost
> ServerRoot '${MOD_WSGI_SERVER_ROOT}'
> PidFile '${MOD_WSGI_SERVER_ROOT}/httpd.pid'
>
> ErrorLog "${MOD_WSGI_SERVER_ROOT}/error_log"
> CustomLog "${MOD_WSGI_SERVER_ROOT}/access_log" common
>
> <Directory />
>     AllowOverride None
>     Require all denied
> </Directory>
>
> <VirtualHost *:80>
>     ServerName 127.0.0.1
>
>     WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
>     Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
>     DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
>     <Directory "${MOD_WSGI_SERVER_ROOT}">
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
> </VirtualHost>
>
> <virtualhost *:443>
>     ServerName 127.0.0.1
>
>     WSGIScriptAlias / "${MOD_WSGI_SERVER_ROOT}/webapp.wsgi"
>     Alias /static "${MOD_WSGI_SERVER_ROOT}/application/static"
>     DocumentRoot "${MOD_WSGI_SERVER_ROOT}"
>     <Directory "${MOD_WSGI_SERVER_ROOT}">
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
>
>     ## SSL
>     SSLEngine On
>     SSLCertificateFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.crt"
>     SSLCertificateKeyFile "${MOD_WSGI_SERVER_ROOT}/sslcerts/domain.key"
>
> </virtualhost>
>
> So i guess it's probably some commands in the mod_wsgi created httpd.conf that is causing the "Forbidden" error. I will try to add more lines to see what is causing the problem.
> One thing i noticed from the mod_wsgi created httpd.conf is that there is the following block:
>
> :
> <IfDefine !ONE_PROCESS>
> WSGIRestrictEmbedded On
> WSGISocketPrefix /usr/local/webapp/wsgi
> <IfDefine MOD_WSGI_MULTIPROCESS>
> :
> </IfDefine>
> <IfDefine !MOD_WSGI_MULTIPROCESS>
> WSGIDaemonProcess localhost:80 \
>     display-name='(wsgi:localhost:80:0)' \
>     home='/usr/local/webapp' \
>     threads=5 \
>     maximum-requests=0 \
>     python-path='' \
>     python-eggs='/usr/local/webapp/python-eggs' \
>     lang='en_US.UTF-8' \
>     locale='en_US.UTF-8' \
>     listen-backlog=100 \
>     queue-timeout=45 \
>     socket-timeout=60 \
>     connect-timeout=15 \
>     request-timeout=60 \
>     inactivity-timeout=0 \
>     startup-timeout=15 \
>     deadlock-timeout=60 \
>     graceful-timeout=15 \
>     eviction-timeout=0 \
>     shutdown-timeout=5 \
>     send-buffer-size=0 \
>     receive-buffer-size=0 \
>     response-buffer-size=0 \
>     server-metrics=Off
> </IfDefine>
> </IfDefine>
> :
>
> I am not sure how the DaemonProcess works in SSL but is this correct for the DaemonProcess to listen to localhost:80 even though i specify --https-only?
>
> Regards,
> Pete
>
>
> On Sunday, September 18, 2016 at 4:42:11 AM UTC+8, Graham Dumpleton wrote:
>>
>> In general a HTTPS site should have a proper fully qualified domain name which matches what is in the certificate. You wouldn’t use ‘localhost’ for the server name.
>>
>> For a start, try adding the option:
>>
>> --allow-localhost
>>
>> Depending on the platform this still may not work though as I recollect that localhost and host access controls can work strangely on Apache with some operating systems.
>>
>> A better way of doing it is to change ‘--server-name localhost’ to:
>>
>> --server-name 127.0.0.1.xip.io
>>
>> Then access the site as:
>>
>> https://127.0.0.1.xip.io
>>
>> This gets around the way that Apache or the operating system can treat localhost in a special way.
>>
>> This requires external DNS access and some Intranets can even block xip.io.
>>
>> In that case add an explicit entry into your /etc/hosts file for some fully qualified name, such as:
>>
>> 127.0.0.1 www.example.com
>>
>> and use:
>>
>> --server-name www.example.com
>>
>> Graham
>>
>> On 17 Sep 2016, at 11:38 PM, peter hoth <hoth....@gmail.com> wrote:
>>
>> Hi,
>>
>> I managed to get my web app running with the following command:
>>
>> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi --startup-log --access-log --port=80 --server-root=/usr/local/mycloud
>>
>> Next, I managed to generate my SSL cert and performed the following:
>>
>> mod_wsgi-express setup-server --user admin --group admin mycloud.wsgi --startup-log --access-log \
>>   --port=443 --server-root=/usr/local/mycloud \
>>   --https-port 443 --https-only --server-name localhost --ssl-certificate /usr/local/mycloud/sslcerts/domain
>>
>> The error_log shows that my app is actually running when the apache is started (i.e. apachectl start)
>> No errors in startup_log and access_log
>>
>> However, when i pointed my browser to https://localhost it shows the following error:
>>
>> Forbidden
>> You don't have permission to access / on this server.
>>
>> The error_log has the following line:
>>
>> [Sat Sep 17 21:34:46.119671 2016] [authz_core:error] [pid 6953:tid 139664394032896] [client 127.0.0.1:40492] AH01630: client denied by server configuration: /usr/local/armscloud/htdocs/
>>
>> I did not use htdocs when i run the web app without SSL and it was working fine. Do i need to add additional parameters to the mod_wsgi-express command for SSL?
>>
>> The generated certs are confirmed working.
>>
>> === My environment:
>> CentOS 6.8
>> port 443 is enabled in firewall
>> default apache service that comes with OS is disabled
>>
>> python 2.7.12
>> virtualenv 15.0.3
>> pip freeze modules:
>> :
>> mod-wsgi-httpd=2.4.12.6
>> mod-wsgi==4.5.7
>> :
>>
>> ===
>>
>> Regards,
>> Pete
>>
>> --
>> You received this message because you are subscribed to the Google Groups "modwsgi" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to modwsgi+u...@googlegroups.com.
>> To post to this group, send email to mod...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/modwsgi.
>> For more options, visit https://groups.google.com/d/optout.
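
An added example (not part of the thread and not mod_wsgi code): a pre-flight check for the /etc/hosts approach described above, confirming that the name passed to --server-name is a fully qualified name, maps to a loopback address in the hosts file, and is covered by the certificate. The function names, the sample hosts content and the list of certificate DNS names are assumptions; the names are expected to have been read from the certificate's subjectAltName beforehand.

```python
import ipaddress

# Constructed hosts-file content; the www.example.com line is the entry
# suggested in the thread, the rest is a typical default.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost
127.0.0.1   www.example.com
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def hosts_lookup(hosts_text, name):
    """Addresses that a hosts file maps `name` to (names compare case-insensitively)."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and name.lower() in [f.lower() for f in fields[1:]]:
            found.append(fields[0])
    return found

def cert_name_matches(pattern, name):
    """Compare one certificate DNS name with `name`; '*' may only be the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def check_server_name(name, hosts_text, cert_dns_names):
    """List the problems with using `name` as --server-name for local HTTPS testing."""
    problems = []
    if is_ip(name) or "." not in name:
        problems.append("not a fully qualified host name")
    addrs = hosts_lookup(hosts_text, name)
    if not addrs:
        problems.append("no hosts-file entry")
    elif not all(is_ip(a) and ipaddress.ip_address(a).is_loopback for a in addrs):
        problems.append("hosts-file entry is not a loopback address")
    if not any(cert_name_matches(p, name) for p in cert_dns_names):
        problems.append("certificate does not cover this name")
    return problems
```

An empty list means the name is usable for the /etc/hosts route; a name resolved through external DNS, such as the xip.io form, will report no hosts-file entry by design.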