Hi,

I asked this on modwsgi@xxxxxxxxxxxxxxxx but didn't hear back.

The documentation with modwsgi only references Apache 1.3, 2.0, and 2.2 authentication. I need to get this up and running quickly, but I can't figure out why the authentication isn't happening. See the configuration information below (it's mod_wsgi 3.4 on Amazon Linux 2, Apache 2.4.48, and Python 3.7, etc).

Also not sure why authentication needs to be enabled via scripting in order to export certificate data to the modwsgi script... seems to be orthogonal in some cases. I might, for instance, want Apache to do the certificate verification, but have a portal where users can connect and have their certificate revoked (if they're done with it), or renewed (if they need a new validity window and serial #), etc. In that case, the script isn't performing authentication but it *does* need to see the certificate data.

It's probably something simple but I've been staring at this too long and can't see the forest for the trees at this point.

I've slightly redacted my original posting below for clarity.

Any hints appreciated.

Thanks,

-Philip

> Begin forwarded message:
>
> From: Philip Prindeville <philip@xxxxxxxxxxx>
> Subject: Re: [modwsgi] mod_wsgi 3.4 issues
> Date: July 28, 2021 at 12:56:29 AM MDT
> To: modwsgi@xxxxxxxxxxxxxxxx
>
> It seems that I need to have an authenticator of some sort tied into WSGI before it will export the cert into the script, so I tried:
>
> ::: auth.wsgi :::
>
>     # from the manual
>
>     import typing
>     import utility
>
>     def check_password(environ: dict, user: str, password: str) -> bool:
>         # the error stream is taken from the environ mod_wsgi passes in
>         err = environ['wsgi.errors']
>         print('user: "{0:s}"\npassword: "{1:s}"\n'.format(user, password), file=err)
>
>         return True
>
> And into my ssl.conf file, I've changed it (added to the end) to:
>
>     ...
>     WSGIApplicationGroup %{GLOBAL}
>
>     WSGIDaemonProcess enrollment threads=5
>     WSGIScriptAlias /enrollment /var/www/scripts/enrollment.wsgi
>     <Directory enrollment>
>         WSGIProcessGroup enrollment
>         WSGIApplicationGroup %{GLOBAL}
>         Order deny,allow
>         Allow from all
>
>         # added this next stanza
>         AuthType Basic
>         AuthName "Top Secret"
>         AuthBasicProvider wsgi
>         WSGIAuthUserScript /var/www/scripts/auth.wsgi
>         Require valid-user
>
>         SSLRequireSSL
>         SSLOptions +StrictRequire
>
>         SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
>
>         SSLVerifyClient require
>         SSLVerifyDepth 5
>     </Directory>
>     </VirtualHost>
>
> But I see no sign of my auth.wsgi script being run, and indeed there's still no SSL_* stuff in request.environ other than SSL_TLS_SNI being present.
>
> My ssl_error_log shows:
>
>     [Wed Jul 28 06:21:10.426835 2021] [ssl:info] [pid 28768] [client 174.27.8.12:56267] AH01964: Connection to child 1 established (server ...:443)
>     [Wed Jul 28 06:21:10.427084 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(2404): [client 174.27.8.12:56267] AH02044: No matching SSL virtual host for servername ... found (using default/first virtual host)
>     [Wed Jul 28 06:21:10.427121 2021] [core:debug] [pid 28768] protocol.c(2349): [client 174.27.8.12:56267] AH03155: select protocol from h2,h2c,http/1.1, choices=http/1.1 for server ...
>     [Wed Jul 28 06:21:10.427128 2021] [core:debug] [pid 28768] protocol.c(2394): [client 174.27.8.12:56267] AH03156: select protocol, proposals=http/1.1 preferences=h2,h2c,http/1.1 configured=h2,h2c,http/1.1
>     [Wed Jul 28 06:21:10.427131 2021] [core:debug] [pid 28768] protocol.c(2412): [client 174.27.8.12:56267] AH03157: selected protocol=http/1.1
>     [Wed Jul 28 06:21:10.516433 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(510): AH00831: socache_shmcb_store (0x76 -> subcache 22)
>     [Wed Jul 28 06:21:10.516487 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(864): AH00847: insert happened at idx=0, data=(0:32)
>     [Wed Jul 28 06:21:10.516490 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(869): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/206
>     [Wed Jul 28 06:21:10.516493 2021] [socache_shmcb:debug] [pid 28768] mod_socache_shmcb.c(531): AH00834: leaving socache_shmcb_store successfully
>     [Wed Jul 28 06:21:10.516505 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(2257): [client 174.27.8.12:56267] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>     [Wed Jul 28 06:21:10.594782 2021] [ssl:debug] [pid 28768] ssl_engine_kernel.c(422): [client 174.27.8.12:56267] AH02034: Initial (No.1) HTTPS request received for child 1 (server ...:443)
>     [Wed Jul 28 06:21:10.594893 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of Require all granted: granted
>     [Wed Jul 28 06:21:10.594898 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of <RequireAny>: granted
>     [Wed Jul 28 06:21:10.594970 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of Require all granted: granted
>     [Wed Jul 28 06:21:10.594973 2021] [authz_core:debug] [pid 28768] mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result of <RequireAny>: granted
>     [Wed Jul 28 06:21:10.595054 2021] [:info] [pid 28768] [client 174.27.8.12:56267] mod_wsgi (pid=28768, process='', application=''): Loading WSGI script '/var/www/scripts/enrollment.wsgi'.
>
> It's probably something insanely trivial, but I've been staring at this for a day and a half now and I can't figure it out.
>
> Any assistance is really appreciated.
>
> Thanks,
>
> -Philip
>
>> On Jul 27, 2021, at 12:01 AM, Graham Dumpleton <Graham.Dumpleton@xxxxxxxxx> wrote:
>>
>> They are not passed as environment variables to the process. They are passed in the WSGI environ dictionary.
>>
>> So don't use os.environ if that is what you are doing, you need to access them from the Flask request environ.
>>
>> https://flask.palletsprojects.com/en/2.0.x/api/?highlight=environ#flask.Request.environ
>>
>> Graham
>>
>>> On 27 Jul 2021, at 3:19 pm, 'Philip Prindeville' via modwsgi <modwsgi@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi,
>>>
>>> I'm using mod_wsgi 3.4, Python 3.7, Apache 2.4.48, and Flask 2.0.1 in my production environment.
>>>
>>> This is on Amazon Linux 2.
>>>
>>> I'm trying to figure out why the various SSL_* environment variables aren't present when my script runs, even though I have:
>>>
>>>     SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
>>>     ...
>>>     SSLVerifyClient require
>>>     SSLVerifyDepth 5
>>>     ...
>>>
>>> Looking at the sources, the configure.ac file looks pretty trivial, so I don't think it was built by Amazon with anything disabled.
>>>
>>> I'm trying to do authentication based on both Apache's built-in certificate verification but also on the subject DN as an identity and attribute/value pairs.
>>>
>>> I couldn't find any documentation on mod_ssl integration or debugging issues, other than mod_ssl needed to be loaded by mod_wsgi, which is the case in Amazon Linux 2.
>>>
>>> Can you please point me to any documentation about using SSL with mod_wsgi?
>>>
>>> Thanks,
>>>
>>> -Philip
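An added example (not code from this thread) of reading the mod_ssl client-certificate data the way Graham describes, from the WSGI environ rather than os.environ, and turning the subject DN into the identity and attribute/value pairs the original post asks for; Flask's request.environ is the same dictionary, so the helpers apply unchanged there. The RFC 2253 style DN format, the constructed sample environ and the helper names are assumptions.

```python
"""Plain WSGI example: verify and extract client-certificate data exported by mod_ssl."""
from typing import Dict, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a DN such as 'CN=Alice,O=Example,C=US' into attribute/value pairs.
    Assumes the RFC 2253 style string Apache 2.4 exports in SSL_CLIENT_S_DN, with
    backslash escapes for literal commas.  (mod_ssl also exports each component
    separately, e.g. SSL_CLIENT_S_DN_CN, when +StdEnvVars is set.)"""
    attrs: Dict[str, str] = {}
    key, buf, escaped = "", [], False
    for ch in dn:
        if escaped:                      # character following a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not key:      # first '=' ends the attribute name
            key, buf = "".join(buf).strip(), []
        elif ch == ",":                  # unescaped comma ends the pair
            attrs[key] = "".join(buf)
            key, buf = "", []
        else:
            buf.append(ch)
    if key:
        attrs[key] = "".join(buf)
    return attrs


def client_identity(environ: dict) -> Optional[Dict[str, str]]:
    """Return the verified client's DN attributes plus certificate serial, or None
    when Apache did not successfully verify a client certificate for the request."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":   # NONE / FAILED:... are rejected
        return None
    dn = environ.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    ident = parse_dn(dn)
    ident["serial"] = environ.get("SSL_CLIENT_M_SERIAL", "")
    return ident


def application(environ, start_response):
    """Minimal WSGI app: refuse requests that carry no verified client certificate."""
    ident = client_identity(environ)
    if ident is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "hello %s (serial %s)\n" % (ident.get("CN", "?"), ident["serial"])
    return [body.encode()]


# Constructed sample environ, shaped like what mod_ssl populates with +StdEnvVars.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Philip,OU=Eng,O=Example\\, Inc.,C=US",
    "SSL_CLIENT_M_SERIAL": "0A1B",
}
```

A check worth making against the ssl_error_log above: only `Require all granted` is ever evaluated, so the `Require valid-user` block is not being applied to the request; `<Directory>` matches a filesystem path, so the block would need to name the script's directory (`/var/www/scripts`) or be a `<Location /enrollment>` block for its directives, the SSLOptions included, to take effect.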