It strikes me that:

SSL_TLS_SNI=…
SERVER_PORT=443

Are set, but:

mod_wsgi.is_https
mod_wsgi.var_lookup

Are not.  According to:

https://modwsgi.readthedocs.io/en/master/release-notes/version-3.4.html#new-features


11. Access, authentication and authorisation hooks now have additional keys in 
the environ dictionary for ‘mod_ssl.is_https’ and ‘mod_ssl.var_lookup’. These 
equate to callable functions provided by mod_ssl for determining if the client 
connection to Apache used SSL and what the values of variables specified in the 
SSL certificates, server or client, are. These are only available if Apache 2.0 
or later is being used.


these should be present but aren’t.  Looking through the SRPM, 
mod_wsgi.var_lookup can get added here:

static PyObject *Adapter_environ(AdapterObject *self)

But that’s #if 0’d out.

static PyObject *Dispatch_environ(DispatchObject *self, const char *group)

Also #if 0’d out.

static PyObject *Auth_environ(AuthObject *self, const char *group)

Gated by "#if AP_SERVER_MAJORVERSION_NUMBER >= 2" but that should be true.

Auth_environ() only seems to get called if a “check_password” function is in the 
calling script, which I don’t understand.  It might be the case that we want to 
use the client cert for something other than authentication (but maybe for 
identification and logging).


What is required in 3.4 to be able to access SSL_CLIENT_CERT, etc?

Thanks,

-Philip



> On Jul 27, 2021, at 10:54 AM, Philip Prindeville <[email protected]> wrote:
> 
> Hi,
> 
> I’m doing that, but I’m only seeing:
> 
> UNIQUE_ID=YP9xAZOmSQReVqTcpfpviwAAAAA
> SSL_TLS_SNI=...
> GATEWAY_INTERFACE=CGI/1.1
> SERVER_PROTOCOL=HTTP/1.1
> REQUEST_METHOD=POST
> QUERY_STRING=
> REQUEST_URI=/enrollment/requestEnrollment
> SCRIPT_NAME=/enrollment
> PATH_INFO=/requestEnrollment
> PATH_TRANSLATED=/var/www/html/requestEnrollment
> HTTP_HOST=...
> HTTP_ACCEPT_ENCODING=identity
> CONTENT_LENGTH=2182
> CONTENT_TYPE=multipart/form-data; boundary=45462e42764e55dee1dcc972b3e274b5
> HTTP_USER_AGENT=python-urllib3/1.26.4
> SERVER_SIGNATURE=
> SERVER_SOFTWARE=Apache/2.4.48 () OpenSSL/1.0.2k-fips mod_wsgi/3.4 
> Python/3.7.10
> SERVER_NAME=...
> SERVER_ADDR=...
> SERVER_PORT=443
> REMOTE_ADDR=...
> DOCUMENT_ROOT=/var/www/html
> REQUEST_SCHEME=https
> CONTEXT_PREFIX=
> CONTEXT_DOCUMENT_ROOT=/var/www/html
> SERVER_ADMIN=root@localhost
> SCRIPT_FILENAME=/var/www/scripts/enrollment.wsgi
> REMOTE_PORT=54857
> mod_wsgi.process_group=
> mod_wsgi.application_group=
> mod_wsgi.callable_object=application
> mod_wsgi.request_handler=wsgi-script
> mod_wsgi.handler_script=
> mod_wsgi.script_reloading=1
> mod_wsgi.listener_host=
> mod_wsgi.listener_port=443
> mod_wsgi.input_chunked=0
> mod_wsgi.enable_sendfile=0
> mod_wsgi.queue_start=1627353345662030
> wsgi.version=(1, 0)
> wsgi.multithread=False
> wsgi.multiprocess=True
> wsgi.run_once=False
> wsgi.url_scheme=https
> wsgi.errors=<_io.TextIOWrapper encoding='utf-8'>
> wsgi.input=<mod_wsgi.Input object at 0x7f4bc43e5770>
> wsgi.file_wrapper=<built-in method file_wrapper of mod_wsgi.Adapter object at 
> 0x7f4bb03ad2b0>
> mod_wsgi.version=(3, 4)
> werkzeug.request=<Request 'https://.../enrollment/requestEnrollment' [POST]>
> 
> 
> So the +ExportCertData doesn’t seem to be doing anything.
> 
> What am I missing?
> 
> -Philip
> 
> 
> 
>> On Jul 27, 2021, at 12:01 AM, Graham Dumpleton <[email protected]> 
>> wrote:
>> 
>> They are not passed as environment variables to the process. They are passed 
>> in the WSGI environ dictionary.
>> 
>> So don't use os.environ if that is what you are doing, you need to access 
>> them from the Flask request environ.
>> 
>> https://flask.palletsprojects.com/en/2.0.x/api/?highlight=environ#flask.Request.environ
>> 
>> Graham
>> 
>>> On 27 Jul 2021, at 3:19 pm, 'Philip Prindeville' via modwsgi 
>>> <[email protected]> wrote:
>>> 
>>> Hi,
>>> 
>>> I’m using mod_wsgi 3.4, Python 3.7, Apache 2.4.48, and Flask 2.0.1 in my 
>>> production environment.
>>> 
>>> This is on Amazon Linux 2.
>>> 
>>> I’m trying to figure out why the various SSL_* environment variables aren’t 
>>> present when my script runs, even though I have:
>>> 
>>> SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
>>> …
>>> SSLVerifyClient require
>>> SSLVerifyDepth 5
>>> …
>>> 
>>> Looking at the sources, the configure.ac file looks pretty trivial, so I 
>>> don’t think it was built by Amazon with anything disabled.
>>> 
>>> I’m trying to do authentication based on both Apache’s built-in certificate 
>>> verification but also on the subject DN as an identity and attribute/value 
>>> pairs.
>>> 
>>> I couldn’t find any documentation on mod_ssl integration or debugging 
>>> issues, other than mod_ssl needed to be loaded by mod_wsgi, which is the 
>>> case in Amazon Linux 2.
>>> 
>>> Can you please point me to any documentation about using SSL with mod_wsgi?
>>> 
>>> Thanks,
>>> 
>>> -Philip
>>> 
>>> 
>>> 
>>> -- 
>>> You received this message because you are subscribed to the Google Groups 
>>> "modwsgi" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>> email to [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/modwsgi/90FF96C3-B45F-4F61-9901-A5B97B1B35AF%40truepic.com.
>> 
>> 
> 

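As an added example (not code from this thread, and not mod_wsgi's, mod_ssl's or Flask's own code), here is a plain WSGI application that does what Graham describes: it reads the mod_ssl variables from the WSGI environ rather than os.environ, refuses a request unless Apache reports SSL_CLIENT_VERIFY=SUCCESS, and parses SSL_CLIENT_S_DN into attribute/value pairs so the subject DN can be used for identification and logging. When the mod_ssl.var_lookup and mod_ssl.is_https callables named in the 3.4 release notes are present it uses them as a fallback; their signatures (var_lookup(name) returning the value or None, is_https() taking no arguments) are assumptions, as is the constructed sample environ. The app is framework-free so it runs without Flask; under Flask the same dictionary is request.environ.

```python
"""Read mod_ssl client-certificate data from the WSGI environ, not os.environ."""
from typing import Optional


def _is_https(environ: dict) -> bool:
    """Prefer the mod_ssl.is_https callable when mod_wsgi supplies it;
    otherwise fall back to wsgi.url_scheme. Assumed signature: is_https()."""
    is_https = environ.get("mod_ssl.is_https")
    if callable(is_https):
        return bool(is_https())
    return environ.get("wsgi.url_scheme") == "https"


def _ssl_var(environ: dict, name: str) -> Optional[str]:
    """Look up a mod_ssl variable: first as a key exported into the environ by
    SSLOptions +StdEnvVars / +ExportCertData, then via the mod_ssl.var_lookup
    callable if present. Assumed signature: var_lookup(name) -> str or None."""
    value = environ.get(name)
    if value:
        return value
    lookup = environ.get("mod_ssl.var_lookup")
    if callable(lookup):
        return lookup(name)
    return None


def _split(s: str, sep: str) -> list:
    """Split on sep while honouring backslash escapes (e.g. 'Smith\\, John')."""
    parts, buf, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p]


def parse_dn(dn: str) -> dict:
    """Parse a subject DN in either form mod_ssl emits: the RFC 2253 style
    'CN=a,OU=b,O=c' (Apache 2.4 default) or the legacy '/C=c/O=o/CN=a' form
    (LegacyDNStringFormat on). For repeated attributes the first value wins."""
    pairs = _split(dn[1:], "/") if dn.startswith("/") else _split(dn, ",")
    attrs = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        attrs.setdefault(key.strip(), value.strip())
    return attrs


def client_identity(environ: dict) -> Optional[dict]:
    """Return the verified client's DN attributes, or None when the request
    must be refused: not TLS, certificate not verified by Apache, or no DN.
    SSLVerifyClient require already rejects unverified clients at the Apache
    layer; checking SSL_CLIENT_VERIFY here is defence in depth against a
    vhost where that directive was relaxed."""
    if not _is_https(environ):
        return None
    if _ssl_var(environ, "SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = _ssl_var(environ, "SSL_CLIENT_S_DN")
    if not dn:
        return None
    return parse_dn(dn)


def application(environ, start_response):
    """Minimal WSGI entry point: 403 without a verified client cert, else 200."""
    ident = client_identity(environ)
    if ident is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    body = ("hello %s\n" % ident.get("CN", "?")).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


# Constructed sample environ mirroring what mod_wsgi passes for a verified
# client on a vhost with SSLOptions +StdEnvVars +ExportCertData (values made up).
SAMPLE_ENVIRON = {
    "wsgi.url_scheme": "https",
    "SERVER_PORT": "443",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=device-0001,OU=Enrollment,O=Example Corp,C=US",
    "SSL_CLIENT_CERT": "CONSTRUCTED-PEM-PLACEHOLDER",
}


def call(environ: dict):
    """Drive the app with a throwaway start_response; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(call(SAMPLE_ENVIRON))   # verified client -> 200 OK
    print(call({}))               # plain HTTP, no cert -> 403 Forbidden
```

The point of `_ssl_var` is the one Graham makes: the `SSL_*` names are keys of the per-request environ, so `os.environ.get("SSL_CLIENT_S_DN")` in the daemon process is always `None`, while `environ["SSL_CLIENT_S_DN"]` (or `request.environ[...]` in Flask) holds the exported value.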