It seems that I need to have an authenticator of some sort tied into WSGI
before it will expose the cert to the script, so I tried:
::: auth.wsgi :::
# from the manual
import typing
import utility  # poster's own helper module; not used in this stub
def check_password(environ: dict, user: str, password: str) -> bool:
    # mod_wsgi passes the per-request WSGI environ as the first argument;
    # there is no Flask 'request' object in an auth script
    err = environ['wsgi.errors']
    # debug stub: log the supplied credentials and accept everyone
    print('user: "{0:s}"\npassword: "{1:s}"\n'.format(user, password), file=err)
    return True
And in my ssl.conf file, I’ve changed it to:
...
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess enrollment threads=5
WSGIScriptAlias /enrollment /var/www/scripts/enrollment.wsgi
<Directory enrollment>
WSGIProcessGroup enrollment
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
# added this next stanza
AuthType Basic
AuthName "Top Secret"
AuthBasicProvider wsgi
WSGIAuthUserScript /var/www/scripts/auth.wsgi
Require valid-user
SSLRequireSSL
SSLOptions +StrictRequire
SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
SSLVerifyClient require
SSLVerifyDepth 5
</Directory>
...
But I see no sign of my auth.wsgi script being run, and indeed there’s still no
SSL_* stuff in request.environ other than SSL_TLS_SNI being present.
My ssl_error_log shows:
[Wed Jul 28 06:21:10.426835 2021] [ssl:info] [pid 28768] [client
174.27.8.12:56267] AH01964: Connection to child 1 established (server ...:443)
[Wed Jul 28 06:21:10.427084 2021] [ssl:debug] [pid 28768]
ssl_engine_kernel.c(2404): [client 174.27.8.12:56267] AH02044: No matching SSL
virtual host for servername ... found (using default/first virtual host)
[Wed Jul 28 06:21:10.427121 2021] [core:debug] [pid 28768] protocol.c(2349):
[client 174.27.8.12:56267] AH03155: select protocol from h2,h2c,http/1.1,
choices=http/1.1 for server ...
[Wed Jul 28 06:21:10.427128 2021] [core:debug] [pid 28768] protocol.c(2394):
[client 174.27.8.12:56267] AH03156: select protocol, proposals=http/1.1
preferences=h2,h2c,http/1.1 configured=h2,h2c,http/1.1
[Wed Jul 28 06:21:10.427131 2021] [core:debug] [pid 28768] protocol.c(2412):
[client 174.27.8.12:56267] AH03157: selected protocol=http/1.1
[Wed Jul 28 06:21:10.516433 2021] [socache_shmcb:debug] [pid 28768]
mod_socache_shmcb.c(510): AH00831: socache_shmcb_store (0x76 -> subcache 22)
[Wed Jul 28 06:21:10.516487 2021] [socache_shmcb:debug] [pid 28768]
mod_socache_shmcb.c(864): AH00847: insert happened at idx=0, data=(0:32)
[Wed Jul 28 06:21:10.516490 2021] [socache_shmcb:debug] [pid 28768]
mod_socache_shmcb.c(869): AH00848: finished insert, subcache:
idx_pos/idx_used=0/1, data_pos/data_used=0/206
[Wed Jul 28 06:21:10.516493 2021] [socache_shmcb:debug] [pid 28768]
mod_socache_shmcb.c(531): AH00834: leaving socache_shmcb_store successfully
[Wed Jul 28 06:21:10.516505 2021] [ssl:debug] [pid 28768]
ssl_engine_kernel.c(2257): [client 174.27.8.12:56267] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Wed Jul 28 06:21:10.594782 2021] [ssl:debug] [pid 28768]
ssl_engine_kernel.c(422): [client 174.27.8.12:56267] AH02034: Initial (No.1)
HTTPS request received for child 1 (server ...:443)
[Wed Jul 28 06:21:10.594893 2021] [authz_core:debug] [pid 28768]
mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result
of Require all granted: granted
[Wed Jul 28 06:21:10.594898 2021] [authz_core:debug] [pid 28768]
mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result
of <RequireAny>: granted
[Wed Jul 28 06:21:10.594970 2021] [authz_core:debug] [pid 28768]
mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result
of Require all granted: granted
[Wed Jul 28 06:21:10.594973 2021] [authz_core:debug] [pid 28768]
mod_authz_core.c(818): [client 174.27.8.12:56267] AH01626: authorization result
of <RequireAny>: granted
[Wed Jul 28 06:21:10.595054 2021] [:info] [pid 28768] [client
174.27.8.12:56267] mod_wsgi (pid=28768, process='', application=''): Loading
WSGI script '/var/www/scripts/enrollment.wsgi'.
It’s probably something insanely trivial, but I’ve been staring at this for a
day and a half now and I can’t figure it out.
Any assistance is really appreciated.
Thanks,
-Philip
> On Jul 27, 2021, at 12:01 AM, Graham Dumpleton <[email protected]>
> wrote:
>
> They are not passed as environment variables to the process. They are passed
> in the WSGI environ dictionary.
>
> So don't use os.environ if that is what you are doing, you need to access
> them from the Flask request environ.
>
> https://flask.palletsprojects.com/en/2.0.x/api/?highlight=environ#flask.Request.environ
>
> Graham
>
>> On 27 Jul 2021, at 3:19 pm, 'Philip Prindeville' via modwsgi
>> <[email protected]> wrote:
>>
>> Hi,
>>
>> I’m using mod_wsgi 3.4, Python 3.7, Apache 2.4.48, and Flask 2.0.1 in my
>> production environment.
>>
>> This is on Amazon Linux 2.
>>
>> I’m trying to figure out why the various SSL_* environment variables aren’t
>> present when my script runs, even though I have:
>>
>> SSLOptions +StdEnvVars -FakeBasicAuth +ExportCertData +StrictRequire
>> …
>> SSLVerifyClient require
>> SSLVerifyDepth 5
>> …
>>
>> Looking at the sources, the configure.ac file looks pretty trivial, so I
>> don’t think it was built by Amazon with anything disabled.
>>
>> I’m trying to do authentication based on both Apache’s built-in certificate
>> verification but also on the subject DN as an identity and attribute/value
>> pairs.
>>
>> I couldn’t find any documentation on mod_ssl integration or debugging
>> issues, other than mod_ssl needed to be loaded by mod_wsgi, which is the
>> case in Amazon Linux 2.
>>
>> Can you please point me to any documentation about using SSL with mod_wsgi?
>>
>> Thanks,
>>
>> -Philip
>>
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "modwsgi" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/modwsgi/90FF96C3-B45F-4F61-9901-A5B97B1B35AF%40truepic.com.
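As an added example (not code from the thread or from mod_wsgi), this shows the point in Graham's reply, that the mod_ssl variables arrive in the per-request WSGI environ rather than in os.environ, together with the WSGIAuthUserScript hook from auth.wsgi: a check_password that accepts a user only when the verified certificate CN matches, and a WSGI application that refuses requests without a verified certificate. The environ dictionary and DN values are constructed placeholders; the SSL_* keys exist only when SSLOptions +StdEnvVars actually applies to the request.

```python
from typing import Dict, Optional

# Constructed sample of the per-request environ mod_wsgi hands to the app
# once mod_ssl's StdEnvVars/ExportCertData apply (all values are made up).
SAMPLE_ENVIRON: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/enrollment",
    "SSL_TLS_SNI": "example.test",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=device-001,OU=Enrollment,O=Example",
    "SSL_CLIENT_S_DN_CN": "device-001",
    "SSL_CLIENT_S_DN_OU": "Enrollment",
}

def client_identity(environ: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the subject-DN attributes if mod_ssl verified the client cert.

    mod_ssl sets SSL_CLIENT_VERIFY to "NONE" when no cert was presented and
    to "SUCCESS" only when the chain validated; anything else, including a
    missing key (the thread's symptom), is treated as unauthenticated.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    prefix = "SSL_CLIENT_S_DN_"  # one key per DN component, e.g. ..._CN
    attrs = {k[len(prefix):]: v for k, v in environ.items() if k.startswith(prefix)}
    return attrs if "CN" in attrs else None

def check_password(environ: Dict[str, str], user: str, password: str) -> Optional[bool]:
    """WSGIAuthUserScript hook with mod_wsgi's documented signature.

    The Basic password is ignored; the user is accepted only if the verified
    certificate CN equals the supplied username. None tells mod_wsgi the
    user is unknown, False that the credentials are wrong.
    """
    ident = client_identity(environ)
    if ident is None:
        return None
    return ident["CN"] == user

def application(environ, start_response):
    """Minimal WSGI app: 403 unless a verified client certificate is present."""
    ident = client_identity(environ)
    if ident is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {ident['CN']} from {ident.get('OU', '?')}\n".encode()]
```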