I have been trying to add force https for login with apache directives to no avail. Ideally, I would have a redirect, rather than simply "access denied" (not fair to expect a user to know to try https and type it in manually like we all do for admin and appadmin). I guess I don't get regexp or apache.
Note that for Apache config on Ubuntu, symlinks are used to access the virtual hosts for ports 80 and 443, so each is in a separate file instead of one big httpd.conf file. I can't get Apache to load and the error suggests that the AliasMatch directives are either in the wrong place or are expressed incorrectly. If someone has a recipe/slice for this, that would be great. You could skip the remaining, gory details...!

Here are the port 80 (http) directives I tried using RewriteRules:

    <VirtualHost *:80>
      ServerAdmin m...@me.org
      Alias /Test /var/www/Test
      WSGIScriptAlias /myapp "/usr/local/www/wsgi-scripts/myapp/myapp.wsgi"
      <Directory "/usr/local/www/wsgi-scripts/myapp">
        AllowOverride None
        Order allow,deny
        Allow from all
      </Directory>
      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule ^/?(.*)/user/(.*) https://%{SERVER_NAME}/user/$1 [R,L]

      #routing for web2py

      WSGIDaemonProcess web2py user=www-data group=www-data
      WSGIProcessGroup web2py
      WSGIScriptAlias / /var/web2py/wsgihandler.py
      <Directory /var/web2py>
        AllowOverride None
        Order Allow,Deny
        Deny from all
        <Files wsgihandler.py>
          Allow from all
        </Files>
      </Directory>
      #aliases to pages that must be visible outside of web2py
      AliasMatch ^/([^/]+)/static/(.*) \
        /var/web2py/applications/$1/static/$2
      <Directory /var/web2py/applications/*/static/>
        Options -Indexes
        Order Allow,Deny
        Allow from all
      </Directory>
      <Location /admin>
        Deny from all
      </Location>
      <LocationMatch ^/([^/]+)/appadmin>
        Deny from all
      </LocationMatch>

Here are the port 443 (https:) directives:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
      ServerAdmin m...@me.org
      # DocumentRoot /var/www # I never understood this part!
      # <Directory />
      #   Options FollowSymLinks
      #   AllowOverride None
      # </Directory>
      # <Directory /var/www/>
      #   Options Indexes FollowSymLinks MultiViews
      #   AllowOverride None
      #   Order allow,deny
      #   allow from all
      # </Directory>
      ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
      <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
      </Directory>
      Alias /phppgadmin /usr/share/phppgadmin
      <Directory /usr/share/phppgadmin>
        AllowOverride None
        Order Allow,Deny
        Allow from all
      </Directory>

      Alias /phpmyadmin /usr/share/phpmyadmin
      <Directory /usr/share/phpmyadmin>
        AllowOverride None
        Order Allow,Deny
        Allow from all
      </Directory>

      # routings for web2py admin interface via ssl only (port 443)
      WSGIProcessGroup web2py
      WSGIScriptAlias / /var/web2py/wsgihandler.py
      <Directory /var/web2py>
        AllowOverride None
        Order Allow,Deny
        Deny from all
        <Files wsgihandler.py>
          Allow from all
        </Files>
      </Directory>
      AliasMatch ^/([^/]+)/static/(.*) \
        /var/web2py/applications/$1/static/$2
      <Directory /var/web2py/applications/*/static/>
        Options -Indexes
        ExpiresActive On
        ExpiresDefault "access plus 1 hour"
        Order Allow,Deny
        Allow from all
      </Directory>

      # other settings

      ErrorLog ${APACHE_LOG_DIR}/error.log
      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel warn
      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
      Alias /doc/ "/usr/share/doc/"
      <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
      </Directory>
      # SSL Engine Switch:
      # Enable/Disable SSL for this virtual host.
      SSLEngine on
      # A self-signed (snakeoil) certificate can be created by installing
      # the ssl-cert package. See
      # /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
      # If both key and certificate are stored in the same file, only the
      # SSLCertificateFile directive is needed.
      SSLCertificateFile /etc/apache2/ssl/apache.pem
      SSLCertificateKeyFile /etc/apache2/ssl/apache.key

Here is the Apache log (error on last line):

    [Wed May 16 08:05:22 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed May 16 08:05:22 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed May 16 08:05:22 2012] [warn] mod_wsgi: Compiled for Python/2.7.2rc1.
    [Wed May 16 08:05:22 2012] [warn] mod_wsgi: Runtime using Python/2.7.2+.
    [Wed May 16 08:05:22 2012] [notice] Apache/2.2.20 (Ubuntu) PHP/5.3.6-13ubuntu3.3 with Suhosin-Patch mod_ssl/2.2.20 OpenSSL/1.0.0e mod_wsgi/3.3 Python/2.7.2+ configured -- resuming normal operations
    [Wed May 16 08:12:57 2012] [notice] caught SIGTERM, shutting down
    [Wed May 16 08:12:58 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed May 16 08:12:58 2012] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed May 16 08:12:58 2012] [warn] mod_wsgi: Compiled for Python/2.7.2rc1.
    [Wed May 16 08:12:58 2012] [warn] mod_wsgi: Runtime using Python/2.7.2+.
    [Wed May 16 08:12:58 2012] [notice] Apache/2.2.20 (Ubuntu) PHP/5.3.6-13ubuntu3.3 with Suhosin-Patch mod_ssl/2.2.20 OpenSSL/1.0.0e mod_wsgi/3.3 Python/2.7.2+ configured -- resuming normal operations
    [Wed May 16 08:13:48 2012] [error] [client 76.104.195.84] File does not exist: /var/web2py/applications/pyjokes/static/css/images, referer: http://www.lewcl.com/pyjokes

It would be great to have a recipe for this as everyone should do it. Note that I also tried to do it with RedirectMatch but I never got that to work either.

Thanks,
Lewis

(BTW, I gave up on Cherokee/uwsgi if you saw that post. Simply not worth the time.
I only wanted to do that because I thought it might be simpler to implement ssl for auth. But, it was just a step into its very own (unnecessary) morass of twisty, dark config passages. Better to stick with the tried and true.)
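
Added example, not part of the original post: a small Python emulation of how mod_rewrite evaluates the RewriteRule quoted in the port 80 block, showing which HTTPS URL it yields for a login request next to a revised pattern. Assumptions: web2py login URLs have the form /<app>/default/user/<action>, `www.example.org` is a placeholder host, and `REVISED` is a hypothetical rule, not a tested fix for the load error described above.

```python
import re

def apply_rule(pattern, substitution, path, host="www.example.org"):
    """Emulate one RewriteRule for a plain-HTTP request (RewriteCond %{HTTPS} !=on holds).

    Returns the redirect target, or None when the pattern does not match.
    mod_rewrite matches the URL path only; the query string is carried over separately.
    """
    m = re.search(pattern, path)
    if m is None:
        return None
    target = substitution.replace("%{SERVER_NAME}", host)
    # $N in the substitution refers to the Nth capture group of the pattern.
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", target)

# Rule exactly as quoted in the post.
POSTED = (r"^/?(.*)/user/(.*)", "https://%{SERVER_NAME}/user/$1")
# Hypothetical revision (assumption): capture the whole path once and reuse it unchanged,
# so the application and controller prefix and the action both survive the redirect.
REVISED = (r"^/?((?:.*/)?user(?:/.*)?)$", "https://%{SERVER_NAME}/$1")

# Constructed request paths; "pyjokes" is the application name seen in the log above.
SAMPLE_PATHS = [
    "/pyjokes/default/user/login",
    "/pyjokes/default/user",
    "/pyjokes/default/index",
    "/pyjokes/default/users_list",
    "/pyjokes/static/css/images",
]

def compare(paths=SAMPLE_PATHS):
    """Map each path to (target under POSTED, target under REVISED)."""
    return {p: (apply_rule(*POSTED, p), apply_rule(*REVISED, p)) for p in paths}

if __name__ == "__main__":
    for path, (posted, revised) in compare().items():
        print(f"{path}\n  posted : {posted}\n  revised: {revised}")
```

The posted substitution reuses `$1`, the text before `/user/`, so the login action is dropped and the application prefix ends up after `/user/`; paths that merely contain `user` as part of a longer segment are left on HTTP by the revised pattern.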