Moving deployed TurboGears website from HTTP to HTTPS under Apache on Ubuntu 13.10


I have a TurboGears (either v2.2.1 or v2.3.1) website up and running on HTTP under Apache. The HTTP website works fine but I am trying to move it to HTTPS and am hitting a wall. I have two .conf files and tried copying the configuration block from the running HTTP configuration to the HTTPS configuration.

The Apache setup is as follows:

/etc/apache2/sites-enabled/000-default.conf -> /etc/sites-available/000-default.conf
/etc/apache2/sites-enabled/default-ssl.conf -> /etc/sites-available/default-ssl.conf

My configuration with the website working on HTTP is:

/etc/apache2/sites-available/000-default.conf:

WSGIPythonHome /usr/local/pythonenv/BASELINE
WSGIPythonPath /usr/local/pythonenv/myapp/lib/python2.7/site-packages

<VirtualHost *:80>
ServerAdmin [email protected]
ServerName myhost.mydomain.com
DocumentRoot /var/www
<Directory />
    ...
</Directory>
<Directory /var/www/>
    ...
</Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    ...
</Directory>

    # Start website configuration

    Alias /myapp/img /usr/local/turbogears/myapp/myapp/public/img
    Alias /myapp/css /usr/local/turbogears/myapp/myapp/public/css
    Alias /myapp/javascript /usr/local/turbogears/myapp/myapp/public/javascript

    WSGIDaemonProcess myapp threads=10 processes=3
    WSGIProcessGroup myapp
    WSGIScriptAlias /myapp /usr/local/turbogears/myapp/apache/myapp.wsgi

    # Directory Permissions.
    <Directory /usr/local/turbogears/myapp/apache>
        Order deny,allow    
        allow from ...
        deny from all
    </Directory>
    # End website configuration

... #more entries for Trac and Doxygen websites
</VirtualHost>

/etc/apache2/sites-available/default-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
SSLEngine On
DocumentRoot /var/www/ssl

    # THIS IS WHERE I TRY CUT/PASTING THE CONFIGURATION BLOCK FROM THE HTTP WEBSITE

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>
            BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

ports.conf:

Listen 80    
<IfModule mod_ssl.c>
    Listen 443
</IfModule>    
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
SSLCertificateFile /admin/webcerts/mycert.cer
SSLCertificateKeyFile /admin/webcerts/myprivate.key

In apache2.conf:

...
Include mods-enabled/*.load
Include mods-enabled/*.conf
Include ports.conf
Include sites-enabled/
Include /etc/phpmyadmin/apache.conf
LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-4.0.5/libout/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/1.9.1/gems/passenger-4.0.5
PassengerDefaultRuby /usr/bin/ruby1.9.1
...

To deploy the website on HTTPS, I moved the website configuration block from 000-default.conf to default-ssl.conf and restarted Apache, but I get a 404 error:

Not Found
The requested URL /myapp was not found on this server.

I have tried moving the global WSGIPythonHome and WSGIPythonPath directives into default-ssl.conf in case that file was read first (it should not be as far as I know) but that did not help. The log files do not contain any useful information that I can see.

I have little Apache experience, but from other SO threads, there seem to be some things that changed with Ubuntu 13. For example, the DocumentRoot directive in default-ssl.conf does not work for me, which may be important. Adding a global value for DocumentRoot in /etc/apache2/apache2.conf does work, but the problem is that it is global.

The 404 page on port 443 lists these as the modules that Apache has loaded:

Apache/2.4.6 (Ubuntu)
PHP/5.5.3-1ubuntu2
mod_python/3.3.1
Python/2.7.5+
OpenSSL/1.0.1e
mod_wsgi/3.4
Phusion_Passenger/4.0.5

Any help would be appreciated while I still have some hair left!


There are 1 answers

billyshaneguy On

The (annoying) solution for me was to change

<VirtualHost *:443>

to

<VirtualHost _default_:443>

This worked at first but failed later. What seemed to st

<VirtualHost servers.main.ip.address:443>

One factor may be that the server has four network interfaces.

To get to this solution, I first noticed that the SSL access logs in /var/log/apache2 were empty, suggesting that the SSL site was not even being served. I then tried running the SSL site on 127.0.0.1 and testing locally, which worked - it did complain about the SSL certificate since that was created with a DNS entry. Some more searching led me to the solution above. If this is not a good solution, please let me know; however, it seems to work fine for me.
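
Added example, not part of the question or the answer: the fix above turns on which `<VirtualHost>` block Apache selects for the local address a connection arrives on, and `apache2ctl -S` dumps that mapping. This shell function reads such a dump and reports the default block for a given local IP and port, applying Apache's rule that an exact address match takes precedence over `*`. The sample dump, `other.conf`, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `apache2ctl -S` output (not taken from the page).
# other.conf and 192.0.2.10 are hypothetical; the layout is the usual 2.4 one.
sample_vhost_dump() {
cat <<'EOF'
VirtualHost configuration:
192.0.2.10:443         other.example (/etc/apache2/sites-enabled/other.conf:1)
*:80                   myhost.mydomain.com (/etc/apache2/sites-enabled/000-default.conf:4)
*:443                  is a NameVirtualHost
         default server myhost.mydomain.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost myhost.mydomain.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
EOF
}

# vhost_for IP PORT
# Reads an `apache2ctl -S` dump on stdin and prints "ADDR:PORT (file:line)" for
# the <VirtualHost> block httpd uses by default for a connection accepted on
# local address IP and PORT. An exact address match wins; "*" (or "_default_")
# is only considered when no exact match exists.
vhost_for() {
  awk -v ip="$1" -v port="$2" '
    $1 ~ /:[0-9*]+$/ {                 # entry header, e.g. "*:443" or "192.0.2.10:443"
      spec = $1
      p = spec;    sub(/.*:/, "", p)        # text after the last colon = port
      addr = spec; sub(/:[^:]*$/, "", addr) # text before it = address
      if (p != port && p != "*") next
      where = $NF                           # "(file:line)" on a single-vhost entry
      if ($2 == "is") {                     # "is a NameVirtualHost": default is on next line
        if ((getline) <= 0) next
        where = $NF
      }
      if (addr == ip) exact = spec " " where
      else if ((addr == "*" || addr == "_default_") && wild == "") wild = spec " " where
    }
    END {
      if (exact != "")     print exact
      else if (wild != "") print wild
      else { print "no vhost for " ip ":" port; exit 1 }
    }'
}

# On a live server: apache2ctl -S 2>&1 | vhost_for <local-ip> 443
sample_vhost_dump | vhost_for 192.0.2.10 443    # the explicit-IP vhost, not *:443
sample_vhost_dump | vhost_for 198.51.100.7 443  # falls back to *:443
```

If the block reported for the server's address is not the one holding the WSGI directives, requests for /myapp never reach that configuration, and its access log stays empty.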