Mod_wsgi https错误连接被拒绝 [英] Mod_wsgi https Error Connection Refused
问题描述
我的团队正在开发REST API,以使用Django的REST框架支持iPhone应用程序.现在该是我们从通过开发WSGI接口进行托管过渡到mod_wsgi apache接口的时候了.我们已经决定使用mod_wsgi-httpd作为Apache实例.
My team is developing a REST API to support an iPhone app using Django's REST Framework. It has come time for us to switch from hosting via the development WSGI interface to the mod_wsgi apache interface. We've decided to use mod_wsgi-httpd as the Apache instance.
我们无法让mod_wsgi通过HTTPS托管.
我们在django应用程序设置文件(settings.py)中包含了mod_wsgi
We've included mod_wsgi in our django application settings file (settings.py)
INSTALLED_APPS = (
'sslserver',
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'mod_wsgi.server',
)
并且可以使用以下命令成功启动mod_wsgi服务器:
And can successfully launch the mod_wsgi server using this command:
python manage.py runmodwsgi --host 0.0.0.0 --port 8000 --https-port 8001 --ssl-certificate/path/to/cert/and/key
python manage.py runmodwsgi --host 0.0.0.0 --port 8000 --https-port 8001 --ssl-certificate /path/to/cert/and/key
HTTP服务器运行良好.我们所有仅HTTP的API方法都按预期进行侦听和响应.HTTPS端不合作.尝试访问仅HTTPS方法时,连接被拒绝.
The HTTP server works wonderfully. All of our HTTP only API methods listen and respond as expected. The HTTPS side is not cooperating. When attempting to access an HTTPS only method the connection is refused.
例如,当尝试使用Google Chrome浏览器连接到该方法时...
For example when attempting to connect to the method using Google Chrome...
https://ipaddress:8001/ldapauth/(ldapauth是HTTPS方法)
https://ipaddress:8001/ldapauth/ (ldapauth is an HTTPS method)
Chrome随即吐出...
Chrome spits back...
类似地,在客户端Swift中形成的请求也被拒绝了连接.
Similarly requests formed in client-side Swift have connections refused.
通常我认为这是一个更根本的问题,但是我们成功使用开发WSGI sslserver(也在项目的settings.py INSTALLED_APPS中)使我认为这是mod_wsgi或mod_wsgi-httpd的问题.使用此命令,我们可以通过成功的请求/响应通过SSL托管我们的API:
Normally I would think this is a more fundamental issue, however our success in using the development WSGI sslserver (also in project's settings.py INSTALLED_APPS) makes me think this is an issue with mod_wsgi or mod_wsgi-httpd. Using this command we can host our API over SSL with successful requests/responses:
python manage.py runtimeslserver 0.0.0.0:8001 --key/path/to/key --cert/path/to/cert
python manage.py runsslserver 0.0.0.0:8001 --key /path/to/key --cert /path/to/cert
任何想法在配置mod_wsgi或mod_wsgi-httpd时可能会错过什么?非常感谢您的帮助,请继续!
Any ideas what I could have missed in configuring mod_wsgi or mod_wsgi-httpd? Thanks so much for any help, go SO!
推荐答案
您需要指定-server-name 选项,以及使用https地址可访问的站点名称.该名称应与设置SSL证书时使用的名称相匹配.
You need to specify the --server-name option with the name of the site it is accessible as using the https address. This should match the name the SSL certificates have been set up with.
python manage.py runmodwsgi --host 0.0.0.0 --port 8000 --https-port 8001 --ssl-certificate /path/to/cert/and/key --server-name host.example.com
然后您将使用带有FQDN的URL对其进行访问:
You would then access it using the URL with the FQDN:
https://host.example.com:8001
如果希望能够从本地主机(同一系统)访问它而无需提供FQDN主机名,则可以使用-allow-localhost 选项.
If you want to be able to access it from localhost (same system) without needing to provide a FQDN host name, you would use the --allow-localhost option.
python manage.py runmodwsgi --host 0.0.0.0 --port 8000 --https-port 8001 --ssl-certificate /path/to/cert/and/key --server-name host.example.com --allow-localhost
对于后者,即使使用正式证书作为主机名,您也会收到浏览器警告,说明证书不匹配.对于wget和curl等命令行HTTP工具,在这种情况下,您必须告诉他们这是一个不安全的站点.
With the latter, even if using an official certificate for the hostname, you will get the browser warning about certificate not matching. For command line HTTP tools like wget and curl you would have to tell them it is an insecure site in these cases.
这是因为这违背了通常使用HTTPS和SSL证书的方式,仅出于测试目的才允许从本地主机访问除正确服务器名称以外的名称.
It is because it is going against how HTTPS and SSL certificates would normally be used, access by name other than the proper server name is only allowed from localhost for testing purposes.
简而言之,在使用HTTPS时,实际上应该在访问站点时始终使用正确的主机名而不是IP地址.如有必要,可以在系统的主机服务文件中创建虚拟主机映射.
In short, when using HTTPS, you should really always be using a proper host name and not an IP address when accessing the site. If necessary you can create a dummy host mapping in host service file for your system.
例如,在/etc/hosts 文件中,您可以添加:
For example, in a /etc/hosts file you could add:
127.0.0.1 host.example.com
有关更多信息,建议您使用mod_wsgi邮件列表.我不习惯在这里闲逛或在此处回答有关mod_wsgi的问题,而这个问题很偶然地引起了我的注意.
For further information it is recommended that you use the mod_wsgi mailing list. I don't as a habit hang out here or answer questions about mod_wsgi here any more and it was by chance this question came to my attention.
这篇关于Mod_wsgi https错误连接被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
