Astra Linux 1.6
mod_wsgi 4.5
python 3.5
ALD
Apache config:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName server.domain.name
DocumentRoot /var/www/html/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
WSGIDaemonProcess app python-path=/home/administrator/Work/PycharmProjects/FapRosgvard/:/home/administrator/Work/PycharmProjects/FapRosgvard/venv/lib/python3.5/site-packages
WSGIProcessGroup app
WSGIScriptAlias / /home/administrator/Work/PycharmProjects/FapRosgvard/fap_wsgi.wsgi
<Directory /home/administrator/Work/PycharmProjects/FapRosgvard/>
AuthType Kerberos
KrbAuthRealms ASTRA.NTC
KrbServiceName HTTP/q.astra.ntc
Krb5Keytab /etc/apache2/keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
RequestHeader set MYMACLABEL "%m:%c"
KrbSaveCredentials on
#AddHandler cgi-script .py
Options +ExecCGI
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
When a user tries to log in, there is a Permission denied error, because the socket is created as www-data with group root.
If I set the socket permissions to 777, the problem goes away, but only until Apache is restarted.
The solution suggested here did not help at all: https://old.lab50.net/questions/question/apache-%d1%81-wsgi-%d0%bf%d0%be%d0%b4-ald/
I have been fighting this error for a very long time. After removing WSGIDaemonProcess, Apache started failing with a 500 error, and the cause does not show up anywhere in the logs. I also set WSGIPythonPath and lowered the permissions on all of the administrator's folders and files with chmod 777. I tried rebuilding mod_wsgi with the line #define MTM_ITK; nothing solves the problem. For now I am using a workaround: after restarting the server I allow access to the socket for everyone. But that is not a proper solution. How do I get Apache to work together with mod_wsgi on Astra?
The behaviour is the same with the package downloaded from the Astra repository and with the one built from source; at the moment the repository version is installed.
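The permission failure described in the question can be located without opening the socket to everyone. The following is an added example, not code from the original post: it reports which path component denies a given uid the right to connect to a UNIX socket. It assumes classic permission bits only (ACLs and Astra's mandatory labels are not modelled); the socket name and the second uid are constructed.

```python
import os
import socket
import stat
import tempfile


def _allowed(st, uid, gids, want):
    """Classic UNIX DAC: owner bits, else group bits, else other bits."""
    if uid == 0:  # root bypasses permission bits
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want


def connect_blocker(sock_path, uid, gids):
    """Return the first path component blocking connect() for uid, else None.
    Needs x on every parent directory and w on the socket itself."""
    path = os.path.abspath(sock_path)
    parents, cur = [], os.path.dirname(path)
    while cur not in parents:
        parents.append(cur)
        cur = os.path.dirname(cur)
    for d in reversed(parents):
        if not _allowed(os.stat(d), uid, gids, 1):
            return d
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("not a UNIX socket: " + path)
    return None if _allowed(st, uid, gids, 2) else path


def demo():
    """Constructed case: the current user stands in for www-data."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        path = os.path.join(d, "wsgi.sock")  # hypothetical socket name
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(path)
            os.chmod(path, 0o700)
            owner = os.stat(path).st_uid
            switched = owner + 1  # hypothetical uid of the Kerberos user
            mine = os.getgroups() + [os.getgid()]
            return (connect_blocker(path, owner, mine),
                    connect_blocker(path, switched, []))
```

On a real host, pass the mod_wsgi daemon socket path and the uid and groups of the user the Apache worker runs as; a non-None result names the directory or socket whose ownership or mode is the obstacle.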
2 answers
[Thu Nov 28 14:40:01.611403 2019] [mpm_prefork:notice] [pid 948] AH00163: Apache/2.4.25 (AstraLinuxSE) mod_auth_kerb/5.4 mod_wsgi/4.5.11 Python/3.5 configured — resuming normal operations
[Thu Nov 28 14:40:01.686712 2019] [core:notice] [pid 948] AH00094: Command line: ‘/usr/sbin/apache2’
[Thu Nov 28 14:41:57.772222 2019] [mpm_prefork:notice] [pid 948] AH00169: caught SIGTERM, shutting down
[Thu Nov 28 14:41:57.850639 2019] [mpm_prefork:notice] [pid 1400] AH00163: Apache/2.4.25 (AstraLinuxSE) mod_auth_kerb/5.4 mod_wsgi/4.5.11 Python/3.5 configured — resuming normal operations
[Thu Nov 28 14:41:57.852012 2019] [core:notice] [pid 1400] AH00094: Command line: ‘/usr/sbin/apache2′
[Thu Nov 28 14:42:22.463160 2019] [core:debug] [pid 1404] request.c(290): astra_mode — set process caps, unshare
[Thu Nov 28 14:42:22.463423 2019] [core:debug] [pid 1404] request.c(401): astra_mode — disable without auth
[Thu Nov 28 14:42:22.463446 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(2155): [client 192.168.122.69:37290] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 28 14:42:22.494081 2019] [core:debug] [pid 1404] request.c(290): astra_mode — set process caps, unshare
[Thu Nov 28 14:42:22.494140 2019] [core:debug] [pid 1404] request.c(401): astra_mode — disable without auth
[Thu Nov 28 14:42:22.494151 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(2155): [client 192.168.122.69:37290] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 28 14:42:22.494172 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(1483): [client 192.168.122.69:37290] Acquiring creds for HTTP/q.astra.ntc
[Thu Nov 28 14:42:22.495312 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(1906): [client 192.168.122.69:37290] Verifying client data using KRB5 GSS-API
[Thu Nov 28 14:42:22.495857 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(1922): [client 192.168.122.69:37290] Client delegated us their credential
[Thu Nov 28 14:42:22.495872 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(1941): [client 192.168.122.69:37290] GSS-API token of length 22 bytes will be sent back
[Thu Nov 28 14:42:22.499159 2019] [authz_core:debug] [pid 1404] mod_authz_core.c(809): [client 192.168.122.69:37290] AH01626: authorization result of Require valid-user : granted
[Thu Nov 28 14:42:22.499187 2019] [authz_core:debug] [pid 1404] mod_authz_core.c(809): [client 192.168.122.69:37290] AH01626: authorization result of <RequireAny>: granted
[Thu Nov 28 14:42:22.499247 2019] [core:debug] [pid 1404] core.c(4678): astra_mode — core_switch_user
[Thu Nov 28 14:42:22.512084 2019] [core:debug] [pid 1404] config.c(442): astra_mode — get user name
[Thu Nov 28 14:42:22.512150 2019] [core:debug] [pid 1404] request.c(290): astra_mode — set process caps, unshare
[Thu Nov 28 14:42:22.512160 2019] [core:debug] [pid 1404] request.c(401): astra_mode — disable without auth
[Thu Nov 28 14:42:22.512167 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(2155): [client 192.168.122.69:37290] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 28 14:42:22.512180 2019] [auth_kerb:debug] [pid 1404] src/mod_auth_kerb.c(2093): [client 192.168.122.69:37290] matched previous auth request
[Thu Nov 28 14:42:22.512187 2019] [authz_core:debug] [pid 1404] mod_authz_core.c(809): [client 192.168.122.69:37290] AH01626: authorization result of Require valid-user : granted
[Thu Nov 28 14:42:22.512191 2019] [authz_core:debug] [pid 1404] mod_authz_core.c(809): [client 192.168.122.69:37290] AH01626: authorization result of <RequireAny>: granted
[Thu Nov 28 14:42:22.512208 2019] [core:debug] [pid 1404] core.c(4678): astra_mode — core_switch_user
[Thu Nov 28 14:42:22.552398 2019] [wsgi:info] [pid 1404] [client 192.168.122.69:37290] mod_wsgi (pid=1404, process=», application=’server.domain.name|’): Loading WSGI script ‘/home/administrator/Work/PycharmProjects/FapRosgvard/fap_wsgi.wsgi’.
[Thu Nov 28 14:42:23.317293 2019] [wsgi:debug] [pid 1404] src/server/mod_wsgi.c(2348): [client 192.168.122.69:37290] mod_wsgi (pid=1404): Client closed connection.
[Thu Nov 28 14:42:23.417155 2019] [core:debug] [pid 1401] request.c(290): astra_mode — set process caps, unshare
[Thu Nov 28 14:42:23.417473 2019] [core:debug] [pid 1401] request.c(401): astra_mode — disable without auth
[Thu Nov 28 14:42:23.417502 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(2155): [client 192.168.122.69:37294] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 28 14:42:23.429282 2019] [core:debug] [pid 1401] request.c(290): astra_mode — set process caps, unshare
[Thu Nov 28 14:42:23.429344 2019] [core:debug] [pid 1401] request.c(401): astra_mode — disable without auth
[Thu Nov 28 14:42:23.429355 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(2155): [client 192.168.122.69:37294] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 28 14:42:23.429379 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(1483): [client 192.168.122.69:37294] Acquiring creds for HTTP/q.astra.ntc
[Thu Nov 28 14:42:23.430064 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(1906): [client 192.168.122.69:37294] Verifying client data using KRB5 GSS-API
[Thu Nov 28 14:42:23.430696 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(1922): [client 192.168.122.69:37294] Client delegated us their credential
[Thu Nov 28 14:42:23.430714 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(1941): [client 192.168.122.69:37294] GSS-API token of length 22 bytes will be sent back
[Thu Nov 28 14:42:23.435052 2019] [authz_core:debug] [pid 1401] mod_authz_core.c(809): [client 192.168.122.69:37294] AH01626: authorization result of Require valid-user : granted
[Thu Nov 28 14:42:23.435071 2019] [authz_core:debug] [pid 1401] mod_authz_core.c(809): [client 192.168.122.69:37294] AH01626: authorization result of <RequireAny>: granted
[Thu Nov 28 14:42:23.435132 2019] [core:debug] [pid 1401] core.c(4678): astra_mode — core_switch_user
[Thu Nov 28 14:42:23.439925 2019] [core:debug] [pid 1401] config.c(442): astra_mode — get user name
[Thu Nov 28 14:42:23.439997 2019] [core:debug] [pid 1401] request.c(290): astra_mode — set process caps, unshare
[Thu Nov 28 14:42:23.440008 2019] [core:debug] [pid 1401] request.c(401): astra_mode — disable without auth
[Thu Nov 28 14:42:23.440015 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(2155): [client 192.168.122.69:37294] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Nov 28 14:42:23.440037 2019] [auth_kerb:debug] [pid 1401] src/mod_auth_kerb.c(2093): [client 192.168.122.69:37294] matched previous auth request
[Thu Nov 28 14:42:23.440044 2019] [authz_core:debug] [pid 1401] mod_authz_core.c(809): [client 192.168.122.69:37294] AH01626: authorization result of Require valid-user : granted
[Thu Nov 28 14:42:23.440049 2019] [authz_core:debug] [pid 1401] mod_authz_core.c(809): [client 192.168.122.69:37294] AH01626: authorization result of <RequireAny>: granted
[Thu Nov 28 14:42:23.440066 2019] [core:debug] [pid 1401] core.c(4678): astra_mode — core_switch_user
[Thu Nov 28 14:42:23.477622 2019] [wsgi:info] [pid 1401] [client 192.168.122.69:37294] mod_wsgi (pid=1401, process=», application=’server.domain.name|’): Loading WSGI script ‘/home/administrator/Work/PycharmProjects/FapRosgvard/fap_wsgi.wsgi’.
[Thu Nov 28 14:42:23.892456 2019] [wsgi:debug] [pid 1401] src/server/mod_wsgi.c(2348): [client 192.168.122.69:37294] mod_wsgi (pid=1401): Client closed connection.
Logs at DEBUG level
We recommend using the system mod_wsgi
Remove WSGIDaemonProcess
Remove WSGIProcessGroup app
And you can simply use <Directory />:
<Directory />
AuthType Kerberos
Krb5Keytab XXX
KrbServiceName YYY
KrbMethodNegotiate on
KrbMethodK5Passwd off
Require valid-user
AllowOverride None
Order allow,deny
Allow from all
Require all granted
</Directory>
Is mod_wsgi the system one?