Apologies for the top-post in advance.
So, I am still catching up to this and I don’t very well understand apache2 config, so I’ll try to briefly describe what the setup should be and perhaps it can be translated into apache2 config. Since this thread is mostly about Web stuff, I am not going to talk about mail setup, but replacing web server with mta and appropriate port changes are the only major differences in mail setup.
Postorius (using Django library/web framework) speaks WSGI and can be run using a WSGI Server. There are multiple options for choosing a WSGI server like uwsgi, gunicorn etc. There are also some common web server plugins like mod_wsgi, which are essentially WSGI servers implemented as Apache2 plugin.
Web server reverse proxies the WSGI server which runs Postorius/Hyperkitty. You want WSGI Server to be configured to listen on either a socket or a port and then also configure web server to reverse proxy the socket or port.
*Ideally* you want to terminate TLS/SSL at the web server level and proxy the HTTP request to the local WSGI server. You don’t need to do anything special for Mailman for SSL if you do this, just follow the regular Web server documentation for SSL for any domains you are supporting in Mailman.
If you don’t want to terminate TLS at web server and instead want it down to the last step, WSGI server itself, then the setup is something we don’t have any docs for at the moment but if you go to the respective WSGI server’s docs, I think you’ll find some.
uwsgi is a WSGI server implementation, but it is a lot more than that, resulting in a bit more complicated configuration and issues, even though it is stable. The documentation for it exists, but it can be hard to parse if you don’t know a lot about WSGI stuff.
A few notable things about uWSGI that Mailman documentation uses are, (1) Ability to manage a daemon process like systemd and (2) ability to speak a new custom protocol called uWSGI with Web Server instead of HTTP that most other WSGI servers use to talk to Web Servers.
(1): This is specified as a part of the “attach-daemon” configuration in the uwsgi.ini file. For Mailman, we use
# Setup the django_q related worker processes.
attach-daemon = /opt/mailman/venv/bin/mailman-web qcluster
Which will essentially start the mailman-web qcluster command, which starts a daemon, and manage that daemon. Putting it in the uWSGI makes it easy to manage the lifecycle of this and the WSGI server together. If you were using something else like gunicorn, this would be a separate systemd service which you’d start/stop along with mailman-web.
(2): This is *probably* what is causing the issue for you from what I can gather in this thread, but I am not sure. Web Server <—> uWSGI communication can be either HTTP or (named exactly the same as the package name itself, which causes confusion I suppose) uWSGI protocol. Depending on how you configure uWSGI, you want to update your web server configuration to talk the same protocol.
uwsgi-socket = /run/mailman3-web/uwsgi.sock
or
uwsgi-socket = 0.0.0.0:8000
is the config to talk uwsgi protocol and you want to configure Web server to Proxy using the same protocol. You can find that in the uwsgi docs here: https://uwsgi-docs.readthedocs.io/en/latest/Apache.html You probably need an apache module to speak uwsgi, the docs should have the details.
Notice the URL is uwsgi:// instead of http://.
The other way is to configure uWSGI to speak HTTP, which can be done by replacing "uwsgi-socket" by "http-socket" in the uwsgi.ini configuration. This might be the easiest for you to try, do make sure to restart the mailman-web service after making the change in uwsgi.ini.
Abhilash
On Aug 16, 2021, at 9:34 AM, Stephen J. Turnbull <turnbull.stephen.fw@u.tsukuba.ac.jp> wrote:
Richard,
Thanks for the details and the pointer to the full configs. That makes it possible to take a look, but I can't spend much time on it until next week.
I'll see if I can prod Abhilash who is more expert than I on all this stuff (I just use mod_wsgi), but there's some more urgent (sorry, but it's security) stuff going on, and his absence speaks for his $DAYJOB, I guess.
Richard Rosner writes:
That is entirely possible @Stephen. You can see the entire apache config a few posts back plus the additions from @Mark and mine from the last post. As I interpret it, apache is reverse proxying to the uwsgi app, now through http instead of the socket. But I have no idea if that's the right way round. I'm not sure if the config file templates for apache, nginx and uwsgi that you get with the Debian packages are added by the Debian team or if they are there anyway and just have been modified to the Debian file layout, but I'd guess either way it's not that likely that they wrote it the wrong way around. But I'm not too experienced to be able to translate the nginx config to apache to see if that would result in something different.
Also, while the nginx config is written as a standalone website, the apache config seems to have been written to just create a /mailman3 site under an existing website, while I use it as a standalone site. So it's entirely possible that I missed something when I modified the website from mailman2 to serve mailman3, but then it shouldn't have been able to show the website at the beginning.
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
-- thanks, Abhilash Raj (maxking)
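An added example, not part of the original message or of Mailman's documentation: a small check that the socket option in uwsgi.ini and the scheme in Apache's ProxyPass line speak the same protocol, which is the mismatch described in point (2) above. The function names and both sample configs are constructed for illustration; the flag for a backend listening on all interfaces is a hardening check added here, since the backend is only meant to be reached by the local web server.

```python
import configparser
import re

# uwsgi.ini socket option -> protocol uWSGI speaks on that socket
SOCKET_OPTIONS = {"uwsgi-socket": "uwsgi", "socket": "uwsgi", "http-socket": "http"}

def uwsgi_backend(ini_text):
    """Return (protocol, address) from the [uwsgi] section."""
    # strict=False tolerates repeated keys; interpolation=None leaves '%' alone
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    for option, proto in SOCKET_OPTIONS.items():
        if cp.has_option("uwsgi", option):
            return proto, cp.get("uwsgi", option).strip()
    raise ValueError("no socket option found in [uwsgi]")

def proxy_targets(apache_conf):
    """Yield (scheme, unix_socket_path or None) for each ProxyPass line."""
    pattern = re.compile(r"\s*ProxyPass\s+\S+\s+(?:unix:([^|\s]+)\|)?(\w+)://")
    for line in apache_conf.splitlines():
        m = pattern.match(line)  # ProxyPassReverse does not match
        if m:
            yield m.group(2).lower(), m.group(1)

def check(ini_text, apache_conf):
    """List mismatches between the uWSGI listener and the Apache proxy."""
    proto, addr = uwsgi_backend(ini_text)
    is_unix = addr.startswith("/")
    findings = []
    for scheme, unix_path in proxy_targets(apache_conf):
        if scheme != proto:
            findings.append(f"protocol mismatch: Apache proxies {scheme}://, "
                            f"uWSGI listens with {proto}")
        if is_unix and unix_path != addr:
            findings.append(f"Apache does not target unix socket {addr}")
    # Hardening check added here: the backend only needs to serve the local proxy.
    if not is_unix and addr.rsplit(":", 1)[0] in ("", "0.0.0.0", "[::]"):
        findings.append(f"backend {addr} listens on all interfaces; bind to 127.0.0.1")
    return findings

# Constructed sample input, not the poster's real files.
UWSGI_INI = """[uwsgi]
uwsgi-socket = 0.0.0.0:8000
# Setup the django_q related worker processes.
attach-daemon = /opt/mailman/venv/bin/mailman-web qcluster
"""
APACHE_CONF = "ProxyPass / http://127.0.0.1:8000/\nProxyPassReverse / http://127.0.0.1:8000/\n"

if __name__ == "__main__":
    for finding in check(UWSGI_INI, APACHE_CONF):
        print(finding)
```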