Cannot setup HTTPS support for mailman3-web
Ubuntu 20.04 mailman3 3.2.2-1 mailman3-web 0+20180916-10 python3-django 2:2.2.9-2ubuntu1
In /etc/mailman3/uwsgi.ini
(example.org is defined in the local /etc/hosts as 10.0.0.1):
[uwsgi]
# Port on which uwsgi will be listening.
### suwsgi: uwsgi protocol over TLS
uwsgi-socket = example.org:8430
# https://uwsgi-docs.readthedocs.io/en/latest/HTTPS.html?highlight=ssl
https = /etc/ssl/example.org.crt,/etc/ssl/example.org_rsakey.pem.decrypted,HIGH
...
# Drop privileges and don't run as root.
uid = www-data
gid = www-data
...
I suppose that uwsgi reads the certificate & its private key before dropping root privileges. Right now, uwsgi cannot access them as www-data.
In /etc/mailman3/mailman-web.py
(symlinked to Django settings.py):
...
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# The second assignment replaces the first, so only X-Forwarded-Scheme is honoured.
# Either setting is only safe if the proxy always overwrites that header on incoming requests.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
# Other security settings
# SECURE_SSL_REDIRECT = True
# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
# contains at least this line:
# SECURE_REDIRECT_EXEMPT = [
# "archives/api/mailman/.*", # Request from Mailman.
# ]
# SESSION_COOKIE_SECURE = True
# SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER = True
# CSRF_COOKIE_SECURE = True
# CSRF_COOKIE_HTTPONLY = True
# X_FRAME_OPTIONS = 'DENY'
...
POSTORIUS_TEMPLATE_BASE_URL = 'https://example.org:8430'
In /etc/nginx/sites-enabled/example.org.conf
...
location /
{
include /etc/nginx/uwsgi_params;
# upstream app server
uwsgi_pass suwsgi://example.org:8430;
}
uwsgi is listening on the right address/port:
# networks-list-connections.sh | grep :8430
tcp 0 0 10.0.0.1:8430 0.0.0.0:* LISTEN 33 54336045 1768187/uwsgi
Despite those settings and all the relevant systemd services restarted, I get 502 Bad Gateway
while browsing to https://example.org/postorius/lists/?all-lists
(or any other page) with the following nginx error message:
*1 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 10.0.0.1, server: example.org, request: "GET /postorius/lists/?all-lists HTTP/2.0", upstream: "suwsgi://10.0.0.1:8430", host: "example.org", referrer: "https://example.org/postorius/lists/"
Of course, without those specific https/suwsgi settings, everything works fine. What am I missing/doing incorrectly? Does uwsgi need access to the certificate/private key while running as non-root for instance?
On 1/10/20 4:13 AM, jean-christophe manciot wrote:
> Of course, without those specific https/suwsgi settings, everything works fine. What am I missing/doing incorrectly? Does uwsgi need access to the certificate/private key while running as non-root for instance?
I think so. Have you tried making the key file group readable and group www-data?
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Giving group read access for www-data to both certificate and private key files leads to the exact same error.
On Sat, Jan 11, 2020, at 4:42 AM, jean-christophe manciot wrote:
> Giving group read access for www-data to both certificate and private key files leads to the exact same error.
I personally think you might find better help in one of the uwsgi supports lists. I almost always use just uwsgi protocol between nginx and uwsgi and SSL termination happens at the Nginx, so I don't have a sample configuration to help you out with.
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
-- thanks, Abhilash Raj (maxking)
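The fragments posted in this thread can be cross-checked mechanically. The script below is an added example, not code from this thread or from the uwsgi, nginx or Mailman projects. It assumes what the uwsgi HTTPS docs linked above describe: `https`/`https-socket` take `addr,cert,key[,ciphers]` and serve HTTP over TLS; `socket`/`uwsgi-socket` serve the plaintext uwsgi protocol; `suwsgi-socket` (alias `ssl-socket`) takes the same `addr,cert,key[,ciphers]` layout and serves the uwsgi protocol over TLS, which is what nginx's `suwsgi://` upstream speaks. The sample inputs are constructed from the posted fragments plus two alternative layouts (uwsgi protocol over TLS on the same port, and the usual nginx-terminated plaintext setup that Abhilash describes) that lint clean.

```python
"""Lint that cross-checks a uwsgi.ini socket configuration against nginx's uwsgi_pass lines.
Added example; option semantics assumed from the uwsgi docs, see the lead-in above."""
import re

# option name -> (wire protocol it serves, whether the value carries cert/key fields)
SOCKET_OPTS = {
    "socket": ("uwsgi", False), "uwsgi-socket": ("uwsgi", False),
    "suwsgi-socket": ("suwsgi", True), "ssl-socket": ("suwsgi", True),
    "http": ("http", False), "http-socket": ("http", False),
    "https": ("https", True), "https-socket": ("https", True),
}
DESCR = {"uwsgi": "plaintext uwsgi protocol", "suwsgi": "uwsgi protocol over TLS",
         "http": "plain HTTP", "https": "HTTP over TLS"}
ADDR_RE = re.compile(r"^(?:/\S*|(?:\[[^\]]*\]|[^:\s,]*):\d+)$")  # /unix/path, host:port, [v6]:port, :port
UPSTREAM_RE = re.compile(r"\buwsgi_pass\s+(suwsgi|uwsgi)://([^;\s]+)\s*;")


def parse_uwsgi_ini(text):
    """Return (key, value) pairs of the [uwsgi] section; uwsgi allows repeated keys."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "uwsgi" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs


def lint(uwsgi_ini, nginx_conf):
    """Return a list of findings; an empty list means the two fragments agree."""
    findings, bound = [], {}  # bound: bind address -> (option name, protocol served there)
    for key, value in parse_uwsgi_ini(uwsgi_ini):
        if key not in SOCKET_OPTS:
            continue
        proto, has_tls = SOCKET_OPTS[key]
        fields = [f.strip() for f in value.split(",")]
        addr = fields[0]
        if not ADDR_RE.match(addr):
            findings.append(f"{key}: '{addr}' is not a bind address (host:port or /unix/path)")
        if has_tls:
            # A certificate path in the address slot, or fewer than addr,cert,key fields,
            # means the list shifted left: the bind address is missing.
            if addr.endswith((".crt", ".pem", ".key")) or len(fields) < 3:
                findings.append(f"{key}: expected addr,cert,key[,ciphers]; the bind address seems to be missing")
            for what, field in zip(("cert", "key"), fields[1:3]):
                if not field.startswith("/"):
                    findings.append(f"{key}: {what} field '{field}' is not a file path")
        bound[addr] = (key, proto)
    for scheme, upstream in UPSTREAM_RE.findall(nginx_conf):
        if upstream not in bound:
            findings.append(f"nginx: uwsgi_pass {scheme}://{upstream} has no uwsgi socket bound to {upstream}")
            continue
        opt, proto = bound[upstream]
        if proto != scheme:
            findings.append(f"nginx: {scheme}://{upstream} expects {DESCR[scheme]} "
                            f"but uwsgi serves {DESCR[proto]} there ({opt})")
    return findings


# Constructed samples: the fragments from the thread, then two layouts that lint clean.
POSTED_UWSGI_INI = """\
[uwsgi]
### suwsgi: uwsgi protocol over TLS
uwsgi-socket = example.org:8430
https = /etc/ssl/example.org.crt,/etc/ssl/example.org_rsakey.pem.decrypted,HIGH
uid = www-data
gid = www-data
"""
POSTED_NGINX = """\
location / {
    include /etc/nginx/uwsgi_params;
    uwsgi_pass suwsgi://example.org:8430;
}
"""
# uwsgi protocol over TLS on the same port, with the bind address in its slot (assumed layout)
SUWSGI_UWSGI_INI = """\
[uwsgi]
suwsgi-socket = example.org:8430,/etc/ssl/example.org.crt,/etc/ssl/example.org_rsakey.pem.decrypted,HIGH
uid = www-data
gid = www-data
"""
# the usual layout: TLS terminated by nginx, plaintext uwsgi protocol on loopback
PLAIN_UWSGI_INI = """\
[uwsgi]
uwsgi-socket = 127.0.0.1:8430
uid = www-data
gid = www-data
"""
TERMINATING_NGINX = """\
location / {
    include /etc/nginx/uwsgi_params;
    uwsgi_pass uwsgi://127.0.0.1:8430;
}
"""

if __name__ == "__main__":
    for label, ini, conf in (("posted", POSTED_UWSGI_INI, POSTED_NGINX),
                             ("suwsgi", SUWSGI_UWSGI_INI, POSTED_NGINX),
                             ("nginx-terminated", PLAIN_UWSGI_INI, TERMINATING_NGINX)):
        print(label, lint(ini, conf) or "ok")
```

Run against the posted fragments, the lint reports that the `https` value has no bind address (its first field is the certificate path and its key field is the cipher string `HIGH`), and that port 8430 is bound by `uwsgi-socket`, a plaintext socket, while nginx opens a TLS handshake to it; a plaintext peer dropping the ClientHello is consistent with the "peer closed connection in SSL handshake" message in the thread. The two alternative layouts produce no findings. The lint only compares configuration text; it does not check file permissions or whether uwsgi can read the key after dropping to `www-data`.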
participants (3): Abhilash Raj, jean-christophe manciot, Mark Sapiro