user5672542

Apache Error 403 Forbidden on Request to .wsgi or .py

I have compiled the latest mod_wsgi from source and installed it, but the scripts do not open in the browser.

When I open localhost/python.wsgi in a browser, it gives Error 403 'Forbidden'. I cannot understand why.

The script is located at: /var/www/html/python.wsgi

The mod_wsgi module is installed and loaded. The handler is added for the extension. The handler is set by the FilesMatch regexp. The folder is readable. The file is readable. Why 'Forbidden'?

apache2.conf is the default:

DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

List of loaded configurations:

/etc/apache2/conf-enabled$ ls

apache2-doc.conf
localized-error-pages.conf
security.conf
charset.conf
other-vhosts-access-log.conf
serve-cgi-bin.conf

Loaded Modules:

/etc/apache2/mods-enabled$ ls

access_compat.load
alias.conf
alias.load
auth_basic.load
authn_core.load
authn_file.load
authz_core.load
authz_host.load
authz_user.load
autoindex.conf
autoindex.load
deflate.conf
deflate.load
dir.conf
dir.load
env.load
filter.load
mime.conf
mime.load
mpm_prefork.conf
mpm_prefork.load
negotiation.conf
negotiation.load
php7.0.conf
php7.0.load
reqtimeout.conf
reqtimeout.load
setenvif.conf
setenvif.load
status.conf
status.load
wsgi.conf
wsgi.load

wsgi.load:

LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so

wsgi.conf:

<IfModule mod_wsgi.c>

    #AddHandler wsgi-script .wsgi # unsafe!
    #AddHandler wsgi-script .py # unsafe!

    <FilesMatch ".+\.wsgi$">
        SetHandler wsgi-script
        Require all granted
    </FilesMatch>

    <FilesMatch ".+\.py$">
        SetHandler wsgi-script
        Require all granted
    </FilesMatch>

</IfModule>

Upvotes: 0

Views: 867

Answers (1)

user5672542

I have found an answer at last. You need to set the ExecCGI option to make the script executable. The executable flag in the OS does not matter.

So, the answer is to add a special directory for such scripts and modify the configuration of the virtual host:

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias "/wsgi" "/var/www/wsgi-scripts"
    <Directory "/var/www/wsgi-scripts">
        Require all granted
        Options +ExecCGI
    </Directory>

</VirtualHost>

Now I can access my hello-worldish script at http://127.0.0.1/wsgi/python.wsgi

P.S.

Forgot to say that usage of the 'AddHandler' construction in Apache is a critical security hole in the server, as it thinks that a.wsgi.jpg is still 'wsgi'. It is better not to use 'AddHandler' and to use a RegExp instead.

:-)

Upvotes: 1
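
The difference the P.S. describes, as an added example that is not part of the original answer: a simplified model of how `AddHandler` compares its extension against every extension in a file name, next to the anchored `FilesMatch` pattern from the question's wsgi.conf, plus a check for active `AddHandler` lines in a config. The helper names, the sample file names and the sample config are constructed for illustration.

```python
import re

# FilesMatch pattern taken from the wsgi.conf shown in the question.
FILESMATCH_WSGI = re.compile(r".+\.wsgi$")

def addhandler_applies(filename, ext):
    """Simplified model of mod_mime: every dot-separated part after the
    base name counts as an extension and is compared case-insensitively."""
    parts = filename.lstrip(".").lower().split(".")[1:]
    return ext.lstrip(".").lower() in parts

def filesmatch_applies(filename, pattern=FILESMATCH_WSGI):
    """<FilesMatch> tests the regex against the file name only."""
    return pattern.search(filename) is not None

def active_addhandlers(conf_text, handler="wsgi-script"):
    """Extensions bound to `handler` by AddHandler lines that are not commented out."""
    exts = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # whole-line comment, as in the question's wsgi.conf
        tokens = stripped.split()
        if len(tokens) >= 3 and tokens[0].lower() == "addhandler" and tokens[1] == handler:
            exts.extend(tokens[2:])
    return exts

# Constructed sample input: names as they might appear in a served directory.
SAMPLE_NAMES = ["python.wsgi", "a.wsgi.jpg", "upload.WSGI.png", "photo.jpg", ".wsgi"]

# Constructed config: one active directive, one commented out as on the page.
SAMPLE_CONF = """\
AddHandler wsgi-script .wsgi
#AddHandler wsgi-script .py # unsafe!
"""

def compare(names=SAMPLE_NAMES, ext=".wsgi"):
    """Map each name to (handled via AddHandler, handled via FilesMatch)."""
    return {n: (addhandler_applies(n, ext), filesmatch_applies(n)) for n in names}

if __name__ == "__main__":
    print("active AddHandler extensions:", active_addhandlers(SAMPLE_CONF))
    for name, (by_ext, by_regex) in compare().items():
        print(f"{name:18} AddHandler={by_ext!s:5} FilesMatch={by_regex}")
```

The model covers a single `AddHandler` directive; in a real server another extension further to the right that also maps to a handler would take precedence.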
