CODEWITHSUNDEEP
sslhttpsgunicorn
dmyung
dmyung

Reputation: 8039

Running gunicorn on https?

We've got a few Django setups that go through a proxy (Apache and Nginx) that eventually make their way to the actual Django runtime.

We need to have HTTPS end to end even once it's in our network. We've been revisiting Gunicorn due to its success and performance in our other setups, but needed to test with HTTPS end to end to be consistent.

Our topology is as such:

https://foo.com -> [Public facing proxy] -> (https) -> [internal server https://192...:8001]

How does one configure Gunicorn to listen on HTTPS with a self signed certificate?

Upvotes: 81

Views: 119331

Answers (4)

Gaurav Singla
Gaurav Singla

Reputation: 1451

In addition to certfile and keyfile you need to add ca-certs as well. Without passing ca-certs, I was getting Trust anchor for certification path not found. on Android devices.

Sample command:

/usr/bin/python3 /usr/local/bin/gunicorn --bind 0.0.0.0:443 wsgi:app --workers=8 --access-logfile=/root/app/logs/access.log --error-logfile=/root/app/logs/error.log --certfile=/root/app/certificate.crt --keyfile=/root/app/private.key --ca-certs=/root/app/ca_bundle.crt --daemon

Upvotes: 5

greysou1
greysou1

Reputation: 376

If you're using a gunicorn.config.py or similar gunicorn config file you can add the certificate file and key file.

certfile = '/etc/letsencrypt/live/example.com/fullchain.pem'
keyfile = '/etc/letsencrypt/live/example.com/privkey.pem'

Config files can be used to initialise settings as env variables and can be helpful if you had lots of settings. To use config file

  • Create a config file by creating a file named gunicorn.config.py

  • Some usual settings would be

      bind = "0.0.0.0:8000"
  workers = 4
  pidfile = 'pidfile'
  errorlog = 'errorlog'
  loglevel = 'info'
  accesslog = 'accesslog'
  access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'

    and of course

      certfile = '/etc/letsencrypt/live/example.com/fullchain.pem'
  keyfile = '/etc/letsencrypt/live/example.com/privkey.pem'

Check out the documentation and a config file example

to run gunicorn with these settings

    $ gunicorn app:app

since

By default, a file named gunicorn.conf.py will be read from the same directory where gunicorn is being run.

Upvotes: 10

GregM
GregM

Reputation: 1898

Gunicorn now supports SSL, as of version 17.0. You can configure it to listen on https like this:

$ gunicorn --certfile=server.crt --keyfile=server.key test:app

If you were using --bind to listen on port 80, remember to change the port to 443 (the default port for HTTPS connections). For example:

$ gunicorn --certfile=server.crt --keyfile=server.key --bind 0.0.0.0:443 test:app

Upvotes: 147

mafrosis
mafrosis

Reputation: 2770

Massively late reply, but for anyone else coming across this, there's another option using nginx as the "[Public facing proxy]" above.

Configure nginx to handle the incoming SSL traffic on port 443, and then proxy_pass to gunicorn on an internal port. External traffic is encrypted, and the traffic between nginx and gunicorn isn't exposed anyway. I find this very simple to manage.

Upvotes: 29

Related Questions