Running gunicorn on https?

SslHttpsGunicorn

Ssl Problem Overview

We've got a few Django setups that go through a proxy (Apache and Nginx) that eventually make their way to the actual Django runtime.

We need to have HTTPS end to end even once it's in our network. We've been revisiting Gunicorn due to its success and performance in our other setups, but needed to test with HTTPS end to end to be consistent.

Our topology is as such:

https://foo.com -> [Public facing proxy] -> (https) -> [internal server https://192...:8001]

How does one configure Gunicorn to listen on HTTPS with a self signed certificate?

Ssl Solutions

Solution 1 - Ssl

Gunicorn now supports SSL, as of version 17.0. You can configure it to listen on https like this:

$ gunicorn --certfile=server.crt --keyfile=server.key test:app

If you were using --bind to listen on port 80, remember to change the port to 443 (the default port for HTTPS connections). For example:

$ gunicorn --certfile=server.crt --keyfile=server.key --bind 0.0.0.0:443 test:app

Solution 2 - Ssl

Massively late reply, but for anyone else coming across this, there's another option using nginx as the "[Public facing proxy]" above.

Configure nginx to handle the incoming SSL traffic on port 443, and then proxy_pass to gunicorn on an internal port. External traffic is encrypted, and the traffic between nginx and gunicorn isn't exposed anyway. I find this very simple to manage.

Solution 3 - Ssl

If you're using a gunicorn.config.py or similar gunicorn config file you can add the certificate file and key file.

certfile = '/etc/letsencrypt/live/example.com/fullchain.pem'
keyfile = '/etc/letsencrypt/live/example.com/privkey.pem'

Config files can be used to initialise settings as env variables and can be helpful if you had lots of settings. To use config file

  • Create a config file by creating a file named gunicorn.config.py

  • Some usual settings would be

      bind = "0.0.0.0:8000"
  workers = 4
  pidfile = 'pidfile'
  errorlog = 'errorlog'
  loglevel = 'info'
  accesslog = 'accesslog'
  access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'

    and of course

      certfile = '/etc/letsencrypt/live/example.com/fullchain.pem'
  keyfile = '/etc/letsencrypt/live/example.com/privkey.pem'

Check out the documentation and a config file example

to run gunicorn with these settings

    $ gunicorn app:app

since

> By default, a file named gunicorn.conf.py will be read from the same directory where gunicorn is being run.

Solution 4 - Ssl

In addition to certfile and keyfile you need to add ca-certs as well. Without passing ca-certs, I was getting Trust anchor for certification path not found. on Android devices.

Sample command:

/usr/bin/python3 /usr/local/bin/gunicorn --bind 0.0.0.0:443 wsgi:app --workers=8 --access-logfile=/root/app/logs/access.log --error-logfile=/root/app/logs/error.log --certfile=/root/app/certificate.crt --keyfile=/root/app/private.key --ca-certs=/root/app/ca_bundle.crt --daemon
Categories
Recommended Ssl Solutions
Recommended Https Solutions
Recommended Gunicorn Solutions

Previous Solution:

Can't Mod Zero?

C++ModuloDivide by-Zero

Next Solution:

run program in Python shell

PythonExecutable

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestiondmyungView Question on Stackoverflow
Solution 1 - SslGregMView Answer on Stackoverflow
Solution 2 - SslmafrosisView Answer on Stackoverflow
Solution 3 - Sslgreysou1View Answer on Stackoverflow
Solution 4 - SslGaurav SinglaView Answer on Stackoverflow