We've got a few Django setups that go through a proxy (Apache and Nginx) that eventually make their way to the actual Django runtime.
We need to have HTTPS end to end even once it's in our network. We've been revisiting Gunicorn due to its success and performance in our other setups, but needed to test with HTTPS end to end to be consistent.
Our topology is as such:
https://foo.com -> [Public facing proxy] -> (https) -> [internal server https://192...:8001]
How does one configure Gunicorn to listen on HTTPS with a self signed certificate?
Gunicorn wsgi server allows users to use HTTPS connection directly without a need to use HTTP server like Nginx or Apache. To Configure SSL support directly with Gunicorn you need to simply add the key and certificate paths to your configuration file.
Running sudo -u www-data curl --unix-socket /run/gunicorn. sock http , our Gunicorn service will be automatically started and you should see some HTML from your server in the terminal. systemd employs cgroups to track the processes of a service, so it doesn't need pid files.
Green Unicorn, commonly shortened to "Gunicorn", is a Web Server Gateway Interface (WSGI) server implementation that is commonly used to run Python web applications.
The Gunicorn process will start and bind to all host IP addresses on port 8081.
Gunicorn now supports SSL, as of version 17.0. You can configure it to listen on https like this:
$ gunicorn --certfile=server.crt --keyfile=server.key test:app
If you were using --bind
to listen on port 80, remember to change the port to 443 (the default port for HTTPS connections). For example:
$ gunicorn --certfile=server.crt --keyfile=server.key --bind 0.0.0.0:443 test:app
Massively late reply, but for anyone else coming across this, there's another option using nginx as the "[Public facing proxy]" above.
Configure nginx to handle the incoming SSL traffic on port 443, and then proxy_pass to gunicorn on an internal port. External traffic is encrypted, and the traffic between nginx and gunicorn isn't exposed anyway. I find this very simple to manage.
If you're using a gunicorn.config.py or similar gunicorn config file you can add the certificate file and key file.
certfile = '/etc/letsencrypt/live/example.com/fullchain.pem'
keyfile = '/etc/letsencrypt/live/example.com/privkey.pem'
Config files can be used to initialise settings as env variables and can be helpful if you had lots of settings. To use config file
Create a config file by creating a file named
gunicorn.config.py
Some usual settings would be
bind = "0.0.0.0:8000"
workers = 4
pidfile = 'pidfile'
errorlog = 'errorlog'
loglevel = 'info'
accesslog = 'accesslog'
access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
and of course
certfile = '/etc/letsencrypt/live/example.com/fullchain.pem'
keyfile = '/etc/letsencrypt/live/example.com/privkey.pem'
Check out the documentation and a config file example
to run gunicorn with these settings
$ gunicorn app:app
since
By default, a file named gunicorn.conf.py will be read from the same directory where gunicorn is being run.
In addition to certfile
and keyfile
you need to add ca-certs
as well. Without passing ca-certs
, I was getting Trust anchor for certification path not found.
on Android devices.
Sample command:
/usr/bin/python3 /usr/local/bin/gunicorn --bind 0.0.0.0:443 wsgi:app --workers=8 --access-logfile=/root/app/logs/access.log --error-logfile=/root/app/logs/error.log --certfile=/root/app/certificate.crt --keyfile=/root/app/private.key --ca-certs=/root/app/ca_bundle.crt --daemon
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With