How do I configure HTTPS sites using pem certificates about meinheld-gunicorn-flask-docker HOT 5 CLOSED

SSL (TLS) is quite a complex subject. For example, you can only have one component/program handling HTTPS certificates in a single IP (in a single server). If you handle it directly in your app code/Gunicorn, you won't be able to have more than one domain on that IP.

I suggest you delegate that to a dedicated component, it's called a TLS Termination Proxy, and it's a common practice.

To learn more about HTTPS handling, check this section in FastAPI: https://fastapi.tiangolo.com/deployment/#https

Let me suggest you use Traefik. It can handle HTTPS certificates for multiple domains, it has free automatic acquisition with Let's Encrypt, and automatic renewals too.

For more info about how to set it up, you can try https://dockerswarm.rocks/

from meinheld-gunicorn-flask-docker.

I also ran into problems getting Gunicorn to serve HTTPS traffic. It would be nice to use the power of Docker and env vars to configure HTTPS with

ENV PORT=443
ENV GUNICORN_CMD_ARGS="--keyfile=/app/my_key.pem --certfile=/app/my_cert.crt"

But it seems that even with Python 3.7 and Gunicorn 20.0.3, a client fails with ERR_SSL_PROTOCOL_ERROR. Trying to use add command line args via the bottom env var above was of no help (ie --ssl-version=5 since it defaults to 2 and/or setting a --ciphers list). My use case is that I write light web apps for coworkers to use internally which don't receive enough traffic to need a load balancer etc. I'm looking for a 1-stop-shop solution like how tiangolo/uwsgi-nginx-flask was, to make my flask app more robust than the built-in development server, but without needing to wrangle several layers of software to get things running.

As an aside, I'm looking forward to using your FastAPI for my next API project!

from meinheld-gunicorn-flask-docker.

I have a similar use case. An simple internal application.

I ended up moving back to the https://github.com/tiangolo/uwsgi-nginx-flask-docker base and including this custom nginx.conf file in my app directory.

user  nginx;
worker_processes 1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {

    server{
        listen 80;
        listen      443 default ssl;

        location / {
            try_files $uri @app;
        }
        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///tmp/uwsgi.sock;
        }
        location /static {
            alias /app/app/static;
        }

        ssl_certificate    /app/server.crt;
        ssl_certificate_key    /app/server.key;

        if ($ssl_protocol = "") {
            rewrite ^   https://$server_name$request_uri? permanent;
        }
    }

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    include /etc/nginx/conf.d/*.conf;

}
daemon off;

from meinheld-gunicorn-flask-docker.

Thanks for the report @gsainsbury86 !

Would that solve your use case @hamx0r ?

from meinheld-gunicorn-flask-docker.

Assuming the original issue was solved, it will be automatically closed now. But feel free to add more comments or create new issues.

from meinheld-gunicorn-flask-docker.