Dual http https #2120
Dual http https #2120
Conversation
The Tornado workers don't seem to be able to support this
|
@TylerLubeck Is it important for you that you'd bind to different ports? Otherwise one could make the socket listen for both protocols. (This would work since the client always sends bytes first and SSL should be easy enough to identify, plenty of servers do that and then tell you "tried http on ssl port") |
|
Honestly I didn't know you could do that. When you say "SSL should be easy enough to identify", I assume that means with code in gunicorn? That implementation would work for me, but I'm not sure how to proceed with it. |
|
I'm not sure there's a common use case for optional SSL on the same port. I think whatever approach we take should preserve secure defaults where providing certificates to Gunicorn enforces SSL on the socket. I sort of like how explicit |
|
On Wed, Nov 13, 2019, at 01:13, Tyler Lubeck wrote:
When you say "SSL should be
easy enough to identify", I assume that means with code in gunicorn?
Yes, but I just checked and it seems to be everything but easy to implement in Python 🙄
|
|
Any progress on this front? I think I have a valid use case for having optional SSL on the same port (in my case the Flask application shall decide based on the app's internal state). Currently I have to spawn two instances of gunicorn (one with certificates, i.e. forced SSL and one without any certificates, i.e. plain HTTP) - each having it's own port which has some downsides. Particularly the reason is, that the Flask app provides user interface and an API. For API SSL is always required, but the user interface can accommodate (i.e. show just less sensitive information) for HTTP if SSL wasn't requested by the client. |
|
That's a good idea! Though the patch may be over complicated. I would try for example to just wrap the Anyway I would like to discuss the API before going further I created #2237 for it. Please join the discussion :) |
This takes a stab at solving #1466. It would be beneficial for some work I'm involved in where we need to convert all our apps to https communication, and would like to avoid adding technologies (nginx in front of the app, running two separate application pools, etc).
It doesn't quite work yet, but I wanted to ask for an earlier look at methodology and implementation.
The idea is that there's a new flag
--bind-no-sslwhere, regardless of other configurations, ssl settings will not be applied. I chose to go this route to minimize compatibility problems.Some examples:
gunicorn --bind-no-ssl 127.0.0.1:8001:Works the same as
gunicorn --bind 127.0.0.1:8001gunicorn --bind 127.0.0.1:8001 --bind-no-ssl 127.0.0.1:8002:Works the same as
gunicorn --bind 127.0.0.1:8001 --bind 127.0.0.1:8002gunicorn --certfile ./mycert --keyfile ./mykey --bind 127.0.0.1:8001 --bind-no-ssl 127.0.0.1:8002:Serves on https://127.0.0.1:8001 and http://127.0.0.1:8002