Skip to content

Commit

Permalink
[3.6] Add docs for nginx + gunicorn + ssl (#4201)
Browse files Browse the repository at this point in the history
(cherry picked from commit 993d6e7)

Co-authored-by: Jonathan De Troye <[email protected]>
  • Loading branch information
detroyejr authored and asvetlov committed Oct 17, 2019
1 parent c020893 commit 37a2486
Show file tree
Hide file tree
Showing 2 changed files with 89 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGES/4201.doc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add 'Deploy with SSL' to docs.
92 changes: 88 additions & 4 deletions docs/deployment.rst
Original file line number Diff line number Diff line change
Expand Up @@ -300,15 +300,99 @@ worker processes.
`uvloop <https://github.com/MagicStack/uvloop>`_, you can use the
``aiohttp.GunicornUVLoopWebWorker`` worker class.

Proxy through NGINX
----------------------

We can proxy our gunicorn workers through NGINX with a configuration like this:

.. code-block:: nginx
worker_processes 1;
user nobody nogroup;
events {
worker_connections 1024;
}
http {
## Main Server Block
server {
## Open by default.
listen 80 default_server;
server_name main;
client_max_body_size 200M;
## Main site location.
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
}
}
}
Since gunicorn listens for requests at our localhost address on port 8080, we can
use the `proxy_pass <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass>`_
directive to send web traffic to our workers. If everything is configured correctly,
we should reach our application at the ip address of our web server.

Proxy through NGINX + SSL
----------------------------

Here is an example NGINX configuration setup to accept SSL connections:

.. code-block:: nginx
worker_processes 1;
user nobody nogroup;
events {
worker_connections 1024;
}
http {
## SSL Redirect
server {
listen 80 default;
return 301 https://$host$request_uri;
}
## Main Server Block
server {
# Open by default.
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name main;
client_max_body_size 200M;
ssl_certificate /etc/secrets/cert.pem;
ssl_certificate_key /etc/secrets/key.pem;
## Main site location.
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
}
}
}
The first server block accepts regular http connections on port 80 and redirects
them to our secure SSL connection. The second block matches our previous example
except we need to change our open port to https and specify where our SSL
certificates are being stored with the ``ssl_certificate`` and ``ssl_certificate_key``
directives.

During development, you may want to `create your own self-signed certificates for testing purposes <https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04>`_
and use another service like `Let's Encrypt <https://letsencrypt.org/>`_ when you
are ready to move to production.

More information
----------------

The Gunicorn documentation recommends deploying Gunicorn behind an
Nginx proxy server. See the `official documentation
See the `official documentation
<http://docs.gunicorn.org/en/latest/deploy.html>`_ for more
information about suggested nginx configuration.

information about suggested nginx configuration. You can also find out more about
`configuring for secure https connections as well. <https://nginx.org/en/docs/http/configuring_https_servers.html>`_

Logging configuration
---------------------
Expand Down

0 comments on commit 37a2486

Please sign in to comment.