From 993d6e758cddab9debef2512cff7c8887622f53c Mon Sep 17 00:00:00 2001
From: Jonathan De Troye
Date: Thu, 17 Oct 2019 05:45:02 -0400
Subject: [PATCH] Add docs for nginx + gunicorn + ssl (#4201)
---
CHANGES/4201.doc | 1 +
docs/deployment.rst | 92 +++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 89 insertions(+), 4 deletions(-)
create mode 100644 CHANGES/4201.doc
diff --git a/CHANGES/4201.doc b/CHANGES/4201.doc
new file mode 100644
index 00000000000..28c8833f227
--- /dev/null
+++ b/CHANGES/4201.doc
@@ -0,0 +1 @@
+Add 'Deploy with SSL' to docs.
\ No newline at end of file
diff --git a/docs/deployment.rst b/docs/deployment.rst
index 7725a5ed485..499d9db856e 100644
--- a/docs/deployment.rst
+++ b/docs/deployment.rst
@@ -300,15 +300,99 @@ worker processes. `uvloop `_, you can use the ``aiohttp.GunicornUVLoopWebWorker`` worker class. +Proxy through NGINX +---------------------- + +We can proxy our gunicorn workers through NGINX with a configuration like this: + +.. code-block:: nginx + + worker_processes 1; + user nobody nogroup; + events { + worker_connections 1024; + } + http { + ## Main Server Block + server { + ## Open by default. + listen 80 default_server; + server_name main; + client_max_body_size 200M; + + ## Main site location. + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Real-IP $remote_addr; + } + } + } + +Since gunicorn listens for requests at our localhost address on port 8080, we can +use the `proxy_pass `_ +directive to send web traffic to our workers. If everything is configured correctly, +we should reach our application at the ip address of our web server. + +Proxy through NGINX + SSL +---------------------------- + +Here is an example NGINX configuration setup to accept SSL connections: + +.. code-block:: nginx + + worker_processes 1; + user nobody nogroup; + events { + worker_connections 1024; + } + http { + ## SSL Redirect + server { + listen 80 default; + return 301 https://$host$request_uri; + } + + ## Main Server Block + server { + # Open by default. + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + server_name main; + client_max_body_size 200M; + + ssl_certificate /etc/secrets/cert.pem; + ssl_certificate_key /etc/secrets/key.pem; + + ## Main site location. + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Real-IP $remote_addr; + } + } + } + + +The first server block accepts regular http connections on port 80 and redirects +them to our secure SSL connection. 
The second block matches our previous example +except we need to change our open port to https and specify where our SSL +certificates are being stored with the ``ssl_certificate`` and ``ssl_certificate_key`` +directives. + +During development, you may want to `create your own self-signed certificates for testing purposes `_ +and use another service like `Let's Encrypt `_ when you +are ready to move to production. More information ---------------- -The Gunicorn documentation recommends deploying Gunicorn behind an -Nginx proxy server. See the `official documentation +See the `official documentation `_ for more -information about suggested nginx configuration. - +information about suggested nginx configuration. You can also find out more about +`configuring for secure https connections as well. `_ Logging configuration ---------------------
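Review bot: The `location /` block in the "Proxy through NGINX + SSL" example terminates TLS but passes no `X-Forwarded-Proto` (or `X-Forwarded-For`) to the workers at `http://127.0.0.1:8080`, so an application that derives the request scheme for redirects, absolute URLs or secure-cookie decisions will see plain `http`. I would add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;`, and say in the prose that the application should honour these headers only when they arrive from the proxy. In both examples `proxy_set_header X-Forwarded-Host $server_name;` forwards the configured name `main` rather than the host the client asked for; `$host` looks like what was intended. The port-80 redirect `return 301 https://$host$request_uri;` sits in a catch-all server and builds its target from the request's Host header, so a fixed canonical name would be the safer thing to show in documentation.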