Setting up a HTTPS server in Python (WSGI)

The situation

Setting up a HTTP server in Python is quite easy. You overload the handlers.CGIHandler class, and Bob's your uncle... You have to overload the run function, and that's about it.

def run(self, host='localhost', port=8000):
    # Initialize the server deamon


    # HTTP    self._httpd = simple_server.make_server(host, port, self.__call__)

    print("Serving on port {0}...".format(port))

    # Start the server    self._httpd.serve_forever()

Nothing to it, right?

So, you'd expect that setting up a HTTPS server would also be a piece of cake... but it isn't that straightforward. Luckily, for you, I have spent some time to make this easy as frig.

The idea is to make a SSL socket, and to do that, you have to use the wrap_socket command... but where?

Look at this line of code from the run function

    self._httpd = simple_server.make_server(host, port, self.__call__)

When you open the simple_server package, you see that there's an optional server_class argument.

The default WSGIServer overloads the HTTPServer class which overloads the TCPServer class which ... creates a socket we can wrap.

Now, the game plan becomes clear. Overload the TCPServer class to wrap the socket and propagate our overloaded class upward. Easy.

I'll leave you with ...

The code

class SSLServer(TCPServer):
    # Overload the __init__ function, the rest is inherited from TCPServer    

def __init__(self, server_address, RequestHandlerClass, bind_and_activate=True):
        TCPServer.__init__(self, server_address, RequestHandlerClass)

        try:
            context = SSLContext(PROTOCOL_SSLv23)
            context.load_cert_chain('/path/to/cert.pem', '/path/to/key.key', 'passphrase')
        except SSLError as e:
            print(e)

        self.socket = context.wrap_socket(self.socket, server_side=True)


class HTTPSServer(SSLServer):
    # Copy the code from HTTPServer but use SSLServer instead of TCPServer
    allow_reuse_address = 1    # Seems to make sense in testing environment
    def server_bind(self):
        """Override server_bind to store the server name."""        SSLServer.server_bind(self)
        host, port = self.server_address[:2]
        self.server_name = getfqdn(host)
        self.server_port = port


class WSGISServer(HTTPSServer):
    # Copy the code from WSGIServer but use HTTPSServer instead of HTTPServer

application = None
    def server_bind(self):
        """Override server_bind to store the server name."""        HTTPSServer.server_bind(self)
        self.setup_environ()

    def setup_environ(self):
        # Set up base environment        env = self.base_environ = {}
        env['SERVER_NAME'] = self.server_name
        env['GATEWAY_INTERFACE'] = 'CGI/1.1'        env['SERVER_PORT'] = str(self.server_port)
        env['REMOTE_HOST']=''        env['CONTENT_LENGTH']=''        env['SCRIPT_NAME'] = ''
    def get_app(self):
        return self.application

    def set_app(self,application):
        self.application = application
Nearly there. All we have to do now is pass the optional argument to the make_server function.

def run(self, host='localhost', port=8000):
    # Initialize the server deamon    # HTTPS    self._httpd = simple_server.make_server(host, port, self.__call__, server_class=WSGISServer)

    print("Serving on port {0}...".format(port))

    # Start the server    self._httpd.serve_forever()

Done.

OpenSSL

Creating the cert.pem and key.key files.

As you have probably noticed, the SSL part contains some files we need to provide with a valid passphrase.

context.load_cert_chain('//cert.pem', '//key.key', 'passphrase')

I got that from the OpenSSL Cookbook and it's quite easy, just follow the steps.

(1) generate a strong private key,
(2) create a Certificate Signing Request (CSR) and send it to a CA
(3) install the CA-provided certificate in your web server.

Let's do that.

1- Generate private key
openssl genrsa -aes128 -out key.key 2048
This is where you establish the passphrase.

check
cat

2A- Generate Certificate Signing Requests
openssl req -new -key key.key -out cert.csr

check
openssl req -text -in cert.csr -noout

2B- Signing Your Own Certificates
openssl x509 -req -days 365 -in cert.csr -signkey key.key -out cert.crt

check
openssl x509 -text -in cert.crt -noout

2C- Create PEM
openssl x509 -inform PEM -in cert.crt > cert.pem

... and that's about all there is to it.

I still have to investigate how to load the certificate without putting the passphrase in the code, but I'm sure there is something out there.

Comments

Post a Comment

Popular posts from this blog

The Kalam Cosmological Fallacies

I didn't think I would need to continue writing about atheism, but circumstances force me. Noblesse oblige, and all that shite. In other words, I ran into somebody who thinks you can prove god logically... in the twenty-first century, using the Kalam Cosmological Argument. Well, let's rip that one apart, shall we? I'll focus on the formal logic here. Others have more practical objections to Kalam. The form of the argument is as follows. Premise A: Whatever begins to exist has a cause. Premise B: The universe began to exist. Conclusion C: Therefore, the universe has a cause. If premises A & B are true, conclusion C must be true. While it can be argued that premise A may not be true, let's just accept this argument. “The universe has a cause” So far, so good, nobody got hurt in this exercise? Now, Kalam makes magic happen... [see the update below] Let's do a “non-sequitur” logical fallacy “therefore cause of the univer
Read more

Fallacies 'R Us

Image
After debating with religious people on Twitter for a number of months (mostly Christians, some Muslims and a few... stray bullets), I thought to myself that all arguments for gods are based on flawed logic. A short convo confirmed that, indeed, my fellow atheists on Twitter believe the same. This is a short list with the most common logical fallacies I've encountered. This post will be updated to incorporate new fallacies when they present themselves. The Fallacy Fallacy Warning: Using flawed logic doesn't mean that your conclusion is necessarily wrong, it just means that you cannot base your conclusion on that logic. Let's think about an example to clarify this. Suppose you are going to visit your family, and they ask you at what time you'll arrive. You take into account the inevitable traffic jam and estimate an hour. Then, you step into your car and lo and behold, there is no traffic jam... but you get a flat tire. You arrive at the estimat
Read more

Guts

I've had a long convo with -a person who wants to remain anonymous-, a former Young Earth Creationist (YEC) about evolution (and religion, and abiogenesis, and morality...). This convo is ongoing with the exact same result; -S- returning to her default position of denial (of evolution) and affirmation (of creation). The latest development is that -S- is now a believer of Intelligent Design (ID); her beliefs have evolved (changed over time). She's not a Christian any more. I'm not sure if she's gone from YEC to Old Earth Creationism. It seems nearly impossible to convince -S- that evolution is possible, probable and, in fact, a scientific fact. Still, one can only try :-) and try, and try, and try again. The thing is that -S- needs to look at evolution from a different angle because she has been bombarded with creationist' propaganda that she chooses to believe over the biologists' evidence. How can you convince someone who believes the ea
Read more