HTTPS support (from 1.3)
The https option takes the form <socket>,<certificate>,<key> and may be specified multiple times. First generate your server key, a certificate signing request, and a self-signed certificate using the OpenSSL toolset (you'll want a real SSL certificate for production use):

openssl genrsa -out foobar.key 2048
openssl req -new -key foobar.key -out foobar.csr
openssl x509 -req -days 365 -in foobar.csr -signkey foobar.key -out foobar.crt
Then start the server using the SSL certificate and key just generated:
uwsgi --master --https 0.0.0.0:8443,foobar.crt,foobar.key
As port 443, the port normally used by HTTPS, is privileged (i.e. non-root processes may not bind to it), you can use the shared socket mechanism to bind as root and then drop privileges, like this:
uwsgi --shared-socket 0.0.0.0:443 --uid roberto --gid roberto --https =0,foobar.crt,foobar.key
uWSGI will bind to 443 on any IP, then drop privileges to those of roberto and use shared socket 0 (=0) for HTTPS.
The =0 syntax is currently undocumented.
In order to use the https option, be sure that you have the OpenSSL development headers installed (e.g. libssl-dev on Debian). Install them and rebuild uWSGI; the build system will detect them automatically.
Setting SSL/TLS ciphers
The https option takes an optional fourth argument you can use to specify the OpenSSL cipher suite.

[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
https = =0,foobar.crt,foobar.key,HIGH
http-to = /tmp/uwsgi.sock

This passes HIGH as the OpenSSL cipher list, so your SSL/TLS connections use the high-strength ciphers (whenever possible).
Client certificate authentication
The https option can also take an optional fifth argument. You can use it to
specify a CA certificate to authenticate your clients with. Generate your CA
key and certificate (this time the key will be 4096 bits and
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate the server key and CSR (as before):
openssl genrsa -out foobar.key 2048
openssl req -new -key foobar.key -out foobar.csr
Sign the server certificate with your new CA:
openssl x509 -req -days 365 -in foobar.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out foobar.crt
Create a key and a CSR for your client, sign it with your CA and package it as PKCS#12. Repeat these steps for each client.
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -name "Client 01" -out client.p12
Then configure uWSGI for client certificate authentication:

[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
https = =0,foobar.crt,foobar.key,HIGH,!ca.crt
http-to = /tmp/uwsgi.sock
If you don’t want the client certificate authentication to be mandatory, remove the ‘!’ before ca.crt in the https options.
If your client certificates are signed by intermediate certificates rather than directly by a CA, you will need to set the ssl-verify-depth option to a value large enough to accommodate the whole certificate chain. For example:

[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
ssl-verify-depth = 8
https = =0,foobar.crt,foobar.key,HIGH,!ca.crt
http-to = /tmp/uwsgi.sock
Due to an order dependency in configuration parsing, the
ssl-verify-depth option must be specified before the
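The following is an added example, not part of the uWSGI documentation or code base: a small checker that parses the https option fields described on this page (socket, certificate, key, optional cipher list, optional CA with a '!' prefix for mandatory client authentication) from a uWSGI ini file and flags the two pitfalls the text mentions, an optional client certificate and ssl-verify-depth placed after https. The ini content is constructed here for illustration.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the client-auth config from this page, but with
# ssl-verify-depth placed *after* https, which the order dependency forbids.
SAMPLE_INI = """\
[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
https = =0,foobar.crt,foobar.key,HIGH,!ca.crt
ssl-verify-depth = 8
http-to = /tmp/uwsgi.sock
"""

@dataclass
class HttpsOption:
    socket: str
    cert: str
    key: str
    ciphers: Optional[str] = None
    ca: Optional[str] = None
    client_cert_required: bool = False  # '!' prefix on the CA field

def parse_https(value: str) -> HttpsOption:
    """Split <socket>,<cert>,<key>[,<ciphers>[,[!]<ca>]] into its fields."""
    parts = [p.strip() for p in value.split(",")]
    if not 3 <= len(parts) <= 5:
        raise ValueError(f"https option needs 3 to 5 fields, got {len(parts)}")
    opt = HttpsOption(socket=parts[0], cert=parts[1], key=parts[2])
    if len(parts) >= 4:
        opt.ciphers = parts[3] or None
    if len(parts) == 5:
        opt.client_cert_required = parts[4].startswith("!")
        opt.ca = parts[4].lstrip("!")
    return opt

def check_config(ini_text: str) -> list:
    """Return human-readable findings for the [uwsgi] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["uwsgi"]
    if "https" not in sec:
        return ["no https option configured"]
    keys = list(sec.keys())  # configparser keeps file order
    opt = parse_https(sec["https"])
    findings = []
    if opt.ca and not opt.client_cert_required:
        findings.append("client certificate is optional (no '!' before the CA)")
    if "ssl-verify-depth" in keys and keys.index("ssl-verify-depth") > keys.index("https"):
        findings.append("ssl-verify-depth appears after https; move it before https")
    return findings
```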