HTTPS support (from 1.3)¶
Use the https <socket>,<certificate>,<key>
option. This option may be
specified multiple times. First generate your server key, certificate signing
request, and self-sign the certificate using the OpenSSL toolset:
Note
You’ll want a real SSL certificate for production use.
openssl genrsa -out foobar.key 2048
openssl req -new -key foobar.key -out foobar.csr
openssl x509 -req -days 365 -in foobar.csr -signkey foobar.key -out foobar.crt
Then start the server using the SSL certificate and key just generated:
uwsgi --master --https 0.0.0.0:8443,foobar.crt,foobar.key
As port 443, the port normally used by HTTPS, is privileged (ie. non-root processes may not bind to it), you can use the shared socket mechanism and drop privileges after binding like thus:
uwsgi --shared-socket 0.0.0.0:443 --uid roberto --gid roberto --https =0,foobar.crt,foobar.key
uWSGI will bind to 443 on any IP, then drop privileges to those of roberto
,
and use the shared socket 0 (=0
) for HTTPS.
Note
The =0 syntax is currently undocumented.
Note
In order to use https option be sure that you have OpenSSL development headers installed (e.g. libssl-dev on Debian). Install them and rebuild uWSGI so the build system will automatically detect it.
Setting SSL/TLS ciphers¶
The https
option takes an optional fourth argument you can use to specify
the OpenSSL cipher suite.
[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
https = =0,foobar.crt,foobar.key,HIGH
http-to = /tmp/uwsgi.sock
This will set all of the HIGHest ciphers (whenever possible) for your SSL/TLS transactions.
Client certificate authentication¶
The https
option can also take an optional 5th argument. You can use it to
specify a CA certificate to authenticate your clients with. Generate your CA
key and certificate (this time the key will be 4096 bits and
password-protected):
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate the server key and CSR (as before):
openssl genrsa -out foobar.key 2048
openssl req -new -key foobar.key -out foobar.csr
Sign the server certificate with your new CA:
openssl x509 -req -days 365 -in foobar.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out foobar.crt
Create a key and a CSR for your client, sign it with your CA and package it as PKCS#12. Repeat these steps for each client.
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -name "Client 01" -out client.p12
Then configure uWSGI for certificate client authentication
[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
https = =0,foobar.crt,foobar.key,HIGH,!ca.crt
http-to = /tmp/uwsgi.sock
Note
If you don’t want the client certificate authentication to be mandatory, remove the ‘!’ before ca.crt in the https options.
If your client certificates are signed by intermediate certificates
rather than directly by a CA, you will need to set the
ssl-verify-depth
option to a value large enough to accomodate
the whole certificate chain. For example
[uwsgi]
master = true
shared-socket = 0.0.0.0:443
uid = www-data
gid = www-data
ssl-verify-depth = 8
https = =0,foobar.crt,foobar.key,HIGH,!ca.crt
http-to = /tmp/uwsgi.sock
Note
Due to an order dependency in configuration parsing, the
ssl-verify-depth
option must be specified before the
https
option.