On 11/05/2015, at 5:53 AM, Michael Blake <[email protected]> wrote:

> Works flawlessly.  I added a few pre-build commands, and my Flask app starts 
> right up on port 80 of the container, and it runs... fast!  Definitely 
> production grade (at least for my purposes).
> 
> The next step I need is to set up TLS on the site, and a few redirects.  I'm 
> poking around in the .whiskey/apache area to see where to add in the config, 
> but it's not immediately apparent where, or the correct way to add the necessary 
> SSLCertificate / rewrite directives.  I checked over the docs and was looking 
> for more about the .whiskey folder, and how that is set up.  

Where you currently might have a Dockerfile of:

    FROM grahamdumpleton/mod-wsgi-docker:python-2.7-onbuild
    CMD [ "hello.wsgi" ]

You can add any additional mod_wsgi-express options into 'CMD'.

So as far as production goes, depending on your specific requirements, you may 
want to adjust the number of processes/threads used from the default of one 
process and five threads. Thus:

    FROM grahamdumpleton/mod-wsgi-docker:python-2.7-onbuild
    CMD [ "--processes", "3", "--threads", "3", "hello.wsgi" ]

For setting up HTTPS as well as HTTP, similarly use the appropriate options and 
just add them to the Dockerfile, plus expose port 443, which is the default that 
mod_wsgi-express will use for the HTTPS port.

Presuming you have added the certificate and key file into the top level 
directory of the project that got copied into the Docker image as 'server.crt' 
and 'server.key', and that the FQDN for the host name used in the SSL 
certificate was 'www.example.com', you would use:

    FROM grahamdumpleton/mod-wsgi-docker:python-2.7-onbuild
    EXPOSE 443
    CMD [ "--enable-https", "--server-name", "www.example.com", "--ssl-certificate", "server", "hello.wsgi" ]

If you wanted only HTTPS and not HTTP, then you can also add "--https-only". 
This will result in access to HTTP URLs being redirected automatically to the 
HTTPS URL.

If you wanted to set up an HSTS policy to make browsers only use HTTPS, then you 
can use "--hsts-policy" with the policy argument.

Because "--server-name" is used to satisfy the host name requirements for the SSL 
certificate, it must be accessed as that host name, else it will fail.

If you have a wildcard SSL certificate, then you can use "--server-alias" with 
a pattern for other matching host names that should be accepted.

This probably makes no sense in the Docker case, but if doing this on a normal 
host OS and you wanted to still be able to access using HTTPS by 'localhost', 
you can also use "--allow-localhost". Because this isn't going to match the name 
in the SSL certificate, you will get the browser complaining about the SSL 
certificate not matching, which you would have to tell the browser to ignore.

If you were after other typical HTTPS/HTTP behaviour beyond that then let me 
know what you are after. There is also support for client certificates and 
forcing SSL certificate information into the WSGI environment.

Graham
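
A pre-build check for the value passed to "--hsts-policy", as an added example that is not part of Graham's message or of mod_wsgi: it validates the policy against the Strict-Transport-Security grammar in RFC 6797 and then emits a CMD line using only the options named above. The function names, the one-year minimum and the sample policies are assumptions made for illustration.

```python
import json
import re

MIN_MAX_AGE = 31536000  # assumption: one year as the floor for a production policy


def check_hsts_policy(policy):
    """Return a list of problems found in an HSTS policy string (RFC 6797)."""
    problems = []
    seen = {}
    for raw in policy.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # the grammar allows empty directives between ';'
        name, sep, value = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if name in seen:
            problems.append("duplicate directive: " + name)
            continue
        seen[name] = value
        if name == "max-age":
            # the value may be a bare token or a quoted-string
            digits = value[1:-1] if re.fullmatch(r'"\d+"', value) else value
            if not re.fullmatch(r"\d+", digits):
                problems.append("max-age is not a non-negative integer: %r" % value)
            elif int(digits) == 0:
                problems.append("max-age=0 tells browsers to drop the policy")
            elif int(digits) < MIN_MAX_AGE:
                problems.append("max-age below %d seconds" % MIN_MAX_AGE)
        elif name == "includesubdomains" and sep:
            problems.append("includesubdomains takes no value")
    if "max-age" not in seen:
        problems.append("max-age is required")
    return problems


def dockerfile_cmd(policy, server_name="www.example.com"):
    """Build the Dockerfile CMD line, refusing a policy that fails the check."""
    problems = check_hsts_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["--enable-https", "--https-only", "--hsts-policy", policy,
            "--server-name", server_name, "--ssl-certificate", "server",
            "hello.wsgi"]
    return "CMD " + json.dumps(args)


if __name__ == "__main__":
    # constructed sample policies, not taken from the thread
    for sample in ("max-age=31536000; includeSubDomains", "max-age=300", "includeSubDomains"):
        print(repr(sample), "->", check_hsts_policy(sample) or "ok")
    print(dockerfile_cmd("max-age=31536000; includeSubDomains"))
```

Browsers cache an HSTS policy for the full max-age, so a host that later loses its certificate stays unreachable over plain HTTP until that time expires; test with a short value first and raise the floor once HTTPS is stable.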
