adding ssl support to waitress #287

Closed
brightening-eyes opened this issue Mar 29, 2020 · 16 comments
Comments

@brightening-eyes

Hi,
if waitress provided a way to specify public and private keys for SSL, it would be cool, using ssl_context, or ssl_context='adhoc', which werkzeug provides by generating a certificate.

@stevepiercy (Member)

See #86 (comment)

Until then, you can set up another server in front to handle TLS, and proxy to waitress. nginx is one popular choice.

@onkar6699

@stevepiercy I have used nginx as a reverse proxy for TLS, so the request flow is like
Browser - nginx - waitress. In this case nginx is responsible for handling the certificate, but what I have observed is that the browser can bypass nginx and directly access the waitress URL. How can I avoid that? Is there any way?

@onkar6699

@brightening-eyes @j4mie @kgaughan @pjenvey could any one of you please comment on the above question?

@stevepiercy (Member)

Please provide a reproducible example configuration, as well as log files of both nginx and waitress that indicate a request bypasses nginx and hits waitress only. This sounds like a misconfiguration of nginx.

@onkar6699

onkar6699 commented Oct 27, 2021

@stevepiercy I have the setup on Windows. I have referred to the link below:
https://dev.to/thetrebelcc/how-to-run-a-flask-app-over-https-using-waitress-and-nginx-2020-235c
As you can see, `location /` is passed `proxy_pass http://ipaddr:5000;`.
If I hit http://ipaddr:5000 I get the result,
and with the proxied address https://$servername$req_uri I still get a result, which is valid (HTTPS),
but I want only HTTPS to run. How can I achieve that?

@stevepiercy (Member)

That configuration is not what you want. Here is one that is closer to what you want. It is slightly more complex (2 nginx config files, one for server wide, the other for the app), uses Pyramid instead of Flask (that does not matter), and includes sections on pserve and Supervisord that you can ignore.

@onkar6699

@stevepiercy but in my case I wanted to access the flask API only using HTTPS (secure); I don't want to access it by HTTP from the browser. Is there any way to achieve that?
For example:
waitress server(127.0.0.1, port=8080, url_scheme=https) ->> http://localhost:8080
nginx redirect to https://localhost:5000 -> http://localhost:8080
But I want a setup where it can be accessed only via nginx, not by using http://localhost:8080.

@stevepiercy (Member)

Add a redirect to that sample configuration within the server stanza. Also do not listen on ports you do not want exposed.

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
```

@onkar6699

```nginx
listen 80 default_server;
listen [::]:80 default_server;
```
@stevepiercy it would be great if you could explain the above lines, please.

@onkar6699

onkar6699 commented Oct 27, 2021

@stevepiercy
```nginx
# (the enclosing server block that contains this location is not shown in the post)
    location / {
        proxy_pass http://localhost:5000;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}

server {
    listen 5000 default_server;
    listen [::]:5000 default_server;

    server_name localhost;

    return 302 https://$server_name$request_uri;
}
```

Above is a snippet of the config.
Here the problem is solved in that
if I use http://localhost:5000/url
it is redirected to https://localhost/url,

but when I hit the URL by system IP,
http://10.221.23.43:/hello
I still get the result by bypassing nginx.
Is there any way?

@stevepiercy (Member)

That's not the configuration I suggested.

@onkar6699

onkar6699 commented Oct 27, 2021

But if I try using the above link:
```
Client <---> nginx [0.0.0.0:80] <---> (static files)
                   /|
                    |-------> WSGI App [localhost:5000]
                    `-------> WSGI App [localhost:5001]
```
Here, if I pass both my URLs,
HTTP and HTTPS, this will work, but I wanted to access it only via HTTPS and don't want to access it from HTTP. How can I achieve this?

@stevepiercy (Member)

This is not an issue with waitress, but with how to configure SSL with nginx. Please consult their documentation.

@mmerickel (Member)

@onkar6699 the issue is that you're configuring waitress to be publicly accessible by telling it to allow traffic from 0.0.0.0. Set host='localhost' instead and it will only accept traffic internal to the computer, thus allowing only nginx to talk to it directly.
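The two pieces of advice in this thread, bind waitress to loopback so nothing but nginx can reach it, and let nginx redirect port 80 to HTTPS, are the actual fix. The following is an added example, not waitress's code and not from any participant, of a stdlib-only WSGI middleware you can put in front of the app as a second line of defence: it refuses any request whose TCP peer is not the proxy, and only then looks at the proxy's `X-Forwarded-Proto` header. The order matters: a client that reached waitress directly can send any `X-Forwarded-Proto: https` it likes, so the header proves nothing unless the peer address is checked first. Everything here is assumed, not configuration from the issue: nginx runs on the same host, proxies to waitress on 127.0.0.1:8080, and sets `proxy_set_header X-Forwarded-Proto $scheme;`. The environs, the hostname and the address 10.221.23.43 in the demo are constructed for the example. Waitress also ships its own `url_scheme`, `trusted_proxy` and `trusted_proxy_headers` settings for the header half of this; the middleware is an illustration of the check, not a replacement for those.

```python
"""Added example: refuse requests that did not come through the TLS proxy.

Assumptions (not from the issue): nginx on the same host proxies to waitress on
127.0.0.1:8080 and sets X-Forwarded-Proto; waitress is started with host="127.0.0.1".
"""
from ipaddress import ip_address
from urllib.parse import quote

# Peers allowed to talk to the app at all. With waitress bound to loopback, the
# only legitimate REMOTE_ADDR is the loopback address nginx connects from.
TRUSTED_PROXIES = frozenset({ip_address("127.0.0.1"), ip_address("::1")})


def is_trusted_proxy(remote_addr, trusted=TRUSTED_PROXIES):
    """True only when the TCP peer is one of the trusted proxy addresses."""
    try:
        return ip_address(remote_addr) in trusted
    except ValueError:  # empty or malformed REMOTE_ADDR
        return False


def forwarded_proto(environ):
    """Scheme asserted by the proxy, or None. With chained proxies the header is
    comma-separated; the first element is what the client-facing hop saw."""
    first = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return first or None


def classify(environ, trusted=TRUSTED_PROXIES):
    """'direct': peer is not the proxy (someone bypassed nginx).
    'plain': came via the proxy, but the proxy saw plain HTTP.
    'ok': came via the proxy over HTTPS.
    The peer is checked before the header is read, so a spoofed header from a
    client that bypassed nginx never counts."""
    if not is_trusted_proxy(environ.get("REMOTE_ADDR", ""), trusted):
        return "direct"
    if forwarded_proto(environ) != "https":
        return "plain"
    return "ok"


def https_location(environ):
    """https:// URL for a redirect, built from the request's own host and path."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


def require_proxy_tls(app, trusted=TRUSTED_PROXIES):
    """Wrap a WSGI app so only HTTPS requests relayed by the trusted proxy reach it."""
    def wrapped(environ, start_response):
        verdict = classify(environ, trusted)
        if verdict == "direct":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access is not permitted; use the HTTPS front end\n"]
        if verdict == "plain":
            # nginx should already redirect port 80; this is belt and braces.
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)),
                            ("Content-Length", "0")])
            return [b""]
        # Tell the app (and any URL generation) that the client used HTTPS.
        environ["wsgi.url_scheme"] = "https"
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal app that echoes the scheme it was told about."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello over %s\n" % environ["wsgi.url_scheme"]).encode()]


def make_environ(remote_addr, forwarded_proto=None, path="/hello", query=""):
    """Constructed WSGI environ standing in for what waitress would build."""
    environ = {
        "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": path,
        "QUERY_STRING": query, "SERVER_NAME": "localhost", "SERVER_PORT": "8080",
        "HTTP_HOST": "localhost", "REMOTE_ADDR": remote_addr,
        "wsgi.url_scheme": "http",  # what waitress sees on its plain-HTTP socket
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def call(app, environ):
    """Invoke a WSGI app and return (status, headers dict, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = require_proxy_tls(hello_app)
    print(call(app, make_environ("127.0.0.1", "https")))           # served
    print(call(app, make_environ("127.0.0.1", "http", query="a=1")))  # redirected
    print(call(app, make_environ("10.221.23.43", "https")))        # refused, header ignored
```

To use it for real, wrap the application once (`app = require_proxy_tls(flask_app)`) and hand the wrapped object to waitress, still bound to 127.0.0.1; the middleware does nothing useful if waitress is left listening on 0.0.0.0 and the proxy is not on the same host, because then the trusted set would have to name the proxy's real address and nothing stops other hosts from spoofing it at the network level.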
