
mist updats for https

1 parent 1f8c546 commit a9b5b90b1b11f842fec133779daf12f1019ffc40 @jvanasco committed Mar 14, 2012
Showing with 154 additions and 1 deletion.
  1. +48 −1 README.txt
  2. +5 −0 development.ini
  3. +59 −0 nginx.conf
  4. +13 −0 nginx/ssl/ssl.crt
  5. +11 −0 nginx/ssl/ssl.csr
  6. +15 −0 nginx/ssl/ssl.key
  7. +3 −0 setup.py
@@ -409,7 +409,54 @@ This will allow anything with session_https. or beaker_session_https. in your de
the https session cookie will be an attribute of the request, as request.session_https.
-Please note -- on the current version of the package, it will be an empty session on non-https connections.
+Please note -- on the first version of the package, it will be an empty session on non-https connections, version 0.0.2 and above will return NONE unless we're on an HTTPS session
+
+
+# illustrating an https session via a load-balancer/upstream proxy , with nginx
+
+The simplest way to simulate a production environment is to install nginx onto your local machine ( nginx.net )
+
+Nginx is a super-small , very-lightweight webserver that many people prefer to run as the frontend proxy on their installations.
+
+when you compile nginx, make sure you have the ssl module installed.
+
+## create a key
+i included a self-signed key in the ssl/ directory.
+
+create the key + certificate signing request
+
+ openssl req -new -nodes -keyout ssl.key -out ssl.csr
+
+sign the csr into a cert
+
+ openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
+
+## configure nginx to use the key
+
+i included a stripped-down verison of the config file for nginx , which references the certs
+
+## configure the app to use PasteDeploy's prefix middleware
+
+prefix-middleware does a lot of things that we don't necessarily need. it also does one thing we do need - adjust the environment vars to allow for https detection and various other proxy needs. check out the 3 lines in development.ini used to configure this:
+
+[app:main]
++filter-with = proxy-prefix
+
++[filter:proxy-prefix]
++use = egg:PasteDeploy#prefix
+
+as of version 0.0.2 of my session_https module, the session will either be a session object on https connections, or None on http connections
+
+
+
+
+
+
+
+
+
+
+
@@ -51,6 +51,11 @@ facebook.app.oauth_code_redirect_uri= http://127.0.0.1:5010/account/facebook-aut
# gaq_hub
gaq.account_id= UA-00000000-1
+filter-with = proxy-prefix
+
+[filter:proxy-prefix]
+use = egg:PasteDeploy#prefix
+
[server:main]
use = egg:waitress#main
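Review bot: `filter-with = proxy-prefix` makes the app derive its scheme, host and client address from `X-Forwarded-*` request headers (the prefix middleware's default behaviour, as far as I know), and nothing in the file records that this is only safe when every request arrives through a proxy that sets those headers itself. The `[server:main]` settings continue outside the hunk, so the waitress bind address is not visible here; it should stay on loopback so the app cannot be reached directly. I would add a comment above the new line, for example `# prefix filter trusts X-Forwarded-* headers; keep waitress bound to 127.0.0.1 and reachable only via nginx`.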
@@ -0,0 +1,59 @@
+#user nobody;
+worker_processes 1;
+events {
+ worker_connections 1024;
+}
+
+http {
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip off;
+ server_tokens off;
+ access_log off;
+ error_log /dev/null crit ;
+ server {
+ listen 80;
+ server_name localhost;
+ location / {
+ root html;
+ index index.html index.htm;
+
+ proxy_pass http://127.0.0.1:5010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect off;
+
+ }
+ }
+
+ server {
+ listen 443;
+
+ ssl on;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
+ ssl_certificate nginx/ssl/ssl.crt;
+ ssl_certificate_key nginx/ssl/ssl.key;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ location / {
+
+ ### Configure Pass ####
+ proxy_pass http://127.0.0.1:5010;
+
+ ### Set headers ####
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ ### Most PHP, Python, Rails, Java App can use this header ###
+ proxy_set_header X-Forwarded-Proto https;
+
+ ### By default we don't want to redirect it ####
+ proxy_redirect off;
+ }
+ }
+}
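Review bot: The port-80 `server` block never sets `X-Forwarded-Proto`, so nginx passes through whatever value the client sent; combined with the PasteDeploy prefix filter enabled in development.ini, a plain-HTTP request that supplies that header itself could be treated by the app as HTTPS, which undermines the https-only session. Add `proxy_set_header X-Forwarded-Proto $scheme;` to the port-80 `location /`, and, since the prefix middleware also appears to honour `X-Forwarded-Scheme`, clear it in both blocks with `proxy_set_header X-Forwarded-Scheme "";`. Separately, `ssl_protocols` still enables SSLv3 and `ssl_ciphers` offers RC4, 3DES and an MD5 suite, all of which are considered broken or weak; drop SSLv3 and those suites before this config is reused outside a local demo. A comment at the top saying the file is a development example would help too.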
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----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+-----END CERTIFICATE REQUEST-----
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
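Review bot: This commits an unencrypted RSA private key (the README generates it with `-nodes`), so the key behind `nginx/ssl/ssl.crt` is known to everyone who can read the repository and must never protect real traffic. I would keep `nginx/ssl/ssl.key` out of version control and let each developer create a pair with the two `openssl` commands the README already lists; if the file stays for convenience, the README should say plainly that it is a public, demo-only key. The key body is not shown in this view, but a 15-line PEM suggests a 1024-bit key, so regenerating with at least 2048 bits is worth doing at the same time.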
@@ -18,6 +18,9 @@
'pyramid_beaker',
'simplejson',
+ # we need this for https awareness
+ 'pastedeploy',
+
# as a bonus, lets integrate pymongo
'pymongo',
