
Setting up an HTTPS service with Flask, Tornado and Nginx

A Flask app can in fact be deployed directly with Tornado:

# coding=utf-8
from tornado.wsgi import WSGIContainer
from tornado.httpserver import HTTPServer
from tornado.ioloop import IOLoop
from app.app_main import app


if __name__ == '__main__':
    http_server = HTTPServer(WSGIContainer(app))
    http_server.listen(9050)
    IOLoop.instance().start()

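With the above, the app can be reached at the IP address or domain name plus port 9050.

But what if it needs to support HTTPS? What if the domain should be reachable directly (with no port number after it)? And what if HTTP requests should redirect straight to HTTPS?

Let's go through it.

First, the deployment code needs to change: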

# coding=utf-8
import os.path
from tornado.httpserver import HTTPServer
from tornado.wsgi import WSGIContainer
from tornado import ioloop
from app.app_main import app


# Locate the project root from the current working directory
pl = os.getcwd().split('cover_app_platform')
cert_path = os.path.join(pl[0], 'cover_app_platform', 'app', 'https_cert')


def main():
    # Wrap the Flask (WSGI) app so Tornado can serve it
    application = WSGIContainer(app)
    # Path to the HTTPS certificate
    https_cert_file = os.path.join(cert_path, 'covercert.pem')
    # Path to the HTTPS certificate's private key
    https_key_file = os.path.join(cert_path, 'privatekey.pem')
    # HTTPS server
    server = HTTPServer(application, ssl_options={
        "certfile": https_cert_file,
        "keyfile": https_key_file,
    })
    # Listen on port 9070
    server.listen(9070)
    ioloop.IOLoop.instance().start()


if __name__ == "__main__":
    main()

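As for how to generate the "covercert.pem" and "privatekey.pem" files: you can ask your ops team to generate them for you, or have ops give you the root certificate and generate them yourself:

# Generate the certificate request file and the private key file
openssl req -nodes -newkey rsa:2048 -out coverreq.pem -keyout privatekey.pem
# req: short for "request"; issues a request for a digital certificate
# -nodes: do not protect the private key with a passphrase, which simplifies the process
# -newkey: generate a new key, specifying the algorithm and length (2048 bits here; 1024-bit RSA is too weak and many current TLS libraries and browsers reject it)
# -out: write the request file (not a secret file)
# -keyout: write the private key
# Generate the certificate: use the request file and the private key to issue the certificate, signing it yourself
openssl req -in coverreq.pem -x509 -key privatekey.pem -out covercert.pem -days 3650
# -in: use the request file from the previous step as input
# -x509: certificate format
# -key: private key file
# -out: the resulting certificate file
# -days: certificate validity period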

Next we configure nginx; installing it is not covered here.

Before editing the nginx\conf\nginx.conf configuration file, save a copy of it first.

Find the http{} block:

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  xx.thecover.cn;
        rewrite ^(.*) https://$server_name$1 permanent;

        # charset utf-8;

        #access_log  logs/host.access.log  main;

        location / {
            proxy_pass https://localhost:9070;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

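In the server block we set the listening port to 80 and the domain name to "xx.thecover.cn". The line "rewrite ^(.*) https://$server_name$1 permanent;" forwards every request to HTTPS, so a client that visits the HTTP domain is switched straight to HTTPS.

In the location block we simply configure the address and port our Flask app is started on: "proxy_pass https://localhost:9070;".

Next, configure HTTPS.

Before configuring HTTPS, the certificate and private key files need to be placed in the /conf/cert directory under nginx. The conf directory usually has no cert folder, so create one.

Then find the "# HTTPS server" section.

The server{} block here is usually commented out; uncomment all of it: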

 # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name   localhost;

        ssl_certificate      cert/covercert.pem;
        ssl_certificate_key  cert/privatekey.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); add TLSv1.3 if your nginx/OpenSSL build supports it
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers  on;

        location / {
            #root   html;
            #index  index.html index.htm;
            proxy_pass   https://localhost:9070;
        }

    }

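That configuration is all that is needed; the location block here also has to point at the address the Flask app is served on.

OK, at this point everything is configured.

Visiting the domain directly at https://xx.thecover.cn, http://xx.thecover.cn or https://xx.thecover.cn:9070 all works, no problem.

Also, if the HTTPS certificate is one you created yourself, browsers will report it as invalid or insecure; it still has to be generated from a root certificate.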
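A check for the nginx settings configured above, as an added example (not the author's code): it scans each server block for deprecated `ssl_protocols` values, plain-HTTP listeners that do not redirect to HTTPS, and `proxy_pass https://...` upstreams whose certificate nginx is not told to verify. The sample config is constructed, and the function names `server_blocks` and `audit` are hypothetical.

```python
import re

# Constructed sample shaped like the two server blocks in this post,
# with a weak ssl_protocols line for the check to catch.
SAMPLE_CONF = """
server {
    listen 80;
    server_name xx.thecover.cn;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass https://localhost:9070; }
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (assumes no '#' inside values)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (listen, finding) tuples for weak TLS settings in each server block."""
    findings = []
    for block in server_blocks(conf):
        m = re.search(r"\blisten\s+([^;]+);", block)
        listen = m.group(1).strip() if m else "80"  # nginx's default port when run as root
        tls = "ssl" in listen.split()
        protos = re.search(r"\bssl_protocols\s+([^;]+);", block)
        weak = sorted(DEPRECATED & set(protos.group(1).split())) if protos else []
        if tls and weak:
            findings.append((listen, "deprecated protocols enabled: " + " ".join(weak)))
        # A cleartext listener should do nothing except redirect to HTTPS.
        if not tls and not re.search(r"\b(rewrite|return)\b[^;]*https://", block):
            findings.append((listen, "plain HTTP without redirect to HTTPS"))
        # nginx does not verify an HTTPS upstream's certificate unless told to
        # (proxy_ssl_verify on; plus proxy_ssl_trusted_certificate).
        verified = re.search(r"\bproxy_ssl_verify\s+on\s*;", block)
        for upstream in re.findall(r"\bproxy_pass\s+(https://[^;\s]+)", block):
            if not verified:
                findings.append((listen, "upstream certificate not verified: " + upstream))
    return findings

if __name__ == "__main__":
    for listen, finding in audit(SAMPLE_CONF):
        print(f"listen {listen}: {finding}")
```

To run it against a real file, pass the contents of nginx.conf to `audit()` in place of `SAMPLE_CONF`.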