Flask、Tornado、Nginx搭建Https服务
其实Flask可以直接用tornado部署就行:
# coding=utf-8 from tornado.wsgi import WSGIContainer from tornado.httpserver import HTTPServer from tornado.ioloop import IOLoop from app.app_main import app if __name__ == '__main__': http_server = HTTPServer(WSGIContainer(app)) http_server.listen(9050) IOLoop.instance().start()
以上就可以直接通过访问ip或者域名加9050端口就可以访问了。
但是,如果要支持https呢?要直接访问域名(域名后面不叫端口号)呢?同时访问http直接跳转到https呢?
接下来讲一下:
首先,部署方式要修改一下代码:
# coding=utf-8 import os.path from tornado.httpserver import HTTPServer from tornado.wsgi import WSGIContainer from tornado import ioloop from app.app_main import app pl = os.getcwd().split('cover_app_platform') cert_path = pl[0] + r'cover_app_platform\\app\\https_cert\\' def main(): application = HTTPServer(WSGIContainer(app)) # https证书地址 https_cert_file = cert_path + 'covercert.pem' # https证书私钥地址 https_key_file = cert_path + 'privatekey.pem' # https服务 server = HTTPServer(application, ssl_options={"certfile": https_cert_file, "keyfile": https_key_file}) # 9070启动端口 server.listen(9070) ioloop.IOLoop.instance().start() if __name__ == "__main__": main()
当然,怎么生成“covercert.pem”和'privatekey.pem'文件呢,你可以找你们运维给你生成,或者让运维给你根证书,自己生成:
# 生成证书的申请文件和私钥文件 openssl req -nodes -newkey rsa:1024 -out coverreq.pem -keyout privatekey.pem
# req:request的简写,代表发出一个申请数字证书的请求 # -nodes:不生成pin码,简化流程 # -newkey:生成新证书并指明加密算法和长度,也可以写成2048 # -out:输出一个请求文件,非密码文件 # -keyout:生成私钥 # 生成证书 :使用申请文件和私钥进行证书的申请,自己给自己颁发证书 openssl req -in coverreq.pem -x509 -key privatekey.pem -out covercert.pem -days 3650
# -in:用之前的申请文件作为输入
# -x509:证书格式
# -key:私钥文件
# -out:产出的证书文件
# -days:证书有效期
然后我们来配置nginx,怎么安装就不介绍了:
在配置nginx\conf\nginx.conf 配置文件前,先copy保存一下,
找到http{}段:
http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name xx.thecover.cn; rewrite ^(.*) https://$server_name$1 permanent; # charset utf-8; #access_log logs/host.access.log main; location / { proxy_pass https://localhost:9070; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} }
server里我们配置运行的端口为80,域名为“xx.thecover.cn”,“rewrite ^(.*) https://$server_name$1 permanent;” 请求都转发到https,比如客服端访问http域名,也直接转为https。
location 里直接配置我们flask启动的地址和端口“proxy_pass https://localhost:9070;”。
接下来配置Https:
配置https前,我们需要把证书和私钥文件放到nginx下的/conf/cert目录下,一般conf下没有cert文件夹的,需要直接建一个:
然后找到# HTTPS server段:
server{}这里一般都是注释了的,都打开:
# HTTPS server # server { listen 443 ssl; server_name localhost; ssl_certificate cert/covercert.pem; ssl_certificate_key cert/privatekey.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { #root html; #index index.html index.htm; proxy_pass https://localhost:9070; } }
如上配置就行,localtion里也需要配置flask访问的地址。
ok,到此为止,我们就配置好了:
直接访问域名:https://xx.thecover.cn,http:xx.thecover.cn, https:xx.thecover.cn:9070,都可以访问,妥妥的。
另外,如果https证书是自己建立的话,浏览器访问会提示无效,或者不安全,还是要根证书来生成才行。