0

I'm going to implement a web app which requires clients to authenticate with client certificates. The web app is running behind a load balancer which talks to internal services in a non-HTTPS way.

I've configured my tornado with the following:

    import logging
    import ssl

    import tornado.httpserver
    import tornado.ioloop

    if __name__ == "__main__":
        app = make_app()

        # TLS context that requires a client certificate signed by ca.crt
        ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        ssl_ctx.load_cert_chain("../server.crt", "../server.key")
        ssl_ctx.load_verify_locations("../ca.crt")
        ssl_ctx.verify_mode = ssl.CERT_REQUIRED
        http_server = tornado.httpserver\
            .HTTPServer(app, ssl_options=ssl_ctx)
        http_server = tornado.httpserver.HTTPServer(app)
        http_server.listen(3333)
        logging.info("Server is running.")
        tornado.ioloop.IOLoop.current().start()

It works only over HTTPS. My question is: Is there any way to configure Tornado to work over HTTP?

Super Hornet
  • 103
  • 7

1 Answer

0

Your sample actually starts an HTTP server, not an HTTPS one, because the variable http_server is reassigned. The first time:

    http_server = tornado.httpserver\
        .HTTPServer(app, ssl_options=ssl_ctx)

you declare an HTTPS server, then:

    http_server = tornado.httpserver.HTTPServer(app)

you instantiate another server, this time not enabling SSL. This instance is the only one that is activated by the listen method call.

This is the usual pattern: let the load balancer handle SSL, and use HTTP behind.

makeroo
  • 101
  • 2
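When the load balancer terminates TLS, the app behind it never sees the client certificate, so the balancer has to pass the verification result along and the app has to accept it only from the balancer. The following is an added example, not code from the question or the answer; the header names, the proxy address range, the allowed subject and the nginx-style `SUCCESS` value are assumptions that must match the balancer's configuration.

```python
import ipaddress

# Assumptions (not from the original post): the balancer's address range,
# the header names it sets, and the allowed certificate subject.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]    # constructed value
VERIFY_HEADER = "x-ssl-client-verify"    # balancer's verification result
SUBJECT_HEADER = "x-ssl-client-s-dn"     # subject DN of the verified cert
ALLOWED_SUBJECTS = {"CN=billing-client,O=Example"}         # constructed value


class ClientCertRejected(Exception):
    """Raised when the request carries no trustworthy client identity."""


def client_identity(remote_ip, headers):
    """Return the verified certificate subject, or raise ClientCertRejected.

    remote_ip must be the socket peer address. In Tornado that is
    self.request.remote_ip only while xheaders is off; with xheaders=True
    the value is taken from forwarded headers instead.
    """
    try:
        peer = ipaddress.ip_address(remote_ip)
    except ValueError:
        raise ClientCertRejected("unparseable peer address")

    # The headers mean something only if the balancer wrote them. A request
    # that reaches the plain-HTTP port directly could set them itself.
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise ClientCertRejected("request did not come through the balancer")

    lowered = {name.lower(): value for name, value in headers.items()}

    # Anything other than an explicit success (missing header, "NONE",
    # "FAILED:...") is treated as unauthenticated.
    if lowered.get(VERIFY_HEADER) != "SUCCESS":
        raise ClientCertRejected("client certificate was not verified")

    subject = lowered.get(SUBJECT_HEADER, "")
    if subject not in ALLOWED_SUBJECTS:
        raise ClientCertRejected("certificate subject is not allowed")
    return subject
```

In a Tornado handler this would be called from `prepare()` with `self.request.remote_ip` and `self.request.headers`. The balancer must also overwrite or strip both headers on every incoming request so that a client cannot supply its own values.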