SSL on my own domain?

Is there any mechanism yet for using my own SSL certificate to get SSL/HTTPS for my web app running on my own domain?

Also curious to know this

We don't have an automatic, easy setup of this yet, but we can do it. Drop us an email to support@pythonanywhere.com if you want to try it and we'll see what we can do.

Emailed :) Thanks!

Still eagerly awaiting a response to my email :)

Sorry for the slow response! Glenn is typing an email to you as I write this :-)

Thanks! Glenn got back to me today just after I had finished throwing my site behind cloudflare.com since they do some SSL magic that makes a quick implementation easy. Kudos over there and to you guys.

I did notice when playing around that since you guys have a wildcard SSL cert, I can throw an https in front of my domain and it works just fine. Is there a way to enforce this using WSGI?

Hi there MorePyPlease, do you mean you want to force redirects from http to https? We don't currently support that, but it might be a feature other people would like... I'll add it as a ticket in our tracker. In the meantime, it might be possible to do it in Python? You could manually detect whether a request comes in via http and issue your own 302. In Django, for example, there's a request.is_secure()...

That's exactly what I am looking for! That would be an awesome feature. I'll look into how to do that with Flask, primarily I just want to make sure a few pages enforce https but I'd prefer to encapsulate the entire site.

The Flask Request object has the url attribute which you should be able to parse and extract the scheme (either "http" or "https"). There may be a more elegant way of doing it, but this seems like it should work.

NB - If you wanted to avoid the overhead of a full urlparse you could do something slightly hacky like request.url.lstrip().lower().startswith("https"), but I'd hope the overhead of parsing should be very low.

EDIT: On a whim, I did some quick tests with timeit and the hacky version above takes only about half the time of urlparse.urlsplit(), but neither of them takes more than a second to do a million repetitions so don't worry about it. Interestingly, urlparse.urlparse() takes more than twice as long as urlparse.urlsplit().

Thanks Cartroo, I'll look into that and see if it will be a good interim fix for me!

You're welcome. The scheme is typically one of the more reliable parts of the request because it's synthesized by the webserver/framework, as it's not part of the HTTP request itself.

I also discovered this snippet earlier which does more or less exactly what you want - I haven't tested it in the slightest so bear that in mind if you give it a shot. It seems to imply that the request offers an is_secure() method I must have missed in the official Flask docs.

In general it looks like the Flask lot have decided that SSL is just something for application wrappers to worry about and they'll just deal with the HTTP side of things. This is fine as far as it goes, but it could become annoying in the case of, say, client-side certificates for authentication. I know that many wrappers and servers (e.g. nginx, uwsgi) allow you to specify a trusted root against which client certificates will be authenticated, but this approach is inherently less flexible than allowing the web app itself to do it.

Still, client-side certs are still fairly unusual, so I guess it's not unreasonable.
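
The http-to-https redirect discussed in this thread, written as WSGI middleware; this is an added example, not code from any of the posts or from PythonAnywhere. The class name `ForceHTTPS`, the `canonical_host` and `trust_forwarded_proto` parameters, and the `demo_app` and `simulate` helpers are assumptions made for illustration, and whether a given host sets `X-Forwarded-Proto` must be checked against that host's documentation.

```python
from urllib.parse import quote

class ForceHTTPS:
    """WSGI middleware: answer plain-HTTP requests with a 302 to the HTTPS URL."""

    def __init__(self, app, canonical_host, trust_forwarded_proto=False):
        self.app = app
        self.canonical_host = canonical_host  # assumed value, e.g. "www.example.com"
        self.trust_forwarded_proto = trust_forwarded_proto

    def is_secure(self, environ):
        # wsgi.url_scheme is filled in by the server, not copied from the request.
        if environ.get("wsgi.url_scheme") == "https":
            return True
        # Behind a TLS-terminating proxy the server itself sees plain HTTP. Honour
        # X-Forwarded-Proto only if that proxy is known to set or overwrite it;
        # otherwise any client can send the header and skip the redirect.
        if self.trust_forwarded_proto:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
            return proto.split(",")[0].strip().lower() == "https"
        return False

    def __call__(self, environ, start_response):
        if self.is_secure(environ):
            return self.app(environ, start_response)
        # Build the target from the configured host, never from the Host header,
        # so a forged Host cannot steer the redirect to another site.
        raw = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        location = "https://" + self.canonical_host + (quote(raw, encoding="latin-1") or "/")
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("302 Found", [("Location", location), ("Content-Length", "0")])
        return [b""]

def demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure content"]

def simulate(app, environ):
    """Call a WSGI app with a constructed environ; return (status, headers, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

With Flask the middleware wraps the application as `app.wsgi_app = ForceHTTPS(app.wsgi_app, "www.example.com")`. A redirect only protects requests after the first one, so session cookies should also carry the `Secure` flag.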