Nginx Configuration

Although there are many HTTP proxies available, we strongly advise that you use Nginx. If you choose another proxy server you need to make sure that it buffers slow clients when you use default Gunicorn workers. Without this buffering Gunicorn will be easily susceptible to denial-of-service attacks. You can use Hey to check if your proxy is behaving properly.

An example configuration file for fast clients with Nginx:

nginx.conf

  1. worker_processes 1;
  3. user nobody nogroup;
  4. # 'user nobody nobody;' for systems with 'nobody' as a group instead
  5. error_log  /var/log/nginx/error.log warn;
  6. pid /var/run/nginx.pid;
  8. events {
  9.   worker_connections 1024; # increase if you have lots of clients
  10.   accept_mutex off; # set to 'on' if nginx worker_processes > 1
  11.   # 'use epoll;' to enable for Linux 2.6+
  12.   # 'use kqueue;' to enable for FreeBSD, OSX
  13. }
  15. http {
  16.   include mime.types;
  17.   # fallback in case we can't determine a type
  18.   default_type application/octet-stream;
  19.   access_log /var/log/nginx/access.log combined;
  20.   sendfile on;
  22.   upstream app_server {
  23.     # fail_timeout=0 means we always retry an upstream even if it failed
  24.     # to return a good HTTP response
  26.     # for UNIX domain socket setups
  27.     server unix:/tmp/gunicorn.sock fail_timeout=0;
  29.     # for a TCP configuration
  30.     # server 192.168.0.7:8000 fail_timeout=0;
  31.   }
  33.   server {
  34.     # if no Host match, close the connection to prevent host spoofing
  35.     listen 80 default_server;
  36.     return 444;
  37.   }
  39.   server {
  40.     # use 'listen 80 deferred;' for Linux
  41.     # use 'listen 80 accept_filter=httpready;' for FreeBSD
  42.     listen 80;
  43.     client_max_body_size 4G;
  45.     # set the correct host(s) for your site
  46.     server_name example.com www.example.com;
  48.     keepalive_timeout 5;
  50.     # path for static files
  51.     root /path/to/app/current/public;
  53.     location / {
  54.       # checks for static file, if not found proxy to app
  55.       try_files $uri @proxy_to_app;
  56.     }
  58.     location @proxy_to_app {
  59.       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  60.       proxy_set_header X-Forwarded-Proto $scheme;
  61.       proxy_set_header Host $http_host;
  62.       # we don't want nginx trying to do something clever with
  63.       # redirects, we set the Host: header above already.
  64.       proxy_redirect off;
  65.       proxy_pass http://app_server;
  66.     }
  68.     error_page 500 502 503 504 /500.html;
  69.     location = /500.html {
  70.       root /path/to/app/current/public;
  71.     }
  72.   }
  73. }

If you want to be able to handle streaming request/responses or other fancy features like Comet, Long polling, or Web sockets, you need to turn off the proxy buffering. When you do this you must run with one of the async worker classes.

To turn off buffering, you only need to add proxy_buffering off; to your location block:

  1. ...
  2. location @proxy_to_app {
  3.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  4.     proxy_set_header Host $http_host;
  5.     proxy_redirect off;
  6.     proxy_buffering off;
  8.     proxy_pass http://app_server;
  9. }
  10. ...

It is recommended to pass protocol information to Gunicorn. Many web frameworks use this information to generate URLs. Without this information, the application may mistakenly generate ‘http’ URLs in ‘https’ responses, leading to mixed content warnings or broken applications. To configure Nginx to pass an appropriate header, add a proxy_set_header directive to your location block:

  1. ...
  2. proxy_set_header X-Forwarded-Proto $scheme;
  3. ...

If you are running Nginx on a different host than Gunicorn you need to tell Gunicorn to trust the X-Forwarded-* headers sent by Nginx. By default, Gunicorn will only trust these headers if the connection comes from localhost. This is to prevent a malicious client from forging these headers:

  1. $ gunicorn -w 3 --forwarded-allow-ips="10.170.3.217,10.170.3.220" test:app

When the Gunicorn host is completely firewalled from the external network such that all connections come from a trusted proxy (e.g. Heroku) this value can be set to ‘*’. Using this value is potentially dangerous if connections to Gunicorn may come from untrusted proxies or directly from clients since the application may be tricked into serving SSL-only content over an insecure connection.

Gunicorn 19 introduced a breaking change concerning how REMOTE_ADDR is handled. Previous to Gunicorn 19 this was set to the value of X-Forwarded-For if received from a trusted proxy. However, this was not in compliance with RFC 3875 which is why the REMOTE_ADDR is now the IP address of the proxy and not the actual user. You should instead configure Nginx to send the user’s IP address through the X-Forwarded-For header like this:

  1. ...
  2. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  3. ...

It is also worth noting that the REMOTE_ADDR will be completely empty if you bind Gunicorn to a UNIX socket and not a TCP host:port tuple.