HTTPS support (from 1.3)

Use the https <socket>,<certificate>,<key> option. This option may be specified multiple times. First generate your server key, certificate signing request, and self-sign the certificate using the OpenSSL toolset:

Note

You’ll want a real SSL certificate for production use.

    openssl genrsa -out foobar.key 2048
    openssl req -new -key foobar.key -out foobar.csr
    openssl x509 -req -days 365 -in foobar.csr -signkey foobar.key -out foobar.crt

Then start the server using the SSL certificate and key just generated:

    uwsgi --master --https 0.0.0.0:8443,foobar.crt,foobar.key

As port 443, the port normally used by HTTPS, is privileged (i.e. non-root processes may not bind to it), you can use the shared socket mechanism and drop privileges after binding, like this:

    uwsgi --shared-socket 0.0.0.0:443 --uid roberto --gid roberto --https =0,foobar.crt,foobar.key

uWSGI will bind to 443 on any IP, then drop privileges to those of roberto, and use the shared socket 0 (=0) for HTTPS.

Note

The =0 syntax is currently undocumented.

Note

In order to use the https option, be sure that you have the OpenSSL development headers installed (e.g. libssl-dev on Debian). Install them and rebuild uWSGI so the build system will automatically detect them.

Setting SSL/TLS ciphers

The https option takes an optional fourth argument you can use to specify the OpenSSL cipher suite.

    [uwsgi]
    master = true
    shared-socket = 0.0.0.0:443
    uid = www-data
    gid = www-data

    https = =0,foobar.crt,foobar.key,HIGH
    http-to = /tmp/uwsgi.sock

This will set all of the HIGHest ciphers (whenever possible) for your SSL/TLS transactions.
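To see what the fourth argument actually selects, here is an added example that is not from the uWSGI documentation. uWSGI hands the cipher string to OpenSSL unchanged, so `openssl ciphers -v` prints the same suites the server will offer. The block assumes the openssl CLI is on PATH. It compares the bare HIGH used above with HIGH:!aNULL:!MD5: per the OpenSSL ciphers(1) manual, HIGH is defined by key length alone and therefore also admits the anonymous DH/ECDH suites (aNULL, shown as Au=None), which provide no server authentication unless they are excluded explicitly.

```shell
#!/bin/sh
# Added example, not part of the uWSGI docs: expand a cipher string the way
# OpenSSL (and therefore the https option) interprets it.
# Assumes the `openssl` CLI is on PATH.
set -eu

# expand_cipher_spec SPEC: one line per suite (name, protocol, Kx, Au, Enc, Mac)
expand_cipher_spec() {
    openssl ciphers -v "$1"
}

# count_suites SPEC: number of suites the spec selects
count_suites() {
    expand_cipher_spec "$1" | grep -c '' || true
}

# count_unauthenticated SPEC: suites with no peer authentication (Au=None),
# i.e. the anonymous DH/ECDH suites a bare HIGH does not rule out
count_unauthenticated() {
    expand_cipher_spec "$1" | grep -c 'Au=None' || true
}

# count_null_enc SPEC: suites with no encryption at all (Enc=None); must be 0
count_null_enc() {
    expand_cipher_spec "$1" | grep -c 'Enc=None' || true
}

# Compare the page's bare HIGH with the same group minus anonymous and MD5 suites.
for spec in 'HIGH' 'HIGH:!aNULL:!MD5'; do
    printf '%-20s suites=%s unauthenticated=%s null-enc=%s\n' "$spec" \
        "$(count_suites "$spec")" "$(count_unauthenticated "$spec")" "$(count_null_enc "$spec")"
done
```

Run it against the OpenSSL build uWSGI was linked with, since the expansion depends on how that library was compiled; whatever string you settle on goes verbatim into the fourth argument of https.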

Client certificate authentication

The https option can also take an optional 5th argument. You can use it to specify a CA certificate to authenticate your clients with. Generate your CA key and certificate (this time the key will be 4096 bits and password-protected):

    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate the server key and CSR (as before):

    openssl genrsa -out foobar.key 2048
    openssl req -new -key foobar.key -out foobar.csr

Sign the server certificate with your new CA:

    openssl x509 -req -days 365 -in foobar.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out foobar.crt

Create a key and a CSR for your client, sign it with your CA and package it as PKCS#12. Repeat these steps for each client.

    openssl genrsa -des3 -out client.key 2048
    openssl req -new -key client.key -out client.csr
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -name "Client 01" -out client.p12
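The CA, server and client issuance steps above as one non-interactive script, added here as an example and not part of the uWSGI documentation. It assumes the openssl CLI is on PATH; the subject names, passphrases and the WORKDIR temporary directory are constructed placeholders. It departs from the commands above in three ways: keys are encrypted with -aes256 rather than -des3, -subj and pass: arguments replace the interactive prompts, and every certificate the CA signs gets its own serial number (the commands above give both foobar.crt and client.crt serial 01, while RFC 5280 requires serials to be unique per issuer). The verify_against_ca function performs the chain check a TLS server with ca.crt as its trust store applies to a presented certificate.

```shell
#!/bin/sh
# Added example, not part of the uWSGI documentation: the CA, server and client
# issuance steps as non-interactive shell functions.
# Assumes the `openssl` CLI is on PATH. Subject names, passphrases and the
# working directory are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="ca-passphrase-placeholder"          # constructed; never hard-code a real one
CLIENT_PASS="client-passphrase-placeholder"  # constructed
P12_PASS="p12-export-placeholder"            # constructed; handed to the client out of band

# make_ca: 4096-bit passphrase-protected CA key plus a self-signed CA certificate
# (-aes256 is used instead of -des3; 3DES is a legacy cipher)
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Private CA" -out "$WORKDIR/ca.crt"
}

# make_server_cert: 2048-bit server key and CSR, signed by the CA with serial 1
make_server_cert() {
    openssl genrsa -out "$WORKDIR/foobar.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/foobar.key" -subj "/CN=foobar.example" \
        -out "$WORKDIR/foobar.csr"
    openssl x509 -req -days 365 -in "$WORKDIR/foobar.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -set_serial 01 -out "$WORKDIR/foobar.crt" 2>/dev/null
}

# issue_client NAME SERIAL: one encrypted key, CSR, CA-signed certificate and
# PKCS#12 bundle per client. SERIAL must differ for every certificate the CA signs.
issue_client() {
    name="$1"; serial="$2"
    openssl genrsa -aes256 -passout "pass:$CLIENT_PASS" -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -passin "pass:$CLIENT_PASS" \
        -subj "/CN=$name" -out "$WORKDIR/$name.csr"
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -set_serial "$serial" -out "$WORKDIR/$name.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORKDIR/$name.crt" -inkey "$WORKDIR/$name.key" \
        -passin "pass:$CLIENT_PASS" -name "$name" -passout "pass:$P12_PASS" \
        -out "$WORKDIR/$name.p12"
}

# verify_against_ca CERT: succeed only if CERT chains to ca.crt
verify_against_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# cert_serial CERT: print the serial as openssl reports it (e.g. serial=02)
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

make_ca
make_server_cert
issue_client client01 02
issue_client client02 03
verify_against_ca "$WORKDIR/foobar.crt"
verify_against_ca "$WORKDIR/client01.crt"
echo "certificates written to $WORKDIR"
```

Only the .p12 bundle (and its export passphrase, sent separately) goes to each client; ca.key stays offline. Once the server is up with the configuration below, a client bundle can be exercised against it with `openssl s_client -connect host:443 -cert client01.crt -key client01.key -CAfile ca.crt`.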

Then configure uWSGI for client certificate authentication:

    [uwsgi]
    master = true
    shared-socket = 0.0.0.0:443
    uid = www-data
    gid = www-data
    https = =0,foobar.crt,foobar.key,HIGH,!ca.crt
    http-to = /tmp/uwsgi.sock

Note

If you don't want the client certificate authentication to be mandatory, remove the '!' before ca.crt in the https option.