How to use caravel with TLS/SSL ???


Karma Kolabor

May 12, 2016, 1:32:02 PM5/12/16
to airbnb_caravel
Hi,

How do I run caravel over SSL/TLS? I kind of wonder how to get this running in a secure way.

First I tried to use uwsgi, as that seems to be the Python thing for web servers. Then I looked into bin/caravel and understood that gunicorn is already there, which seems to be a replacement for uwsgi, but binding is hardcoded to 0.0.0.0, so there is probably no uwsgi needed. But there I see that caravel is always listening unsecured on 0.0.0.0 - this is not great. Is there a way to magically override that setting? Or do I have to just change 0.0.0.0 to 127.0.0.1 - in fact I just did that, but that does not seem to be the Pythonic, elegant way of doing things?

Also: I would like to propose making it extremely simple to run caravel over TLS and adding some documentation about how to do this. One config option. Maybe add some Let's Encrypt magic, so it will be really very simple. It is a very interesting and nice project, but I am sure in real life nobody ever wants to use it without TLS, so maybe that should be a default deployment option, I mean, c'mon...

I find myself thrown deeply into the Python web deployment and Flask universe now, but I did not want that - I was just looking for a simple switch or config option, no way. It might be an interesting task to study the multitude of Python web deployment options if you have nothing else to do, especially as there are so many different things to use to accomplish that. Lots of study material! Great! But nowhere near "one zen way to do it right", more like "20 ways to do it and you have to put the pieces together from several blog posts and Stack Overflow, because all the single pieces' docs are written as if the other pieces do not exist" - horrible!

Yes, for anybody doing that kind of thing every day it is certainly a piece of cake, but that just makes me think: well, then again, why do they make it so hard to use it in a secure way for all the other people who are not deeply rooted in the Python web config world? And why is this missing from the docs, as it is such a natural question to ask - "I want to test it, how can we use that over TLS" is the totally automatic train of thought, isn't it?

However, I just want to run it securely; this should be very easy, shouldn't it? How can I do it? Do I have to become a Python web deployment guru? This is such repetitive, uncreative and boring knowledge to acquire; I would be very happy if you just showed me the one zen way to do this, so I can dig into the more interesting things of this piece - THANK YOU!

Thank you very much for your attention!
Have a nice day,
Karma

Maxime Beauchemin

May 12, 2016, 8:50:55 PM5/12/16
to airbnb_caravel
Hi,

I agree that this is way too complicated and uninteresting; I'd love for it to be much easier. I'm really not great around Apache or nginx config files. I just tried `uwsgi -s /tmp/uwsgi.sock -w caravel:app` and it works for me.

You can also run the gunicorn command in a similar way, bypassing the `caravel` CLI. I know the gunicorn command allows you to specify all sorts of switches including locations of SSL cert files.

Please help us document the process if/when you make progress. 

I'd share more if I knew more; at Airbnb we have a reverse proxy that takes care of SSL, LDAP authentication and load balancing for us, so we don't have to worry about that on the Caravel side.

Max
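An added example (not from the thread or from the caravel project) that puts Max's remark about gunicorn's SSL switches and Karma's worry about the hardcoded 0.0.0.0 bind into one helper: it builds the gunicorn command line for the `caravel:app` module mentioned above, lets gunicorn terminate TLS itself via its real `--certfile`/`--keyfile` options when a cert and key are supplied, and otherwise only permits a plaintext listener on loopback or a Unix socket (the "behind nginx" deployment Karma ended up with). The certificate paths and the port numbers are placeholders; the worker count is an arbitrary choice.

```shell
#!/bin/sh
# Added example: assemble a gunicorn invocation for caravel that never exposes a
# plaintext HTTP listener on a non-loopback address.
#
# Usage: caravel_gunicorn_cmd BIND [CERTFILE KEYFILE]
#   BIND      e.g. 127.0.0.1:8088, 0.0.0.0:8443 or unix:/tmp/caravel.sock
#   CERTFILE  PEM certificate (placeholder path in the examples below)
#   KEYFILE   PEM private key (placeholder path in the examples below)
#
# Prints the command to run on stdout; returns 1 and prints nothing when the
# requested deployment would listen unencrypted on a routable interface.
caravel_gunicorn_cmd() {
    bind="$1"
    certfile="$2"
    keyfile="$3"
    # Everything before the last ':' is the host part ("unix" for socket binds).
    host="${bind%:*}"

    # With a cert/key pair gunicorn terminates TLS itself, so any bind is fine.
    if [ -n "$certfile" ] && [ -n "$keyfile" ]; then
        printf 'gunicorn -w 4 --bind %s --certfile %s --keyfile %s caravel:app\n' \
            "$bind" "$certfile" "$keyfile"
        return 0
    fi

    # Without TLS, only accept binds that a reverse proxy on the same host can
    # reach: IPv4/IPv6 loopback or a Unix socket.
    case "$host" in
        127.*|localhost|\[::1\]|unix)
            printf 'gunicorn -w 4 --bind %s caravel:app\n' "$bind"
            return 0
            ;;
        *)
            echo "refusing plaintext listener on '$host': pass a cert/key pair" \
                 "or bind to loopback behind a TLS-terminating reverse proxy" >&2
            return 1
            ;;
    esac
}

# Run directly with arguments to print the command, e.g.:
#   sh caravel_tls.sh 127.0.0.1:8088
#   sh caravel_tls.sh 0.0.0.0:8443 /etc/ssl/caravel.crt /etc/ssl/caravel.key
if [ "$#" -gt 0 ]; then
    caravel_gunicorn_cmd "$@"
fi
```

The loopback-only rule is what Karma's manual edit of bin/caravel achieved; keeping it in a wrapper means the safe default survives upgrades of the script that hardcodes the bind address.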

Karma Kolabor

May 12, 2016, 9:09:48 PM5/12/16
to airbnb_caravel
Hi, Maxime,

thanks for your attention - hehe, yes, no need to worry is of course the best solution :)

Besides me being a lazy dog when "Python webserver configuration" is on the todo list, I believe there should at least be a better way to override the hardcoded 0.0.0.0 in bin/caravel. I just did that by replacing it with 127.0.0.1 and used the nginx example config from the gunicorn docs; it seems to be OK for now, but maybe this should be possible to put in a config file.

Have a nice day!
