SSL for Tornado


Fabio[mbutubuntu]Buda

Nov 12, 2010, 2:03:21 PM
to Tornado Web Server
Hello folks! Is there any way to use SSL with Tornado without using a
reverse proxy?

best regards,

Fabio Buda
Web Developer/Designer @ netdesign
http://www.netd.it/

JohnMudd

Nov 15, 2010, 1:34:18 PM
to Tornado Web Server
From: https://github.com/facebook/tornado/blob/master/tornado/httpserver.py


HTTPServer can serve HTTPS (SSL) traffic with Python 2.6+ and OpenSSL.
To make this server serve SSL traffic, send the ssl_options dictionary
argument with the arguments required for the ssl.wrap_socket() method,
including "certfile" and "keyfile":

    HTTPServer(application, ssl_options={
        "certfile": os.path.join(data_dir, "mydomain.crt"),
        "keyfile": os.path.join(data_dir, "mydomain.key"),
    })




abdullah mohamed mohamed abdelrhim

Nov 21, 2010, 5:32:27 PM
to python-...@googlegroups.com
Please indicate where exactly I put this code.
Thanks

JohnMudd

Nov 23, 2010, 10:34:21 AM
to Tornado Web Server
Here's more code.


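    import os
    import tornado.httpserver
    import tornado.ioloop
    import tornado.web

    # MainHandler and data_dir are assumed to be defined earlier in the file.
    if __name__ == "__main__":
        application = tornado.web.Application([
            (r"/", MainHandler),
        ])
        # Passing ssl_options makes the server speak HTTPS on the listening port.
        http_server = tornado.httpserver.HTTPServer(application,
            ssl_options={
                "certfile": os.path.join(data_dir, "mydomain.crt"),
                "keyfile": os.path.join(data_dir, "mydomain.key"),
            })
        http_server.listen(8888)
        tornado.ioloop.IOLoop.instance().start()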



On Nov 21, 5:32 pm, abdullah mohamed mohamed abdelrhim
<eng.abod...@gmail.com> wrote:
> Please indicate where exactly I put this code.
> Thanks
>
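
The same server written against the current ssl module API, as an added example that is not part of the original posts: Tornado's ssl_options also accepts an ssl.SSLContext, which lets the protocol floor and cipher list be set in Python. The cipher string, the handler and the certificate location are assumptions of this example.

```python
import asyncio
import os
import ssl

# Assumed policy for this example (not from the thread): TLS 1.2 or newer,
# forward-secret AEAD cipher suites only.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def harden(ctx):
    """Apply the protocol and cipher policy to a server-side SSLContext."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)  # selects TLS 1.2 suites; TLS 1.3 suites are unaffected
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def build_server_context(certfile, keyfile):
    """Context that takes the place of the certfile/keyfile ssl_options dict."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)  # raises if the key does not match the cert
    return harden(ctx)


def offered_tls12_ciphers(ctx):
    """Names of the pre-TLS-1.3 suites the context will offer, for review."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


async def main():
    import tornado.httpserver  # imported here so the helpers above need only the stdlib
    import tornado.web

    class MainHandler(tornado.web.RequestHandler):
        def get(self):
            self.write("hello over TLS")

    data_dir = os.path.dirname(os.path.abspath(__file__))  # assumed cert/key location
    ctx = build_server_context(os.path.join(data_dir, "mydomain.crt"),
                               os.path.join(data_dir, "mydomain.key"))
    app = tornado.web.Application([(r"/", MainHandler)])
    tornado.httpserver.HTTPServer(app, ssl_options=ctx).listen(8888)
    await asyncio.Event().wait()  # serve until interrupted


if __name__ == "__main__":
    asyncio.run(main())
```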

Ben Darnell

Sep 15, 2012, 8:06:36 PM
to python-...@googlegroups.com
For testing purposes you can make a certificate using the openssl
command line tool, but these certificates will cause warnings in the
browser. For actual use you'll need a certificate signed by a CA.

-Ben

On Sat, Sep 15, 2012 at 11:40 AM, ESP <in...@ischematics.com> wrote:
> does the certificate have to be one from a cert authority, or can we make
> one somehow with python?

aliane abdelouahab

Sep 16, 2012, 6:56:37 AM
to Tornado Web Server
And for HTTPS, the development must be on port 443 and not 80?

aliane abdelouahab

Sep 16, 2012, 7:41:47 AM
to Tornado Web Server
Sorry, I mean deployment.

Ben Darnell

Sep 16, 2012, 3:02:30 PM
to python-...@googlegroups.com
Yes. You can develop on any port you like, but for deployment you
will (usually) want to use 80 for http and 443 for https.

-Ben

ischematics.com

Sep 16, 2012, 3:47:37 PM
to python-...@googlegroups.com
Does anyone know if there are some standard ports that are generally open? I have an application where it seems some people have issues at work, etc., usually on port 8082, but 8080 is fine. I would use 80 but I don't know how to release it on the Mac; it is always in use by something...

Frank Smit

Sep 16, 2012, 4:45:36 PM
to python-...@googlegroups.com
Only a root user can use ports below 1024.

And Nginx is usually put in front of Tornado as a proxy. In this case
Nginx is on port 80 (or 443 for HTTPS) and proxies requests for
Tornado to port 8080 for example.

ischematics.com

Sep 16, 2012, 4:54:59 PM
to python-...@googlegroups.com
What is nginx, is it built into tornado?

ed

Frank Smit

Sep 16, 2012, 5:58:28 PM
to python-...@googlegroups.com
Nginx is a webserver.

http://en.wikipedia.org/wiki/Nginx

aliane abdelouahab

Sep 16, 2012, 6:12:59 PM
to Tornado Web Server
Tornado is built on Python, and Python suffers from the GIL (it is not
good for threading), so to get maximum response on a server, they use
a load balancer. Think about this example: you have 10 kids, every one
wants some sweeties, and you have in your hand 100 sweeties, so
instead of giving the first one 10 and letting all the others wait until
you finish the 10, just give them all 1 (one) and you make what is
called a "round robin".
So it's the same thing with nginx and Tornado: you start, for example, 4
instances of Tornado (you make a copy of the application 4 times,
every time you change the file with a different port number, for
example: 8001, 8002, 8003, 8004) and then you tell nginx to make the
"link" between them.
nginx is also a good solution for serving your static files (CSS,
images...), so Tornado will handle dynamic requests (building the
webpage) and nginx will fill them with colors ;)
Hope I was right.

On 16 sep, 21:55, "ischematics.com" <i...@ischematics.com> wrote:
> What is nginx, is it built into tornado?
>
> ed
>
> On Sun, Sep 16, 2012 at 3:45 PM, Frank Smit <fr...@61924.nl> wrote:
> > Only a root user can use ports below 1024.
>
> > And Nginx is usually put in front of Tornado as a proxy. In this case
> > Nginx is on port 80 (or 443 for HTTPS) and proxies requests for
> > Tornado to port 8080 for example.
>
> > On Sun, Sep 16, 2012 at 9:47 PM, ischematics.com <i...@ischematics.com>

aliane abdelouahab

Sep 16, 2012, 6:15:32 PM
to Tornado Web Server
Thank you, because I never use HTTPS.
Maybe this is why I don't get the HTML5 <keygen> element?

Srini Kommoori

Sep 16, 2012, 8:40:53 PM
to python-...@googlegroups.com
@ed as others mentioned, best practice is to have nginx (web server) in front of tornado (app server).


On the SSL, even though tornado can handle SSL, I would go with nginx as SSL endpoint. There are multiple cipher options that could be part of the SSL and some are good for handling max connections. With nginx you get full control of the cipher settings.

I would recommend to read http://matt.io/technobabble/hivemind_devops_alert:_nginx_does_not_suck_at_ssl for nginx ssl_cipher settings and how it impacts on supporting max connections.

hth

Ed Pataky

Sep 16, 2012, 8:51:32 PM
to python-...@googlegroups.com
Well, it sounds interesting, but I load tested my servers and they do just fine with Tornado for hundreds of simultaneous connections. Not sure what the benefit is. I put different machines on different ports and balance that way as well, assigning users to different ports (machines).

Srini Kommoori

Sep 16, 2012, 9:10:13 PM
to python-...@googlegroups.com
@ed use whatever works and you are comfortable with.

On SSL, here is a summary from the link I sent earlier:
1. Find what cipher your server is using: openssl s_client -host HOSTNAME -port 443
2. I would recommend to go with AES256-SHA for maximum speed and max connections.

On reverse proxy, it allows you to run multiple tornado servers to make use of the multiple cores your machine might have.

Ed Pataky

Sep 16, 2012, 9:25:06 PM
to python-...@googlegroups.com
I see, OK, thank you.

mert gokkaya

Feb 13, 2020, 11:39:00 AM
to Tornado Web Server
Not sure if anybody is still around and still has vivid memories of this discussion, but this was the closest approach to a nice Python, Tornado design. Someone asked where to put this code, and I'm sure I put the code in the right place, but I am guessing so many things changed with CORS and other browser technologies that I wonder if the code needs an upgrade.
Just a shot to 7 years ago, see what happens.

John Mudd

Feb 13, 2020, 11:59:48 AM
to python-...@googlegroups.com
Sorry, I don't recall. 
