Pass $ssl_client_s_dn to flask app #103

Closed
MiaMish opened this issue Nov 1, 2018 · 7 comments

@MiaMish

MiaMish commented Nov 1, 2018

My nginx.conf file looks like this:

uwsgi_read_timeout 300;

ssl_certificate     /app/cert.pem;
ssl_certificate_key /app/key.pem;
ssl_password_file   /app/password.pass;

ssl_client_certificate  /app/client-ca.crt;
ssl_verify_client optional;
ssl_verify_depth 2;

include uwsgi_params;
uwsgi_param HTTP_X_DN $ssl_client_s_dn;

I want my Flask app to receive the HTTP_X_DN parameter, but cannot find how.

From looking around, I found it's expected to reside in the request.environ object of Flask, but I don't see any such key when printing the environ content.

For reference, request.environ.keys() returns the following when sending a request via Postman:

dict_keys(['QUERY_STRING', 'REQUEST_METHOD', 'CONTENT_TYPE', 'CONTENT_LENGTH', 'REQUEST_URI', 'PATH_INFO', 'DOCUMENT_ROOT', 'SERVER_PROTOCOL', 'REQUEST_SCHEME', 'HTTPS', 'REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_PORT', 'SERVER_NAME', 'HTTP_CONTENT_TYPE', 'HTTP_CACHE_CONTROL', 'HTTP_POSTMAN_TOKEN', 'HTTP_USER_AGENT', 'HTTP_ACCEPT', 'HTTP_HOST', 'HTTP_ACCEPT_ENCODING', 'HTTP_CONTENT_LENGTH', 'HTTP_CONNECTION', 'wsgi.input', 'wsgi.file_wrapper', 'wsgi.version', 'wsgi.errors', 'wsgi.run_once', 'wsgi.multithread', 'wsgi.multiprocess', 'wsgi.url_scheme', 'uwsgi.version', 'uwsgi.node', 'werkzeug.request'])
@MiaMish
Author

MiaMish commented Nov 4, 2018

Apparently, for some reason, uwsgi_param directives that are set in app.conf are ignored, while setting them in nginx.conf works fine. However, since this Docker image is generating the nginx.conf on the fly, that's a bit problematic.

@MiaMish
Author

MiaMish commented Nov 4, 2018

So what resolves the issue for me is to add the following /app/prestart.sh, but that's a nasty hack.

#!/usr/bin/env bash
ex -sc '%s/include uwsgi_params;/include uwsgi_params; uwsgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;/g|x' /etc/nginx/conf.d/nginx.conf

@tiangolo
Owner

tiangolo commented Jan 1, 2019

Sorry for the delay! I was busy building FastAPI.

I understand you solved your problem, but anyway...

What are you trying to achieve? If you want to have HTTPS, I recommend using Traefik, it can acquire free Let's Encrypt certificates for your application.

You can deploy a Docker Swarm cluster with an HTTPS handling Traefik following this guide.

And then you can use a project generator to create the basic code structure to connect with Traefik, and add all the rest of your code to it (or add the parts you need to your code).

I just added the relevant info and links to the README: https://github.com/tiangolo/uwsgi-nginx-flask-docker#project-generators

@MiaMish
Author

MiaMish commented Jan 6, 2019

Thanks, I'll take a look at Traefik.
Regardless, I think adding the option to add custom uwsgi_param rows to the main nginx.conf would be much simpler in this case.
I would want some configuration that will add the following line to nginx.conf:
uwsgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
Note it must be added to the main nginx.conf and not to app.conf. I'm not sure why, but it seems like an nginx constraint.
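
An added example, not part of the original thread or the project's code: a WSGI wrapper that reads the `SSL_CLIENT_S_DN` value on the Flask side and only trusts it when nginx reports a verified certificate, which matters because the configuration above uses `ssl_verify_client optional`. It reads only `SSL_CLIENT_*` keys, since `HTTP_*` keys in the environ are also how client-sent request headers arrive. Assumptions: a second `uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;` line, the RFC 2253 style DN format, and the `client_cert.dn` environ key are choices made for this example.

```python
import re

# Assumed names: they must match uwsgi_param lines in the main nginx.conf, e.g.
#   uwsgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
#   uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;   (added for this example)
DN_KEY = "SSL_CLIENT_S_DN"
VERIFY_KEY = "SSL_CLIENT_VERIFY"


def parse_dn(dn):
    """Split a comma-separated RFC 2253 style DN into a dict.

    Handles escaped commas; multi-valued RDNs ("+") are kept as one value.
    """
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def client_identity(environ):
    """Return the DN attributes only when nginx reports a verified certificate.

    With "ssl_verify_client optional" a request without a certificate still
    reaches the app; $ssl_client_verify is then "NONE" and the DN is empty.
    """
    if environ.get(VERIFY_KEY) != "SUCCESS":
        return None
    return parse_dn(environ.get(DN_KEY, "")) or None


class RequireClientCert:
    """WSGI middleware: app.wsgi_app = RequireClientCert(app.wsgi_app)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        identity = client_identity(environ)
        if identity is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"client certificate required\n"]
        environ["client_cert.dn"] = identity  # hypothetical key for the view to read
        return self.app(environ, start_response)
```

Inside a Flask view the parsed attributes are then available as `request.environ["client_cert.dn"]`.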

@tiangolo
Owner

I just added tests for all the images and configurations to be able to refactor knowing that I'm not breaking anything.

I'm planning on:

  • By default, generating the nginx.conf entirely in code. But...
  • Check if there's a file in /app/nginx.conf first. If that file exists, use it instead.

That would allow you to customize the nginx.conf entirely, in any way you wanted.

Do you think that would support your use case/need?

@MiaMish
Author

MiaMish commented Jan 13, 2019

Yes, that would be great.

@tiangolo
Owner

tiangolo commented Feb 2, 2019

Done! ✔️

I just finished a big refactor to be able to add this feature on top.

You can now add a file /app/nginx.conf and it will be used instead of the generated one.

You can check the docs here: https://github.com/tiangolo/uwsgi-nginx-flask-docker#overriding-nginx-configuration-completely

@MiaMish MiaMish closed this as completed Feb 3, 2019