Deploying your (RESTful) python app in a PKI secured environment
August 1st, 2010 • 4 Comments

Now assume you have written a RESTful Python application which you want to deploy in a secure manner. Many environments use a PKI setup based on X.509 certificates, where every client authenticates with a certificate issued by a trusted CA (mutual TLS). The good news is that you can do this without touching the application: let Apache terminate TLS and verify the client certificate, and run the app behind it with mod_wsgi. On an Ubuntu server an apt-get install libapache2-mod-wsgi apache2 will do.
Now add a site to your Apache configuration, normally located in /etc/apache2/sites-available (on Debian and Ubuntu you enable it afterwards with a2ensite):
WSGIPythonPath <python path>
Listen 81
NameVirtualHost *:81
<VirtualHost *:81>
    ServerAdmin root@localhost
    ServerName localhost

    # Server certificate and key presented to the client
    SSLEngine on
    SSLCertificateFile <path to cert>/newcert.pem
    SSLCertificateKeyFile <path to cert>/newkey.pem

    # CA that client certificates must chain to; the handshake fails otherwise
    SSLCACertificateFile <path to cert>/cacert.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Export SSL_CLIENT_* details into the environment seen by the WSGI app
    SSLOptions +StdEnvVars

    WSGIScriptAlias / /<path to your service>/service.py
    ErrorLog /var/log/apache2/service.error.log
    CustomLog /var/log/apache2/service.log common
</VirtualHost>
That’s it! The Python app is now available at https://localhost:81 (SSLEngine on, so plain HTTP on that port is refused). With SSLVerifyClient require, Apache rejects every TLS handshake in which the client does not present a certificate that chains to the CA in cacert.pem, and SSLVerifyDepth 2 allows at most one intermediate CA between the client certificate and that root. So a request only reaches your code after the certificate has been validated against the CA. The statement SSLOptions +StdEnvVars makes mod_ssl export the handshake details (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and friends) into the request environment, which mod_wsgi passes to your application as entries of the WSGI environ. Because these values are set by mod_ssl rather than read from request headers, a client cannot forge them (a header of the same name would arrive as HTTP_SSL_CLIENT_S_DN instead), so you can also identify and authorise the user by the DN in his certificate.
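As an added example (not code from the original post), here is a minimal service.py that does what the text describes: it takes the DN that mod_ssl exported into the WSGI environ, re-checks that the certificate was actually verified, and authorises the request against an allow-list of DNs. SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN are the real mod_ssl variable names; the allow-list, the DN values, the roles and the call() helper are constructed for illustration. One caveat: the DN string format depends on the Apache version. Apache 2.2 emits the slash-separated form used below, while 2.3.11 and later emit RFC 2253 order ("CN=alice,OU=Ops,...") unless SSLOptions +LegacyDNStringFormat is set, so match whatever your server actually produces.

```python
"""service.py: WSGI app that authorises by client-certificate DN.

Added example, not code from the original post. mod_ssl (with
SSLOptions +StdEnvVars) puts SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN into
the WSGI environ; everything else here is an assumption for illustration.
"""
import json

# Constructed allow-list: certificate subject DN -> permitted roles.
# In a real deployment this would come from a config file or a directory.
ALLOWED_DNS = {
    "/C=DE/O=Example/OU=Ops/CN=alice": {"read", "write"},
    "/C=DE/O=Example/OU=Ops/CN=bob": {"read"},
}


def client_dn(environ):
    """Return the verified client subject DN, or None.

    SSL_CLIENT_VERIFY is 'SUCCESS' only when mod_ssl validated the chain
    against SSLCACertificateFile. With 'SSLVerifyClient require' Apache
    already drops other handshakes, but checking again keeps the app safe
    if someone later relaxes the vhost to 'optional'.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN") or None


def authorise(environ, needed):
    """Map (request, required role) to an HTTP status and the DN used."""
    dn = client_dn(environ)
    if dn is None:
        return 401, None            # authenticated by nobody
    roles = ALLOWED_DNS.get(dn)
    if roles is None or needed not in roles:
        return 403, dn              # known cert, but not allowed to do this
    return 200, dn


def application(environ, start_response):
    """WSGI entry point referenced by WSGIScriptAlias."""
    method = environ.get("REQUEST_METHOD", "GET")
    needed = "read" if method in ("GET", "HEAD") else "write"
    status, dn = authorise(environ, needed)
    reasons = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}
    body = json.dumps({"status": status, "dn": dn, "required": needed})
    body = body.encode("utf-8")
    start_response("%d %s" % (status, reasons[status]),
                   [("Content-Type", "application/json"),
                    ("Content-Length", str(len(body)))])
    return [body]


def call(environ):
    """Drive the app offline with a constructed environ; return (status, body dict)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    raw = b"".join(application(environ, start_response))
    return captured["status"], json.loads(raw.decode("utf-8"))


if __name__ == "__main__":
    # Constructed environ, as mod_ssl/mod_wsgi would supply it for alice.
    print(call({"REQUEST_METHOD": "POST",
                "SSL_CLIENT_VERIFY": "SUCCESS",
                "SSL_CLIENT_S_DN": "/C=DE/O=Example/OU=Ops/CN=alice"}))
```

Keying the allow-list on the full DN rather than only the CN matters: two CAs, or two OUs under one CA, can legitimately issue certificates with the same CN, and SSLVerifyDepth 2 means an intermediate issuer is acceptable, so the CN alone does not identify a principal.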
Is there a way to get the DN of the authenticated request into the RESTful app? Authentication is one thing, but one may need to authorise as well, and that requires the knowledge of the DN … Or the DN is just needed internally for other things within the app, when triggering actions.
Yep – Actually with ‘SSLOptions +StdEnvVars’ all needed header entries are forwarded to the app – In your case you’ll need the SSL_CLIENT_CERT_DN header entry!
Kewl, thx. Will start building my server over the next week … 🙂
Gonna be interesting how proxy certs will come across.
If you like, try: pyssf.sf.net … Willing to help 😀