Deploying your (RESTful) python app in a PKI secured environment
August 1st, 2010
Now assume you have written a RESTful Python application which you want to deploy in a secure manner. Many environments use a PKI security setup based on X509 certificates. The good news is that you can do this. Install Apache and the mod_wsgi module. On an Ubuntu Server, apt-get install libapache2-mod-wsgi apache2 will do.
Now simply add a site to your apache2 configuration, normally located in /etc/apache2/sites-available:
WSGIPythonPath <python path>
Listen 81
NameVirtualHost *:81
<VirtualHost *:81>
    ServerAdmin root@localhost
    ServerName localhost
    SSLEngine on
    SSLCertificateFile <path to cert>/newcert.pem
    SSLCertificateKeyFile <path to cert>/newkey.pem
    SSLCACertificateFile <path to cert>/cacert.pem
    # Require a client certificate that chains to the CA above
    SSLVerifyClient require
    SSLVerifyDepth 2
    # Export the SSL_* variables to the application
    SSLOptions +StdEnvVars
    WSGIScriptAlias / /<path to your service>/service.py
    ErrorLog /var/log/apache2/service.error.log
    CustomLog /var/log/apache2/service.log common
</VirtualHost>
That’s it! The Python app is now available on localhost:81, and Apache will ensure that the client certificate is authenticated against the CA. The statement SSLOptions +StdEnvVars ensures that the corresponding SSL environment variables are passed to your Python application, so you can also verify the user by the DN defined in the certificate.
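The DN check mentioned above, as an added example (not code from the original post): a minimal service.py that reads the mod_ssl variables exported by SSLOptions +StdEnvVars from the WSGI environ. ALLOWED_DNS and the sample DN are constructed for illustration.

```python
# Added example (not from the original post): a service.py-style WSGI app
# that authorizes callers by the subject DN of their client certificate.

# Constructed allowlist. The DN string format depends on the Apache/mod_ssl
# version, so store the exact string your server emits.
ALLOWED_DNS = {
    "CN=alice,OU=Engineering,O=Example Corp,C=DE",
}


def client_dn(environ):
    """Return the subject DN of a verified client certificate, else None."""
    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only if the chain validated
    # against SSLCACertificateFile; other values are NONE, GENEROUS, FAILED:...
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Read only the un-prefixed key. Request headers sent by the client show
    # up as HTTP_* keys, so HTTP_SSL_CLIENT_S_DN is client-controlled.
    return environ.get("SSL_CLIENT_S_DN") or None


def application(environ, start_response):
    """WSGI entry point; mod_wsgi looks for a callable named application."""
    dn = client_dn(environ)
    if dn is None:
        status, body = "403 Forbidden", b"verified client certificate required\n"
    elif dn not in ALLOWED_DNS:
        status, body = "403 Forbidden", b"certificate not authorized\n"
    else:
        status, body = "200 OK", ("hello " + dn + "\n").encode("utf-8")
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(body)))])
    return [body]
```

With SSLVerifyClient require, Apache already rejects clients without a valid certificate during the handshake; the SSL_CLIENT_VERIFY check keeps the application safe if that directive is later relaxed.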