No Huddle Offense

"Individual commitment to a group effort-that is what makes a team work, a company work, a society work, a civilization work."

Deploying your (RESTful) python app in a PKI secured environment

August 1st, 2010 • 4 Comments

Now assume you have written an RESTful python application which you want to deploy in a secure manner. Many environments use a PKI security setup using X509 certificates. The good news is that you can do this. Install apache and the mod_wsgi module. On an Ubuntu Server a apt-get install libapache2-mod-wsgi apache2 will do.

Now simply add a site to your apache2 configuration – Normally located in /etc/apache2/sites-available:

WSGIPythonPath <python path>
    
    Listen 81
    NameVirtualHost *:81
    <VirtualHost *:81>
        ServerAdmin root@localhost
        ServerName localhost
    
        SSLEngine on
        SSLCertificateFile <path to cert>/newcert.pem
        SSLCertificateKeyFile<path to cert>/newkey.pem
        SSLCACertificateFile <path to cert>/cacert.pem
        SSLVerifyClient require
        SSLVerifyDepth 2
    
        SSLOptions +StdEnvVars
    
        WSGIScriptAlias / /<path to your service>/service.py
    
        ErrorLog /var/log/apache2/service.error.log
        CustomLog /var/log/apache2/service.log common
    </VirtualHost>

That’s it! The python app is now available on localhost:81 – Apache will ensure that the client certificate is authenticated against the CA! The statement SSLOptions +StdEnvVars ensures that the according headers are forwared to your python application so you also verify the user by his DN defined in the certificate.

4 responses to “Deploying your (RESTful) python app in a PKI secured environment”

  1. Guy says:

    Is there a way to get the DN of the authenticated request into the RESTful app? Authentication is one thing, but one may need to authorise as well, and that requires the knowledge of the DN … Or the DN is just needed internally for other things within the app, when triggering actions.

  2. coach says:

    Jap – Actually with the ‘SSLOption #StdEnvVars’ all needed header entries are forwarded to the app – In your case you’ll need the SSL_CLIENT_CERT_DN header entry!

  3. Guy says:

    Kewl, thx. Will start building my server over the next week … 🙂

    Gonna be interesting how proxy certs will come across.

  4. admin says:

    If you like try: pyssf.sf.net…Willing to help 😀