Nginx front end to tornado


I currently have nginx running as a load balancer and reverse proxy to tornado.

Once I set up my nginx to handle the SSL connection on port 443 and redirect to the appropriate tornado backend, do I need to change the tornado configuration to handle HTTPS? I'm getting nginx to handle the certificates:

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";

All the configurations so far for tornado have been when tornado is used as a standalone webserver and handles these certifications in the settings, i.e.

        http_server = tornado.httpserver.HTTPServer(application, ssl_options={
            "certfile": "server.csr",
            "keyfile": "server.key",
        })

What settings do I need to provide tornado on the listening processes to handle the incoming SSL connections from nginx?

Thanks


Solution

  • The answer depends on whether you want to use TLS between nginx and the tornado servers, or allow that link to be in the clear.

    To encrypt the connection, give the tornado servers a certificate/key pair that matches the hostname that nginx will use to contact them. You'll probably want to use a self-signed CA for this, and configure nginx to trust that CA for its backend connections. The backends section of your nginx config will use https:// in this case.

    To not encrypt the connection between nginx and tornado (but leave the traffic to the end user encrypted), remove the ssl configuration from the tornado servers and use http:// in your nginx backends section.

    In both cases, you probably want to set xheaders=True in your Tornado HTTP server and add the proxy_set_header directives from http://www.tornadoweb.org/en/stable/guide/running.html#running-behind-a-load-balancer so that fields like request.protocol will be set correctly.
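
The two options described in the answer, written out as an nginx configuration. This is an added example, not part of the original answer; the upstream name, backend addresses and ports, `server_name`, the backend CA path and the `proxy_ssl_name` value are assumptions.

```nginx
# Constructed example: upstream name, addresses, ports, server_name and the
# backend CA path are placeholders, not values taken from the question.
upstream tornado_backends {
    server 127.0.0.1:8000;
    server 127.0.0.1:8001;
}

server {
    listen 443 ssl;
    server_name example.com;

    # nginx terminates the client-facing TLS connection (paths from the question).
    ssl_certificate     "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";

    location / {
        # Headers Tornado reads when HTTPServer is created with xheaders=True:
        # X-Real-IP feeds request.remote_ip, X-Scheme feeds request.protocol.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_redirect off;

        # Option A: cleartext hop to Tornado. The Tornado HTTPServer is
        # created without ssl_options.
        proxy_pass http://tornado_backends;

        # Option B: encrypted hop. Use this proxy_pass instead of the one
        # above, keep ssl_options on the Tornado side, and have nginx verify
        # the backend certificate against the private CA that issued it.
        # proxy_pass https://tornado_backends;
        # proxy_ssl_trusted_certificate /etc/pki/nginx/backend-ca.crt;
        # proxy_ssl_verify on;
        # proxy_ssl_name tornado.internal;  # must match the backend certificate
    }
}
```

With `xheaders=True` Tornado trusts whatever `X-Real-IP` and `X-Scheme` it receives, so the backends should listen only on an address that nginx alone can reach (here the loopback interface).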