-
-
Notifications
You must be signed in to change notification settings - Fork 494
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add details and examples in docs for running apps with https (#3213)
* docs(section_configuration_deployment): add details and examples for https * chore: run pre-commit * feat: make the https example 'executable' * formatting * formatting --------- Co-authored-by: Rodja Trappe <[email protected]>
- Loading branch information
Showing
6 changed files
with
176 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# Serving an App with HTTPS encryption behind a Reverse Proxy (NGINX) | ||
|
||
This example shows how to serve NiceGUI with HTTPS encryption behind NGINX. | ||
For running the App under a Subpath, have a look at https://github.com/zauberzeug/nicegui/blob/main/examples/nginx_subpath. | ||
|
||
## Try Out | ||
|
||
1. Create the `certs/` directory: | ||
|
||
```bash | ||
mkdir certs | ||
``` | ||
|
||
2. Generate and self-sign SSL an certificate for `localhost` | ||
|
||
```bash | ||
openssl req -x509 -out certs/localhost.crt -keyout certs/localhost.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <( printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") | ||
``` | ||
|
||
3. Run the containerized app | ||
|
||
```bash | ||
docker compose up | ||
``` | ||
|
||
4. Try to access http:https://localhost without the "s". | ||
You will be automatically redirected to the https version. | ||
|
||
5. Depending on your browser, you should typically receive a warning that the certificate authority is invalid. | ||
This is perfectly normal as we issued and self-signed a simple certificate for demo use locally. | ||
So proceed anyway, e.g. on Chrome, click on `Advanced` > `Proceed to localhost (unsafe)` | ||
|
||
6. Note the Hello World message from the app accessed with encrypted connection | ||
|
||
## Deploy in production in your self-hosted NGINX | ||
|
||
- For production, you'll need your own domain and a proper SSL certificate issued by a recognized Certificate Authority (CA). | ||
You can consider the free CA [Let's Encrypt](https://letsencrypt.org/) provided by the Internal Security Research Group, and use their [Certbox](https://certbot.eff.org/instructions) tool to generate the certicates for your own domain. | ||
|
||
- If you already have an NGINX server running and want to add your NiceGUI app, you can reuse a stripped down version of the nginx.conf file, [nginx_site.conf](https://github.com/zauberzeug/nicegui/blob/main/example/nginx_https/nginx_site.conf) | ||
|
||
```bash | ||
sudo cp nginx_site.conf /etc/nginx/sites-available/my_nicegui_app.conf | ||
sudo nano /etc/nginx/sites-available/my_nicegui_app.conf # customize your domain, certificates, port number, etc. | ||
sudo ln -s /etc/nginx/sites-available/mynicegui_app.conf /etc/nginx/sites-enabled | ||
sudo systemctl reload nginx | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
from nicegui import ui | ||
|
||
ui.label('Hello HTTPS encrypted world') | ||
|
||
ui.run() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
services: | ||
app: | ||
image: zauberzeug/nicegui:1.4.27 | ||
volumes: | ||
- ./app:/app # mount local app directory | ||
proxy: | ||
image: nginx:1.27.0-alpine | ||
ports: | ||
- "80:80" # map internal port 80 to external port 80 | ||
- "443:443" # map internal port 443 to external port 443 | ||
volumes: | ||
- ./nginx.conf:/etc/nginx/nginx.conf # use custom nginx config | ||
- ./certs:/certs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
worker_processes 1; | ||
|
||
events { | ||
worker_connections 1024; | ||
} | ||
|
||
|
||
http { | ||
include mime.types; | ||
default_type application/octet-stream; | ||
|
||
|
||
sendfile on; | ||
keepalive_timeout 65; | ||
|
||
server { | ||
listen 80; | ||
listen [::]:80; | ||
server_name _; | ||
resolver 127.0.0.11; # Specific to running nginx proxy in docker | ||
# See https://github.com/docker/compose/issues/3412 | ||
|
||
# Redirect all HTTP requests to HTTPS | ||
return 301 https://$host$request_uri; | ||
} | ||
|
||
server { | ||
listen 443 ssl; | ||
listen [::]:443 ssl; | ||
http2 on; | ||
server_name _; | ||
resolver 127.0.0.11; # Specific to running nginx proxy in docker | ||
# See https://github.com/docker/compose/issues/3412 | ||
|
||
# SSL configuration | ||
ssl_certificate /certs/localhost.crt; | ||
ssl_certificate_key /certs/localhost.key; | ||
ssl_session_timeout 1d; | ||
|
||
# Proxy pass to app:8080 | ||
location / { | ||
proxy_pass http:https://app:8080; | ||
proxy_redirect http:https://app:8080/ /; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "Upgrade"; | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
server { | ||
listen 80; | ||
listen [::]:80; | ||
server_name my-domain.com; | ||
|
||
# Redirect all HTTP requests to HTTPS | ||
return 301 https://$host$request_uri; | ||
} | ||
|
||
server { | ||
listen 443 ssl; | ||
listen [::]:443 ssl; | ||
http2 on; | ||
server_name my-domain.com; | ||
|
||
# SSL configuration | ||
ssl_certificate /etc/letsencrypt/live/my-domain.com/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/my-domain.com/privkey.pem; | ||
ssl_session_timeout 1d; | ||
|
||
# Proxy pass to localhost:8080 | ||
location / { | ||
proxy_pass http:https://localhost:8080; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "Upgrade"; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters