Issue #209 resolved

patch to enable ssl wrapping with stunnel

Christian Wyglendowski
created an issue

== Background ==

I have been working on wrapping a CherryPy server with SSL using stunnel. stunnel is a cross-platform utility for wrapping TCP streams in SSL. It could be a nice way to quickly SSL-enable a CherryPy site.

The standard setup works pretty well, but a problem occurs when a request is made to 'https://host/pathtoobject'. If 'pathtoobject' has an index method, _cphttptools.mapPathToObject will raise _cperror.HTTPRedirect(path) (path being '/pathtoobject/') to redirect the user to the index method.

HTTPRedirect, following the HTTP standard, redirects to an absolute URL, using the cherrypy.request.base received ''from the SSL wrapper'', which would be 'http://host'. At best (depending on how you look at it ;-), if CP was running on port 80, the user would be redirected to the insecure site. At worst, if CP is running on some port other than 80, the connection is refused because nothing is listening on port 80.

== Resolution ==

Adding a couple of config options, 'sslWrapAddr' and 'sslWrapPort'. HTTPRedirect will check to see if those options are set. If they are, it checks to see if the request came from 'sslWrapAddr'. If it did, then it modifies the location URL to use https and optionally the 'sslWrapPort' if it is running on something other than 443.

Attached is a small patch that checks for the above config settings and acts accordingly.

== Finally... ==

If this patch is accepted, I will be happy to add a how-to to the wiki on using stunnel with CherryPy.

Comments (6)

  1. Christian Wyglendowski reporter

    Config Samples

    With stunnel listening on 8443 and forwarding requests to CP listening on 8080, the config would look like this:

        '/': {
            'sslWrapAddr': '',
            'sslWrapPort': '8443'}

    With stunnel listening on 443 and forwarding requests to 8080, the config would look like this:

        '/': {
            'sslWrapAddr': ''}

    Side Effect

    Normally, sslWrapAddr would be set to If development was being done on a workstation with CP running, this would cause redirects to the SSL tunnel anytime http://localhost/pathtoobject was requested from the localhost.


    If you supply a hostname instead of localhost in the url, the request shouldn't come from localhost and the redirect should occur normally.
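The Location rewrite described in the Resolution section, exercised with the two config samples from the comment above, as an added stand-alone example (this is not the attached patch or CherryPy's own code); the function name, the config dict layout and the wrapper address 127.0.0.1 are assumptions:

```python
# Added example modelling the fix from the issue: decide whether a redirect
# Location should be rewritten to https because the request arrived via the
# SSL wrapper (stunnel). Function name, config layout and addresses are assumed.
from urllib.parse import urlsplit, urlunsplit


def build_redirect_location(base, path, remote_addr, config):
    """Return the absolute Location header value for a redirect to `path`.

    base        - what CherryPy sees as request.base, e.g. 'http://host:8080'
                  (stunnel terminates SSL, so CP only ever sees plain http)
    path        - redirect target such as '/pathtoobject/'
    remote_addr - peer address of the TCP connection; when the request came
                  through stunnel this is the wrapper's address, not the client's
    config      - dict with optional 'sslWrapAddr' and 'sslWrapPort' keys
    """
    wrap_addr = config.get('sslWrapAddr')
    wrap_port = config.get('sslWrapPort')
    scheme, netloc, _, _, _ = urlsplit(base)
    host = netloc.split(':', 1)[0]

    if wrap_addr and remote_addr == wrap_addr:
        # The client actually spoke https to stunnel. Without this rewrite the
        # Location would downgrade it to http://host, either landing on the
        # insecure site (CP on port 80) or on a closed port (CP elsewhere).
        scheme = 'https'
        if wrap_port and str(wrap_port) != '443':
            netloc = '%s:%s' % (host, wrap_port)
        else:
            netloc = host  # 443 is the https default, leave the port out
    return urlunsplit((scheme, netloc, path, '', ''))


# Constructed samples mirroring the comment's two configs; 127.0.0.1 is an
# assumed value for where stunnel connects from (the issue does not state it).
STUNNEL_ADDR = '127.0.0.1'
CONFIG_8443 = {'sslWrapAddr': STUNNEL_ADDR, 'sslWrapPort': '8443'}
CONFIG_443 = {'sslWrapAddr': STUNNEL_ADDR}


def demo():
    """Show the rewrite for wrapped, unwrapped and unconfigured requests."""
    base, path = 'http://host:8080', '/pathtoobject/'
    return {
        'wrapped_8443': build_redirect_location(base, path, STUNNEL_ADDR, CONFIG_8443),
        'wrapped_443': build_redirect_location(base, path, STUNNEL_ADDR, CONFIG_443),
        'direct_client': build_redirect_location(base, path, '10.0.0.5', CONFIG_8443),
        'no_config': build_redirect_location(base, path, STUNNEL_ADDR, {}),
    }


if __name__ == '__main__':
    for name, location in demo().items():
        print('%-14s -> %s' % (name, location))
```

The 'direct_client' case is also the side effect noted in the comment: whether a request is treated as wrapped depends only on its source address matching 'sslWrapAddr', so a developer browsing from the same host as stunnel gets the https redirect too.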
