
CherryPy SSL behind Apache

Is there a way to set up CherryPy to use SSL when running behind Apache2 without configuring Apache2 to do SSL for CherryPy?

I have found multiple tutorials about using SSL with CherryPy and configuring Apache2 to do the SSL work for CherryPy, but I have not been able to find a tutorial that deals with using SSL with CherryPy behind Apache2 without configuring Apache2 to do the SSL work.

To expound a bit on gcbrizan's answer: you cannot, because the first step required to understand an HTTPS request is to decrypt the connection. SSL/TLS works in two modes: tunneling and STARTTLS. In the latter, a normal connection is started, and at some point, once the two parties have established whatever they want to do with the connection, one peer asks the other to start encrypting it. ESMTP (email) uses this mechanism.

HTTP, however, does not have a STARTTLS feature, so tunneling is used instead. Before any HTTP traffic is transferred, both parties start a secure tunnel: the client verifies the correctness of the server's certificate, and the server may do the same for the client (if required/requested). Only once all of this has happened does the client send the page request.

Were Apache (or any other proxy) to do this, it would have to pass all encrypted traffic to the origin server (CherryPy in your question); since the traffic is encrypted, the proxy has no opportunity to "send this request here, but that request there". If it's just passing all traffic unmodified, then it's not really doing anything helpful at all, and you may as well expose the origin server directly.

You cannot do that (nor would I try to). Firstly, Apache will be better at terminating the SSL than CherryPy (if for no other reason than performance). And secondly, it will simply not work, because Apache speaks HTTP and HTTPS is actually HTTP encrypted with SSL, so you need to handle the SSL before you get any HTTP that Apache can understand.
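The two answers above make the same point: with HTTPS the TLS tunnel comes up first and the HTTP request travels inside it, so a proxy that does not terminate TLS never sees a request line to route on. The following is an added example, not code from the original thread or from CherryPy or Apache. It constructs a sample TLS 1.2 ClientHello and an "application data" record (the record protection is a stand-in XOR keystream, not real TLS encryption; the host name app.example.com and the request path are made up) and then shows what a passthrough proxy can read from the client's bytes versus what a terminating proxy such as Apache sees. The one thing a non-terminating proxy can recover is the SNI host name in the ClientHello; the request path stays opaque.

```python
import hashlib
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS12 = 0x0303
EXT_SERVER_NAME = 0x0000


def _record(content_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLS record header: type, version, length."""
    return struct.pack("!BHH", content_type, TLS12, len(payload)) + payload


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI entry."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\xc0\x2f\xc0\x30"                         # two sample suites
    body = (struct.pack("!H", TLS12)          # client_version
            + b"\x11" * 32                    # random (fixed for the sample)
            + b"\x00"                         # session_id: empty
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                     # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return _record(TLS_HANDSHAKE, handshake)


def toy_protect(plaintext: bytes) -> bytes:
    """Stand-in for TLS record protection: XOR with a fixed keystream (assumption, not a
    real cipher). It only makes the HTTP bytes opaque the way real encryption does."""
    keystream = hashlib.sha256(b"sample-session-key").digest()
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(plaintext))


def build_application_data(http_request: bytes) -> bytes:
    """Constructed sample: the HTTP request, which the client sends only once the tunnel is up."""
    return _record(TLS_APPLICATION_DATA, toy_protect(http_request))


def split_records(stream: bytes):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _, length = struct.unpack("!BHH", stream[pos:pos + 5])
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length


def extract_sni(handshake: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, if present."""
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        lpos = 2                                          # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
            lpos += 3 + nlen
    return None


def passthrough_proxy_view(stream: bytes) -> dict:
    """Everything a non-terminating (TCP passthrough) proxy can learn from the client's bytes."""
    view = {"sni": None, "request_line": None, "opaque_bytes": 0}
    for ctype, payload in split_records(stream):
        if ctype == TLS_HANDSHAKE and view["sni"] is None:
            view["sni"] = extract_sni(payload)
        elif ctype == TLS_APPLICATION_DATA:
            view["opaque_bytes"] += len(payload)
            # A proxy that could read the request would route on this; it never matches.
            if payload.startswith((b"GET ", b"POST ", b"PUT ", b"DELETE ")):
                view["request_line"] = payload.split(b"\r\n", 1)[0].decode()
    return view


def terminating_proxy_view(stream: bytes) -> dict:
    """What Apache sees once it terminates TLS itself: the plaintext request line."""
    view = passthrough_proxy_view(stream)
    for ctype, payload in split_records(stream):
        if ctype == TLS_APPLICATION_DATA:
            view["request_line"] = toy_protect(payload).split(b"\r\n", 1)[0].decode()
    return view


if __name__ == "__main__":
    request = b"GET /admin/reports HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
    wire = build_client_hello("app.example.com") + build_application_data(request)
    print("passthrough proxy sees:", passthrough_proxy_view(wire))
    print("terminating proxy sees:", terminating_proxy_view(wire))
```

The passthrough view is the most a proxy can do without the server's private key: choose a backend by SNI host name and forward bytes unchanged, which is exactly the "not really doing anything helpful" case the first answer describes. Path-based routing, header rewriting, access logging and caching all need the terminating view, which is why the usual setup terminates TLS in Apache and proxies plain HTTP to CherryPy.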
