
CherryPy SSL behind Apache

Is there a way to set up CherryPy to use SSL when running behind Apache2 without configuring Apache2 to do SSL for CherryPy?

I have found multiple tutorials about using SSL with CherryPy and configuring Apache2 to do the SSL work for CherryPy, but I have not been able to find a tutorial that deals with using SSL with CherryPy behind Apache2 without configuring Apache2 to do the SSL work.

To expound a bit on gcbrizan's answer: you cannot, because the first step required to understand an HTTPS request is to first decrypt the connection. SSL/TLS works in two modes: tunneling and STARTTLS. In the latter, a normal connection is started, and at some point, once the two parties have established whatever they want to do with the connection, one peer asks the other to start encrypting the connection. ESMTP (email) uses this mechanism.

HTTP, however, does not have a STARTTLS feature, so tunneling is used instead. Before any HTTP traffic is transferred, both parties start a secure tunnel; the client verifies the correctness of the server's certificate, and the server may do the same for the client (if required/requested). Only once all of this has happened does the client send the page request.

Were Apache (or any other proxy) to do this, it would have to pass all encrypted traffic to the origin server (CherryPy in your question). Since the traffic is encrypted, the proxy has no opportunity to "send this request here, but that request there". If it's just passing all traffic unmodified, then it's not really doing anything helpful at all, and you may as well expose the origin server directly.

You cannot do that (nor would I try to). Firstly, Apache will be better for terminating the SSL than CherryPy (if for no other reason than performance). And secondly, it will simply not work because Apache speaks HTTP, and HTTPS is actually HTTP encrypted with SSL, so you need to handle the SSL before you get any HTTP that Apache can understand.
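The point both answers make, that an HTTPS connection opens with a TLS handshake and carries no readable HTTP until that handshake is done, can be checked from the proxy's side of the wire. This is an added example, not code from either answer; the host name `app.example.test`, the sample request and the function names are constructed for illustration.

```python
import ssl

# Constructed sample: what a plain-HTTP client sends first.
SAMPLE_HTTP = b"GET /reports HTTP/1.1\r\nHost: app.example.test\r\n\r\n"

def client_first_bytes_tls(server_name):
    """Return the first bytes a TLS client puts on the wire (its ClientHello)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()  # in-memory, no network
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the client now waits for the server; no HTTP has been sent
    return outgoing.read()

def http_routing_info(first_bytes):
    """What a proxy that does not terminate TLS can read for HTTP routing."""
    info = {"protocol": "unknown", "method": None, "path": None, "host_header": None}
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # The ClientHello may name the server (SNI), but it carries no
        # method, path or headers: those are sent only inside the tunnel.
        info["protocol"] = "tls"
        return info
    lines = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return info
    info.update(protocol="http", method=parts[0], path=parts[1])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            info["host_header"] = value.strip()
    return info

if __name__ == "__main__":
    print("plain HTTP:", http_routing_info(SAMPLE_HTTP))
    print("HTTPS     :", http_routing_info(client_first_bytes_tls("app.example.test")))
```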
