Gunicorn - HTTP and HTTPS in the same instance?

Kushal Kumaran kushal at locationd.net
Fri Jan 7 20:54:25 EST 2022


On Fri, Jan 07 2022 at 12:51:48 PM, Skip Montanaro <skip.montanaro at gmail.com> wrote:
> Hopefully some Pythonistas are also Gunicornistas. I've had little success
> finding help with a small dilemma in the docs or in other more specific
> sources.
>
> I'm testing out a new, small website. It is just Gunicorn+Flask. I'd like
> to both listen for HTTP and HTTPS connections. Accordingly, in my config, I
> have the Gunicorn process bind to both ports 80 and 443 if running as root:
>
> if IAM_ROOT:
>     bind = [
>         '0.0.0.0:443',
>         '0.0.0.0:80',
>     ]
> else:
>     bind = [
>         '0.0.0.0:8080',
>     ]
>
> Gunicorn listens on both ports, but insists on SSL/TLS chit chat over port
> 80, not just port 443 (which seems to work okay). Is there some magic
> incantation to get it to just talk HTTP on port 80, or will I need to spin
> up two instances? (The non-root config works fine - plain old HTTP over
> port 8080.)
>

It is not possible to do this.  The ssl-ness is a global configuration,
and will apply to all of the listening sockets gunicorn creates.  To get
what you want, you need to run multiple instances, as you say, if you
can run those safely.

The recommended way to deploy gunicorn, though, is to front it with a
reverse proxy such as nginx.  You'd configure nginx (or whatever proxy
you choose) to listen on the interfaces/ports you want, and
enable/disable TLS as required.  An example for configuring nginx is at
https://docs.gunicorn.org/en/latest/deploy.html, although that
particular example does not talk about TLS.

-- 
regards,
kushal
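
The reverse-proxy layout described in the reply above, as an added example that is not part of the original thread or of the Gunicorn documentation: nginx owns ports 80 and 443 and terminates TLS only on 443, while a single Gunicorn instance speaks plain HTTP on loopback. The hostname, certificate paths and the 127.0.0.1:8000 bind address are assumptions.

```nginx
# Added example: place in nginx's http{} context (e.g. a conf.d/*.conf file).
# Assumes Gunicorn runs unprivileged with bind = ['127.0.0.1:8000'] and no
# certfile/keyfile, so it serves plain HTTP on loopback only.
upstream gunicorn_app {
    server 127.0.0.1:8000 fail_timeout=0;
}

# Port 80: plain HTTP, no TLS handshake expected.
server {
    listen 80;
    server_name example.org;                              # placeholder hostname

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;       # "http" on this listener
        proxy_redirect off;
        proxy_pass http://gunicorn_app;
    }
}

# Port 443: nginx terminates TLS, then proxies to Gunicorn as plain HTTP.
server {
    listen 443 ssl;
    server_name example.org;                              # placeholder hostname
    ssl_certificate     /etc/nginx/tls/example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.org.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;       # "https" on this listener
        proxy_redirect off;
        proxy_pass http://gunicorn_app;
    }
}
```

Gunicorn honours `X-Forwarded-Proto` only from peers listed in its `forwarded_allow_ips` setting, which defaults to loopback, so the application sees the correct scheme without trusting that header from arbitrary clients.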

