In production, we may wish to deploy the WSGI gateway (gunicorn) on a separate host to the nginx frontend reverse proxy. See docker-compose.azure.yml and docker-compose.backend.yml. The network in-between the two hosts should be treated as insecure.
The solution to this is to implement transport-layer security between nginx and its upstream server at gunicorn.
Resources:

- This StackOverflow question on running gunicorn on SSL. I suspect they mean TLS, not SSL, as people often incorrectly use SSL as a shorthand for the 's' in 'https'.
We are no longer deploying with this architecture: Instead, we were successful in getting server routing to the outside world from the backend server. This issue is no longer required.
NB: This is distinct from issue #86: There, TLS is between client and nginx. In this issue, TLS is required between nginx and gunicorn.
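The nginx-to-gunicorn leg the issue asks for, as an added configuration example that is not part of the original issue or of the project's compose files. nginx verifies gunicorn's certificate against a private CA and presents its own client certificate, so gunicorn can in turn require it (mutual TLS); with both checks in place, a host on the insecure network between the two containers can neither read the traffic nor impersonate either side. All hostnames, ports and certificate paths are assumptions.

```nginx
# nginx side (frontend host): proxy to gunicorn over TLS and verify its certificate.
upstream gunicorn_backend {
    server backend.internal.example:8443;   # assumed hostname/port of the gunicorn host
}

server {
    listen 443 ssl;
    server_name app.example;                            # assumed public hostname
    ssl_certificate     /etc/nginx/tls/public.crt;      # client-facing TLS (the issue #86 leg)
    ssl_certificate_key /etc/nginx/tls/public.key;

    location / {
        proxy_pass https://gunicorn_backend;

        # Without proxy_ssl_verify, nginx encrypts but accepts any certificate,
        # so an on-path attacker could still terminate and relay the connection.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/internal-ca.crt;   # private CA that signed the backend cert
        proxy_ssl_name                 backend.internal.example;         # name checked against the backend cert
        proxy_ssl_server_name          on;
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;

        # Client certificate so gunicorn can authenticate nginx (mutual TLS).
        proxy_ssl_certificate          /etc/nginx/tls/nginx-client.crt;
        proxy_ssl_certificate_key      /etc/nginx/tls/nginx-client.key;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

On the gunicorn host the matching (assumed) invocation is `gunicorn --bind 0.0.0.0:8443 --certfile /etc/gunicorn/tls/backend.crt --keyfile /etc/gunicorn/tls/backend.key --ca-certs /etc/gunicorn/tls/internal-ca.crt --cert-reqs 2 app:application`, where `--cert-reqs 2` is Python's `ssl.CERT_REQUIRED`, so connections without a certificate signed by the internal CA are refused. The backend certificate must carry `backend.internal.example` as a subject alternative name, and the application should only honour `X-Forwarded-Proto` because the mTLS check guarantees the request came through this nginx.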