How can I implement a secure WebSocket (wss://) server in Python?

I want to serve a real-time stream that has to be securely encrypted due to sensitive data.

I've successfully got normal WebSockets streaming using both gevent and gunicorn as direct frontends, but now I need to make it secure, and am looking for either of these:

1. A server that can serve secure WebSocket connections that are proxied to (for example) gunicorn which listens for non-secure WebSocket connections.
2. A framework that can serve secure WebSocket connections directly. I've been looking at Tornado and believe it can handle it, but I'm still open to suggestions.
3. I use ZeroMQ for the PUB/SUB pattern. If there is a good WebSocket protocol implementation for ZeroMQ, that would be great.

Spe开发者_运维技巧ed is not super important here as the number of connections will be low. However, the integrity of the data is important.

Assuming that you have your app running correctly over non-SSL Tornado WebSockets, change the listen call from:

app.listen(args.listen_port, args.listen_interface) 

to:

app.listen(args.listen_port, args.listen_interface, ssl_options={ 
        "certfile": os.path.join(lib_dir, "mydomain.crt"),
        "keyfile": os.path.join(lib_dir, "mydomain.key"),
    })

where "mydomain.crt" and "mydomain.key" are your usual SSL certificate files, and lib_dir is the directory they live in.

Don't forget to change the client to use "wss:"

Also note that the port you specify in the listen call will still be used if you specify ssl_options. i.e. it will not revert to listening on port 443.

You can check out the websockify project. Websockify is a proxy that allows a WebSockets capable browser to communicate with a raw binary TCP server. It does this by base64 encoding all traffic to/from the browser. However, the project is modular and the websocket.py file is a general WebSocket server that is designed to be extended (and there a couple of included tests that show how this works). It would be fairly easy to disable the base64 encoding if that is not needed for you project.

Websockify also includes a Javascript library 'websock.js' which is designed to interact with websockify. It will transparently fallback to using web-socket-js (Flash based) if the browser does not have native WebSocket support.

Websockify supports secure (TLS/wss) connections and also is able to answer Flash security policy requests inline on the same port.

Disclaimer: I made websockify.

Take a look at the standalone websockets server of the pywebsocket project supported by Google.

Note that this Python module uses CGIHTTPServer so you need to tweak it to make it secure. I had a similar requirement for a project I was involved in some months ago, so I forked the standalone.py module and removed the dependencies with CGI stuff but I haven't tested secure connections very much.

Maybe you can import OpenSSL.SSL and set up a WebSocketServer as it is in my script. It should use a WebSocketRequestHandler with the proper configuration of use_tls, private_key and certificate in order to implement TLS (Transport Layer Security).

Read the source code. I think you can extend it to meet your needs.

We use Tornado and Tornadio for our realtime app, and I just switched on SSL for websockets, as well as all the other realtime socket.io protocols. It took me just over an hour! more info here:

http://devblog.resolversystems.com/?p=1084

In server side add this to Tornado:

tornadio2.server.SocketServer(application, ssl_options={
    "certfile": "server.crt",
    "keyfile":  "server.key",
})

In client side, refer to this link: wss://www.example.com:2201/ws, where the 2201 is the secure Websocket's TLS port.