HTTPS instead of HTTP


Hi there,

Please excuse the noob question. This is my first experimentation with web APIs.

I am running a simple apistar endpoint on a local machine. I’d like to make it accessible from an Amazon Alexa skill, and Alexa supports HTTPS but not HTTP. What do I need to do in order to get apistar running on HTTPS instead of HTTP?


I’ve always put the burden of HTTPS on my web server and just have that reverse proxy to my WSGI apps. So in my stack nginx is using Let’s Encrypt for secure web traffic. They have a dead simple program called Certbot with plugins to configure your web server for HTTPS with just a few commands.


@androiddrew I’m not sure I understand your reply. I have apistar running on its own as an HTTP endpoint. There is no webserver. Is there something I can put apistar behind that will expose an HTTPS endpoint?


My stack looks like this:

Nginx <–>Gunicorn (WSGI Server) <–>APIStar (WSGI app)

I am operating under the assumption that you are using WSGI, but this framework supports Async model too. So an HTTPS request comes into my NGINX server which is the termination point for the SSL. I use Certbot and the nginx plugin to acquire a free security cert for this task. Nginx decrypts the request then using a unix socket proxies the request to Gunicorn which is the WSGI server running my apistar WSGI app. In APIStar you write apps and you use a compliant server to run them. When you type apistar run you are running your APIStar app in the Werkzeug WSGI development server. That is not a production server. You’ll want to use something like gunicorn, uwsgi, Apache mod_wsgi.

Look through some of the documentation for running Django or Flask apps. You can follow all the same setup but when it comes time to pass an app to the WSGI server you just use your APIStar app instance instead :slight_smile:


Thanks, that’s helpful.

It wasn’t at all clear to me from the apistar docs that it’s “not for production”. If this is for a minuscule amount of traffic and personal (non-public) use only, is there a reason not to use apistar run? It seems to work just fine.


Ok I think I have a better idea of what you are trying to do. Yeah you can use a self signed cert with the dev server in Werkzeug but you can’t use the APIStar run command to run it. You’ll need to create an SSL context and pass that to the simple server. See the docs here:

I don’t think that the dev server is the right choice if it’s running for any long period of time. Now you can create and use a self signed cert in gunicorn too which might be the better option but may take a little more fiddling with if you aren’t familiar with the setup and config.
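
The "create an SSL context and pass it to the simple server" step from the reply above, as an added example that is not part of the original thread. It uses the standard library's wsgiref server in place of the Werkzeug dev server so it runs without extra packages; `demo_app`, the `cert.pem`/`key.pem` arguments and port 8443 are assumptions, and the real APIStar WSGI app object would replace `demo_app`.

```python
import ssl
import sys
from wsgiref.simple_server import make_server


def demo_app(environ, start_response):
    """Stand-in WSGI callable (hypothetical); pass the real WSGI app instead."""
    body = b'{"status": "ok"}'
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def base_tls_context():
    """Server-side TLS context that refuses anything older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_https_server(app, certfile, keyfile, host="127.0.0.1", port=8443):
    """Return a WSGI server whose listening socket speaks TLS."""
    ctx = base_tls_context()
    # Load the certificate before binding, so a missing or mismatched
    # cert/key pair fails here (an OSError subclass) with no port left open.
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    httpd = make_server(host, port, app)
    # Wrap the listening socket: every accepted connection is then TLS.
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


if __name__ == "__main__":
    # Usage: python serve_https.py cert.pem key.pem
    cert, key = sys.argv[1], sys.argv[2]
    server = make_https_server(demo_app, cert, key)
    print("Serving HTTPS on https://127.0.0.1:8443")
    server.serve_forever()
```

The server binds to 127.0.0.1 by default and handles one connection at a time, so it fits the local testing case discussed in the thread rather than long-running use.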