Adding SSL to the Proxy in Front of devpi

I was getting a bunch of annoying warnings with the devpi index, so I decided to add SSL.

I don’t think it was worth it, because the config is a lot harder. Also, I’ve migrated the entire provisioning to Ansible, so this is just a fragment to add on. You will need to find another howto that explains setting up an HTTPS server. Make a self-signed certificate, enable the mod_ssl Apache module, and replace devpi.conf with:

<VirtualHost 192.168.111.19:80>
    ServerName devpi.hif.lo

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    RequestHeader set X-outside-url "http://192.168.111.19"
    RequestHeader set X-Real-IP "192.168.111.19"
    ProxyPass / "http://localhost:4040/"
    ProxyPassReverse / "http://localhost:4040/"
    <Directory /var/www>
        Options +Includes
    </Directory>
</VirtualHost>
<VirtualHost 192.168.111.19:443>
    ServerName devpi.hif.lo
    SSLEngine on
    SSLCertificateFile "/etc/ssl/devpi.hif.lo/devpi.hif.lo.pem"
    SSLCertificateKeyFile "/etc/ssl/devpi.hif.lo/devpi.hif.lo.key"

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    RequestHeader set X-outside-url "https://192.168.111.19"
    RequestHeader set X-Real-IP "192.168.111.19"
    ProxyPass / "http://localhost:4040/"
    ProxyPassReverse / "http://localhost:4040/"
    <Directory /var/www>
        Options +Includes
    </Directory>
</VirtualHost>

Put the cert and key into the indicated files, and restart the server.

Now you need to modify your ~/.pip/pip.conf or pip.conf in your virtualenv.

[global]
index-url = https://devpi.hif.lo/root/pypi/+simple/
trusted-host = devpi.hif.lo

[search]
index = https://devpi.hif.lo/root/pypi/
trusted-host = devpi.hif.lo

[easy_install]
index_url = http://devpi.hif.lo/root/pypi/+simple/

The “trusted-host” parameter tells pip to treat the host as trusted even though its certificate does not validate, which prevents the error that’s raised because the certificate is self-signed.
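
To see which index URLs in a pip.conf like the one above are fetched without authenticating the server, here is a small audit script. It is an added example, not part of the original post; the function name and the client-side certificate path in PINNED_CONF are assumptions, and PINNED_CONF uses pip's `cert` option as an alternative to trusted-host.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the pip.conf shown on this page.
PAGE_CONF = """\
[global]
index-url = https://devpi.hif.lo/root/pypi/+simple/
trusted-host = devpi.hif.lo

[search]
index = https://devpi.hif.lo/root/pypi/
trusted-host = devpi.hif.lo

[easy_install]
index_url = http://devpi.hif.lo/root/pypi/+simple/
"""

# Constructed alternative: verify against a copy of the self-signed cert
# instead of trusting the host. The client-side path is an assumption.
PINNED_CONF = """\
[global]
index-url = https://devpi.hif.lo/root/pypi/+simple/
cert = /etc/ssl/devpi.hif.lo/devpi.hif.lo.pem
"""

URL_KEYS = {"index-url", "index_url", "index", "extra-index-url"}

def audit_pip_conf(text):
    """Return sorted (section, key, finding) for index URLs fetched without
    server authentication: 'plaintext' (http) or 'tls-unverified' (the
    host is listed in trusted-host, so pip skips certificate checks)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = dict(cp.items(section))
        trusted = set(opts.get("trusted-host", "").split())
        for key in sorted(URL_KEYS & opts.keys()):
            for url in opts[key].split():
                parts = urlsplit(url)
                if parts.scheme == "http":
                    findings.append((section, key, "plaintext"))
                elif parts.hostname in trusted or parts.netloc in trusted:
                    findings.append((section, key, "tls-unverified"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_pip_conf(PAGE_CONF):
        print(*finding, sep="\t")
```

For the `cert` approach to pass verification, the self-signed certificate must name devpi.hif.lo as a subject alternative name.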