SSL error with bokeh serve (_ssl.c:1131)

Hi, I have built my website with flask/apache and bokeh. Everything runs fine when running over http. Now implementing the ssl certifcate. Everything works on the website side. However when calling bokeh serve while pointing to my cert.pem and privkey.pem i get the following error:

SSL Error on 7 ('myipaddress ', 51340): [SSL: HTTP_REQUEST] http request (_ssl.c:1131)

Command used:
bokeh serve --address=myipaddress --port=5100 --allow-websocket-origin=myipaddress --allow-websocket-origin=mywebsite.com --log-level debug --ssl-certfile /path/to/cert.pem --ssl-keyfile /path/to/privkey.pem --use-xheaders bokeh_app.py;

Note. This certificate and key work with apache before this process (website autodirects to https and uses certificate), so the hiccup comes when trying to serve bokeh. Also above my ip address and website have been replaced with aliases.

I’m struggling to find out what the above error actually means.

AFAIK that error indicates that the request was rejected because it was an HTTP request (it has to be HTTPS) so the first thing you should verify is that you are, in fact, making HTTPS requests.

Perhaps this is useful/relevant:

Interesting, I’m not quite sure how I would integrate this into my bokeh serve set up… One interesting point is that since I have built this on apache (and that party of the project works just fine) ports 443 and 80 are already being used so running the tornado code on those results in an error.

I only meant generally that HTTP requests can be redirected to HTTPS ones. Reiterating what I said earlier, AFAIK the issue is the that the Bokeh server is receiving HTTP requests, but if you configure SSL, then only HTTPS requests are permissible. You will have to ensure the Bokeh server only gets HTTPS request, one way or another. If not with redirects, then some other way.

The thing that I’m not understanding here. Is that my website is running on HTTPS. And requesting the bokeh server. So for example. When I remove the flags to the certificate and the private key. I get the following”

And obviously when I include those flags I get the SSL error that we are discussing . This got me thinking that I need to serve the bokeh app over https. And I was hoping including the cert and key would do that?

As shown in the screensot, the XMLHTTPRequest is HTTP. That explains both the previous error (with SSL enabled) and the current one (with SSL turned off). If you have a proxy (e.g. Apache) in between the front end and the Bokeh server, you should make sure that the connection from the proxy to the Bokeh server is HTTPS.

Have you configured Apache to forward the relevant headers? E.g. for Nginx this is required:

You’ll also have to customize Nginx. In particular, you have to configure Nginx to send X-Forwarded-Proto headers and use SSL termination.

That configuration is a necessary for prerequisite for this to be true:

The --use-xheaders flag causes Bokeh to override the remote IP and URI scheme/protocol for all requests with X-Real-Ip , X-Forwarded-For , X-Scheme , and X-Forwarded-Proto headers when they are available.

That is, the XMLHTTPRequest that Bokeh makes will automatically have the correct protocol (http vs https) if --use-xheaders is set and the proxy forwards the necessary headers.

A header forwarding config similar to Nginx’s X-Forwarded-Proto may be necessary for Apache. (I’m afraid Apache configuration is not an area of my expertise, so all I can do is note this possibility)