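#!/usr/bin/env bash
# mTLS front end: nginx terminates TLS, verifies the client certificate and
# passes the request on to a local gunicorn instance. When client verification
# fails the request is refused and nginx logs the failure.
#
# This is a runbook of shell steps; each "---" heading is a section of the
# original notes. Run the sections you need rather than the whole file.
set -euo pipefail

# --- ubuntu ---
# Installed for all users so that www-data (the account the gunicorn service
# runs as) can import Flask and gunicorn.
# NOTE(review): an unpinned system-wide pip install is not reproducible; pin
# versions or use a venv owned by www-data (newer Ubuntu releases also refuse
# system-wide pip installs unless a venv is used).
sudo pip install Flask gunicorn

# --- nginx ---
# "install nginx" in the original notes; on Ubuntu that is the apt package.
sudo apt-get install -y nginx
sudo systemctl enable --now nginx
# Where to look: /var/log/nginx/access.log (requests, typically including the
# 400 nginx answers when client verification fails — confirm on your version)
# and /var/log/nginx/error.log (TLS handshake errors).
# Main config: /etc/nginx/nginx.conf

# --- gunicorn ---
# Bind to localhost only: the app must be reachable solely through nginx,
# which is where mTLS is enforced.
gunicorn --bind localhost:5000 app:app            # for testing, foreground
sudo nano /etc/systemd/system/gunicorn1.service  # as a service: write the unit
sudo systemctl enable --now gunicorn1            # as a service: start it
python app1.py                                   # run the app directly

# App lives under /var/www, owned by the service account.
sudo mkdir -p /var/www                           # -p: idempotent on re-run
sudo chown -R www-data:www-data /var/www
sudo cp app1.py /var/www

# --- test ---
# Throw-away PKI: a CA, a CA-signed server cert, a CA-signed client cert and a
# client cert signed by a *different* key that nginx must reject.

# CA private key and self-signed CA certificate
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem \
  -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"

# Server key + CSR, signed with the CA key and certificate.
# The test client connects to https://127.0.0.1, so the server cert needs a
# SAN for that address (and for localhost). A plain CSR carries no SAN; the
# original notes worked around that with `curl -k`, which turns off server
# verification and makes the mTLS test one-sided.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost"
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 -sha256 \
  -extfile <(printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n')

# Client key + CSR, signed by the same CA -> must be accepted.
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr \
  -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.crt -days 365 -sha256

# Self-signed client cert, not issued by the CA -> must be rejected.
openssl genrsa -out wrong_client.key 2048
openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"

# Private keys stay readable by their owner only (belt and braces; recent
# openssl already creates them 0600).
chmod 600 -- ca.key server.key client.key wrong_client.key

# Negative test: the untrusted client certificate must not get a 2xx.
# --cacert (and no -k) so the server certificate is verified as well.
if curl -sS --fail https://127.0.0.1 --cacert ca.pem \
    --cert wrong_client.crt --key wrong_client.key; then
  printf 'FAIL: untrusted client certificate was accepted\n' >&2
  exit 1
fi
# Positive test: the CA-issued client certificate is accepted (set -e aborts
# the script if this request fails).
curl -sS --fail https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key

# --- untested ---
# Makes the test CA trusted by *every* TLS client on this host, not just curl;
# only do this on a throw-away machine. Not needed while clients pass --cacert.
# sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
# sudo update-ca-certificates

# --- nginx configuration ---
# OCSP so the client can check that the server is valid; a CRL to check if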
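# ...a client is revoked (continuation of the note above).
#
# NOTE(review): /path/to/your/... and /etc/nginx/ssl/crl.pem are placeholders.
# nginx refuses to start if a referenced file is missing, and the test steps in
# these notes never generate a CRL, so create one first or leave ssl_crl out
# until there is one.
server {
    listen 443 ssl;
    # The test certificates carry CN=localhost / SAN localhost,127.0.0.1; the
    # name here must match what clients connect with, or their server
    # verification fails.
    server_name yourdomain.com;

    ssl_certificate     /path/to/your/server.crt;
    ssl_certificate_key /path/to/your/server.key;

    # Client certificate verification: the presented chain must end in this
    # CA, otherwise the request is refused and logged.
    ssl_client_certificate /path/to/your/ca.pem;
    ssl_verify_client on;

    # OCSP stapling of the *server* certificate's status. With the private test
    # CA no OCSP responder URL is embedded in server.crt, so stapling has
    # nothing to fetch until a responder exists — confirm.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/your/ca.pem;

    # Resolver used for OCSP responder hostnames. As written these lookups go
    # to a public resolver; point it at the local resolver if that is not
    # intended.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    # OCSP validation of the *client* certificate chain.
    # The original config also had `ssl_ocsp_fail closed;`, which is not an
    # ngx_http_ssl_module directive (the module has ssl_ocsp, ssl_ocsp_cache and
    # ssl_ocsp_responder) and makes `nginx -t` fail; it is removed here. A client
    # cert whose status cannot be obtained is expected to fail verification —
    # confirm with the nginx docs, and set ssl_ocsp_responder if the test certs
    # carry no OCSP URL.
    ssl_ocsp on;

    # CRL for client certificate revocation checking (file must exist, see the
    # note above).
    ssl_crl /etc/nginx/ssl/crl.pem;

    location / {
        # The notes describe nginx as the mTLS front end for the local gunicorn
        # instance (bound to localhost:5000), so requests are proxied there.
        # The original `try_files $uri $uri/ =404;` served static files instead
        # and never reached gunicorn.
        proxy_pass http://127.0.0.1:5000;
        # Pass the verified client identity on so the app can authorize on it.
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
    }
}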