Fix TLS issues in Granian and implement TLS for NGINX

[madhav165]

🐛 Bug-fix PR

Closes #2526

---

📌 Summary

This PR focuses on fixing and documenting TLS setup issues across docker-compose, Granian, and Nginx to make HTTPS deployments work reliably.

Key Changes

• Granian SSL fix: Added missing SSL key passphrase support in run-granian and switched to AES-256 encrypted keys, which Granian requires.
• Nginx cert mounting: Added certificate mounts to Nginx containers.
• Nginx SSL config: Added backend SSL configuration and optional frontend HTTPS config in nginx.conf.
• TLS handshake error fix: Identified and fixed the cause of InvalidContentType handshake errors by correcting Nginx HTTPS configuration and connection reuse.
• TLS documentation: Added a detailed TLS guide with setup options, fixes, and debugging info (including peer address errors like 172.18.0.X:XXXXX).

Impact

• HTTPS now works end-to-end (gateway ↔ nginx ↔ client)
• TLS errors are eliminated after config update
• Clear documentation reduces setup and debugging time
• No breaking changes (TLS remains opt-in)

🧪 Verification

Check	Command	Status
Lint suite	make lint	pass
Unit tests	make test	pass

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients

✅ Checklist

• Code formatted (make black isort pre-commit)
• No secrets/credentials committed

[crivetimihai]

Review and Fixes Applied

I've rebased this PR onto main and made the following corrections:

Bug Fix

• Fixed broken certs Makefile target - The shell script was incomplete (missing -addext "subjectAltName=...", closing semicolon, success message, and fi). This would have caused certificate generation to fail.

Reverted Unintended Changes

Removed leaked local development settings that were not related to TLS:

• Restored HTTP_SERVER=gunicorn as default (was changed to granian)
• Restored GRANIAN_WORKERS=16 (was reduced to 2)
• Restored replicas: 3 (was reduced to 1)
• Restored resource limits to production defaults (8G/4G instead of 2G/1G)
• Restored gateway ports as commented out (for multi-replica mode)

Commit History

Squashed 12 commits into 1 clean commit with proper conventional commit format and co-author attribution.

Verification

• ✅ Package verification passed (10/10)
• ✅ Makefile syntax validated
• ✅ Security review passed (no injection vulnerabilities, proper file permissions)
• ✅ Changes are consistent with existing codebase patterns

[crivetimihai]

Additional Fixes (based on code review)

Addressed two valid issues identified during review:

1. KEY_FILE path mismatch (Medium)

Issue: docker-compose.yml pointed KEY_FILE to key-encrypted.pem, but make certs only creates key.pem. Users following the compose hints would get "file not found".

Fix: Restored KEY_FILE=/app/certs/key.pem as the default, with explicit documentation for passphrase-protected keys:

## Uncomment to enable HTTPS (run `make certs` first)
# - SSL=true
# - CERT_FILE=/app/certs/cert.pem
# - KEY_FILE=/app/certs/key.pem
# For passphrase-protected keys: run `make certs-passphrase` and use:
# - KEY_FILE=/app/certs/key-encrypted.pem
# - KEY_FILE_PASSWORD=${KEY_FILE_PASSWORD}

2. nginx backend TLS guidance incomplete (Low)

Issue: The proxy_ssl_* settings could be uncommented without changing proxy_pass from http:// to https://, causing TLS handshake errors.

Fix: Added explicit instructions in the SSL Backend Configuration section:

# To enable HTTPS for backend connections to gateway:
# 1. Uncomment these proxy_ssl_* settings below
# 2. Change ALL proxy_pass directives from http:// to https://
#    (e.g., proxy_pass https://gateway_backend;)

Granian version verified

The --ssl-keyfile-password option is supported in Granian. The project requires >=2.6.1 which includes this feature.