Overview
Pounce supports TLS termination using Python's stdlib ssl module, with optional truststore integration for system certificate stores.
Basic Setup
pounce myapp:app --ssl-certfile cert.pem --ssl-keyfile key.pem
Or programmatically:
import pounce

pounce.run(
    "myapp:app",
    ssl_certfile="cert.pem",
    ssl_keyfile="key.pem",
)
Note
Both ssl_certfile and ssl_keyfile must be provided together. Setting only one raises ValueError.
Self-Signed Certificates (Development)
For local development, generate a self-signed certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
-days 365 -nodes -subj '/CN=localhost'
Then run:
pounce myapp:app --ssl-certfile cert.pem --ssl-keyfile key.pem
Your browser will warn about the self-signed certificate — this is expected in development.
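A pre-flight check for the certificate/key pair, as an added example that is not part of Pounce: preflight_tls and demo are hypothetical names, and the group/other permission check assumes a POSIX host. It applies the both-or-neither rule from the note above, flags loose permissions on the unencrypted key that -nodes produces, and asks the stdlib ssl module to load the pair.

```python
import os
import ssl
import stat
import tempfile


def preflight_tls(certfile, keyfile):
    """Return a list of problems found; an empty list means the pair is usable."""
    if certfile is None and keyfile is None:
        return []  # plain HTTP, e.g. behind a TLS-terminating proxy
    if certfile is None or keyfile is None:
        raise ValueError("certfile and keyfile must be provided together")

    problems = []
    for label, path in (("certificate", certfile), ("key", keyfile)):
        if not os.path.isfile(path):
            problems.append(f"{label} file not found: {path}")
    if problems:
        return problems

    # A key written with `openssl ... -nodes` is unencrypted, so file
    # permissions are its only protection. Flag group/other access (POSIX).
    mode = stat.S_IMODE(os.stat(keyfile).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {mode:03o} allows group/other access; use 600")

    # Let the stdlib ssl module parse both files; this also fails when the
    # private key does not belong to the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"cert/key pair rejected by ssl: {exc}")
    return problems


def demo():
    """Constructed sample: placeholder files that are not valid PEM."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = os.path.join(tmp, "cert.pem"), os.path.join(tmp, "key.pem")
        for path in (cert, key):
            with open(path, "w") as fh:
                fh.write("not a real PEM file\n")
        os.chmod(key, 0o644)
        return preflight_tls(cert, key)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it against the real cert.pem and key.pem before starting the server; an empty list means the pair loaded cleanly.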
ALPN and HTTP/2
When TLS is enabled and pounce[h2] is installed, Pounce advertises both h2 and http/1.1 via ALPN (Application-Layer Protocol Negotiation). Clients that support HTTP/2 will automatically use it.
Truststore Integration
For production, install the truststore extra for system certificate store integration:
uv add "bengal-pounce[tls]"
This uses the operating system's trusted CA certificates instead of certifi or a bundled CA file.
Reverse Proxy
In many production setups, TLS is terminated at a reverse proxy (nginx, Caddy, etc.) and Pounce receives plain HTTP. In this case:
- Don't set ssl_certfile/ssl_keyfile on Pounce
- Set root_path if the proxy serves at a subpath
- Set trusted_hosts to your proxy's address
import pounce

pounce.run(
    "myapp:app",
    root_path="/api",  # subpath the proxy serves the app under
    trusted_hosts=("127.0.0.1",),  # address of the reverse proxy
)
See Also
- HTTP/2 — Requires TLS with ALPN
- Production — Full production setup
- ServerConfig — All TLS options