Flask application as a desktop application | SSL certificate - python

The situation is that a desktop application needs to run in the background (an application that would be "hanging around" in the system tray) with an API. For simplicity, I chose Flask to build the API and Python overall to build the desktop part of it. Is this a practical or reasonable way to create a desktop application? The application itself will not be large scale; it will only hold several Python scripts.
Basically, a Microsoft PowerApp will be communicating with this API on the desktop. When a call is executed from the Microsoft PowerApp to the API, it will target a public static IP address on a specific port, and that will be forwarded to the local IP of the Flask application. I understand that PowerApps requires SSL to communicate with applications. I can figure out how to build the API and desktop part of it, but I cannot figure out the SSL certificates. When I try to generate a certificate through Certbot, it requires me to supply a domain. This situation will not be using a domain, only the public static IP. Does this seem logical at all, or should a different approach be taken?

Though some SSL certificate providers support issuing certs for IP addresses, do yourself a favor and get one assigned to a hostname. Just use your organization's domain to create a hostname you like.
Alternatively, try entering the IP address instead of a domain when ordering a certificate.
You can read more about IP-based certs here: Is it possible to have SSL certificate for IP address, not domain name?

SSL issue when trying to communicate with Python webserver on Raspberry PI by using a Progressive Web App

I'm trying to create a measurement device which can be controlled with a smartphone.
My situation
The places where I'm using the device don't have any internet connection available.
The measurement device uses a Raspberry Pi, which creates a local WiFi network to communicate with the smartphone.
There is a Python webserver running on the RPi.
The smartphone has a PWA installed to send commands to the RPi's webserver.
The PWA is hosted on GitHub Pages (uses HTTPS by default).
After installation the PWA is supposed to work without an internet connection (it just uses the RPi WiFi).
My goal is to successfully send requests to the Python webserver on the RPI by using the PWA on my smart phone.
My issue
When fetching from the Python webserver within the PWA, I receive a Mixed Content error because the PWA is hosted on HTTPS (and also requires HTTPS) but the Python server is not.
When I tried using a self-signed certificate created with OpenSSL, I received an ERR_CERT_AUTHORITY_INVALID error.
I tried to use Let's Encrypt, but Certbot requires an actual domain. I only have an IP address, which is the RPi's IP within its own WiFi network.
What should I do?
I fixed my issue by registering a free .tk domain pointing to 127.0.0.1 (localhost) and using Certbot from Let's Encrypt to create an SSL certificate.
To validate the domain with Certbot I used the TXT record validation.
In order to make use of the domain without an internet connection I added a DNS record with the same .tk domain pointing to localhost inside the dnsmasq config file of the RPi.
My Python webserver then uses the cert file to serve over HTTPS, so the SPA on my mobile device won't throw an error when requesting data.

Connecting Server to Client using Socket Programming

I am trying to connect two computers using the socket library with Python. One of the systems is my local system and the other is an instance in AWS. The one hosted in AWS has its own public address, and my local system only has a private IP address (192.168.10.1). I am able to establish a connection from my local system to the system in AWS, but not vice versa.
Is it possible to connect from the AWS system to the local system (here the local system should be listening for incoming connections)?
You need to configure your router to forward requests from AWS to the computer on your network. It would be good practice to set your local computer with a static IP address or use DHCP reservation to ensure that the address doesn't change.
Warning: You will also need to ensure your connection is secure, most likely using a combination of authentication, authorisation and encryption. Forwarding ports exposes your device to the entire world.
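One way to act on the answer's "authentication, authorisation and encryption" warning for a listener that sits behind a port forward. This is an added example, not code from the question or the answer: TLS encrypts the connection, a client certificate issued by your own CA authenticates the caller, and an allow-list of client CNs authorises it. The file names and the CN "aws-worker-1" are placeholders.

```python
import socket
import ssl

# Added example, not code from the question or answer. It applies the answer's
# "authentication, authorisation and encryption" advice to a listener that sits
# behind a port forward: TLS encrypts, a client certificate issued by your own
# CA authenticates, and an allow-list of client CNs authorises. The file names
# and the CN are placeholders you would replace with your own.
SERVER_CERT, SERVER_KEY, CLIENT_CA = "server.crt", "server.key", "clients-ca.crt"
ALLOWED_CLIENTS = {"aws-worker-1"}     # CNs issued by CLIENT_CA that may connect

def build_server_context(certfile, keyfile, client_ca):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED    # handshake fails without a client cert
    ctx.load_verify_locations(client_ca)   # only certs chaining to our CA pass
    return ctx

def peer_common_name(cert):
    """Pull commonName out of the dict that SSLSocket.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_authorised(cert, allowed=ALLOWED_CLIENTS):
    """Authentication is done by the chain check; this is the authorisation step."""
    return peer_common_name(cert) in allowed

def serve(bind="0.0.0.0", port=9000):
    ctx = build_server_context(SERVER_CERT, SERVER_KEY, CLIENT_CA)
    with socket.create_server((bind, port)) as srv:
        while True:
            raw, addr = srv.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    cert = tls.getpeercert()
                    if not is_authorised(cert):
                        print(f"reject {addr}: CN {peer_common_name(cert)!r} not allowed")
                        continue
                    tls.sendall(b"hello " + peer_common_name(cert).encode() + b"\n")
            except ssl.SSLError as exc:
                print(f"handshake with {addr} failed: {exc}")

if __name__ == "__main__":
    serve()
```

The client side needs the matching key pair and the server's cert as its trust anchor; a caller with no certificate, or one from another CA, never reaches the authorisation check because the handshake itself fails.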

Is it possible to inspect the outbound HTTPS traffic?

So, the situation is: I want to know what path a program is sending its request to. With Wireshark, I can only see that it is sending an HTTPS request and the corresponding domain, but not the path.
I think there could be a way to at least inspect the outbound HTTPS traffic even without hacking the program.
Let's say I run a fake website and redirect the connection for the real site to my local fake site. The request will then be sent to my fake site, and I can create a self-signed fake key pair for it. Install the private key on the fake site and the public key on my local machine. Then the handshake should be approved.
But I have several problems:
How do I launch a fake HTTPS server in the simplest way? Nginx? Or is there a simple solution in Python?
How can I install the public key on my local machine? I'm using Linux Mint 19, which is based on Ubuntu 18.04.
Any help is appreciated!
You may want to check Charles Proxy. This is a proxy with which you can inspect the outbound traffic (including HTTPS).
In order to inspect HTTPS traffic, you will need to enable SSL Proxying, which means that Charles will dynamically generate a certificate and become the man-in-the-middle for HTTPS connections.
Charles signs these dynamic certificates with its own certificate, which has to be added to the trust store of the application you use. Various instructions are available here.

How can I post to an API running on a remote desktop?

I'm creating a Python Flask API on a remote desktop and running it on the remote desktop's localhost.
Is there any way I can access this API from my local machine?
We are working in a team and I want to share this with my team members, but this is confidential and is not to be deployed on an open server.
We want to post and get the result from every member's local machine to the API running on the remote desktop.
Both our local machines and the remote desktop are Windows 10.
Sorry for being abstract, but I'm searching for any way out. Thanks.
Well, you should open your way to this API. You'll have to set up a VPN or an IP address filter on the server so you can access the server from your network while still having it secured on the Internet. You can also set up a simpler proxy if you prefer. I'll not cover the details of how to set up a VPN or proxy since it can get pretty extensive, but a Google search will help you find the best alternative for you.
AFAIK, the Remote Desktop Protocol does not allow for any kind of VPN. However, if you can switch to TeamViewer, it does have an easy-to-set-up VPN system that will allow you to get into the network with little configuration. Once a VPN is configured, it will work as if you were in the same network as the server, so from there you can access your API from your host machine by just going to the IP address of the server.
Do take notice of the security policies of whoever owns the server, since you can get into trouble if you don't have permission to enable some access from the outside. Security always comes before comfort.
Short term solution:
Firstly, download ngrok for your operating system.
For debugging and testing purposes you can expose a secure tunnel connection to your API by running this command in your command prompt / terminal:
    ngrok http <PORT_NUMBER> -host-header="localhost:<PORT_NUMBER>"
where PORT_NUMBER is the port number on which your Flask application is running.
For example, if your Flask application is running on port 5000, simply execute this command:
    ngrok http 5000 -host-header="localhost:5000"
Running this will give you two hostnames, one with HTTP and the other a secure HTTPS one, connected by a tunnel like this for a duration of 8 hours, after which the command needs to be re-run.
These you can call remotely.
Long term solution:
Deploy the Flask application using FastCGI, or to a cloud infrastructure provider like Microsoft Azure, which gives ready-made templates for Flask applications.

How to make a valid SSL Certificate / Keyfile to use with Flask SSL WSGI?

I am writing a Flask web application and use eventlet as the networking library for that application (eventlet is wrapped by Flask-SocketIO to allow asynchronous operation).
Following this guide I have successfully created an SSL key file and cert file, which I pass to the WSGI server:
    from flask import Flask
    from flask_socketio import SocketIO
    app = Flask(__name__)
    socket_io = SocketIO(app, async_mode='eventlet')
    socket_io.run(app,
                  host=APP_HOST,
                  port=APP_PORT,
                  keyfile='ia.key',    # private key
                  certfile='ia.crt')   # certificate handed to eventlet's WSGI server
This works fine, but unfortunately Safari / Chrome say that my SSL certificate is not trustworthy when I access the page for the first time.
The Chrome failure is the following:
NET::ERR_CERT_COMMON_NAME_INVALID
How do I generate a valid SSL certificate so that the browsers don't show that error when a user connects to the web application for the first time?
That is because it is something called a "self-signed certificate", which is not from any trusted company, so any modern browser auto-detects this as an untrusted site. If you are using a UNIX-based operating system (Linux, macOS, Fedora, and more), you can use what I am using. You have to generate a new certificate from a trusted site.
This is what I use to get a TRUSTED certificate that most browsers can use: https://certbot.eff.org/instructions.
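A check that tells the two Chrome errors on this page apart: an untrusted chain (the self-signed Raspberry Pi case) is ERR_CERT_AUTHORITY_INVALID, while a certificate whose names don't cover the address you typed (the Flask-SocketIO question above, and the IP-only setup from the first question) is ERR_CERT_COMMON_NAME_INVALID. This is an added example, not code from any of the posts; it takes the certificate in the dict form that Python's ssl.SSLSocket.getpeercert() returns and, like current browsers, consults only subjectAltName, so an IP address needs an "IP Address" SAN, not just a CN.

```python
import ipaddress
import socket
import ssl

# Added example, not code from any of the posts above. It reproduces the name
# check a browser applies when it reports NET::ERR_CERT_COMMON_NAME_INVALID:
# the certificate is taken in the dict form ssl.SSLSocket.getpeercert() returns,
# and, like current Chrome, only subjectAltName is consulted, never the CN.

def _dns_match(pattern, host):
    """RFC 6125 style match: one '*' allowed, only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches(cert, target):
    """Return (ok, reason) for a peer-cert dict and the host or IP the client dialled."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "no subjectAltName: a CN-only cert is a name mismatch in modern browsers"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, f"IP SAN {value} matches"
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True, f"DNS SAN {value} matches {target}"
    return False, f"{target} is not covered by SANs {[v for _, v in sans]}"

def check_live(host, port=443):
    """Connect using the system trust store, then run the name check ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we report the mismatch instead of raising
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return cert_matches(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        # self-signed cert or a private CA the OS does not trust: the chain fails
        # before any name is compared, which is Chrome's ERR_CERT_AUTHORITY_INVALID
        return False, f"chain not trusted (ERR_CERT_AUTHORITY_INVALID): {exc}"
```

check_live("your.host.example") reports which of the two problems a freshly installed certificate has; cert_matches can be used on its own against a parsed certificate when no server is reachable.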
