I have been using Python to create a web app and it has been doing well so far. Now I would like to encrypt the transmission of the data between client and server using HTTPS. The communication is generally just POST forms and web pages; no money transactions are involved. Is there anything I need to change in the Python code, apart from setting the server up with a certificate and configuring it to use HTTPS? I see a lot of information regarding SSL for Python, and I am not sure if I need those modules and Python setup to make HTTPS work.
Thanks
Typically, the SSL part for a Python web app is managed by some frontend web server like nginx, Apache or so.
This does not require any modification of your code (assuming you are not expecting users to authenticate by SSL certificate on the client side, which is a quite exotic but possible scenario).
If you want to run a pure Python solution, I would recommend using CherryPy, which is able to provide a rather reliable and performant web server part (it will very likely be slower than when served behind nginx or Apache).
Related
Can I run a python server on the same Apache PHP server in order to use charts etc. that are included in the python dash application?
The implementation now is as follows. The PHP server uses an iframe in order to depict the Python web app that is running on the same IP but on a different port, but there is a need to change it for security reasons.
You can use Apache as a proxy to an internal server.
The Apache server or PHP interpreter don't use iframes; you're adding HTML code that the browser will use to embed the webpage provided by the Python server into an iframe.
You're not doing anything wrong, but to me it seems error-prone.
I would use a new domain for the webpage provided by Python and set up its security and certs like any other server/web.
You can add CSP, feature policy, cors policy, frame options, xss protection, strict transport...
It's possible to send a request to the server using PHP and display the fetched graphs back on the webpage.
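An added example, not code from either answer: a WSGI middleware that sets the framing and transport headers listed above for an app whose TLS is terminated by a frontend such as nginx or Apache, as the first answer on this page describes. The proxy address and the embedding origin `https://php.example` are assumptions, and `response_headers` is a helper introduced here to send one constructed request through the middleware.

```python
from wsgiref.util import setup_testing_defaults

TRUSTED_PROXIES = {"127.0.0.1"}   # assumption: the TLS frontend runs on this host


def is_https(environ):
    """True if the client used HTTPS, seen directly or reported by our proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # X-Forwarded-Proto is client-controllable unless the peer is our proxy.
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower() == "https"
    return False


class SecurityHeaders:
    """WSGI middleware; `embedder` is the one origin allowed to iframe the app."""

    def __init__(self, app, embedder=None):
        self.app, self.embedder = app, embedder

    def __call__(self, environ, start_response):
        extra = [("X-Content-Type-Options", "nosniff"),
                 ("Permissions-Policy", "camera=(), microphone=(), geolocation=()")]
        if self.embedder:
            # X-Frame-Options cannot allow-list a foreign origin; use CSP alone.
            extra.append(("Content-Security-Policy",
                          f"frame-ancestors 'self' {self.embedder}"))
        else:
            extra += [("Content-Security-Policy", "frame-ancestors 'none'"),
                      ("X-Frame-Options", "DENY")]
        if is_https(environ):
            # Browsers ignore HSTS received over plain HTTP.
            extra.append(("Strict-Transport-Security", "max-age=31536000"))
        names = {name.lower() for name, _ in extra}

        def patched(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() not in names]
            return start_response(status, kept + extra, exc_info)

        return self.app(environ, patched)


def response_headers(app, **environ):
    """Send one constructed request through `app`; return its response headers."""
    setup_testing_defaults(environ)          # fills in the remaining WSGI keys
    seen = {}
    list(app(environ, lambda status, headers, exc_info=None: seen.update(headers)))
    return seen
```

With an embedder configured, only that origin and the app's own origin can frame the pages; without one, framing is refused outright.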
I am a newbie in web development, I am an energy engineering student trying to make a project, so I apologize if I say something weird.
I've made an application using Dash (python). And now, I would like to deploy that app in my server. I have a remote server (debian, adress.com, IP, opened ports: 80 and 443...) with my ssh public key and all the required stuff.
I have read all the official documentation on the plotly dash page, and also in flask's, but I don't understand the thing very well. I need either Heroku, OpenShift... And I don't understand very well how they work.
Could you please recommend me an easy tutorial (for dummies!) or give me advice/examples about the deployment? I would really appreciate it. I've searched the Internet a lot, but I can't figure it out.
You describe two options:
1. using your own server to host your app and
2. using a service which will host your app (heroku, etc.)
Using your own server to host your app
You need to decide on a web server, which is serving your page on your server. A host will not magically answer on any port. There is for example apache, nginx, etc... After having chosen one, you need to find a tutorial: how to run your flask app on [yourwebserver] or something like that.
Suppose you have chosen apache, you will find something like this:
https://jackhalpinblog.wordpress.com/2016/08/27/getting-your-python-3-flask-app-to-run-on-apache/
(In this case, you will have to figure out how to run your flask app with python3 instead of python2, if you are running debian)
When your page serves your page, you need an ssl certificate in order to make use of your domain. An easy way of doing this is https://letsencrypt.org/getting-started/ (there are probably other similar services)
Using a service, which will host your app for you (heroku, etc.)
Alternatively, do not host your app on your own server, but on heroku, aws, gcd, etc.; in my opinion this is much easier than hosting it on your own server. The documentation on hosting service websites is normally very good.
For heroku a good starting point would be here:
https://devcenter.heroku.com/articles/getting-started-with-python. Nevertheless, the other services are easy to use as well; I just use this as an example.
Our end-to-end tests use Django's LiveServerTestCase with Selenium. So far we have only been able to run these on insecure urls. However, some of the libraries that we use (Square) require a page to be on https even in sandbox mode.
When attempting to connect to a secure url, Selenium/Chrome Webdriver simply shows the standard SSL not supported error:
This site can’t provide a secure connection chezpierre.localtest.me sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Does anyone know if it is possible to enable https on a LiveServerTestCase?
If not, does anyone have a working workaround for this? I'm trying to avoid running a separate https proxy on our build box, but it seems like it might be the only way.
After some quick research I found out that this is impossible in Django, as suggested by this old code ticket: https://code.djangoproject.com/ticket/25328
I also found out that you could set up a tunnel to bypass this issue. However, this applies to the Django development server. This is kind of tricky, so I am leaving links to posts as the method is rather long:
https://www.ianlewis.org/en/testing-https-djangos-development-server
or
How can I test https connections with Django as easily as I can non-https connections using 'runserver'?
ALTERNATIVE - In my opinion better
There is also a simpler way using an external package. It gives you, out of the box, an HTTPS-capable Django development server. The project is active and maintained.
https://github.com/teddziuba/django-sslserver
So I've done some reading about Python web frameworks (or servers?), mostly Tornado and Bottle but also FAPWS3, and there are still some grey areas.
First, these three web frameworks are all said to be fast, yet they all include a web server written in Python (except FAPWS3) which should be put behind nginx/Apache. Isn't this reducing the performance? I mean, we know that Python is much slower than C, why not only use nginx, or at worst, only the included Python web server?
First off, Tornado and FAPWS3 are web servers, while Bottle is a web framework. Those belong to completely different categories.
Web frameworks are usually run as a WSGI server behind a HTTP ("web") proxy. The HTTP server included in most frameworks is only there for fast development and deployment and easy deployment on sites where high efficiency doesn't matter.
The idea is basically that the HTTP Server (Apache/Lighttpd/Nginx/Tornado/FAPWS3 etc) is very good at understanding HTTP and serving static files from the disk. The dynamic content on the other hand is generated by a Python server using a web framework like Bottle/Flask/web.py/Pylons/etc. The document produced by the web framework is then sent back to the HTTP server over WSGI, put in a HTTP Response and sent to the client.
I have been working with Django for some time now and have written several apps on a setup that uses Apache 2 mod_wsgi and a PostgreSQL database on ubuntu.
I have an app that uses xsendfile to serve files from Apache via a Django view, and also allows users to upload files via a form as well. All this is working great, but I now want to ramp up the features (and the complexity, I am sure) by allowing users to chat and to see when new files have been uploaded without refreshing their browser.
As I want this to be scale-able, I don't want to poll continually with AJAX as this is going to get very heavy with large numbers of users.
I have read more posts, sites and blogs than I can count on integrating comet functionality into a Django app, but there are so many different opinions out there on how to do this that I am now completely confused.
Should I be using orbited, gevent, iosocket?
Where does Tornado fit into this debate?
I want the messages also be stored on the database, so do I need any special configuration to prevent my application blocking when writing to the database?
Will running a chat server with Django have any impact on my ability to serve files from Apache?
I'd recommend using WebSockets for bidirectional realtime communication. Keep running Django as is and run a WebSocket server on another port. As far as your database blocking, yes, you'll need to keep that in mind as you write your WebSocket server and either use a non-blocking database driver, or address that in some way.
Client-side you'll want to use Socket.IO or web-socket-js to support flash fallback for older browsers which don't support flash.
For the server, I would lean towards gevent or tornado, personally. For gevent there is gevent-websocket and gevent-socketio, for tornado you get built-in WebSocket support and can use tornadio if you want to use Socket.IO. Eventlet and twisted both support WebSockets as well. There is also a pretty cool new project called autobahn which is built on twisted, and meinheld has WebSocket middleware you can use.
WebSockets are pretty exciting, and as such there are tons of great posts out there on the subject. I found these posts useful:
http://gehrcke.de/2011/06/the-best-and-simplest-tools-to-create-a-basic-websocket-application-with-flash-fallback-and-python-on-the-server-side/
http://codysoyland.com/2011/feb/6/evented-django-part-one-socketio-and-gevent/
http://toastdriven.com/blog/2011/jul/31/gevent-long-polling-you/
http://blog.jupo.org/post/8858247674/real-time-web-apps-with-django-and-websockets/
Instead of Apache + X-Sendfile you could use Nginx + X-Accel-Redirect. That way you can run a gevent/wsgi/django server behind Nginx with views that provide long-polling. No need for a separate websockets server.
I've used both Apache + X-Sendfile and Nginx + X-Accel-Redirect to serve (access-protected) content on Webfaction without any problems.
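An added example of the access-protected pattern this answer mentions, written as plain WSGI rather than a Django view and not taken from the answer: the application decides who may download a file and returns only an `X-Accel-Redirect` header, leaving nginx to send the bytes. The `/protected/` prefix (assumed to map to an nginx location marked `internal`), the `OWNERS` table and the use of `REMOTE_USER` are assumptions made for illustration.

```python
import re

INTERNAL_PREFIX = "/protected/"    # assumption: an nginx location marked `internal`
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

# Constructed sample data: the stored files each user may download.
OWNERS = {"alice": {"report.pdf", "notes.txt"}, "bob": {"invoice.pdf"}}


def accel_headers(user, name):
    """Return the headers that delegate the download to nginx, or None to refuse."""
    # Reject anything that is not a plain file name before it reaches a path.
    if not SAFE_NAME.fullmatch(name):
        return None
    if name not in OWNERS.get(user, ()):
        return None                   # unknown user or someone else's file
    return [("X-Accel-Redirect", f"{INTERNAL_PREFIX}{user}/{name}"),
            ("Content-Disposition", f'attachment; filename="{name}"')]


def download_app(environ, start_response):
    """WSGI view: the application authorises, nginx sends the bytes."""
    user = environ.get("REMOTE_USER", "")     # assumption: set by the login layer
    name = environ.get("PATH_INFO", "").rpartition("/")[2]
    headers = accel_headers(user, name)
    if headers is None:
        # Same answer for "missing" and "not yours", so names cannot be probed.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", headers)
    return [b""]                      # empty body; nginx serves the file itself
```

Because the location is `internal`, a client that requests `/protected/...` directly gets a 404 from nginx; the only route to the file is through the authorisation check.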