Is it possible to run Flask (http://flask.pocoo.org/) as the standard user?
I need to run a web service on my Pi, but am not sure how safe it would be running it as a super user when it needs to be exposed to the web through my firewall.
It is, you simply cannot bind to port 80 as a regular user.
There are plenty of workarounds, though. This question is a good reference: Is there a way for non-root processes to bind to "privileged" ports on Linux?
--
Usually the workaround is either to give your Flask (Python) capabilities to bind to port 80, or to simply set up an iptables rule that redirects traffic from port 80 to whatever port Flask is listening on.
Related
I made a web application using Bottle and want to publish it. I decided to use Paste for the web server because the official documentation said it's the easiest way.
In order to let the web server process listen on the port 80, the process must be launched by the root user. I'm not a security expert and cannot judge whether it's safe to use the root user for launching an application that is exposed to the internet directly.
Shall I avoid using root user in such a situation?
No.
Do not run your web server as root.
Shall I avoid using root user in such a situation?
Yes, avoid running as root.
In order to let the web server process listen on the port 80
Your web server does not need to listen on port 80. One common way to structure this is to put a proxy (like a load balancer) in front of your web server. Your server listens on a non-privileged port (e.g. 8000); the load balancer (which is listening on port 80) forwards all requests to your server.
The accepted answer (which does not actually answer your question) merely mentions chroot, but I suggest that you not worry about that. Running as a non-privileged user is a much more important safeguard than using chroot. I would consider chroot to be secondary to your initial, quite legitimate, concerns over running as root.
It is recommended to create a chrooted environment with a restricted user.
Over here you can find a howto on how to create a chrooted environment: www.howtogeek.com/441534/how-to-use-the-chroot-command-on-linux/amp/
I've just started learning network developing using Flask. According to its official tutorial:
Externally Visible Server
If you run the server you will notice that the server is only
accessible from your own computer, not from any other in the network.
This is the default because in debugging mode a user of the
application can execute arbitrary Python code on your computer.
If you have the debugger disabled or trust the users on your network,
you can make the server publicly available simply by adding
--host=0.0.0.0 to the command line:
flask run --host=0.0.0.0
This tells your operating system to listen on all public IPs.
However, when I try to access 0.0.0.0:5000 on another device, I get an error: ERR_CONNECTION_REFUSE. In fact, I think this behavior is reasonable, since people all around the world can use 0.0.0.0:5000 for different testing purposes, but isn't the tutorial implying that adding --host=0.0.0.0 can make my webpage "accessible not only from your own computer, but also from any other in the network"?
So, my question is:
What does adding --host=0.0.0.0 do?
How can I access my webpage on device B while the server is running on device A?
You don't access the Flask server on another computer by going to 0.0.0.0:5000. Instead, you need to put in the IP address of the computer that it is running on.
For example, if you are developing on a computer that has IP address 10.10.0.1, you can run the server like so:
flask run --host=0.0.0.0 --port=5000
This will start the server (on 10.10.0.1:5000) and listen for any connections from anywhere. Now your other device (say, on 10.10.0.2) can access that server by going to http://10.10.0.1:5000 in the browser.
If you don't have the host=0.0.0.0, the server on 10.10.0.1 will only listen for connections from itself (localhost). By adding that parameter, you are telling it to listen for connections external to itself.
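An added example, not part of any post above: a way to verify on the server itself what the answers about running as a non-root user and about binding to 0.0.0.0 describe, by reading the kernel's listener table. The sample table is constructed, and the function names and risk labels are assumptions of this example.

```python
import ipaddress
import socket
import struct

# Constructed sample in the /proc/net/tcp layout; state 0A is LISTEN, 01 is
# ESTABLISHED. Addresses and ports are hexadecimal.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20101
   1: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20102
   2: 0100007F:1F40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20103
   3: 01000A0A:1388 02000A0A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20104
"""


def decode_endpoint(field):
    """'0100007F:1F40' -> ('127.0.0.1', 8000); assumes a little-endian host."""
    hex_addr, hex_port = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))
    return addr, int(hex_port, 16)


def audit_listeners(proc_net_tcp_text):
    """Return one dict per listening IPv4 socket with the risks it carries."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 10 or cols[3] != "0A":  # keep LISTEN rows only
            continue
        addr, port = decode_endpoint(cols[1])
        uid = int(cols[7])
        risks = []
        if uid == 0:
            risks.append("owned by root")
        if ipaddress.ip_address(addr).is_unspecified:  # 0.0.0.0
            risks.append("bound to all interfaces")
        findings.append({"addr": addr, "port": port, "uid": uid, "risks": risks})
    return findings


if __name__ == "__main__":
    try:  # live table on Linux, otherwise the constructed sample
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    for f in audit_listeners(text):
        print(f"{f['addr']}:{f['port']} uid={f['uid']} {', '.join(f['risks']) or 'ok'}")
```

IPv6 listeners live in /proc/net/tcp6 and are not covered by this parser.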
If I run my flask app on my local machine I get proper results by connecting to http://127.0.0.1:5000/report?id=1
But now I want to make it externally visible by deploying my flask in a VM in azure. I have opened the port 80 on my VM. And I'm running the flask app using this:
if __name__ == '__main__':
    app.run(host='0.0.0.0')
I'm still not able to connect to my flask server using this (assume the public IP address of my VM is x.x.x.x):
http://x.x.x.x:5000/report?id=1
Any suggestions how should I go ahead with it?
Edit: I'm able to psping my VM's public IP address on port 80.
The problem isn't related to Flask, since you opened up your application to listen on any public IP (0.0.0.0).
Moreover you should do a proper port mapping in your azure configuration. Google said, you might have a look here: https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/
EDIT
Another idea, one that some colleagues often run into, is that you may have Skype open, which somewhat uses port 80/443 and is therefore blocking it. Shut down Skype if so, or use a different port for your web app.
So here's the deal with Azure:
If you open a port from the Azure portal, the firewall in your VM STILL blocks that port. You have to manually go in and create a firewall setting in your VM to keep the port 5000 open for your flask server. Once that is done, you should be able to connect to it.
I'm trying to test and distribute my python application in script or executable form (client). I already have my openshift server setup and running. I'm confused on setting up port forwarding with other users to test it out with.
Do other clients (publicly) need to download rhc and run 'rhc port-forward appname' on their own machine or are there alternatives out there which can be accomplished using python internally by code?
This is kind of confusing and any help would be much appreciated.
Thanks.
All the 'rhc port-forward appname' does is set up SSH tunnels behind the scenes. If you want people to tunnel into your application you will need to get their public SSH key into your application as an approved key. Then you can set up an SSH tunnel whatever way you choose.
How can I deploy CherryPy along with IIS? I am not able to reach the machine from outside using the IP. If I run using localhost it works. If I give the IP address in the browser from a different machine then IIS7 comes up.
Thanks
Raman
It would help if you posted more information about your problem but this kinda sounds like a classic configuration issue. If you have CherryPy listening on localhost (127.0.0.1) then it will only answer on that address. You have to configure it to listen on the external IP address if you want it to answer there. Here is another question that covers how to do this.
It also sounds like you are trying to run CherryPy on a box that also has IIS7 running. If this is the case, and you wish to continue to run both, you will either need to configure CherryPy to use a different port than IIS7 or you will have to configure IIS7 to redirect requests to CherryPy. Here is a similar question about doing the latter with IIS6.