How can I enforce mutual authentication using Python's socketserver.TCPServer? - python

I'd like to expose a simple TCP server written in Python to the internet. To authenticate clients, I'd like to rely on both client and server certificates. Does socketserver.TCPServer support this mode by default? If not, can you suggest how to extend the server to implement mutual authentication?

The default library doesn't handle secure sockets (SSL/TLS). Assuming you want to use that specific library no matter what, here's another discussion that shows a way to do it using the OpenSSL libraries.
If you want to write a server application, you might want to use Twisted, an event-oriented framework for writing network applications in Python. Here's the relevant documentation on how to enable SSL for a TCP server.
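An added example (not part of the original answers): one way to get mutual authentication on socketserver.TCPServer using only the standard-library ssl module, by wrapping each accepted socket in a context with verify_mode set to ssl.CERT_REQUIRED. The file names server.pem, server.key and clients-ca.pem, the port, and the names make_mtls_context, MutualTLSServer, peer_common_name and EchoIdentity are assumptions made for illustration.

```python
import socketserver
import ssl

def make_mtls_context(certfile=None, keyfile=None, client_ca=None):
    """Server-side TLS context that rejects clients lacking a trusted certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if the client sends no cert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # only the CA issuing client certs
    return ctx

def peer_common_name(cert):
    """Return commonName from the dict produced by SSLSocket.getpeercert()."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

class MutualTLSServer(socketserver.TCPServer):
    allow_reuse_address = True
    handshake_timeout = 5.0  # seconds a stalled client may block the accept loop

    def __init__(self, addr, handler, ssl_context, bind_and_activate=True):
        self.ssl_context = ssl_context
        super().__init__(addr, handler, bind_and_activate)

    def get_request(self):
        sock, addr = super().get_request()
        sock.settimeout(self.handshake_timeout)
        # The handshake runs here. ssl.SSLError and timeouts are OSError subclasses,
        # which socketserver catches around get_request(), so a client without a
        # valid certificate is dropped before any handler code runs.
        tls = self.ssl_context.wrap_socket(sock, server_side=True)
        tls.settimeout(None)
        return tls, addr

class EchoIdentity(socketserver.StreamRequestHandler):
    def handle(self):
        # The handshake authenticated the peer; authorization is a separate check.
        cn = peer_common_name(self.request.getpeercert())
        self.wfile.write(f"authenticated as {cn}\n".encode())

if __name__ == "__main__":
    # Assumed file names: server cert/key plus the CA that signs client certs.
    ctx = make_mtls_context("server.pem", "server.key", "clients-ca.pem")
    with MutualTLSServer(("0.0.0.0", 8443), EchoIdentity, ctx) as srv:
        srv.serve_forever()
```

Because the handshake happens in the accept loop, the timeout matters on an internet-facing port; deriving from socketserver.ThreadingTCPServer and handshaking in the handler is the alternative when many clients connect at once.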

Related

How to set up a connection with Kerberos in Python application?

I have a task to create SSO (single sign-on) authorization in a Python backend application with the help of Kerberos and Active Directory.
In other words, the frontend application makes an AJAX GET request to a specific URL of the backend application. That backend application must return information about the employee in JSON format.
What I have done so far:
1) SPN name for the backend application was created in Active Directory.
2) krb5.keytab file for the backend application was created.
3) Active Directory and the Kerberos server are located on a remote Windows server.
4) The backend application would be in a Linux Docker container.
5) I installed the Kerberos client in the Docker container.
6) Kerberos Realm: SERVICE.LOCAL.
7) Hostname for the KDC Server: CS001, CS002, CS003.
Have you ever seen any implementations of the above process in Python? I will be grateful for any help.
You have 2 ways to handle this:
Handle it directly in Python
Handle it in a proxy such as apache or nginx
Pure Python Solution
If you don't have a proxy or just want to handle it in python anyway, I recommend using the python-gssapi library. Here's a code sample. There are other Python bindings but from my reading, this one seems to be the most complete.
Note, if you handle it this way, your Python server will probably need to be able to respect the keep-alive header (i.e. re-use the same connection for multiple requests). This isn't strictly part of the SPNEGO protocol, but most browsers seem to require that the server implements it.
Proxy Solution
If you're using apache, there's a mod_auth_kerb module you can use which is well documented. There's also a mod_auth_gssapi which provides similar functionality.
For nginx, there's a similar module available.
With any of these proxy solutions, the idea is that the proxy handles Kerberos auth, and sets the REMOTE_USER env variable for your python app. So your python app needs to be able to accept this variable as an authenticated user. Django has middleware specifically for that purpose - I'm not sure about Flask (I mention these 2 frameworks because they're in your question's tags).

Is there any thing needed for https python web page

I have been using Python to create a web app and it has been doing well so far. Now I would like to encrypt the transmission of the data between client and server using https. The communication is generally just post forms and web pages; no money transactions are involved. Is there anything I need to change in the Python code other than setting the server up with a certificate and configuring it to use https? I see a lot of information regarding ssl for Python and I am not sure if I need those modules and Python setup to make https work.
Thanks
Typically, the ssl part for a Python web app is managed by some frontend web server like nginx, apache or so.
This does not require any modification of your code (assuming you are not expecting users to authenticate by ssl certificate on the client side, which is a quite exotic but possible scenario).
If you want to run a pure Python solution, I would recommend using cherrypy, which is able to provide a rather reliable and performant web server part (it will very likely be slower than when served behind nginx or apache).

How to enable SSL for the built-in WSGI server from Python?

I run a WSGI application from within my Python file, using the make_server command.
(I don't know if this is a good practice or whether it is more common to setup Apache or nginx for this purpose.)
I want to make this little server secure by adding SSL support. Where do I start?
Is the built-in WSGI server from Python considered safe? I want the connection to be really secure. I only recently came across WSGI and I thought it was very easy to use, especially from within Python. The app is only used as a proxy so has little functionality, but I do want it to be as secure as possible.
Basically WSGI is just an interface for communication between web-server software (i.e. nginx or httpd) and your Python script/app, which contains some code to process requests (usually either an application callable or an application's list of callables).
You need to enable SSL on the web-server layer. But if you don't want to involve external software you may follow @Demz's advice and try using eventlet.wrap_ssl. Please find more relevant information here.

Best way to get xml-rpc and django working together

I have worked with Django for a while but I am new to xml-rpc. I have two Django servers running and the first needs to call functions from some modules of the second server. I find xml-rpc the easiest way to do so but don't want to run a separate server for this only.
What options do I have? Can I run Django's web server and the xml-rpc server with a single manage runserver command?
Easily - we use http://code.djangoproject.com/wiki/XML-RPC to add an xml-rpc server into our django server.
You may also consider David Fisher's rpc4django which supports both XMLRPC and JSONRPC within a single package. Features include:
Detects request type (JSONRPC or XMLRPC) based on content
Easy identification of RPC methods via a decorator
Pure python and requires no external modules except Django
Customizable RPC method documentation including reST
Supports XMLRPC and JSONRPC introspection
Supports method signatures (unlike SimpleXMLRPCServer)
Easy installation and integration with existing Django projects
Ties in with Django’s authentication and authorization
Try: http://pypi.python.org/pypi/django-xmlrpc

Python accessing web service protected by PKI/SSL

I need to use Python to access data from a RESTful web service that requires certificate-based client authentication (PKI) over SSL/HTTPS. What is the recommended way of doing this?
The suggestion by stribika using httplib.HTTPSConnection should work for you provided that you do not need to verify the server's certificate. If you do want/need to verify the server, you'll need to look at a 3rd party module such as pyOpenSSL (which is a Python wrapper around a subset of the OpenSSL library).
I found this: http://code.activestate.com/recipes/117004/
I did not try it so it may not work.
I would recommend using M2Crypto. If you are a Twisted guy, M2Crypto integrates with Twisted so you can let Twisted handle the networking stuff and M2Crypto the SSL/verification/validation stuff.
