Not sure of the customs for people who release production Django apps, but I'd assume there is some kind of protection mechanism against people who spam a view or so?
If a view did not implement caching and a user just spams the url a bunch of times wouldn't that be a bad thing?
I want some mechanism to block people by IP address or whatnot if they are repeatedly calling a view at a high rate.
I tried to use this app: http://django-ratelimit.readthedocs.org/en/latest/install.html
But it promptly does not work, or perhaps my setup is wrong (has anyone used it?).
Thanks.
Typically this kind of security would happen at the web server level, i.e. in Nginx or whatever you're using to serve your app. Think about the fact that in order to block someone's IP in your app after a certain number of attempts you'd need to record their IP somewhere and then check incoming requests against that. If it were to go in your app then this kind of functionality would best fit at a middleware level.
If you were to do this at an application level for the purpose of protecting individual views then I would probably do it by means of a decorator.
You should have a mechanism in place for this anyway, as what you've described can also be a Denial of Service attack in the right context. Some web hosts have hardware-level protection for this, so ask your host about that too.
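The decorator route mentioned in this answer, written out as an added example (it is not the thread's code and not django-ratelimit's). It assumes a Django-style view that receives a request whose .META is the WSGI environ, keeps its counters in-process (a real deployment would put them in the shared cache so every worker process agrees), and treats 127.0.0.1 as the only reverse proxy whose X-Forwarded-For header may be believed; the make_request helper is a constructed stand-in for a Django request.

```python
import threading
import time
from collections import deque
from functools import wraps
from types import SimpleNamespace

# Assumption: the only reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = {"127.0.0.1"}


def client_ip(meta):
    """Client address used as the limiter key.

    X-Forwarded-For is honoured only when the immediate peer is a trusted
    proxy; otherwise anyone could set the header and choose their own bucket
    (or get someone else's address blocked). With a single trusted hop the
    last entry is the address the proxy actually saw; earlier ones may be
    forged by the client.
    """
    peer = meta.get("REMOTE_ADDR", "")
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    if xff and peer in TRUSTED_PROXIES:
        return xff.split(",")[-1].strip()
    return peer


class RateLimiter:
    """Sliding window: at most `limit` hits per `window` seconds per key.
    A key that exceeds the limit is blocked outright for `block` seconds."""

    def __init__(self, limit, window, block, clock=time.monotonic):
        self.limit, self.window, self.block = limit, window, block
        self.clock = clock
        self._hits = {}      # key -> deque of hit timestamps inside the window
        self._blocked = {}   # key -> time at which the block lifts
        self._lock = threading.Lock()

    def allow(self, key):
        now = self.clock()
        with self._lock:
            lifts = self._blocked.get(key)
            if lifts is not None:
                if now < lifts:
                    return False
                del self._blocked[key]
            hits = self._hits.setdefault(key, deque())
            while hits and hits[0] <= now - self.window:
                hits.popleft()
            if len(hits) >= self.limit:
                self._blocked[key] = now + self.block
                hits.clear()
                return False
            hits.append(now)
            return True


def ratelimit(limiter):
    """Per-view decorator: the application-level option from the answer."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not limiter.allow(client_ip(request.META)):
                # In Django this would be: return HttpResponse(status=429)
                return (429, "Too Many Requests")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def make_request(meta):
    """Constructed stand-in for a Django request, just enough for the demo."""
    return SimpleNamespace(META=meta)


if __name__ == "__main__":
    limiter = RateLimiter(limit=5, window=60, block=300)

    @ratelimit(limiter)
    def index(request):
        return (200, "hello")

    req = make_request({"REMOTE_ADDR": "203.0.113.5"})
    print([index(req)[0] for _ in range(7)])   # five 200s, then 429s
```

The X-Forwarded-For handling is the part people get wrong: if the limiter keys on a header the client controls, the "protection" is trivially bypassed and can be turned against other users.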
Generally in production you have some kind of frontend server. If your application logic is not coupled to the number of requests, it is better to do this work on the frontend. For example, Nginx has the limit_req module:
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
I'm building a microservices app that is supposed to launch tests in separate containers. I also want to stream log messages to the frontend and store them in a database, and I don't know which solution would be better in that case:
Use my backend as proxy to store and redirect messages to the frontend
Stream messages to backend and frontend to avoid redirection
Frontend could start observing the test at anytime and if in the first case I could just prepend messages that I would read from database, in second case I will need to handle concurrency issues in some way.
I'm stuck with writing proto files, so there is nothing much to post here. I just figured out how bulky the backend service is going to be if I pick the first option, since I will need to duplicate TestRunner's calls there.
Please also let me know if you see some other issues I'm going to face by picking any of those decisions. Thanks in advance!
I've set up a free account on Google App Engine, and I currently have something like this deployed:
import webapp2

class MainHandler(webapp2.RequestHandler):
    def get(self):
        # A plain HTTP redirect: the browser is sent to the backend's own
        # address, so the ip:port shows up in the address bar.
        self.redirect('http://x.x.x.x:9000/')

app = webapp2.WSGIApplication([('/', MainHandler)])
This works and accomplishes what I wanted in the basic sense, but since it's just issuing an HTTP redirect I don't get my fancy Google Domain name and it ends up being the IP address (and port) of the final server. I am aware of why this happens, but was hoping for a solution that would preserve the domain name (and leave the port hidden).
Normally for something like this, you'd just have a rewrite rule in Apache, but that only works if both URLs are hosted by that same server. When the two servers are different, you'd probably go with some transparent proxy (Squid?), but I don't have a server capable of hosting that (this is for personal use, and though my router is ddwrt, I've had no luck getting squid installed on it).
So is there a Python one-liner that lets me proxy to a single address but is smart enough to mangle resource requests and send along any request headers? I've found various solutions for writing proxies in Python, but they seem overly complicated because they're intended to be general purpose.
This isn't even easy to google, since the obvious keywords all bring back too many results with only slightly relevant results.
You are looking for a reverse proxy setup. Here is one that I have used before. https://code.google.com/p/bs2grproxy/
You can either set up the DNS to point your domain directly to the IP address OR you can use urlfetch.
However, please keep in mind that urlfetch has quota and limitations [1]. It might not be worth it just to have a "pretty domain/URL".
[1] https://cloud.google.com/appengine/docs/quotas#UrlFetch
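What the reverse-proxy setup from this answer has to do with headers, shown as an added example (not bs2grproxy's code and not the poster's). It assumes the backend from the question sits at 127.0.0.1:9000 (standing in for x.x.x.x:9000) and that the public name is example.com. It runs anywhere outbound sockets are allowed; on App Engine the http.client call would be replaced by a urlfetch call with the same header handling around it.

```python
import http.client
from urllib.parse import quote

# Assumptions: backend address and the public name the proxy is reached by.
UPSTREAM_HOST, UPSTREAM_PORT = "127.0.0.1", 9000
PUBLIC_HOST = "example.com"

# Hop-by-hop headers describe one TCP connection and must never be relayed
# in either direction, or the client gets to steer the proxy's own connection.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding",
              "upgrade"}


def upstream_request(environ):
    """Turn a WSGI environ into (method, path, headers, body) for the backend."""
    path = quote(environ.get("PATH_INFO", "/"))
    if environ.get("QUERY_STRING"):
        path += "?" + environ["QUERY_STRING"]
    # Anything the client named in its Connection: header is hop-by-hop too.
    drop = HOP_BY_HOP | {h.strip().lower()
                         for h in environ.get("HTTP_CONNECTION", "").split(",")
                         if h.strip()}
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").title()
            if name.lower() not in drop:
                headers[name] = value
    if environ.get("CONTENT_TYPE"):
        headers["Content-Type"] = environ["CONTENT_TYPE"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length) if length else b""
    if length:
        headers["Content-Length"] = str(length)
    # Address the backend by its own name; pass the public name and the real
    # client address separately so it can log and build links correctly.
    headers["Host"] = f"{UPSTREAM_HOST}:{UPSTREAM_PORT}"
    headers["X-Forwarded-Host"] = environ.get("HTTP_HOST", PUBLIC_HOST)
    headers["X-Forwarded-For"] = environ.get("REMOTE_ADDR", "")
    return environ["REQUEST_METHOD"], path, headers, body


def rewrite_location(value):
    """Redirects the backend issues must not leak ip:port to the browser."""
    upstream = f"http://{UPSTREAM_HOST}:{UPSTREAM_PORT}"
    if value.startswith(upstream):
        return f"http://{PUBLIC_HOST}" + value[len(upstream):]
    return value


def downstream_headers(response_headers):
    """Filter the backend's response headers before handing them to WSGI."""
    out = []
    for name, value in response_headers:
        lname = name.lower()
        if lname in HOP_BY_HOP:
            continue      # our own server re-frames the body
        if lname == "location":
            value = rewrite_location(value)
        out.append((name, value))
    return out


def application(environ, start_response):
    method, path, headers, body = upstream_request(environ)
    conn = http.client.HTTPConnection(UPSTREAM_HOST, UPSTREAM_PORT, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        status, reason, out_headers = resp.status, resp.reason, resp.getheaders()
    finally:
        conn.close()
    start_response(f"{status} {reason}", downstream_headers(out_headers))
    return [data]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("", 8080, application).serve_forever()
```

The Location rewrite is what keeps the domain name in the address bar when the backend itself redirects; the hop-by-hop filtering is what keeps a "send along any request headers" proxy from relaying Connection, Upgrade or Transfer-Encoding verbatim.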
I will keep it short.
Can someone please point me in the right direction in:
How to authenticate users in native applications written in Python?
I know on the web there are sessions, but I can't think of a way to implement authentication that will 'live' for some time and on expiry lets me log out the user?
EDIT:
I am referring to desktop type of apps, I am fairly happy with the implementation for Web based development in Twisted
EDIT 2
The application I am thinking about will not authenticate against a server, but is a self-contained application. An example of the idea is a Cash Register/Point of Sale (my idea is kinda different, but parts of the functionality are the same), in which I need to authenticate the cashier, so I can log the transactions processed by him/her, print the name on the receipt, etc. All will be based on one single machine, no server communication or anything.
It’s not entirely clear what kind of security you are expecting.
In general, if the end user has physical access to the machine and a screwdriver, you’re pretty much screwed—they can do whatever they want on that machine.
If you take hardware security as a given, but want to ensure software security, then you’re going to have to do server communication within the machine’s boundaries. You have to separate the server and the client, and run the server in a security context that is inaccessible to the user. The server will then do both the authentication and whatever operations need authentication (printing out receipts etc.). For example, under a Unix-like OS, you would run a daemon under a dedicated system user or under root; on Windows, you would have a system service running as LOCAL SERVICE or whatever that’s called. In this way, the operating system’s built-in security features will ensure (given proper maintenance, like timely application of security hotfixes) that the user cannot influence the behavior of the software that does the sensitive operations. The protocol between the client and the server can be anything, and you can do authentication in much the same way as in HTTP—indeed, you may even use HTTP itself.
Finally, if you’re certain that your users will not be tampering with your system at all—e.g. because they lack the technical skills, or are being watched by CCTV cameras—you can forget all that stuff and go with Puciek’s answer.
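The authentication piece of the separated service this answer describes, as an added example (it is not the answerer's code). It assumes the hypothetical privileged service keeps cashier records as salted PBKDF2-HMAC-SHA256 hashes, hands out an opaque token on login, and treats a token as logged out once it has been idle for longer than a fixed timeout, which is the "live for some time, then expire" behaviour the question asks for. The transport between the register UI and this service (a Unix socket, local HTTP) is left out; the clock is injectable so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000   # tune upward as hardware allows
IDLE_TIMEOUT = 300        # seconds without activity before the cashier is logged out


def hash_pin(pin, salt=None):
    """Salted PBKDF2 so a copied user file cannot be reversed into PINs."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class CashierAuth:
    """Runs inside the privileged service; the register UI only ever sees tokens."""

    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT):
        self._users = {}       # name -> (salt, digest)
        self._sessions = {}    # token -> (name, last_seen)
        self._clock = clock
        self._idle = idle_timeout
        self.journal = []      # (cashier, amount) records for the receipts/audit log

    def add_user(self, name, pin):
        self._users[name] = hash_pin(pin)

    def login(self, name, pin):
        """Return an opaque session token, or None on failure.

        The same hashing work is done for unknown users so response time
        does not reveal which cashier names exist."""
        salt, digest = self._users.get(name, (b"\x00" * 16, b"\x00" * 32))
        _, candidate = hash_pin(pin, salt)
        if name not in self._users or not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (name, self._clock())
        return token

    def current_user(self, token):
        """Cashier behind `token`, refreshing the idle timer; None if the token
        is unknown or has expired (expiry removes it, i.e. logs it out)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        name, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle:
            del self._sessions[token]
            return None
        self._sessions[token] = (name, now)
        return name

    def logout(self, token):
        self._sessions.pop(token, None)

    def record_sale(self, token, amount):
        """Privileged operation: only a live session may write to the journal."""
        name = self.current_user(token)
        if name is None:
            raise PermissionError("no cashier logged in")
        self.journal.append((name, amount))
        return name


if __name__ == "__main__":
    auth = CashierAuth()
    auth.add_user("alice", "4321")
    token = auth.login("alice", "4321")
    print(auth.record_sale(token, 12.50), auth.journal)
```

Because the token, not the PIN, is what the UI holds after login, a compromised or simply buggy UI process never handles credentials beyond the login call, and the service can revoke access by forgetting the token.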
You seem to be very confused and fixated on "sessions" for some reason, maybe because your background is in web apps?
Any-who, you don't need "sessions" because with a desktop application you have no trouble telling who is using the software without needing some elaborate tools. You don't need a server, you don't need authentication tools, you don't need anything - just store that user within your single application. That is all really - a variable within your application called "user" and maybe some interface at boot to pick one from the available users.
And if you need it to last between boots, just save it in a file and read from it.
If you're using Unix, rely on the fact that it's a multi user system. That is, the user has already logged in using his own credentials, so you don't need to do anything, just use its home directory to store the data, taking care to block other users from accessing it by using permissions. You can improve this to provide encryption too. For global application data, you can specify a "manager" user or group, with its own directory, where the application can write.
All this might be possible on Windows systems too.
I'm creating a simple web game that uses web sockets to stream updates and HTTP AJAX requests for everything else (e.g. login system, user profiles, &c). Unfortunately I'm somewhat new to mod_python, but it seems that I want to use the Sessions class to keep track of visitors. The only problem is that a Session requires a mod_python request for some reason. Is there a way I can use these sessions within a mod_pywebsocket handler, or do I need to roll my own session mechanism?
In case anyone could use this, I've found that mod_python's sessions work quite well with mod_pywebsocket. Here are two considerations to be aware of:
Initialization Typically, you construct a mod_python Session object with a mod_python request. Luckily, the authors of mod_pywebsocket had the forethought to make the web socket requests (the ones you get in web_socket_transfer_data arguments) compatible. That means you can instantiate your Session in the same way you normally would in mod_python (see the docs for examples). This might seem obvious, but it wasn't to me. If you get an error doing this, you've done something else wrong.
Session locks The other thing to keep in mind is that the session associated with a given ID is locked by default, and the lock persists for the lifetime of that Session object. This means that if you have two web sockets that use Sessions from the same host, one of them is in danger of blocking forever. In addition, the documentation states that these mutex locks can require non-trivial system resources. They were clearly designed for serving quick HTTP requests, not for persistent connection-oriented use.
One way to fix sessions is to disable the locking, but that's probably not a smart thing to do. I haven't tried it, but best of luck with those race conditions if you make the attempt. What I did was to create the Sessions I needed only for short periods of time and then assign None to it when I was done. Apparently with clauses won't work with these sessions. Again, this isn't terribly obscure, but it can lead to some headaches if you don't realize what's going on under the hood.
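The "create the Session only for a short time, then drop it" discipline from this answer, packaged as a context manager so the per-session mutex is released even when the body raises. This is an added example, not the answerer's code; it assumes session_factory is whatever creates a mod_python Session for the websocket request (for instance lambda: Session.Session(request)) and that the object it returns has mod_python's save() and unlock() methods. FakeSessionStore and FakeSession are constructed stand-ins with the same locking behaviour so the block runs without Apache.

```python
import threading
from contextlib import contextmanager


@contextmanager
def short_session(session_factory):
    """Hold the session lock only for the lines inside the with block, not for
    the lifetime of the websocket connection."""
    session = session_factory()
    try:
        yield session
    finally:
        # save() while we still own the lock, then release it no matter what.
        try:
            session.save()
        finally:
            session.unlock()


def touch_counter(session_factory, key="msgs"):
    """Increment a per-session counter; a typical short critical section."""
    with short_session(session_factory) as session:
        session[key] = session.get(key, 0) + 1
        return session[key]


# Constructed stand-in for mod_python's session storage. Like the real one,
# opening a session takes a per-id lock that a second opener cannot get until
# the first releases it; here that shows up as an immediate RuntimeError
# instead of the real thing's indefinite block.
class FakeSessionStore:
    def __init__(self):
        self._data = {}
        self._locks = {}

    def open(self, sid):
        lock = self._locks.setdefault(sid, threading.Lock())
        if not lock.acquire(blocking=False):
            raise RuntimeError("session %s is already locked" % sid)
        return FakeSession(self, sid, lock)


class FakeSession(dict):
    def __init__(self, store, sid, lock):
        super().__init__(store._data.get(sid, {}))
        self._store, self._sid, self._lock = store, sid, lock

    def save(self):
        self._store._data[self._sid] = dict(self)

    def unlock(self):
        self._lock.release()


if __name__ == "__main__":
    store = FakeSessionStore()
    factory = lambda: store.open("abc")
    print(touch_counter(factory), touch_counter(factory))   # 1 2
```

With the real module the call is touch_counter(lambda: Session.Session(request)) from inside web_socket_transfer_data; the important property is that two websocket handlers for the same visitor take turns on the lock instead of one of them blocking forever.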
I'm quite new to the Python world. I come from the Java and ABAP world, where the application servers are able to handle stateful requests.
Is it also possible in python using WSGI?
Or stateful and stateless are handled in other layer?
Usually, you don't work with "bare" WSGI. You work with web-frameworks, such as Pylons or TurboGears2.
And these contain a session-middleware, based on WSGI - called "Beaker". But if you work with the framework, you don't have to worry about that - you just use it.
But if you insist, you can of course use Beaker standalone.
I prefer working directly on wsgi, along with mako and psycopg.
It's good to know about Beaker, though I usually don't hold state in the server because I believe it reduces scalability. I either put it in the user's cookie, in the database tied to a token in the user's cookie, or in a redirect url.
Your question is a little vague and open-ended. First of all, WSGI itself isn't a framework, it's just the glue to connect a framework to the web server. Secondly, I'm not clear on what you mean when you say "state" -- do you mean storing information about a client on the server? If so, web frameworks (Pylons, Django, etc) allow you to store that kind of information in web session variables.