Flask Application Port exposure: NGINX config - python

I have a running Flask application which is catering to REST calls by another application using a specific port and endpoints.
I want to configure nginx for the application with gunicorn (existing) to tackle DoS and **gunicorn freezing** due to the same.
However, I do not want to hide the port. In other words, only if we hit IP:port/ should we be able to access the application endpoint, because there are some other applications already running on the IP on some ports which are calling the application on a different port.
Hence I do not want to hit XX.YY.ZZ.AA and get routed to XX.YY.ZZ.AA:5000.
Rather I want to reach XX.YY.ZZ.AA:5000 only if I hit XX.YY.ZZ.AA:5000.
I could not find a way to do the same as I see nginx mostly in context of port masking and reverse proxy.
Please help !!!
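
One way to get the behaviour asked for above, shown as an added example that is not part of the original post: nginx takes over port 5000 itself and proxies to gunicorn on a loopback port, so callers keep using IP:5000 and nothing is served on port 80. The loopback port 8000, the zone names, and every rate, size and timeout value are assumptions to tune for the real traffic.

```nginx
# /etc/nginx/conf.d/flask_api.conf  (loaded inside the http {} block)
# Assumption: gunicorn is restarted with  --bind 127.0.0.1:8000  so that
# port 5000 is free for nginx and gunicorn is no longer reachable directly.

# Per-client-IP request-rate and concurrent-connection tracking (example values).
limit_req_zone  $binary_remote_addr zone=api_req:10m rate=20r/s;
limit_conn_zone $binary_remote_addr zone=api_conn:10m;

server {
    # Same port the callers already use; this server block opens nothing on 80.
    listen 5000;                 # or "listen <server-ip>:5000;" to bind one address
    server_name _;

    # Drop slow or stalled clients at nginx so they never occupy a gunicorn worker.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    client_max_body_size  1m;

    location / {
        # Allow short bursts, answer anything above the limits with 429.
        limit_req  zone=api_req burst=40 nodelay;
        limit_conn api_conn 20;
        limit_req_status  429;
        limit_conn_status 429;

        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $http_host;          # keeps the :5000 part
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Bound how long nginx waits on gunicorn before returning an error.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}
```

Run `nginx -t` before reloading. Because the limits are keyed on the client address, other applications calling from the same host share one bucket, so size the rate and connection limits with their combined traffic in mind.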

Related

Isn't it dangerous to run a Flask app in debug mode on 0.0.0.0?

Configure Flask dev server to be visible across the network
Meaning it runs on my PC's IP address visible to the entire internet and arbitrary Python code can be run via my Flask app?
The direct answer is: yes, it is unsafe. But then again, so is driving a car or eating at a new restaurant with bad reviews.
The point is evaluating the risk. Things to consider:
Are you launching this on a home network? In which case, your router almost certainly comes with its own firewall (and I only don't make the assertion because I can't possibly cover every single case). The server will not be accessible outside of the home network. Maybe there's a malicious housemate harbouring resentment and waiting to pounce?
Are you launching on an intranet network? This would be accessible to everyone on the network. The vast majority of people won't be scanning the network for open ports, but you can't rule it out. Low risk, but it could happen that someone finds it.
Are you running this on a server with a dedicated IP (not an internal IP like 10.0.0.x or 192.168.x.x)? Is the particular port you're running on open to the wider internet e.g. no firewall or special rules for that port? In which case, expect to get requests.
Can someone landing on the site actually do something malicious? The whole point of having a web server is for other people to access it. If discovering your app is enough to be a real concern then it's just broken and you should be testing your fears on localhost.

How to run bottle server with multiple ports

I'm trying to run a bottle server such that some routes run on one port, and the others run on another port.
However, reading through the documentation has proved no fruits: https://bottlepy.org/docs/dev/bottle-docs.pdf.
Is this possible with bottle?
No, you can not route to multiple ports.
A server needs an address and a port to listen to. So, routing will be done after address and port are set in server.

How to connect server from client in Heroku using IP address

I am developing one application using heroku, but struggling with one issue.
In this application, I have 2 dynos (one is for server, and the other is for client).
Since I want to get some data from server, my client needs to know IP address of the server(dyno).
Now I am trying to use Fixie and QuotaGuard Static,
They tell me an IP address, but I cannot connect to the server using these IP addresses.
Could you tell me how to fix it?
You want to have two dynos communicate directly over a socket connection. Unfortunately, you can't easily do that; that runs counter to the ethos of Heroku and 12-factor application design (http://12factor.net), which specifies that processes should be isolated from each other, and that communication be via "network attached services". That second point may seem like a nuance, but it affects how the dynos discover the other services (via injected environment variables).
There are many reasons for this constraint, not the least of which is the fact that "dynos", as a unit of compute, may be scaled, migrated to different physical servers, etc., many times over an application's lifecycle. Trying to connect to a socket on a dyno reliably would actually get pretty complicated (selecting the right one if multiple are running, renegotiating connections after scaling/migration events, etc.). Remember - even if you are never going to call heroku ps:scale client=2, Heroku doesn't know that and, as a platform, it is designed to assume that you will.
The solution is to use an intermediate service like Redis to facilitate the inter-process communication via a framework like Python RQ or similar.
Alternatively, treat the two dynos as separate applications - then you can connect from one to the other via HTTP using the publicly available DNS entry for that application. Note - in that case, it would still be possible to share a database if that's required.
Hope that helps.

How to avoid packet loss on server application restart?

A typical situation with a server/web application is that the application needs to be shut down and restarted to implement an upgrade.
What are the possible/common schemes (and available software) to avoid losing data that clients sent to the server during the short time the application was gone?
An example scheme that could work is: For a simple web server where the client connects to port 80, rather than the client connecting directly to the web server application, there could be a simple application in between that listens to port 80 and seamlessly forwards/returns data to/from the "Actual" web server application (on some other port). When the web server needs to be shut down and restarted, the relay app could detect this and buffer all incoming data until the webserver comes back to life. This way there is always an application listening to port 80 and data is never lost (within buffer-size and time reason, of course). Does such a simple intermediate buffer-on-recipient-unavailable piece of software exist already?
I'm mostly interested in solutions for a single application instance and not one where there are multiple instances (in which case a clever rolling update scheme could be used), but in the interests of having a full answer set, any response would be great!
To avoid this, have multiple application servers behind a load balancer. Before bringing one down, ensure the load balancer is not sending it new clients. Bring it down, traffic will go to the other application servers, and when it comes back up traffic will begin getting sent to it again.
If you have only one application server, simply 'buffering' network traffic is a poor solution. When the server comes back up, it has none of the TCP state information anymore and the old incoming connections have nowhere to go anyway.

python webtest port configuration?

I am attempting to write some tests using webtest to test out my python GAE application. The problem I am running into is that the application is listening on port 8080 but I cannot configure webtest to hit that port.
For example, I want to use app.get('/getreport') to hit http://localhost:8080/getreport. Obviously, it just hits http://localhost/getreport.
Is there a way to set up webtest to hit a particular port?
With paste.proxy.TransparentProxy you can test anything that responds to an http request...
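```python
from webtest import TestApp
from paste.proxy import TransparentProxy

# TransparentProxy forwards each request to the host (and port) in the URL,
# so the test goes over real HTTP instead of calling a WSGI app in-process.
testapp = TestApp(TransparentProxy())
res = testapp.get("http://google.com")
assert res.status == "200 OK", "failure....."
```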
In config, and I quote,
port
Required? No, defaults is "80"
Defines the port number to use for executing requests, e.g. "8080".
Edit: the user clarified that they mean this webtest (pythonpaste's), not the widely used Canoo application. I wouldn't have guessed, because pythonpaste's webtest is a very different kettle of fish, and I quote...:
With this you can test your web applications without starting an HTTP server, and without poking into the web framework shortcutting pieces of your application that need to be tested. The tests WebTest runs are entirely equivalent to how a WSGI HTTP server would call an application
No HTTP server being started, there is no concept of "port" -- things run in-process, at WSGI level, without actual TCP/IP and HTTP in play. So, the "application" is not listening on port 8080 (or any other port), but rather its WSGI entry points are called directly, "just as if" an HTTP server was calling them.
If you want to test an actual running HTTP server, then you need Canoo's webtest (or other equivalent frameworks), not pythonpaste's -- the latter will make for faster testing by avoiding any socket-layer and HTTP-layer overhead, but you can't test a separate, existing, running server (such as GAE's SDK's) in this way.
I think you're misunderstanding what WebTest does. Something like app.get('/getreport') shouldn't make any kind of request to localhost on any port. The beauty of WebTest is that it doesn't require your app to actually be running on any server.
Here's a quote from the "What This Does" section of the WebTest docs:
With this you can test your web applications without starting an HTTP server, and without poking into the web framework shortcutting pieces of your application that need to be tested. The tests WebTest runs are entirely equivalent to how a WSGI HTTP server would call an application.
