Security of python flask REST API using HTTP Basic Authentication - python

I have python flask running on my server exposing a REST API that is being consumed by an iOS app. I'm using HTTP Basic Authentication using the Flask-HTTPAuth module. I wanted to know how secure this is because the username:password string would be sent on every request.
Do I need to use HTTPS instead?
Thanks!
Sorry for my bad English. Still learning.

Your current system is (very!) insecure: the login information can be seen in transit by anyone.
The easiest way to add secure HTTP is to install a proxy server like nginx. Then nginx is configured for secure HTTP, but it relays all the requests to the Flask application listening on a private socket without encryption.
This link will send you to the nginx documentation on secure HTTP.

Alternatively, you can have HTTPS running directly from Flask. The link has clear instructions of how to do this. It is a quick, easy method to use while developing.
For production, I'd use Apache's mod_ssl function, or as already stated by Miguel, nginx, as proxy servers.
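As an added illustration (not code from the question or either answer): the Authorization header the client sends on every request, parsed the way any on-path observer of plain HTTP could parse it, next to a server-side check that stores only salted PBKDF2 hashes and compares them in constant time. Standard library only; the user table is constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows

def make_basic_header(user, password):
    """What the client puts in every request: base64 is encoding, not secrecy."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_header(header):
    """Parse an Authorization header per RFC 7617 into (user, password) or None.
    Anyone watching plain-HTTP traffic can do exactly this, hence TLS is required."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None  # the colon is mandatory

def hash_password(password):
    """Return 'salthex$digesthex' (PBKDF2-HMAC-SHA256, random 16-byte salt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare

# Constructed sample user table: only salted hashes live on the server.
USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY = hash_password("")  # checked for unknown users so timing does not reveal names

def authenticate(header):
    creds = decode_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    ok = verify_password(password, USERS.get(user, DUMMY))
    return user if ok and user in USERS else None
```

Even with hashing done right on the server, decode_basic_header shows the credential is fully recoverable from the wire, so TLS (terminated by nginx or Apache as the answers describe) is the part that actually protects it.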

Related

I am unable to send HTTPS requests from my angular app to my backend

I'm currently using AWS for my backend services and angular for the frontend part. Trying to make my website more secure I added a CA signed SSL certificate on my API gateway and added it to my angular website in my angular.json and package.json.
Whenever I try to access the API using curl from a Linux machine, providing it with the certificate and key, the API returns a response; however, from my Angular website it always returns ERR_CONNECTION_RESET.
Is there a way to solve this? I'd greatly appreciate any help.
I expected the network layer to be secure and API to return a response. What actually resulted is ERR_CONNECTION_RESET.
First you must clarify which web server you are using, Nginx or Apache. If you are using an Apache web server then try to correct the SSL configuration, and the Nginx configuration also in case you are using it.
But according to me, I think you are also using a reverse proxy. First properly configure it. Learn Apache Reverse Proxy and Nginx Reverse Proxy.
And finally, you can also check the web server log to get the correct error.

HTTPS Flask using POST data

Thanks for reading in advance.
I have a working Apache2 server which is currently successfully serving both :80 and :443. I have a simple Flask based site at the moment that is being served over HTTPS successfully, using mod_wsgi and self-signed certs at the moment.
Here's where I run into trouble. I have a login which uses POST data to send info back from a FORM in my template to my server for user authentication. It works fine in HTTP however in HTTPS I get:
Bad Request
The browser (or proxy) sent a request that this server could not understand.
Having googled around for a couple of hours it seems like there could be some mix of context settings and/or app extensions that could be used with the server SSL certs/keys to help here. But I'm a babe in the woods when it comes to SSL. Could anyone point me to what changes I need to make to adapt to SSL handling of client/server in Flask? I've tried SSLify (didn't work - same error).
Very Best Regards,
Tom
You need an SSL server in front of your Flask application. Google "flask nginx ssl" if you want nginx, or "flask apache ssl" if you want Apache's httpd server.
If you really want to serve https content directly from your Flask Application (which I wouldn't recommend), you can follow this blog post.

Google Cloud App Engine: How to serve https in a Flexible environment

I work on a python3.6 app that uses flask and oauth2client.
I want to serve https instead of http in gcloud environment.
I tried using flask-talisman:
https://github.com/GoogleCloudPlatform/flask-talisman
However, when I ran their sample app locally I got this error in my browser:
This site can’t provide a secure connection
127.0.0.1 sent an invalid response.
It works fine for http, but can't apparently serve https.
Are there some Talisman configurations I need to change?
Or maybe a whole different solution altogether?
EDIT:
I changed from debug=True to debug=False and now I get automatically redirected to https but the above error message is still there.
One rather generic approach which can work even with the standard environment local development server (which doesn't support HTTPS) would be to use a reverse proxy.
Such solutions are documented in Appengine - Local dev server with https
It's an old thread, but if you want to serve HTTPS (with or without Talisman) you need, at least, a valid certificate. Please create one at Let's Encrypt and install it in your web server, whether your site is on the web or in your local environment. If you want a good tutorial to help further, I recommend this one from Miguel Grinberg, a big "Flask Guru" ;-) .

How to restrict access by using a self-signed certificate?

I have a python script that wants to communicate via HTTPS to a flask application using a self-signed certificate.
I've created an SSL certificate with openssl. I want flask to only accept connections that use that certificate and refuse those that do not.
Can anyone give some thoughts of how can I do that?
I don't think flask is capable of that. Flask only takes care of the content building stuff. It in fact uses Werkzeug as backend while in development mode.
During development, werkzeug's builtin server supports SSL for testing purposes:
    from werkzeug.serving import run_simple

    # application is your Flask (WSGI) app; the tuple names the certificate and private key files
    run_simple('localhost', 4000, application,
               ssl_context=('/path/to/the/key.crt',
                            '/path/to/the/key.key'))
Details can be found here.
When it comes to production, a Flask project has to be deployed with a WSGI backend that is more productive. There are many backends out there like gunicorn and uWSGI (with nginx). If you choose to use one of them, you may want to check out their documentation to find out how to add HTTPS support.

Python embedded web server with client authentication

I need to build a python web server which supports 2 different types of users :
"Super admins", which get full access to the admin panel when they connect using a pre-configured laptop/browser.
Admins, which get limited access to the admin panel and can connect using only a username/password combo.
I'm thinking SSL client authentication is a possible solution for authenticating the technicians.
Note that the web server will be embedded in a product and will not have internet access, so cannot connect to a CA.
Is SSL client authentication a good solution, or is there a simpler, or better option?
Here's what I've found...
CherryPy seems to be a very nice, simple python web server. However, it does not seem to support client authentication.
M2Crypto seems like a very complete library which supports all forms of SSL authentication, however I haven't found a detailed example of how to set up a python web server using M2Crypto for SSL client authentication.
pyOpenSSL seems to be dead.
I also found a recipe, which explains how to set up a python web server with SSL. However...
"With this recipe, only the server is authenticated while the client remains unauthenticated (i.e. the server will not request a client certificate)."
Source : http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/
Can someone point me in the right direction or link to a well documented implementation of what I'm trying to do?
Thank you :)
Take a look at the twisted libraries: http://twistedmatrix.com/documents/current/core/examples/index.html
There is a simple echoserv_ssl and echoclient_ssl example in the link as well.
Optionally, bundle apache + any web framework and you're golden. There are loads of articles online about small embedded web servers.
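Added example, not from either question or their answers: one stdlib ssl.SSLContext that serves both the self-signed-certificate question above (werkzeug's run_simple accepts such a context as its ssl_context) and this embedded-server one. It refuses any client whose certificate does not chain to a private CA file and identifies the connected client by its certificate; the file names are assumptions, and the handler uses http.server so it runs without Twisted or CherryPy.

```python
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

def require_client_cert(ctx=None, ca_file=None):
    """Mutual-TLS server context: only clients whose certificate chains to
    ca_file (our own offline CA, path assumed) pass the handshake."""
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED       # no client cert -> handshake fails
    if ca_file:                               # without a trust anchor every client is rejected
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def build_server_context(certfile, keyfile, ca_file):
    """Server identity (self-signed is fine offline) plus client-cert enforcement."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return require_client_cert(ctx, ca_file)

def peer_common_name(peercert):
    """Pull the CN out of ssl's getpeercert() dict; None if absent."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The handshake already rejected unknown clients; the cert now says who
        # connected, which is how a pre-configured laptop can be told apart.
        who = peer_common_name(self.connection.getpeercert()) or "unknown"
        body = f"hello {who}\n".encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(host="127.0.0.1", port=4443, certfile="server.crt",
          keyfile="server.key", ca_file="ca.crt"):          # assumed file names
    httpd = HTTPServer((host, port), Handler)
    ctx = build_server_context(certfile, keyfile, ca_file)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    # The same ctx can be passed to werkzeug: run_simple(host, port, app, ssl_context=ctx)
    httpd.serve_forever()

if __name__ == "__main__":
    serve()
```

Because the CA file is private to the product, no outbound connection to a public CA is needed; issuing a certificate from it to a laptop is what enrols that laptop as a "super admin" device.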
