How to (easily) setup secure webserver, for testing

iburger Member
edited February 2018 in Help

I would like to run my Python webserver in the cloud. But I am not very good at Apache or Nginx. (I know nginx a little bit better.) I would prefer to just run "python start server" with a cronjob. That works, but that also exposes my webservice to the world. And this ain't all that secure.

Perhaps I could...

  • Create a VPN service between "me" and the linux box in the cloud. Somehow, make the virtual box a local box in my network. (I have a cheap old linux WRT 54GL router)

  • Restrict access to the linux box, and bind it to my IP address. If you have the wrong IP, you won't be able to see my insecure webserver service.

What do y'all think?

Comments

  • Learn an automation orchestrator like Ansible or Puppet. Spin up nodes on demand and take them down when you don't need them.

    Thanked by 1Aidan
  • iburger said: exposes my webservice to the world

    Well yes, it's called the worldwide web for a reason ;). Simplest approach if you want to restrict it for testing is (in apache) use "deny all" and "accept 12.34.56.78" or whatever your address is, or do something similar with nginx or iptables. Setting up a vpn is more hardcore but more complicated.

  • Harambe Member, Host Rep

    For personal stuff I just restrict access to my IPs using UFW. Too lazy to modify the apache or nginx conf, just only open port 80/443 to my IPs

    Thanked by 1willie
  • pike Veteran
    edited February 2018

    @willie said:

    Setting up a vpn is more hardcore but more complicated.

    Setting up OpenVPN and doing the steps you mentioned with the internal (VPN) IP address of the client doesn't seem hardcore to me.

  • @iburger

    Maybe I got you wrong but it seems to me that you have some Python web app that does include web server functionality and that you are mainly worried (and quite probably rightly so) that the python server isn't exactly rock solid and secure. If so, you are right; most of this functionality was primarily designed as a way to help developers during development.

    Probably the most simple (and quite OK) solution would be to simply have some web server like nginx as a proxy between the evil internet and your python app. Pretty much every professional web server offers lots of functionality of the "let only xyz" in and "keep xyz out" kind.

    This would also conveniently allow you to have all static content (images, etc) served via that server and to have your python app only do the dynamic part. Moreover the web proxy could handle ssl/tls which is not something you want to be done on the python side.

    Thanked by 1uptime
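
The reverse-proxy arrangement described in the post above, written out as an nginx configuration. This is an added example, not part of the original thread; the hostname, certificate paths, static directory and VPN subnet are assumed placeholder values, and 12.34.56.78 is the example address used earlier in the thread.

```nginx
# Added example. Assumption: the Python app listens on loopback only,
# e.g. Flask's app.run(host="127.0.0.1", port=8000), so nginx is the
# only path to it from outside the machine.

server {
    listen 80;
    server_name app.example.test;            # placeholder hostname
    return 301 https://$host$request_uri;    # no plaintext access
}

server {
    listen 443 ssl;
    server_name app.example.test;

    ssl_certificate     /etc/ssl/example/app.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example/app.key;   # placeholder path

    # Allowlist, checked in order; the first matching rule wins.
    allow 127.0.0.1;
    allow 12.34.56.78;     # the tester's own public address
    allow 10.8.0.0/24;     # assumed VPN client subnet
    deny  all;             # everyone else receives 403

    # Static content is served by nginx, not by the Python process.
    location /static/ {
        alias /srv/app/static/;              # placeholder directory
    }

    # Dynamic requests go to the app on loopback.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Needed only if the app uses WebSockets (a Bokeh server does).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Validate the file with `nginx -t` before reloading. The allowlist only helps if the app's own port is not reachable directly, so confirm from an outside address that port 8000 is closed.
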
  • It's actually not that hard.

    You can just
    apt-get install apache2

    After that it is easy to find a way to protect it. You can still protect it from the outside world with ease.

    For example this is from a website that we only wanted to access either from the localhost or from a certain IP/subnet. You can ask for a password if the user is not from 127.0.0.1 or listed in "require ip" section.

    <If "%{REMOTE_ADDR} != '127.0.0.1'">
        AuthType Basic
        AuthName "The answer to life the universe and everything"
        AuthUserFile /path/to/.htpasswd
    
        require valid-user
        require ip ip.sub.net.1
        require ip ip.sub.net.0/24
    </If>
    
  • @bsdguy:
    That's exactly it! (I'm running flask and bokeh)

    It was actually quite easy to get what I wanted. Woot woot. I actually already had an OpenVPN setup working, so I only needed to figure out how to reject access to the 80, 8000 ports from the scary world-wide web.

    Thanks Nomad & Bsdguy though, you are right. When I am gonna share my app with friends, I will have to go through either Apache or Nginx.

    Thanks all!

  • @iburger said:
    @bsdguy:
    That's exactly it! (I'm running flask and bokeh)

    It was actually quite easy to get what I wanted. Woot woot. I actually already had an OpenVPN setup working, so I only needed to figure out how to reject access to the 80, 8000 ports from the scary world-wide web.

    Thanks Nomad & Bsdguy though, you are right. When I am gonna share my app with friends, I will have to go through either Apache or Nginx.

    Thanks all!

    You are welcome. I have a small addition: Unless you plan to run a seriously massive web app operation (in which case nginx would be a good choice) have a look at a cool project -> cherokee web server. Works nicely with Python, is considered quite secure, pretty fast and light, easy to configure and even offers a nice small web config/stat interface.

  • bsdguy said: Unless you plan to run a seriously massive web app operation (in which case nginx were a good choice) have a look at a cool project -> cherokee web server.

    Wouldn't it be better for the user to just go with nginx?

    1. nginx documentation, how to guides and user base is larger so easier to get help if user runs into nginx related issues
    2. no need to switch web servers once the site grows in traffic as you start with nginx
    3. nginx is cool - yeah I am biased ^_^
    4. nginx is working on an application server called Nginx Unit, currently in beta development, which Python, PHP, Go, Java and NodeJS folks may eventually want to use: https://www.nginx.com/blog/introducing-nginx-unit/. I've only played with the early Nginx Unit application server for PHP (https://community.centminmod.com/threads/nginxs-unit.12803/), so not sure how Python is. So worth keeping track of, though I'd use Nginx web server for now as reverse proxy.
  • iburger Member
    edited February 2018

    This thread was really educational to me. Coming into it, I had no idea what a reverse proxy really is. I now understand that a reverse proxy is the simplest way to shield off attackers from your website.

    I read more on bokeh / nginx and it seems quite doable.

  • Would

    iptables -A INPUT -p tcp ! -s 1.2.3.4 --dport 80 -j DROP

    work?
