Geek Answers Handbook

How to restrict Flask dev server to only one visiting IP address

I am developing a website using the Python flash framework , and now I am making some devices, redirecting my changes to a remote dev server. I installed this remote developers server to serve the website using app.run(host='0.0.0.0') .

This works great, but I just don't want other people to browse my site. For this reason, somehow I want the whitelist of my ip, so that the development server only serves the website to its own IP address, without giving a response, 404 or some other unacceptable answer to other IP addresses. I can, of course, configure the server to use apache or nginx to actually maintain the website, but I like to automatically reload the website when changing the code to develop my website.

Does anyone know how to do this using the Flask dev built-in server? All tips are welcome!

+7
python flask ip-address
source share
2 answers

Using only the Flask functions, you can use before_request() hook by checking the request.remote_addr attribute:

 from flask import abort, request @app.before_request def limit_remote_addr(): if request.remote_addr != '10.20.30.40': abort(403) # Forbidden

but using a firewall rule on the server is probably a safer and more reliable option.

Please note that Remote_Addr can be masked if there is a reverse proxy between the browser and your server; be careful how you limit this and do not block yourself. If the proxy server lives near the server itself (for example, a load balancer or an external cache), you can view the request.access_route list to access the actual IP address. Do this only if remote_addr itself is a trusted IP address:

 trusted_proxies = ('42.42.42.42', '82.42.82.42', '127.0.0.1') def limit_remote_addr(): remote = request.remote_addr route = list(request.access_route) while remote in trusted_proxies: remote = route.pop() if remote != '10.20.30.40': abort(403) # Forbidden
+24
source share

IMHO , although you can easily achieve the expected result using the above solution, this problem should be handled at the Network level of the operating system .. p>

To block / allow traffic from any source to a specific port on your server, this task is for the operating system firewall. Packets and their sources (IP addresses) must be processed at the network level in your operating system in kernel land without sending your application. If your server does not have a firewall, you must configure it to protect your server, even if your server is not already in the Production section.

Here's an example of a thought: given that the packages that arrive on your server, firstly, go through the analysis of the kernel of your operating system (suppose you are using a Unix-like or GNU / Linux-compatible OS), you can reject / allow incoming connecting to the network layer with Kernel Land using packet filtering software such as Netfilter , which is typically managed using IPTABLES .

Here is the Netfiler rule that suits you:

 /sbin/iptables -A INPUT -s ! your_ip_address --dport 80 -j DROP
  • All traffic arriving at port 80 will be deleted, EXCEPTION for connections originating from your_ip_address .

The principle of filtering / blocking incoming connections / packets at the network level of the operating system is somewhat applied to Microsoft OS, but I'm not sure. I have never studied how Windows Firewall works with packet filtering, but there are good chances that it works in a very similar way.

So here is the last thought:

Packages must be processed at the network level of your operating system. Do not let packages access your application: it is safer and distributes the work to the necessary sides of your system.

The Linux kernel and its modules (Netfilter) are much more reliable, competent, and effective in treating such problems than Flask.

Keep in mind this good practice;).

+3
source share

More articles:


All Articles