Use SSL #571
Comments
We should ask Pat how they want to handle connections over port 443 and who needs to provide the SSL certificates. |
For now we should use a self-signed certificate |
The t2wml backend service should run over SSL. I found this web page on running Flask over HTTPS: https://blog.miguelgrinberg.com/post/running-your-flask-application-over-https For now we should use their self-signed certificate. |
I'm sorry, I don't understand why we need to do this if they are going to place t2wml behind IIS. They should just place it behind IIS in testing, too. It will take them fifteen minutes to configure this, as opposed to many hours, and maybe a couple of days, to get Flask to support ssl on Windows when running behind waitress as part of a windows service.
|
I did some reading. Waitress does not support ssl, and we bypass the flask dev server so the ssl solution in the link will not work.
The way to run flask behind ssl on windows is to set up IIS or nginx. Since we cannot use docker, and cannot install nginx on their server, we're left with IIS. Can you configure IIS on their server?
|
One of the security requirements is that every service that communicates with another service is required to use SSL, even if this service already sits behind IIS. |
What do we lose if we do not use Waitress, and just use plain Flask? There will not be many simultaneous users annotating datasets. |
Or, perhaps we can use uWSGI. It seems to support SSL. https://uwsgi-docs.readthedocs.io/en/latest/ |
uwsgi does not work on Windows, it requires cygwin, which means no Windows service support.
Using the flask dev server is a huge security risk. If they allow us to use it, we can and then it will probably work as long as only one user uses t2wml at any given time. Two users who try to use two large files at the same time will probably kill it.
|
Why would flask be a security risk? I do not think there will be many users. And, most of the time they will be working with small files. Perhaps we can start with Flask, and if we run into scalability issues we can switch to using one of the Python WSGI Servers. https://flask.palletsprojects.com/en/2.0.x/deploying/index.html |
They would prefer us to use an SSL-compatible WSGI server. They are not familiar with WSGI servers, but they suggest we look into CherryPy and Tornado. |