
[BUG]: Flask server is not configured correctly

Open dablenparty opened this issue 4 months ago • 4 comments

Description of the bug

I've reported this on another project before, so I'll just copy & paste a lot of my words from there. I got this error when starting 13ft:

13ft  | WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.

A quick Google search led me to the Deploying page in the Flask docs, which states:

When you’re developing locally, you’re probably using the built-in development server, debugger, and reloader. These should not be used in production... Do not use the development server when deploying to production. It is intended for use only during local development. It is not designed to be particularly secure, stable, or efficient.

And the Development Server docs, which have the same warning about the production server, as well as this note on the development server:

The development server can also be started from Python with the Flask.run() method. This method takes arguments similar to the CLI options to control the server. The main difference from the CLI command is that the server will crash if there are errors when reloading. debug=True can be passed to enable debug mode.

This is exactly what's being done in index.py: the insecure development server is being run in the production environment. Also, unless I missed something in the code, Flask isn't configured to run behind a reverse proxy.

Steps To Reproduce

  1. Launch 13ft with docker compose up
  2. Observe warning in log

Additional Information

No response

dablenparty avatar Sep 10 '25 22:09 dablenparty

This is exactly what's being done in index.py: the insecure development server is being run in the production environment. Also, unless I missed something in the code, Flask isn't configured to run behind a reverse proxy.

I'm running this behind traefik without issues. I also want to point out this is very much a self-hosted app, not a prod app. A lot of self-hosted apps I've used just run in the dev instance.

I'm not affiliated at all with the project, just my two cents.

jershbytes avatar Sep 29 '25 13:09 jershbytes

I’m running this behind traefik without issues.

So have I, but that doesn’t mean the server is configured for it.

I also want to point out this is very much a self-hosted app, not a prod app. A lot of self-hosted apps I've used just run in the dev instance.

That isn’t what “prod” means. Prod is short for production-ready, which is fancy terminology that just refers to the polished builds that get released to the public. Self-hosted just means you can run it on your own device, which you would do by using the production build of the software. Just because an app is “self-hosted” doesn’t mean it can just ignore safety guidelines, especially self-hosted apps. The home lab community is a target because there are so many people who either expose things insecurely or expose insecure apps, like this repo. Unfortunately, a chain is only as strong as its weakest link, and a dev server is a very weak link. Traefik doesn’t add any security anyway unless you have other stuff like CrowdSec, fail2ban, etc. I’ve seen people get screwed by this before and, funny enough, they were using Flask, too.

I personally won’t be running this anymore unless this issue is fixed.

dablenparty avatar Sep 30 '25 16:09 dablenparty

If you feel so strongly, then put in a PR. This seems to be an ongoing issue I see in FOSS: we have no issue using, but a huge issue contributing. If you like the work, learn Python and submit a PR.

jershbytes avatar Sep 30 '25 20:09 jershbytes

If you feel so strongly, then put in a PR. This seems to be an ongoing issue I see in FOSS: we have no issue using, but a huge issue contributing.

I've never understood this sentiment because it's a gross over-generalization. The vast majority of people don't know how to even read code, let alone write it, so of course there are going to be more users than contributors, and that's good. User feedback is the most important kind!

If you like the work, learn Python and submit a PR.

Done, PR #41. Next time you want to slight people for not contributing to a project, maybe contribute something to it yourself first. I'd love some input on the ProxyFix in my PR if you need somewhere to start.

dablenparty avatar Oct 01 '25 19:10 dablenparty
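The thread makes two separate points that are easy to conflate: the Flask development server should be replaced by a real WSGI server, and an app behind a reverse proxy only sees the proxy's address and scheme unless something like ProxyFix rewrites the request from the X-Forwarded-* headers. The example below is added here to illustrate the second point; it is not code from 13ft, from PR #41, or from Werkzeug. It is a hand-rolled stand-in for ProxyFix using only the standard library, so it runs without Flask installed. The proxy address, host names and client addresses are constructed. One deliberate difference from the real ProxyFix, which trusts a configured number of header values regardless of who connected, is that this version also ignores the headers entirely unless the TCP peer is a listed proxy; that allowlist is an addition of this example.

```python
"""Stand-in for Werkzeug's ProxyFix, written for illustration only (not the
real middleware and not 13ft's code). Shows why forwarded headers must only
be honoured when they came from the reverse proxy."""
from wsgiref.simple_server import make_server
from wsgiref.util import setup_testing_defaults

# Constructed: the address the reverse proxy (e.g. traefik) connects from.
TRUSTED_PROXIES = frozenset({"10.0.0.2"})
FORWARDED_KEYS = ("HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_PROTO", "HTTP_X_FORWARDED_HOST")


def trusted_proxy_fix(wsgi_app, trusted_proxies, num_proxies=1):
    """Rewrite REMOTE_ADDR, wsgi.url_scheme and HTTP_HOST from X-Forwarded-*.

    Like ProxyFix(x_for=1, x_proto=1, x_host=1), the X-Forwarded-For value
    used is the num_proxies-th from the right, i.e. the one appended by the
    last trusted hop; anything further left was supplied by the client and
    is not trusted. Unlike ProxyFix, the headers are ignored unless the TCP
    peer is a listed proxy (an addition made in this example).
    """
    def wrapped(environ, start_response):
        if environ.get("REMOTE_ADDR") in trusted_proxies:
            raw = environ.get("HTTP_X_FORWARDED_FOR", "")
            hops = [h.strip() for h in raw.split(",") if h.strip()]
            if len(hops) >= num_proxies:
                environ["REMOTE_ADDR"] = hops[-num_proxies]
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
            host = environ.get("HTTP_X_FORWARDED_HOST", "").strip()
            if host:
                environ["HTTP_HOST"] = host
        else:
            # Direct hit on the app port: anyone can send these headers, so drop them.
            for key in FORWARDED_KEYS:
                environ.pop(key, None)
        return wsgi_app(environ, start_response)
    return wrapped


def app(environ, start_response):
    """Toy WSGI app that echoes what it believes about the client."""
    body = "{} {} {}".format(environ["REMOTE_ADDR"], environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode()]


# What a WSGI server would import and serve.
application = trusted_proxy_fix(app, TRUSTED_PROXIES, num_proxies=1)


def call(wsgi_app, remote_addr, headers):
    """Invoke a WSGI app on a constructed environ; return (status, body text)."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "app.internal"}  # constructed defaults
    setup_testing_defaults(environ)
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = {}

    def start_response(st, hdrs, exc_info=None):
        status["value"] = st

    body = b"".join(wsgi_app(environ, start_response))
    return status["value"], body.decode()


if __name__ == "__main__":
    # Serve through a plain WSGI server rather than Flask.run(). In a real
    # deployment this would be gunicorn or waitress, with the port reachable
    # only by the proxy so that the allowlist above actually means something.
    with make_server("127.0.0.1", 8000, application) as server:
        server.serve_forever()
```

In an actual Flask deployment the equivalent wiring is `app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)` from `werkzeug.middleware.proxy_fix`, with the app launched by a production WSGI server instead of `Flask.run()`; the exact command for 13ft depends on how `index.py` names its app object, which this thread does not show. The `call` helper drives the middleware with constructed requests so the behaviour can be checked without a network: a request from the proxy gets the forwarded client address, scheme and host; the same headers sent directly to the app port are discarded; and with a multi-hop X-Forwarded-For only the rightmost value, the one the trusted proxy appended, is used.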