Ir al contenido principal

Ralsina.Me — El sitio web de Roberto Alsina

Safe Remote Blogging with PyDS

Introduction

The soft­ware I use to build this blog, Python Desk­top Serv­er (PyD­S) is ac­cessed through HTTP. To use the web in­ter­face to post sto­ries or mes­sages, I point my web brows­er to http://127.0.0.1:4334 and start typ­ing. Ob­vi­ous­ly, such a URL on­ly works when I am sit­ting on the spe­cif­ic com­put­er where PyDS is in­stalled, be­cause 127.0.0.1 is the "lo­cal ad­ddress". It al­ways points to your own box.

If I want­ed to work on my blog from an­oth­er com­put­er, I would have to use a URL like http://192.168.1.253:4334, where 192.168.1.253 is the IP ad­dress for my com­put­er. How­ev­er, that won't work, be­cause PyDS on­ly lis­tens for con­nec­tions on the 127.0.0.1 ad­dress.

The goal here is to be able to blog at will from any­where. Since there are sev­er­al ways to do it, and the dif­fi­cul­ty and con­ve­nience of each varies, I will split it in three sce­nar­ios, in in­creas­ing or­der of dif­fi­cul­ty and se­cu­ri­ty.

Scenario Number 1

The net­work I want to use for blog­ging is trust­ed. For ex­am­ple, my home net­work, be­hind a fire­wal­l, and I live alone. Since noone else can ac­cess any­thing, not even a pass­word pro­tec­tion for the blog is nec­es­sary.

Ed­it ~/.PyD­S/etc/PyD­SCon­fig.py (if it does­n't ex­ist, cre­ate it) to have some­thing like this:

serverip="0.0.0.0"

While this is easy, it's al­so very in­se­cure. You can now point your brows­er to your pub­lic IP ad­dress, port 4334, and blog at will.

Re­mem­ber that, be­cause PyDS does­n't ask for pass­words by de­fault, any­one in your net­work can do any­thing to your blog!. Un­less you are in a net­work where you are the on­ly user, this could be a very bad idea.

Scenario Number 2

A trust­ed net­work, but pass­word pro­tect­ed. Could be, for ex­am­ple, a home net­work with sev­er­al user­s, if you don't feel up to tack­ling Sce­nario Num­ber 3.

First, you must cre­ate at least one "lo­cal us­er with pass­word" with ad­min rights us­ing PyD­S's us­er tool (Pref­er­ences -> User)

Here, we will dif­fer­en­ti­ate be­tween lo­cal and re­mote ac­cess. Lo­cal ac­cess is through the 127.0.0.1 ad­dress, and is un­re­strict­ed. Re­mote ac­cess will be through the 192.168.1.253 ad­dress, and will be pass­word-pro­tect­ed.

Ed­it ~/.PyD­S/etc/PyD­SCon­fig.py (if it does­n't ex­ist, cre­ate it) to have some­thing like this:

remotehostname="192.168.1.253"
remoteip="192.168.1.253"

Of course, re­plac­ing 192.168.1.253 with your own IP ad­dress. Now, you can point your brows­er to http://192.168.1.253:4334 or what­ev­er your IP is, and you will be asked for the us­er and pass­word you con­fig­ured ear­li­er.

Safer than Sce­nario 1, but stil­l....

Scenario Number 3

A hostile network, for example, Internet, or an insecure office network.

Sce­nario num­ber 2 has a weak­ness in that the user­names and pass­words are trans­mit­ted in the clear over the net­work, and any­one with the wish to read them and some knowl­edge can do it. The stan­dard mech­a­nism to avoid such a prob­lem in a web­site is to use HTTPS in­stead of HTTP. If PyDS used Apache to serve its pages, for ex­am­ple, that would be sim­ple. Ok, maybe not too sim­ple, but doable ;-)

How­ev­er, PyD­S's in­ter­nal web serv­er has no sup­port for HTTPS as far as I know. So, the so­lu­tion is to use a re­verse http­s-­to-http prox­y. If you have no idea what that mean­s, don't wor­ry, you don't need to.

Here's how it work­s:

The re­verse proxy is a pro­gram that re­ceives the clien­t's re­quest­s, us­ing the HTTPS pro­to­col, which is se­cure, and con­verts them to HTTP, the in­se­cure pro­to­col PyDS us­es. Then, it pass­es those re­quests to PyD­S, and pass­es PyD­S's replies to the clien­t.

Since the Prox­y->PyDS con­nec­tion is in­ter­nal to the server, it can't be seen by oth­er users on the net­work.

The re­verse proxy I am us­ing is called Pound which is smal­l, sim­ple and light.

Step-By-Step
  1. Down­load Pound


  2. Ex­­pand the tar­bal­l:

     
         tar xzvf Pound-1.3.t­gz  

  3. Com­pile Pound:

    You will need a C com­pil­er, and the de­vel­op­­ment pack­­age for OpenSS­L. All that should come with your dis­­tro, but may not be in­­stalled. In Red Hat, as­­sum­ing the re­quired pack­­ages are there, you can com­pile Pound like this:

     
    ./­con­fig­ure --with­-ss­l=/usr && make 

  4. In­­stall Pound:

     
    su root -c "make in­stal­l" 

  5. Cre­ate a SSL cer­ti­fi­­cate:

    HTTPS us­es cer­ti­fi­­cates to en­crypt the da­­ta and guar­an­­tee the iden­ti­­ty of the server­s. A "re­al" cer­ti­fi­­cate costs mon­ey. So here you can cre­ate what's called a self­­-signed cer­ti­fi­­cate.

     
    openssl req -new -x509 -days 365 -n­odes -out myc­ert.pem -key­out myc­ert.pem 

    While it en­crypts just as well as any oth­­er, a self­­-signed cer­ti­fi­­cate does­n't guar­an­­tee the iden­ti­­ty of the serv­er you con­nect to. In most cas­es that should be no prob­lem, ex­­cept your web brows­er will com­­plain a bit. Your cer­ti­fi­­cate is the my­c­ert.pem file.


  6. Con­­fig­ure Pound:

    As­­sum­ing your IP ad­­dress is 192.168.1.253, your PyDS port is 4334 and your cer­ti­fi­­cate file is saved as /home­­/rober­­to/my­c­ert.pem, here is the Pound con­­fig file, save it as /us­r/lo­­cal/etc/­­pound.cfg

     
    Lis­ten­HTTPS *,443 /home­/rober­to/myc­ert.pem
    
    Url­Group ".*"
    Back­End 192.168.1.253,4334,1
    End­Group 

  7. Con­­fig­ure Py­D­S:

    Do it ex­ac­t­­ly as in the Sce­­nario 2 above.


  8. Start Pound:

     
    su root -c /us­r/lo­cal/s­bin/­pound 

If all went well, now you can point your web brows­er to http­s://192.168.1.253 and ac­cess PyDS through an en­crypt­ed, pass­word-pro­tect­ed link, which is the safest way I can think of right now.

Final Words

This should be enough for PyD­S, but don't box your­self in. Any­thing that can be ac­cessed through HTTP can be made safer by mak­ing it use HTTP­S. And if it's not sup­port­ed, you can wrap it us­ing Pound!

Important Links

Roberto Alsina / 2006-04-04 16:22:

Comments for this story are here:

http://www.haloscan.com/com...


Contents © 2000-2024 Roberto Alsina