search

OpServ-Monitoring / opserv-backend

The backend repository for the opserv monitoring software
GNU General Public License v3.0
3 stars 0 forks source link

Add SSL usage as an optional parameter when starting main.py #14

Closed Laberbear closed 7 years ago

Laberbear commented 7 years ago

Since the certificate is being commited here anyways, the security gain is pretty much zero and can be disabled for development purposes. Also a lot of arguments are probably being added in the near future, so using Python ArgParse could be helpful: https://docs.python.org/3/library/argparse.html

EndzeitBegins commented 7 years ago

As we're propably switching to Tornado as server framework in the long run we'll have to take a look how Tornado Supports TLS.

Surely the certicficate was only for test purposes and we have to think about how the certicficate should be passed. Either creating one on start up, reading it out a file at a specified path, receiving a certicficate from letsencrypt or support multiple of those.

In addition to receiving arguments through the console we should think about parsing a settings file. The path to this file could be passed as parameter aswell or set to a default value.

Laberbear commented 7 years ago

Also the certificate location should be determined more precise. Currently it requires the CWD to be in opserv-backend/app otherwise it will not find the cert and keyfile on Linux:

2016-10-14 10:51:14,661 - opserv.gathering.measure - INFO - Retrieving cpu data
    app.run(host='127.0.0.1', port=31337, ssl_context=context, debug=False, threaded=True)
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 843, in run
    run_simple(host, port, self, **options)
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 694, in run_simple
    inner()
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 656, in inner
    fd=fd)
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 544, in make_server
    passthrough_errors, ssl_context, fd=fd)
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 488, in __init__
    self.socket = ssl_context.wrap_socket(sock, server_side=True)
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 410, in wrap_socket
    ssl_version=self._protocol, **kwargs)
  File "/usr/lib/python3.5/ssl.py", line 1069, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python3.5/ssl.py", line 691, in __init__
    self._context.load_cert_chain(certfile, keyfile)
FileNotFoundError: [Errno 2] No such file or directory

But I agree, these things should also bei changable with a config file. Maybe this could also be stored in the db, but user interaction would be more limited

EndzeitBegins commented 7 years ago

I don't think this should be stored in the database but rather in-memory accessible via a read-only interface similar to the current data_manager interface.

As these are start params they potentially change every time the program is launched, thus old settings should vanish anyway. To keep settings the user could save them in a file and provide the filename as stated or write a short start script including the necessary params.

Additionally the default settings should be chosen to fit most users.

EndzeitBegins commented 7 years ago

I opened an issue stating the need of an input parameter reader which includes the points stated here. See #16