
I'm trying to run a Flask application via HTTPS on Gunicorn.

Up to now I have been running it successfully via HTTP using a command like the following:

gunicorn --workers=4 "program.__main__:WSGI()" --bind=0.0.0.0:8080

Now I am trying to run it via HTTPS using a command like the following:

gunicorn --workers=4 "program.__main__:WSGI()" --bind=0.0.0.0:443 --certfile=fullchain.pem --keyfile=privkey.pem

When I run this as a normal user, I get output like the following:

[2018-08-13 21:26:28 +0000] [15170] [INFO] Starting gunicorn 19.9.0
[2018-08-13 21:26:28 +0000] [15170] [ERROR] Retrying in 1 second.
[2018-08-13 21:26:29 +0000] [15170] [ERROR] Retrying in 1 second.
[2018-08-13 21:26:30 +0000] [15170] [ERROR] Retrying in 1 second.
[2018-08-13 21:26:31 +0000] [15170] [ERROR] Retrying in 1 second.
[2018-08-13 21:26:32 +0000] [15170] [ERROR] Retrying in 1 second.
[2018-08-13 21:26:33 +0000] [15170] [ERROR] Can't connect to ('0.0.0.0', 443)

As root, it works, but I'm disinclined to run a web server as root. How should I run this securely?

BlandCorporation
  • I'm not an expert in Gunicorn, but it's an application server. Typically application servers run BEHIND a web server, e.g. apache, nginx, caddy. Web servers would be the things that would run on port 443 and proxy the correct domain name to the correct gunicorn port (usually 5000 or 8000); they also have a smaller attack surface. They would also typically be run by the system daemon (init process/systemd). – Jono Oct 01 '18 at 21:24
  • Try using the setcap command to use the privileged port. If you are using python 2.7 on linux, then try: sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python2.7; similarly, if you are using another python version, point to that binary file. Thanks – Ankush Singh Feb 25 '19 at 11:07
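A systemd unit that addresses the question as asked, added here as an example and not taken from the original post or any of its commenters: gunicorn runs under a dedicated unprivileged account and receives only CAP_NET_BIND_SERVICE, scoped to this one service rather than to the whole python interpreter as the setcap suggestion above would do. The unit name, the service account "program", the /opt/program layout and the certificate paths are assumptions.

```ini
# /etc/systemd/system/program.service   (assumed path and unit name)
[Unit]
Description=Gunicorn (Flask) serving HTTPS on port 443 as an unprivileged user
After=network.target

[Service]
# Assumed: a dedicated account with no login shell, created with e.g.
#   useradd --system --shell /usr/sbin/nologin --home /opt/program program
User=program
Group=program
WorkingDirectory=/opt/program

# Grant only the right to bind ports below 1024, and only to this service.
# Nothing else run with the same python binary gains it, unlike setcap on
# /usr/bin/python2.7. AmbientCapabilities= needs systemd 229 or newer.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# The command from the question. The gunicorn path inside a virtualenv and the
# certificate directory are assumed. privkey.pem must be readable by user
# "program" (e.g. owner root, group program, mode 0640) and by nobody else.
ExecStart=/opt/program/venv/bin/gunicorn --workers=4 "program.__main__:WSGI()" \
    --bind=0.0.0.0:443 \
    --certfile=/etc/ssl/program/fullchain.pem \
    --keyfile=/etc/ssl/program/privkey.pem

# Standard systemd sandboxing: read-only system, no access to home
# directories, private /tmp and /dev, no kernel tunables, sockets only of
# the families gunicorn needs.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Only needed if the application writes logs here; drop it otherwise.
ReadWritePaths=/opt/program/log

Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload && systemctl enable --now program.service`, `systemctl status program.service` should show the master and workers running as "program" with the socket bound on 443; if the bind still fails, check the systemd version and that the key file is readable by that account.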

0 Answers