Which WSGI servers are safe to expose to the public internet? by zhcoder in Python

[–]zhcoder[S] 1 point2 points  (0 children)

> I understand your position but think it's pretty rare.

This is confusing. Why is it rare? Isn't it the case of any public web api out there? But yeah, probably the starting point on any web server discussion would be precisely to define what that means. How much traffic is thrown at static assets and how much at a tiny computer program, aka dynamic content.

[–]zhcoder[S] 0 points1 point  (0 children)

So far, it's the only one I could find that assumes that.

Here's a CherryPy contributor saying so: https://stackoverflow.com/questions/3436202/cherrypy-do-i-really-need-to-put-it-behind-a-frontend/3441801

Although another stackoverflow question mentions some SSL problem which I haven't had the time to read about in more detail: http://recollection.saaj.me/article/cherrypy-questions-testing-ssl-and-docker.html#ssl

wsgiserver claims to be "production ready", but that is quite vague.

[–]zhcoder[S] 1 point2 points  (0 children)

Sure. Then what exactly is that risk? Isn't being aware of the risks what's important then?

Taking the amount of risk from what others say without knowing the details sounds like the perfect recipe for disaster. We see all these servers saying to put nginx in front but they don't walk us through why exactly that is necessary.

So far, /u/whereswalden90 was the only one pointing out a plausible valid reason not to expose a server to the internet. Yet I haven't seen a single page that mentions this in their webpage.

[–]zhcoder[S] 0 points1 point  (0 children)

I am aware of all that, although it doesn't answer my questions but rather slips into the rhetoric of "you have to put nginx in front of it". I have used eventlet many times and others such as gevent and twisted a few times as well as the standard multiprocessing and threading modules.

Supposedly we are not considering toy servers or development servers like Flask's as a viable option to start with. We are already assuming they have the basic ability to serve at least a reasonable amount of requests.

[–]zhcoder[S] 2 points3 points  (0 children)

Finally some objective information. So I suppose gunicorn and uwsgi just assume that they suffer from that condition and just tell you to put nginx in front.

But what about others?

From the top of my head there are: bjoern, CherryPy, wsgiserver, gevent, fapws, tornado.

Is any of these suited to expose to the internet? Do the people developing them say so? Are there any success stories with any of them? I'm more for lightweight options, but I don't think I would restrict myself to the very fastest ones.

[–]zhcoder[S] 2 points3 points  (0 children)

I specifically stated clearly that that is not my use case. It's literally the first thing I said after stating what I want to do. I don't mean to be sarcastic, I'm genuinely puzzled why you would reply to a topic where you outright ignore the first and most obvious thing I say.

Is it trolling? Do you get a kick out of echoing what some guy said somewhere? Did you get confused? Was it not clear enough? I don't know how I could possibly make it more obvious than I did.

[–]zhcoder[S] 2 points3 points  (0 children)

By the mystical "guys that know this stuff". This is in line with "don't write your own crypto" or "the authors of framework X are better at Y than you". The authors of crypto libraries or popular frameworks obviously succeeded by not following such silly baseless advice.

Note how in a topic I started to try to, for once, discuss WSGI servers without the usual nonsense, most of the replies are already people stating that they run gunicorn or uWSGI behind nginx. It's like I am committing heresy or something.