
On Windows Server 2016

I have a simple python web server (in flask). It works great, and listens on port 80 (or whatever I configure it to listen on).

I need to serve it over SSL.

I have a good certificate, and imported it into the Computer/personal cert store.

Then I ran:

netsh http add sslcert ipport=0.0.0.0:443 certhash=8caef2be185a0c94d################ appid="{7E46BD40-39C6-4813-B414-019AD3332421}"   

netsh http add urlacl url=https://+:443/ user=Everyone

The commands run fine. I run the flask web server on 443, but it is serving unencrypted. E.g.

https://host/    // fails, because the server is serving plain text
http://host:443   // works, because the traffic ain't ssl-ified

How to resolve?

To be clear: How to resolve without touching the flask code (we do not want to put the SSL certificate on the file system, that is not secure). I believe netsh can be used to terminate SSL in front of an arbitrary web server?

Jonesome Reinstate Monica

2 Answers


I'm not really familiar with Flask. But every other python app I've run on Windows that used SSL referenced a PEM formatted certificate and key file directly. They didn't interface with the Windows cert store at all or need any netsh config. I presume the same is true for Flask and there's a particular way to reference those files and have it serve the traffic over HTTPS.

A quick web search for "python flask ssl" seems to have some encouraging results:

The consensus seems to revolve around creating an instance of SSL.Context that references the cert and key and passing it as an argument to app.run.

Ryan Bolger
  • Thank you! However, I am looking for a no code approach (we do not want to put the SSL certificate on the file system, that is not secure). OP enhanced. – Jonesome Reinstate Monica May 30 '18 at 01:18
  • Granted, I'm certainly not a python expert. But I'm not sure what you want is possible without a python library explicitly intended to work with the Windows http.sys stack and certificate store. Flask does not appear to support that. You'd need to front end the Flask app with IIS or an equivalent Windows web server. – Ryan Bolger May 30 '18 at 15:37
  • Ryan, the approach you describe will work, but having the private key on the file system is a bad idea. We cannot put our cert at risk in that way. – Jonesome Reinstate Monica May 30 '18 at 16:08
  • Why do you think putting the cert/key on the filesystem is bad? Countless non-Windows web servers have been configured that way for decades. An attacker with elevated privileges on your system can compromise your cert regardless of whether it's in the cert store or on the filesystem. – Ryan Bolger May 30 '18 at 16:40

Answer is: forget netsh, it does not seem to be the ticket.

We solved it by using IIS as a reverse proxy, as documented here:

https://developers.coveo.com/display/public/SearchREST/Configuring+HTTPS+Reverse+Proxy+in+IIS

and here

https://weblogs.asp.net/owscott/creating-a-reverse-proxy-with-url-rewrite-for-iis

Jonesome Reinstate Monica
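An added example (not from this answer or the linked articles) of the web.config an IIS reverse-proxy site would use for this setup: TLS terminates in IIS with the certificate staying in the Windows cert store (bound to the site's HTTPS binding), and only the loopback hop to Flask is plaintext. It assumes the URL Rewrite module and Application Request Routing are installed with the ARR proxy enabled, that Flask listens on 127.0.0.1:8080 (a constructed address), and that HTTP_X_FORWARDED_PROTO has been added to allowedServerVariables in applicationHost.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: IIS site config that terminates TLS and forwards requests
     to a Flask backend on the loopback address. Assumes URL Rewrite and ARR
     are installed and the ARR proxy is enabled; 127.0.0.1:8080 is a
     constructed backend address, not one from the original post. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Plain HTTP reaching the IIS site is redirected to HTTPS, so the
             only unencrypted hop is IIS -> loopback. -->
        <rule name="RedirectToHttps" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- HTTPS requests are proxied to Flask. Flask itself should bind
             only to 127.0.0.1 (app.run(host="127.0.0.1", port=8080)) so the
             plaintext backend port is not reachable from the network. -->
        <rule name="ReverseProxyToFlask" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^ON$" />
          </conditions>
          <!-- Pass the original scheme to Flask; HTTP_X_FORWARDED_PROTO must be
               listed under allowedServerVariables in applicationHost.config
               or URL Rewrite refuses to load the rule. -->
          <serverVariables>
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
          </serverVariables>
          <action type="Rewrite" url="http://127.0.0.1:8080/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Check the IIS binding with `netsh http show sslcert` after creating it; since IIS does use http.sys, the certificate appears there, whereas the Flask process on its own never will.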