Is the server bundled with Flask safe to use in production?


Problem description

Is the server bundled with Flask safe for deployment in a production environment? If not, what should I use to deploy Flask in production?

Solution

No. The bundled server is a development server. It's not designed with production environments in mind.

  • It will not handle more than one request at a time by default.
  • If you leave debug mode on and an error pops up, it opens up a shell that allows for arbitrary code to be executed on your server (think os.system('rm -rf /')).
  • The development server doesn't scale well.

Flask uses Werkzeug's development server, and the documentation says the same thing:

The development server is not intended to be used on production systems. It was designed especially for development purposes and performs poorly under high load. For deployment setups have a look at the Application Deployment pages.

The recommended approach is to use a production WSGI server to run your Flask application. There's a whole section dedicated to deployment in the docs: Deployment Options


If you are serving any static assets like images or videos, need low-level caching, or have higher concurrency demands, it's recommended to use a webserver like nginx and have it handle all of your requests.

In crappy ASCII form:

                +----------+
                | Client 2 |
                +----------+
                      |
                      V 
+----------+      +-------+      +----------+
| Client 1 |----->| nginx |<-----| Client 3 |
+----------+      +-------+      +----------+
                      ^
                      |
                      V
           /--------------------\
           | useful nginx stuff |
           | like asset serving |
           | and rate limiting  |
           \--------------------/
                      |
                      V
               +-------------+
               | WSGI server |
               +-------------+

To actually run the WSGI server process, you can use Supervisor. It automatically restarts the server if it fails for some reason, keeps logs, and runs as a daemon so your service starts when the server boots.
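
The deployment advice above can be checked mechanically. The following is an added example, not part of the original answer: it audits a Supervisor configuration for programs that launch Flask's development server or leave debug mode on. The sample config, program names, paths, finding labels and the WSGI server allow-list are constructed assumptions.

```python
import configparser
import re
import shlex

# Constructed sample Supervisor config (program names and paths are made up).
SAMPLE_CONF = """\
[program:shop_dev]
command=/srv/shop/venv/bin/flask run --host=0.0.0.0 --port=8000
environment=FLASK_APP="shop",FLASK_DEBUG="1"

[program:shop_script]
command=/srv/shop/venv/bin/python app.py

[program:shop_prod]
command=/srv/shop/venv/bin/gunicorn -w 4 -b 127.0.0.1:8000 shop:app
"""

# Assumed allow-list of production WSGI server executables; extend as needed.
WSGI_SERVERS = {"gunicorn", "uwsgi", "waitress-serve"}

def audit(conf_text):
    """Map each [program:x] name to a list of findings (empty list = OK)."""
    parser = configparser.RawConfigParser()  # Raw: leave %(ENV_X)s untouched
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("program:"):
            continue
        argv = shlex.split(parser.get(section, "command", fallback=""))
        env = parser.get(section, "environment", fallback="")
        exe = argv[0].rsplit("/", 1)[-1] if argv else ""
        args = argv[1:]
        if re.fullmatch(r"python[\d.]*", exe) and args[:1] == ["-m"]:
            exe, args = (args[1] if len(args) > 1 else ""), args[2:]  # python -m flask ...
        findings = []
        if exe == "flask" and "run" in args:
            findings.append("dev-server")      # Werkzeug development server
        elif exe not in WSGI_SERVERS:
            findings.append("unknown-server")  # e.g. a script that may call app.run()
        # Flask treats any FLASK_DEBUG value other than 0/false/no as enabled.
        m = re.search(r'FLASK_DEBUG\s*=\s*"?([^",]*)', env)
        if "--debug" in args or (m and m.group(1).lower() not in {"", "0", "false", "no"}):
            findings.append("debug-on")        # interactive debugger reachable
        report[section.split(":", 1)[1]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

An `unknown-server` finding means the command needs a manual look: a plain `python app.py` may or may not call `app.run()`.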
