gunicorn reverse proxy accessible from internet

Question

I configured nginx and gunicorn to serve flask app. And I started gunicorn with this command gunicorn --bind 0.0.0.0:5000 wsgi:app My website is accessible from my provided ip address on port 80. However It is accessible on port 5000 as well. It seems my reverse proxy works as it should be, but gunicorn server can be accessible as well.

I'm planning to disable port 5000, but not sure this is the correct, secure way to solve such problem.

This is my nginx conf file:

server {

  server_name <my_ip_adress>;
  access_log /var/log/nginx/domain-access.log;

  location / {
    proxy_pass_header Server;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_set_header X-Forwarded-For  $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_connect_timeout 10;
    proxy_read_timeout 10;

    # This line is important as it tells nginx to channel all requests to port 5000.
    # We will later run our wsgi application on this port using gunicorn.
    proxy_pass http://127.0.0.1:5000/;
  }

}

Answer 1

You're binding gunicorn to 0.0.0.0 hence it's available on the external interfaces. Assuming this is just one box, instead:

gunicorn --bind 127.0.0.1:5000 wsgi:app

This no longer listens for requests from external interfaces, meaning all requests must come through nginx.

Of course if you did bind gunicorn to 0.0.0.0 you could make a firewall rule with iptables to DROP traffic to that port from external interfaces.

If you are using a cloud provider they may implement this firewall functionality natively on their platform - for example Security Groups on AWS EC2 would allow you to create a 'webserver' group which only allows traffic through for ports 80 & 443.