awesome-compose/nginx-wsgi-flask
Madhu Kumar e20c8dd50b
Security upgrade nginx from 1.19.7-alpine to 1.20.1-alpine
Changes included in this PR
nginx-wsgi-flask/nginx/Dockerfile
We recommend upgrading to nginx:1.20.1-alpine, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Some of the most important vulnerabilities in your base image include:

Severity	Priority Score / 1000	Issue	Exploit Maturity
critical severity	500	Out-of-bounds Read
SNYK-ALPINE313-APKTOOLS-1533754	No Known Exploit
critical severity	500	Double Free
SNYK-ALPINE313-CURL-1585246	No Known Exploit
critical severity	500	Double Free
SNYK-ALPINE313-CURL-1585246	No Known Exploit
critical severity	500	Buffer Overflow
SNYK-ALPINE313-OPENSSL-1569448	No Known Exploit
critical severity	500	Buffer Overflow
SNYK-ALPINE313-OPENSSL-1569448	No Known Exploit
2022-02-19 22:27:43 +01:00
..
flask init (#120) 2021-04-06 11:54:06 +02:00
nginx Security upgrade nginx from 1.19.7-alpine to 1.20.1-alpine 2022-02-19 22:27:43 +01:00
docker-compose.yaml Remove version from compose files to conform to the specification (#167) 2021-11-04 15:51:58 +01:00
README.md init (#120) 2021-04-06 11:54:06 +02:00

Compose Sample Application

NGINX Reverse Proxy -> WSGI -> Python/Flask Backend

Project structure:

.
├── docker-compose.yaml
├── flask
│   ├── app.py
│   ├── Dockerfile
│   ├── requirements.txt
│   └── wsgi.py
└── nginx
    ├── default.conf
    ├── Dockerfile
    ├── nginx.conf
    └── start.sh

docker-compose.yaml

services:
  nginx-proxy:
    build: nginx
    ports:
    - 80:80
  flask-app:
    build: flask
    ...

The compose file defines an application with two services nginx-proxy and flask-app. When deploying the application, docker-compose maps port 80 of the web service container to port 80 of the host as specified in the file.

Make sure port 80 on the host is not being used by another container, otherwise the port should be changed.

Deploy with docker-compose

$ docker-compose up -d
Creating network "nginx-wsgi-flask_default" with the default driver
Building flask-app
...
Building nginx-proxy
...
Creating nginx-wsgi-flask_flask-app_1 ... done
Creating nginx-wsgi-flask_nginx-proxy_1 ... done

Expected result

Listing containers must show two containers running and the port mapping as below:

$ docker ps
CONTAINER ID   IMAGE            COMMAND                  CREATED              STATUS                        PORTS                              NAMES
bde3f29cf571   ...nginx-proxy   "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   0.0.0.0:80->80/tcp                 ...nginx-proxy_1
86c44470b547   ...flask-app     "gunicorn -w 3 -t 60…"   About a minute ago   Up About a minute (healthy)   5000/tcp, 0.0.0.0:8000->8000/tcp   ...flask-app_1

After the application starts, navigate to http://localhost:80 in your web browser or run:

$ curl localhost:80
Hello World!

Stop and remove the containers

$ docker-compose down
Stopping nginx-wsgi-flask_nginx-proxy_1 ... done
Stopping nginx-wsgi-flask_flask-app_1   ... done
Removing nginx-wsgi-flask_nginx-proxy_1 ... done
Removing nginx-wsgi-flask_flask-app_1   ... done
Removing network nginx-wsgi-flask_default

About

By following the steps above, you will have an NGINX Reverse Proxy and a Flask backend. The general traffic flow will look like the following:

Client -> NGINX -> WSGI -> Flask

NGINX

With this deployment model, we use NGINX to proxy and handle all requests to our Flask backend. This is a powerful deployment model as we can use NGINX to cache responses or even act as an application load balancer between multiple Flask backends. You could also integrate a Web Application Firewall into NGINX to protect your Flask backend from attacks.

WSGI

WSGI (Web Server Gateway Interface) is the interface that sits in between our NGINX proxy and Flask backend. It is used to handle requests and interface with our backend. WSGI allows you to handle thousands of requests at a time and is highly scalable. In this docker-compose sample, we use Gunicorn for our WSGI.

Flask

Flask is a web development framework written in Python. It is the "backend" which processes requests.

A couple of sample endpoints are provided in this docker-compose example:

  • / - Returns a "Hello World!" string.
  • /cache-me - Returns a string which is cached by the NGINX reverse proxy. This demonstrates an intermediary cache implementation.
  • /info - Returns informational headers about the request. Some are passed from NGINX for added client visibility.