serving.py 38 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098
  1. """A WSGI and HTTP server for use **during development only**. This
  2. server is convenient to use, but is not designed to be particularly
  3. stable, secure, or efficient. Use a dedicate WSGI server and HTTP
  4. server when deploying to production.
  5. It provides features like interactive debugging and code reloading. Use
  6. ``run_simple`` to start the server. Put this in a ``run.py`` script:
  7. .. code-block:: python
  8. from myapp import create_app
  9. from werkzeug import run_simple
  10. """
  11. import errno
  12. import io
  13. import os
  14. import socket
  15. import socketserver
  16. import sys
  17. import typing as t
  18. from datetime import datetime as dt
  19. from datetime import timedelta
  20. from datetime import timezone
  21. from http.server import BaseHTTPRequestHandler
  22. from http.server import HTTPServer
  23. from ._internal import _log
  24. from ._internal import _wsgi_encoding_dance
  25. from .exceptions import InternalServerError
  26. from .urls import uri_to_iri
  27. from .urls import url_parse
  28. from .urls import url_unquote
  29. try:
  30. import ssl
  31. except ImportError:
  32. class _SslDummy:
  33. def __getattr__(self, name: str) -> t.Any:
  34. raise RuntimeError( # noqa: B904
  35. "SSL is unavailable because this Python runtime was not"
  36. " compiled with SSL/TLS support."
  37. )
  38. ssl = _SslDummy() # type: ignore
  39. _log_add_style = True
  40. if os.name == "nt":
  41. try:
  42. __import__("colorama")
  43. except ImportError:
  44. _log_add_style = False
  45. can_fork = hasattr(os, "fork")
  46. if can_fork:
  47. ForkingMixIn = socketserver.ForkingMixIn
  48. else:
  49. class ForkingMixIn: # type: ignore
  50. pass
  51. try:
  52. af_unix = socket.AF_UNIX
  53. except AttributeError:
  54. af_unix = None # type: ignore
  55. LISTEN_QUEUE = 128
  56. _TSSLContextArg = t.Optional[
  57. t.Union["ssl.SSLContext", t.Tuple[str, t.Optional[str]], "te.Literal['adhoc']"]
  58. ]
  59. if t.TYPE_CHECKING:
  60. import typing_extensions as te # noqa: F401
  61. from _typeshed.wsgi import WSGIApplication
  62. from _typeshed.wsgi import WSGIEnvironment
  63. from cryptography.hazmat.primitives.asymmetric.rsa import (
  64. RSAPrivateKeyWithSerialization,
  65. )
  66. from cryptography.x509 import Certificate
  67. class DechunkedInput(io.RawIOBase):
  68. """An input stream that handles Transfer-Encoding 'chunked'"""
  69. def __init__(self, rfile: t.IO[bytes]) -> None:
  70. self._rfile = rfile
  71. self._done = False
  72. self._len = 0
  73. def readable(self) -> bool:
  74. return True
  75. def read_chunk_len(self) -> int:
  76. try:
  77. line = self._rfile.readline().decode("latin1")
  78. _len = int(line.strip(), 16)
  79. except ValueError as e:
  80. raise OSError("Invalid chunk header") from e
  81. if _len < 0:
  82. raise OSError("Negative chunk length not allowed")
  83. return _len
  84. def readinto(self, buf: bytearray) -> int: # type: ignore
  85. read = 0
  86. while not self._done and read < len(buf):
  87. if self._len == 0:
  88. # This is the first chunk or we fully consumed the previous
  89. # one. Read the next length of the next chunk
  90. self._len = self.read_chunk_len()
  91. if self._len == 0:
  92. # Found the final chunk of size 0. The stream is now exhausted,
  93. # but there is still a final newline that should be consumed
  94. self._done = True
  95. if self._len > 0:
  96. # There is data (left) in this chunk, so append it to the
  97. # buffer. If this operation fully consumes the chunk, this will
  98. # reset self._len to 0.
  99. n = min(len(buf), self._len)
  100. # If (read + chunk size) becomes more than len(buf), buf will
  101. # grow beyond the original size and read more data than
  102. # required. So only read as much data as can fit in buf.
  103. if read + n > len(buf):
  104. buf[read:] = self._rfile.read(len(buf) - read)
  105. self._len -= len(buf) - read
  106. read = len(buf)
  107. else:
  108. buf[read : read + n] = self._rfile.read(n)
  109. self._len -= n
  110. read += n
  111. if self._len == 0:
  112. # Skip the terminating newline of a chunk that has been fully
  113. # consumed. This also applies to the 0-sized final chunk
  114. terminator = self._rfile.readline()
  115. if terminator not in (b"\n", b"\r\n", b"\r"):
  116. raise OSError("Missing chunk terminating newline")
  117. return read
  118. class WSGIRequestHandler(BaseHTTPRequestHandler):
  119. """A request handler that implements WSGI dispatching."""
  120. server: "BaseWSGIServer"
  121. @property
  122. def server_version(self) -> str: # type: ignore
  123. from . import __version__
  124. return f"Werkzeug/{__version__}"
  125. def make_environ(self) -> "WSGIEnvironment":
  126. request_url = url_parse(self.path)
  127. url_scheme = "http" if self.server.ssl_context is None else "https"
  128. if not self.client_address:
  129. self.client_address = ("<local>", 0)
  130. elif isinstance(self.client_address, str):
  131. self.client_address = (self.client_address, 0)
  132. # If there was no scheme but the path started with two slashes,
  133. # the first segment may have been incorrectly parsed as the
  134. # netloc, prepend it to the path again.
  135. if not request_url.scheme and request_url.netloc:
  136. path_info = f"/{request_url.netloc}{request_url.path}"
  137. else:
  138. path_info = request_url.path
  139. path_info = url_unquote(path_info)
  140. environ: "WSGIEnvironment" = {
  141. "wsgi.version": (1, 0),
  142. "wsgi.url_scheme": url_scheme,
  143. "wsgi.input": self.rfile,
  144. "wsgi.errors": sys.stderr,
  145. "wsgi.multithread": self.server.multithread,
  146. "wsgi.multiprocess": self.server.multiprocess,
  147. "wsgi.run_once": False,
  148. "werkzeug.socket": self.connection,
  149. "SERVER_SOFTWARE": self.server_version,
  150. "REQUEST_METHOD": self.command,
  151. "SCRIPT_NAME": "",
  152. "PATH_INFO": _wsgi_encoding_dance(path_info),
  153. "QUERY_STRING": _wsgi_encoding_dance(request_url.query),
  154. # Non-standard, added by mod_wsgi, uWSGI
  155. "REQUEST_URI": _wsgi_encoding_dance(self.path),
  156. # Non-standard, added by gunicorn
  157. "RAW_URI": _wsgi_encoding_dance(self.path),
  158. "REMOTE_ADDR": self.address_string(),
  159. "REMOTE_PORT": self.port_integer(),
  160. "SERVER_NAME": self.server.server_address[0],
  161. "SERVER_PORT": str(self.server.server_address[1]),
  162. "SERVER_PROTOCOL": self.request_version,
  163. }
  164. for key, value in self.headers.items():
  165. key = key.upper().replace("-", "_")
  166. value = value.replace("\r\n", "")
  167. if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
  168. key = f"HTTP_{key}"
  169. if key in environ:
  170. value = f"{environ[key]},{value}"
  171. environ[key] = value
  172. if environ.get("HTTP_TRANSFER_ENCODING", "").strip().lower() == "chunked":
  173. environ["wsgi.input_terminated"] = True
  174. environ["wsgi.input"] = DechunkedInput(environ["wsgi.input"])
  175. # Per RFC 2616, if the URL is absolute, use that as the host.
  176. # We're using "has a scheme" to indicate an absolute URL.
  177. if request_url.scheme and request_url.netloc:
  178. environ["HTTP_HOST"] = request_url.netloc
  179. try:
  180. # binary_form=False gives nicer information, but wouldn't be compatible with
  181. # what Nginx or Apache could return.
  182. peer_cert = self.connection.getpeercert( # type: ignore[attr-defined]
  183. binary_form=True
  184. )
  185. if peer_cert is not None:
  186. # Nginx and Apache use PEM format.
  187. environ["SSL_CLIENT_CERT"] = ssl.DER_cert_to_PEM_cert(peer_cert)
  188. except ValueError:
  189. # SSL handshake hasn't finished.
  190. self.server.log("error", "Cannot fetch SSL peer certificate info")
  191. except AttributeError:
  192. # Not using TLS, the socket will not have getpeercert().
  193. pass
  194. return environ
  195. def run_wsgi(self) -> None:
  196. if self.headers.get("Expect", "").lower().strip() == "100-continue":
  197. self.wfile.write(b"HTTP/1.1 100 Continue\r\n\r\n")
  198. self.environ = environ = self.make_environ()
  199. status_set: t.Optional[str] = None
  200. headers_set: t.Optional[t.List[t.Tuple[str, str]]] = None
  201. status_sent: t.Optional[str] = None
  202. headers_sent: t.Optional[t.List[t.Tuple[str, str]]] = None
  203. chunk_response: bool = False
  204. def write(data: bytes) -> None:
  205. nonlocal status_sent, headers_sent, chunk_response
  206. assert status_set is not None, "write() before start_response"
  207. assert headers_set is not None, "write() before start_response"
  208. if status_sent is None:
  209. status_sent = status_set
  210. headers_sent = headers_set
  211. try:
  212. code_str, msg = status_sent.split(None, 1)
  213. except ValueError:
  214. code_str, msg = status_sent, ""
  215. code = int(code_str)
  216. self.send_response(code, msg)
  217. header_keys = set()
  218. for key, value in headers_sent:
  219. self.send_header(key, value)
  220. header_keys.add(key.lower())
  221. # Use chunked transfer encoding if there is no content
  222. # length. Do not use for 1xx and 204 responses. 304
  223. # responses and HEAD requests are also excluded, which
  224. # is the more conservative behavior and matches other
  225. # parts of the code.
  226. # https://httpwg.org/specs/rfc7230.html#rfc.section.3.3.1
  227. if (
  228. not (
  229. "content-length" in header_keys
  230. or environ["REQUEST_METHOD"] == "HEAD"
  231. or (100 <= code < 200)
  232. or code in {204, 304}
  233. )
  234. and self.protocol_version >= "HTTP/1.1"
  235. ):
  236. chunk_response = True
  237. self.send_header("Transfer-Encoding", "chunked")
  238. # Always close the connection. This disables HTTP/1.1
  239. # keep-alive connections. They aren't handled well by
  240. # Python's http.server because it doesn't know how to
  241. # drain the stream before the next request line.
  242. self.send_header("Connection", "close")
  243. self.end_headers()
  244. assert isinstance(data, bytes), "applications must write bytes"
  245. if data:
  246. if chunk_response:
  247. self.wfile.write(hex(len(data))[2:].encode())
  248. self.wfile.write(b"\r\n")
  249. self.wfile.write(data)
  250. if chunk_response:
  251. self.wfile.write(b"\r\n")
  252. self.wfile.flush()
  253. def start_response(status, headers, exc_info=None): # type: ignore
  254. nonlocal status_set, headers_set
  255. if exc_info:
  256. try:
  257. if headers_sent:
  258. raise exc_info[1].with_traceback(exc_info[2])
  259. finally:
  260. exc_info = None
  261. elif headers_set:
  262. raise AssertionError("Headers already set")
  263. status_set = status
  264. headers_set = headers
  265. return write
  266. def execute(app: "WSGIApplication") -> None:
  267. application_iter = app(environ, start_response)
  268. try:
  269. for data in application_iter:
  270. write(data)
  271. if not headers_sent:
  272. write(b"")
  273. if chunk_response:
  274. self.wfile.write(b"0\r\n\r\n")
  275. finally:
  276. if hasattr(application_iter, "close"):
  277. application_iter.close() # type: ignore
  278. try:
  279. execute(self.server.app)
  280. except (ConnectionError, socket.timeout) as e:
  281. self.connection_dropped(e, environ)
  282. except Exception as e:
  283. if self.server.passthrough_errors:
  284. raise
  285. if status_sent is not None and chunk_response:
  286. self.close_connection = True
  287. try:
  288. # if we haven't yet sent the headers but they are set
  289. # we roll back to be able to set them again.
  290. if status_sent is None:
  291. status_set = None
  292. headers_set = None
  293. execute(InternalServerError())
  294. except Exception:
  295. pass
  296. from .debug.tbtools import DebugTraceback
  297. msg = DebugTraceback(e).render_traceback_text()
  298. self.server.log("error", f"Error on request:\n{msg}")
  299. def handle(self) -> None:
  300. """Handles a request ignoring dropped connections."""
  301. try:
  302. super().handle()
  303. except (ConnectionError, socket.timeout) as e:
  304. self.connection_dropped(e)
  305. except Exception as e:
  306. if self.server.ssl_context is not None and is_ssl_error(e):
  307. self.log_error("SSL error occurred: %s", e)
  308. else:
  309. raise
  310. def connection_dropped(
  311. self, error: BaseException, environ: t.Optional["WSGIEnvironment"] = None
  312. ) -> None:
  313. """Called if the connection was closed by the client. By default
  314. nothing happens.
  315. """
  316. def __getattr__(self, name: str) -> t.Any:
  317. # All HTTP methods are handled by run_wsgi.
  318. if name.startswith("do_"):
  319. return self.run_wsgi
  320. # All other attributes are forwarded to the base class.
  321. return getattr(super(), name)
  322. def address_string(self) -> str:
  323. if getattr(self, "environ", None):
  324. return self.environ["REMOTE_ADDR"] # type: ignore
  325. if not self.client_address:
  326. return "<local>"
  327. return self.client_address[0]
  328. def port_integer(self) -> int:
  329. return self.client_address[1]
  330. def log_request(
  331. self, code: t.Union[int, str] = "-", size: t.Union[int, str] = "-"
  332. ) -> None:
  333. try:
  334. path = uri_to_iri(self.path)
  335. msg = f"{self.command} {path} {self.request_version}"
  336. except AttributeError:
  337. # path isn't set if the requestline was bad
  338. msg = self.requestline
  339. code = str(code)
  340. if code[0] == "1": # 1xx - Informational
  341. msg = _ansi_style(msg, "bold")
  342. elif code == "200": # 2xx - Success
  343. pass
  344. elif code == "304": # 304 - Resource Not Modified
  345. msg = _ansi_style(msg, "cyan")
  346. elif code[0] == "3": # 3xx - Redirection
  347. msg = _ansi_style(msg, "green")
  348. elif code == "404": # 404 - Resource Not Found
  349. msg = _ansi_style(msg, "yellow")
  350. elif code[0] == "4": # 4xx - Client Error
  351. msg = _ansi_style(msg, "bold", "red")
  352. else: # 5xx, or any other response
  353. msg = _ansi_style(msg, "bold", "magenta")
  354. self.log("info", '"%s" %s %s', msg, code, size)
  355. def log_error(self, format: str, *args: t.Any) -> None:
  356. self.log("error", format, *args)
  357. def log_message(self, format: str, *args: t.Any) -> None:
  358. self.log("info", format, *args)
  359. def log(self, type: str, message: str, *args: t.Any) -> None:
  360. _log(
  361. type,
  362. f"{self.address_string()} - - [{self.log_date_time_string()}] {message}\n",
  363. *args,
  364. )
  365. def _ansi_style(value: str, *styles: str) -> str:
  366. if not _log_add_style:
  367. return value
  368. codes = {
  369. "bold": 1,
  370. "red": 31,
  371. "green": 32,
  372. "yellow": 33,
  373. "magenta": 35,
  374. "cyan": 36,
  375. }
  376. for style in styles:
  377. value = f"\x1b[{codes[style]}m{value}"
  378. return f"{value}\x1b[0m"
  379. def generate_adhoc_ssl_pair(
  380. cn: t.Optional[str] = None,
  381. ) -> t.Tuple["Certificate", "RSAPrivateKeyWithSerialization"]:
  382. try:
  383. from cryptography import x509
  384. from cryptography.x509.oid import NameOID
  385. from cryptography.hazmat.backends import default_backend
  386. from cryptography.hazmat.primitives import hashes
  387. from cryptography.hazmat.primitives.asymmetric import rsa
  388. except ImportError:
  389. raise TypeError(
  390. "Using ad-hoc certificates requires the cryptography library."
  391. ) from None
  392. backend = default_backend()
  393. pkey = rsa.generate_private_key(
  394. public_exponent=65537, key_size=2048, backend=backend
  395. )
  396. # pretty damn sure that this is not actually accepted by anyone
  397. if cn is None:
  398. cn = "*"
  399. subject = x509.Name(
  400. [
  401. x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Dummy Certificate"),
  402. x509.NameAttribute(NameOID.COMMON_NAME, cn),
  403. ]
  404. )
  405. backend = default_backend()
  406. cert = (
  407. x509.CertificateBuilder()
  408. .subject_name(subject)
  409. .issuer_name(subject)
  410. .public_key(pkey.public_key())
  411. .serial_number(x509.random_serial_number())
  412. .not_valid_before(dt.now(timezone.utc))
  413. .not_valid_after(dt.now(timezone.utc) + timedelta(days=365))
  414. .add_extension(x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]), critical=False)
  415. .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
  416. .sign(pkey, hashes.SHA256(), backend)
  417. )
  418. return cert, pkey
  419. def make_ssl_devcert(
  420. base_path: str, host: t.Optional[str] = None, cn: t.Optional[str] = None
  421. ) -> t.Tuple[str, str]:
  422. """Creates an SSL key for development. This should be used instead of
  423. the ``'adhoc'`` key which generates a new cert on each server start.
  424. It accepts a path for where it should store the key and cert and
  425. either a host or CN. If a host is given it will use the CN
  426. ``*.host/CN=host``.
  427. For more information see :func:`run_simple`.
  428. .. versionadded:: 0.9
  429. :param base_path: the path to the certificate and key. The extension
  430. ``.crt`` is added for the certificate, ``.key`` is
  431. added for the key.
  432. :param host: the name of the host. This can be used as an alternative
  433. for the `cn`.
  434. :param cn: the `CN` to use.
  435. """
  436. if host is not None:
  437. cn = f"*.{host}/CN={host}"
  438. cert, pkey = generate_adhoc_ssl_pair(cn=cn)
  439. from cryptography.hazmat.primitives import serialization
  440. cert_file = f"{base_path}.crt"
  441. pkey_file = f"{base_path}.key"
  442. with open(cert_file, "wb") as f:
  443. f.write(cert.public_bytes(serialization.Encoding.PEM))
  444. with open(pkey_file, "wb") as f:
  445. f.write(
  446. pkey.private_bytes(
  447. encoding=serialization.Encoding.PEM,
  448. format=serialization.PrivateFormat.TraditionalOpenSSL,
  449. encryption_algorithm=serialization.NoEncryption(),
  450. )
  451. )
  452. return cert_file, pkey_file
  453. def generate_adhoc_ssl_context() -> "ssl.SSLContext":
  454. """Generates an adhoc SSL context for the development server."""
  455. import tempfile
  456. import atexit
  457. cert, pkey = generate_adhoc_ssl_pair()
  458. from cryptography.hazmat.primitives import serialization
  459. cert_handle, cert_file = tempfile.mkstemp()
  460. pkey_handle, pkey_file = tempfile.mkstemp()
  461. atexit.register(os.remove, pkey_file)
  462. atexit.register(os.remove, cert_file)
  463. os.write(cert_handle, cert.public_bytes(serialization.Encoding.PEM))
  464. os.write(
  465. pkey_handle,
  466. pkey.private_bytes(
  467. encoding=serialization.Encoding.PEM,
  468. format=serialization.PrivateFormat.TraditionalOpenSSL,
  469. encryption_algorithm=serialization.NoEncryption(),
  470. ),
  471. )
  472. os.close(cert_handle)
  473. os.close(pkey_handle)
  474. ctx = load_ssl_context(cert_file, pkey_file)
  475. return ctx
  476. def load_ssl_context(
  477. cert_file: str, pkey_file: t.Optional[str] = None, protocol: t.Optional[int] = None
  478. ) -> "ssl.SSLContext":
  479. """Loads SSL context from cert/private key files and optional protocol.
  480. Many parameters are directly taken from the API of
  481. :py:class:`ssl.SSLContext`.
  482. :param cert_file: Path of the certificate to use.
  483. :param pkey_file: Path of the private key to use. If not given, the key
  484. will be obtained from the certificate file.
  485. :param protocol: A ``PROTOCOL`` constant from the :mod:`ssl` module.
  486. Defaults to :data:`ssl.PROTOCOL_TLS_SERVER`.
  487. """
  488. if protocol is None:
  489. protocol = ssl.PROTOCOL_TLS_SERVER
  490. ctx = ssl.SSLContext(protocol)
  491. ctx.load_cert_chain(cert_file, pkey_file)
  492. return ctx
  493. def is_ssl_error(error: t.Optional[Exception] = None) -> bool:
  494. """Checks if the given error (or the current one) is an SSL error."""
  495. if error is None:
  496. error = t.cast(Exception, sys.exc_info()[1])
  497. return isinstance(error, ssl.SSLError)
  498. def select_address_family(host: str, port: int) -> socket.AddressFamily:
  499. """Return ``AF_INET4``, ``AF_INET6``, or ``AF_UNIX`` depending on
  500. the host and port."""
  501. if host.startswith("unix://"):
  502. return socket.AF_UNIX
  503. elif ":" in host and hasattr(socket, "AF_INET6"):
  504. return socket.AF_INET6
  505. return socket.AF_INET
  506. def get_sockaddr(
  507. host: str, port: int, family: socket.AddressFamily
  508. ) -> t.Union[t.Tuple[str, int], str]:
  509. """Return a fully qualified socket address that can be passed to
  510. :func:`socket.bind`."""
  511. if family == af_unix:
  512. return host.split("://", 1)[1]
  513. try:
  514. res = socket.getaddrinfo(
  515. host, port, family, socket.SOCK_STREAM, socket.IPPROTO_TCP
  516. )
  517. except socket.gaierror:
  518. return host, port
  519. return res[0][4] # type: ignore
  520. def get_interface_ip(family: socket.AddressFamily) -> str:
  521. """Get the IP address of an external interface. Used when binding to
  522. 0.0.0.0 or ::1 to show a more useful URL.
  523. :meta private:
  524. """
  525. # arbitrary private address
  526. host = "fd31:f903:5ab5:1::1" if family == socket.AF_INET6 else "10.253.155.219"
  527. with socket.socket(family, socket.SOCK_DGRAM) as s:
  528. try:
  529. s.connect((host, 58162))
  530. except OSError:
  531. return "::1" if family == socket.AF_INET6 else "127.0.0.1"
  532. return s.getsockname()[0] # type: ignore
  533. class BaseWSGIServer(HTTPServer):
  534. """A WSGI server that that handles one request at a time.
  535. Use :func:`make_server` to create a server instance.
  536. """
  537. multithread = False
  538. multiprocess = False
  539. request_queue_size = LISTEN_QUEUE
  540. def __init__(
  541. self,
  542. host: str,
  543. port: int,
  544. app: "WSGIApplication",
  545. handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  546. passthrough_errors: bool = False,
  547. ssl_context: t.Optional[_TSSLContextArg] = None,
  548. fd: t.Optional[int] = None,
  549. ) -> None:
  550. if handler is None:
  551. handler = WSGIRequestHandler
  552. # If the handler doesn't directly set a protocol version and
  553. # thread or process workers are used, then allow chunked
  554. # responses and keep-alive connections by enabling HTTP/1.1.
  555. if "protocol_version" not in vars(handler) and (
  556. self.multithread or self.multiprocess
  557. ):
  558. handler.protocol_version = "HTTP/1.1"
  559. self.host = host
  560. self.port = port
  561. self.app = app
  562. self.passthrough_errors = passthrough_errors
  563. self.address_family = address_family = select_address_family(host, port)
  564. server_address = get_sockaddr(host, int(port), address_family)
  565. # Remove a leftover Unix socket file from a previous run. Don't
  566. # remove a file that was set up by run_simple.
  567. if address_family == af_unix and fd is None:
  568. server_address = t.cast(str, server_address)
  569. if os.path.exists(server_address):
  570. os.unlink(server_address)
  571. # Bind and activate will be handled manually, it should only
  572. # happen if we're not using a socket that was already set up.
  573. super().__init__(
  574. server_address, # type: ignore[arg-type]
  575. handler,
  576. bind_and_activate=False,
  577. )
  578. if fd is None:
  579. # No existing socket descriptor, do bind_and_activate=True.
  580. try:
  581. self.server_bind()
  582. self.server_activate()
  583. except BaseException:
  584. self.server_close()
  585. raise
  586. else:
  587. # Use the passed in socket directly.
  588. self.socket = socket.fromfd(fd, address_family, socket.SOCK_STREAM)
  589. self.server_address = self.socket.getsockname()
  590. if address_family != af_unix:
  591. # If port was 0, this will record the bound port.
  592. self.port = self.server_address[1]
  593. if ssl_context is not None:
  594. if isinstance(ssl_context, tuple):
  595. ssl_context = load_ssl_context(*ssl_context)
  596. elif ssl_context == "adhoc":
  597. ssl_context = generate_adhoc_ssl_context()
  598. self.socket = ssl_context.wrap_socket(self.socket, server_side=True)
  599. self.ssl_context: t.Optional["ssl.SSLContext"] = ssl_context
  600. else:
  601. self.ssl_context = None
  602. def log(self, type: str, message: str, *args: t.Any) -> None:
  603. _log(type, message, *args)
  604. def serve_forever(self, poll_interval: float = 0.5) -> None:
  605. try:
  606. super().serve_forever(poll_interval=poll_interval)
  607. except KeyboardInterrupt:
  608. pass
  609. finally:
  610. self.server_close()
  611. def handle_error(
  612. self, request: t.Any, client_address: t.Union[t.Tuple[str, int], str]
  613. ) -> None:
  614. if self.passthrough_errors:
  615. raise
  616. return super().handle_error(request, client_address)
  617. def log_startup(self) -> None:
  618. """Show information about the address when starting the server."""
  619. dev_warning = (
  620. "WARNING: This is a development server. Do not use it in a production"
  621. " deployment. Use a production WSGI server instead."
  622. )
  623. dev_warning = _ansi_style(dev_warning, "bold", "red")
  624. messages = [dev_warning]
  625. if self.address_family == af_unix:
  626. messages.append(f" * Running on {self.host}")
  627. else:
  628. scheme = "http" if self.ssl_context is None else "https"
  629. display_hostname = self.host
  630. if self.host in {"0.0.0.0", "::"}:
  631. messages.append(f" * Running on all addresses ({self.host})")
  632. if self.host == "0.0.0.0":
  633. localhost = "127.0.0.1"
  634. display_hostname = get_interface_ip(socket.AF_INET)
  635. else:
  636. localhost = "[::1]"
  637. display_hostname = get_interface_ip(socket.AF_INET6)
  638. messages.append(f" * Running on {scheme}://{localhost}:{self.port}")
  639. if ":" in display_hostname:
  640. display_hostname = f"[{display_hostname}]"
  641. messages.append(f" * Running on {scheme}://{display_hostname}:{self.port}")
  642. _log("info", "\n".join(messages))
  643. class ThreadedWSGIServer(socketserver.ThreadingMixIn, BaseWSGIServer):
  644. """A WSGI server that handles concurrent requests in separate
  645. threads.
  646. Use :func:`make_server` to create a server instance.
  647. """
  648. multithread = True
  649. daemon_threads = True
  650. class ForkingWSGIServer(ForkingMixIn, BaseWSGIServer):
  651. """A WSGI server that handles concurrent requests in separate forked
  652. processes.
  653. Use :func:`make_server` to create a server instance.
  654. """
  655. multiprocess = True
  656. def __init__(
  657. self,
  658. host: str,
  659. port: int,
  660. app: "WSGIApplication",
  661. processes: int = 40,
  662. handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  663. passthrough_errors: bool = False,
  664. ssl_context: t.Optional[_TSSLContextArg] = None,
  665. fd: t.Optional[int] = None,
  666. ) -> None:
  667. if not can_fork:
  668. raise ValueError("Your platform does not support forking.")
  669. super().__init__(host, port, app, handler, passthrough_errors, ssl_context, fd)
  670. self.max_children = processes
  671. def make_server(
  672. host: str,
  673. port: int,
  674. app: "WSGIApplication",
  675. threaded: bool = False,
  676. processes: int = 1,
  677. request_handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  678. passthrough_errors: bool = False,
  679. ssl_context: t.Optional[_TSSLContextArg] = None,
  680. fd: t.Optional[int] = None,
  681. ) -> BaseWSGIServer:
  682. """Create an appropriate WSGI server instance based on the value of
  683. ``threaded`` and ``processes``.
  684. This is called from :func:`run_simple`, but can be used separately
  685. to have access to the server object, such as to run it in a separate
  686. thread.
  687. See :func:`run_simple` for parameter docs.
  688. """
  689. if threaded and processes > 1:
  690. raise ValueError("Cannot have a multi-thread and multi-process server.")
  691. if threaded:
  692. return ThreadedWSGIServer(
  693. host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
  694. )
  695. if processes > 1:
  696. return ForkingWSGIServer(
  697. host,
  698. port,
  699. app,
  700. processes,
  701. request_handler,
  702. passthrough_errors,
  703. ssl_context,
  704. fd=fd,
  705. )
  706. return BaseWSGIServer(
  707. host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
  708. )
  709. def is_running_from_reloader() -> bool:
  710. """Check if the server is running as a subprocess within the
  711. Werkzeug reloader.
  712. .. versionadded:: 0.10
  713. """
  714. return os.environ.get("WERKZEUG_RUN_MAIN") == "true"
  715. def prepare_socket(hostname: str, port: int) -> socket.socket:
  716. """Prepare a socket for use by the WSGI server and reloader.
  717. The socket is marked inheritable so that it can be kept across
  718. reloads instead of breaking connections.
  719. Catch errors during bind and show simpler error messages. For
  720. "address already in use", show instructions for resolving the issue,
  721. with special instructions for macOS.
  722. This is called from :func:`run_simple`, but can be used separately
  723. to control server creation with :func:`make_server`.
  724. """
  725. address_family = select_address_family(hostname, port)
  726. server_address = get_sockaddr(hostname, port, address_family)
  727. s = socket.socket(address_family, socket.SOCK_STREAM)
  728. s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  729. s.set_inheritable(True)
  730. # Remove the socket file if it already exists.
  731. if address_family == af_unix:
  732. server_address = t.cast(str, server_address)
  733. if os.path.exists(server_address):
  734. os.unlink(server_address)
  735. # Catch connection issues and show them without the traceback. Show
  736. # extra instructions for address not found, and for macOS.
  737. try:
  738. s.bind(server_address)
  739. except OSError as e:
  740. print(e.strerror, file=sys.stderr)
  741. if e.errno == errno.EADDRINUSE:
  742. print(
  743. f"Port {port} is in use by another program. Either"
  744. " identify and stop that program, or start the"
  745. " server with a different port.",
  746. file=sys.stderr,
  747. )
  748. if sys.platform == "darwin" and port == 5000:
  749. print(
  750. "On macOS, try disabling the 'AirPlay Receiver'"
  751. " service from System Preferences -> Sharing.",
  752. file=sys.stderr,
  753. )
  754. sys.exit(1)
  755. s.listen(LISTEN_QUEUE)
  756. return s
  757. def run_simple(
  758. hostname: str,
  759. port: int,
  760. application: "WSGIApplication",
  761. use_reloader: bool = False,
  762. use_debugger: bool = False,
  763. use_evalex: bool = True,
  764. extra_files: t.Optional[t.Iterable[str]] = None,
  765. exclude_patterns: t.Optional[t.Iterable[str]] = None,
  766. reloader_interval: int = 1,
  767. reloader_type: str = "auto",
  768. threaded: bool = False,
  769. processes: int = 1,
  770. request_handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  771. static_files: t.Optional[t.Dict[str, t.Union[str, t.Tuple[str, str]]]] = None,
  772. passthrough_errors: bool = False,
  773. ssl_context: t.Optional[_TSSLContextArg] = None,
  774. ) -> None:
  775. """Start a development server for a WSGI application. Various
  776. optional features can be enabled.
  777. .. warning::
  778. Do not use the development server when deploying to production.
  779. It is intended for use only during local development. It is not
  780. designed to be particularly efficient, stable, or secure.
  781. :param hostname: The host to bind to, for example ``'localhost'``.
  782. Can be a domain, IPv4 or IPv6 address, or file path starting
  783. with ``unix://`` for a Unix socket.
  784. :param port: The port to bind to, for example ``8080``. Using ``0``
  785. tells the OS to pick a random free port.
  786. :param application: The WSGI application to run.
  787. :param use_reloader: Use a reloader process to restart the server
  788. process when files are changed.
  789. :param use_debugger: Use Werkzeug's debugger, which will show
  790. formatted tracebacks on unhandled exceptions.
  791. :param use_evalex: Make the debugger interactive. A Python terminal
  792. can be opened for any frame in the traceback. Some protection is
  793. provided by requiring a PIN, but this should never be enabled
  794. on a publicly visible server.
  795. :param extra_files: The reloader will watch these files for changes
  796. in addition to Python modules. For example, watch a
  797. configuration file.
  798. :param exclude_patterns: The reloader will ignore changes to any
  799. files matching these :mod:`fnmatch` patterns. For example,
  800. ignore cache files.
  801. :param reloader_interval: How often the reloader tries to check for
  802. changes.
  803. :param reloader_type: The reloader to use. The ``'stat'`` reloader
  804. is built in, but may require significant CPU to watch files. The
  805. ``'watchdog'`` reloader is much more efficient but requires
  806. installing the ``watchdog`` package first.
  807. :param threaded: Handle concurrent requests using threads. Cannot be
  808. used with ``processes``.
  809. :param processes: Handle concurrent requests using up to this number
  810. of processes. Cannot be used with ``threaded``.
  811. :param request_handler: Use a different
  812. :class:`~BaseHTTPServer.BaseHTTPRequestHandler` subclass to
  813. handle requests.
  814. :param static_files: A dict mapping URL prefixes to directories to
  815. serve static files from using
  816. :class:`~werkzeug.middleware.SharedDataMiddleware`.
  817. :param passthrough_errors: Don't catch unhandled exceptions at the
  818. server level, let the serve crash instead. If ``use_debugger``
  819. is enabled, the debugger will still catch such errors.
  820. :param ssl_context: Configure TLS to serve over HTTPS. Can be an
  821. :class:`ssl.SSLContext` object, a ``(cert_file, key_file)``
  822. tuple to create a typical context, or the string ``'adhoc'`` to
  823. generate a temporary self-signed certificate.
  824. .. versionchanged:: 2.1
  825. Instructions are shown for dealing with an "address already in
  826. use" error.
  827. .. versionchanged:: 2.1
  828. Running on ``0.0.0.0`` or ``::`` shows the loopback IP in
  829. addition to a real IP.
  830. .. versionchanged:: 2.1
  831. The command-line interface was removed.
  832. .. versionchanged:: 2.0
  833. Running on ``0.0.0.0`` or ``::`` shows a real IP address that
  834. was bound as well as a warning not to run the development server
  835. in production.
  836. .. versionchanged:: 2.0
  837. The ``exclude_patterns`` parameter was added.
  838. .. versionchanged:: 0.15
  839. Bind to a Unix socket by passing a ``hostname`` that starts with
  840. ``unix://``.
  841. .. versionchanged:: 0.10
  842. Improved the reloader and added support for changing the backend
  843. through the ``reloader_type`` parameter.
  844. .. versionchanged:: 0.9
  845. A command-line interface was added.
  846. .. versionchanged:: 0.8
  847. ``ssl_context`` can be a tuple of paths to the certificate and
  848. private key files.
  849. .. versionchanged:: 0.6
  850. The ``ssl_context`` parameter was added.
  851. .. versionchanged:: 0.5
  852. The ``static_files`` and ``passthrough_errors`` parameters were
  853. added.
  854. """
  855. if not isinstance(port, int):
  856. raise TypeError("port must be an integer")
  857. if static_files:
  858. from .middleware.shared_data import SharedDataMiddleware
  859. application = SharedDataMiddleware(application, static_files)
  860. if use_debugger:
  861. from .debug import DebuggedApplication
  862. application = DebuggedApplication(application, evalex=use_evalex)
  863. if not is_running_from_reloader():
  864. s = prepare_socket(hostname, port)
  865. fd = s.fileno()
  866. # Silence a ResourceWarning about an unclosed socket. This object is no longer
  867. # used, the server will create another with fromfd.
  868. s.detach()
  869. os.environ["WERKZEUG_SERVER_FD"] = str(fd)
  870. else:
  871. fd = int(os.environ["WERKZEUG_SERVER_FD"])
  872. srv = make_server(
  873. hostname,
  874. port,
  875. application,
  876. threaded,
  877. processes,
  878. request_handler,
  879. passthrough_errors,
  880. ssl_context,
  881. fd=fd,
  882. )
  883. if not is_running_from_reloader():
  884. srv.log_startup()
  885. _log("info", _ansi_style("Press CTRL+C to quit", "yellow"))
  886. if use_reloader:
  887. from ._reloader import run_with_reloader
  888. run_with_reloader(
  889. srv.serve_forever,
  890. extra_files=extra_files,
  891. exclude_patterns=exclude_patterns,
  892. interval=reloader_interval,
  893. reloader_type=reloader_type,
  894. )
  895. else:
  896. srv.serve_forever()