serving.py 37 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091
  1. """A WSGI and HTTP server for use **during development only**. This
  2. server is convenient to use, but is not designed to be particularly
  3. stable, secure, or efficient. Use a dedicate WSGI server and HTTP
  4. server when deploying to production.
  5. It provides features like interactive debugging and code reloading. Use
  6. ``run_simple`` to start the server. Put this in a ``run.py`` script:
  7. .. code-block:: python
  8. from myapp import create_app
  9. from werkzeug import run_simple
  10. """
  11. import errno
  12. import io
  13. import os
  14. import socket
  15. import socketserver
  16. import sys
  17. import typing as t
  18. from datetime import datetime as dt
  19. from datetime import timedelta
  20. from datetime import timezone
  21. from http.server import BaseHTTPRequestHandler
  22. from http.server import HTTPServer
  23. from ._internal import _log
  24. from ._internal import _wsgi_encoding_dance
  25. from .exceptions import InternalServerError
  26. from .urls import uri_to_iri
  27. from .urls import url_parse
  28. from .urls import url_unquote
  29. try:
  30. import ssl
  31. except ImportError:
  32. class _SslDummy:
  33. def __getattr__(self, name: str) -> t.Any:
  34. raise RuntimeError( # noqa: B904
  35. "SSL is unavailable because this Python runtime was not"
  36. " compiled with SSL/TLS support."
  37. )
  38. ssl = _SslDummy() # type: ignore
  39. _log_add_style = True
  40. if os.name == "nt":
  41. try:
  42. __import__("colorama")
  43. except ImportError:
  44. _log_add_style = False
  45. can_fork = hasattr(os, "fork")
  46. if can_fork:
  47. ForkingMixIn = socketserver.ForkingMixIn
  48. else:
  49. class ForkingMixIn: # type: ignore
  50. pass
  51. try:
  52. af_unix = socket.AF_UNIX
  53. except AttributeError:
  54. af_unix = None # type: ignore
  55. LISTEN_QUEUE = 128
  56. _TSSLContextArg = t.Optional[
  57. t.Union["ssl.SSLContext", t.Tuple[str, t.Optional[str]], "te.Literal['adhoc']"]
  58. ]
  59. if t.TYPE_CHECKING:
  60. import typing_extensions as te # noqa: F401
  61. from _typeshed.wsgi import WSGIApplication
  62. from _typeshed.wsgi import WSGIEnvironment
  63. from cryptography.hazmat.primitives.asymmetric.rsa import (
  64. RSAPrivateKeyWithSerialization,
  65. )
  66. from cryptography.x509 import Certificate
  67. class DechunkedInput(io.RawIOBase):
  68. """An input stream that handles Transfer-Encoding 'chunked'"""
  69. def __init__(self, rfile: t.IO[bytes]) -> None:
  70. self._rfile = rfile
  71. self._done = False
  72. self._len = 0
  73. def readable(self) -> bool:
  74. return True
  75. def read_chunk_len(self) -> int:
  76. try:
  77. line = self._rfile.readline().decode("latin1")
  78. _len = int(line.strip(), 16)
  79. except ValueError as e:
  80. raise OSError("Invalid chunk header") from e
  81. if _len < 0:
  82. raise OSError("Negative chunk length not allowed")
  83. return _len
  84. def readinto(self, buf: bytearray) -> int: # type: ignore
  85. read = 0
  86. while not self._done and read < len(buf):
  87. if self._len == 0:
  88. # This is the first chunk or we fully consumed the previous
  89. # one. Read the next length of the next chunk
  90. self._len = self.read_chunk_len()
  91. if self._len == 0:
  92. # Found the final chunk of size 0. The stream is now exhausted,
  93. # but there is still a final newline that should be consumed
  94. self._done = True
  95. if self._len > 0:
  96. # There is data (left) in this chunk, so append it to the
  97. # buffer. If this operation fully consumes the chunk, this will
  98. # reset self._len to 0.
  99. n = min(len(buf), self._len)
  100. # If (read + chunk size) becomes more than len(buf), buf will
  101. # grow beyond the original size and read more data than
  102. # required. So only read as much data as can fit in buf.
  103. if read + n > len(buf):
  104. buf[read:] = self._rfile.read(len(buf) - read)
  105. self._len -= len(buf) - read
  106. read = len(buf)
  107. else:
  108. buf[read : read + n] = self._rfile.read(n)
  109. self._len -= n
  110. read += n
  111. if self._len == 0:
  112. # Skip the terminating newline of a chunk that has been fully
  113. # consumed. This also applies to the 0-sized final chunk
  114. terminator = self._rfile.readline()
  115. if terminator not in (b"\n", b"\r\n", b"\r"):
  116. raise OSError("Missing chunk terminating newline")
  117. return read
  118. class WSGIRequestHandler(BaseHTTPRequestHandler):
  119. """A request handler that implements WSGI dispatching."""
  120. server: "BaseWSGIServer"
  121. @property
  122. def server_version(self) -> str: # type: ignore
  123. from . import __version__
  124. return f"Werkzeug/{__version__}"
  125. def make_environ(self) -> "WSGIEnvironment":
  126. request_url = url_parse(self.path)
  127. url_scheme = "http" if self.server.ssl_context is None else "https"
  128. if not self.client_address:
  129. self.client_address = ("<local>", 0)
  130. elif isinstance(self.client_address, str):
  131. self.client_address = (self.client_address, 0)
  132. # If there was no scheme but the path started with two slashes,
  133. # the first segment may have been incorrectly parsed as the
  134. # netloc, prepend it to the path again.
  135. if not request_url.scheme and request_url.netloc:
  136. path_info = f"/{request_url.netloc}{request_url.path}"
  137. else:
  138. path_info = request_url.path
  139. path_info = url_unquote(path_info)
  140. environ: "WSGIEnvironment" = {
  141. "wsgi.version": (1, 0),
  142. "wsgi.url_scheme": url_scheme,
  143. "wsgi.input": self.rfile,
  144. "wsgi.errors": sys.stderr,
  145. "wsgi.multithread": self.server.multithread,
  146. "wsgi.multiprocess": self.server.multiprocess,
  147. "wsgi.run_once": False,
  148. "werkzeug.socket": self.connection,
  149. "SERVER_SOFTWARE": self.server_version,
  150. "REQUEST_METHOD": self.command,
  151. "SCRIPT_NAME": "",
  152. "PATH_INFO": _wsgi_encoding_dance(path_info),
  153. "QUERY_STRING": _wsgi_encoding_dance(request_url.query),
  154. # Non-standard, added by mod_wsgi, uWSGI
  155. "REQUEST_URI": _wsgi_encoding_dance(self.path),
  156. # Non-standard, added by gunicorn
  157. "RAW_URI": _wsgi_encoding_dance(self.path),
  158. "REMOTE_ADDR": self.address_string(),
  159. "REMOTE_PORT": self.port_integer(),
  160. "SERVER_NAME": self.server.server_address[0],
  161. "SERVER_PORT": str(self.server.server_address[1]),
  162. "SERVER_PROTOCOL": self.request_version,
  163. }
  164. for key, value in self.headers.items():
  165. key = key.upper().replace("-", "_")
  166. value = value.replace("\r\n", "")
  167. if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
  168. key = f"HTTP_{key}"
  169. if key in environ:
  170. value = f"{environ[key]},{value}"
  171. environ[key] = value
  172. if environ.get("HTTP_TRANSFER_ENCODING", "").strip().lower() == "chunked":
  173. environ["wsgi.input_terminated"] = True
  174. environ["wsgi.input"] = DechunkedInput(environ["wsgi.input"])
  175. # Per RFC 2616, if the URL is absolute, use that as the host.
  176. # We're using "has a scheme" to indicate an absolute URL.
  177. if request_url.scheme and request_url.netloc:
  178. environ["HTTP_HOST"] = request_url.netloc
  179. try:
  180. # binary_form=False gives nicer information, but wouldn't be compatible with
  181. # what Nginx or Apache could return.
  182. peer_cert = self.connection.getpeercert( # type: ignore[attr-defined]
  183. binary_form=True
  184. )
  185. if peer_cert is not None:
  186. # Nginx and Apache use PEM format.
  187. environ["SSL_CLIENT_CERT"] = ssl.DER_cert_to_PEM_cert(peer_cert)
  188. except ValueError:
  189. # SSL handshake hasn't finished.
  190. self.server.log("error", "Cannot fetch SSL peer certificate info")
  191. except AttributeError:
  192. # Not using TLS, the socket will not have getpeercert().
  193. pass
  194. return environ
  195. def run_wsgi(self) -> None:
  196. if self.headers.get("Expect", "").lower().strip() == "100-continue":
  197. self.wfile.write(b"HTTP/1.1 100 Continue\r\n\r\n")
  198. self.environ = environ = self.make_environ()
  199. status_set: t.Optional[str] = None
  200. headers_set: t.Optional[t.List[t.Tuple[str, str]]] = None
  201. status_sent: t.Optional[str] = None
  202. headers_sent: t.Optional[t.List[t.Tuple[str, str]]] = None
  203. chunk_response: bool = False
  204. def write(data: bytes) -> None:
  205. nonlocal status_sent, headers_sent, chunk_response
  206. assert status_set is not None, "write() before start_response"
  207. assert headers_set is not None, "write() before start_response"
  208. if status_sent is None:
  209. status_sent = status_set
  210. headers_sent = headers_set
  211. try:
  212. code_str, msg = status_sent.split(None, 1)
  213. except ValueError:
  214. code_str, msg = status_sent, ""
  215. code = int(code_str)
  216. self.send_response(code, msg)
  217. header_keys = set()
  218. for key, value in headers_sent:
  219. self.send_header(key, value)
  220. header_keys.add(key.lower())
  221. # Use chunked transfer encoding if there is no content
  222. # length. Do not use for 1xx and 204 responses. 304
  223. # responses and HEAD requests are also excluded, which
  224. # is the more conservative behavior and matches other
  225. # parts of the code.
  226. # https://httpwg.org/specs/rfc7230.html#rfc.section.3.3.1
  227. if (
  228. not (
  229. "content-length" in header_keys
  230. or environ["REQUEST_METHOD"] == "HEAD"
  231. or (100 <= code < 200)
  232. or code in {204, 304}
  233. )
  234. and self.protocol_version >= "HTTP/1.1"
  235. ):
  236. chunk_response = True
  237. self.send_header("Transfer-Encoding", "chunked")
  238. # Always close the connection. This disables HTTP/1.1
  239. # keep-alive connections. They aren't handled well by
  240. # Python's http.server because it doesn't know how to
  241. # drain the stream before the next request line.
  242. self.send_header("Connection", "close")
  243. self.end_headers()
  244. assert isinstance(data, bytes), "applications must write bytes"
  245. if data:
  246. if chunk_response:
  247. self.wfile.write(hex(len(data))[2:].encode())
  248. self.wfile.write(b"\r\n")
  249. self.wfile.write(data)
  250. if chunk_response:
  251. self.wfile.write(b"\r\n")
  252. self.wfile.flush()
  253. def start_response(status, headers, exc_info=None): # type: ignore
  254. nonlocal status_set, headers_set
  255. if exc_info:
  256. try:
  257. if headers_sent:
  258. raise exc_info[1].with_traceback(exc_info[2])
  259. finally:
  260. exc_info = None
  261. elif headers_set:
  262. raise AssertionError("Headers already set")
  263. status_set = status
  264. headers_set = headers
  265. return write
  266. def execute(app: "WSGIApplication") -> None:
  267. application_iter = app(environ, start_response)
  268. try:
  269. for data in application_iter:
  270. write(data)
  271. if not headers_sent:
  272. write(b"")
  273. if chunk_response:
  274. self.wfile.write(b"0\r\n\r\n")
  275. finally:
  276. if hasattr(application_iter, "close"):
  277. application_iter.close() # type: ignore
  278. try:
  279. execute(self.server.app)
  280. except (ConnectionError, socket.timeout) as e:
  281. self.connection_dropped(e, environ)
  282. except Exception as e:
  283. if self.server.passthrough_errors:
  284. raise
  285. if status_sent is not None and chunk_response:
  286. self.close_connection = True
  287. try:
  288. # if we haven't yet sent the headers but they are set
  289. # we roll back to be able to set them again.
  290. if status_sent is None:
  291. status_set = None
  292. headers_set = None
  293. execute(InternalServerError())
  294. except Exception:
  295. pass
  296. from .debug.tbtools import DebugTraceback
  297. msg = DebugTraceback(e).render_traceback_text()
  298. self.server.log("error", f"Error on request:\n{msg}")
  299. def handle(self) -> None:
  300. """Handles a request ignoring dropped connections."""
  301. try:
  302. super().handle()
  303. except (ConnectionError, socket.timeout) as e:
  304. self.connection_dropped(e)
  305. except Exception as e:
  306. if self.server.ssl_context is not None and is_ssl_error(e):
  307. self.log_error("SSL error occurred: %s", e)
  308. else:
  309. raise
  310. def connection_dropped(
  311. self, error: BaseException, environ: t.Optional["WSGIEnvironment"] = None
  312. ) -> None:
  313. """Called if the connection was closed by the client. By default
  314. nothing happens.
  315. """
  316. def __getattr__(self, name: str) -> t.Any:
  317. # All HTTP methods are handled by run_wsgi.
  318. if name.startswith("do_"):
  319. return self.run_wsgi
  320. # All other attributes are forwarded to the base class.
  321. return getattr(super(), name)
  322. def address_string(self) -> str:
  323. if getattr(self, "environ", None):
  324. return self.environ["REMOTE_ADDR"] # type: ignore
  325. if not self.client_address:
  326. return "<local>"
  327. return self.client_address[0]
  328. def port_integer(self) -> int:
  329. return self.client_address[1]
  330. def log_request(
  331. self, code: t.Union[int, str] = "-", size: t.Union[int, str] = "-"
  332. ) -> None:
  333. try:
  334. path = uri_to_iri(self.path)
  335. msg = f"{self.command} {path} {self.request_version}"
  336. except AttributeError:
  337. # path isn't set if the requestline was bad
  338. msg = self.requestline
  339. code = str(code)
  340. if _log_add_style:
  341. if code[0] == "1": # 1xx - Informational
  342. msg = _ansi_style(msg, "bold")
  343. elif code == "200": # 2xx - Success
  344. pass
  345. elif code == "304": # 304 - Resource Not Modified
  346. msg = _ansi_style(msg, "cyan")
  347. elif code[0] == "3": # 3xx - Redirection
  348. msg = _ansi_style(msg, "green")
  349. elif code == "404": # 404 - Resource Not Found
  350. msg = _ansi_style(msg, "yellow")
  351. elif code[0] == "4": # 4xx - Client Error
  352. msg = _ansi_style(msg, "bold", "red")
  353. else: # 5xx, or any other response
  354. msg = _ansi_style(msg, "bold", "magenta")
  355. self.log("info", '"%s" %s %s', msg, code, size)
  356. def log_error(self, format: str, *args: t.Any) -> None:
  357. self.log("error", format, *args)
  358. def log_message(self, format: str, *args: t.Any) -> None:
  359. self.log("info", format, *args)
  360. def log(self, type: str, message: str, *args: t.Any) -> None:
  361. _log(
  362. type,
  363. f"{self.address_string()} - - [{self.log_date_time_string()}] {message}\n",
  364. *args,
  365. )
  366. def _ansi_style(value: str, *styles: str) -> str:
  367. codes = {
  368. "bold": 1,
  369. "red": 31,
  370. "green": 32,
  371. "yellow": 33,
  372. "magenta": 35,
  373. "cyan": 36,
  374. }
  375. for style in styles:
  376. value = f"\x1b[{codes[style]}m{value}"
  377. return f"{value}\x1b[0m"
  378. def generate_adhoc_ssl_pair(
  379. cn: t.Optional[str] = None,
  380. ) -> t.Tuple["Certificate", "RSAPrivateKeyWithSerialization"]:
  381. try:
  382. from cryptography import x509
  383. from cryptography.x509.oid import NameOID
  384. from cryptography.hazmat.backends import default_backend
  385. from cryptography.hazmat.primitives import hashes
  386. from cryptography.hazmat.primitives.asymmetric import rsa
  387. except ImportError:
  388. raise TypeError(
  389. "Using ad-hoc certificates requires the cryptography library."
  390. ) from None
  391. backend = default_backend()
  392. pkey = rsa.generate_private_key(
  393. public_exponent=65537, key_size=2048, backend=backend
  394. )
  395. # pretty damn sure that this is not actually accepted by anyone
  396. if cn is None:
  397. cn = "*"
  398. subject = x509.Name(
  399. [
  400. x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Dummy Certificate"),
  401. x509.NameAttribute(NameOID.COMMON_NAME, cn),
  402. ]
  403. )
  404. backend = default_backend()
  405. cert = (
  406. x509.CertificateBuilder()
  407. .subject_name(subject)
  408. .issuer_name(subject)
  409. .public_key(pkey.public_key())
  410. .serial_number(x509.random_serial_number())
  411. .not_valid_before(dt.now(timezone.utc))
  412. .not_valid_after(dt.now(timezone.utc) + timedelta(days=365))
  413. .add_extension(x509.ExtendedKeyUsage([x509.OID_SERVER_AUTH]), critical=False)
  414. .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
  415. .sign(pkey, hashes.SHA256(), backend)
  416. )
  417. return cert, pkey
  418. def make_ssl_devcert(
  419. base_path: str, host: t.Optional[str] = None, cn: t.Optional[str] = None
  420. ) -> t.Tuple[str, str]:
  421. """Creates an SSL key for development. This should be used instead of
  422. the ``'adhoc'`` key which generates a new cert on each server start.
  423. It accepts a path for where it should store the key and cert and
  424. either a host or CN. If a host is given it will use the CN
  425. ``*.host/CN=host``.
  426. For more information see :func:`run_simple`.
  427. .. versionadded:: 0.9
  428. :param base_path: the path to the certificate and key. The extension
  429. ``.crt`` is added for the certificate, ``.key`` is
  430. added for the key.
  431. :param host: the name of the host. This can be used as an alternative
  432. for the `cn`.
  433. :param cn: the `CN` to use.
  434. """
  435. if host is not None:
  436. cn = f"*.{host}/CN={host}"
  437. cert, pkey = generate_adhoc_ssl_pair(cn=cn)
  438. from cryptography.hazmat.primitives import serialization
  439. cert_file = f"{base_path}.crt"
  440. pkey_file = f"{base_path}.key"
  441. with open(cert_file, "wb") as f:
  442. f.write(cert.public_bytes(serialization.Encoding.PEM))
  443. with open(pkey_file, "wb") as f:
  444. f.write(
  445. pkey.private_bytes(
  446. encoding=serialization.Encoding.PEM,
  447. format=serialization.PrivateFormat.TraditionalOpenSSL,
  448. encryption_algorithm=serialization.NoEncryption(),
  449. )
  450. )
  451. return cert_file, pkey_file
  452. def generate_adhoc_ssl_context() -> "ssl.SSLContext":
  453. """Generates an adhoc SSL context for the development server."""
  454. import tempfile
  455. import atexit
  456. cert, pkey = generate_adhoc_ssl_pair()
  457. from cryptography.hazmat.primitives import serialization
  458. cert_handle, cert_file = tempfile.mkstemp()
  459. pkey_handle, pkey_file = tempfile.mkstemp()
  460. atexit.register(os.remove, pkey_file)
  461. atexit.register(os.remove, cert_file)
  462. os.write(cert_handle, cert.public_bytes(serialization.Encoding.PEM))
  463. os.write(
  464. pkey_handle,
  465. pkey.private_bytes(
  466. encoding=serialization.Encoding.PEM,
  467. format=serialization.PrivateFormat.TraditionalOpenSSL,
  468. encryption_algorithm=serialization.NoEncryption(),
  469. ),
  470. )
  471. os.close(cert_handle)
  472. os.close(pkey_handle)
  473. ctx = load_ssl_context(cert_file, pkey_file)
  474. return ctx
  475. def load_ssl_context(
  476. cert_file: str, pkey_file: t.Optional[str] = None, protocol: t.Optional[int] = None
  477. ) -> "ssl.SSLContext":
  478. """Loads SSL context from cert/private key files and optional protocol.
  479. Many parameters are directly taken from the API of
  480. :py:class:`ssl.SSLContext`.
  481. :param cert_file: Path of the certificate to use.
  482. :param pkey_file: Path of the private key to use. If not given, the key
  483. will be obtained from the certificate file.
  484. :param protocol: A ``PROTOCOL`` constant from the :mod:`ssl` module.
  485. Defaults to :data:`ssl.PROTOCOL_TLS_SERVER`.
  486. """
  487. if protocol is None:
  488. protocol = ssl.PROTOCOL_TLS_SERVER
  489. ctx = ssl.SSLContext(protocol)
  490. ctx.load_cert_chain(cert_file, pkey_file)
  491. return ctx
  492. def is_ssl_error(error: t.Optional[Exception] = None) -> bool:
  493. """Checks if the given error (or the current one) is an SSL error."""
  494. if error is None:
  495. error = t.cast(Exception, sys.exc_info()[1])
  496. return isinstance(error, ssl.SSLError)
  497. def select_address_family(host: str, port: int) -> socket.AddressFamily:
  498. """Return ``AF_INET4``, ``AF_INET6``, or ``AF_UNIX`` depending on
  499. the host and port."""
  500. if host.startswith("unix://"):
  501. return socket.AF_UNIX
  502. elif ":" in host and hasattr(socket, "AF_INET6"):
  503. return socket.AF_INET6
  504. return socket.AF_INET
  505. def get_sockaddr(
  506. host: str, port: int, family: socket.AddressFamily
  507. ) -> t.Union[t.Tuple[str, int], str]:
  508. """Return a fully qualified socket address that can be passed to
  509. :func:`socket.bind`."""
  510. if family == af_unix:
  511. return host.split("://", 1)[1]
  512. try:
  513. res = socket.getaddrinfo(
  514. host, port, family, socket.SOCK_STREAM, socket.IPPROTO_TCP
  515. )
  516. except socket.gaierror:
  517. return host, port
  518. return res[0][4] # type: ignore
  519. def get_interface_ip(family: socket.AddressFamily) -> str:
  520. """Get the IP address of an external interface. Used when binding to
  521. 0.0.0.0 or ::1 to show a more useful URL.
  522. :meta private:
  523. """
  524. # arbitrary private address
  525. host = "fd31:f903:5ab5:1::1" if family == socket.AF_INET6 else "10.253.155.219"
  526. with socket.socket(family, socket.SOCK_DGRAM) as s:
  527. try:
  528. s.connect((host, 58162))
  529. except OSError:
  530. return "::1" if family == socket.AF_INET6 else "127.0.0.1"
  531. return s.getsockname()[0] # type: ignore
  532. class BaseWSGIServer(HTTPServer):
  533. """A WSGI server that that handles one request at a time.
  534. Use :func:`make_server` to create a server instance.
  535. """
  536. multithread = False
  537. multiprocess = False
  538. request_queue_size = LISTEN_QUEUE
  539. def __init__(
  540. self,
  541. host: str,
  542. port: int,
  543. app: "WSGIApplication",
  544. handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  545. passthrough_errors: bool = False,
  546. ssl_context: t.Optional[_TSSLContextArg] = None,
  547. fd: t.Optional[int] = None,
  548. ) -> None:
  549. if handler is None:
  550. handler = WSGIRequestHandler
  551. # If the handler doesn't directly set a protocol version and
  552. # thread or process workers are used, then allow chunked
  553. # responses and keep-alive connections by enabling HTTP/1.1.
  554. if "protocol_version" not in vars(handler) and (
  555. self.multithread or self.multiprocess
  556. ):
  557. handler.protocol_version = "HTTP/1.1"
  558. self.host = host
  559. self.port = port
  560. self.app = app
  561. self.passthrough_errors = passthrough_errors
  562. self.address_family = address_family = select_address_family(host, port)
  563. server_address = get_sockaddr(host, int(port), address_family)
  564. # Remove a leftover Unix socket file from a previous run. Don't
  565. # remove a file that was set up by run_simple.
  566. if address_family == af_unix and fd is None:
  567. server_address = t.cast(str, server_address)
  568. if os.path.exists(server_address):
  569. os.unlink(server_address)
  570. # Bind and activate will be handled manually, it should only
  571. # happen if we're not using a socket that was already set up.
  572. super().__init__(
  573. server_address, # type: ignore[arg-type]
  574. handler,
  575. bind_and_activate=False,
  576. )
  577. if fd is None:
  578. # No existing socket descriptor, do bind_and_activate=True.
  579. try:
  580. self.server_bind()
  581. self.server_activate()
  582. except BaseException:
  583. self.server_close()
  584. raise
  585. else:
  586. # Use the passed in socket directly.
  587. self.socket = socket.fromfd(fd, address_family, socket.SOCK_STREAM)
  588. self.server_address = self.socket.getsockname()
  589. if address_family != af_unix:
  590. # If port was 0, this will record the bound port.
  591. self.port = self.server_address[1]
  592. if ssl_context is not None:
  593. if isinstance(ssl_context, tuple):
  594. ssl_context = load_ssl_context(*ssl_context)
  595. elif ssl_context == "adhoc":
  596. ssl_context = generate_adhoc_ssl_context()
  597. self.socket = ssl_context.wrap_socket(self.socket, server_side=True)
  598. self.ssl_context: t.Optional["ssl.SSLContext"] = ssl_context
  599. else:
  600. self.ssl_context = None
  601. def log(self, type: str, message: str, *args: t.Any) -> None:
  602. _log(type, message, *args)
  603. def serve_forever(self, poll_interval: float = 0.5) -> None:
  604. try:
  605. super().serve_forever(poll_interval=poll_interval)
  606. except KeyboardInterrupt:
  607. pass
  608. finally:
  609. self.server_close()
  610. def handle_error(
  611. self, request: t.Any, client_address: t.Union[t.Tuple[str, int], str]
  612. ) -> None:
  613. if self.passthrough_errors:
  614. raise
  615. return super().handle_error(request, client_address)
  616. def log_startup(self) -> None:
  617. """Show information about the address when starting the server."""
  618. if self.address_family == af_unix:
  619. _log("info", f" * Running on {self.host} (Press CTRL+C to quit)")
  620. else:
  621. scheme = "http" if self.ssl_context is None else "https"
  622. messages = []
  623. all_addresses_message = (
  624. f" * Running on all addresses ({self.host})\n"
  625. " WARNING: This is a development server. Do not use it in"
  626. " a production deployment."
  627. )
  628. if self.host == "0.0.0.0":
  629. messages.append(all_addresses_message)
  630. messages.append(f" * Running on {scheme}://127.0.0.1:{self.port}")
  631. display_hostname = get_interface_ip(socket.AF_INET)
  632. elif self.host == "::":
  633. messages.append(all_addresses_message)
  634. messages.append(f" * Running on {scheme}://[::1]:{self.port}")
  635. display_hostname = get_interface_ip(socket.AF_INET6)
  636. else:
  637. display_hostname = self.host
  638. if ":" in display_hostname:
  639. display_hostname = f"[{display_hostname}]"
  640. messages.append(
  641. f" * Running on {scheme}://{display_hostname}:{self.port}"
  642. " (Press CTRL+C to quit)"
  643. )
  644. _log("info", "\n".join(messages))
  645. class ThreadedWSGIServer(socketserver.ThreadingMixIn, BaseWSGIServer):
  646. """A WSGI server that handles concurrent requests in separate
  647. threads.
  648. Use :func:`make_server` to create a server instance.
  649. """
  650. multithread = True
  651. daemon_threads = True
  652. class ForkingWSGIServer(ForkingMixIn, BaseWSGIServer):
  653. """A WSGI server that handles concurrent requests in separate forked
  654. processes.
  655. Use :func:`make_server` to create a server instance.
  656. """
  657. multiprocess = True
  658. def __init__(
  659. self,
  660. host: str,
  661. port: int,
  662. app: "WSGIApplication",
  663. processes: int = 40,
  664. handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  665. passthrough_errors: bool = False,
  666. ssl_context: t.Optional[_TSSLContextArg] = None,
  667. fd: t.Optional[int] = None,
  668. ) -> None:
  669. if not can_fork:
  670. raise ValueError("Your platform does not support forking.")
  671. super().__init__(host, port, app, handler, passthrough_errors, ssl_context, fd)
  672. self.max_children = processes
  673. def make_server(
  674. host: str,
  675. port: int,
  676. app: "WSGIApplication",
  677. threaded: bool = False,
  678. processes: int = 1,
  679. request_handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  680. passthrough_errors: bool = False,
  681. ssl_context: t.Optional[_TSSLContextArg] = None,
  682. fd: t.Optional[int] = None,
  683. ) -> BaseWSGIServer:
  684. """Create an appropriate WSGI server instance based on the value of
  685. ``threaded`` and ``processes``.
  686. This is called from :func:`run_simple`, but can be used separately
  687. to have access to the server object, such as to run it in a separate
  688. thread.
  689. See :func:`run_simple` for parameter docs.
  690. """
  691. if threaded and processes > 1:
  692. raise ValueError("Cannot have a multi-thread and multi-process server.")
  693. if threaded:
  694. return ThreadedWSGIServer(
  695. host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
  696. )
  697. if processes > 1:
  698. return ForkingWSGIServer(
  699. host,
  700. port,
  701. app,
  702. processes,
  703. request_handler,
  704. passthrough_errors,
  705. ssl_context,
  706. fd=fd,
  707. )
  708. return BaseWSGIServer(
  709. host, port, app, request_handler, passthrough_errors, ssl_context, fd=fd
  710. )
  711. def is_running_from_reloader() -> bool:
  712. """Check if the server is running as a subprocess within the
  713. Werkzeug reloader.
  714. .. versionadded:: 0.10
  715. """
  716. return os.environ.get("WERKZEUG_RUN_MAIN") == "true"
  717. def prepare_socket(hostname: str, port: int) -> socket.socket:
  718. """Prepare a socket for use by the WSGI server and reloader.
  719. The socket is marked inheritable so that it can be kept across
  720. reloads instead of breaking connections.
  721. Catch errors during bind and show simpler error messages. For
  722. "address already in use", show instructions for resolving the issue,
  723. with special instructions for macOS.
  724. This is called from :func:`run_simple`, but can be used separately
  725. to control server creation with :func:`make_server`.
  726. """
  727. address_family = select_address_family(hostname, port)
  728. server_address = get_sockaddr(hostname, port, address_family)
  729. s = socket.socket(address_family, socket.SOCK_STREAM)
  730. s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  731. s.set_inheritable(True)
  732. # Remove the socket file if it already exists.
  733. if address_family == af_unix:
  734. server_address = t.cast(str, server_address)
  735. if os.path.exists(server_address):
  736. os.unlink(server_address)
  737. # Catch connection issues and show them without the traceback. Show
  738. # extra instructions for address not found, and for macOS.
  739. try:
  740. s.bind(server_address)
  741. except OSError as e:
  742. print(e.strerror, file=sys.stderr)
  743. if e.errno == errno.EADDRINUSE:
  744. print(
  745. f"Port {port} is in use by another program. Either"
  746. " identify and stop that program, or start the"
  747. " server with a different port.",
  748. file=sys.stderr,
  749. )
  750. if sys.platform == "darwin" and port == 5000:
  751. print(
  752. "On macOS, try disabling the 'AirPlay Receiver'"
  753. " service from System Preferences -> Sharing.",
  754. file=sys.stderr,
  755. )
  756. sys.exit(1)
  757. s.listen(LISTEN_QUEUE)
  758. return s
  759. def run_simple(
  760. hostname: str,
  761. port: int,
  762. application: "WSGIApplication",
  763. use_reloader: bool = False,
  764. use_debugger: bool = False,
  765. use_evalex: bool = True,
  766. extra_files: t.Optional[t.Iterable[str]] = None,
  767. exclude_patterns: t.Optional[t.Iterable[str]] = None,
  768. reloader_interval: int = 1,
  769. reloader_type: str = "auto",
  770. threaded: bool = False,
  771. processes: int = 1,
  772. request_handler: t.Optional[t.Type[WSGIRequestHandler]] = None,
  773. static_files: t.Optional[t.Dict[str, t.Union[str, t.Tuple[str, str]]]] = None,
  774. passthrough_errors: bool = False,
  775. ssl_context: t.Optional[_TSSLContextArg] = None,
  776. ) -> None:
  777. """Start a development server for a WSGI application. Various
  778. optional features can be enabled.
  779. .. warning::
  780. Do not use the development server when deploying to production.
  781. It is intended for use only during local development. It is not
  782. designed to be particularly efficient, stable, or secure.
  783. :param hostname: The host to bind to, for example ``'localhost'``.
  784. Can be a domain, IPv4 or IPv6 address, or file path starting
  785. with ``unix://`` for a Unix socket.
  786. :param port: The port to bind to, for example ``8080``. Using ``0``
  787. tells the OS to pick a random free port.
  788. :param application: The WSGI application to run.
  789. :param use_reloader: Use a reloader process to restart the server
  790. process when files are changed.
  791. :param use_debugger: Use Werkzeug's debugger, which will show
  792. formatted tracebacks on unhandled exceptions.
  793. :param use_evalex: Make the debugger interactive. A Python terminal
  794. can be opened for any frame in the traceback. Some protection is
  795. provided by requiring a PIN, but this should never be enabled
  796. on a publicly visible server.
  797. :param extra_files: The reloader will watch these files for changes
  798. in addition to Python modules. For example, watch a
  799. configuration file.
  800. :param exclude_patterns: The reloader will ignore changes to any
  801. files matching these :mod:`fnmatch` patterns. For example,
  802. ignore cache files.
  803. :param reloader_interval: How often the reloader tries to check for
  804. changes.
  805. :param reloader_type: The reloader to use. The ``'stat'`` reloader
  806. is built in, but may require significant CPU to watch files. The
  807. ``'watchdog'`` reloader is much more efficient but requires
  808. installing the ``watchdog`` package first.
  809. :param threaded: Handle concurrent requests using threads. Cannot be
  810. used with ``processes``.
  811. :param processes: Handle concurrent requests using up to this number
  812. of processes. Cannot be used with ``threaded``.
  813. :param request_handler: Use a different
  814. :class:`~BaseHTTPServer.BaseHTTPRequestHandler` subclass to
  815. handle requests.
  816. :param static_files: A dict mapping URL prefixes to directories to
  817. serve static files from using
  818. :class:`~werkzeug.middleware.SharedDataMiddleware`.
  819. :param passthrough_errors: Don't catch unhandled exceptions at the
  820. server level, let the serve crash instead. If ``use_debugger``
  821. is enabled, the debugger will still catch such errors.
  822. :param ssl_context: Configure TLS to serve over HTTPS. Can be an
  823. :class:`ssl.SSLContext` object, a ``(cert_file, key_file)``
  824. tuple to create a typical context, or the string ``'adhoc'`` to
  825. generate a temporary self-signed certificate.
  826. .. versionchanged:: 2.1
  827. Instructions are shown for dealing with an "address already in
  828. use" error.
  829. .. versionchanged:: 2.1
  830. Running on ``0.0.0.0`` or ``::`` shows the loopback IP in
  831. addition to a real IP.
  832. .. versionchanged:: 2.1
  833. The command-line interface was removed.
  834. .. versionchanged:: 2.0
  835. Running on ``0.0.0.0`` or ``::`` shows a real IP address that
  836. was bound as well as a warning not to run the development server
  837. in production.
  838. .. versionchanged:: 2.0
  839. The ``exclude_patterns`` parameter was added.
  840. .. versionchanged:: 0.15
  841. Bind to a Unix socket by passing a ``hostname`` that starts with
  842. ``unix://``.
  843. .. versionchanged:: 0.10
  844. Improved the reloader and added support for changing the backend
  845. through the ``reloader_type`` parameter.
  846. .. versionchanged:: 0.9
  847. A command-line interface was added.
  848. .. versionchanged:: 0.8
  849. ``ssl_context`` can be a tuple of paths to the certificate and
  850. private key files.
  851. .. versionchanged:: 0.6
  852. The ``ssl_context`` parameter was added.
  853. .. versionchanged:: 0.5
  854. The ``static_files`` and ``passthrough_errors`` parameters were
  855. added.
  856. """
  857. if not isinstance(port, int):
  858. raise TypeError("port must be an integer")
  859. if static_files:
  860. from .middleware.shared_data import SharedDataMiddleware
  861. application = SharedDataMiddleware(application, static_files)
  862. if use_debugger:
  863. from .debug import DebuggedApplication
  864. application = DebuggedApplication(application, evalex=use_evalex)
  865. if not is_running_from_reloader():
  866. s = prepare_socket(hostname, port)
  867. fd = s.fileno()
  868. os.environ["WERKZEUG_SERVER_FD"] = str(fd)
  869. else:
  870. fd = int(os.environ["WERKZEUG_SERVER_FD"])
  871. srv = make_server(
  872. hostname,
  873. port,
  874. application,
  875. threaded,
  876. processes,
  877. request_handler,
  878. passthrough_errors,
  879. ssl_context,
  880. fd=fd,
  881. )
  882. if not is_running_from_reloader():
  883. srv.log_startup()
  884. if use_reloader:
  885. from ._reloader import run_with_reloader
  886. run_with_reloader(
  887. srv.serve_forever,
  888. extra_files=extra_files,
  889. exclude_patterns=exclude_patterns,
  890. interval=reloader_interval,
  891. reloader_type=reloader_type,
  892. )
  893. else:
  894. srv.serve_forever()