maximizing security on gunicorn system

Cliff Ribeiro asked:

I have 2 machines running Ubuntu Server, one as a proxy running nginx and another machine as an app server running gunicorn. Let's name the nginx machine server 1 and the gunicorn machine server 2.

Everything is working fine; however, for me to get server 1 to talk to server 2, I had to open up a port on server 2. In this particular case I allowed port 8000 in ufw.

Is this common practice? As my app grows and I add more app servers, would I have to open up those ports for those machines as well? If I have 3 app servers, would I have to open up 8000, 8001, 8002? I'm assuming this increases security vulnerabilities? What are the best practices for securing a system like this?

My answer:

For private services like your backend web apps, MongoDB, etc., that shouldn’t be exposed to the public, allow incoming traffic to their ports only from those IP addresses or networks that need to connect to them.

For example:

sudo ufw allow from <server-1-IP> to any port 8000 proto tcp

(replace <server-1-IP> with server 1's address, or with its subnet in CIDR form such as a.b.c.0/24, so that the rule matches only the proxy and not the whole Internet)
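
The same rule generalized to several proxy sources and several app ports, as an added example that is not part of the original answer; the addresses in PROXY_SOURCES and the ports in APP_PORTS are constructed sample values, and the script only prints the ufw commands so you can review them before running them on server 2.

```shell
#!/bin/sh
# Added example (not from the original answer): emit the ufw rules that
# let only the proxy (server 1) reach the app ports on server 2.
# PROXY_SOURCES and APP_PORTS are constructed sample values.
PROXY_SOURCES="10.0.1.10 10.0.1.0/28"   # server 1's address and/or its subnet
APP_PORTS="8000 8001 8002"              # gunicorn listeners on this app server

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix,
# so a typo never turns into an "allow from anywhere" rule.
is_ipv4_cidr() {
  case "$1" in
    '' | *[!0-9./]* | */*/* ) return 1 ;;
  esac
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32       # no prefix given: single host
  [ -n "$prefix" ] && [ "$prefix" -le 32 ] || return 1
  n=0
  oldifs=$IFS; IFS=.
  for octet in $addr; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# Print one "ufw allow" command per (source, port) pair; fail on a bad source.
ufw_allow_rules() {
  for src in $PROXY_SOURCES; do
    is_ipv4_cidr "$src" || { echo "rejecting bad source: $src" >&2; return 1; }
    for port in $APP_PORTS; do
      echo "ufw allow from $src to any port $port proto tcp"
    done
  done
}

ufw_allow_rules
```

Once the printed rules look right, pipe them through `sudo sh` on server 2 (ufw's default policy already denies other incoming traffic) and confirm with `sudo ufw status numbered` that no rule for 8000-8002 allows "Anywhere".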

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.