Hello World

initial setup

mkdir -p flask/cookie
cd flask/cookie

#set up the virtual env
python3.9 -m venv venv
. venv/bin/activate
#upgrade pip
/home/opc/flask/cookie/venv/bin/python3.9 -m pip install --upgrade pip
#install flask
pip install gunicorn flask

you need to add an ingress rule in your cloud network's security list (or equivalent) for TCP port 5000, ideally limited to your own source address because the debug server started below must not be reachable by anyone else; also open the port in the host firewall with

sudo firewall-cmd --zone=public --add-port=5000/tcp

this changes only the running firewall and is gone after a reboot unless you repeat the command with --permanent; for a temporary test the runtime rule is exactly what you want. any other port above 1023 works the same way as long as both the ingress rule and firewalld allow it; ports below 1024 need root or CAP_NET_BIND_SERVICE. once nginx is in front of the app (see below), gunicorn only listens on a unix socket and port 5000 should be closed again on both layers.

hello world example

add cookie.py

from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello():
    return "<h1 style='color:blue'>Hello There!</h1>"


if __name__ == "__main__":
    # debug=True enables the Werkzeug debugger, which lets anyone who can reach
    # this port execute Python on the host. Keep it only for this quick test,
    # stop the server right after, and never expose it this way in production
    # (gunicorn below never calls app.run, so the flag has no effect there).
    app.run(host='0.0.0.0', port=5000, debug=True)

then try

python cookie.py

the test site should be accessible from http://129.151.202.216:5000/ (the instance's public IP). stop the server with Ctrl-C as soon as you have seen the page; the debug server is not meant to stay reachable from the internet.

now add wsgi.py

# gunicorn entry point: "wsgi:app" on the command line refers to this module's app object
from cookie import app

if __name__ == "__main__":
    app.run()

then try

gunicorn --bind 0.0.0.0:5000 wsgi:app

the test site should again be accessible from http://129.151.202.216:5000/ (this time without the debugger, since gunicorn only imports the app and never calls app.run). stop it with Ctrl-C before setting up the service.

Make Your Site a Service

sudo vim /etc/systemd/system/cookie.service

[Unit]
Description=Gunicorn instance to serve cookie
After=network.target

[Service]
User=opc
# nginx connects to the unix socket, so the socket's group must be nginx
Group=nginx
WorkingDirectory=/home/opc/flask/cookie
Environment="PATH=/home/opc/flask/cookie/venv/bin"
# -m 007 creates cookie.sock accessible to opc and the nginx group only, nothing for others
ExecStart=/home/opc/flask/cookie/venv/bin/gunicorn --workers 3 --bind unix:cookie.sock -m 007 wsgi:app

[Install]
WantedBy=multi-user.target

then try

sudo systemctl start cookie
sudo systemctl enable cookie
sudo systemctl status cookie

troubleshooting

troubleshooting systemd + SELinux problems:

when the service fails to start under SELinux, each restart usually surfaces one denial at a time, so repeat the following process until the status of the service is active. before installing the module, read custom_rule.te (written next to custom_rule.pp) and make sure it grants only what gunicorn actually needs: audit2allow turns every denial it is fed into an allow rule. the module name is reused on purpose; the audit log still contains the earlier denials, so each regenerated module contains all rules seen so far and semodule -i replaces the previous version.

#for observation: explain the denials that mention gunicorn
sudo cat /var/log/audit/audit.log | grep gunicorn | audit2why
#generate a custom policy module from those denials and install it
sudo cat /var/log/audit/audit.log | grep gunicorn | audit2allow -M custom_rule
sudo semodule -i custom_rule.pp

#test if it's working
sudo systemctl daemon-reload
sudo systemctl restart cookie
sudo systemctl status cookie
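The loop above installs whatever audit2allow produces, so the review of custom_rule.te is the step that keeps it safe. The script below is an added example, not part of the original notes: it parses the .te source that audit2allow -M writes and flags allow rules a reviewer should not wave through. The sample module at the bottom is constructed to look like audit2allow output; the type names in it (init_t, httpd_t, user_home_t) and the RISKY_PERMS, BROAD_DOMAINS and SENSITIVE_TYPES lists are the editor's choices for illustration, not anything the page or the SELinux tools define.

```python
"""Review an audit2allow-generated .te module before `semodule -i` (added example)."""
import re

# permissions that almost always indicate a mislabelled file or a workaround
# for a real misconfiguration rather than something a web service needs
RISKY_PERMS = {
    "execmem", "execheap", "execstack", "execmod", "module_load",
    "dac_override", "dac_read_search", "sys_admin", "sys_module",
    "sys_ptrace", "sys_rawio", "setuid", "setgid", "mac_admin", "mac_override",
}
# domains shared by many processes: a rule on them is not scoped to this service
BROAD_DOMAINS = {"init_t", "unconfined_t", "unconfined_service_t"}
# targets a web service has no business touching
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t", "sshd_key_t"}

# allow <source> <target>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;",
    re.MULTILINE,
)


def parse_allow_rules(te_text):
    """Return the allow rules of a .te file as dicts; the require{} block is ignored."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        perms = set(m.group("perms").strip("{} ").split())
        rules.append({"source": m.group("src"), "target": m.group("tgt"),
                      "class": m.group("cls"), "perms": perms,
                      "text": m.group(0).strip()})
    return rules


def review_rule(rule):
    """Reasons a reviewer should look twice at one rule (empty list = unremarkable)."""
    reasons = []
    if rule["source"] in BROAD_DOMAINS:
        reasons.append(f"source {rule['source']} is shared by many processes")
    if rule["target"] in SENSITIVE_TYPES:
        reasons.append(f"target {rule['target']} is sensitive")
    risky = sorted(rule["perms"] & RISKY_PERMS)
    if risky:
        reasons.append("risky permission(s): " + ", ".join(risky))
    if rule["class"] == "file" and "execute" in rule["perms"] \
            and rule["target"].endswith("home_t"):
        reasons.append("executes files of a home-directory type; "
                       "relabelling or moving the files is usually the better fix")
    return reasons


def review_module(te_text):
    """Return [(rule_text, reasons)] for every rule that needs attention."""
    findings = []
    for rule in parse_allow_rules(te_text):
        reasons = review_rule(rule)
        if reasons:
            findings.append((rule["text"], reasons))
    return findings


def safe_to_install(te_text):
    """True only when no rule in the module raised a concern."""
    return not review_module(te_text)


# constructed sample resembling audit2allow output for denials like the ones on this page
SAMPLE_TE = """\
module custom_rule 1.0;

require {
        type init_t;
        type httpd_t;
        type user_home_t;
        class file { execute execute_no_trans open read };
        class sock_file write;
        class unix_stream_socket connectto;
        class process execmem;
        class capability dac_override;
}

#============= httpd_t ==============
allow httpd_t user_home_t:sock_file write;
allow httpd_t init_t:unix_stream_socket connectto;

#============= init_t ==============
allow init_t user_home_t:file { execute execute_no_trans open read };
allow init_t self:process execmem;
allow init_t self:capability dac_override;
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TE
    for rule_text, reasons in review_module(text):
        print(rule_text)
        for reason in reasons:
            print("   ->", reason)
    sys.exit(0 if safe_to_install(text) else 1)
```

Run it as python review_te.py custom_rule.te; a non-zero exit means at least one rule deserves a second look before semodule -i. Note that a rule whose source is init_t applies to every process running in that domain, not only gunicorn, which is why the sample's last three rules are flagged even though the first two (nginx writing to and connecting through the socket) pass.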

Enable https

put nginx in front of the socket. add /etc/nginx/sites-available/cookie with the server block below (if your nginx.conf does not include sites-enabled/*, which is the default on RHEL-family distributions, put the same block in /etc/nginx/conf.d/cookie.conf and skip the ln -s):

server {
    listen 80;
    server_name anti-hentai-league.konomama.dev;

    location / {
        # nginx connects to the gunicorn socket created by the systemd unit
        proxy_pass http://unix:/home/opc/flask/cookie/cookie.sock;
        # these headers can be trusted only because the socket is reachable
        # solely from nginx; Flask still needs ProxyFix to honour them
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Prefix /;
    }
}

sudo ln -s /etc/nginx/sites-available/cookie /etc/nginx/sites-enabled
sudo nginx -t

then enable TLS for the site; certbot obtains the certificate and rewrites the server block so the site is served on 443 (and, unless you decline, redirects port 80 to https)

sudo certbot --nginx -d anti-hentai-league.konomama.dev  --email yourname@youremaildomain.tld
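the X-Forwarded-* headers set in the server block are not honoured by Flask on their own: with nginx terminating TLS, gunicorn still sees a plain-http request on the socket, so redirects and url_for(_external=True) links come out as http:// and request.remote_addr does not show the real client. Werkzeug's ProxyFix (installed with Flask) fixes that; in cookie.py the real change is app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_prefix=1). The block below is an added example, not code from the page: a stdlib-only middleware that does the same rewriting so its behaviour can be checked without Flask installed. The demo app, the constructed environ and the addresses 203.0.113.7 and 10.0.0.9 are illustrative. It trusts exactly one hop, which is only sound while gunicorn is reachable solely through nginx's socket; with gunicorn on 0.0.0.0:5000 any client could forge the headers.

```python
"""Honour the X-Forwarded-* headers nginx sets (added example, not page code).

Werkzeug's ProxyFix does this for a real Flask app:
    from werkzeug.middleware.proxy_fix import ProxyFix
    app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_prefix=1)
This stdlib-only middleware reproduces that logic so it can be exercised
without Flask installed; the demo app, environ and addresses are constructed.
"""
import ipaddress
import json


def _trusted_client(forwarded_for):
    """Address appended by the one proxy we trust, or None.

    nginx's $proxy_add_x_forwarded_for appends the address it saw to whatever
    X-Forwarded-For the client sent, so only the right-most entry is reliable;
    a value that is not an IP address is treated as absent.
    """
    parts = [p.strip() for p in forwarded_for.split(",") if p.strip()]
    if not parts:
        return None
    try:
        return str(ipaddress.ip_address(parts[-1]))
    except ValueError:
        return None


class ForwardedHeaders:
    """WSGI middleware trusting X-Forwarded-* from a single nginx hop.

    The trust is positional, not cryptographic: it is only sound because the
    app listens on a unix socket that nothing but nginx (Group=nginx, -m 007)
    can open. Bound to 0.0.0.0:5000, any client could forge these headers.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        env = dict(environ)  # leave the environ gunicorn built untouched
        client = _trusted_client(environ.get("HTTP_X_FORWARDED_FOR", ""))
        if client:
            env["REMOTE_ADDR"] = client
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto in ("http", "https"):  # nginx's $scheme is only ever one of these
            env["wsgi.url_scheme"] = proto
        host = environ.get("HTTP_X_FORWARDED_HOST", "").strip()
        if host:
            env["HTTP_HOST"] = host
        prefix = environ.get("HTTP_X_FORWARDED_PREFIX", "").strip().rstrip("/")
        if prefix:  # "/" as sent by the page's nginx config means no prefix
            env["SCRIPT_NAME"] = prefix
            path = env.get("PATH_INFO", "")
            if path.startswith(prefix):
                env["PATH_INFO"] = path[len(prefix):] or "/"
        return self.app(env, start_response)


def whoami_app(environ, start_response):
    """Stand-in for cookie:app that reports what the application would see."""
    body = json.dumps({
        "remote_addr": environ.get("REMOTE_ADDR"),
        "scheme": environ.get("wsgi.url_scheme"),
        "host": environ.get("HTTP_HOST"),
        "script_name": environ.get("SCRIPT_NAME"),
        "path_info": environ.get("PATH_INFO"),
    }).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = ForwardedHeaders(whoami_app)  # what `gunicorn wsgi:app` would serve


def socket_environ(path="/", headers=None):
    """Constructed environ for a request that reached gunicorn over the unix
    socket; REMOTE_ADDR is empty because the peer of a unix socket is not an IP."""
    env = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "SCRIPT_NAME": "",
        "SERVER_NAME": "localhost", "SERVER_PORT": "80",
        "wsgi.url_scheme": "http", "REMOTE_ADDR": "", "HTTP_HOST": "localhost",
    }
    for name, value in (headers or {}).items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def handle(environ, wsgi_app=app):
    """Push one request through the middleware; return the app's view of it."""
    def start_response(status, response_headers, exc_info=None):
        return None
    return json.loads(b"".join(wsgi_app(environ, start_response)))


if __name__ == "__main__":
    # the headers the page's nginx server block sends once https is enabled
    print(handle(socket_environ("/", {
        "X-Forwarded-For": "203.0.113.7",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "anti-hentai-league.konomama.dev",
        "X-Forwarded-Prefix": "/",
    })))
```

The right-most X-Forwarded-For entry is the one nginx appended, so a client that sends its own forged X-Forwarded-For cannot override the address nginx observed; a forwarded proto that is not http or https is dropped rather than copied into the environ.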

troubleshooting

if you get a 502 bad gateway error when accessing https://anti-hentai-league.konomama.dev/, check whether SELinux is the cause by temporarily switching it to permissive mode:

sudo setenforce 0
sudo systemctl daemon-reload
sudo systemctl restart cookie
sudo systemctl restart nginx

if the site works now, SELinux was blocking nginx from reaching the socket (or gunicorn from starting). switch enforcing mode back on with sudo setenforce 1 before fixing the policy; permissive mode is a diagnostic, not a fix, and it does not survive a reboot anyway.

use the troubleshooting strategy above for any remaining gunicorn denials, then use sealert to get an explanation and a suggested fix (often a boolean or file-context change, which is preferable to a custom allow rule) for the other denials, including nginx's:

sudo sealert -a /var/log/audit/audit.log

after each fix, restart nginx and test again until you can visit the site without problem

sudo systemctl restart nginx