Can a machine running a packet sniffer see what nginx is forwarding on localhost to a Flask app?



  • I want to serve a Flask application from my PC. Only other machines on my network should be able to consume the API. However, I wish to have the communication between the other machines and the API secured using HTTPS with a self-signed certificate. For this reason (because serving Flask with waitress does not support HTTPS on its own), I am using nginx on the same machine as a proxy so that it can handle HTTPS.

    My question is: If someone connects to my network, let's say via wifi, and runs a packet sniffer like Wireshark, will they be able to see what is being transferred between the legitimate clients of the app and the app?

    When running Wireshark on the same machine as the application, I see the request and all of its contents. I believe this is because it is sniffing on localhost and sees the forwarded http request (from nginx to the app). When running Wireshark on my laptop, I don't see the http request. Can someone confirm this is safe for my purposes?

    Also: Can someone confirm that if nginx were to run on a separate local machine, then the http request would be exposed again?

    EDIT: Here is the nginx configuration I have:

    # HTTPS front end: terminates TLS for clients on the LAN
    server {
        listen 443 ssl;

        ssl_certificate /etc/nginx/sites-available/nginx-selfsigned.crt;
        ssl_certificate_key /etc/nginx/sites-available/nginx-selfsigned.key;

        server_name example.com;

        location / {
            # Plain HTTP hop to the Flask app; stays on the loopback interface
            # because the backend address is 127.0.0.1
            proxy_pass http://127.0.0.1:5000;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # Plain HTTP listener: only redirects to the HTTPS server above
    server {
        listen 80;

        server_name 192.168.1.5;

        return 301 https://$server_name$request_uri;
    }


  • If installed on localhost with sufficient permissions, Wireshark can see all your localhost traffic (with some caveats).

    That said, a 'packet sniffer' in my understanding refers to something running on a different machine which sniffs packets off the actual network. It's my (perhaps not entirely correct) understanding that packets from localhost to localhost (127.0.0.1 to 127.0.0.1) do not end up on the network. You may want to read a bit about the loopback interface.
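As an added example (not code from the question or the answer), here is a small Python audit that pulls every `proxy_pass` target out of an nginx configuration and classifies the nginx-to-backend hop: stays on the loopback interface (only visible to a sniffer on that same host), crosses the network in the clear, crosses the network under TLS, or never becomes a packet at all (UNIX socket). It embeds the configuration from the question as constructed sample input, plus a constructed variant with the backend at an assumed LAN address `192.168.1.10`, which is the "nginx on a separate local machine" case the asker raises. Named upstreams that cannot be resolved are conservatively treated as non-loopback.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed sample: the nginx server block from the question, embedded as a string.
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/sites-available/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/sites-available/nginx-selfsigned.key;
    server_name example.com;
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
"""

# Constructed variant: nginx on one host, Flask on another (192.168.1.10 is an
# assumed LAN address, not from the question).
NGINX_CONF_REMOTE = NGINX_CONF.replace("http://127.0.0.1:5000",
                                       "http://192.168.1.10:5000")

PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;", re.MULTILINE)


def proxy_pass_targets(conf):
    """Every proxy_pass URL in the config text, in order of appearance."""
    return PROXY_PASS_RE.findall(conf)


def upstream_host(target):
    """(scheme, host, port) for a proxy_pass URL; port defaults per scheme."""
    u = urlsplit(target)
    default_port = 443 if u.scheme == "https" else 80
    return u.scheme, u.hostname, u.port or default_port


def is_loopback(host):
    """True if the host is (or resolves only to) a loopback address.

    Literal IPs are checked without any lookup. Names go through getaddrinfo;
    an unresolvable name is treated as NOT loopback, i.e. the safe assumption.
    """
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    return all(ipaddress.ip_address(info[4][0]).is_loopback for info in infos)


def classify(target):
    """Where is the nginx -> backend hop observable?"""
    if "unix:" in target:
        return "local"          # UNIX domain socket: no network packet exists
    scheme, host, _port = upstream_host(target)
    if host is None:
        return "unknown"
    if is_loopback(host):
        return "loopback"       # stays on lo; only a sniffer on this host sees it
    if scheme == "https":
        return "lan-tls"        # leaves the host, but encrypted
    return "lan-plaintext"      # leaves the host in the clear: readable by a LAN sniffer


def audit(conf):
    """Map each proxy_pass target in the config to its classification."""
    return {target: classify(target) for target in proxy_pass_targets(conf)}


if __name__ == "__main__":
    for label, conf in (("nginx and Flask on the same host", NGINX_CONF),
                        ("nginx on a separate host", NGINX_CONF_REMOTE)):
        print(label, audit(conf))
```

Running it prints `loopback` for the posted configuration and `lan-plaintext` for the split-host variant. If nginx does have to live on another machine, the hop can be brought back to `lan-tls` by pointing `proxy_pass` at `https://…` and enabling `proxy_ssl_verify on` with `proxy_ssl_trusted_certificate` set to the backend's certificate, which requires the backend itself to speak TLS.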


