I would like to run an application based on the Tornado web server in a production environment. The performance requirements are low.
Since I don't need a load balancer, I wonder if it is OK to have it directly accessible on ports 80 and 443. Is this OK from a security perspective, and are there are other problems? This is of course, assuming I find some way to run it as a non-root user (authbind not available on RHEL).
Directly exposing tornado on HTTPS would mean that the TLS crypto is handled by Python ssl module.
That's probably OK if :
the python distribution is recent enough (python < 2.7.9 has many SSL problems. python >= 2.7.9 or >= 3.4 is much better)
python and libssl are provided through the Linux distribution packages
you have a thorough upgrade policy for the distribution packages
Of course if your app involves very sensitive information, the best practice would be to run a proxy (as nginx) with a hardened TLS stack in front of your app. For example running nginx on an OpenBSD reverse-proxy, which uses LibreSSL.
For denial of service prevention, if your app is coded in respect of tornado apps (never block the ioloop), then there is little to gain from an async load-balancer in front of the app.
And finally, most of security problems are anyway mostly rooted in the app itself... Authentication, access control, XSRF, XSS... The load balancer does not prevent them.