I'm trying to find the best security practices when deploying web2py to a Linux production environment (either with Apache/mod_wsgi or nginx/uwsgi).
The One step production deployment scripts (http://web2py.com/books/default/chapter/29/13#One-step-production-deployment) seem to be out of date considering modern security standards (e.g. the certificate key). The fedora script even installs the insecure Python version 2.6.4 with wget if no Python with version 2.5 or can be found (side note: shouldn't a production deployment script rather stop if the OS doesn't provide a supported/current Python version?). The VirtualHost directives of both scripts differ (the fedora script explicitly forbids access to admin/ appadmin/ as in the web2py book).

When comparing the entry for mod_wsgi (http://web2py.com/books/default/chapter/29/13#mod_wsgi) and nginx (http://web2py.com/books/default/chapter/29/13#Nginx), is the following correct?

- allow access only to applications/*/static and the file wsgihandler.py (copied [Apache] or symlinked [nginx] to the web2py root)
- disallow access to all other files, especially the directories admin/, appadmin/
- allow administrative access only restrictively (e.g. http://web2py.com/books/default/chapter/29/13#Securing-sessions-and-admin or VirtualHost directive)

Are there any more best security practices like restricting write access to the web2py files? SELinux context restrictions? Anything else web2py-specific?

Stefan
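The following is an added example, not the web2py project's own deployment script and not part of the post above. It puts the three access rules from the question into an nginx/uwsgi server block (static files of each application served directly, admin and appadmin refused, everything else handed to uwsgi) and adds the write-access restriction the post asks about: code files read-only, only the per-application runtime directories writable. The web2py root, the uwsgi socket path, the TLS file paths, the host name and the list of writable subdirectories are all assumptions, as is the choice that nginx and uwsgi run as the same group.

```shell
#!/bin/sh
# Added hardening script for a web2py tree behind nginx/uwsgi (not the project's
# own one-step script). All paths are assumptions; adjust to the deployment.
set -eu

WEB2PY_ROOT="${WEB2PY_ROOT:-/home/www-data/web2py}"        # assumed location
UWSGI_SOCKET="${UWSGI_SOCKET:-/run/uwsgi/web2py.sock}"     # assumed socket
# Directories web2py itself needs to write to inside each application (assumption).
WRITABLE_SUBDIRS="databases sessions errors cache uploads private"

# render_nginx_vhost ROOT SOCKET -> prints an nginx server block to stdout.
# Only applications/<app>/static/* is served from disk; admin and appadmin are
# refused before reaching web2py; every other request goes through uwsgi, so no
# source file, model or private file is ever served directly.
render_nginx_vhost() {
    root="$1"; sock="$2"
    cat <<EOF
server {
    listen 443 ssl;
    server_name example.invalid;                     # placeholder host name
    ssl_certificate     /etc/nginx/ssl/web2py.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/web2py.key;

    # static files only: /<app>/static/<file>
    location ~ ^/([A-Za-z0-9_]+)/static/(.*)\$ {
        alias $root/applications/\$1/static/\$2;
        expires max;
    }

    # administrative interfaces are not reachable through nginx at all
    location ~ ^/(admin|[A-Za-z0-9_]+/appadmin)(/|\$) {
        return 403;
    }

    # everything else is handled by web2py via uwsgi
    location / {
        uwsgi_pass unix:$sock;
        include uwsgi_params;
    }
}
EOF
}

# check_world_writable DIR -> prints offending paths; returns 1 if any exist.
check_world_writable() {
    dir="$1"
    found=$(find "$dir" ! -type l -perm -002)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# lock_down_tree DIR: code and static files become owner-read/write, group-read,
# nothing for others; only the runtime subdirectories of each application are
# group-writable (the web server group, by assumption).
lock_down_tree() {
    dir="$1"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    for app in "$dir"/applications/*/; do
        [ -d "$app" ] || continue
        for sub in $WRITABLE_SUBDIRS; do
            if [ -d "$app$sub" ]; then
                chmod 770 "$app$sub"
            fi
        done
    done
}

# When run directly as harden_web2py.sh: print the vhost and lock the tree.
if [ "${0##*/}" = "harden_web2py.sh" ]; then
    render_nginx_vhost "$WEB2PY_ROOT" "$UWSGI_SOCKET"
    lock_down_tree "$WEB2PY_ROOT"
fi
```

Run `check_world_writable` as a recurring check after deployment; a non-zero exit with a list of paths means somebody loosened permissions on the tree. The vhost deliberately has no `location` that could serve `admin/`, `appadmin/` or any `.py` file from disk, so an error in uwsgi routing cannot fall back to exposing source.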