Yes, I discovered a few days ago that the private folder can be accessed using the VPS IP, so I have been playing with host names in appconfig.ini and with the apache2 configuration, and the only way to stop access to the private folder was adding a new virtualhost in Apache for each VPS IP with this:

<VirtualHost x.x.x.x:80>
    Redirect 403 /
    ErrorDocument 403 "Sorry, direct IP access not allowed."
    DocumentRoot /dev/null
    UseCanonicalName Off
</VirtualHost>

I use Let's Encrypt certificates and redirect from 80 to 443, and I don't touch the virtualhost file on port 80, so for sure I'm doing something wrong with apache3 and for sure with host names in appconfig.ini

[host]
names = localhost:*, 127.0.0.1:*, *:*, *

Regards

On Thursday, August 1, 2019 at 9:26:26 (UTC+2), Jose C wrote:
>> I added the line in routes.py - While it restricts allowing
>> access to other applications like welcome it does not restrict
>> redirection - so in my case it still redirected to welcome application
>> mentioning something is wrong message.
>
> Odd. I have a similar setup to you with multiple domains, 2.18.5, py3
> using rocket server. If I do not place 'welcome' in the 'allowed_apps'
> any attempt to get to any page on the welcome app returns a 404 (as
> expected).
> One thing that may be different... I have additional parameters in
> routes.py which specify the default for each app... perhaps in the
> absence of this it tries to go back to 'welcome'?
>
> routers = dict(
>     # base router
>     BASE = dict(
>         domains={'domain1.com' : 'app1',
>                  'domain2.com' : 'app2',
>                  },
>         default_application = 'app1',
>         applications = ['app1', 'app2'],
>         default_function = 'home',
>     ),
>     app1 = dict(
>         default_language = 'en',
>         languages = ['en'],
>         default_function = 'home',
>     ),
>     app2 = dict(
>         default_language = 'en',
>         languages = ['en'],
>         default_function = 'index',
>         map_hyphen = True,
>     ),
> )
>
> Paco: Surely appconfig.ini should never be reachable via the url due to
> the security risks of allowing access to config info? I panicked for a sec
> and tried accessing mine with a link like yours but get 404 (as expected).
> Are you saying you can see your appconfig.ini, without specifically doing
> something to expose it, by simply accessing a link the way you formatted
> it?
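
Added example, not part of the original thread and not web2py's own code: it parses the [host] names line posted above and checks which Host headers each list would accept, assuming the entries are glob patterns matched against the request's Host header. TIGHT_INI, the helper names and the address 203.0.113.10 (a documentation address standing in for the VPS IP) are constructed for illustration.

```python
import configparser
from fnmatch import fnmatch

# The [host] section exactly as posted in the thread.
POSTED_INI = "[host]\nnames = localhost:*, 127.0.0.1:*, *:*, *\n"

# Constructed alternative: loopback plus the two domains from the routes.py
# example in the thread (assumed here to be the only public names).
TIGHT_INI = "[host]\nnames = localhost:*, 127.0.0.1:*, domain1.com, domain2.com\n"

# Constructed Host headers: the two named sites and a bare address,
# with and without a port.
SAMPLE_HOSTS = ["domain1.com", "domain2.com", "203.0.113.10", "203.0.113.10:80"]


def load_host_names(ini_text):
    """Return the list of patterns from the [host] names option."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return [p.strip() for p in parser.get("host", "names").split(",") if p.strip()]


def host_allowed(host_header, patterns):
    """True if the Host header matches any pattern (glob semantics assumed)."""
    host = host_header.strip().lower()
    return any(fnmatch(host, p.lower()) for p in patterns)


def audit(ini_text, host_headers):
    """Map each Host header to True (allowed) or False (denied)."""
    patterns = load_host_names(ini_text)
    return {h: host_allowed(h, patterns) for h in host_headers}


if __name__ == "__main__":
    for label, ini in (("posted", POSTED_INI), ("tight", TIGHT_INI)):
        for host, ok in audit(ini, SAMPLE_HOSTS).items():
            print(f"{label:6} {host:18} {'allowed' if ok else 'denied'}")
```

Under that assumption the trailing `*:*, *` entries accept every Host header, the bare IP included, while the constructed list accepts only the named domains and loopback.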