Yes, I discovered a few days ago that the private folder can be accessed using
the VPS IP, so I have been playing with host names in appconfig.ini and
with the apache2 configuration, and the only way to stop access to the private
folder was adding a new virtualhost in Apache for each VPS IP with this:

<VirtualHost x.x.x.x:80>
    Redirect 403 /
    ErrorDocument 403 "Sorry, direct IP access not allowed."
    DocumentRoot /dev/null
    UseCanonicalName Off
</VirtualHost>

I use Let's Encrypt certificates and redirect from 80 to 443, and I don't
touch the virtualhost file for port 80, so for sure I'm doing something wrong
with apache2 and for sure with host names in appconfig.ini

[host]
names = localhost:*, 127.0.0.1:*, *:*, *

Regards

On Thursday, August 1, 2019, 9:26:26 (UTC+2), Jose C wrote:
>
>> I added the line in routes.py  - While it restricts allowing
>> access to other applications like welcome it does not restrict
>> redirection - so in my case it still redirected to welcome application
>> mentioning something is wrong message.
>>
> Odd.  I have a similar setup to you with multiple domains, 2.18.5, py3
> using rocket server.  If I do not place 'welcome' in the 'allowed_apps'
> any attempt to get to any page on the welcome app returns a 404 (as
> expected).
> One thing that may be different... I have additional parameters in
> routes.py which specifies the default for each app... perhaps in the
> absence of this it tries to go back to 'welcome'?
>
> routers = dict(
>     # base router
>     BASE = dict(
>         domains={'domain1.com' : 'app1',
>                  'domain2.com' : 'app2',
>                  },
>         default_application = 'app1',
>         applications = ['app1', 'app2'],
>         default_function = 'home',
>     ),
>     app1 = dict(
>         default_language = 'en',
>         languages = ['en'],
>         default_function = 'home',
>     ),
>     app2 = dict(
>         default_language = 'en',
>         languages = ['en'],
>         default_function = 'index',
>         map_hyphen = True,
>     ),
>
>
> )
>
> Paco:  Surely appconfig.ini should never be reachable via the URL due to
> the security risks of allowing access to config info?  I panicked for a sec
> and tried accessing mine with a link like yours but get 404 (as expected).
> Are you saying you can see your appconfig.ini, without specifically doing
> something to expose it, by simply accessing a link the way you formatted
> it?
>  
>
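
Added example (not part of the thread and not web2py's code): a check of which `[host] names` entries quoted in the message above would accept a request addressed to a bare IP. It assumes the entries are comma-separated shell-style globs compared with the request's Host header and uses Python's fnmatch for that comparison; 203.0.113.10 and unrelated.example are constructed probe values.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed copy of the [host] section quoted in the message above.
APPCONFIG = """
[host]
names = localhost:*, 127.0.0.1:*, *:*, *
"""

# Constructed probe values: Host headers the site is not meant to answer to.
# 203.0.113.10 is a documentation address standing in for the VPS IP.
UNWANTED_HOSTS = ["203.0.113.10", "203.0.113.10:443", "unrelated.example"]


def load_patterns(ini_text):
    """Return the comma-separated patterns from [host] names."""
    # interpolation=None so a literal '%' in the file is not treated specially
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    raw = parser.get("host", "names", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]


def host_allowed(host, patterns):
    """True if any pattern accepts this Host header value.

    Assumption: glob semantics as in fnmatch, compared case-insensitively.
    """
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)


def overly_broad(patterns, unwanted=UNWANTED_HOSTS):
    """Map each pattern to the unwanted Host values it would accept."""
    findings = {}
    for pattern in patterns:
        hits = [h for h in unwanted if host_allowed(h, [pattern])]
        if hits:
            findings[pattern] = hits
    return findings


if __name__ == "__main__":
    for pattern, hits in overly_broad(load_patterns(APPCONFIG)).items():
        print(f"{pattern!r} accepts {hits}")
```

With the quoted value, only `*:*` and `*` are reported; a list made of explicit names such as `domain1.com` and `domain1.com:*` reports nothing.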
