Yes, I discovered a few days ago that private folder can be accessed using
the vps ip, so I have been playing with host names in appconfig.ini and
with apache2 configuration and the only way to stop accessing private
folder was adding a new virtualhost in apache for each vps ip with this:
<VirtualHost x.x.x.x:80>
> Redirect 403 /
> ErrorDocument 403 "Sorry, direct IP access not allowed."
> DocumentRoot /dev/null
> UseCanonicalName Off
> </VirtualHost>
>
>
I use Lets encrypt certificates and redirecting from 80 to 443, and I don't
touch virtualhost file in port 80 so for sure, i'm doing something wrong
with apache3 and for sure with host names in appconfig.ini
[host]
> names = localhost:*, 127.0.0.1:*, *:*, *
>
>
Regards
El jueves, 1 de agosto de 2019, 9:26:26 (UTC+2), Jose C escribió:
>
> > I added the line in routes.py - While it restricts allowing
>> access to other applications like welcome it does not restrict
>> redirection - so in my case it still redirected to welcome application
>> mentioning something is wrong message.
>>
>> Odd. I have a similar setup to you with multiple domains, 2.18.5, py3
> using rocket server. If I do not place 'welcome' in the 'allowed_apps'
> any attempt to get to any page on the welcome app returns a 404 (as
> expected).
> One thing that may be different... I have additional parameters in
> routes.py which specifies the default for each app... perhaps in the
> absence of this it tries to go back to 'welcome'?
>
> routers = dict(
> # base router
> BASE = dict(
> domains={'domain1.com' : 'app1',
> 'domain2.com' : 'app2',
> },
> default_application = 'app1',
> applications = ['app1', 'app2'],
> default_function = 'home',
> ),
> app1 = dict(
> default_language = 'en',
> languages = ['en'],
> default_function = 'home',
> ),
> app2 = dict(
> default_language = 'en',
> languages = ['en'],
> default_function = 'index',
> map_hyphen = True,
> ),
>
>
> )
>
> Paco: Surely appconfig.ini should never be reachable via the url due to
> the security risks of allowing access to config info? I paniced for a sec
> and tried accessing mine with a link like yours but get 404 (as expected).
> Are you saying you can see your appconfig.ini, without specifically doing
> something to expose it, by simply accessing a link the way you formatted
> it?
>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/web2py/b617507e-06b5-423d-b007-04f98734c101%40googlegroups.com.
