Can you post the file you sent me (or something better)? I have limited connection.
On Aug 20, 8:36 pm, Graham Dumpleton <graham.dumple...@gmail.com> wrote:
> On Aug 20, 10:20 pm, Alex Fanjul <alex.fan...@gmail.com> wrote:
>
> > Massimo, Graham commented (replying to my "apache+windows+wsgi
> > <http://www.mhproject.org/index.php/mhproject.php/2009/07/20/how_to_in...>"
> > tutorial post) on some security issues in our default configurations using
> > wsgi, which I think we have to take into consideration.
> > Maybe it's corrected in the new chapter 10. In such a case, could you post
> > the best and secure httpd.conf configuration?
>
> Massimo has been sent a better configuration, although need to see a
> few more tweaks for it.
>
> The blog entry:
>
> http://blog.dscpl.com.au/2009/08/problems-with-example-web2py.html
>
> starts to explain in more detail why the existing configuration was
> wrong.
>
> I will blog about what the correct configuration should be, but
> getting the time is an issue.
>
> And no I am not going to post just the configuration to this list, as
> I want an explanation to go along with it, otherwise people cherry
> pick bits from it not understanding why certain things are done in a
> specific way. Thus it morphs into something which is again wrong.
>
> Graham
>
> > /---You should avoid using the mod_wsgi Windows binaries you have, they
> > are old and have a number of notable bugs which may cause problems. Up
> > to date binaries are available from the mod_wsgi site./
> > I didn't find new ones for python 2.5
>
> > /---Also, the Location/LocationMatch directives you are using to allow
> > Apache to serve files are a bad idea and doing it that way makes your
> > web server less secure. In this respect, the instructions found with
> > some web2py documentation which you may be following is quite poor and
> > doesn't use best practice. You should use Directory directives instead
> > and qualify access by where the files are stored in the file system and
> > not by the URL path that access them./
> > I tried but I didn't get the right configuration through Directory
> > directives... (using wsgi alias, and so...)
>
> > /---By using Location/LocationMatch directive in the way you have, you
> > have effectively said that someone can download any file from your
> > computer accessible via any URL. The only saving grace at present is
> > that there probably isn't a URL which maps to high in the file system,
> > but if through misconfiguration that was done, then there is nothing
> > else to protect your files from being downloaded. The Directory
> > directive when used properly, would prevent any files outside of the
> > intended directories being downloadable./
>
> > than
> > Alex F
>
> > On 17/08/2009 13:10, Massimo Di Pierro wrote:
>
> > > I want to publicly thank Graham Dumpleton both for developing WSGI
> > > (which is critical for a professional and scalable web2py deployment)
> > > and for his help in the new book chapter 10 on deployment recipes. I
> > > discovered he has an Amazon wishlist and that may be a nice way to say
> > > thank you:
>
> > > http://www.amazon.com/gp/registry/wishlist/1ENAXIJG1G044
>
> > > Massimo
>
> > --
> > Alejandro Fanjul Fdez.
> > alex.fan...@gmail.com
> > www.mhproject.org
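
The Location-versus-Directory point quoted in this thread, as an added configuration sketch that is not from any poster, the blog entry or the web2py documentation. It uses Apache 2.2 access-control syntax with mod_wsgi; every path is a placeholder and the script name wsgihandler.py is an assumption.

```apache
# Added example. /PATH/TO/web2py is a placeholder; wsgihandler.py is an
# assumed script name.

# --- Weak: access granted by URL --------------------------------------------
# <Location>/<LocationMatch> sections are merged after <Directory> sections,
# so this Allow overrides any filesystem-level Deny for whatever file a
# matching URL ends up mapped to. Shown commented out for comparison only.
#
# <LocationMatch "^/([^/]+)/static/">
#     Order allow,deny
#     Allow from all
# </LocationMatch>

# --- Safer: access granted by filesystem location ---------------------------
# 1. Deny the whole filesystem by default.
<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
</Directory>

# 2. Map static URLs to files, then open only those directories.
#    AliasMatch comes before WSGIScriptAlias so static files win the match.
AliasMatch ^/([^/]+)/static/(.*) /PATH/TO/web2py/applications/$1/static/$2

<Directory /PATH/TO/web2py/applications/*/static>
    Order allow,deny
    Allow from all
</Directory>

# 3. Everything else goes to the WSGI application; allow only the script file.
WSGIScriptAlias / /PATH/TO/web2py/wsgihandler.py

<Directory /PATH/TO/web2py>
    <Files wsgihandler.py>
        Order allow,deny
        Allow from all
    </Files>
</Directory>
```

With the default deny on `<Directory />` in place, a later mistake in an alias that maps a URL outside the intended directories results in a 403 rather than a file download.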