Let me understand your setup. Do you use a wf proxy and run web2py locally? Can you access admin both from http and https? If you access your app remotely, can you print {{=request.client}}, do you get localhost or 127.0.0.1?
The problem with proxies is that web2py cannot reliably determine whether the request is local or remote and whether https was used or not. Therefore settings are either too strict (no admin, the default, use ssh tunnel) or too loose (it is not too bad but if you accidentally go over http, a potential attacker can steal your session cookies).

Massimo

On Feb 7, 5:51 am, Lucidguppy <matthew.james.ka...@gmail.com> wrote:
> I've gotten web2py working on my webfaction account with admin using an https site pointing to the webapp and changing the parameters_xxx.py file to the port that the web app should be using. So now I have a regular site and a https site pointing to the port that the app uses. I don't think wf allows you to access your app via different ports - only the provided one - wf sees your standard request and routes it to the correct and only port.
>
> Massimo gave me the impression that this was insecure via this reddit comment.
>
> ***QUOTE***
> One is the parameters_*.py file. This file is required to enable admin and normally it is created automatically when running the built-in web server. In a production environment it is not created because you should not run admin off port 80. Admin would not work anyway because it requires https unless you use a proxy, in which case if you enable admin by manually creating this file, you open your system to vulnerability (like using telnet instead of ssh). The proper way to handle this is:
> sudo -u www-data python -c "from gluon.main import save_password; save_password(raw_input('admin password: '),443)"
> and use admin only over https (port 443). Feel free to join us on the web2py mailing list.
> ***/QUOTE***
>
> I can get a web2py install running by using ssh to get to my account, download web2py, unzip it and then run it once setting the admin password. I then kill the process and then use a script to launch anyserver.py using a cherrypy server.
>
> My ultimate question is - if https is less secure to my wf app - how do I use ssh to get to the app's admin?
> The slice at "http://www.web2pyslices.com/slices/take_slice/71" has been tried and it didn't work or I didn't do it correctly. How do I use ssh to access the web2py admin on webfaction?
>
> There is this: http://docs.webfaction.com/user-guide/databases.html#starting-an-ssh-...
> But it pertains to accessing databases.
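To make the "too strict or too loose" point above concrete, here is an added example that is not part of the thread and not web2py's own code: a small WSGI-style resolver that shows what an application sees behind a local reverse proxy (every request looks like 127.0.0.1 over plain http), and how the same decision changes once X-Forwarded-For and X-Forwarded-Proto are honoured only from an explicitly trusted proxy address. The function and constant names, the trusted-proxy list and the sample environ dicts are all constructed for the illustration; the admin rule mirrors the one the thread describes (plain http only from the local machine, https for anyone remote).

```python
from ipaddress import ip_address, ip_network

# Constructed assumption for this example: the reverse proxy is the only peer
# allowed to set X-Forwarded-* headers. Replace with the proxy's real address.
TRUSTED_PROXIES = [ip_network("127.0.0.1/32")]


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not an IP."""
    try:
        return ip_address(text.strip())
    except ValueError:
        return None


def _from_trusted_proxy(peer):
    addr = _parse_ip(peer)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def naive_resolve(environ):
    """What an app sees when it trusts only the socket: behind a local proxy
    every request appears to come from 127.0.0.1 over plain http."""
    return environ.get("REMOTE_ADDR", ""), environ.get("wsgi.url_scheme") == "https"


def proxy_aware_resolve(environ):
    """Return (client_ip, is_https), honouring X-Forwarded-For and
    X-Forwarded-Proto only when the TCP peer is a trusted proxy; headers
    arriving from any other peer are ignored because anyone can send them."""
    peer = environ.get("REMOTE_ADDR", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if _from_trusted_proxy(peer):
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        if xff:
            # Leftmost entry is the client the proxy accepted the connection from.
            peer = xff.split(",")[0].strip()
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if proto:
            scheme = proto.strip().lower()
    return peer, scheme == "https"


def admin_allowed(client_ip, is_https):
    """Rule described in the thread: plain http is acceptable only from the
    local machine; a remote client must be on https."""
    addr = _parse_ip(client_ip)
    is_local = addr is not None and addr.is_loopback
    return is_local or is_https


# Constructed sample requests (WSGI environ dicts, not captured traffic).
VIA_PROXY_HTTP = {
    "REMOTE_ADDR": "127.0.0.1", "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_FOR": "203.0.113.9", "HTTP_X_FORWARDED_PROTO": "http",
}
VIA_PROXY_HTTPS = {
    "REMOTE_ADDR": "127.0.0.1", "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_FOR": "203.0.113.9", "HTTP_X_FORWARDED_PROTO": "https",
}
# A connection that did not pass through the proxy but carries forwarded headers.
DIRECT_WITH_HEADERS = {
    "REMOTE_ADDR": "198.51.100.7", "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_FOR": "127.0.0.1", "HTTP_X_FORWARDED_PROTO": "https",
}

if __name__ == "__main__":
    samples = [("proxy/http", VIA_PROXY_HTTP), ("proxy/https", VIA_PROXY_HTTPS),
               ("direct/with headers", DIRECT_WITH_HEADERS)]
    for name, env in samples:
        print(name,
              "naive admin:", admin_allowed(*naive_resolve(env)),
              "proxy-aware admin:", admin_allowed(*proxy_aware_resolve(env)))
```

The naive path is the "too loose" setting from the reply: a remote user over plain http is indistinguishable from localhost, so admin (and its session cookie) is exposed on an unencrypted hop. The proxy-aware path only works if the proxy in front actually sets those headers and the application is unreachable except through it; otherwise the thread's advice to reach admin over an ssh tunnel remains the safe default.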