On Aug 21, 5:55 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> Can you post the file you sent me (or something better). I have limited
> connection.

As I said, I will blog about it soon. I'd rather do it that way, as I can
then provide a proper explanation to accompany it.

Graham

> On Aug 20, 8:36 pm, Graham Dumpleton <graham.dumple...@gmail.com>
> wrote:
>
>
>
> > On Aug 20, 10:20 pm, Alex Fanjul <alex.fan...@gmail.com> wrote:
>
> > > Massimo, Graham commented (replying to my "apache+windows+wsgi
> > > <http://www.mhproject.org/index.php/mhproject.php/2009/07/20/how_to_in...>"
> > > tutorial post) on some security issues in our default configurations using
> > > wsgi, which I think we have to take into consideration.
> > > Maybe it's corrected in the new chapter 10. In such a case, could you post
> > > the best and secure httpd.conf configuration?
>
> > Massimo has been sent a better configuration, although need to see a
> > few more tweaks for it.
>
> > The blog entry:
>
> >  http://blog.dscpl.com.au/2009/08/problems-with-example-web2py.html
>
> > starts to explain in more detail why the existing configuration was
> > wrong.
>
> > I will blog about what the correct configuration should be, but
> > getting the time is an issue.
>
> > And no I am not going to post just the configuration to this list, as
> > I want an explanation to go along with it, otherwise people cherry
> > pick bits from it not understanding why certain things are done in a
> > specific way. Thus it morphs into something which is again wrong.
>
> > Graham
>
> > > ---You should avoid using the mod_wsgi Windows binaries you have, they
> > > are old and have a number of notable bugs which may cause problems. Up
> > > to date binaries are available from the mod_wsgi site.
> > > I didn't find new ones for python 2.5
>
> > > ---Also, the Location/LocationMatch directives you are using to allow
> > > Apache to serve files are a bad idea and doing it that way makes your
> > > web server less secure. In this respect, the instructions found with
> > > some web2py documentation which you may be following is quite poor and
> > > doesn't use best practice. You should use Directory directives instead
> > > and qualify access by where the files are stored in the file system and
> > > not by the URL path that accesses them.
> > > I tried but I didn't get the right configuration through Directory
> > > directives... (using wsgi alias, and so...)
>
> > > ---By using Location/LocationMatch directive in the way you have, you
> > > have effectively said that someone can download any file from your
> > > computer accessible via any URL. The only saving grace at present is
> > > that there probably isn't a URL which maps too high in the file system,
> > > but if through misconfiguration that was done, then there is nothing
> > > else to protect your files from being downloaded. The Directory
> > > directive when used properly, would prevent any files outside of the
> > > intended directories being downloadable.
>
> > > than
> > > Alex F
>
> > > On 17/08/2009 13:10, Massimo Di Pierro wrote:
>
> > > > I want to publicly thank Graham Dumpleton both for developing WSGI
> > > > (which is critical for a professional and scalable web2py deployment)
> > > > and for his help in the new book chapter 10 on deployment recipes. I
> > > > discovered he has an Amazon wishlist and that may be a nice way to say
> > > > thank you:
>
> > > >      http://www.amazon.com/gp/registry/wishlist/1ENAXIJG1G044
>
> > > > Massimo
>
> > > --
> > > Alejandro Fanjul Fdez.
> > > alex.fan...@gmail.com www.mhproject.org
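
The Location-versus-Directory point made in the quoted comments above, as an added configuration sketch; it is not part of this thread and is not the configuration Graham sent to Massimo. It uses Apache 2.4 `Require` syntax, and the install path /opt/web2py, the URL pattern and the applications/<app>/static layout are assumptions.

```apache
# Added example. /opt/web2py is a hypothetical install path.

# --- Weak form: access granted by URL -------------------------------
# <Location>/<LocationMatch> sections are merged after <Directory>
# sections, so a grant like this overrides any filesystem-level denial
# for whatever file a matching URL ends up mapped to.
#
# <LocationMatch "^/[^/]+/static/">
#     Require all granted
# </LocationMatch>

# --- Hardened form: access granted by filesystem path ---------------
# 1. Deny the whole filesystem by default and ignore .htaccess files.
<Directory "/">
    AllowOverride None
    Options None
    Require all denied
</Directory>

# 2. Map static URLs onto each application's static directory
#    (assumed layout: applications/<app>/static).
AliasMatch "^/([^/]+)/static/(.*)$" "/opt/web2py/applications/$1/static/$2"

# 3. Open up only those directories. A stray Alias that points
#    elsewhere still hits the default denial from step 1.
<Directory "/opt/web2py/applications/*/static">
    Require all granted
</Directory>

# 4. Send every other URL to the WSGI application, and grant access
#    to the script file alone rather than to the directory holding it.
WSGIScriptAlias / "/opt/web2py/wsgihandler.py"
<Directory "/opt/web2py">
    <Files "wsgihandler.py">
        Require all granted
    </Files>
</Directory>
```

On Apache 2.2 the equivalent access lines are `Order deny,allow` with `Deny from all` for the default block and `Order allow,deny` with `Allow from all` for the granted ones.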