The app server that ships with web2py is a fork of the Rocket webserver: 
https://pypi.python.org/pypi/rocket
It's written in pure Python, so all of the security is how Python sockets 
and so forth are secure (see also the Python httpserver module). Ultimately, 
if you are using web2py for administration, then its security would depend on 
the security of web2py's Access Control and other security features 
(CSRF/XSS protections, etc.).

If you run web2py/rocket as a service bound only to the localhost 
interfaces (web2py --interfaces 127.0.0.1:$adminport,[::1]:$adminport), 
then set an ssh tunnel to the localhost adminport from your remote host. 
Then you can hit the web2py directly.

If you aren't sending Rocket requests then it's not using any CPU. It does, 
however, load Rocket into memory (but if nginx/uWSGI is hosed, you won't be 
seeing much from requests to those except for the overhead of generating 
the emission of error 500 or whatever...)

On Friday, September 26, 2014 3:50:57 PM UTC-4, Ide wrote:
>
> I am working on a web2py application to help with FreeBSD system 
> administration. Although my main web2py system will run with Nginx and 
> uWSGI on this server, I would like my admin app to run independently of 
> these as I would use the admin application to manage these configurations 
> and a bad config could lock me out if the admin application depended on 
> Nginx and uWSGI.
>
> I was thinking xinetd would be a good solution as it would only run when 
> required, and can be restricted to specific source IP addresses which would 
> be good for security. My first attempt at this failed (I tried to adapt 
> this guide: http://www.freebsdonline.com/content/view/883/531/, replacing 
> the server parameter with the path to python, and the arguments with the 
> web2py.py plus usual startup options which work fine on their own). Has 
> anyone managed to run web2py from xinetd or inetd? 
>
> Any other suggestions other than just running web2py with its built in 
> web server as a service? Security is important as some of the tasks require 
> root access, so any extra layer of security would be good. How secure is 
> the built in web2py web server? I'm trying to keep it simple and 
> lightweight as it would be hosted on a single core virtual server. 
>
> Thanks,
>
> Ide.
>
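
A check for the loopback-only setup described in the reply above, as an added example that is not part of the original thread: it reads FreeBSD `sockstat -4 -6 -l` style output and reports any listener on the admin port that is not bound to 127.0.0.1 or ::1. The port 8443, the host name, the column layout and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; port, host name and sample lines are constructed.
ADMIN_PORT=8443   # assumed stand-in for $adminport

# Reads sockstat-style lines on stdin (assumed columns: USER COMMAND PID FD
# PROTO LOCAL FOREIGN). Prints "command pid local-address" for every TCP
# listener on port $1 that is not bound to loopback.
# Exit status: 0 = loopback only, 1 = exposed listener, 2 = nothing listening.
audit_admin_listener() {
    awk -v port="$1" '
        $5 ~ /^tcp/ {
            n = split($6, part, ":")          # port is the last ":" field
            if (part[n] != port) next
            seen++
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "::1") { bad++; print $2, $3, $6 }
        }
        END { if (bad) exit 1; if (!seen) exit 2; exit 0 }'
}

# Constructed sample: admin server bound to both loopback addresses only.
sample_good() { cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     python2.7  1234  3  tcp4   127.0.0.1:8443        *:*
root     python2.7  1234  4  tcp6   ::1:8443              *:*
www      nginx      800   6  tcp4   *:80                  *:*
EOF
}

# Constructed sample: same server started on the wildcard address by mistake.
sample_bad() { cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     python2.7  1234  3  tcp4   *:8443                *:*
www      nginx      800   6  tcp4   *:80                  *:*
EOF
}

# On the server:  sockstat -4 -6 -l | audit_admin_listener "$ADMIN_PORT"
# From the remote host, once the check passes (host name is a placeholder):
#   ssh -N -L 8443:127.0.0.1:8443 admin@server.example
# then browse to the forwarded port on the local machine.
sample_good | audit_admin_listener "$ADMIN_PORT" && echo "loopback only"
sample_bad  | audit_admin_listener "$ADMIN_PORT" || echo "exposed listener found"
```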
