https only on admin


Juozas Masiulis

Feb 3, 2015, 3:48:21 PM
to web...@googlegroups.com
For certain reasons I could not use https for my entire website. I load content from external domains through javascript, which I do not control, and those scripts get blocked by the browser. I would like to use https only on admin, and I can get apache to redirect only admin to https by using this http://pastebin.com/raw.php?i=Hkz9YqnH config.

The redirection seems to work correctly, but then I can't access admin interface, because I am getting an exception, which I could read only by changing this back to default config.

Traceback (most recent call last):
  File "/var/www/web2py/gluon/main.py", line 435, in wsgibase
    session.connect(request, response)
  File "/var/www/web2py/gluon/globals.py", line 931, in connect
    session_pickled = pickle.dumps(self, pickle.HIGHEST_PROTOCOL)
TypeError: 'NoneType' object is not callable


            response.cookies[response.session_id_name]['path'] = '/'
            if cookie_expires:
                response.cookies[response.session_id_name]['expires'] = \
                    cookie_expires.strftime(FMT)

        session_pickled = pickle.dumps(self, pickle.HIGHEST_PROTOCOL)
        response.session_hash = hashlib.md5(session_pickled).hexdigest()

        if self.flash:
            (response.flash, self.flash) = (self.flash, None)

Function argument list

(self=<Storage {}>, request=<Storage {'_vars': None, 'function': 'index', 'c...'folder': '/var/www/web2py/applications/admin/'}>, response=<Storage {'body': <cStringIO.StringO object at 0..._caller': <function <lambda> at 0x7f0dbcfb3050>}>, db=None, tablename='web2py_session', masterapp='admin', migrate=True, separate=None, check_client=False, cookie_key=None, cookie_expires=None, compression_level=None)

Massimo Di Pierro

Feb 5, 2015, 4:39:23 PM
to web...@googlegroups.com
You are the second person to report this problem. Was this after an upgrade? Have you deleted your session files? Do you have any special/unusual library installed?

tim spear

Feb 6, 2015, 12:03:15 AM
to web...@googlegroups.com
I think I was the first person to mention it. 

I just reinstalled everything from scratch on digitalocean Ubuntu 14, with the sudo ./setup-web2py-ubuntu.sh script and I still get https:// on everything eg. 

http://128.199.113.29/test

redirects to https://128.199.113.29/test
with the associated 'attackers may be trying to steal your information' from Chrome.

Any ideas?

Thanks, Tim
Message has been deleted

Massimo Di Pierro

Feb 7, 2015, 11:35:13 PM
to web...@googlegroups.com
Please do not post your admin password (or any other password) here. Anybody with the admin password has almost complete access to your machine and can install malware without you noticing it.

tim spear

Feb 7, 2015, 11:37:29 PM
to web...@googlegroups.com
ok, though it's only a digitalocean droplet I set up for test purposes with a 'hello world' on it and intend to destroy again shortly


Ariya Owam-aram

Feb 9, 2015, 7:02:20 PM
to
Hi Juozas Masiulis

In /etc/apache2/sites-enabled/default.conf please change rewriterule as follows.

  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(admin/.*) https://%{SERVER_NAME}/$1 [R,L]

Hope it will help, see attached.



On Wednesday, February 4, 2015 at 3:48:21 AM UTC+7, Juozas Masiulis wrote:
default-both.conf

tim spear

Feb 10, 2015, 12:54:50 AM
to web...@googlegroups.com
Update - some progress:


Ubuntu with nginx script and http: worked normally.

Also I'm sure a previous usage of the setup-web2py-ubuntu.sh used to work normally so I guess something in the stack that the script downloads must have changed. Apache perhaps?

That's as far as I've got. I guess I'll try using nginx as I'm not so good at figuring the error beyond that. 

I think I'll destroy the 128.199.113.29/test droplet

Ta, Tim

Juozas Masiulis

Feb 10, 2015, 9:54:48 AM
to web...@googlegroups.com
So standard deployment should not require https use sitewide? I thought this was intended behaviour, because this happens on any computer that I've tried this on, for example fresh ubuntu 14.04 droplet.

tim spear

Feb 10, 2015, 10:50:17 AM
to web...@googlegroups.com


On Wednesday, February 4, 2015 at 3:48:21 AM UTC+7, Juozas Masiulis wrote:

tim spear

Feb 10, 2015, 8:26:20 PM
to web...@googlegroups.com
There didn't use to be https for everything with the older script for Ubuntu 12 / Apache 2.2 and there still is not if you use the Nginx / Ubuntu script. Also https everywhere is not mentioned in the docs as far as I know. It seems to have come in in the new install script for Apache 2.4 labelled "setup-web2py-ubuntu works on 14.04, thanks Ivan Di Giusto." I'm not sure if https everywhere is intended or accidental there. Any thoughts Massimo if you read this?

--

tim spear

Feb 10, 2015, 8:30:12 PM
to web...@googlegroups.com
I tried similar but then http: didn't work because Apache didn't know to send the requests to web2py. I found the http://stackoverflow.com/questions/28116754/how-can-i-make-part-of-the-website-not-use-https-in-web2py solution got http to work while keeping admin on https though I was changing things without understanding them very well and hope I have not broken something else.

On Tue, Feb 10, 2015 at 7:02 AM, Ariya Owam-aram <write...@gmail.com> wrote:
Hi Juozas Masiulis

In /etc/apache2/sites-enabled/default.conf please change rewriterule as follows.

  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(admin/.*) https://%{SERVER_NAME}/$1 [R,L]

Hope it will help



--
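
A virtual-host layout for the situation this post describes, where plain HTTP still reaches web2py and only admin is redirected. This is an added example, not the attached default-both.conf and not the setup script's output; the install path, the `www-data` user, the `wsgihandler.py` location and the certificate paths are assumptions.

```apache
# Added example; not taken from the thread's attachment or the web2py setup script.
# Assumptions: web2py is in /var/www/web2py (path seen in the traceback above),
# mod_wsgi, mod_rewrite and mod_ssl are enabled, certificate paths are placeholders.
WSGIDaemonProcess web2py user=www-data group=www-data processes=1 threads=1

<VirtualHost *:80>
  # Plain HTTP requests must still be handed to web2py, so the WSGI
  # mapping is needed here as well as in the HTTPS virtual host.
  WSGIProcessGroup web2py
  WSGIScriptAlias / /var/www/web2py/wsgihandler.py

  # Only paths under /admin/ are redirected; other applications stay on HTTP.
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(admin/.*) https://%{SERVER_NAME}/$1 [R,L]

  <Directory /var/www/web2py>
    AllowOverride None
    Require all denied
    <Files wsgihandler.py>
      Require all granted
    </Files>
  </Directory>
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  # Placeholder paths: point these at the real certificate and key.
  SSLCertificateFile /path/to/server.crt
  SSLCertificateKeyFile /path/to/server.key

  WSGIProcessGroup web2py
  WSGIScriptAlias / /var/www/web2py/wsgihandler.py
  WSGIPassAuthorization On

  <Directory /var/www/web2py>
    AllowOverride None
    Require all denied
    <Files wsgihandler.py>
      Require all granted
    </Files>
  </Directory>
</VirtualHost>
```

`apachectl configtest` checks the syntax before Apache is restarted.
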

Ariya Owam-aram

Feb 11, 2015, 7:29:59 PM
to web...@googlegroups.com
In my case I just copied default-both.conf (attached in previous post) to /etc/apache2/sites-enabled/ and restarted apache. It worked as expected after doing that.
Thank you for sharing. :)

On Wednesday, February 11, 2015 at 8:30:12 AM UTC+7, tim spear wrote: