Disabling Access to Application Builder and securing applications


Manos Pappas

Jan 24, 2020, 5:55:06 AM
to Jam.py Users Mailing List
Hello,

Is there a way to disable access to the application builder when a Jam.py application is running in a production environment (i.e. on a Linux Apache 2.4 web server)?
I am also looking for ways to disable downloading of .sqlite databases without impacting application use.
I have set-up my Linux Apache 2.4 webserver as explained in the docs: https://jam-py.com/docs/how_to/deploy/how_to_deploy_to_linux_apache.html

Thank you very much in advance for your help.

Andrew Yushev

Jan 24, 2020, 9:16:20 AM
to Manos Pappas, Jam.py Users Mailing List
Hello, Manos

I'll prohibit downloading of .sqlite files.
As for disabling the application builder, maybe limit the
IPs from which it can be run?

Regards,
Andrew

Fri, 24 Jan 2020 at 13:55, Manos Pappas <front...@gmail.com>:
--
You received this message because you are subscribed to the Google Groups "Jam.py Users Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jam-py+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jam-py/e760b194-631e-4aba-9ea0-4fd267bb3f11%40googlegroups.com.

Manos Pappas

Jan 27, 2020, 2:02:50 AM
to Jam.py Users Mailing List
Hello Andrew,

Thank you very much for your message.

The general idea is to disable the application builder on production sites completely and activate it only by placing some special 'token' (e.g. a file) inside the application folder.
Since only the server administrator has file-level access to the httpd folder, that would prevent anyone from making changes to the application even if they somehow manage to retrieve the admin.sqlite database.

Just my idea, please tell me if you have anything else in mind on how to secure Jam.py applications running on 'open web'.


Drazen Babic

Jan 27, 2020, 2:33:18 AM
to Jam.py Users Mailing List
Hi,

I think it should be fairly easy with .htaccess in the App folder.

It is an Apache (or HTTP server) thing though, i.e.:

http://stackoverflow.com/questions/4400154/ddg#4400412

rrad

Jan 27, 2020, 3:40:32 AM
to Jam.py Users Mailing List
Hi,
web2py has the following scenario:
 access from localhost can be with the admin account,
 otherwise an SSL connection is required for the admin account.

Generally, the admin account should somehow be accessible remotely.

rrad

Drazen Babic

Jan 27, 2020, 9:28:15 PM
to Jam.py Users Mailing List
This will work in .htaccess file:

<IfModule mod_rewrite.c>
# Needs AllowOverride FileInfo (or All) for this directory, otherwise Apache ignores
# mod_rewrite directives in .htaccess.
RewriteEngine on
# "-" leaves the path unchanged; [F] answers 403 Forbidden and stops processing.
RewriteRule builder\.html$ - [F]
RewriteRule admin\.html$ - [F]
</IfModule>


Obviously, we need Apache2 rewrite module loaded.


Andrew Yushev

Jan 28, 2020, 2:39:17 AM
to Jam.py Users Mailing List
Hello

I published version 5.4.89. It allows access only to html files in the project folder.
To disable the App Builder, you must place an empty builder.html file (or one with some warning message) in the project folder;
it will be used instead of the builder.html file from the project folder.

Regards,
Andrew Yushev

On Friday, 24 January 2020 at 13:55:06 UTC+3, Manos Pappas wrote:

Dražen Babić

Jan 28, 2020, 2:59:31 AM
to Andrew Yushev, Jam.py Users Mailing List
HI,

I just tested this and it does not work as per above when run with ./server.py:

jam.py-5.4.89/demo $ ls
admin.sqlite css index.html langs.sqlite reports static
builder.html demo.sqlite js locks server.py wsgi.py

D.

Drazen Babic

Jan 28, 2020, 3:22:29 AM
to Jam.py Users Mailing List
Ahh, 

builder will show with Python 2.7 and Python 3.7...

Manos S. Pappás

Jan 28, 2020, 4:40:10 AM
to Andrew Yushev, Jam.py Users Mailing List

Hello Andrew,

I can confirm that this solution works perfectly when running the app via wsgi.

Local development (via server.py) ignores this feature, which is desirable.

Again, thank you very much for your help and quick response.

Manos S. Pappás

Address: D. Synadinou 8, 82131 Chios, GREECE
PGP key available on request



FCX

Feb 2, 2020, 6:34:07 AM
to Jam.py Users Mailing List
Will you be pushing this to the git repo?

Andrew Yushev

Feb 2, 2020, 11:51:56 AM
to FCX, Jam.py Users Mailing List
It is available on GitHub.

Sun, 2 Feb 2020 at 14:34, FCX <ceful...@gmail.com>:
Will you be pushing this to the git repo?


FCX

Feb 2, 2020, 12:58:01 PM
to Jam.py Users Mailing List
Also, how do you add custom 404 pages to a wsgi app using mod_wsgi on Apache?

I've tried the Apache conf files and .htaccess to no avail.

Any tips?

Drazen Babic

Feb 2, 2020, 8:27:01 PM
to Jam.py Users Mailing List
This is the Apache thingy, a complex topic.

No idea.

Drazen Babic

Feb 2, 2020, 11:07:38 PM
to Jam.py Users Mailing List
To be fair, 

I like this solution more, which enables you to have multiple IPs for builder access:

<IfModule mod_rewrite.c>
RewriteEngine on
# A RewriteCond applies only to the RewriteRule that immediately follows it, so the
# allowed addresses are listed once and both pages are matched by a single rule.
# Note: behind a reverse proxy REMOTE_ADDR is the proxy's address, not the client's.
RewriteCond %{REMOTE_ADDR} !^x\.y\.z\.1$
RewriteCond %{REMOTE_ADDR} !^x\.y\.z\.2$
RewriteCond %{REMOTE_ADDR} !^x\.y\.z\.3$
# ... one RewriteCond per additional allowed address ...
RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
# Forbid the builder pages for every client that matched none of the addresses above.
RewriteRule (builder|admin)\.html$ - [F]
</IfModule>

The problem with the empty builder.html file, as I see it, is the moment that file is removed.

At that moment your builder is open to the world if not password protected.


D.

rrad

Feb 3, 2020, 1:00:21 PM
to Jam.py Users Mailing List

Hi there,

In my opinion, it is true that the proposed solution with an empty builder.html is not brilliant,
but Drazen, doesn't your solution rest on the file system and Apache add-ons too?
Therefore, whoever has sufficient rights to remove builder.html can do the same with
.htaccess files etc.; after all, they can remove the entire app directory, whatever it is.

In my opinion, this has to be resolved within jam.py itself. How - that's a bit of a tougher story.
I assume @Andrew gave a solution like this since it takes time to make a more serious choice.

However @FCX, for the 404 page, you need to call the appropriate Apache handler and that's it.
I no longer keep that at my fingertips, but I think it's easy to do. What is not so easy is how to proceed
with the application. I think the author's choice was their own application stack, where there is
full control over such events as bugs, though I'm not sure how a 404 can get into jam.py.
At least I haven't been able to do it so far!

Regards, Radosav.

jimbo

Feb 3, 2020, 1:46:08 PM
to Jam.py Users Mailing List
Right, jam-py won't in itself generate a 404. It knows where to find itself and its dependencies.

But you can request a bad location and the httpd serves a 404 (example: https://jam-py.com/junklocation/)

In addition I must protect files from access like:

/admin.sqlite
/static/files   (disable directory browsing but allow jam-py's file type to function)
/static/internal
/static/reports

I know Andrew has enabled some protections in the new build, but I need others.

I do want to keep looking at this on my own to uncover this and perhaps add to the aws linux install docs.

jimbo

Feb 3, 2020, 5:47:38 PM
to Jam.py Users Mailing List
It looks like the error documents within a wsgi app can be done through the app itself, likely returning a NotFound from the Werkzeug package, which is what appears to happen in the 5.4.89 release.

I hacked up a solution for my own use, which is a mod_wsgi based implementation (apache2).

It looks like services such as PythonAnywhere already handle this out of the box. For the rest of us that are building out solutions, it would be cool to get this in a configurable area of the app, like Parameters, for at least the 404, 403 and 500 errors.

Just an idea.

rrad

Feb 3, 2020, 6:33:26 PM
to Jam.py Users Mailing List
Hi Jimbo,
I think all of this goes as it would for a regular Apache system.
It simply provides an application, defines a virtual server I assume,
and defines Error404 -> file.html links, and Apache does the rest.
I guess that's why mod_wsgi is used, because of an Apache-developed
and well-supported infrastructure.

After all, Drazen is much, much better when it comes to web servers.

rrad

Andrew Yushev

Feb 4, 2020, 2:59:03 AM
to rrad, Jam.py Users Mailing List
A Jam.py application is a single page application,
so I didn't add a custom 404 page.
Now I think it is needed and I have figured out how to make it.
Thanks to everyone for the discussion.

Tue, 4 Feb 2020 at 02:33, rrad <rrad...@gmail.com>:

jimbo

Feb 4, 2020, 10:02:37 AM
to Jam.py Users Mailing List
Please add the ability to customize the error documents.

This was necessary also as a form of security, as the user can easily download the admin db by entering the URL.

Drazen Babic

Feb 4, 2020, 8:40:53 PM
to Jam.py Users Mailing List
The error handling would be nice.

But the security is in general managed by the System Administrator.

Add this to .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine on
# Answer 403 Forbidden for any request path ending in admin.sqlite.
RewriteRule admin\.sqlite$ - [F]
</IfModule>

Methinks the security totally depends on the App usage scenario.

D.
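Editor's note: the measures proposed across this thread (Manos's token file that enables the builder, Drazen's per-address rule and his admin.sqlite rule, jimbo's request for a custom error body) can also be applied inside the WSGI process, where they hold even when Apache ignores .htaccess (rrad's objection) or the app runs under another server. The block below is an added example, not Jam.py's own code; the class and constant names (ProtectedApp, BUILDER_PAGES, DENIED_SUFFIXES, DENIED_PREFIXES, ERROR_PAGE) are hypothetical, and only the paths /builder.html, /admin.html, *.sqlite, /static/internal and /static/reports come from the posts above.

```python
"""
Added example (not Jam.py code): WSGI middleware that refuses the builder pages
unless the client address is allowed and an optional marker file exists, never
serves database files, and answers with a small custom error page.
All class/constant names here are hypothetical.
"""
import os
import posixpath
import ipaddress
from http import HTTPStatus

# Pages that open the builder (paths taken from the thread).
BUILDER_PAGES = {"/builder.html", "/admin.html"}
# Files and folders that must never reach a browser.
DENIED_SUFFIXES = (".sqlite",)
DENIED_PREFIXES = ("/static/internal", "/static/reports")
# Minimal custom error body, used for both 403 and 404.
ERROR_PAGE = "<!doctype html><title>{code} {reason}</title><h1>{code} {reason}</h1>\n"


class ProtectedApp:
    """Wrap a WSGI app; decide on builder pages and database files before it runs."""

    def __init__(self, app, allowed_networks, marker_file=None, trust_forwarded_for=False):
        self.app = app
        # CIDR allow list for the builder (the per-address idea from the thread).
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
        # Optional: builder is enabled only while this file exists (the token-file idea).
        self.marker_file = marker_file
        # Honour X-Forwarded-For only when a trusted reverse proxy is known to set it;
        # otherwise any client can forge the header and bypass the allow list.
        self.trust_forwarded_for = trust_forwarded_for

    def client_ip(self, environ):
        if self.trust_forwarded_for:
            xff = environ.get("HTTP_X_FORWARDED_FOR", "")
            if xff:
                return xff.split(",")[0].strip()  # first hop is the original client
        return environ.get("REMOTE_ADDR", "")

    def address_allowed(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # missing or malformed address: deny
        return any(ip in net for net in self.allowed)

    def builder_enabled(self):
        return self.marker_file is None or os.path.isfile(self.marker_file)

    def decide(self, environ):
        """Return None to pass the request through, or the HTTP status to refuse it with."""
        # Normalise so /static/../admin.sqlite or //builder.html cannot slip past the checks.
        raw = environ.get("PATH_INFO", "").lstrip("/")
        path = posixpath.normpath("/" + raw).lower()
        if path.endswith(DENIED_SUFFIXES) or path.startswith(DENIED_PREFIXES):
            return HTTPStatus.NOT_FOUND  # 404, not 403: do not confirm the file exists
        if path in BUILDER_PAGES:
            if not self.builder_enabled() or not self.address_allowed(self.client_ip(environ)):
                return HTTPStatus.FORBIDDEN
        return None

    def __call__(self, environ, start_response):
        status = self.decide(environ)
        if status is None:
            return self.app(environ, start_response)
        body = ERROR_PAGE.format(code=status.value, reason=status.phrase).encode("utf-8")
        start_response("%d %s" % (status.value, status.phrase),
                       [("Content-Type", "text/html; charset=utf-8"),
                        ("Content-Length", str(len(body)))])
        return [body]
```

To use it, wrap the callable that mod_wsgi loads from wsgi.py (by default it looks for a module-level `application`): `application = ProtectedApp(application, ["127.0.0.1/32", "203.0.113.0/24"], marker_file="/path/to/app/builder.enabled")`. The marker path and the allowed networks are assumptions for the example. Because the decision is made in `decide()` from the WSGI environ alone, it does not depend on AllowOverride, on mod_rewrite, or on which server front-ends the app; the X-Forwarded-For handling is off by default because a client can set that header itself.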

jimbo

Feb 4, 2020, 9:22:17 PM
to Jam.py Users Mailing List
I upgraded to 5.4.89 where these files, including admin.sqlite, are no longer served. So I'm good there.

I was never able to get .htaccess or the apache wsgi.conf file to work on jam py, which mounts itself in the document root.

rrad

Feb 5, 2020, 3:16:06 PM
to Jam.py Users Mailing List
Hi,
About ten messages ago Andrew wrote that he had posted 5.4.89,
and that only html files were available, etc.

Insisting on an Apache error handler for Jam.py is pointless in my opinion.

And finally, the man said he would take our story into account.

rrad.

Dean D. Babic

Apr 5, 2023, 2:20:50 AM
to Jam.py Users Mailing List
Hi all, 

a nice html page for the disabled builder, redirecting the page to index.html.
From here:

Just add this page to the app to disable the builder.
 
builder.html

Dean D. Babic

May 9, 2024, 10:03:15 PM
to Jam.py Users Mailing List
Hi,

I discussed Builder access with Andrew and in V7 he opted for disabling access to
the Builder when "Production Mode" is checked. This creates the builder.html file
in the App folder, which restricts the access.

However, this means that the file has to be removed by hand if access is needed,
which can be a problem.

Hence, I suggest this:
- just rename jam/builder.html to some random_name.html
- adjust TWO files only, with the same name:

jam/admin/builder.py:    builder_file = os.path.join(folder, 'builder.html')
jam/wsgi.py:                file_name = 'builder.html'
jam/wsgi.py:            elif file_name == 'builder.html':
jam/wsgi.py:                    environ['PATH_INFO'] = '/jam/builder.html'

Now access to the builder will be via whatever random_name.html is.

Btw, Django works in a similar way. This is secure enough if the random name is complex.
Plus, random_name.html can be created as usual to disable access (tested in v5).

D.

Dean D. Babic

Jun 7, 2024, 2:28:06 AM
to Jam.py Users Mailing List
The below is working with V7.

Enjoy