always https


Paolo Amboni

Aug 9, 2015, 11:36:20 AM
to web2py-users
I've just set up a small server for web2py on Ubuntu Server 15.04 using the default script.

All is working fine,
but I don't understand why, when I point to the IP of the server for the default app, it always goes to https.
I need the exact opposite.
Thanks.


pa...@cancamusa.net

Aug 9, 2015, 6:24:33 PM
to web2py-users
> but I don't understand why, when I point to the IP of the server for the default app, it always goes to https.
 
The instructions in the web2py book don't do that; they configure both http and https, client's choice.
The install script has changed, however, and now redirects http to https:

https://github.com/web2py/web2py/blob/master/scripts/setup-web2py-ubuntu.sh

You need to change /etc/apache2/sites-available/default.conf. You can find alternative configurations, with instructions, in the web2py book:

http://web2py.com/books/default/chapter/29/13/deployment-recipes#mod_wsgi
http://web2py.com/books/default/chapter/29/13/deployment-recipes#mod_wsgi-and-SSL

> I need the exact opposite

1) If you disable https, you will have to use an ssh tunnel or a similar trick to access the admin interface
2) Google gives higher ratings to websites with SSL certificates
3) Gandi SSL certificates are simple to use, work just fine, and are not expensive: gandi.net
4) You can disable https, but, to the best of my knowledge, you cannot redirect https to http using your web server. The reason: in order to redirect to the http version of the site, you must first establish a connection to the https version, and that means you need a certificate. And if the certificate is self-signed, your visitors will get the same fear screen.
5) https://www.resetthenet.org/

Anthony

Aug 9, 2015, 8:56:39 PM
to web2py-users
> 3) Gandi SSL certificates are simple to use, work just fine, and are not expensive: gandi.net

You can even get a free one from http://www.startssl.com/?app=1.

Paolo Amboni

Aug 10, 2015, 4:11:18 AM
to web2py-users
OK, I'm waiting for a free certificate.

But what I can't understand is why the whole site is https, not only the admin interface.
I will study the whole deployment chapter of the book to find some clues and how to use the new certificate.
Thanks.

Pablo Angulo

Aug 10, 2015, 4:39:16 AM
to web...@googlegroups.com


On 10/08/15 at 10:11, Paolo Amboni wrote:

> OK, I'm waiting for a free certificate.
>
> But what I can't understand is why the whole site is https, not only the admin interface.


I told you, some web2py contributor thought it was best to do it that way in 2015, and everyone else thought it was a good idea, so the install script was changed so that all http is redirected to https. Specifically, this config tells Apache "redirect all http to https":


https://github.com/web2py/web2py/blob/master/scripts/setup-web2py-ubuntu.sh
<VirtualHost *:80>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  CustomLog /var/log/apache2/access.log common
  ErrorLog /var/log/apache2/error.log
</VirtualHost>

while the one on the manual just configures http:

http://web2py.com/books/default/chapter/29/13/deployment-recipes#mod_wsgi

<VirtualHost *:80>
  ServerName web2py.example.com
  WSGIDaemonProcess web2py user=www-data group=www-data display-name=%{GROUP}
  WSGIProcessGroup web2py
  WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py

#This is Apache 2.2.x permission syntax. See Apache docs for 2.4 syntax
# http://httpd.apache.org/docs/2.4/upgrading.html#run-time

  <Directory /home/www-data/web2py>
    AllowOverride None
    Order Allow,Deny
    Deny from all
    <Files wsgihandler.py>
      Allow from all
    </Files>
  </Directory>

  AliasMatch ^/([^/]+)/static/(?:_[\d]+.[\d]+.[\d]+/)?(.*)            /users/www-data/web2py/applications/$1/static/$2
  <Directory /users/www-data/web2py/applications/*/static/>
    Order Allow,Deny
    Allow from all
  </Directory>

  <Location /admin>
  Deny from all
  </Location>

  <LocationMatch ^/([^/]+)/appadmin>
  Deny from all
  </LocationMatch>

  CustomLog /private/var/log/apache2/access.log common
  ErrorLog /private/var/log/apache2/error.log
</VirtualHost>



> I will study all the deployment chapter of the book to find some clues and how to use the new certificate.
> Thanks.


In the manual, or in the script, it configures a self-signed certificate. You can use the script, or follow the book, but then you must replace the self-signed certificates

  SSLCertificateFile /etc/apache2/ssl/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl/server.key

by certificates signed by StartSSL (only for non-commercial purposes), or gandi.net, or any other "authority". You must follow their particular procedure to generate your server.key file and then get the correct server.crt file.
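
To tell which of the two behaviours above a given Apache file has, the check below classifies each port-80 virtual host. It is an added example, not code from the thread or from web2py; the function name `classify_vhosts` and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread or web2py: say what each port-80
# <VirtualHost> in an Apache file does with a plain-HTTP request. Only
# RewriteRule and Redirect lines with an https:// target count as redirects.
classify_vhosts() {
    awk '
    { line = tolower($0) }
    line ~ /^[ \t]*#/ { next }    # comment lines never count
    line ~ /<virtualhost[ \t]+[^>]*:80>/ { in80 = 1; redirect = 0; wsgi = 0; next }
    !in80 { next }
    line ~ /^[ \t]*(rewriterule|redirect)[ \t].*[ \t]https:\/\// { redirect = 1 }
    line ~ /^[ \t]*wsgiscriptalias[ \t]/ { wsgi = 1 }
    line ~ /<\/virtualhost>/ {
        if (redirect)  print "redirects-to-https"
        else if (wsgi) print "serves-app-over-http"
        else           print "other"
        in80 = 0
    }' "$1"
}

tmp=$(mktemp -d)
# Constructed sample modelled on the install script's configuration
cat > "$tmp/script.conf" <<'EOF'
<VirtualHost *:80>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
  WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py
</VirtualHost>
EOF
# Constructed sample modelled on the book's recipe, redirect commented out
cat > "$tmp/book.conf" <<'EOF'
<VirtualHost *:80>
  ServerName web2py.example.com
  # RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
  WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py
</VirtualHost>
EOF
script_result=$(classify_vhosts "$tmp/script.conf")
book_result=$(classify_vhosts "$tmp/book.conf")
rm -rf "$tmp"
echo "install script: $script_result"
echo "book recipe:    $book_result"
```

A result of `serves-app-over-http` means the application, including any login form it has, is reachable without TLS on that virtual host.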

Paolo Amboni

Aug 10, 2015, 4:57:52 AM
to web2py-users
OK, now it is much clearer.
If I replace the Apache configuration file with the one that I find in the book, can I have https on the admin interface only?
I got a certificate from startssl but I really can't find a way to export or generate the server.crt and server.key files.

My knowledge is not that advanced for the moment.
The server is only for educational purposes and to store some data from sensors.
Thanks.

Pablo Angulo

Aug 10, 2015, 5:38:19 AM
to web...@googlegroups.com


On 10/08/15 at 10:57, Paolo Amboni wrote:

> OK, now it is much clearer.
> If I replace the Apache configuration file with the one that I find in the book, can I have https on the admin interface only?


Yes, Apache will forward both http and https to web2py, without any redirection. Then web2py will display "admin disabled because of insecure channel" if you try to enter through http. Not a problem, I hope, since the admin interface is not for regular users.


> I got a certificate from startssl but I really can't find a way to export or generate the server.crt and server.key files.

You have to follow their instructions. The procedure varies with the registrar. One thing is for sure:
You generate server.key: it's your private key, which you do not share with anyone, not even with the registrar.
You probably generate a "csr" file alongside the "key" file.
Then you give the csr to the registrar, the registrar verifies in some way that you are the owner of the domain, and then they give you the crt.
You must look for details by searching for apache2, openssl, and/or startssl (you're using apache2, aren't you?)

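
The key, CSR and certificate steps described above, as an added example that is not part of the original post or of StartSSL's instructions: it uses the generic OpenSSL commands and then checks that a certificate matches the private key before both are installed as `server.crt` and `server.key`. The function names are hypothetical, and the certificate is a constructed self-signed stand-in for the one a CA would return.

```sh
#!/bin/sh
# Added example: generic OpenSSL key/CSR flow; a CA's own procedure may differ.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_key_and_csr DIR FQDN: server.key stays on the server, server.csr goes to the CA
make_key_and_csr() {
    ( umask 077    # files created here are readable by their owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# pubkey_fp key|csr|crt FILE: SHA-256 of the public key the file carries
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1          # unreadable or malformed file: no fingerprint
    printf '%s\n' "$pem" | openssl dgst -sha256
}

# cert_matches_key CRT KEY: true only if both files carry the same public key
cert_matches_key() {
    crt_fp=$(pubkey_fp crt "$1") || return 1
    key_fp=$(pubkey_fp key "$2") || return 1
    [ "$crt_fp" = "$key_fp" ]
}

make_key_and_csr "$workdir" web2py.example.com
# Constructed stand-in for the CA's reply (the CSR signed with its own key),
# present only so the check has a certificate to inspect.
openssl x509 -req -in "$workdir/server.csr" -signkey "$workdir/server.key" \
    -days 1 -out "$workdir/server.crt" 2>/dev/null
# Constructed unrelated key, to show a mismatch.
openssl genrsa -out "$workdir/other.key" 2048 2>/dev/null

for k in server.key other.key; do
    if cert_matches_key "$workdir/server.crt" "$workdir/$k"; then
        echo "$k matches server.crt"
    else
        echo "$k does NOT match server.crt"
    fi
done
```

Only the CSR is sent to the CA; a mismatch reported here means the certificate was issued for a different key than the one on the server.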
