Web2py on Pythonanywhere

[clara]

Hello all,

I have used  python anywhere to deploy simple web2py applications. In the last few I updloaded onto pythonanywhere I realize that the website is served as an HTTPS (SSL enabled) application. I have not changed any default setting in web2py neither have I uncommented the line:

# request.requires_https() in db.py.

Looking at older loaded applications I can see that they are served as "http" applications. 

I really need the web2py applications in Pythonanywhere to not require SSL. 

Any help on this? Thank you!

Clara

[David Ripplinger]

Are you comfortable posting a link to your website so I can see if it also loads as https on my end?

[clara]

Hello David,

Sorry for my late reply. The site I have on pythonanywere is at the following link:

http://ulamdev.pythonanywhere.com/unlam

I am redirected to:

https://ulamdev.pythonanywhere.com/unlam

And I assume it is the case for any other PC accessing the site. 

I look forward to your comments. Thanks!

Clara

[clara]

On the other hand, on another web2py I built long ago if I try:

http://kiki.pythonanywhere.com/ it remains as http

and if I try:

https://kiki.pythonanywhere.com/ it remains as https, that is the request is kept as is.

Thanks in advance for any help.

Regards to all,

Clara

[Niphlod]

the first link, albeit "printed" as http, is carrying a link to https:

please.... 

try this

http://ulamdev.pythonanywhere.com/unlam

and 

https://ulamdev.pythonanywhere.com/unlam

Sites are served "independently" because pythonanywhere serves both by default, and both are available without redirects.

[clara]

Hello Niphlod,

Thanks for your quick answer. From my PC if I try either link I always get the secure site back (https). If I try it on my cellphone though  I get http when requesting http and https when requesting https.

If I remember correctly, when I do the same from my notebook at home, I always end up getting the secure site back.

Could this be related to the browser settings? 

Thanks again,

Clara

PS: I am relieved to know that both http and https are served in Pythonanywere

[Niphlod]

it's probably some misconfiguration / cached values / etc on your browser. Try resetting preferences/cache/etc (or open an "incognito" session) to test it properly.

[Giles Thomas]

Hi there,

PythonAnywhere dev here -- you're right, it's a browser cache thing, resulting from a bug on our side.  

We have a "Strict-Transport-Security" setting on the main PythonAnywhere site that means that if you ever visit it via https then in future your browser will always use https to access it.  This fixes a number of potential security holes, and we think it's a good thing.  But we only intended it to apply to www.pythonanywhere.com.

Unfortunately for a brief period this setting "leaked" into some of our customers' sites as the result of a bug on our side.  So if you visited one of them via https (eg. to use the admin UI) while that bug was active then your browser will have stored the "always use https" setting for that site.  (Perhaps confusingly, this will also apply if you visit it in an incognito session -- incognito sessions inherit this setting from non-incognito sessions, though obviously the reverse isn't true.)

The best fix is to clear your browser history.  Sorry about that!

All the best,

Giles

[clara]

Hello Giles,

Thanks for this reply! So there was somthing on Pythonanywhere's side that forced https rather than http....

I cleared my cache and things are working properly now.

Thanks a lot!!

Clara

[Giles Thomas]

On Tuesday, November 11, 2014 2:37:42 PM UTC, clara wrote:

Thanks for this reply! So there was somthing on Pythonanywhere's side that forced https rather than http....

Exactly.  It only did it if you had visited your site using HTTPS once from that browser, which is why you saw the problem from your PC but not from your phone.

 

I cleared my cache and things are working properly now.

Great!

 

Thanks a lot!!

No problem, and sorry for the bug!  It was a particularly nasty bit of nginx configuration on our loadbalancer, which we thought did one thing and actually did something subtly different.

All the best,

Giles