How to deploy my first app

[Al]

Hi,

Now that I get my secure channel (using self-signed certificate)
working, I can remotely login from another computer to access the
admin interface thru https. To deploy this app for general users for
http access, do I have to run another instance of web2py on another
port - say port 80? Also how do I make these 2 instances to run as a
service in windows 2003 server? Also do I have to change the code so
that the general user just get directly to that single app? This whole
thing seems a lot more complicated than ruby on rails. I would
appreciate if people can explain this in more detail to me or point me
to the right documentations. Thanks.

Cheers
Al

[mdipierro]

It depends. For development if you use the built in web server you
need to start it twice for http and https. This is in general a
security measure. You do not want the same process to listen to two
sockets else if something happens (like a memory leak) you may get
locked out.

In deployment you should be using apache+mod_wsgi

just download and run this:
http://web2py.googlecode.com/hg/scripts/setup-web2py-ubuntu.sh

It will setup everything for you behind a single apache server.
I think this easier than rails actually.

Massimo

[Al]

Thank you for your input. I am using Windows server so I cannot use
the ubuntu scripts you mentioned. How about my second part of the
question? I understand why web2py is designed in such a "secure"
fashion. I am just trying to find a way around it so that I can deploy
my first app. I theory I should be able to type from any machine
http://myserver/myfirstapp, but it gives me an internal error - Ticket
issues. When I click the ticket link, it gives "Admin is disabled
because insecure channel". I have two instances of web2py running. I
can run http://myserver/example or https://myserver/myfirstapp without
any issues. What's so special about the built-in examples app? Do I
have to cut out some code from my app to get rid of all the admin menu
and authentication for a general users?

On Feb 10, 11:38 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> It depends. For development if you use the built in web server you
> need to start it twice for http and https. This is in general a
> security measure. You do not want the same process to listen to two
> sockets else if something happens (like a memory leak) you may get
> locked out.
>
> In deployment you should be using apache+mod_wsgi
>
> just download and run this:http://web2py.googlecode.com/hg/scripts/setup-web2py-ubuntu.sh
>
> It will setup everything for you behind a single apache server.
> I think this easier than rails actually.
>
> Massimo
>
> On Feb 10, 9:27 am, Al <albertsec...@gmail.com> wrote:
>
> > Hi,
>
> > Now that I get my secure channel (using self-signed certificate)
> > working, I can remotely login from another computer to access the

> > admin interface thru https. Todeploythis app for general users for

[Alexandre Andrade]

To see the tickets, use https protocol.

2010/2/11 Al <albert...@gmail.com>

--
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To post to this group, send email to web...@googlegroups.com.
To unsubscribe from this group, send email to web2py+un...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/web2py?hl=en.

--
Atenciosamente

--
=========================
Alexandre Andrade
Hipercenter.com

[Álvaro Justen [Turicas]]

On Wed, Feb 10, 2010 at 13:38, mdipierro <mdip...@cs.depaul.edu> wrote:
> It depends. For development if you use the built in web server you
> need to start it twice for http and https. This is in general a
> security measure. You do not want the same process to listen to two
> sockets else if something happens (like a memory leak) you may get
> locked out.
>
> In deployment you should be using apache+mod_wsgi
>
> just download and run this:
> http://web2py.googlecode.com/hg/scripts/setup-web2py-ubuntu.sh

This script is included in web2py_src.zip, just see web2py/scripts/
directory for this and other useful scripts.
I think we need better deploy scripts (like some script to just update
some app on server etc.) and document them.

> It will setup everything for you behind a single apache server.
> I think this easier than rails actually.
>
> Massimo
>
>
> On Feb 10, 9:27 am, Al <albertsec...@gmail.com> wrote:
>> Hi,
>>
>> Now that I get my secure channel (using self-signed certificate)
>> working, I can remotely login from another computer to access the
>> admin interface thru https. To deploy this app for general users for
>> http access, do I have to run another instance of web2py on another
>> port - say port 80? Also how do I make these 2  instances to run as a
>> service in windows 2003 server? Also do I have to change the code so
>> that the general user just get directly to that single app? This whole
>> thing seems a lot more complicated than ruby on rails. I would
>> appreciate if people can explain this in more detail to me or point me
>> to the right documentations. Thanks.
>>
>> Cheers
>> Al
>

> --
> You received this message because you are subscribed to the Google Groups "web2py-users" group.
> To post to this group, send email to web...@googlegroups.com.
> To unsubscribe from this group, send email to web2py+un...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/web2py?hl=en.
>
>

--
Álvaro Justen - Turicas
http://blog.justen.eng.br/
21 9898-0141

[Alexandre Andrade]

I have 2 sugestions for the setup-web2py-ubuntu.sh:

remove install emacs (what emacs have to do with web2py)?
install postgresql-8.4 instead obsolete 8.3

2010/2/11 Álvaro Justen [Turicas] <alvaro...@gmail.com>

--

[mdipierro]

send me a tested patch about postgresql. but emacs stays. ;-)

On Feb 11, 12:45 pm, Alexandre Andrade <alexandrema...@gmail.com>
wrote:

> I have 2 sugestions for the setup-web2py-ubuntu.sh:
>
> remove install emacs (what emacs have to do with web2py)?
> install postgresql-8.4 instead obsolete 8.3
>

> 2010/2/11 Álvaro Justen [Turicas] <alvarojus...@gmail.com>

> > web2py+un...@googlegroups.com<web2py%2Bunsu...@googlegroups.com>

> > .
> > > For more options, visit this group at
> >http://groups.google.com/group/web2py?hl=en.
>
> > --
> > Álvaro Justen - Turicas
> >  http://blog.justen.eng.br/
> >  21 9898-0141
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "web2py-users" group.
> > To post to this group, send email to web...@googlegroups.com.
> > To unsubscribe from this group, send email to

> > web2py+un...@googlegroups.com<web2py%2Bunsu...@googlegroups.com>

[Brian M]

Al,

You'd want to get rid of the "edit" " menu when you "Go Live" that's
just there as a convenience while you're creating things. Just use
this (or remove response.menu_edit from menu.py which does it once &
for all):
response.menu_edit = None
If you don't want auth menu either do
response.menu_auth = None

If you want to use the built-in server and be able to access on both
port 80 and port 443 (SSL) without running two web2py server instances
you could perhaps use a tunnel program like stunnel (www.stunnel.org).
Set it up to listen on port 443 (or really any port) and re-direct to
localhost:80. This way you should be able to get at admin and tickets
- as far as web2py is concerned you're accessing from the local
machine so tickets should work, but because it's tunneled it's also
secured as it goes to your remote computer.

To get the general user to automatically go to http://myserver/myfirstapp
when they type in http://myserver/ you can either work with routes or
just take the lazy route and replace the welcome app's default/index
with a redirect to whatever the home page of myfirstapp is. Of course
this will break the welcome app, but do you really want/need it when
deployed anyway?

#in the Welcome application's default.py controller
def index():
redirect(URL(a='myfirstapp', c='default', f='index'))

Setting up web2py as a Windows Service is easy enough:
http://www.web2py.com/AlterEgo/default/show/77

~Brian

On Feb 11, 9:54 am, Al <albertsec...@gmail.com> wrote:
> Thank you for your input. I am using Windows server so I cannot use
> the ubuntu scripts you mentioned. How about my second part of the
> question? I understand why web2py is designed in such a "secure"
> fashion. I am just trying to find a way around it so that I can deploy

> my first app. I theory I should be able to type from any machinehttp://myserver/myfirstapp, but it gives me an internal error - Ticket

[Al]

Brian,

Thank you for your detailed instructions. I managed to get stunnel
working, though it is a lot more complicated than I thought
originally. On the windows server, the stunnel.conf file is setup as
server mode and redirect port 8443 to 8000. On the client side, I also
have to set up another stunnel as client mode and redirect
127.0.0.1:80 to 192.168.1.11 - server's IP address. As this server
will be facing public, I cannot expect people to set up stunnel in
their machine in order to access my website. I was expecting a tool
which runs on the server side to do port redirection, and then when I
type in http://server_ip:8443 from another machine, it will route me
to my target app. (note: I did NOT set up any SSL certificate to get
stunnel working)

Also with stunnel, I still cannot access the target app without
entering the admin password, I cannot find any response.menu_auth to
remove.

I also have another mac which I tried to set up stunnel, but when I
run sudo stunnel3 I got the following error:
anyone familiar with mac can give some tips on how to solve this:

inetd mode must define a remote host or an executable

Cheers
Al

On Feb 12, 8:09 am, Brian M <bmere...@gmail.com> wrote:
> Al,
>
> You'd want to get rid of the "edit" " menu when you "Go Live" that's
> just there as a convenience while you're creating things.  Just use
> this (or remove response.menu_edit from menu.py which does it once &
> for all):
>     response.menu_edit = None
> If you don't want auth menu either do
>     response.menu_auth = None
>
> If you want to use the built-in server and be able to access on both
> port 80 and port 443 (SSL) without running two web2py server instances
> you could perhaps use a tunnel program likestunnel(www.stunnel.org).
> Set it up to listen on port 443 (or really any port) and re-direct to
> localhost:80. This way you should be able to get at admin and tickets
> - as far as web2py is concerned you're accessing from the local
> machine so tickets should work, but because it's tunneled it's also
> secured as it goes to your remote computer.
>
> To get the general user to automatically go tohttp://myserver/myfirstapp

> when they type inhttp://myserver/you can either work with routes or

[Brian M]

Al,

Yes, stunnel needs both a client and a server. The general public
should not need to use a stunnel connection to access your web2py
application though - they should just be using good old http://your_server.com.
My suggestion was that *you* could use stunnel when you need to get
remote access to the web2py admin screens.

Port redirection/forwarding of http://server_ip:8443 to http://server_ip:8000
(or 80 whatever port web2py is actually listening on) from the outside
probably wouldn't accomplish the goal of being able to access web2py's
admin without SSL - web2py will only allow non-SSL admin if the
connection comes from localhost and even with port redirection you
would not be connection from localhost.

So you can't access http://server_ip/myfirstapp over stunnel without
getting the prompt for the admin password? That doesn't make sense.
Web2py should be behaving exactly the same whether or not you're using
stunnel. What do you get when you do put in the admin password? Do you
get your app or do you get the admin screen?

Sorry, can't help with the Mac thing - don't have a Mac.

~Brian

On Feb 18, 11:09 am, Al <albertsec...@gmail.com> wrote:
> Brian,
>
> Thank you for your detailed instructions. I managed to get stunnel
> working, though it is a lot more complicated than I thought
> originally. On the windows server, the stunnel.conf file is setup as
> server mode and redirect port 8443 to 8000. On the client side, I also
> have to set up another stunnel as client mode and redirect
> 127.0.0.1:80 to 192.168.1.11 - server's IP address. As this server
> will be facing public, I cannot expect people to set up stunnel in
> their machine in order to access my website. I was expecting a tool
> which runs on the server side to do port redirection, and then when I

> type inhttp://server_ip:8443from another machine, it will route me

> > when they type inhttp://myserver/youcan either work with routes or

[Brian M]

Al,

I setup a stunnel server on Win7 which also had web2py's native server
running on it. Then I setup a stunnel client on a Linux VM.

In Stunnel Server's stunnel.conf:
[web2py]
accept = 8443
connect = localhost:8000

In Stunnel Client's stunnel.conf:
; Use it for client mode
client = yes
[web2py]
accept = 8443
connect = server_ip:8443

Visiting http://server_ip:8443/myapp brought up the web2py application
as expected, no prompts for the admin password - same as if I'd
visited http://server_ip:8000. Attempting to access the admin pages or
to view a ticket brought up the admin password prompt (as it should)
and I was able to use web2py's admin from the remote computer just
fine without https (because web2py thought I was on localhost thanks
to stunnel).

I think the problem you're having on the Mac with "inetd mode must
define a remote host or an executable " is due to trying to use the
"stunnel" command (which is likely really stunnel3) instead of
"stunnel4" at the command line. I found that I got the same error on
linux.

~Brian

On Feb 20, 11:31 pm, Brian M <bmere...@gmail.com> wrote:
> Al,
>

> Yes, stunnel needs both a client and a server. The general public
> should not need to use a stunnel connection to access your web2py

> application though - they should just be using good oldhttp://your_server.com.

> My suggestion was that *you* could use stunnel when you need to get
> remote access to the web2py admin screens.
>

> Port redirection/forwarding ofhttp://server_ip:8443tohttp://server_ip:8000

> (or 80 whatever port web2py is actually listening on) from the outside
> probably wouldn't accomplish the goal of being able to access web2py's
> admin without SSL - web2py will only allow non-SSL admin if the
> connection comes from localhost and even with port redirection you
> would not be connection from localhost.
>

> So you can't accesshttp://server_ip/myfirstappover stunnel without

> getting the prompt for the admin password? That doesn't make sense.
> Web2py should be behaving exactly the same whether or not you're using
> stunnel. What do you get when you do put in the admin password? Do you
> get your app or do you get the admin screen?
>
> Sorry, can't help with the Mac thing - don't have a Mac.
>
> ~Brian
>
> On Feb 18, 11:09 am, Al <albertsec...@gmail.com> wrote:
>
>
>
> > Brian,
>
> > Thank you for your detailed instructions. I managed to get stunnel
> > working, though it is a lot more complicated than I thought
> > originally. On the windows server, the stunnel.conf file is setup as
> > server mode and redirect port 8443 to 8000. On the client side, I also
> > have to set up another stunnel as client mode and redirect
> > 127.0.0.1:80 to 192.168.1.11 - server's IP address. As this server
> > will be facing public, I cannot expect people to set up stunnel in
> > their machine in order to access my website. I was expecting a tool
> > which runs on the server side to do port redirection, and then when I

> > type inhttp://server_ip:8443fromanother machine, it will route me

> > > when they type inhttp://myserver/youcaneither work with routes or

[Al]

Brian,

Finally I found the mistake which causes all this trouble in accessing
the non-admin pages, I had the following line in the default.py in
myapp:
return dict(form=form, images=images, admin = admin)

On Feb 22, 6:11 am, Brian M <bmere...@gmail.com> wrote:
> Al,
>

> I setup a stunnel server on Win7 which also had web2py's native server
> running on it. Then I setup a stunnel client on a Linux VM.
>
> In Stunnel Server's stunnel.conf:
> [web2py]
> accept = 8443
> connect = localhost:8000
>
> In Stunnel Client's stunnel.conf:
> ; Use it for client mode
> client = yes
> [web2py]
> accept = 8443
> connect = server_ip:8443
>

> Visitinghttp://server_ip:8443/myappbrought up the web2py application

> as expected, no prompts for the admin password - same as if I'd

> visitedhttp://server_ip:8000. Attempting to access the admin pages or

> to view a ticket brought up the admin password prompt (as it should)
> and I was able to use web2py's admin from the remote computer just
> fine without https (because web2py thought I was on localhost thanks
> to stunnel).
>

> I think the problem you're having on theMacwith "inetd mode must

> define a remote host or an executable " is due to trying to use the
> "stunnel" command (which is likely really stunnel3) instead of
> "stunnel4" at the command line. I found that I got the same error on
> linux.
>
> ~Brian
>
> On Feb 20, 11:31 pm, Brian M <bmere...@gmail.com> wrote:
>
> > Al,
>
> > Yes, stunnel needs both a client and a server. The general public
> > should not need to use a stunnel connection to access your web2py
> > application though - they should just be using good oldhttp://your_server.com.
> > My suggestion was that *you* could use stunnel when you need to get
> > remote access to the web2py admin screens.
>
> > Port redirection/forwarding ofhttp://server_ip:8443tohttp://server_ip:8000
> > (or 80 whatever port web2py is actually listening on) from the outside
> > probably wouldn't accomplish the goal of being able to access web2py's

> > admin withoutSSL- web2py will only allow non-SSLadmin if the

> > connection comes from localhost and even with port redirection you
> > would not be connection from localhost.
>

> > So you can't accesshttp://server_ip/myfirstappoverstunnel without

> > getting the prompt for the admin password? That doesn't make sense.
> > Web2py should be behaving exactly the same whether or not you're using
> > stunnel. What do you get when you do put in the admin password? Do you
> > get your app or do you get the admin screen?
>
> > Sorry, can't help with theMacthing - don't have aMac.
>
> > ~Brian
>
> > On Feb 18, 11:09 am, Al <albertsec...@gmail.com> wrote:
>
> > > Brian,
>
> > > Thank you for your detailed instructions. I managed to get stunnel
> > > working, though it is a lot more complicated than I thought
> > > originally. On the windows server, the stunnel.conf file is setup as
> > > server mode and redirect port 8443 to 8000. On the client side, I also
> > > have to set up another stunnel as client mode and redirect
> > > 127.0.0.1:80 to 192.168.1.11 - server's IP address. As this server
> > > will be facing public, I cannot expect people to set up stunnel in
> > > their machine in order to access my website. I was expecting a tool
> > > which runs on the server side to do port redirection, and then when I

> > > type inhttp://server_ip:8443fromanothermachine, it will route me
> > > to my target app. (note: I did NOT set up anySSLcertificate to get

> > > stunnel working)
>
> > > Also with stunnel, I still cannot access the target app without
> > > entering the admin password, I cannot find any response.menu_auth to
> > > remove.
>

> > > I also have anothermacwhich I tried to set up stunnel, but when I

> > > run sudo stunnel3 I got the following error:

> > > anyone familiar withmaccan give some tips on how to solve this:

>
> > > inetd mode must define a remote host or an executable
>
> > > Cheers
> > > Al
> > > On Feb 12, 8:09 am, Brian M <bmere...@gmail.com> wrote:
>
> > > > Al,
>
> > > > You'd want to get rid of the "edit" " menu when you "Go Live" that's
> > > > just there as a convenience while you're creating things.  Just use
> > > > this (or remove response.menu_edit from menu.py which does it once &
> > > > for all):
> > > >     response.menu_edit = None
> > > > If you don't want auth menu either do
> > > >     response.menu_auth = None
>
> > > > If you want to use the built-in server and be able to access on both
> > > > port 80 and port 443 (SSL) without running two web2py server instances
> > > > you could perhaps use a tunnel program likestunnel(www.stunnel.org).
> > > > Set it up to listen on port 443 (or really any port) and re-direct to
> > > > localhost:80. This way you should be able to get at admin and tickets
> > > > - as far as web2py is concerned you're accessing from the local
> > > > machine so tickets should work, but because it's tunneled it's also
> > > > secured as it goes to your remote computer.
>
> > > > To get the general user to automatically go tohttp://myserver/myfirstapp

> > > > when they type inhttp://myserver/youcaneitherwork with routes or

[Al]

Brian,

Finally I found the mistakes which causes all the troubles of
accessing the non-admin pages:

return dict(form=form, images=images, admin = admin)

I have the above line in the default.py controller, that why it keeps
asking for admin authentication even I tried to navigate the default
home page of myapp.

As for the Mac, what you mentioned was correct, I installed the
stunnel 4.27_0 package using macports, but the executables are in the /
opt/local/bin are called stunnel and stunnel3. Haven't got time to
solve this yet...

Cheers
Al

On Feb 22, 6:11 am, Brian M <bmere...@gmail.com> wrote:
> Al,
>

> I setup a stunnel server on Win7 which also had web2py's native server
> running on it. Then I setup a stunnel client on a Linux VM.
>
> In Stunnel Server's stunnel.conf:
> [web2py]
> accept = 8443
> connect = localhost:8000
>
> In Stunnel Client's stunnel.conf:
> ; Use it for client mode
> client = yes
> [web2py]
> accept = 8443
> connect = server_ip:8443
>

> Visitinghttp://server_ip:8443/myappbrought up the web2py application

> as expected, no prompts for the admin password - same as if I'd

> visitedhttp://server_ip:8000. Attempting to access the admin pages or

> to view a ticket brought up the admin password prompt (as it should)
> and I was able to use web2py's admin from the remote computer just
> fine without https (because web2py thought I was on localhost thanks
> to stunnel).
>
> I think the problem you're having on the Mac with "inetd mode must
> define a remote host or an executable " is due to trying to use the
> "stunnel" command (which is likely really stunnel3) instead of
> "stunnel4" at the command line. I found that I got the same error on
> linux.
>
> ~Brian
>
> On Feb 20, 11:31 pm, Brian M <bmere...@gmail.com> wrote:
>
> > Al,
>
> > Yes, stunnel needs both a client and a server. The general public
> > should not need to use a stunnel connection to access your web2py
> > application though - they should just be using good oldhttp://your_server.com.
> > My suggestion was that *you* could use stunnel when you need to get
> > remote access to the web2py admin screens.
>
> > Port redirection/forwarding ofhttp://server_ip:8443tohttp://server_ip:8000
> > (or 80 whatever port web2py is actually listening on) from the outside
> > probably wouldn't accomplish the goal of being able to access web2py's
> > admin without SSL - web2py will only allow non-SSL admin if the
> > connection comes from localhost and even with port redirection you
> > would not be connection from localhost.
>

> > So you can't accesshttp://server_ip/myfirstappoverstunnel without

> > getting the prompt for the admin password? That doesn't make sense.
> > Web2py should be behaving exactly the same whether or not you're using
> > stunnel. What do you get when you do put in the admin password? Do you
> > get your app or do you get the admin screen?
>
> > Sorry, can't help with the Mac thing - don't have a Mac.
>
> > ~Brian
>
> > On Feb 18, 11:09 am, Al <albertsec...@gmail.com> wrote:
>
> > > Brian,
>
> > > Thank you for your detailed instructions. I managed to get stunnel
> > > working, though it is a lot more complicated than I thought
> > > originally. On the windows server, the stunnel.conf file is setup as
> > > server mode and redirect port 8443 to 8000. On the client side, I also
> > > have to set up another stunnel as client mode and redirect
> > > 127.0.0.1:80 to 192.168.1.11 - server's IP address. As this server
> > > will be facing public, I cannot expect people to set up stunnel in
> > > their machine in order to access my website. I was expecting a tool
> > > which runs on the server side to do port redirection, and then when I

> > > type inhttp://server_ip:8443fromanothermachine, it will route me

> > > > when they type inhttp://myserver/youcaneitherwork with routes or