Didn't mean to startle anyone... amusement is personal entertainment, 
meant as "if you want to try facing the huge problem by yourself and you 
are willing to read through tons of docs".

That being said, IMHO the question was/is ill posed. "wsgi" (no *U*wsgi, no 
*MOD_*wsgi) is just a spec. Anyone telling you "you can't use wsgi because it's 
not safe" is basically telling you NOT to use python for web development, 
because it's really the only standard out there for python apps.

In your "quoted parenthesis"

*(which means not using web2py with apache)*

you probably pointed at a reference to running wsgi under apache... that 
is mod_wsgi. Now, mod_wsgi works. It has some configuration parameters that 
are hard to fine tune, but unrelated to security. As Kiran pointed out, 
there are multiple CVEs affecting it.
We, as web2py-developers, don't "block" any deployment method. Web2py 
exposes a wsgi interface, and provides adapters for cgi, fastcgi, scgi and 
wsgi protocols. You can deploy web2py also behind a reverse proxy using the 
included webservers. This translates to "pretty much everywhere and behind 
anything".

However we, as "support people", often see lots of users facing really 
weird issues deploying web2py with mod_wsgi under apache, and since there 
are alternatives that are far superior (fewer headaches, less resource 
hungry, more scalable and with fewer security concerns), we "encourage" dropping 
apache+mod_wsgi architectures in favour of nginx+uwsgi ones.
Apache in production DEFINITELY suffers from a very simple DDoS attack known as 
slowloris, which anyone knows about, is easy to do from any home internet 
connection and can be mitigated only if you put something in FRONT of 
it. Why not just drop apache altogether?

In the end, web2py "should" be run under apache if and only if apache is 
a requirement in itself (e.g. it runs other applications written in other 
programming languages).

That being said, if you can point out the full extent of your chat we'll 
probably be able to pinpoint the scary part and address your concerns. 
If the problem is really "how can I prevent my web2py app from sending GET 
requests to other domains", the reply is simply "don't issue requests to 
other domains". But that would be true independently of the webserver of 
your choice.
If the problem is, on the other hand, "I've been told that mod_wsgi can be 
exploited if not properly tuned, regardless of the underlying python app", 
once again, the options are (from safest to least safe):
- consider something other than apache
- call an expert to fix apache and mod_wsgi
- read through the mod_wsgi docs, mailing list and CVEs and pinpoint the 
needed fix



-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
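The nginx-in-front-of-uwsgi architecture the reply recommends, with slow-client timeouts and a per-IP connection cap as the "something in FRONT" against slowloris. This is an added example, not configuration from the original post or from the web2py project; it is the `http` section of an nginx.conf (the `events` block and the rest of the file are omitted), and the host name, install path, socket path, timeouts and limits are assumptions.

```nginx
# Added example: nginx as the front end, uwsgi serving web2py behind it.
# Not from the original post or web2py; host name, paths and numbers are assumed.
http {
    # Cap concurrent connections per client IP (hypothetical limit of 20 below).
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 80;
        server_name web2py.example.invalid;   # placeholder host name
        limit_conn perip 20;

        # nginx reads the complete request before contacting the app, so a
        # client that trickles headers or body slowly occupies an nginx
        # connection rather than a uwsgi worker, and is dropped once these
        # timeouts expire.
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;
        keepalive_timeout     15s;
        client_max_body_size  8m;

        # Serve each web2py application's static files directly; only dynamic
        # requests are forwarded to uwsgi.
        location ~* ^/(\w+)/static/(.*)$ {
            alias /opt/web2py/applications/$1/static/$2;   # assumed install path
        }

        location / {
            include uwsgi_params;
            uwsgi_pass unix:/run/web2py/uwsgi.sock;        # assumed socket path
            uwsgi_read_timeout 60s;
        }
    }
}
```

On the other side of the socket, uwsgi would be started with web2py's `wsgihandler.py` as the WSGI entry point, e.g. `uwsgi --master --socket /run/web2py/uwsgi.sock --chdir /opt/web2py --wsgi-file wsgihandler.py` (paths assumed as above).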