On Jul 2, 2012, at 7:05 AM, Chris wrote:
> Opened as issue #820 on 25-May-2012, see 
> http://code.google.com/p/web2py/issues/detail?id=820 

There are two things going on here. I think.

One is web2py's practice of storing per-port admin passwords. This is arguably 
a security measure, though in many environments it's not clear that it adds 
much. 

The other thing is the SERVER_PORT header showing up as the port from the 
client side of the tunnel instead of the server side. This is (again: I think) 
a feature (of the tunnel and Apache), not a bug. The general idea is that 
redirects, which are (I think) absolute URLs, need to be presented with the 
port the client expects, not the port the server actually runs on. A side 
effect of the logic that accomplishes this is that the SERVER_PORT header, 
which web2py uses to generate the parameters_port.py name, reflects the server 
port from the client's point of view.

A possible fix/workaround: if the per-port parameters file doesn't exist, look 
for parameters_default.py and use that. There's only one place in web2py that 
reads this file (access.py), so the impact would be limited. You'd have to 
create the file manually, but only once, and it'd work for all the user-side 
port choices.

Caveat: someone who knows more than I do about the subtleties of web proxies 
might want to chime in.

BTW, you might want to look into the alternative of having ssh set up a SOCKS 
proxy, which I think makes some aspects of browser tunneling less painful.

> 
> 
> On Wednesday, May 23, 2012 10:03:04 PM UTC-4, Chris wrote:
> This seems like a problem in web2py or mod_wsgi -- or else I am confused.  
> Would appreciate any pointers from the experts.
> 
> I'm running web2py 1.99.7 on a Red Hat (RHEL 6) server using Apache 2.2.15 
> and mod_wsgi 3.3.  This is all running on a small virtual server at Amazon 
> Web Services.
> 
> Since I don't want to open that box up to the world, I have been using ssh 
> tunneling to allow processes on my local machine to connect to the AWS 
> machine as if that is my local host.
> 
> That is done via ssh command lines that look like this:
> 
> ssh -i hs-test-000001.pem -L *:55080:localhost:80 -N [email protected] &
> ssh -i hs-test-000001.pem -L *:55443:localhost:443 -N [email protected] &
> 
> The -L option has ssh create a listener on local port 55080 and forward all 
> traffic to that port to IP address 107.21.240.172 / its localhost port 80.  
> The second command line is the same for port 443 (https).
> 
> This works well.  I can open a browser on my local machine, type 
> localhost:55080 in the address bar, and it does indeed connect with the 
> remote server and serve up the Welcome app.  (The AWS machine -- Apache and 
> web2py -- function just as if the request came from that localhost.  The 
> response is the same if I use a prompt on the AWS host and run 'curl 
> localhost:80'.  It all checks out.  So far so good.
> 
> The problem has to do with how port numbers are interpreted on the AWS 
> machine.  Browsing locally to http://localhost:55080 worked fine, but 
> https://localhost:55443 resulted in an error.  After reading the error dump 
> file and putting a little debug code in applications / admin / models / 
> access.py, I could see the failure was caused by access.py trying to open a 
> local password file 'parameters_55443.py'.  And indeed, when I copied the 
> existing parameters_443.py file and named the copy parameters_55443.py, 
> everything worked -- https://localhost:55443/admin brought up the admin app 
> as I had expected.
> 
> I don't understand why the AWS web2py process would care about the port 
> number from the client machine that initiated the request.  More than that, I 
> don't understand how web2py even knows what the port number from the client 
> is, since supposedly that is all handled in the ssh client side / sshd server 
> side process that ssh -L provides.
> 
> To look further into this, I made a change in access.py to dump the entire 
> 'request' structure to the Apache error log and paged through this.  The port 
> number 55443 shows up several times:
> 
> -- 'HTTP_REFERER': 'https://localhost:55443/admin/default/site'
> -- 'SERVER_SIGNATURE': '<address>Apache/2.2.15 (Red Hat) Server at localhost 
> Port 55443</address>
> -- 'SERVER_PORT': '55443'
> -- 'HTTP_HOST': 'localhost:55443'
> -- 'mod_wsgi.application_group': 'ip-10-114-191-91.ec2.internal:55443|
> 
> This is concerning because it means I may need to create new / redundant 
> parameters_*.py files for multiple port numbers on a production machine if we 
> use multiple port numbers in the ssh -L bridging.
> 
> More than that, it makes me wonder if there is something wrong with mod_wsgi 
> or WSGI or how I have set them up -- and will this cause other problems.
> 
> Does it make sense that Apache and web2py would be aware of / use the port 
> number from the remote client when it is mapped to a local port?
> 
> It seems like a bug to me.
> 
> Thanks
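The lookup described in the thread and the proposed parameters_default.py fallback, as an added example (not web2py's own access.py code): the file names and the SERVER_PORT dependence come from the thread, the single-folder layout and the validation of the port value are assumptions of this example.

```python
import os
import re
import tempfile

# Added example, not web2py's code: models the admin password-file lookup
# keyed on SERVER_PORT and the fallback to parameters_default.py suggested
# in the reply above. Directory layout is simplified to one folder.

_PORT_RE = re.compile(r"^[0-9]{1,5}$")


def parameters_file_for(environ, folder):
    """Return the password file to consult for this request, or None.

    environ is a WSGI environ dict. Behind an 'ssh -L' tunnel SERVER_PORT
    carries the client-side port (55443 in the thread), so the value is
    treated as untrusted input: anything that is not a plain port number
    is ignored rather than spliced into a filename.
    """
    port = environ.get("SERVER_PORT", "")
    if not _PORT_RE.match(port):
        return None
    per_port = os.path.join(folder, "parameters_%s.py" % port)
    if os.path.exists(per_port):
        return per_port
    default = os.path.join(folder, "parameters_default.py")
    if os.path.exists(default):
        return default
    return None


def demo():
    """Constructed folder with parameters_443.py and parameters_default.py,
    resolved for a direct request, a tunnelled request and a bad value."""
    folder = tempfile.mkdtemp()
    for name in ("parameters_443.py", "parameters_default.py"):
        with open(os.path.join(folder, name), "w") as fh:
            fh.write("password = 'constructed-hash'\n")  # constructed content
    results = {}
    # direct https request on the server itself: per-port file is used
    results["443"] = os.path.basename(
        parameters_file_for({"SERVER_PORT": "443"}, folder))
    # request via 'ssh -L *:55443:localhost:443': no per-port file, use default
    results["55443"] = os.path.basename(
        parameters_file_for({"SERVER_PORT": "55443"}, folder))
    # malformed SERVER_PORT: no file is consulted at all
    results["bad"] = parameters_file_for({"SERVER_PORT": "../x"}, folder)
    return results
```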

