Web2py & nginx - do I have to set up static folder - authentication

I'm running nginx/uWSGI and trying to lock down a web2py site using 'auth.requires_login()' (https://groups.google.com/forum/#!topic/web2py/0j92-sPp4bc) so that only logged in users can get to it, even the content under /static/. If I set up nginx config file with
location ~* /(\w+)/static/ {
    root /home/www-data/web2py/applications/;
}
as recommended in the docs, won't that bypass the access control, and allow anyone to see the static content? If I leave this line out of the config file, will web2py still share the static content to logged-in users (although presumably a little slower)?

Yes, using that nginx rule will bypass web2py. Removing it and letting web2py handle /static/ won't change much either, as this is directly from the web2py manual:
http://127.0.0.1:8000/a/static/filename
There is no controller called "static". web2py interprets this as a request for the file called "filename" in the subfolder "static" of the application "a".
When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models.
So because there is no controller, you cannot directly use auth.requires_login() for static content. This is because files in /static/ are generally not meant to be access-controlled, or else browsers will not be able to get the css, js, etc. needed to even render the welcome or login page.
However, if you still want site-wide access control to static files (i.e. private pdf files) you can do it like so:
in your application directory, create a folder called private_static
then in your controller add the following:
# default.py
import os

@auth.requires_login()  # decorator form, so the login check runs on every request
def private_static():
    filename = os.path.join(*request.args)
    allowed = ['private1.pdf', 'private2.pdf']  # have some kind of validation for security!
    if filename not in allowed:
        raise HTTP(404)
    # open in binary mode so PDFs are streamed byte for byte
    return response.stream(open(os.path.join(request.folder, 'private_static', filename), 'rb'))
and in your view something like the following:
Private Document
Now accessing http://.../private_static/private1.pdf will force the user to log in before getting the static file.
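The comment in the controller above asks for "some kind of validation". As an added example (not part of the original answer or of web2py), here is one way to do that check when a fixed allow-list is impractical: resolve the request.args segments against the private_static folder and refuse anything that leaves it. The names resolve_private_file, AccessDenied and demo, and the sample files, are hypothetical and constructed for the illustration.

```python
import os
import tempfile

class AccessDenied(Exception):
    """Raised when a name must not be served (map it to HTTP 404)."""

def resolve_private_file(base_dir, args):
    """Map URL path segments (like request.args) to a real file inside base_dir."""
    if not args:
        raise AccessDenied("no filename given")
    for seg in args:
        # Reject empty, dot and dot-dot segments, path separators and NUL bytes.
        if seg in ("", ".", "..") or "/" in seg or "\\" in seg or "\x00" in seg:
            raise AccessDenied("bad path segment: %r" % seg)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *args))
    # realpath() follows symlinks, so a link pointing outside base fails here.
    if os.path.commonpath([base, candidate]) != base:
        raise AccessDenied("path escapes private_static")
    if not os.path.isfile(candidate):
        raise AccessDenied("not a regular file")
    return candidate

def demo():
    """Run the resolver over constructed inputs; returns {label: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as app:
        private = os.path.join(app, "private_static")
        os.mkdir(private)
        with open(os.path.join(private, "private1.pdf"), "wb") as f:
            f.write(b"%PDF-constructed sample")
        with open(os.path.join(app, "secret.cfg"), "w") as f:
            f.write("not for download")
        cases = {
            "ok": ["private1.pdf"],
            "traversal": ["..", "secret.cfg"],
            "embedded": ["../secret.cfg"],
            "missing": ["private3.pdf"],
            "empty": [],
        }
        for label, args in cases.items():
            try:
                resolve_private_file(private, args)
                results[label] = "served"
            except AccessDenied:
                results[label] = "denied"
    return results
if __name__ == "__main__":
    print(demo())
```

In the controller, the returned path would be the one opened and passed to response.stream, with AccessDenied turned into HTTP(404).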

Related

NextJS doesn't create index.html for subfolders in static export

I made a fully static website using NextJS, exported it and I'm hosting it on S3 using static website hosting. I can click around and successfully view all the pages, including example.com/blog. However if in the browser I click refresh, or enter example.com/blog directly, I get a 404 Not Found error.
When viewing the exported files, I see that /blog/ has no index.html file, even though there should be (in my opinion) since in the original source files I have a /blog/index.ts file, and when in dev mode I can refresh localhost/blog or enter it directly and it works as expected.
In summary, I believe NextJS should create a /blog/index.html file but it doesn't. Is there any way to force this? Am I doing something wrong? Thank you!
To generate an index.html file when exporting to static HTML, enable the trailingSlash setting in your next.config.js:
module.exports = {
  trailingSlash: true,
}
./out/blog.html should now become ./out/blog/index.html after the export.

.htaccess Block direct access to subdirectories, but allow them to be called via JQuery/images/etc

My main index.php calls a couple of scripts via jQuery from a subdirectory. I need to block direct access to any files in this directory, but allow them to be accessed by index.php. I have tried the simple:
deny from all
approach, but this blocks even jQuery from loading the script. There is also an /images subdirectory that needs to be blocked from direct access. deny all disallows the image from being called in any way. Does anyone know how to do this?
Just use the file functions of PHP to get the content of the protected files, so only your PHP file (e.g. index.php) is able to handle the files of the protected dir.
useful functions are:
file_get_contents()
fread()
...
Then you can include the JS code in your output HTML or send the content out as an image (then you should take a look at the header() function).

Prevent access to files from Apache without .htaccess

(LAMP server configuration)
As a workaround for another problem, I need PHP to be able to access local files, but prevent these files from being served over http by Apache.
Normally, I would just use .htaccess to accomplish this, however due to institutional restrictions, I cannot. I also can't touch php.ini, although I can use php_ini_set within php.
As a creative solution, I thought that if php executes as its own linux user (not as apache) I could use normal chown's and chmod's to accomplish this.
Again, the goal is simply to have a directory of files that apache will not display, but php can access.
I'm open to any suggestions.
Put the files outside of your web accessible root (DocumentRoot), but keep them accessible via PHP.
Suggestion:
/sites
/sites/my.site.com
/sites/my.site.com/data // <-- data goes here
/sites/my.site.com/web // <-- web root is here
Here's a thought. Set the permissions on the files to be inaccessible to even the owner, then when PHP needs them, chmod() them, read them, then chmod() them back to inaccessible.

Apache redirect entire folder content

I need to access some static files in a folder from different domains. I thought that, instead of making several copies of that folder in each domain's public folder, I could make some type of redirection or hard linking in Apache to redirect them.
For example, I could access the common static files from www.abc.com/static/* and www.def.com/static/*, and internally, both urls point to the same folder "/home/static/*", transparently for the user and the browser.
You are looking for Alias.
What you want to do, however (creating an alias pointing to a directory outside the web root) needs to be done in the central configuration.
Alias /static /var/www/shared/static

Link to file outside context root of weblogic

If I want to display an image in my webpage and its src is a file outside context root.
At the IDE, the image is shown to be loaded.
But when I test the web page, nothing displayed.
How can I configure the WebLogic server to allow the image to be displayed? If not, is there any way to work around this problem?
Thanks a lot.
You can use the Virtual Directory Mapping feature (that you declare in the weblogic.xml):
Using the virtual directory mapping feature, you can create one directory to serve static files such as images for multiple Web Applications. For example, you would create a mapping similar to the following:
<virtual-directory-mapping>
    <local-path>c:/usr/gifs</local-path>
    <url-pattern>/images/*</url-pattern>
</virtual-directory-mapping>
A request to http://localhost:7001/mywebapp/images/test.gif will cause your WebLogic Server implementation to look for the requested image at: c:/usr/gifs/images/*.
This directory must be located in the relative uri, such as "/images/test.gif".