In general it is not a good idea to expose admin and yourapp/appadmin publicly unless they go over HTTPS and you enable secure cookies with

`response.cookies[response.session_id_name]['secure']=True`

This is true for web2py and any other web application: **If you do not want your passwords to be transmitted unencrypted, your session cookies should not be either!**

In fact, by default, for security, web2py admin does not work if the client is not localhost.

An easy way to set up a secure production environment on a server (@serveraddress) is to:

- start two instances of web2py:

  `nohup python2.5 web2py.py -p 8000 -i 127.0.0.1 -a '' &`

  `nohup python2.5 web2py.py -p 8001 -i 127.0.0.1 -a password &`

- use Apache mod_proxy to redirect port 80 to port 8000 (there will be no admin because there is no password); this is the public site
- from your client machine, connect to the second instance using an SSH tunnel:

  `ssh -L 8001:127.0.0.1:8001 username@serveraddress`

- connect to 127.0.0.1:8001 on the local computer to access the admin of the remote (serveraddress) computer.

All communication via port 8001 will be accessible to you only and encrypted.
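
An added example, not part of the original page or of web2py itself: a small Python 3 check for the two conditions described above, that each instance is launched bound to loopback and that session cookies carry the Secure attribute. The `session_id_<app>` cookie naming, the default bind address and the sample inputs are assumptions constructed for illustration.

```python
import shlex
from http.cookies import SimpleCookie

SESSION_PREFIX = "session_id_"   # assumption: web2py names cookies session_id_<app>
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DEFAULT_BIND = "127.0.0.1"       # assumption: bind address used when -i is omitted


def audit_launch(cmdline):
    """Check one web2py launch command: -i is the bind address, -a the admin password."""
    args = shlex.split(cmdline)
    # Pair each option of interest with the argument that follows it.
    opts = {a: args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-i", "-a")}
    findings = []
    if opts.get("-i", DEFAULT_BIND) not in LOOPBACK:
        findings.append("not bound to loopback")
        if opts.get("-a"):  # a non-empty password means admin is enabled
            findings.append("admin enabled on a non-loopback address")
    return findings


def insecure_session_cookies(set_cookie_headers):
    """Return the names of session cookies sent without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.startswith(SESSION_PREFIX) and not morsel["secure"]:
                missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed sample inputs: launch lines and Set-Cookie header values.
    launches = [
        "nohup python2.5 web2py.py -p 8000 -i 127.0.0.1 -a '' &",
        "nohup python2.5 web2py.py -p 8001 -i 0.0.0.0 -a password &",
    ]
    for line in launches:
        print(line, "->", audit_launch(line) or "ok")
    headers = [
        "session_id_admin=127-0-0-1-EXAMPLE; Path=/",
        "session_id_yourapp=127-0-0-1-EXAMPLE; Path=/; Secure",
    ]
    print("missing Secure:", insecure_session_cookies(headers))
```
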