Some of the information here may be outdated, please check the book instead

In general it is not a good idea to expose publicly admin and yourapp/appadmin unless they go over HTTPS and you enable secure cookies with


This is true for web2py and any other web application: If you do not want your passwords to transmit unencrypted, your sesion cookies should not either!

In fact, by default, for security, web2py admin does not work if the client is not localhost.

An easy way to setup a secure production environment on a server (@serveraddress) is to:

  • start two instances of web2py:

    nohup python2.5 web2py -p 8000 -i -a '' &

    nohup python2.5 web2py -p 8001 -i -a password &

  • use apache mod_proxy to redirect port 80 to port 8000 (there will be no admin because no password) this is the public site

  • from your client machine connect to the second using a ssh tunnel:

    ssh -L 8001: username@serveraddress

  • connect to on the local computer to access the admin of the remote (serveraddress) computer.

All communication via port 8001 will be accessible to you only and encrypted.

© 2008-2010 by Massimo Di Pierro - All rights reserved - Powered by web2py - design derived from a theme by the earlybird
The content of this book is released under the Artistic License 2.0 - Modified content cannot be reproduced.