0

I followed the instructions in the web2py manual on how to connect to a remote web2py via ssh tunnel. SSH to my server appears to work just fine:

```
[~/prg]$ ssh -L 8002:127.0.0.1:8002 username@linux-server.com
Linux schemelab2 4.6.5-x86_64-linode71 #2 SMP Fri Jul 29 16:16:25 EDT 2016 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
```

but just as others have failed, when I attempt to visit http://localhost:8002 or https://localhost:8002 I get a number of connection refused messages:

```
channel 3: open failed: connect failed: Connection refused
channel 4: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 4: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
```

If it helps any, here is my sshd_config

Also note: telnet localhost 8002 yields

```
schemelab@schemelab2:~$ telnet localhost 8002
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
schemelab@schemelab2:~$
```

Terrence Brannon
  • Possible duplicate of [SSH -L connection successful, but localhost port forwarding not working "channel 3: open failed: connect failed: Connection refused"](http://stackoverflow.com/questions/18705453/ssh-l-connection-successful-but-localhost-port-forwarding-not-working-channel) – Kenster Dec 13 '16 at 14:43

1 Answer

3

Could be one of several possible reasons. I am assuming you are mostly interested in accessing the web2py admin page on your remote server, since web2py doesn't allow remote admin access over an insecure channel... So first things first, you want to make sure your server's IP Tables are allowing access to services on the port you are trying to connect to, otherwise these remote connection solutions probably won't work (except for perhaps Plan C). See here for more info: https://help.ubuntu.com/community/IptablesHowTo

Firstly, let me show you how I SSH tunneled to web2py via dozens of servers I used in the past. I'll be using port 8889 in my examples:

```
ssh -L 8889:127.0.0.1:8889 username@linux-server.com
```

Just like with a normal SSH, you should now see the shell of your server (which you have demonstrated). Now, in the same terminal, cd to your server's root web2py directory and do the following (do not close the terminal window after):

```
> cd mywebite.com
> python web2py.py -a password -i 127.0.0.1 -p 8889
*web2py startup stuff*
```

Now on your local browser visit http://127.0.0.1:8889/admin and you should see the web2py admin page from your server.

Plan B - Using self-signed SSL certificate

If you're still having issues with ssh tunnel, another option you can try is using a self-signed SSL certificate.

Making a self-signed certificate is very easy with OpenSSL, and you can also use some online self-signed certificate generators (though I don't recommend this) to save you even more time.

Once you have your generated .crt and .key files, sftp to your server and upload the files to your server's root web2py directory (or upload them to Dropbox, ssh to your server, cd to your root web2py directory and wget the file links). Finally ssh to your server and do the following (do not close the terminal window after):

```
> cd mywebite.com
> python web2py.py -a password -p 8889 -i 0.0.0.0 -c server.crt -k server.key
*web2py startup stuff*
```

Now on your browser enter (notice the https) https://xxx.xxx.xxx.xxx:8889/admin (xxx... being your server IP), or you can do https://mywebsite.com:8889/admin if you already have your domain name setup.

Now you should see an SSL security warning on your browser. Simply ignore this warning and add an exception, and finally you should be able to see the web2py admin page from your server.

Plan C - Edit web2py source

This is the least recommended plan to allow admin over insecure channel, and should be used as a last resort. You can simply edit the part of the web2py source code that disables admin by just adding one line of code. In <server's root web2py directory>\applications\admin\models\access.py (around line 21) put request.is_local=True before the part that disables admin over insecure channel:

```python
'...'
request.is_local = True  # TESTING ONLY. COMMENT OUT OR REMOVE IN PRODUCTION!
if request.env.http_x_forwarded_for or request.is_https:
    session.secure()
elif not request.is_local and not DEMO_MODE:
    raise HTTP(200, T('Admin is disabled because insecure channel'))
'...'
```

Now you can access your server's web2py admin by simply visiting http://xxx.xxx.xxx.xxx:8889/admin (xxx... being your server IP), or you can do http://mywebsite.com:8889/admin if you already have your domain name setup.

Note this is a quick and dirty solution and should be used only temporarily and for testing. Don't forget to remove or comment out that line in production!

Himel Das
  • thank you. The reason it failed is [the web2py book has a bug](http://web2py.com/books/default/chapter/29/13/deployment-recipes#Securing-sessions-and-admin) ... if you notice they put an ampersand after *both* of the first two ssh commands when there should only be one after the first. – Terrence Brannon Dec 26 '16 at 12:54
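
An added diagnostic sketch, not part of the question, the answer or web2py: the `channel N: open failed: connect failed: Connection refused` lines mean sshd on the server could not reach the forward's destination, so this parses the `-L` spec and tests that destination when run on the server. The function names are hypothetical, the demo listener is constructed, and bracketed IPv6 literals in the spec are not handled.

```python
import socket

def parse_forward(spec):
    """Split an ssh -L spec: [bind_address:]port:host:hostport (no bracketed IPv6)."""
    parts = spec.split(":")
    if len(parts) == 4:          # drop the optional local bind address
        parts = parts[1:]
    if len(parts) != 3:
        raise ValueError("expected [bind_address:]port:host:hostport, got %r" % spec)
    return int(parts[0]), parts[1], int(parts[2])

def probe(host, port, timeout=2.0):
    """Connect to every address `host` resolves to; return [(address, status)]."""
    results = []
    for family, kind, proto, _, addr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        try:
            with socket.socket(family, kind, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(addr)
            status = "listening"
        except ConnectionRefusedError:
            status = "refused"       # nothing bound to this address and port
        except OSError as exc:
            status = "error: %s" % exc
        results.append((addr[0], status))
    return results

def forward_target_ready(spec):
    """True if the forward's destination accepts TCP connections from here."""
    _, host, hostport = parse_forward(spec)
    return any(status == "listening" for _, status in probe(host, hostport))

if __name__ == "__main__":
    # Constructed demo: a throwaway loopback listener stands in for web2py.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    spec = "8002:127.0.0.1:%d" % port
    print(spec, probe("127.0.0.1", port), forward_target_ready(spec))
    listener.close()             # same spec, but the service is now stopped
    print(spec, probe("127.0.0.1", port), forward_target_ready(spec))
```

Probing `localhost` instead of `127.0.0.1` reports `::1` and `127.0.0.1` separately, which shows whether a service started with `-i 127.0.0.1` is reachable on only one of them.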