防止直接文件访问龙卷风中的服务器文件
[英]Prevent direct file access to server files in tornado
问题描述
I'm using python with tornado webserver. 
我在龙卷风网络服务器上使用python。 the application works fine but I can't find a way to prevent the user on accessing server files directly via url. 该应用程序运行正常,但我找不到阻止用户直接通过url访问服务器文件的方法。 for example I have the following files in the server: 例如,我在服务器中有以下文件:
program.py program.py
index.html 的index.html
main.html main.html中
i wanted to prevent the user from accessing the above server files directly via web url 我想防止用户直接通过网址访问上述服务器文件
ex: localhost:8080/program.py or /index.html 例如:localhost:8080 / program.py或/index.html
i only wanted them to access localhost:8080/ or /home 我只希望他们访问localhost:8080 /或/ home
Thanks in advance 提前致谢
from ws4py.client.tornadoclient import TornadoWebSocketClient
import tornado.ioloop
import tornado.web
import tornado.websocket
import tornado.template
SETTING_CLIENT_LISTEN_PORT = 8080
class MainHandler(tornado.web.RequestHandler):
def get(self):
try:
loader = tornado.template.Loader(".")
self.write(loader.load("index.html").generate())
except Exception as e:
print("exception occured", e)
class CWSHandler(tornado.websocket.WebSocketHandler):
global waiters
def open(self):
print('###FUNCTION CWSHandler.open(self) start')
def on_close(self):
print('###FUNCTION CWSHandler.open(self) close')
def on_message(self, message):
print('###FUNCTION CWSHandler.on_message msg:', message)
settings = {
"cookie_secret": "bZJc2sWbQLKos6GkHn/VB9oXwQt8S0R0kRvJ5/xJ89E=",
"login_url": "/",
}
application = tornado.web.Application(handlers=[
(r'/', MainHandler),
(r'/cws', CWSHandler),
(r"/(.*)", tornado.web.StaticFileHandler,{'path':'./'})
], cookie_secret="bZJc2sWbQLKos6GkHn/VB9oXwQt8S0R0kRvJ5/xJ89E=")
if __name__ == "__main__":
server = tornado.httpserver.HTTPServer(application)
server.listen(SETTING_CLIENT_LISTEN_PORT)
try:
tornado.ioloop.IOLoop.instance().start()
server.stop()
except KeyboardInterrupt:
print("Keyboard interupt")
pass
finally:
server.stop()
tornado.ioloop.IOLoop.instance().stop()
1 个解决方案
解决方案1
2 已采纳 2017-09-25 10:37:19
The problem is with your urls, specifically: 问题出在您的网址,特别是:
(r"/(.*)", tornado.web.StaticFileHandler,{'path':'./'})
You have mapped r'/(.*)' to {'path': './'} , which is your project directory. 您已经将r'/(.*)'映射到{'path': './'} ,这是您的项目目录。 So, if a request comes in like localhost:8080/program.py , it will be matched with this - /(.*) and tornado will then look for a file named program.py in your project directory. 因此,如果一个请求像localhost:8080/program.py一样/(.*) ,它将与此- localhost:8080/program.py /(.*)匹配,然后龙卷风将在您的项目目录中查找名为program.py的文件。 If it finds it there, it will serve that file. 如果在此找到它,它将提供该文件。
You should keep all your static files in a separate directory called static (you can name it anything you want, though) inside your project dir. 您应该将所有静态文件保存在项目目录中一个单独的目录中,该目录称为static (尽管您可以命名为任意名称)。 Then map this directory with the desired url. 然后使用所需的URL映射此目录。
Example: 例:
(r"/(.*)", tornado.web.StaticFileHandler,{'path': 'static'})
Or better yet, serve that directory under a /static/ url instead of - .* . 或者更好的是,在/static/ url下而不是- .*下提供该目录。
(r"/static/(.*)", tornado.web.StaticFileHandler,{'path': 'static'})
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.