the easiest way to prevent *all* outside access to zope directly, if your apache and zope run on the same box, is to have zope listen on the localhost address only (127.0.0.1). simply pass "-X -w 127.0.0.1:8080" to the start script (the actual port doesn't matter that much). the "-X" option is there to turn off any services that might want to start up and listen, like FTP or the monitor daemon. then you just change your rewrite or proxy rules in apache to redirect through port 127.0.0.1
jens
On Sunday, August 5, 2001, at 12:48 , Eric Walstad wrote:
Hi Steve,
Well, in the condition I described, if the user knows the port that Zope is running on, they could bypass Apache altogether. So, what I need is to make Zope inaccessible to the outside world. That way, all traffic would have to be sent thru Apache.
Thanks,
Eric.
-----Original Message-----
From: Steve Spicklemire [mailto:steve@spvi.com]
Sent: Friday, August 03, 2001 4:16 PM
To: Eric Walstad
Cc: Steve Spicklemire; zope@zope.org
Subject: Re: [Zope] SSL + ProxyPass + Zope question...
Hi Eric,
Apache sets an environment variable when SSL is used. You can check for that variable in an Access rule, or standard_html_header or some other method.
-steve
On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
Hello,
Apache is listening on port 80 and 443, Zope listening on port 8080. When a request comes in for port 443 (or HTTPS) Apache forwards the request to Zope on port 8080 and sends the results back out thru SSL, just as it should. If a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection is created and the password is forwarded to Zope after it's been sent thru SSL. However, if the user goes to http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request and it goes straight to Zope. The user is then prompted for a password, which would be sent back to Zope without SSL.
So my question is, how do I keep Zope from accepting any requests from the outside world unless they've gone thru Apache first? Can I tell Zope to listen on something like 192.168.1.123:8080 so that it will never see requests from the outside world?
TIA,
Eric.
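
Added example (not part of the original thread, and not Zope or Apache code): a check that the loopback-only binding suggested in the reply at the top of this thread actually took effect, by parsing `ss -ltn` listener output and reporting every listener bound to a non-loopback address on a port other than Apache's 80 and 443. The two sample outputs, port 8021 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `ss -ltn` output: backend started on all interfaces, extra service up.
SAMPLE_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    *:8021             *:*
"""

# Constructed output after restarting with "-X -w 127.0.0.1:8080".
SAMPLE_AFTER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
"""


def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed


def exposed_listeners(ss_output, public_ports=(80, 443)):
    """Return (address, port) pairs that accept off-box connections and are
    not one of the front-end ports Apache is meant to serve."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) not in public_ports and not is_loopback(host):
            found.append((host, int(port)))
    return found


if __name__ == "__main__":
    print("before:", exposed_listeners(SAMPLE_BEFORE))
    print("after: ", exposed_listeners(SAMPLE_AFTER))
```

An empty result means the only path to the backend from another host is through Apache; any entry is a port that still bypasses it.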