On Mon, 20 Aug 2001, Todd Hepler wrote:
I'm relatively new to Zope and Python.
I have Apache with ProxyPass (port 80) set up on the same box as Zope with a VirtualHostMonster (port 8080). I want to make it so that clients cannot "go around" Apache and talk directly to port 8080, so I'm looking for a way to make Zope only accept requests that come from localhost (or a specified IP address). I can't find anything on zope.org related to ACLs of this nature or blocking access to ZServer based on IP address. Any ideas? I dug through the medusa and ZServer code, but the answer isn't jumping out at me.
Sean Upton already gave you some good answers -- but an additional important step is to use Wietse Venema's TCP Wrappers to limit access right there on the box. The internet interface isn't the only unsafe one...
I'm running Zope 2.4.0 with Python 2.1.1 on Solaris 2.7.
Why would I want this? (you might ask)
To scale, I want to be able to turn on caching in Apache, or replace Apache with squid. This won't improve performance if the pages that come out of Zope refer directly to port 8080. The clients would end up "going around" the cache.
You can also put squid in front of the Zope server in a transparent acceleration mode -- look on LDP for a HOWTO. (should be valid on Solaris).
I know there are ways to make Zope generate appropriate URLs and thus not go around port 80, but I'm not interested in those solutions here. Even those solutions won't stop someone from hardcoding a reference to port 8080 in one of their pages. I want to simply shut off access to it in the first place so that if someone even tries it, they fail.
Thanks, -todd
-- Jack Coates Monkeynoodle: A Scientific Venture...
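
The restriction asked for in this thread (answer only localhost or one specified IP on the backend port), as an added example that is not code from Zope, ZServer, medusa or either poster. The names `ALLOWED`, `peer_allowed`, `serve_once` and `demo` are hypothetical, and 192.0.2.10 is a constructed documentation address standing in for the "specified IP".

```python
import ipaddress
import socket
import threading

# Assumption: only the local front-end proxy (loopback) and one
# constructed documentation address may reach the backend port.
ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]

def peer_allowed(addr, allowed=ALLOWED):
    """Return True if the peer address falls inside an allowed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable peer address: fail closed
    # An IPv4-mapped IPv6 peer (::ffff:a.b.c.d) is judged as its IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in allowed if net.version == ip.version)

def serve_once(listener, allowed=ALLOWED):
    """Accept one connection; answer only an allowed peer, else just close."""
    conn, (host, _port) = listener.accept()
    with conn:
        if not peer_allowed(host, allowed):
            return False  # dropped without sending a byte
        conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nbackend\n")
        return True

def demo():
    """Run one request against a loopback-only listener (constructed test)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Binding to 127.0.0.1 instead of 0.0.0.0 already keeps remote hosts out.
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=lambda: result.update(served=serve_once(listener)))
    t.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        body = c.recv(1024)
    t.join()
    listener.close()
    return result["served"], body

if __name__ == "__main__":
    print(demo())
```

The loopback bind and the accept-time check are independent layers: the bind removes the port from external interfaces, and the check still applies if the listener is later rebound to a wider address.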