Hi Eric, Ahh... in this case maybe an AccessRule would be better. Note that you *can* use _SUPPRESS_ACCESS_RULE (or something like that, not sure of exact spelling) in the URL to override these.. but you have to *really* know about it to know that. take care, -steve On Sunday, August 5, 2001, at 04:25 PM, Eric Walstad wrote:
Thanks Steve, Yes, I have a redirect in there now similar to what you wrote below. One problem with doing it this way is that if the user *does* manage to get to the page on the insecure port, the password they enter will be sent to the server unencrypted. Then the redirect takes over and everything else is done securely, which is better than nothing, but to me the password is important. In my experience, even well educated users will manage to find an application's "undocumented secrets" (bugs) :). Thanks for all your feedback. It's been very helpful. Eric.
-----Original Message----- From: Steve Spicklemire [mailto:steve@spvi.com] Sent: Sunday, August 05, 2001 3:05 AM To: Eric Walstad Cc: Steve Spicklemire; zope@zope.org Subject: Re: [Zope] SSL + ProxyPass + Zope question...
Hi Eric,
Right... someone suggested a firewall.. which is fine if you want to make all of zope inaccessible on port 8080, and clearly it's a sure-fire solution. However it also requires that you have *access* to put up a firewall, which you might not! My thought was that, in Zope you could simply protect a particular area by adding code to standard_html_header in that area that did a check, e.g.,
<dtml-comment>If the request came in over plain http, send the browser to the same path on https before anything else is rendered.</dtml-comment>
<dtml-if "URL[:5] == 'http:'">
  <dtml-call "RESPONSE.redirect('https:' + URL[5:])">
  <dtml-return "'REDIRECTING.. to secure port.. '">
</dtml-if>
...
This way, you could still use 8080 for other things if you wanted to. I guess the question comes down to 'who are you trying to protect from doing what?'. If it's your own users then, as Joachim mentioned, maybe it's just a matter of education?
-steve
On Saturday, August 4, 2001, at 11:48 PM, Eric Walstad wrote:
Hi Steve, Well, in the condition I described, if the user knows the port that Zope is running on, they could bypass Apache altogether. So, what I need is to make Zope inaccessible to the outside world. That way, all traffic would have to be sent thru Apache. Thanks, Eric.
-----Original Message----- From: Steve Spicklemire [mailto:steve@spvi.com] Sent: Friday, August 03, 2001 4:16 PM To: Eric Walstad Cc: Steve Spicklemire; zope@zope.org Subject: Re: [Zope] SSL + ProxyPass + Zope question...
Hi Eric,
Apache sets an environment variable when SSL is used. You can check for that variable in an Access rule, or standard_html_header or some other method.
-steve
On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
Hello,
Apache is listening on port 80 and 443, Zope listening on port 8080. When a request comes in for port 443 (or HTTPS) Apache forwards the request to Zope on port 8080 and sends the results back out thru SSL, just as it should. If a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection is created and the password is forwarded to Zope after it's been sent thru SSL. However, if the user goes to http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request and it goes straight to Zope. The user is then prompted for a password, which would be sent back to Zope without SSL.
So my question is, how do I keep Zope from accepting any requests from the outside world unless they've gone thru Apache first? Can I tell Zope to listen on something like 192.168.1.123:8080 so that it will never see requests from the outside world?
TIA,
Eric.
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
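The two controls discussed in this thread, Steve's "redirect to https before the page renders" check and Eric's wish to refuse any request that did not come through Apache, written as a small WSGI middleware. This is an added example, not code from the thread or from Zope. It assumes, beyond what the thread states, that Apache runs on the same host as the backend (so relayed requests arrive from 127.0.0.1) and that Apache marks each relayed request with an X-Forwarded-Proto header; the thread itself used the request URL and Apache's SSL environment variable for the same decision. The host name mysite.com is the one from Eric's question; the peer addresses and requests at the bottom are constructed samples.

```python
from urllib.parse import quote

# Assumption (not from the thread): Apache runs on the same host as the
# backend, so a request it relayed always arrives from the loopback address.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})


def classify_request(environ, trusted_proxies=TRUSTED_PROXIES):
    """Decide what to do with one request, given its WSGI/CGI environment.

    'forbid'   - the peer is not the proxy: the request bypassed Apache.
    'redirect' - the proxy relayed it, but over plain http (port 80).
    'allow'    - the proxy relayed it over https (port 443).

    The peer check comes first on purpose: a client talking to port 8080
    directly can put any X-Forwarded-Proto header it likes on the request,
    so that header is only believed when the peer is the proxy itself.
    """
    peer = environ.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return "forbid"
    # Assumption: Apache adds this header to every relayed request (e.g. with
    # mod_headers). Steve's DTML looked at the URL scheme instead.
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto != "https":
        return "redirect"
    return "allow"


def https_location(environ, public_host):
    """Build the https:// URL for the same path, like Steve's
    'https:' + URL[5:], but on a configured public host name rather than
    whatever Host header the backend happens to see behind the proxy."""
    path = quote(environ.get("PATH_INFO") or "/")
    query = environ.get("QUERY_STRING", "")
    location = "https://%s%s" % (public_host, path)
    if query:
        location += "?" + query
    return location


class ProxyHttpsOnly:
    """WSGI middleware around an application (standing in for Zope here).

    It answers before the wrapped application can challenge for a password,
    which is Eric's point: credentials must never be typed into a page that
    was served over the insecure port."""

    def __init__(self, app, public_host, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.public_host = public_host
        self.trusted_proxies = trusted_proxies

    def __call__(self, environ, start_response):
        verdict = classify_request(environ, self.trusted_proxies)
        if verdict == "forbid":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"This port only accepts requests relayed by the proxy.\n"]
        if verdict == "redirect":
            headers = [("Location", https_location(environ, self.public_host)),
                       ("Content-Type", "text/plain")]
            start_response("301 Moved Permanently", headers)
            return [b"Redirecting to the secure port.\n"]
        return self.app(environ, start_response)


def protected_area(environ, start_response):
    """Stand-in for the password-protected area: it issues the 401 challenge,
    and is only reached once the middleware has said 'allow'."""
    start_response("401 Unauthorized",
                   [("WWW-Authenticate", 'Basic realm="PasswordProtectedArea"')])
    return [b"Authentication required.\n"]


def call(app, environ):
    """Run a WSGI app on one request and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed sample requests: a client hitting port 8080 directly with a
# forged header, Apache relaying a port-80 request, Apache relaying a
# port-443 request.
SAMPLE_REQUESTS = {
    "direct": {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_PROTO": "https",
               "PATH_INFO": "/PasswordProtectedArea/", "QUERY_STRING": ""},
    "via_http": {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_PROTO": "http",
                 "PATH_INFO": "/PasswordProtectedArea/", "QUERY_STRING": "page=2"},
    "via_https": {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_PROTO": "https",
                  "PATH_INFO": "/PasswordProtectedArea/", "QUERY_STRING": ""},
}

APP = ProxyHttpsOnly(protected_area, public_host="mysite.com")

if __name__ == "__main__":
    for name, environ in SAMPLE_REQUESTS.items():
        status, headers, _ = call(APP, environ)
        print("%-9s -> %s %s" % (name, status, dict(headers).get("Location", "")))
```

The ordering of the two checks is the part worth keeping in mind: the forwarded-protocol header is only meaningful once the peer address has shown that Apache, and not an arbitrary client on port 8080, sent the request. The redirect also happens before the 401 challenge is ever issued, so the password prompt can only be reached over https.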