Thanks a lot! I am going to discuss the topic with my network admin.

(1) Just one more thing to make sure: There is no possibility to access Zope directly (that is, without going out to the Internet) from the local network in this architecture?

(2) And another one. What about this "layout":

AnyBrowser+SSL <--HTTP--> Apache Proxy+SSL <--> firewall <--> Apache+SSL+pcgi <---> Zope+Fnorb <--IIOP--> SQLBroker+ORBacus <--SQL*Net--> CorporateDatabase(Oracle7)

The first Apache would be set up restricting access with the Location tags in httpsd.conf as you suggested. This would be used only for forwarding appropriate HTTP requests to the second Apache server. All internal users might be able to directly access Zope through the second Apache server.

Miklos Nemeth

Ewald Wasscher wrote:
Nemeth Miklos wrote:
I'd like to have the following architecture:
AnyBrowser+SSL <-HTTP-> Apache+SSL+pcgi <--> firewall <--> Zope+Fnorb <-IIOP-> SQLBroker+ORBacus <-SQL*Net-> CorporateDatabase(Oracle7)
The users access Zope from the Internet via an Apache+SSL server. For security reasons my network administrator (responsible for security) does not want to allow any Zope management activity initiated from the Internet. However, I do want to manage Zope from the internal network while web clients are using my Zope application at the same time. (1) How can I access my Zope from the internal network? Can anyone suggest a solution to my problem?
The network administrator could try something like the following setup in the apache configuration file:
    # Only hosts in the internal domain may reach the management URL;
    # with "Order allow,deny" every request not matched by an Allow is denied.
    <Location /zopesite/manage>
        Order allow,deny
        Allow from .iqsoft.hu
    </Location>
Make sure this section comes before the RewriteRules that apply to Zope. Please take a look at the Apache docs and adjust this where needed. Make sure you test the setup, and don't blame me if something goes wrong. You could set up certificate authentication for this <Location> to make it more secure. At least for Apache+mod_ssl there is a (dirty) way to do this.
A less important problem is that my network administrator also wants secured communication between the Apache+SSL server and Zope (over the firewall). This communication is the task of pcgi. (2) Is there any solution to do this?
One solution could be to install some kind of Virtual Private Network package (IPSec, cipe, PGPnet (commercial), etc). The network administrator should know what I mean.
A simpler (but perhaps less secure) option would be the use of sslwrap (http://www.rickk.com/sslwrap/) or stunnel (http://blah.lpt.fi/doc/stunnel/) to SSL-ify the connection between Apache and Zope.
<--CUT-->
Ewald Wasscher
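A fuller version of the httpd.conf fragment discussed above, added here as an example and not taken from the thread. It assumes Apache 1.3 with mod_ssl, mod_access and mod_rewrite, a site rooted at /zopesite that is handed to Zope through the pcgi wrapper at /usr/local/apache/cgi-bin/Zope.cgi (path assumed), and the internal domain .iqsoft.hu from the thread; it also widens the match because Zope publishes its management screens as .../manage* on every object, not only on the site root.

```apache
# Added example, not the poster's configuration.
# The access-control section must appear before the RewriteRule that
# hands requests to Zope, as the reply above advises.

# Match /zopesite/manage, /zopesite/manage_main and /zopesite/sub/folder/manage_access
# alike: Zope exposes management methods on every object in the tree.
<LocationMatch "^/zopesite(/.*)?/manage">
    # Refuse the management interface over plain HTTP even from inside.
    SSLRequireSSL
    # With allow,deny a request matched by no Allow line is denied.
    Order allow,deny
    # Domain-based Allow relies on a double reverse DNS lookup of the client;
    # an internal address range (e.g. Allow from 10.0.0.0/8) does not depend on DNS.
    Allow from .iqsoft.hu
    Deny from all
</LocationMatch>

# Everything under /zopesite is published by Zope via the pcgi wrapper.
RewriteEngine on
# pcgi needs the Authorization header, which Apache strips from CGI
# environments; pass it through in HTTP_CGI_AUTHORIZATION.
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/zopesite(.*) /usr/local/apache/cgi-bin/Zope.cgi$1 [E=HTTP_CGI_AUTHORIZATION:%1,T=application/x-httpd-cgi,L]
```

Test from an external address that /zopesite/manage returns 403 while /zopesite/ still answers, and from an internal host that both succeed over https only.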