On Sat, 12 Dec 1998, Ronald Offerman wrote:
On Fri, 11 Dec 1998, Ronald Offerman wrote:
I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL? Use mod_proxy with Apache-SSL. For example: RewriteEngine on RewriteRule ^/intern(.*) http://127.0.0.2:5000$1 [P] What is the advantage over running Zope using pcgi and Apache-SSL? I already use Apache Redirect for some secure parts of current websites, any advantage using the ReWriteEngine over Redirect? (besides it being invisible to the user) The ReWriteEngine can do redirects too :) When I remember right, its: RewriteRule ^/intern(.*) https://somehost/$1 [R]
The advantages compared to pcgi: -) BHS is multithreaded. Not much use with Zope, but important for my stuff :). pcgi at the moment is being developed to be concurrent. -) pcgi processes run as the Webserver user, so you are limited to uid management a la Apache. BHS runs as the user it is started :) With some small patches to BHS one could even run it as root to allow remote as-root administration of a box. The proxy stuff has the advantage, that you can hide the real http interface somewhere on the inside (I like to create IP aliases for the loopback device *g*), and all accesses must go trough the external gateway.
This assumes two things: -) You have an 127.0.0.2 lo:0 alias active ;) -) You have a patched BoboHTTPServer.py running there.
No problem to setup on our servers.
I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) That's another thing I've been thinking about: -) BoboHTTPServer when running in nonssl mode should map the Non-Auth error code to another error code -> When accessing the http:// url the user isn't even prompted for an username/password :)
What do you intend to accomplish doing this? Easy. Take a site X, you could have http://X/ and https://X/ with the same content. Now some functions require user authentication -> But the credentials NEVER EVER should be send in clean, ...
So by killing the ``Not authorized'' (401?) error code, the user never even gets the possibility to enter a password when working in the clear :) Which should be a strong reminder to switch over to the secure server :) Andreas -- Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.