Ricardo Anguiano wrote:
- Restrict remote access to port 8080 or else folks will be able to connect to the zope management interface remotely without using SSL.
Or just bind zope to something in 127.0.0.0/8, which should obviate the need for additional access restrictions (from the outside world). (Assuming a non-routing host, I suppose.)
<VirtualHost *>
    ServerName www.example.com
    RewriteEngine on
    RewriteCond %{REQUEST_URI} manage
The above RewriteCond is superfluous, the RewriteRule below is sufficient.
    RewriteRule manage - [F]
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/www.example.com:80/example/Virtua... [P,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    ...
    RewriteEngine on
    RewriteCond %{REQUEST_URI} manage
ibid
    RewriteRule manage - [F]
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/www.example.com:443/example/Virt... [P,L]
</VirtualHost>
These examples also fail to address the issues discussed in http://marc.theaimsgroup.com/?l=zope&m=104426779414836 but then, they are just examples, and nobody would dream of using them blindly without first reading the documentation, right? Right.

What you've done here will work ... mostly. I've even advocated it in the past, but it's probably worth noting that blocking 'manage' strings only works in a pragmatic sense. I believe there are management interfaces that don't have that string in them (I swear I saw one the other day, though I don't remember in what now...) and as such, if your goal is 100% assurance that auth headers for management never pass in the clear, this config might not cut it.

I've been considering an alternate approach; I'd entertain any commentary. I was thinking of using client certs with mod_ssl's FakeBasicAuth function in conjunction with a specialized UserFolder that only authenticates requests which are received via a known secure route. I've verified that when using FakeBasicAuth and mod_rewrite/proxy, the proxied request is indeed sent with an appropriately crafted WWW-Authenticate header.

The problem I've been mulling over is that this means the passwords of your users are all identical in the user folder. (Read up on mod_ssl if you don't understand why.) This means that whatever variable holds the flag indicating the request came from a secure source must be protected from any form of duress. (Otherwise I can see a scenario where users could possibly script themselves new credentials.) To date that's about as far as I've gotten with this idea; I'm not sure what the best way to protect a variable of that much importance would be.

--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
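
An added sketch of the FakeBasicAuth idea discussed above (not part of the original message, and not Zope or mod_ssl code): mod_ssl's FakeBasicAuth forwards the certificate subject DN as the Basic username with the fixed password "password", so the back end has to decide trust from something a client cannot set. It assumes Zope is bound to 127.0.0.0/8 as suggested earlier in the message; `authenticate`, `fake_basic_header` and the sample DN are hypothetical names and constructed values.

```python
import base64
import ipaddress

FAKE_PASSWORD = "password"  # fixed string FakeBasicAuth sends for every user
TRUSTED_NET = ipaddress.ip_network("127.0.0.0/8")  # assumption: Zope on loopback
SAMPLE_DN = "/C=US/O=Example/CN=alice"  # constructed sample subject DN


def fake_basic_header(subject_dn):
    """Authorization value the SSL front end forwards for a verified cert."""
    raw = f"{subject_dn}:{FAKE_PASSWORD}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def authenticate(peer_ip, authorization, known_dns):
    """Hypothetical user-folder check: return the DN, or None to refuse.

    The "secure route" flag is derived from the TCP peer address, never
    from a request header or form variable, since a client controls those.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_NET:
        return None  # request did not arrive through the SSL front end
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    # Split on the last colon: the password is a known constant without
    # colons, while a subject DN may itself contain one.
    dn, sep, password = decoded.rpartition(":")
    if not sep or password != FAKE_PASSWORD:
        return None
    return dn if dn in known_dns else None


if __name__ == "__main__":
    header = fake_basic_header(SAMPLE_DN)
    print(authenticate("127.0.0.1", header, {SAMPLE_DN}))   # via front end
    print(authenticate("192.0.2.10", header, {SAMPLE_DN}))  # direct: refused
```

Because every user's password is the same constant, the header alone proves nothing; the peer-address check is the only thing separating a request that passed certificate verification from one that did not.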