Ragnar Beer wrote:
I'm trying to deny external access to Zope maintenance from elsewhere (just to be sure), with Zope behind Apache. However, it just doesn't seem to work. Sure, it's more Apache's problem, but I guess someone around here has a working solution?
    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Forbid any /Zope URL containing "manage" unless the client is on the
        # local network. This rule has to come before the hand-off rule below:
        # that one matches every /Zope URL and carries [L], so anything placed
        # after it is never evaluated for /Zope requests.
        RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.
        RewriteRule ^/Zope.*manage - [F]
        # Hand /Zope/... over to the Zope CGI hook, passing the Authorization
        # header through in HTTP_CGI_AUTHORIZATION.
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [E=HTTP_CGI_AUTHORIZATION:%1,T=application/x-httpd-cgi,L]
    </IfModule>
--
I'm using
    <LocationMatch "/ssl|manage">
        Deny from all
    </LocationMatch>
to block any request from my virtual server on port 80 that is under the /ssl directory or has "manage" in it. You could then allow from localhost.
I was thinking about extending this idea to protect myself from possible security holes in Zope by denying everything and allowing only requests ending in _html or _img. Any opinions on that?
What about callable objects that don't end in either of these?
They wouldn't be callable from outside any more. This is the "deny everything that isn't allowed explicitly" policy. If I'd want them to be callable I'd have to put something in their names that makes it possible to identify them and then allow access.
That's an awful lot of code to rewrite ;)
Right, this is rather a strategy to follow from the beginning. Otherwise - arghh! (But it's very proactive, isn't it?) --Ragnar
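The deny-by-default policy sketched in this thread (block everything, allow only *_html and *_img, keep "manage" and /ssl admin-only), written out as a complete Apache configuration. This is an added example, not config posted by anyone in the thread; it assumes the Order/Allow/Deny access-control syntax of Apache 1.3/2.2 (mod_access / mod_authz_host), and the host name and the 192.0.2.0/24 admin network are placeholders.

```apache
# Added example, not from the thread. Assumes Apache 1.3/2.2 access-control
# syntax (Order/Allow/Deny); zope.example.com and 192.0.2.0/24 are
# placeholders for your own host and admin network.
<VirtualHost *:80>
    ServerName zope.example.com

    # 1. Default deny. With mod_access a later matching <Location> section
    #    overrides an earlier one outright, so this block only decides
    #    requests that none of the sections below match.
    <Location />
        Order Deny,Allow
        Deny from all
    </Location>

    # 2. Whitelist: only paths ending in _html or _img. The $ anchor matters:
    #    "/index_html/manage_main" does not end in _html and stays denied.
    <LocationMatch "_(html|img)$">
        Order Deny,Allow
        Allow from all
    </LocationMatch>

    # 3. "manage" anywhere in the path is admin-only, even where step 2 would
    #    have allowed it (e.g. "/manage_main/index_html"). Trade-off: a public
    #    object named "/management_html" is locked out as well. Note that the
    #    query string is never part of Location matching.
    <LocationMatch "manage">
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1 192.0.2.0/24
    </LocationMatch>

    # 4. The /ssl tree stays closed on port 80 no matter what it ends in;
    #    serve it from the :443 virtual host instead.
    <Location /ssl>
        Order Deny,Allow
        Deny from all
    </Location>
</VirtualHost>
```

Because sections are merged in configuration order, keep the restrictive blocks (3 and 4) after the whitelist (2); reversing them would let "/ssl/page_html" through.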