Hi Eric,

Right... someone suggested a firewall.. which is fine if you want to make all of zope inaccessible on port 8080, and clearly it's a sure-fire solution. However it also requires that you have *access* to put up a firewall, which you might not! My thought was that, in Zope you could simply protect a particular area by adding code to standard_html_header in that area that did a check, e.g.,

    <dtml-if "URL[:5] == 'http:'">
      <dtml-call "RESPONSE.redirect('https:' + URL[5:])">
      <dtml-return "'REDIRECTING.. to secure port.. '">
    </dtml-if>
    ...

This way, you could still use 8080 for other things if you wanted to. I guess the question comes down to 'who are you trying to protect from doing what?'. If it's your own users then, as Joachim mentioned, maybe it's just a matter of education?

-steve

On Saturday, August 4, 2001, at 11:48 PM, Eric Walstad wrote:
Hi Steve,

Well, in the condition I described, if the user knows the port that Zope is running on, they could bypass Apache altogether. So, what I need is to make Zope inaccessible to the outside world. That way, all traffic would have to be sent thru Apache.

Thanks,
Eric.

-----Original Message-----
From: Steve Spicklemire [mailto:steve@spvi.com]
Sent: Friday, August 03, 2001 4:16 PM
To: Eric Walstad
Cc: Steve Spicklemire; zope@zope.org
Subject: Re: [Zope] SSL + ProxyPass + Zope question...
Hi Eric,
Apache sets an environment variable when SSL is used. You can check for that variable in an Access rule, or standard_html_header or some other method.
-steve
On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
Hello,
Apache is listening on port 80 and 443, Zope listening on port 8080. When a request comes in for port 443 (or HTTPS) Apache forwards the request to Zope on port 8080 and sends the results back out thru SSL, just as it should. If a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection is created and the password is forwarded to Zope after it's been sent thru SSL. However, if the user goes to http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request and it goes straight to Zope. The user is then prompted for a password, which would be sent back to Zope without SSL.
So my question is, how do I keep Zope from accepting any requests from the outside world unless they've gone thru Apache first? Can I tell Zope to listen on something like 192.168.1.123:8080 so that it will never see requests from the outside world?
TIA,
Eric.
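
The per-request check discussed in this thread, written out as an added Python sketch; it is not code from any poster or from Zope. It assumes Apache runs on the same host as Zope (so proxied requests arrive from loopback) and that the SSL virtual host is configured to add an `X-Forwarded-Proto: https` request header; both are assumptions, as are the function names.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumptions for this sketch: Apache runs on the same host as Zope, so a
# proxied request arrives from loopback, and the SSL virtual host adds the
# header named below. Neither detail comes from the thread.
PROXY_ADDRS = {"127.0.0.1", "::1"}
HTTPS_MARKER = "X-Forwarded-Proto"


def https_url(url):
    """Rewrite url to https on the default port, dropping any backend port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = "[" + host + "]"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def decide(remote_addr, url, headers):
    """Return ("allow", None) or ("redirect", target) for one request."""
    via_proxy = remote_addr in PROXY_ADDRS
    # The marker is only meaningful when the peer is the proxy: a client
    # talking to port 8080 directly can send any header it likes.
    marker = headers.get(HTTPS_MARKER, "").lower()
    if via_proxy and marker == "https":
        return ("allow", None)
    return ("redirect", https_url(url))


# Constructed sample requests: (peer address, URL as Zope sees it, headers)
SAMPLES = [
    ("127.0.0.1", "http://mysite.com:8080/PasswordProtectedArea/",
     {"X-Forwarded-Proto": "https"}),
    ("203.0.113.9", "http://mysite.com:8080/PasswordProtectedArea/", {}),
    ("203.0.113.9", "http://mysite.com:8080/PasswordProtectedArea/",
     {"X-Forwarded-Proto": "https"}),
]

if __name__ == "__main__":
    for addr, url, hdrs in SAMPLES:
        print(addr, decide(addr, url, hdrs))
```

The redirect target drops the `:8080` backend port, so the browser lands on Apache's SSL listener rather than back on Zope's plain-HTTP port.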