I already use Apache Redirect for some secure parts of current websites, any advantage using the ReWriteEngine over Redirect? (besides it being invisible to the user) The ReWriteEngine can do redirects too :) When I remember right, its: RewriteRule ^/intern(.*) https://somehost/$1 [R]
The advantages compared to pcgi: -) BHS is multithreaded. Not much use with Zope, but important for my stuff :). pcgi at the moment is being developed to be concurrent. So BoBoHTTPServer != ZopeHTTPServer? Or is it multithreaded but this feature is not used by Zope? -) pcgi processes run as the Webserver user, so you are limited to uid management a la Apache. BHS runs as the user it is started :) With some small patches to BHS one could even run it as root to allow remote as-root administration of a box.
The proxy stuff has the advantage, that you can hide the real http interface somewhere on the inside (I like to create IP aliases for the loopback device *g*), and all accesses must go trough the external gateway. And this is an invisible redirect. [Off topic:] It would be nice to use the ReWriteEngine to do load balancing over several servers this way ;=))
This assumes two things: -) You have an 127.0.0.2 lo:0 alias active ;) -) You have a patched BoboHTTPServer.py running there.
No problem to setup on our servers.
I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) That's another thing I've been thinking about: -) BoboHTTPServer when running in nonssl mode should map the Non-Auth error code to another error code -> When accessing the http:// url the user isn't even prompted for an username/password :)
What do you intend to accomplish doing this? Easy. Take a site X, you could have http://X/ and https://X/ with the same content. Now some functions require user authentication -> But the credentials NEVER EVER should be send in clean, ... That is the reason why I want Zope to be able to send redirects for certain URLs, especially /manage, but others might also come in handy.
So by killing the ``Not authorized'' (401?) error code, the user never even gets the possibility to enter a password when working in the clear :) Which should be a strong reminder to switch over to the secure server :) I personally think it is an absolute requirement for Zopes TTW management. But 'killing' the error code is the wrong approach, I would like to see the Zope extended so we can limit what is visible depending on the users domain. This should be a document property so we will have to wait for Zope 2 to implement this in a clean way. A clean context (switch) depending on domain, language, authorisation etc should be standard.
-- <- Ronald Offerman | ron@gjt-it.nl <- Root Powered Carrot Munchers Ltd. Inc. SA AG BV "Daddy, why do those people have to use Microsoft Windows?" "Don't stare, son; it's not polite." "M$ Windows NT, an accident waiting to happen" "What goes up, must come down. Ask any system administrator."