Ragnar Beer wrote:
I'm trying to deny external access to Zope maintenance from elsewhere (just to be sure), with Zope behind Apache. However, it just doesn't seem to work... Sure, it's more Apache's problem, but I guess someone around there has a working solution?
#<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]

RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
RewriteRule ^/Zope.*manage - [F]
#</IfModule>
--
I'm using
<LocationMatch "/ssl|manage">
Deny from all
</LocationMatch>
to block any request from my virtual server on port 80 that is under the /ssl directory or has "manage" in it. You could then allow from localhost.
I was thinking about extending this idea to protect myself from possible security holes in Zope by denying everything and allowing only requests ending in _html or _img. Any opinions on that?
What about callable objects that don't end in either of these?
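
Added example, not part of the original thread: a simplified Python model of in-order mod_rewrite processing in server context. It shows that with the two rules in the posted order the first rule rewrites the URL and stops (flag l) before the REMOTE_ADDR rule is ever tested, while the same rules with the deny rule first answer 403 to outside addresses. The evaluate function, the rule dictionaries and the sample requests are constructed for illustration and are not Apache's code.

```python
import re

# Simplified model of mod_rewrite in server context: rules run top to bottom,
# each RewriteCond applies only to the rule that follows it, a substitution
# replaces the current URL, [F] answers 403 and [L] stops rule processing.
# Constructed for illustration; it is not Apache's implementation.

def cond_auth_any(req):          # RewriteCond %{HTTP:Authorization} ^(.*)
    return re.search(r"^(.*)", req.get("authorization", "")) is not None

def cond_not_trusted(req):       # RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
    return re.search(r"^193\.143\.156\.(.*)", req["remote_addr"]) is None

TO_CGI = {"cond": cond_auth_any, "pattern": r"^/Zope(.*)",
          "subst": r"/usr/lib/cgi-bin/Zope/\1", "flags": {"L"}}
DENY = {"cond": cond_not_trusted, "pattern": r"^/Zope.*manage",
        "subst": "-", "flags": {"F"}}

AS_POSTED = [TO_CGI, DENY]       # order used in the post
DENY_FIRST = [DENY, TO_CGI]      # same two rules, deny rule moved up

def evaluate(rules, req):
    """Return ('forbidden', url) or ('served', final_url) for one request."""
    url = req["path"]
    for rule in rules:
        match = re.search(rule["pattern"], url)
        if not match or not rule["cond"](req):
            continue
        if "F" in rule["flags"]:
            return ("forbidden", url)
        if rule["subst"] != "-":
            url = match.expand(rule["subst"])   # URL is now a CGI path
        if "L" in rule["flags"]:
            break
    return ("served", url)

# Constructed sample requests (203.0.113.7 is a documentation address).
OUTSIDE = {"path": "/Zope/manage", "remote_addr": "203.0.113.7",
           "authorization": "Basic placeholder"}
INSIDE = {"path": "/Zope/manage", "remote_addr": "193.143.156.10",
          "authorization": "Basic placeholder"}

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("deny first", DENY_FIRST)):
        for who, req in (("outside", OUTSIDE), ("inside", INSIDE)):
            print(f"{name:10} {who:7} -> {evaluate(rules, req)}")
```

In the model, dropping the l flag does not help either: after the first rule the URL is the CGI path, which no longer starts with /Zope, so the deny pattern cannot match it.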