I abandoned mod_proxy for mod_rewrite. Security-wise, mod_rewrite had less to worry about (this is important when website administration changes hands). The sample configuration below shows how to handle Zope resource quirks and how to proxy requests to and from folders in Zope (both tested). The last rule is my guess at what "proxy everything to and from Zope" would look like (untested). Apache is listening on 80 and routes requests to a Zope instance listening on 8080. <IfModule mod_rewrite.c> RewriteEngine On RewriteLog "/path/to/rewrite_log" # Zope serves some system-ish content from p_ and misc_. RewriteRule ^/p_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/p_$1 [L,P] RewriteRule ^/misc_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/misc _$1 [L,P] # Apache folders served by Zope folders. RewriteRule ^/folder1(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/fold er1$1 [L,P] RewriteRule ^/folder2(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/fold er2$1 [L,P] # Push everything to Zope? RewriteRule ^(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P] </IfModule> Aloha, Priam -----Original Message----- From: zope-bounces@zope.org [mailto:zope-bounces@zope.org] On Behalf Of Ed Colmar Sent: Saturday, October 15, 2005 9:19 AM To: zope@zope.org Subject: [Zope] apache open proxy configuration problem I've been running zope through apache for years and years now, and I have a new machine set up with apache 2.0.48 and zope (Zope 2.8.0-final, python 2.3.5, linux2) Using Identical Vhost configuration settings from an old machine all has been well, up until about 5 days ago, when I noticed the machine getting slammed, and wierd logs started showing up like: xxx.xxx.xxx.xxx - - [14/Oct/2005:14:09:06 -0700] "GET http://partners.mygeek.com:80/search.jsp?partnerid=98885&pagesize=12 HTTP/1.1" 403 406 (IP removed to protect the guilty) In my quick research to try to determine the problem, I found people advising to turn "ProxyRequests Off", which I did, but did not have any effect. Luckily this is just a development server, not a live production server, so its not super critical, but I'm nervous now that my production server might be in the same state... Here is a sample vhost.conf entry: NameVirtualHost 192.168.1.32 <VirtualHost 192.168.1.32> ServerName www.greengraphics.net ServerPath /var/www/greengraphics/www DocumentRoot /var/www/greengraphics/www ServerAdmin webmaster RewriteEngine On TransferLog logs/Vhost-greengraphics-access.log ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/green graphics/VirtualHostRoot/ ProxyPassReverse / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/green graphics/VirtualHostRoot/ </VirtualHost> mod_proxy.conf looks like: <IfDefine HAVE_PROXY> <IfModule !mod_proxy.c> LoadModule proxy_module modules/mod_proxy.so #LoadModule proxy_connect_module modules/mod_proxy_connect.so #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so </IfModule> </IfDefine> <IfModule mod_proxy.c> # # Proxy Server directives. Uncomment the following lines to # enable the proxy server: # ProxyRequests Off <Proxy *> Order deny,allow Deny from all # Allow from .your-domain.com </Proxy> # # Enable/disable the handling of HTTP/1.1 "Via:" headers. # ("Full" adds the server version; "Block" removes all outgoing Via: headers) # Set to one of: Off | On | Full | Block # ProxyVia On # End of proxy directives. </IfModule> any suggestions? places to look to verify security? Thanks! -ed _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )