Some suggestions, from practical experience:

1 - You want a firewall or router rule to block public access to 8080 on that box. Why not use NetFilter/IPTables to set this up on your Linux box, or for that matter, just set up a Cisco router ACL, which is even easier if you can?

2 - Bind Zope to a destination interface/IP with the -a option for z2.py
  a. If squid/apache runs on the same box, bind it only to loopback (very secure, but limits some remote admin functionality if you are not careful).
  b. If you need to, bind ZServer to a management network that is only accessed by the proxy and any private administrative clients.
  c. If you are really paranoid, segment proxy traffic onto its own network, and bind ZServer onto that network; then force your management/admin traffic to go through the proxy or from localhost.

3 - Use squid; you will get much more powerful acls that will allow you to block certain pages as well as use acls to determine what is cached and not cached. You can do all sorts of ACLs, for that matter. You can also use a redirector both to rewrite URLs for VHM, and also rewrite blocked management URLs to internal URLs that only can be used on a private network (that is, if you are a bit paranoid). Squid is going to be faster anyhow. Squid also does a nice job of round-robin load distribution to ZEO clients.

4 - If you are running ZEO, protect the storage server by keeping it on its own VLAN with a private IP.

5 - Use squid ACLs for everything we need in the ACL department, including blocking ZMI access on the public interface(s) of the caching proxy.

6 - Keep our Zope/ZEO nodes on a private network behind Squid proxies to keep them out of 'public' internet view, and give them internet access via NAT on a firewall. Squid serves both a private and a public network, and the private network is less restricted, and you rely on host/application/Zope security beyond that.
Sean

-----Original Message-----
From: Todd Hepler [mailto:thepler@caspiannetworks.com]
Sent: Monday, August 20, 2001 5:32 PM
To: zope@zope.org
Subject: [Zope] ZServer ACL

I'm relatively new to Zope and python. I have Apache with ProxyPass (port 80) set up on the same box as Zope with a VirtualHostMonster (port 8080). I want to make it so that clients cannot "go around" Apache and talk directly to port 8080, so I'm looking for a way to make Zope only accept requests that come from localhost (or a specified IP address). I can't find anything on zope.org related to ACLs of this nature or blocking access to ZServer based on IP address. Any ideas? I dug through the medusa and ZServer code, but the answer isn't jumping out at me. I'm running Zope 2.4.0 with python 2.1.1 on solaris 2.7.

Why would I want this? (you might ask) To scale, I want to be able to turn on caching in Apache, or replace Apache with squid. This won't improve performance if the pages that come out of Zope refer directly to port 8080. The clients would end up "going around" the cache. I know there are ways to make Zope generate appropriate URLs and thus not go around port 80, but I'm not interested in those solutions here. Even those solutions won't stop someone from hardcoding a reference to port 8080 in one of their pages. I want to simply shut off access to it in the first place so that if someone even tries it, they fail.

Thanks,
-todd

_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
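An added example, not code from either message: the firewall rule from point 1 of the reply combined with the loopback bind from point 2, written for netfilter/iptables. The proxy address is a constructed placeholder, and the -w HTTP-port flag of z2.py is assumed from its usage text (only -a appears in the thread).

```shell
#!/bin/sh
# Restrict ZServer's HTTP port (8080) to the loopback interface and one
# trusted proxy host. PROXY_IP is a constructed placeholder from the
# RFC 5737 documentation range; replace it with your Squid/Apache host.
set -eu

ZOPE_PORT="${ZOPE_PORT:-8080}"
PROXY_IP="${PROXY_IP:-192.0.2.10}"
IPT="${IPT:-iptables}"     # set IPT=echo to print the rules instead of applying them
CHAIN="ZOPE_HTTP"

# A dedicated chain keeps the policy for this port readable and lets it be
# flushed and rebuilt without disturbing the rest of INPUT.
zope_port_rules() {
    # Create the chain, or flush it if it already exists from an earlier run.
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"
    # 1. Traffic arriving on loopback (Apache/Squid on the same box) is allowed.
    "$IPT" -A "$CHAIN" -i lo -j ACCEPT
    # 2. The proxy host on the management network is allowed.
    "$IPT" -A "$CHAIN" -s "$PROXY_IP" -j ACCEPT
    # 3. Everyone else is dropped, so a direct hit on 8080 simply times out.
    "$IPT" -A "$CHAIN" -j DROP
    # Hook the chain at the top of INPUT so it runs before any broad ACCEPT.
    "$IPT" -I INPUT 1 -p tcp --dport "$ZOPE_PORT" -j "$CHAIN"
}

# Second layer: even with the firewall rule in place, start ZServer bound to
# loopback so the listening socket is never reachable from another host.
# (-a sets the bind address; -w, assumed here, sets the HTTP port in z2.py.)
zope_start_command() {
    echo "python z2.py -a 127.0.0.1 -w $ZOPE_PORT"
}

# Apply the rules only when invoked as "apply", so sourcing the file is safe.
if [ "${1:-}" = "apply" ]; then
    zope_port_rules
fi
```

Run it as `IPT=echo sh restrict_zope.sh apply` first to review the generated rules before applying them for real.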