Open proxy testing
Can anyone suggest how I can test for an open proxy when running Zope behind Apache?
-- John
John Poltorak wrote:
Can anyone suggest how I can test for an open proxy when running Zope behind Apache?
You shouldn't need to use ProxyRequests at all. The "standard" mechanism uses mod_rewrite's [P,L] flags, which only apply to the rewritten URLs.
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
I've never got this mechanism to work and have had to resort to enabling proxy for redirection. Without it I get a 403 - Forbidden error from Apache.
Where do I find the clearest example about how to set this up properly?
-- John
On Mon, Sep 13, 2004 at 07:04:46AM -0400, Tres Seaver wrote:
John Poltorak wrote:
Can anyone suggest how I can test for an open proxy when running Zope behind Apache?
You shouldn't need to use ProxyRequests at all. The "standard" mechanism uses mod_rewrite's [P,L] flags, which only apply to the rewritten URLs.
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
On Sep 13, 2004, at 13:50, John Poltorak wrote:
I've never got this mechanism to work and have had to resort to enabling proxy for redirection. Without it I get a 403 - Forbidden error from Apache.
Where do I find the clearest example about how to set this up properly?
The best examples and clearest documentation are on http://www.apache.org
jens
--------------- Jens Vagelpohl jens@zetwork.com Software Engineer Zope - done medium rare Zetwork GmbH http://www.zetwork.com/
John Poltorak wrote:
I've never got this mechanism to work and have had to resort to enabling proxy for redirection. Without it I get a 403 - Forbidden error from Apache.
Where do I find the clearest example about how to set this up properly?
See Tino Wildenhain's response today in the thread, "REPOST Re: ZServer/ZPublisher proxying, or move to "full zope"; need consultant".
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
There must be something else which is expected but not stated - I have the lines as suggested but still get the 403 - Forbidden problem.
Could this be due to some permissions not being set correctly?
-- John
On Mon, Sep 13, 2004 at 08:03:02AM -0400, Tres Seaver wrote:
John Poltorak wrote:
I've never got this mechanism to work and have had to resort to enabling proxy for redirection. Without it I get a 403 - Forbidden error from Apache.
Where do I find the clearest example about how to set this up properly?
See Tino Wildenhain's response today in the thread, "REPOST Re: ZServer/ZPublisher proxying, or move to "full zope"; need consultant".
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
John Poltorak wrote:
There must be something else which is expected but not stated - I have the lines as suggested but still get the 403 - Forbidden problem.
Could this be due to some permissions not being set correctly?
I've missed most of this thread; are you possibly running Redhat 8.0 with default apache rpm install? If so, this is a bug in that setup. I've spent hours in the bowels of this mess. Andrew
-- Zope Corporation Software Engineer (540) 361-1700
Andrew Sawyers wrote:
John Poltorak wrote:
There must be something else which is expected but not stated - I have the lines as suggested but still get the 403 - Forbidden problem.
Could this be due to some permissions not being set correctly?
I've missed most of this thread; are you possibly running Redhat 8.0 with default apache rpm install? If so, this is a bug in that setup. I've spent hours in the bowels of this mess. Andrew
I should restate this: IIRC it was Redhat 8.0 -- it might have been 9.0; anyhow, if it's redhat with a default rpm install; I'd look at updating your apache, cuz I ended up having to build mine from source cuz I just got annoyed and had burned too many hours. Later on I found out it was a known bug with the default package in the redhat release I was on. Since I've taken that particular machine from 7.3 - 9.0 I forget which release it was :( Andrew
-- Zope Corporation Software Engineer (540) 361-1700
I'm running Red Hat 7.3, Apache 1.3.27 and Zope 2.6.2b3.
I did manage to configure Apache to use Zope but ended up creating an Open Proxy. Without enabling proxy requests, I couldn't use a direct URL to Zope. I'm no expert here, so there may be something basic which I have overlooked, but I've spent a while digging around without success.
-- John
On Mon, Sep 13, 2004 at 10:40:46AM -0400, Andrew Sawyers wrote:
John Poltorak wrote:
There must be something else which is expected but not stated - I have the lines as suggested but still get the 403 - Forbidden problem.
Could this be due to some permissions not being set correctly?
I've missed most of this thread; are you possibly running Redhat 8.0 with default apache rpm install? If so, this is a bug in that setup. I've spent hours in the bowels of this mess. Andrew
-- Zope Corporation Software Engineer (540) 361-1700
On Mon, 13 Sep 2004 16:02:48 +0100, John Poltorak <jp@warpix.org> wrote:
I'm running Red Hat 7.3, Apache 1.3.27 and Zope 2.6.2b3.
I did manage to configure Apache to use Zope but ended up creating an Open Proxy. Without enabling proxy requests, I couldn't use a direct URL to Zope. I'm no expert here, so there may be something basic which I have overlooked, but I've spent a while digging around without success.
http://httpd.apache.org/docs/mod/mod_proxy.html
What I have on my Apache-1.3 server, which is the front-end for a Zope instance, is this:
    <IfModule mod_proxy.c>
    ProxyRequests Off
    </IfModule>
Relevant doc snip:
"""The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.
A reverse proxy, by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin."""
So the above enables mod_proxy, but does not enable ProxyRequests, which still allows it to work as a reverse proxy, which is what you need.
Of course, for your VirtualHost, you also need something like this:
    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/example.net:80/example.net/Virtua... [P]
if you are using VirtualHostMonster in your Zope instance.
-- Computer interfaces should never be made of meat.
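A static check of the two directives discussed in the message above, as an added example that is not part of the original post and not Apache or Zope code: it flags `ProxyRequests On` and any `[P]` rewrite whose target host is taken from the request. The sample configurations, the function name and the finding labels are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread).
OPEN_CONF = """\
<IfModule mod_proxy.c>
ProxyRequests On
</IfModule>
RewriteEngine on
RewriteRule ^/fetch/(.*) http://$1 [P,L]
"""
SAFE_CONF = """\
<IfModule mod_proxy.c>
ProxyRequests Off
</IfModule>
RewriteEngine on
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/www.example.org:80/VirtualHostRoot/$1 [P,L]
"""

def audit_proxy_config(conf):
    """Return (line_number, finding) pairs for directives that can open the proxy."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue  # blank line or comment
        name = tok[0].lower()
        if name == "proxyrequests" and len(tok) > 1 and tok[1].lower() == "on":
            # Forward proxying is on; it is open unless access to it is restricted.
            findings.append((n, "forward-proxy-enabled"))
        elif name == "rewriterule" and len(tok) >= 4:
            target = tok[2]
            flags = "".join(tok[3:]).strip("[]").lower().split(",")
            if not {"p", "proxy"} & set(flags):
                continue  # not a proxied rule
            # Host part of the substitution: a backreference ($N, %N) or a
            # variable (%{...}) there lets the client choose the backend.
            m = re.match(r"[a-z][a-z0-9+.-]*://([^/]*)", target, re.I)
            authority = m.group(1) if m else target.split("/", 1)[0]
            if "$" in authority or "%" in authority:
                findings.append((n, "client-controlled-proxy-target"))
    return findings

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("reverse-only", SAFE_CONF)):
        print(label, audit_proxy_config(conf))
```

A clean result here only covers these two directives; an external probe such as the pxytest utility mentioned later in the thread still checks the server's actual behaviour.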
I've changed a few things and it appears to work now - but how do I check whether I have inadvertently enabled an open proxy?
Are there any known tests which I can run?
-- John
On Mon, Sep 13, 2004 at 11:16:37AM -0400, Andy Dustman wrote:
On Mon, 13 Sep 2004 16:02:48 +0100, John Poltorak <jp@warpix.org> wrote:
I'm running Red Hat 7.3, Apache 1.3.27 and Zope 2.6.2b3.
I did manage to configure Apache to use Zope but ended up creating an Open Proxy. Without enabling proxy requests, I couldn't use a direct URL to Zope. I'm no expert here, so there may be something basic which I have overlooked, but I've spent a while digging around without success.
http://httpd.apache.org/docs/mod/mod_proxy.html
What I have on my Apache-1.3 server, which is the front-end for a Zope instance, is this:
    <IfModule mod_proxy.c>
    ProxyRequests Off
    </IfModule>
Relevant doc snip:
"""The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.
A reverse proxy, by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin."""
So the above enables mod_proxy, but does not enable ProxyRequests, which still allows it to work as a reverse proxy, which is what you need.
Of course, for your VirtualHost, you also need something like this:
    RewriteEngine on
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/example.net:80/example.net/Virtua... [P]
if you are using VirtualHostMonster in your Zope instance.
-- Computer interfaces should never be made of meat.
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
John Poltorak wrote:
I've changed a few things and it appears to work now - but how do I check whether I have inadvertently enabled an open proxy?
Are there any known tests which I can run?
http://www.unicom.com/sw/pxytest/
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
Many thanks for that - it was very useful. Mentioning this utility in some Zope FAQ would be a good idea.
-- John
On Mon, Sep 13, 2004 at 12:59:04PM -0400, Tres Seaver wrote:
John Poltorak wrote:
I've changed a few things and it appears to work now - but how do I check whether I have inadvertently enabled an open proxy?
Are there any known tests which I can run?
http://www.unicom.com/sw/pxytest/
Tres. -- =============================================================== Tres Seaver tseaver@zope.com Zope Corporation "Zope Dealers" http://www.zope.com
participants (5): Andrew Sawyers, Andy Dustman, Jens Vagelpohl, John Poltorak, Tres Seaver