I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL? I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) -- <- Ronald Offerman | ron@gjt-it.nl <- Root Powered Carrot Munchers Ltd. Inc. SA AG BV "Daddy, why do those people have to use Microsoft Windows?" "Don't stare, son; it's not polite." "M$ Windows NT, an accident waiting to happen" "What goes up, must come down. Ask any system administrator."
On Fri, 11 Dec 1998, Ronald Offerman wrote:
I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL?
Andrew Kuchling has an old interface to SSLeay 0.6.x at: http://starship.skyport.net/crew/amk/python/crypto.html The SSLeay API has changed, though, on it's way to 0.9.x. There is also a reference to another project in progress, but I think last I checked, it didn't seem to be actively worked on. Basically, Andrew's SSLeay module would make a wrapper object around a socket object, so it was pretty easy to adapt existing apps to use SSL. I, for one, would like a working SSL interface again... -- Andy Dustman You should always say "spam" and "eggs" ComStar Communications Corp. instead of "foo" and "bar" (706) 549-7689 | PGP KeyID=0xC72F3F1D in Python examples. (Mark Lutz)
On Fri, Dec 11, 1998 at 05:21:17PM -0500, Andy Dustman wrote:
On Fri, 11 Dec 1998, Ronald Offerman wrote:
I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL?
Andrew Kuchling has an old interface to SSLeay 0.6.x at:
http://starship.skyport.net/crew/amk/python/crypto.html
The SSLeay API has changed, though, on it's way to 0.9.x. There is also a reference to another project in progress, but I think last I checked, it didn't seem to be actively worked on. Basically, Andrew's SSLeay module would make a wrapper object around a socket object, so it was pretty easy to adapt existing apps to use SSL. I, for one, would like a working SSL interface again...
Check out mxCrypto, which is nothign but wrapped SSLeay... I don't have the URL handy. Chris -- | Christopher Petrilli | petrilli@amber.org
On Fri, 11 Dec 1998, Christopher G. Petrilli wrote:
Check out mxCrypto, which is nothign but wrapped SSLeay... I don't have the URL handy.
http://starship.skyport.net/~lemburg/ will get you pretty close, but, mxCrypto only provides an interface to ciphers and not to the SSL protocol itself, so it's not useful for this purpose. -- Andy Dustman You should always say "spam" and "eggs" ComStar Communications Corp. instead of "foo" and "bar" (706) 549-7689 | PGP KeyID=0xC72F3F1D in Python examples. (Mark Lutz)
On Fri, Dec 11, 1998 at 05:37:28PM -0500, Andy Dustman wrote:
On Fri, 11 Dec 1998, Christopher G. Petrilli wrote:
Check out mxCrypto, which is nothign but wrapped SSLeay... I don't have the URL handy.
http://starship.skyport.net/~lemburg/ will get you pretty close, but, mxCrypto only provides an interface to ciphers and not to the SSL protocol itself, so it's not useful for this purpose.
I'm gonna put my "work hat" on (I do crypto for a living :-), and say don't even try this one :-) It's too big a pain in the ass to get right, and Apache does a prettyy good job. If I was gonna try and shove it into Medusa (which I've thought about) THAT is a different question. Chris -- | Christopher Petrilli | petrilli@amber.org
On Fri, 11 Dec 1998, Christopher G. Petrilli wrote:
I'm gonna put my "work hat" on (I do crypto for a living :-), and say don't even try this one :-) It's too big a pain in the ass to get right, and Apache does a prettyy good job. If I was gonna try and shove it into And one can use BoboHTTPServer.py with Apache-SSL. Best of both worlds: -) BoboHTTPServer.py for development easeness. -) Apache as a frontend dealing with logging, SSL, and other nifty stuff.
Andreas -- Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.
Andy Dustman writes:
The SSLeay API has changed, though, on it's way to 0.9.x. There is also a reference to another project in progress, but I think last I checked, it didn't seem to be actively worked on. Basically, Andrew's SSLeay module would make a wrapper object around a socket object, so it was pretty easy to adapt existing apps to use SSL. I, for one, would like a working SSL interface again...
SSLeay is a pretty big API, and attempting to keep up-to-date with it by hand as I did simply doesn't work. Pat Knight's code, at http://www.ktgroup.co.uk/~pat/, uses SWIG to wrap SSLeay so it should scale better. I haven't tried it with SSLeay 0.9.x; someone should do that. -- A.M. Kuchling http://starship.skyport.net/crew/amk/ The mass of men lead lives of quiet desperation. -- Henry David Thoreau, _Walden_ (1854)
On Fri, 11 Dec 1998, Ronald Offerman wrote:
I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL? Use mod_proxy with Apache-SSL. For example: RewriteEngine on RewriteRule ^/intern(.*) http://127.0.0.2:5000$1 [P]
This assumes two things: -) You have an 127.0.0.2 lo:0 alias active ;) -) You have a patched BoboHTTPServer.py running there.
I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) That's another thing I've been thinking about: -) BoboHTTPServer when running in nonssl mode should map the Non-Auth error code to another error code -> When accessing the http:// url the user isn't even prompted for an username/password :)
Andreas -- Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.
On Fri, 11 Dec 1998, Ronald Offerman wrote:
I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL? Use mod_proxy with Apache-SSL. For example: RewriteEngine on RewriteRule ^/intern(.*) http://127.0.0.2:5000$1 [P] What is the advantage over running Zope using pcgi and Apache-SSL? I already use Apache Redirect for some secure parts of current websites, any advantage using the ReWriteEngine over Redirect? (besides it being invisible to the user)
This assumes two things: -) You have an 127.0.0.2 lo:0 alias active ;) -) You have a patched BoboHTTPServer.py running there. No problem to setup on our servers.
I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) That's another thing I've been thinking about: -) BoboHTTPServer when running in nonssl mode should map the Non-Auth error code to another error code -> When accessing the http:// url the user isn't even prompted for an username/password :) What do you intend to accomplish doing this?
-- <- Ronald Offerman | ron@gjt-it.nl <- Root Powered Carrot Munchers Ltd. Inc. SA AG BV "Daddy, why do those people have to use Microsoft Windows?" "Don't stare, son; it's not polite." "M$ Windows NT, an accident waiting to happen" "What goes up, must come down. Ask any system administrator."
On Sat, 12 Dec 1998, Ronald Offerman wrote:
On Fri, 11 Dec 1998, Ronald Offerman wrote:
I can run a secure Zope using pcgi and Apache-SSL. Anyone know of a way how to have ZopeHTTPServer do SSL? Use mod_proxy with Apache-SSL. For example: RewriteEngine on RewriteRule ^/intern(.*) http://127.0.0.2:5000$1 [P] What is the advantage over running Zope using pcgi and Apache-SSL? I already use Apache Redirect for some secure parts of current websites, any advantage using the ReWriteEngine over Redirect? (besides it being invisible to the user) The ReWriteEngine can do redirects too :) When I remember right, its: RewriteRule ^/intern(.*) https://somehost/$1 [R]
The advantages compared to pcgi: -) BHS is multithreaded. Not much use with Zope, but important for my stuff :). pcgi at the moment is being developed to be concurrent. -) pcgi processes run as the Webserver user, so you are limited to uid management a la Apache. BHS runs as the user it is started :) With some small patches to BHS one could even run it as root to allow remote as-root administration of a box. The proxy stuff has the advantage, that you can hide the real http interface somewhere on the inside (I like to create IP aliases for the loopback device *g*), and all accesses must go trough the external gateway.
This assumes two things: -) You have an 127.0.0.2 lo:0 alias active ;) -) You have a patched BoboHTTPServer.py running there.
No problem to setup on our servers.
I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) That's another thing I've been thinking about: -) BoboHTTPServer when running in nonssl mode should map the Non-Auth error code to another error code -> When accessing the http:// url the user isn't even prompted for an username/password :)
What do you intend to accomplish doing this? Easy. Take a site X, you could have http://X/ and https://X/ with the same content. Now some functions require user authentication -> But the credentials NEVER EVER should be send in clean, ...
So by killing the ``Not authorized'' (401?) error code, the user never even gets the possibility to enter a password when working in the clear :) Which should be a strong reminder to switch over to the secure server :) Andreas -- Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.
I already use Apache Redirect for some secure parts of current websites, any advantage using the ReWriteEngine over Redirect? (besides it being invisible to the user) The ReWriteEngine can do redirects too :) When I remember right, its: RewriteRule ^/intern(.*) https://somehost/$1 [R]
The advantages compared to pcgi: -) BHS is multithreaded. Not much use with Zope, but important for my stuff :). pcgi at the moment is being developed to be concurrent. So BoBoHTTPServer != ZopeHTTPServer? Or is it multithreaded but this feature is not used by Zope? -) pcgi processes run as the Webserver user, so you are limited to uid management a la Apache. BHS runs as the user it is started :) With some small patches to BHS one could even run it as root to allow remote as-root administration of a box.
The proxy stuff has the advantage, that you can hide the real http interface somewhere on the inside (I like to create IP aliases for the loopback device *g*), and all accesses must go trough the external gateway. And this is an invisible redirect. [Off topic:] It would be nice to use the ReWriteEngine to do load balancing over several servers this way ;=))
This assumes two things: -) You have an 127.0.0.2 lo:0 alias active ;) -) You have a patched BoboHTTPServer.py running there.
No problem to setup on our servers.
I don't want to allow management over insecure channels so is it possible to use a rewrite/URL refresh rule in Zope for /manage (it should redirect to https:) That's another thing I've been thinking about: -) BoboHTTPServer when running in nonssl mode should map the Non-Auth error code to another error code -> When accessing the http:// url the user isn't even prompted for an username/password :)
What do you intend to accomplish doing this? Easy. Take a site X, you could have http://X/ and https://X/ with the same content. Now some functions require user authentication -> But the credentials NEVER EVER should be send in clean, ... That is the reason why I want Zope to be able to send redirects for certain URLs, especially /manage, but others might also come in handy.
So by killing the ``Not authorized'' (401?) error code, the user never even gets the possibility to enter a password when working in the clear :) Which should be a strong reminder to switch over to the secure server :) I personally think it is an absolute requirement for Zopes TTW management. But 'killing' the error code is the wrong approach, I would like to see the Zope extended so we can limit what is visible depending on the users domain. This should be a document property so we will have to wait for Zope 2 to implement this in a clean way. A clean context (switch) depending on domain, language, authorisation etc should be standard.
-- <- Ronald Offerman | ron@gjt-it.nl <- Root Powered Carrot Munchers Ltd. Inc. SA AG BV "Daddy, why do those people have to use Microsoft Windows?" "Don't stare, son; it's not polite." "M$ Windows NT, an accident waiting to happen" "What goes up, must come down. Ask any system administrator."
On Sat, 12 Dec 1998, Ronald Offerman wrote:
So BoBoHTTPServer != ZopeHTTPServer? Or is it multithreaded but this feature is not used by Zope? Ok, some history lessons, hopefully I remember right, ... BHS == BoboHTTPServer.py ZHP == ZopeHTTPServer.py BP2 == BoboPOS2 BP3 == BoboPOS3
Ok, Amos orginally wrote BHS as an easy way to activate Bobo Applications. BHS always supported optionally multithreading. pcgi, which at the moment is single-threaded, didn't make me quite happy, single-threaded meaning that I cannot do anything lengthy in a method like creating a tar file, because it blocks the webserver for ALL users, and things like streaming are not possible at all. (1 user a time :( ). Now it happened that my first real Bobo application happens to rely strongly upon streaming to generate it's user interface. I've had to do many ugly things like embedding a Streaming Pseudo HTTPServer in the pcgi process that just serves the streams, etc. The real problem at the moment for Zope is that it uses BP2, which is single-threaded :(, which makes a multithreaded publisher of not much use to Zope users today. The ``split'' between ZHS and BHS stems from two things: -) I've extended BHS to allow publishing via mod_proxy/mod_rewrite. (It's basically allowing to set the idea of the publisher where it is published on the cmdline, instead of deriving it from the HTTP-request) It just happened as a idea to circumvent the no-SSL argument against BHS, when on a lazy sunday I've got bored and started to read the mod_rewrite documentation, ... -) I'm not using Zope, caused of a number of things, at the moment, so I've not patched in Zope Support in my BHS, while Amos did that and renamed it to ZHS. So you have basically two versions of a HTTPServer: -) ZHS with less features. -) my BHS version with more features, but no support for Bobo-the-Z-way, also called ZPublisher *g*
-) pcgi processes run as the Webserver user, so you are limited to uid management a la Apache. BHS runs as the user it is started :) With some small patches to BHS one could even run it as root to allow remote as-root administration of a box.
The proxy stuff has the advantage, that you can hide the real http interface somewhere on the inside (I like to create IP aliases for the loopback device *g*), and all accesses must go trough the external gateway. And this is an invisible redirect. [Off topic:] It would be nice to use the ReWriteEngine to do load balancing over several servers this way ;=)) It can me made quite easily: Assuming that random assignment is enough, than mod_rewrite can already do this, for more complicated stuff you would need a small external (say python) program to generate the URL.
You can even do more complicated stuff, like mapping a session ID into a port number: -) The user ``logs'' in, the central BHS start a child BHS, ... -) The user accesses transparently the child BHS, ... -) Every child BHS knows that it deals with one user :)
That is the reason why I want Zope to be able to send redirects for certain URLs, especially /manage, but others might also come in handy. Redirects are: -) Not so cool, many clients complain about this, ... -) Not so cool, as you need many certificates, consider a website www.X.com, that doesn't need a certificate and is managed via https://www.ISP.com/X/
So by killing the ``Not authorized'' (401?) error code, the user never even gets the possibility to enter a password when working in the clear :) Which should be a strong reminder to switch over to the secure server :) I personally think it is an absolute requirement for Zopes TTW management. But 'killing' the error code is the wrong approach, I would like to see the Yes and no. It's naturally much better to have a more general solution, but I tend to get quite paranoic when I'm wearing my sysadmin hat, so my servers will probably be patched to forbid authentication without SSL.
But then, at the moment my biggest headache and stomache come from POP3 and not httpd :) Andreas -- Win95: n., A huge annoying boot virus that causes random spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.
participants (5)
-
Andreas Kostyrka -
Andrew M. Kuchling -
Andy Dustman -
Christopher G. Petrilli -
Ronald Offerman