Hi, I've managed to set up SSL over Apache and Zope/Plone virtual hosts on Windows but am slightly stuck on implementing the htaccess part of my solution. I've done extensive googling but can't seem to find any solid documentation. My question is, do you need the <Directory> definition within the <VirtualHost>? And what should this be set to, considering that no flat directory exists as everything is served from Plone. Also, where would you put the htpasswd file? In the Plone site somewhere? Thanks
-- Michael
michael nt milne wrote:
I've managed to set up SSL over Apache and Zope/Plone virtual hosts on Windows but am slightly stuck on implementing the htaccess part of my solution. I've done extensive googling but can't seem to find any solid documentation.
This is an Apache question, go ask on #apache on irc.freenode.net! I really don't understand why you'd use htaccess if you're already using Zope...
cheers,
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Sorry, but there's a lot of Apache knowledge here and it's completely relevant. Also Zope doesn't do SSL well and all password login is basically insecure! I've found out that I'm best using httpd.conf and not htaccess. Also irc.freenode is unusable.
-- Michael
Also I'm implementing an extranet solution where extra security is required, so therefore an Apache login and a further Plone login for editing the site.
-- Michael
Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over SSL. If you just cancelled the login box or closed it, the whole front page was displayed without any CSS but you could still get all the content. I've had this quite a bit before, so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.
-- Michael
On 07.02.06 23:58:20, michael nt milne wrote:
Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over SSL. If you just cancelled the login box or closed it, the whole front page was displayed without any CSS but you could still get all the content.
Then you had the proper rights somehow.
I've had this quite a bit before, so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.
Authentication via .htpasswd uses the same HTTP method as the basic login into Zope. It's not more or less secure than authenticating directly with Zope.
Andreas
-- There is a 20% chance of tomorrow.
But if you've got Apache SSL as well then it's more secure. The problem I've found is that you can't put this in the httpd.conf unless it is wrapped in a <Directory></Directory> directive:

    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /path/to/.htpasswd
    require valid-user

And the virtual host doesn't have a directory. If I were to place this in the Zope root then I would password protect all the sites. I only want to password protect one etc.
-- Michael
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
michael nt milne wrote:
But if you've got Apache ssl as well then it's more secure.
Yes, SSL is a transport encryption method, not an authentication method...
The problem I've found is that you can't put this in the httpd.conf unless it is wrapped in a <Directory></Directory> directive
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile /path/to/.htpasswd
    require valid-user
This is an Apache question, take it elsewhere!
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On 7 Feb 2006, at 23:58, michael nt milne wrote:
Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over SSL. If you just cancelled the login box or closed it, the whole front page was displayed without any CSS but you could still get all the content. I've had this quite a bit before, so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.
As someone else has already mentioned, there is zero difference when it comes to "how secure" the login procedure is. It doesn't matter how you set up authentication if you haven't applied the proper permission settings in Zope to prevent showing that front page content you mentioned earlier. You need to get a better idea how to use the built-in Zope security mechanisms to achieve the security settings you would like to see. Using both Apache and Zope authentication will bring mostly pain. Your strategy is wrong. Get a better understanding of what Zope can do in that regard and then decide. jens
OK, I've gone into the security tab in the site root and set 'view' to 'authenticated' whilst de-selecting acquire. However, using the password that gets me into the overall 8080/manage doesn't work. Also the front page still comes up if you cancel the login box, and the page displays without CSS. This shouldn't happen with view set to authenticated.
-- Michael
michael nt milne wrote:
OK, I've gone into the security tab in the site root and set 'view' to 'authenticated' whilst de-selecting acquire.
Yay!
However, using the password that gets me into the overall 8080/manage doesn't work.
Huh? Can you provide any less information, or maybe make it a bit vaguer? ;-)
Also the front page still comes up if you cancel the login box, and the page displays without CSS.
Then you still haven't sorted your permissions properly...
This shouldn't happen with view set to authenticated.
Then _you're_ doing something wrong, 'cos it works just fine for the rest of us...
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Sorry, but can't you post in one message? Also, Zope does do SSL but it's not as good as Apache. And some advice: keep personal insults out of it.
-- Michael
michael nt milne wrote:
Sorry but can't you post in one message?
That, coming from you, is pretty rich ;-)
Also, Zope does do SSL but it's not as good as Apache.
No, Zope doesn't. There are some half baked addons that sort of promise to do something like SSL, but I'd trust them as far as I can throw them, and I've never had much success trying to throw software...
And some advice - keep personal insults out of it.
aye aye cap'n ;-)
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Glad you've taken that on board :-) Over and out from me on this one as well. By the way, using the <Location></Location> directive is the way to password protect using Apache on non-directory-based virtual hosts. It works using the URL line rather than directory access. Just so you know. And that wasn't even sourced from an Apache board. A Plone list member very kindly proffered the information. But then again this isn't an Apache list, is it..
-- Michael
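Putting the thread's outcome into one configuration, as an added example that is not from any message here: a single HTTPS virtual host for one Plone site, with the Basic-auth directives inside a <Location> block (matched on the request URL) rather than a <Directory>, so no filesystem directory is needed, and with the password file kept outside anything Apache serves. The hostname, certificate paths, Plone site id "extranet" and the htpasswd path are placeholders.

```apache
# Added example (not from the thread). Placeholders: hostname, cert paths,
# the Plone site id "extranet", and the password-file path.
<VirtualHost *:443>
    ServerName extranet.example.com

    SSLEngine on
    SSLCertificateFile    "C:/Apache2/conf/ssl/extranet.example.com.crt"
    SSLCertificateKeyFile "C:/Apache2/conf/ssl/extranet.example.com.key"

    # Apache-side login for this host only. <Location> matches the URL
    # path, so it works although everything is served from Zope and no
    # directory exists on disk. Other virtual hosts (other Zope sites)
    # are not affected, unlike putting the directives at the Zope root.
    <Location />
        SSLRequireSSL
        AuthType Basic
        AuthName "Members Only"
        # AuthUserFile is a plain filesystem path; keep it outside any
        # served location, e.g. the Apache conf directory. Create with:
        #   htpasswd -c C:/Apache2/conf/extranet.htpasswd alice
        AuthUserFile "C:/Apache2/conf/extranet.htpasswd"
        Require valid-user
    </Location>

    # Proxy to Zope through the VirtualHostMonster so Plone generates
    # https://extranet.example.com/... links. Zope's own View permission
    # on the "extranet" site still decides what a logged-in user sees;
    # this block only gates who reaches the host at all.
    RewriteEngine On
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/extranet.example.com:443/extranet/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Note that the proxied request still carries the browser's Authorization header, so the Apache credentials are also presented to Zope, which is where the "mostly pain" Jens describes comes from when the same user is meant to log in again with a Plone account.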
michael nt milne wrote:
Glad you've taken that on board :-) Over and out from me on this one as well. By the way, using the <Location></Location> directive is the way to password protect using Apache on non-directory-based virtual hosts. It works using the URL line rather than directory access. Just so you know. And that wasn't even sourced from an Apache board. A Plone list member very kindly proffered the information. But then again this isn't an Apache list, is it..
It's still kinda silly to try to protect Zope resources with a big fat Apache hammer ;) It kinda "works" for Root (/) and only one account, but you are lost if you want to have different users with fine-grained security and Zope actually knowing them. Don't work against Zope. Work with it. And if something does not work as expected, you need to post _all_ the gory details of your configuration and what you really did. If you can't remember, start over with a clean fresh Data.fs and write down all steps you took.
--Tino
michael nt milne wrote:
Also, just to say that I did a test on only letting authenticated and managers view the root page of the site over SSL.
How?
If you just cancelled the login box or closed it, the whole front page was displayed without any CSS but you could still get all the content.
Well, then you didn't set permissions correctly...
I've had this quite a bit before, so that's why I'm looking into Apache authentication. I just don't think that Zope authentication is secure.
You just don't think, or research, which is more your problem...
cheers,
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
michael nt milne wrote:
Also I'm implementing an extranet solution where extra security is required, so therefore an Apache login and a further Plone login for editing the site.
I commented to someone asking similar questions about them being stupid, lazy or both. I don't think you're lazy ;-)
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
michael nt milne wrote:
Sorry, but there's a lot of Apache knowledge here and it's completely relevant.
No it isn't, if you want to use Apache auth, go ask on an Apache forum. You don't, but you think you do, and you won't listen to anyone, which is annoying in its own right...
Also Zope doesn't do SSL well
Zope doesn't do SSL at all, there's no point. Secure transport and authentication have little to do with each other...
and all password login is basically insecure!
Not if it's over SSL...
I've found out that I'm best using httpd.conf and not htaccess. Also irc.freenode is unusable.
Oh, don't be so ridiculous...
Chris
-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On 2/7/06, michael nt milne <michael.milne@gmail.com> wrote:
Also Zope doesn't do SSL well and all password login is basically insecure!
If you mean that logins without SSL are basically insecure, ok. But given your other posts, if you mean that Zope authentication is somehow inherently insecure (other than non-SSL traffic being in the clear), please consider that the problems you experienced with it don't lead to that conclusion. I run secured Zope sites on Classified networks, and wouldn't be able to if Zope security was as broken as you make it out to be. If you need Apache auth and then need Plone auth, and you have a question about configuring Apache auth, then it's appropriate to ask an Apache list. The Apache httpd docs are also very good.
participants (6)
- Andreas Pakulat
- Chris Withers
- Jens Vagelpohl
- michael nt milne
- Robert Boyd
- Tino Wildenhain