Hi,

maybe I'm blind, but I can't make it work. I've seen the hints to put

  <cgi-environment>
    HTTPS ON
  </cgi-environment>

into zope.conf. This works, but that doesn't distinguish between different ports. That is, even plain http-requests will return URLs with "https" as the protocol.

It is quite easy to start two different http-servers on different ports, like

  <http-server>
    address 80
  </http-server>

  <http-server>
    address 443
  </http-server>

Now the missing piece is to add the "HTTPS ON" header only for requests to port 443.

Thanks, Sascha

--
Gallileus - the power of knowledge

Gallileus GmbH       http://www.gallileus.info/
Pintschstraße 16     fon +49-(0)30-41 93 43 43
10249 Berlin         fax +49-(0)30-41 93 43 45
Germany

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CURRENT NOTICE (May 2004)
Literature Alerts - literature search (as if) in your sleep!
More about this from now on at: http://www.gallileus.info/gallileus/about/products/alerts/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Sascha Ottolski <sascha.ottolski@gallileus.de> writes:
Now the missing piece is to add the "HTTPS ON" header only for requests to port 443.
exactly. That's why I wrote a patch. It adds a <https-server> stanza identical to <http-server> but adding the HTTPS ON header automatically.

I think it would be better to allow multiple <http-server> stanzas with embedded <cgi-environment> like:

  <http-server>
    address 443
    <cgi-environment>
      HTTPS ON
    </cgi-environment>
  </http-server>

(THIS DOES NOT WORK NOW AS OF 2004-05-06, IT'S A SUGGESTION !!!)

but my solution was much simpler to implement. The patch is not large, so I think it's ok to post it here, as others might well be interested as well. This is against Zope-2.7.0.

--- /root/build/Zope-2.7.0/lib/python/ZServer/datatypes.py 2004-04-07 00:54:43.000000000 +0200 +++ lib/python/ZServer/datatypes.py 2004-04-07 13:36:19.000000000 +0200 
@@ -74,6 +74,34 @@ from ZServer import HTTPServer return HTTPServer.zhttp_handler(self.module, '', self.cgienv) +class HTTPSServerFactory(ServerFactory): + def __init__(self, section): + ServerFactory.__init__(self, section.address) + self.force_connection_close = section.force_connection_close + # webdav-source-server sections won't have webdav_source_clients: + webdav_clients = getattr(section, "webdav_source_clients", None) + self.webdav_source_clients = webdav_clients + + def create(self): + from ZServer import HTTPServer + from ZServer.AccessLogger import access_logger + handler = self.createHandler() + handler._force_connection_close = self.force_connection_close + if self.webdav_source_clients: + handler.set_webdav_source_clients(self.webdav_source_clients) + server = HTTPServer.zhttp_server(ip=self.host, port=self.port, + resolver=self.dnsresolver, + logger_object=access_logger) + server.install_handler(handler) + return server + + def createHandler(self): + from ZServer import HTTPServer + cgienv = {} + cgienv.update(self.cgienv) + cgienv['HTTPS'] = 'ON' + return HTTPServer.zhttp_handler(self.module, '', cgienv) + class WebDAVSourceServerFactory(HTTPServerFactory): def createHandler(self): --- /root/build/Zope-2.7.0/lib/python/ZServer/component.xml 2003-03-24 23:32:39.000000000 +0100 +++ lib/python/ZServer/component.xml 2004-04-07 13:34:38.000000000 +0200 
@@ -21,6 +21,19 @@ </key> </sectiontype> + <sectiontype name="https-server" + datatype=".HTTPSServerFactory" + implements="ZServer.server"> + <key name="address" datatype="inet-address"/> + <key name="force-connection-close" datatype="boolean" default="off"/> + <key name="webdav-source-clients"> + <description> + Regular expression used to identify clients who should + receive WebDAV source responses to GET requests. + </description> + </key> + </sectiontype> + <sectiontype name="webdav-source-server" datatype=".WebDAVSourceServerFactory" implements="ZServer.server"> -- -- *DON'T* TRY TO REACH ME DIRECTLY AT ABOVE EMAIL ADDRESS. Any reply -- received off-list at that address will be *silently* and -- *unconditionally* dropped. You can attribute this inconvenience to -- the proliferation of spammers on the Internet. I hope, you can -- understand my position and accept my counter measures.
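Review bot: HTTPSServerFactory.create() in the datatypes.py hunk still builds a plain HTTPServer.zhttp_server, while createHandler() sets cgienv['HTTPS'] = 'ON' unconditionally, so every request that reaches this port is reported as HTTPS whether or not SSL was used on the way in. Add a docstring saying the class does no SSL itself and that the address should only be reachable from the SSL-wrapping front end. Separately, __init__ and create() carry over the webdav-source-server comment and look copied; the trailing context shows WebDAVSourceServerFactory deriving from HTTPServerFactory and overriding only createHandler, and this class could do the same.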
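Review bot: the new https-server sectiontype in the component.xml hunk has no description of its own, and its name suggests that the section terminates SSL, which nothing in the patch does. Add a <description> stating that the section serves plain HTTP with HTTPS set to ON in the CGI environment and is meant to sit behind an SSL-wrapping proxy, so that an operator does not bind it to a public port 443 expecting encryption.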
Stefan Bund wrote:
  <http-server>
    address 443
    <cgi-environment>
      HTTPS ON
    </cgi-environment>
  </http-server>

Does this actually make Zope serve HTTPS though? I would be pretty surprised.

I'd be much less surprised if it just caused Zope to serve normal HTTP on port 443 and put 'https' at the start of urls and not 'http'.

You sure that's what you want?

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Chris Withers <chris@simplistix.co.uk> writes:
I'd be much less surprised if it just caused Zope to serve normal HTTP on port 443 and put 'https' at the start of urls and not 'http'.
You sure that's what you want?
Yes :-) (ok, not running on port 443 on my setup). Zope is running behind pound, and pound does the SSL wrapping.

Stefan.

--
-- *DON'T* TRY TO REACH ME DIRECTLY AT ABOVE EMAIL ADDRESS. Any reply
-- received off-list at that address will be *silently* and
-- *unconditionally* dropped. You can attribute this inconvenience to
-- the proliferation of spammers on the Internet. I hope, you can
-- understand my position and accept my counter measures.
Sascha Ottolski wrote at 2004-5-6 17:00 +0200:
maybe I'm blind, but I can't make it work. I've seen the hints to put

  <cgi-environment>
    HTTPS ON
  </cgi-environment>

into zope.conf. This works, but that doesn't distinguish between different ports. That is, even plain http-requests will return URLs with "https" as the protocol.

It is quite easy to start two different http-servers on different ports, like

  <http-server>
    address 80
  </http-server>

  <http-server>
    address 443
  </http-server>
When you use VHM (VirtualHostMonster) (and Apache), you can explicitly specify what the URLs should look like.

When you do not use VHM, you can use an "AccessRule" to specify the URL based on the "SERVER_PORT". For this, you could use the same methods that VHM uses (look at its source).

Alternatively, you could modify ZPublisher and let it preset its SERVER_URL based on the port (what you would do in the "AccessRule", otherwise).

--
Dieter
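The port-based decision described in the message above, as an added illustration in plain Python. It is not part of the thread and is not Zope, VHM or ZPublisher code; the function names, port numbers and proxy address are assumptions. It goes one step beyond the thread by also requiring that the request came from the SSL-wrapping proxy, so a plaintext request sent straight to the proxy-facing port is not labelled https.

```python
# Added illustration in plain Python; not Zope, VHM or ZPublisher code.
# All ports and addresses below are assumed deployment values.
TLS_BACKEND_PORTS = {"8443"}       # backend port only the SSL proxy forwards to
TRUSTED_PROXIES = {"127.0.0.1"}    # where the SSL-wrapping proxy connects from
PUBLIC_PORTS = {"http": "80", "https": "443"}   # ports that clients see
DEFAULT_PORTS = {"http": "80", "https": "443"}


def request_scheme(environ):
    """'https' only if the request came in on the proxy-facing port AND
    from the proxy itself; a direct plaintext hit on that port stays 'http'."""
    on_tls_port = environ.get("SERVER_PORT") in TLS_BACKEND_PORTS
    from_proxy = environ.get("REMOTE_ADDR") in TRUSTED_PROXIES
    return "https" if on_tls_port and from_proxy else "http"


def server_url(environ, public_ports=PUBLIC_PORTS):
    """Build the base URL an access rule would preset for this request.

    The host comes from SERVER_NAME (server configuration), not from the
    client-supplied Host header.
    """
    scheme = request_scheme(environ)
    port = public_ports[scheme]
    netloc = environ["SERVER_NAME"]
    if port != DEFAULT_PORTS[scheme]:
        netloc = "%s:%s" % (netloc, port)
    return "%s://%s" % (scheme, netloc)


# Constructed sample requests (CGI-style environments).
VIA_PROXY = {"SERVER_NAME": "www.example.org", "SERVER_PORT": "8443",
             "REMOTE_ADDR": "127.0.0.1"}
PLAIN = {"SERVER_NAME": "www.example.org", "SERVER_PORT": "8080",
         "REMOTE_ADDR": "203.0.113.7"}
DIRECT_TO_TLS_PORT = {"SERVER_NAME": "www.example.org", "SERVER_PORT": "8443",
                      "REMOTE_ADDR": "203.0.113.7"}

if __name__ == "__main__":
    for name, env in [("via proxy", VIA_PROXY), ("plain", PLAIN),
                      ("direct to TLS port", DIRECT_TO_TLS_PORT)]:
        print("%-20s %s" % (name, server_url(env)))
```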
On Thu, May 06, 2004 at 05:00:16PM +0200, Sascha Ottolski wrote:
maybe I'm blind, but I can't make it work. I've seen the hints to put

You can with ZServerSSL, which works with Zope 2.7.0.

I've been beta testing a Windows installer; apart from one site, all beta testers who provided feedback reported the installer (and ZServerSSL itself ;-) works fine. There are also several beta testers from whom I've not heard since sending them the installer. ;-\

If you aren't on Windows, just apply the patches manually. Find ZServerSSL in the current M2Crypto distribution.

(I also have a beta installer for Plone2 almost done, but I've been too busy to send it to the several people who asked. Sorry.)

Cheers.

--
Ng Pheng Siong <ngps@netmemetic.com>

http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- ZServerSSL/Zope Windows Installers
participants (5)
- Chris Withers
- Dieter Maurer
- Ng Pheng Siong
- Sascha Ottolski
- Stefan Bund