I would like to force users to manage a Zope/Plone site through SSL, and only through SSL. I have a site http://www.site.com:80, which is also directly accessible as https://www.site.com:443.

The problem about forcing SSL for authenticated members is that with Apache, I can only really do so for a subdirectory. So if the site would be viewed at directory / (e.g. /products/fly), but all authenticated members see the site as /authenticated (e.g. /authenticated/products/fly), then Apache's Redirect could be used.

However, Zope doesn't use different paths for authenticated and anonymous members.

Since every page rendered uses standard_html_header, could I put a DTML Method or Python script in there that does the following:

- Check if the access is by an authenticated member.
- If yes: check for presence of the string 'https' in request/PATH_INFO.
- If not present: redirect to another URL.

How would that look? I don't know how to check for membership or how to issue an HTTP Redirect.

Thanks!

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc
all information contained in the above is false, for reasons of military security.
You could use apache virtual host directives to do this. Set up one virtual host using 443 and another using 80. They could point to the same place with one using ssl and the other unsecured. Search the archives for Apache Virtual Hosts use with Zope.

Kevin

martin f krafft wrote:

> I would like to force users to manage a Zope/Plone site through SSL, and only through SSL. I have a site http://www.site.com:80, which is also directly accessible as https://www.site.com:443.
>
> The problem about forcing SSL for authenticated members is that with Apache, I can only really do so for a subdirectory. So if the site would be viewed at directory / (e.g. /products/fly), but all authenticated members see the site as /authenticated (e.g. /authenticated/products/fly), then Apache's Redirect could be used.
>
> However, Zope doesn't use different paths for authenticated and anonymous members.
>
> Since every page rendered uses standard_html_header, could I put a DTML Method or Python script in there that does the following:
>
> - Check if the access is by an authenticated member.
> - If yes: check for presence of the string 'https' in request/PATH_INFO.
> - If not present: redirect to another URL.
>
> How would that look? I don't know how to check for membership or how to issue an HTTP Redirect.
>
> Thanks!
also sprach Kevin Carlson <khcarlso@bellsouth.net> [2003.02.03.1610 +0100]:

> You could use apache virtual host directives to do this. Set up one virtual host using 443 and another using 80. They could point to the same place with one using ssl and the other unsecured. Search the archives for Apache Virtual Hosts use with Zope.

Please read my initial post:

> I would like to force users to manage a Zope/Plone site through SSL, and only through SSL. I have a site http://www.site.com:80, which is also directly accessible as https://www.site.com:443.

This is already accomplished. My members can very well login and edit the pages through SSL, but they can also do so through regular HTTP on port 80. I don't want that. Only anonymous users may use port 80. Non-anonymous users, and anyone accessing the login form, *must* be going through port 443 with SSL!

Hope this is clearer.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc
"it is only the modern that ever becomes old-fashioned." -- oscar wilde
martin f krafft wrote:

> also sprach Kevin Carlson <khcarlso@bellsouth.net> [2003.02.03.1610 +0100]:
>
>> You could use apache virtual host directives to do this. Set up one virtual host using 443 and another using 80. They could point to the same place with one using ssl and the other unsecured. Search the archives for Apache Virtual Hosts use with Zope.
>
> Please read my initial post:
>
>> I would like to force users to manage a Zope/Plone site through SSL, and only through SSL. I have a site http://www.site.com:80, which is also directly accessible as https://www.site.com:443.
>
> This is already accomplished. My members can very well login and edit the pages through SSL, but they can also do so through regular HTTP on port 80. I don't want that. Only anonymous users may use port 80. Non-anonymous users, and anyone accessing the login form, *must* be going through port 443 with SSL!
>
> Hope this is clearer.

Maybe this thread http://mail.zope.org/pipermail/zope-dev/2003-January/018499.html helps you, esp. Dieter Maurer's last post there. It answers the question how to send a redirect to a https uri instead of a "forbidden".

HTH,
oliver
martin f krafft wrote at 2003-2-3 16:34 +0100:

> also sprach Kevin Carlson <khcarlso@bellsouth.net> [2003.02.03.1610 +0100]:
>
>> You could use apache virtual host directives to do this. Set up one virtual host using 443 and another using 80. They could point to the same place with one using ssl and the other unsecured. Search the archives for Apache Virtual Hosts use with Zope.
>
> Please read my initial post:
>
>> I would like to force users to manage a Zope/Plone site through SSL, and only through SSL. I have a site http://www.site.com:80, which is also directly accessible as https://www.site.com:443.
>
> This is already accomplished. My members can very well login and edit the pages through SSL, but they can also do so through regular HTTP on port 80. I don't want that. Only anonymous users may use port 80. Non-anonymous users, and anyone accessing the login form, *must* be going through port 443 with SSL!

Rewrite rules can be made local to virtual hosts.

Add rewrite rules to the HTTP virtual host that turn each URL containing "/manage" into a "forbidden" response. Of course, omit these rewrite rules from the HTTPS virtual host.

Dieter
also sprach Dieter Maurer <dieter@handshake.de> [2003.02.03.2028 +0100]:

> Rewrite rules can be made local to virtual hosts.

I know.

> Add rewrite rules to the HTTP virtual host that turn each URL containing "/manage" into a "forbidden" response.

That doesn't really fix the problem for Plone though. I'd have to add rules for /login_form as well as /edit, which might well be overkill.

So there is no way to do this from within Zope? This should definitely become a feature.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc
"we have a firm commitment to nato, we are a part of nato. we have a firm commitment to europe. we are a part of europe." - george w. bush
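One way to do the check from inside Zope, as an added example that is not code from this thread nor from Zope or Plone: a plain Python helper, assumed to be wired in through an External Method and called from standard_html_header, that applies the rule the thread settles on (anonymous visitors may stay on port 80 except for /login_form, /manage* and /edit; everyone else must be on 443). It reads the scheme from the absolute URL Zope reconstructs rather than from PATH_INFO, which only carries the path; the function names, the segment list and the `force_ssl` glue are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Path segments that must be served over HTTPS even for anonymous visitors:
# the login form and the edit entry point named in the thread. Assumed list.
HTTPS_ONLY_SEGMENTS = ("login_form", "edit")


def _is_sensitive(path):
    """True when the path enters the login form, an edit screen or a
    Zope management screen ("manage", "manage_main", ...). Whole segments
    are compared, so "/managers" or "/editors" do not trigger it."""
    return any(seg == "manage" or seg.startswith("manage_")
               or seg in HTTPS_ONLY_SEGMENTS
               for seg in path.split("/"))


def https_redirect_target(url, is_anonymous, https_port=443):
    """Return the https:// URL to send the client to, or None if the
    request may proceed as it is.

    url          -- absolute URL as Zope saw it (REQUEST['URL'] plus query)
    is_anonymous -- what portal_membership.isAnonymousUser() returned
    https_port   -- port of the SSL virtual host; left out of the URL if 443
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None                    # already on SSL, nothing to do
    if is_anonymous and not _is_sensitive(parts.path):
        return None                    # anonymous browsing on port 80 is fine
    host = parts.hostname or ""
    netloc = host if https_port == 443 else "%s:%d" % (host, https_port)
    # Keep path and query string so the user lands on the same page over SSL.
    return urlunsplit(("https", netloc, parts.path, parts.query, ""))


def force_ssl(request, is_anonymous):
    """Hypothetical External Method body: arm a redirect on the Zope
    request when needed and return the target (None when nothing was done),
    so the caller in standard_html_header can stop rendering."""
    url = request["URL"]
    if request.get("QUERY_STRING"):
        url += "?" + request["QUERY_STRING"]
    target = https_redirect_target(url, is_anonymous)
    if target is not None:
        request.RESPONSE.redirect(target)
    return target
```

Behind Apache this only works if the SSL virtual host's rewrite rule passes https into the VirtualHostMonster's VirtualHostBase path, otherwise Zope believes every request arrived over plain http and will loop.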
participants (4)

- Dieter Maurer
- Kevin Carlson
- martin f krafft
- Oliver Bleutgen