After much struggling ... the docs REALLY REALLY must be improved ... I finally understood what Zope was for yesterday, in a spectacular epiphany! After installing PyGreSQL and mucking about with some dtml-in statements, I am hooked. Addicted. Zope is The Only Way To Web... (I think I'll be keeping my personal website outside of it, but mainly because I *want* my personal website to be crufty and poorly designed... that's what makes it personal ^_^)

However, this new rush of excitement was tempered by the realization that I probably couldn't use it for the distributed authoring purposes that I had hoped I could. Security is a HUGE concern for me: students from college campuses log in to my server, and many of them are on networks where sniffers are running. This is not a random paranoid raving, either: our server has been attacked three times in the past six months. The attacks succeeded the first time, but we have since wised up and insisted that everyone connect over SSH only, no telnet, and Debian keeps us up-to-date on security fixes.

A few questions:

* Is there any way to secure the authentication process that Zope has, on the wire?
* Can this be done internally to ZServer?

If not, I have had some problems connecting over the Apache thing to the management interface. I hope that this is resolvable. (Debian Apache/Zope users?)

Anyway, now that I know what's going on ... Zope is AMAZING. I can't believe how easy it is to set up complex database-oriented websites.

--
 ______        __   __  _____  _     _
|  ____ |        \_/   |_____] |_____|
|_____| |_____    |    |       |     |
@ t w i s t e d m a t r i x . c o m
http://www.twistedmatrix.com/~glyph/
On Tue, 29 Feb 2000 13:39:36 -0500 (EST) glyph <glyph@twistedmatrix.com> wrote:
However, this new rush of excitement was tempered by the realization that I probably couldn't use it for the distributed authoring purposes that I had hoped I could. Security is a HUGE concern for me: students from college campuses log in to my server, and many of them are on networks where sniffers are running.
About the best you are going to do is to use SSL. You can of course just put everything under SSL, but given the overhead of SSL that may not be wise (see the archives for some stats on the area). I'm still looking for a way to do:

  -- Initial authentication occurs under SSL and generates a short lived session key (hour or two)
  -- Normal page loads are in the clear and use the session key.
  -- Significant user actions require re-authentication under SSL (eg PW changes).

--
J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
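The three-step scheme in the message above, sketched as an added example that is not part of the original post and not Zope or ZServer code. The names `issue_token`, `check_token`, `authorize`, the key and the five-minute re-authentication window are all assumptions. Because the token travels in the clear on normal page loads, a sniffer can replay it until it expires, so the sketch bounds that window and never lets a cleartext or stale session perform a sensitive action.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
SESSION_TTL = 2 * 60 * 60             # "hour or two" from the post, in seconds
REAUTH_WINDOW = 5 * 60                # assumption: how recent the SSL login must be


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, now=None):
    """Step 1: call only after a successful login over SSL."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}"
    return f"{payload}|{_mac(payload)}"


def check_token(token, now=None):
    """Return (user, issued) for an untampered, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        user, issued, mac = token.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return None
    expected = _mac(f"{user}|{issued}")
    # Constant-time comparison on bytes, so odd characters cannot raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not 0 <= now - issued <= SESSION_TTL:
        return None
    return user, issued


def authorize(token, sensitive, over_ssl, now=None):
    """Steps 2 and 3: cleartext page loads vs. significant actions."""
    now = time.time() if now is None else now
    session = check_token(token, now)
    if session is None:
        return "login-required"
    if sensitive and (not over_ssl or now - session[1] > REAUTH_WINDOW):
        return "reauth-over-ssl"  # e.g. a password change
    return "ok"
```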
On 29 Feb, J C Lawrence wrote:
About the best you are going to do is to use SSL. You can of course just put everything under SSL, but given the overhead of SSL that may not be wise (see the archives for some stats on the area). I'm still looking for a way to do:
Well, given that I'd only really want SSL for my authors...

Is there a simple way to "turn on" SSL in ZServer, or will I need to use Apache to serve?

--
 ______        __   __  _____  _     _
|  ____ |        \_/   |_____] |_____|
|_____| |_____    |    |       |     |
@ t w i s t e d m a t r i x . c o m
http://www.twistedmatrix.com/~glyph/
On Tue, 29 Feb 2000 17:46:38 -0500 (EST) glyph <glyph@twistedmatrix.com> wrote:
Is there a simple way to "turn on" SSL in ZServer, or will I need to use Apache to serve?
Not that I know of. AFAICT you currently need to have Apache front for ZServer (and Apache thus provide SSL). There's a python package going about (see archives) that holds out the promise of being able to do SSL in ZServer, but I don't know that anybody has done that yet. It would also (seemingly) suffer the same problems as the Apache route in that it would be an all-or-nothing approach.

Please realise, I've not /done/ all this, it's just what I've genned from the list, and may be in error.

--
J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
On 29 Feb, J C Lawrence wrote:
On Tue, 29 Feb 2000 17:46:38 -0500 (EST) glyph <glyph@twistedmatrix.com> wrote:
Is there a simple way to "turn on" SSL in ZServer, or will I need to use Apache to serve?
Not that I know of. AFAICT you currently need to have Apache front for ZServer (and Apache thus provide SSL). There's a python package going about (see archives) that holds out the promise of being able to do SSL in ZServer, but I don't know that anybody has done that yet. It would also (seemingly) suffer the same problems as the Apache route in that it would be an all-or-nothing approach.
Please realise, I've not /done/ all this, it's just what I've genned from the list, and may be in error.
Okay. Perhaps someone else on the list can answer this one then:

I have a standard Debian install of Zope. ZServer works fine. Apache works fine. Zope shows up fine in Apache. Except... I can't log in. At all. With any username. What do I have to do to get Apache to recognize Zope's authentication?

--
 ______        __   __  _____  _     _
|  ____ |        \_/   |_____] |_____|
|_____| |_____    |    |       |     |
@ t w i s t e d m a t r i x . c o m
http://www.twistedmatrix.com/~glyph/
On 29 Feb, I wrote:
Okay. Perhaps someone else on the list can answer this one then: I have a standard Debian install of Zope. ZServer works fine. Apache works fine. Zope shows up fine in Apache. Except... I can't log in. At all. With any username. What do I have to do to get Apache to recognize Zope's authentication?
Just to follow up to myself so you know: I have seen snippets about RewriteRules all over the place for using Apache with Zope... I have tried everything I've found, and nothing has worked so far. (The RewriteRules appear to do nothing at all...)

--
 ______        __   __  _____  _     _
|  ____ |        \_/   |_____] |_____|
|_____| |_____    |    |       |     |
@ t w i s t e d m a t r i x . c o m
http://www.twistedmatrix.com/~glyph/