Using SSL with Zope/Apache with url rewriting.
Hi all, I've got my Zope server happily working away behind apache, using URL rewriting. But given as I don't entirely understand URL rewriting or virtual host monsters yet, I have almost no idea how to get SSL working. I need a secure connection to Zope. SSL on apache is working fine, using a dummy certificate. Thanks for any direction you may be able to give me. Alec Munro
Chris Withers wrote:
Alec Munro wrote:
virtual host monsters yet, I have almost no idea how to get SSL working. I need a secure connection to Zope.
Why? Surely that bit should be behind your firewall?
cheers,
Chris
I guess I misphrased it. I need a secure method of communication with Zope. I want to be able to log in to the ZMI, or other administration tools, from a remote location, without sending passwords flying across the internet in cleartext. The server is a dedicated box in San Antonio, and I'm in Halifax. I don't actually need the communication between Apache and Zope to be secure, at least as long as they are behind the same firewall. I think I've got it figured out anyway, but I would still appreciate suggestions. Thanks, Alec
On Wed, 2002-07-31 at 05:24, Alec Munro wrote:
Chris Withers wrote:
Alec Munro wrote:
virtual host monsters yet, I have almost no idea how to get SSL working. I need a secure connection to Zope.
Why? Surely that bit should be behind your firewall?
cheers,
Chris
I guess I misphrased it. I need a secure method of communication with Zope. I want to be able to log in to the ZMI, or other administration tools, from a remote location, without sending passwords flying across the internet in cleartext. The server is a dedicated box in San Antonio, and I'm in Halifax. I don't actually need the communication between Apache and Zope to be secure, at least as long as they are behind the same firewall.
I think I've got it figured out anyway, but I would still appreciate suggestions.
ssh tunneling. Cygwin has a nice sshd if the server has Windows on it.
Thanks,
Alec
--
Jack Coates
Monkeynoodle: A Scientific Venture...
"Alec Munro" <alec.munro@eoascientific.com> writes:
I guess I misphrased it. I need a secure method of communication with Zope. I want to be able to log in to the ZMI, or other administration tools, from a remote location, without sending passwords flying across the internet in cleartext. The server is a dedicated box in San Antonio, and I'm in Halifax. I don't actually need the communication between Apache and Zope to be secure, at least as long as they are behind the same firewall.
I think I've got it figured out anyway, but I would still appreciate suggestions.
Thanks,
Alec
This is what we did for apache + zope. There may be better ways.

Make sure you have mod_ssl installed. Add this section for your <host.domain.com> and <ip-address> in httpd.conf and restart apache. I tested it by watching tcpdump -x | hex2ascii. There were no cleartext passwords and the content was also protected.

<VirtualHost ip-address:443>
    ServerName host.domain.com
    DocumentRoot /var/inet/html
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    RewriteEngine on
    # Do not allow use of the Zope management interfaces.
    RewriteCond %{REQUEST_URI} manage
    RewriteRule manage - [F]
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/host.domain.com:443/intranet/Vir... [P,L]
</VirtualHost>

Ricardo Anguiano
anguiano@codesourcery.com
CodeSourcery, LLC
http://www.codesourcery.com
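Added example (not part of the original thread and not any poster's code): the tcpdump check described in the message above, automated. It parses `tcpdump -x` text output and reports whether HTTP Basic credentials are readable in any packet. The sample packets, the `admin` account, the dump layout with offset prefixes and the use of Basic authentication for the ZMI login are assumptions made for the example.

```python
import base64
import hashlib
import re

# One hex line of `tcpdump -x` output; the "0x0010:" offset prefix is optional.
HEX_LINE = re.compile(
    r"^\s+(?:0x[0-9a-f]{4}:\s+)?((?:[0-9a-f]{2}){1,2}(?: (?:[0-9a-f]{2}){1,2})*)\s*$")
BASIC = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)

def packets_from_tcpdump_x(text):
    """Yield the raw bytes of each packet in `tcpdump -x` text output."""
    buf = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            buf += bytes.fromhex(m.group(1).replace(" ", ""))
        elif buf:                      # summary line: previous packet is complete
            yield bytes(buf)
            buf = bytearray()
    if buf:
        yield bytes(buf)

def cleartext_basic_auth(text):
    """Return the usernames whose Basic credentials are readable in the capture."""
    users = []
    for pkt in packets_from_tcpdump_x(text):
        for token in BASIC.findall(pkt):
            try:
                user, sep, _password = base64.b64decode(token, validate=True).partition(b":")
            except ValueError:         # not valid base64, so not a credential
                continue
            if sep:
                users.append(user.decode("latin-1"))   # never echo the password
    return users

def as_tcpdump_x(summary, data):
    """Render bytes as `tcpdump -x` prints them (samples only; IP/TCP headers omitted)."""
    lines = [summary]
    for off in range(0, len(data), 16):
        h = data[off:off + 16].hex()
        lines.append("\t0x%04x:  %s" % (off, " ".join(h[i:i + 4] for i in range(0, len(h), 4))))
    return "\n".join(lines)

# Constructed samples: the same ZMI login sent to port 80 and inside a TLS record on 443.
CRED = base64.b64encode(b"admin:example-password")
HTTP_DUMP = as_tcpdump_x("12:00:00.000000 IP client.40000 > host.domain.com.80: Flags [P.]",
    b"GET /manage HTTP/1.0\r\nHost: host.domain.com\r\nAuthorization: Basic " + CRED + b"\r\n\r\n")
TLS_DUMP = as_tcpdump_x("12:00:01.000000 IP client.40001 > host.domain.com.443: Flags [P.]",
    b"\x17\x03\x01\x00\x40" + hashlib.sha512(b"constructed ciphertext").digest())

if __name__ == "__main__":
    print("port 80 :", cleartext_basic_auth(HTTP_DUMP))
    print("port 443:", cleartext_basic_auth(TLS_DUMP))
```

A header split across two packets is not reassembled here, so a clean result on a real capture only covers credentials that arrive within a single segment.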
I finally got this working with fastcgi from the Zope howto Apache, Zope and FastCGI...

Be aware of:

/var/www/htdocs/zope
127.0.0.1:8089
Zope.fcgi is an auto generated file.

My inexperience with Zope and Apache, but this works for me. Let me know if there is anything that makes no sense or how to get rid of the zope/Zope.fcgi from the URL.

And this is the script that starts Zope

#!/bin/sh
export INSTANCE_HOME=/home/zope
export PYTHONHOME=/usr/local/lib/zope
umask 077
exec /usr/local/bin/python2.1 -O $PYTHONHOME/z2.py -F 8089 -D "$@" -u www -p /home/zope/Zope.cgi

This is part of my httpd.conf

#Section 1
...
LoadModule proxy_module /usr/lib/apache/modules/libproxy.so
LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so
LoadModule fastcgi_module /usr/lib/apache/modules/mod_fastcgi.so
...
AddModule mod_proxy.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_ssl.c
AddModule mod_fastcgi.c

#Section 2
<IfModule mod_fastcgi.c>
    FastCGIExternalServer /var/www/htdocs/zope/Zope.fcgi \
        -host 127.0.0.1:8089 \
        -pass-header Authorization
    RewriteEngine on
    ReWriteCond %{HTTP:Authorization} ^/(.*)
    RewriteRule ^/(.*) /var/www/htdocs/zope/Zope.fcgi/$1 \
        [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,L]
    <Directory /var/www/htdocs/zope>
        SetHandler fastcgi-script
        AddHandler fastcgi-script .fcgi
        AllowOverride none
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>
</IfModule>

<IfDefine SSL>
    Listen 80
    Listen 443
</IfDefine>
....
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:logs/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLRandomSeed startup file:/dev/arandom 512
    SSLLog logs/ssl_engine_log
    SSLLogLevel info
</IfModule>

<IfDefine SSL>
#
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
    #DocumentRoot /var/www/htdocs/manual
    ServerName your.host.here
    ServerAdmin you@here.com
    ErrorLog logs/error_log
    TransferLog logs/access_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

HTH

Alec Munro wrote:
Chris Withers wrote:
Alec Munro wrote:
virtual host monsters yet, I have almost no idea how to get SSL working. I need a secure connection to Zope.
Why? Surely that bit should be behind your firewall?
cheers,
Chris
I guess I misphrased it. I need a secure method of communication with Zope. I want to be able to log in to the ZMI, or other administration tools, from a remote location, without sending passwords flying across the internet in cleartext. The server is a dedicated box in San Antonio, and I'm in Halifax. I don't actually need the communication between Apache and Zope to be secure, at least as long as they are behind the same firewall.
I think I've got it figured out anyway, but I would still appreciate suggestions.
participants (5): Alec Munro, Chris Withers, Jack Coates, Jordi YC, Ricardo Anguiano