"Thierry Florac" <thierry.florac@onf.fr> writes:
I'd like to let users access my Zope web site normally through HTTP, but make my Zope management screens (in fact, any URL containing '/manage') only available through HTTPS.
We (still) don't use virtual host monster, but virtual site root instead (http://www.zope.org/Members/comlounge/vsr/).
In Apache you can do something like this:
RewriteRule ^.*/manage(_.*|())$ - [forbidden]
Please be aware that there may be products that don't use the 'manage' convention. So this rule doesn't restrict all possible management screens.
At the SSL server no special handling of management screens is necessary.
Regards, Frank
--
CTO fte@Lightwerk.com http://www.Lightwerk.com/
Fax: +49-2434-80 07 94 Phone: +49-2434-80 07 81
Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany
Visit us at CeBIT: Hall 6, Stand F68 / 595
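One way to verify that the rule above is actually in force is to audit the plain-HTTP virtual host's access log for manage* requests that were not answered with 403. This is an added example, not part of the original thread: it assumes Common Log Format, uses constructed log lines, and cannot see management pages that do not follow the 'manage' naming convention.

```python
import re

# Pattern copied from the RewriteRule in the thread; mod_rewrite matches it
# against the URL path only (no query string).
MANAGE_RULE = re.compile(r"^.*/manage(_.*|())$")

# Common Log Format (assumed): host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def audit_http_log(lines):
    """Return (blocked, leaked) request paths from a plain-HTTP access log.

    blocked: manage* paths answered with 403, i.e. the rule did its job.
    leaked:  manage* paths answered with anything else, i.e. the rule is
             missing, misplaced, or shadowed in this virtual host.
    """
    blocked, leaked = [], []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string before matching
        if MANAGE_RULE.match(path):
            (blocked if status == "403" else leaked).append(path)
    return blocked, leaked


# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Feb/2002:12:00:01 +0100] "GET /index_html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [25/Feb/2002:12:00:05 +0100] "GET /manage HTTP/1.0" 403 210',
    '192.0.2.11 - - [25/Feb/2002:12:01:40 +0100] "GET /docs/manage_main?skey=id HTTP/1.0" 403 210',
    '192.0.2.12 - - [25/Feb/2002:12:03:12 +0100] "POST /docs/manage_addFolder HTTP/1.0" 302 0',
    '192.0.2.12 - - [25/Feb/2002:12:04:00 +0100] "GET /docs/management_policy.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    blocked, leaked = audit_http_log(SAMPLE_LOG)
    print("blocked by rule:", blocked)
    print("served over plain HTTP:", leaked)
```

Any path reported as served over plain HTTP means the rule is not being applied for that request in the HTTP virtual host.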
Hi...!! Very, very, very well !!!
I installed and set up the VirtualSiteRoot product, which is really very simple to set up, and now it works really well, and without any complex rewriting or access rule !!
From now on, I can access my 'public' site through HTTP or HTTPS, and I HAVE to use HTTPS to access the management interface.
The only potential problem could be with management pages which don't use the 'manage*' naming convention, but until now I didn't encounter any with well-written products...
For interested users, I can send my Apache rewriting rules on simple mail request...
Thank you very much for your help ;-)))
Thierry
On 22.02.2002 - 09:24 Frank Tegtmeyer wrote:
"Thierry Florac" <thierry.florac@onf.fr> writes:
I'd like to let users access my Zope web site normally through HTTP, but make my Zope management screens (in fact, any URL containing '/manage') only available through HTTPS.
We (still) don't use virtual host monster, but virtual site root instead (http://www.zope.org/Members/comlounge/vsr/).
In Apache you can do something like this:
RewriteRule ^.*/manage(_.*|())$ - [forbidden]
Please be aware that there may be products that don't use the 'manage' convention. So this rule doesn't restrict all possible management screens.
At the SSL server no special handling of management screens is necessary.
Regards, Frank
--
CTO fte@Lightwerk.com http://www.Lightwerk.com/
Fax: +49-2434-80 07 94 Phone: +49-2434-80 07 81
Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany
Visit us at CeBIT: Hall 6, Stand F68 / 595
The only potential problem could be with management pages which don't use the 'manage*' naming convention, but until now I didn't encounter any with well-written products...
FYI, I use a subdomain, like manage.foo.com, which enforces use of SSL on all pages within that domain. However, it doesn't block people from trying to use manage_* methods, so they can always access them over the clear if they want to.
seb
On 25.02.2002 - 12:27 seb bacon wrote:
The only potential problem could be with management pages which don't use the 'manage*' naming convention, but until now I didn't encounter any with well-written products...
FYI, I use a subdomain, like manage.foo.com, which enforces use of SSL on all pages within that domain. However, it doesn't block people from trying to use manage_* methods, so they can always access them over the clear if they want to.
It's another solution, but that's exactly what I don't want: I don't want users to be able to send clear passwords across the network to access their management pages...!!
Another reason is that I use virtual hosts and Apache rewrite rules, and my Zope server is protected by a firewall which has the real Zope port (8080) closed, so managers can only access virtual hosts' management screens, not the global Zope management screen handling products,... which can only be accessed from the local network.
Thierry
participants (3): Frank Tegtmeyer, seb bacon, Thierry Florac