Apache + Zope + Authentication
Disclaimer: I have read 3 months worth of mailing list archives to no avail. Any help on the following problem will be much appreciated.

I am trying to configure mod_rewrite to pass authentication information to Zope. Here is the current state of things:

Relevant section from httpd.conf:
---------------------------------
<Directory "/">
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all

    # allows Apache to pass authentication headers to zope
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/(.*) $1 [ENV=HTTP_CGI_AUTHORIZATION:%1]
</Directory>

RewriteLog /var/log/apache/rewrite_log
RewriteLogLevel 9

Zope.cgi
--------
#!/export/opt1/zope-2.0.1/pcgi/pcgi-wrapper
PCGI_NAME=Zope
PCGI_MODULE_PATH=/export/opt1/zope-2.0.1/lib/python/Zope
PCGI_PUBLISHER=/export/opt1/zope-2.0.1/pcgi/pcgi_publisher.py
PCGI_EXE=/opt/bin/python
PCGI_SOCKET_FILE=/export/opt1/zope-2.0.1/var/pcgi.soc
PCGI_PID_FILE=/export/opt1/zope-2.0.1/var/pcgi.pid
PCGI_ERROR_LOG=/export/opt1/zope-2.0.1/var/pcgi.log
PCGI_DISPLAY_ERRORS=1
BOBO_REALM=/export/opt1/zope-2.0.1/Zope.cgi
BOBO_DEBUG_MODE=1
INSTANCE_HOME=/export/opt1/zope-2.0.1

Some other information
----------------------
Zope-2.0.1 is installed into /export/opt1/zope-2.0.1/. Web server document root is in /export/www, with HTML and cgi's in /export/www/{docs,cgi-bin}, respectively.

After starting ZServer with pcgi enabled, I can connect to http://my.server.name:8080/manage and enter in the superuser name and password. This works perfectly which means that Zope is correctly configured to handle authentication of the superuser.

If I shutdown ZServer and go to http://my.server.name/cgi-bin/Zope.cgi, I get the "Welcome to Zope" screen. However, if I try to enter http://my.server.name/cgi-bin/Zope.cgi/manage with the same superuser name and password, I'm denied access. This leads me to believe that the problem is with Apache passing off the authentication duties to Zope.

If you need more information, please let me know. My head's sore from banging it up against the wall in my office =)

Thanks in advance.

Regards,
Erick Mechler
On 14 Nov, Erick Mechler wrote:
> Relevant section from httpd.conf:
> ---------------------------------
> <Directory "/">
>     Options FollowSymLinks
>     AllowOverride None
>     Order deny,allow
>     Deny from all
>
>     # allows Apache to pass authentication headers to zope
>     RewriteEngine on
>     RewriteCond %{HTTP:Authorization} ^(.*)
>     RewriteRule ^/(.*) $1 [ENV=HTTP_CGI_AUTHORIZATION:%1]

try

RewriteRule ^/Zope(.*) /path/to/your/cgi-bin/Zope.cgi$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]

looks like you're not passing your info to Zope.cgi. The url to your zope site would then be machine.domain.tld/Zope/. you should also need a Options ExecCGI somewhere in that directory.

> </Directory>
>
> RewriteLog /var/log/apache/rewrite_log
> RewriteLogLevel 9

take a look into your rewrite.log, it will probably tell you what's wrong. Also, what OS/version and version of Apache are you running ?

-Th
hi erick,

try the following:

replace your line:

> RewriteRule ^/(.*) $1 [ENV=HTTP_CGI_AUTHORIZATION:%1]

with

RewriteRule ^(.*) <location of Zope.cgi>$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]

works for me :)

the $1 alone sends it nowhere, you need to prefix the full path to your zope.cgi file.

jens
Thanks everyone for your help, but I'm still not getting it to work. Here again is the modified version of my httpd.conf:

<Directory "/">
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Options +ExecCGI

    # allows Apache to pass authentication headers to zope
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/Zope(.*) /export/www/cgi-bin/Zope.cgi$1 \
        [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
</Directory>

RewriteLog /var/log/apache/rewrite_log
RewriteLogLevel 9

(Note that the two last lines are actually one).

BTW, Thomas, making the changes that you suggested didn't let me go to http://my.machine.tld/Zope and access the Zope welcome screen; I got a file not found.

I also neglected to tell you all that I'm running Apache 1.3.9 on Linux 2.2.12 kernel.

Thanks again for your time.

Erick

At Sun, Nov 14, 1999 at 11:24:05PM -0500, Jens Vagelpohl said this:
:: hi erick,
::
:: try the following:
::
:: replace your line:
:: > RewriteRule ^/(.*) $1 [ENV=HTTP_CGI_AUTHORIZATION:%1]
::
:: with
::
:: RewriteRule ^(.*) <location of Zope.cgi>$1 [e=HTTP_CGI_AUTHORIZATION:
:: %1,t=application/x-httpd-cgi,l]
::
:: works for me :)
::
:: the $1 alone sends it nowhere, you need to prefix the full path to your
:: zope.cgi file.
::
:: jens
::
On 14 Nov, Erick Mechler wrote:
> Thanks everyone for your help, but I'm still not getting it to work. Here again is the modified version of my httpd.conf:
>
> <Directory "/">
>     Options FollowSymLinks
>     AllowOverride None
>     Order deny,allow
>     Deny from all
>     Options +ExecCGI

not sure if the '+' is the right thing, but I meant that you need a Options ExecCGI on your cgi-bin directory. Sorry if that wasn't all clear

>     # allows Apache to pass authentication headers to zope
>     RewriteEngine on
>     RewriteCond %{HTTP:Authorization} ^(.*)
>     RewriteRule ^/Zope(.*) /export/www/cgi-bin/Zope.cgi$1 \
>         [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
> </Directory>
>
> RewriteLog /var/log/apache/rewrite_log
> RewriteLogLevel 9

next time you try, paste the relevant part of your rewrite log. That normally gives some clues....

> (Note that the two last lines are actually one).
>
> BTW, Thomas, making the changes that you suggested didn't let me go to http://my.machine.tld/Zope and access the Zope welcome screen; I got a file not found.

well, I hope you substituted your real machine name :> . Otherwise this suggests that your rewrite rule still is not working correctly. See above WRT rewrite_log

> I also neglected to tell you all that I'm running Apache 1.3.9 on Linux 2.2.12 kernel.

hope you have mod_rewrite etc. configured into it. If you have an ircII client, hop over to #zope, we might be able to help you there

-Th
:: not sure if the '+' is the right thing, but I meant that you need a
:: Options ExecCGI on your cgi-bin directory. Sorry if that wasn't all
:: clear

Yeah, the "+" syntax is correct (apache.org/docs/mod/core.html#options)

:: next time you try, paste the relevant part of your rewrite log. That
:: normally gives some clues....

Here is the output to the rewrite log (level 9) as a result of me going to http://hal.rescomp.berkeley.edu/cgi-bin/Zope.cgi, and clicking on the "management screen" link. To the uneducated eye (mine) it doesn't look like there's anything special here, however.

169.229.70.180 - - [15/Nov/1999:01:10:41 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] add path-info postfix: /export/www/cgi-bin/Zope.cgi -> /export/www/cgi-bin/Zope.cgi/
169.229.70.180 - - [15/Nov/1999:01:10:41 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] strip per-dir prefix: /export/www/cgi-bin/Zope.cgi/ -> export/www/cgi-bin/Zope.cgi/
169.229.70.180 - - [15/Nov/1999:01:10:41 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] applying pattern '^/Zope(.*)' to uri 'export/www/cgi-bin/Zope.cgi/'
169.229.70.180 - - [15/Nov/1999:01:10:41 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (1) [per-dir /] pass through /export/www/cgi-bin/Zope.cgi
169.229.70.180 - - [15/Nov/1999:01:10:48 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] add path-info postfix: /export/www/cgi-bin/Zope.cgi -> /export/www/cgi-bin/Zope.cgi/manage
169.229.70.180 - - [15/Nov/1999:01:10:48 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] strip per-dir prefix: /export/www/cgi-bin/Zope.cgi/manage -> export/www/cgi-bin/Zope.cgi/manage
169.229.70.180 - - [15/Nov/1999:01:10:48 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] applying pattern '^/Zope(.*)' to uri 'export/www/cgi-bin/Zope.cgi/manage'
169.229.70.180 - - [15/Nov/1999:01:10:48 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (1) [per-dir /] pass through /export/www/cgi-bin/Zope.cgi
169.229.70.180 - - [15/Nov/1999:01:11:01 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] add path-info postfix: /export/www/cgi-bin/Zope.cgi -> /export/www/cgi-bin/Zope.cgi/manage
169.229.70.180 - - [15/Nov/1999:01:11:01 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] strip per-dir prefix: /export/www/cgi-bin/Zope.cgi/manage -> export/www/cgi-bin/Zope.cgi/manage
169.229.70.180 - - [15/Nov/1999:01:11:01 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (3) [per-dir /] applying pattern '^/Zope(.*)' to uri 'export/www/cgi-bin/Zope.cgi/manage'
169.229.70.180 - - [15/Nov/1999:01:11:01 -0800] [hal.rescomp.berkeley.edu/sid#82df19c][rid#82e31bc/initial] (1) [per-dir /] pass through /export/www/cgi-bin/Zope.cgi

:: hope you have mod_rewrite etc. configured into it.

[emechler@hal /var/log/apache]$ httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_ssl.c
  mod_perl.c
  mod_php3.c
[emechler@hal /var/log/apache]$

mod_rewrite is in there.

Hey, I appreciate all of the help that you have given me so far. Please don't give up on me yet ;)

Regards,
Erick
On 15 Nov, Erick Mechler wrote:
> :: not sure if the '+' is the right thing, but I meant that you need a
> :: Options ExecCGI on your cgi-bin directory. Sorry if that wasn't all
> :: clear
>
> Yeah, the "+" syntax is correct (apache.org/docs/mod/core.html#options)
>
> :: next time you try, paste the relevant part of your rewrite log. That
> :: normally gives some clues....
>
> Here is the output to the rewrite log (level 9) as a result of me going to http://hal.rescomp.berkeley.edu/cgi-bin/Zope.cgi, and clicking on the

that looks like a SSL server to me, not sure if auth info gets properly passed w/ SSL. Also, try http://hal.rescomp.berkeley.edu/Zope/ and http://hal.rescomp.berkeley.edu/Zope/manage, and then look at the rewrite log to see how it matches things up. It should (depending on the apache version) look like :

192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (2) init rewrite engine with requested uri /Zope/
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (3) applying pattern '^/Zope(.*)' to uri '/Zope/'
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (4) RewriteCond: input='' pattern='^(.*)' => matched
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (2) rewrite /Zope/ -> /usr/local/www/cgi-bin/Zope.cgi/
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (5) setting env variable 'HTTP_CGI_AUTHORIZATION' to ''
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (2) remember /usr/local/www/cgi-bin/Zope.cgi/ to have MIME-type 'application/x-httpd-cgi'
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (2) local path result: /usr/local/www/cgi-bin/Zope.cgi/
192.168.1.3 - - [27/Oct/1999:22:49:57 -0700] [dorothy.hentschel.net/sid#ab034][rid#e4034/initial] (1) go-ahead with /usr/local/www/cgi-bin/Zope.cgi/ [OK]

> mod_rewrite is in there.

ok, just making sure :)

-Th
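Added example (not part of any message in this thread): a Python check over level-9 RewriteLog output that reports, per request, whether the rule rewrote the URI and whether HTTP_CGI_AUTHORIZATION was set. The function name `audit` and the sample prefix are assumptions made for illustration; the log messages are the ones shown in the two logs above.

```python
import re

# Apache 1.3 RewriteLog entry: "... [rid#x/initial] (level) [per-dir /] message"
ENTRY = re.compile(r"\[rid#[^\]]+\]\s+\(\d\)\s+(?:\[per-dir ([^\]]+)\]\s+)?(.*)")
APPLY = re.compile(r"applying pattern '(.*)' to uri '(.*)'")
SETENV = re.compile(r"setting env variable 'HTTP_CGI_AUTHORIZATION' to '(.*)'")

def audit(log_text):
    """Return one finding per request: was it rewritten, was the auth variable set."""
    findings, cur = [], None
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        per_dir, msg = m.groups()
        if cur is None:
            cur = {"per_dir": per_dir, "rewritten": False, "auth_env": "unset", "why": []}
        a, s = APPLY.match(msg), SETENV.match(msg)
        if a:
            pattern, uri = a.groups()
            # Per-directory rules are matched after the directory prefix is
            # stripped, so a pattern anchored on "^/" cannot match there.
            if per_dir and pattern.startswith("^/") and not uri.startswith("/"):
                cur["why"].append(f"{pattern!r} cannot match per-dir uri {uri!r}")
        elif msg.startswith("rewrite "):
            cur["rewritten"] = True
        elif s:
            # The log holds the raw header value; record only its presence.
            cur["auth_env"] = "present" if s.group(1) else "empty"
        elif msg.startswith(("pass through", "go-ahead")):
            if cur["auth_env"] == "unset":
                cur["why"].append("HTTP_CGI_AUTHORIZATION never set")
            findings.append(cur)
            cur = None
    return findings

# Sample input: messages from the thread's two logs behind a constructed prefix.
P = "192.0.2.1 - - [15/Nov/1999:01:10:48 -0800] [host/sid#1][rid#1/initial] "
SAMPLE = "\n".join(P + e for e in [
    "(3) [per-dir /] applying pattern '^/Zope(.*)' to uri 'export/www/cgi-bin/Zope.cgi/manage'",
    "(1) [per-dir /] pass through /export/www/cgi-bin/Zope.cgi",
    "(3) applying pattern '^/Zope(.*)' to uri '/Zope/'",
    "(2) rewrite /Zope/ -> /usr/local/www/cgi-bin/Zope.cgi/",
    "(5) setting env variable 'HTTP_CGI_AUTHORIZATION' to ''",
    "(1) go-ahead with /usr/local/www/cgi-bin/Zope.cgi/ [OK]",
])

if __name__ == "__main__":
    for f in audit(SAMPLE): print(f)
```

For the first sample request the report shows the `[per-dir /]` rule never matching, so the variable is never set. Because a level-9 log writes the value assigned to HTTP_CGI_AUTHORIZATION, the script keeps only whether it was present.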
"EM" == Erick Mechler <emechler@rescomp.berkeley.edu> writes:
EM> I am trying to configure mod_rewrite to pass authentication
EM> information to Zope. Here is the current state of things:

I think a better approach is to use mod_proxy. I don't remember who originally suggested this, but it seems to work very well for us, especially because my Zope server is on a different machine than my primary web server.

The main problem is "tricking" Zope to use a different URL base, but 4am's SiteAccess is supposed to handle this (haven't tried it yet).

Here are my Apache directives:

ProxyPass /Zope/ "http://othermachine.python.org:8080/"
ProxyPassReverse /Zope/ "http://othermachine.python.org:8080/"

Makes it simple to just run ZServer using the standard configuration.

Enjoy,
-Barry
participants (4)
- Barry A. Warsaw
- Erick Mechler
- Jens Vagelpohl
- thomas@hentschel.net