Re: [Zope] Zope+Apache+ProxyPass
Ragnar Beer <rbeer@uni-goettingen.de> writes:
I'm confused by a note in your caching howto about managing Zope using an SSL connection:
Apache+ZServer+SSL From the author of this How-To I also got a very good tip for what to do if you want to manage your website via https to avoid sending your unencrypted password over the net: Reverse the setup he describes, i.e. instead of creating a folder "ssl" and making the base of the site root "https://..." create a folder "http" and make the base of the site root "http://..."
Isn't the username/password still sent in clear text (mime-encoded) as soon as you attempt to manage anything in the /http folder because of the unencrypted connection (http://...) specified by the siteroot?
-kevin
Of course you need to use the https protocol! The advantage of the reversed setup is that if you configure it that way then the "natural" way to access the site can be https and http is the special case and not the other way round.
Ragnar
But you can't use https to access the "http" folder once you've created the SiteRoot that specifies a base of "http://..." in that folder. This means it is impossible to manage the http section without sending your password in clear text if you set things up the way you recommend.
[snip] That's one thing I hate about SiteRoots - once you've created them you can't manage them anymore in some situations :( But that's only true for the SiteRoot object itself.

For me it's perfectly possible to manage the http section without sending my password in cleartext, and I wouldn't have considered using Zope at all if that hadn't been possible. My SiteRoot 'http' located in the root folder looks like this:

Base: http://www.myaddress.de
Path: /

So 'http' is _not_ a folder - it's a SiteRoot object! So it's only another possible way to access the whole site.

Then in my virtual host port 80 section, as a security precaution, access is forbidden to anything that contains the string 'manage'. This way I can never accidentally manage the site sending a password in cleartext. Also the access to the folders containing ssl-only stuff is forbidden in this section. On the other hand, in the port 443 section the whole site is accessible (with few exceptions) so that I can manage everything with https.

I don't know about your setup but I think this solution is very flexible so that it should be possible to adapt it to a large range of problems.

Ragnar
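The Apache side of the setup Ragnar describes above, written out as an added example (it is not from the thread or from any Zope howto). It assumes Apache 2.4 syntax, a ZServer listening on 127.0.0.1:8080, the hostname www.myaddress.de from the message, placeholder certificate paths, and an invented folder name "private" standing in for the "ssl-only stuff"; the SiteRoot object itself lives inside Zope and is not part of this file.

```apache
# Port 80: cleartext. The public site is proxied through, but any URL whose
# path contains "manage" is refused, so a management screen (and the Basic
# auth header it would trigger) can never be sent over plain http by accident.
<VirtualHost *:80>
    ServerName www.myaddress.de

    # Zope management screens are all reached via ".../manage..." paths
    <LocationMatch "manage">
        Require all denied
    </LocationMatch>

    # Folders that must only be reachable over https (assumed folder name)
    <Location "/private">
        Require all denied
    </Location>

    # Everything else goes to ZServer (assumed backend address)
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Port 443: the whole site, management screens included, is proxied.
<VirtualHost *:443>
    ServerName www.myaddress.de

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.myaddress.de.pem    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/www.myaddress.de.key  # placeholder

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

A quick check after reloading Apache: a request for http://www.myaddress.de/manage should come back 403 from Apache without ever reaching ZServer, while the same path over https should return the Zope login prompt. The 403 on port 80 is deliberately a refusal rather than a redirect to https: a browser that has already cached Basic credentials would send them on the first cleartext request, before any redirect could help.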