SSL + ProxyPass + Zope question...
Hello,

Apache is listening on port 80 and 443, Zope listening on port 8080. When a request comes in for port 443 (or HTTPS) Apache forwards the request to Zope on port 8080 and sends the results back out thru SSL, just as it should. If a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection is created and the password is forwarded to Zope after it's been sent thru SSL. However, if the user goes to http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request and it goes straight to Zope. The user is then prompted for a password, which would be sent back to Zope without SSL.

So my question is, how do I keep Zope from accepting any requests from the outside world unless they've gone thru Apache first? Can I tell Zope to listen on something like 192.168.1.123:8080 so that it will never see requests from the outside world?

TIA,
Eric.
Hi Eric,

Apache sets an environment variable when SSL is used. You can check for that variable in an Access rule, or standard_html_header or some other method.

-steve

On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
> [...]
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Hi Steve,

Well, in the condition I described, if the user knows the port that Zope is running on, they could bypass Apache altogether. So, what I need is to make Zope inaccessible to the outside world. That way, all traffic would have to be sent thru Apache.

Thanks,
Eric.

-----Original Message-----
From: Steve Spicklemire [mailto:steve@spvi.com]
Sent: Friday, August 03, 2001 4:16 PM
To: Eric Walstad
Cc: Steve Spicklemire; zope@zope.org
Subject: Re: [Zope] SSL + ProxyPass + Zope question...

[...]
Hi Eric,

Right... someone suggested a firewall.. which is fine if you want to make all of zope inaccessible on port 8080, and clearly it's a sure-fire solution. However it also requires that you have *access* to put up a firewall, which you might not! My thought was that, in Zope you could simply protect a particular area by adding code to standard_html_header in that area that did a check, e.g.,

<dtml-if "URL[:5] == 'http:'">
  <dtml-call "RESPONSE.redirect('https:' + URL[5:])">
  <dtml-return "'REDIRECTING.. to secure port.. '">
</dtml-if>
...

This way, you could still use 8080 for other things if you wanted to. I guess the question comes down to 'who are you trying to protect from doing what?'. If it's your own users then, as Joachim mentioned maybe it's just a matter of education?

-steve

On Saturday, August 4, 2001, at 11:48 PM, Eric Walstad wrote:
> [...]
Thanks Steve,

Yes, I have a redirect in there now similar to what you wrote below. One problem with doing it this way is that if the user *does* manage to get to the page on the insecure port, the password they enter will be sent to the server unencrypted. Then the redirect takes over and everything else is done securely, which is better than nothing, but to me the password is important. In my experience, even well educated users will manage to find an application's "undocumented secrets" (bugs) :).

Thanks for all your feedback. It's been very helpful.

Eric.

-----Original Message-----
From: Steve Spicklemire [mailto:steve@spvi.com]
Sent: Sunday, August 05, 2001 3:05 AM
To: Eric Walstad
Cc: Steve Spicklemire; zope@zope.org
Subject: Re: [Zope] SSL + ProxyPass + Zope question...

[...]
Hi Eric,

Ahh... in this case maybe an AccessRule would be better. Note that you *can* use _SUPPRESS_ACCESS_RULE (or something like that, not sure of exact spelling) in the URL to override these.. but you have to *really* know about it to know that.

take care,
-steve

On Sunday, August 5, 2001, at 04:25 PM, Eric Walstad wrote:
> [...]
Hi Zopers,

I did some research on this ... but I'm up against deadlines :-)

(1): Apparently <dtml-raise Unauthorized> creates a "rendering loop". That is, you raise Unauthorized, get the login screen, enter a VALID userid/password, click OK and you get yet ANOTHER login screen.

This isn't very helpful.

I want to be able to login new users without the need for the user to terminate the browser and restart.

I am really hoping that someone has solved this problem (without turning to 3rd party login managers).

(2): Also, is there a way to login a user "programmatically", that is, by avoiding the browser login screen and logging the user in via a python script or DTML????

Any insights please! Thanks, David
Hi David

The problem is (I think) that raise Unauthorized is unconditional. You'll need something along the lines of:

<form action="reauth" method="POST">
<center>
<br><br>
<h2>Re-Authenticate as a different user...</h2><br><br>
<table width=80%>
<tr><td>You are currently authenticated as: <!--#var AUTHENTICATED_USER--></td></tr>
<tr><td>Who would you like to authenticate as? <input name=authName size=40></td></tr>
<tr><td><input type=submit value="Re Authenticate"></td></tr>
</table>
</center>
</form>

where reauth is a DTML Method like:

<!--#if "_.has_key('AUTHENTICATED_USER') and AUTHENTICATED_USER.getUserName() == authName"-->
  <!--#call "RESPONSE.redirect('http://your.place/where/you/want/them/to/go')"-->
<!--#else-->
  <!--#raise Unauthorized-->
  <!--#/raise-->
<!--#/if-->

(excuse the old syntax.. I resurrected this from some *old* code)

-steve

David Hassalevris wrote:
> [...]
Forgot to mention.. Also.. you can just dismiss the authentication prompt (after a 'raise Unauthorized') and then go to a protected page that doesn't have an unconditional 'raise Unauthorized' and you should be allowed to log in again..

-steve

Steve Spicklemire wrote:
> [...]
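The "rendering loop" David describes and the conditional check in Steve's reauth method, modelled as an added Python simulation (this is not code from the thread or from Zope): a stand-in Unauthorized exception, a constructed two-user table, and a browser stand-in that, after every 401, resends the request with the name and password typed at the prompt. The handler names, the user names and the 302 result are assumptions made for the demo. With an unconditional raise the browser keeps getting 401 no matter how valid the credentials are; with the conditional version the challenge stops as soon as the authenticated user is the one that was asked for.

```python
import base64


class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception; the server turns it into a 401."""


# Constructed user table for the simulation (not real credentials).
USERS = {"alice": "wonderland", "bob": "builder"}


def basic_header(name, password):
    """Build the Authorization header value a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{name}:{password}".encode()).decode()
    return "Basic " + token


def authenticated_user(authorization):
    """Return the user name if the Basic header carries valid credentials, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        name, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return name if USERS.get(name) == password else None


def reauth_unconditional(user, auth_name):
    """The behaviour David describes: raise whoever is logged in, so valid creds loop."""
    raise Unauthorized


def reauth_conditional(user, auth_name):
    """Steve's reauth logic, modelled here: challenge only until the requested
    user is the one actually authenticated, then send them on their way."""
    if user is not None and user == auth_name:
        return 302  # assumed status of the redirect to the landing page
    raise Unauthorized


def browser_round_trips(handler, auth_name, typed_password,
                        initial_authorization=None, max_rounds=3):
    """Simulate a browser hitting the reauth page.

    On each 401 the browser prompts, the user types auth_name/typed_password,
    and the browser resends the request with those credentials. Returns the
    list of status codes observed, so a loop shows up as repeated 401s.
    """
    statuses = []
    authorization = initial_authorization
    for _ in range(max_rounds):
        try:
            statuses.append(handler(authenticated_user(authorization), auth_name))
            break
        except Unauthorized:
            statuses.append(401)
            authorization = basic_header(auth_name, typed_password)
    return statuses


if __name__ == "__main__":
    alice = basic_header("alice", "wonderland")
    print("unconditional:", browser_round_trips(reauth_unconditional, "bob", "builder", alice))
    print("conditional:  ", browser_round_trips(reauth_conditional, "bob", "builder", alice))
    print("wrong password:", browser_round_trips(reauth_conditional, "bob", "wrong", alice))
```

The wrong-password run is Chris's point below in miniature: once the browser holds a rejected credential, nothing the server returns can make it forget one; Basic auth only ever loops or stops, it has no logout.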
On Sun, 05 Aug 2001 14:43:38 -0700 David Hassalevris <bluepaul@earthlink.net> wrote:

> Hi Zopers,
>
> I did some research on this ... but I'm up against deadlines :-) (1): Apparently <dtml-raise Unauthorized> creates a "rendering loop". That is, you raise Unauthorized, get the login screen, enter a VALID userid/password, click OK and you get yet ANOTHER login screen.
>
> I want to be able to login new users without the need for the user to terminate the browser and restart.

This is a problem with HTTP basic authentication, and unfortunately there's nothing that Zope can do about it. The same problem would happen under any system that used HTTP basic authentication.

> I am really hoping that someone has solved this problem (without turning to 3rd party login managers).

Nope, you need a user folder that supports cookie-based authentication, sorry..

> (2): Also, is there a way to login a user "programmatically", that is, by avoiding the browser login screen and logging the user in via a python script or DTML????

There is a way, but it's not documented, and it's only available from within "unrestricted code" (External Methods and Python Products). For an example, see the EventWrapper class inside CoreSessionTracking's SessionDataManager.py file.
The easiest way is to use Shane's "CookieCrumbler" - very easy to install and maintain, and converts any user folder to work with cookie-based authentication ...

Joachim
the easiest way to prevent *all* outside access to zope directly, if your apache and zope run on the same box, is to have zope listen on the localhost address only (127.0.0.1). simply pass "-X -w 127.0.0.1:8080" to the start script (the actual port doesn't matter that much).

the "-X" option is there to turn off any services that might want to start up and listen, like FTP or the monitor daemon.

then you just change your rewrite or proxy rules in apache to redirect through port 127.0.0.1

jens

On Sunday, August 5, 2001, at 12:48, Eric Walstad wrote:
> [...]
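As an added example (not code from the thread or from Zope), a Python check for Jens's advice: parse a "netstat -ltn"-style listing and report every address other than loopback on which the back-end ports are bound, so that Phil's question ("was I still reachable on the global IP?") can be answered from the socket table rather than by trial and error. The listing is constructed for the example and assumes the Linux netstat column layout (other tools lay the columns out differently); the 8021 entry is a made-up second service left listening on all interfaces, the kind of leftover the "-X" switch is meant to avoid.

```python
"""Verify that back-end listeners are reachable only via loopback."""

# Constructed sample in the column layout of Linux "netstat -ltn" (an
# assumption; "ss -ltn" and BSD netstat use different columns).
SAMPLE_LISTING = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp6       0      0 :::8021                 :::*                    LISTEN
"""

# Bind addresses that only the local box can reach.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(listing):
    """Yield (address, port) for every TCP socket in LISTEN state.

    The local address is the fourth column; the port follows the last colon,
    which also copes with IPv6 forms such as ':::8021'.
    """
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        yield address, int(port)


def exposed_listeners(listing, port):
    """Addresses other than loopback on which `port` is bound.

    An empty list means only processes on the same host (Apache, here)
    can open a connection to that port.
    """
    return [addr for addr, p in parse_listeners(listing)
            if p == port and addr not in LOOPBACK]


def audit(listing, backend_ports):
    """Map each back-end port to its exposed bind addresses; all-empty is the goal."""
    return {port: exposed_listeners(listing, port) for port in backend_ports}


if __name__ == "__main__":
    # On a live host, feed in the output of "netstat -ltn" instead of the sample.
    for port, exposed in audit(SAMPLE_LISTING, [8080, 8021]).items():
        state = "ok (loopback only)" if not exposed else "EXPOSED on " + ", ".join(exposed)
        print(f"port {port}: {state}")
```

Run against the sample it reports 8080 as loopback-only and 8021 as exposed on "::" (all IPv6 interfaces, which on most Linux hosts also accepts IPv4); the same audit run after the "-X -w 127.0.0.1:8080" change, and again after any Zope restart, is the cheap way to confirm the bypass Eric worried about is closed.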
Jens,

Having tried that a few days ago, I'm not sure that it actually works.
I was still able to connect via the global IP and the port number specified.
Maybe I was doing something wrong?

Phil

----- Original Message -----
From: "Jens Vagelpohl" <jens@zope.com>
To: <zope@zope.org>
Sent: Monday, August 06, 2001 1:11 PM
Subject: Re: [Zope] SSL + ProxyPass + Zope question...

[...]
My bad, I didn't read your mail correctly, I tried the -a option.

----- Original Message -----
From: "Phil Harris" <phil.harris@zope.co.uk>
To: "Jens Vagelpohl" <jens@zope.com>; <zope@zope.org>
Sent: Monday, August 06, 2001 1:20 PM
Subject: Re: [Zope] SSL + ProxyPass + Zope question...

[...]
Great! That's just what I was looking for. Thanks, Jens! Eric.
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Jens Vagelpohl
Sent: Monday, August 06, 2001 5:12 AM
To: zope@zope.org
Subject: Re: [Zope] SSL + ProxyPass + Zope question...

[...]
participants (7)
- Chris McDonough
- David Hassalevris
- Eric Walstad
- Jens Vagelpohl
- Joachim Werner
- Phil Harris
- Steve Spicklemire