mod_rewrite rule to close management screens from outsiders
I'm trying to deny external access to Zope maintenance from elsewhere (just to be sure), with Zope behind Apache. However, it just doesn't seem to work... Sure, it's more Apache's problem, but I guess someone around there has a working solution?

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
    RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
    RewriteRule ^/Zope.*manage - [F]
    </IfModule>

--
Riku Voipio
riku.voipio@tietoenator.com
09-862 60764
----- Original Message -----
From: Riku Voipio <riku.voipio@tietoenator.com>
To: <zope@zope.org>
Sent: Tuesday, June 27, 2000 4:05 PM
Subject: [Zope] mod_rewrite rule to close management screens from outsiders
I didn't use the `rewrite' module for something like this, but I remember that the order of the rules is VERY important. I suppose that when the first Cond is matched the last doesn't matter, so maybe it is better to invert the rules...

PM
I'm using

    <LocationMatch "/ssl|manage">
    Deny from all
    </LocationMatch>

to block any request from my virtual server on port 80 that is under the /ssl directory or has "manage" in it. You could then allow from localhost.

I was thinking about extending this idea to protect myself from possible security holes in Zope by denying everything and allowing only requests ending in _html or _img. Any opinions on that?

--Ragnar
What about callable objects that don't end in either of these?
They wouldn't be callable from outside any more. This is the "deny everything that isn't allowed explicitly" policy. If I wanted them to be callable I'd have to put something in their names that makes it possible to identify them and then allow access.

--Ragnar
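The two fixes discussed in this thread, combined into one Apache configuration as an added example (not code from any of the posters): the [F] rule is placed ahead of the CGI rewrite, because that rewrite matches every /Zope URL and its [L] flag stops rule processing before the forbid rule is ever reached, and the LocationMatch block gets the localhost exception Ragnar mentions. The 193.143.156 network and the /usr/lib/cgi-bin/Zope path come from the original post; using 127.0.0.1 for localhost is an assumption.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine on

    # Deny rule FIRST. In the original order the CGI rewrite below matched
    # every /Zope URL and its [L] flag ended rule processing, so this rule
    # was never evaluated. Now any URL containing "manage" under /Zope from
    # outside 193.143.156.0/24 gets a 403 before anything is rewritten.
    RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.
    RewriteRule ^/Zope.*manage - [F]

    # Remaining /Zope requests go to the Zope CGI, with the Authorization
    # header passed through in an environment variable as in the original.
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [E=HTTP_CGI_AUTHORIZATION:%1,T=application/x-httpd-cgi,L]
</IfModule>

# Second layer from later in the thread: deny the management screens and
# the /ssl tree to everyone except the local machine. LocationMatch tests
# the whole URL path, so "manage" anywhere in it is caught, including
# legitimate paths that merely contain that substring.
<LocationMatch "/ssl|manage">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</LocationMatch>
```

The rewrite rule and the LocationMatch both match on the literal string "manage"; a Zope object reachable under a different name is not covered, which is the point Bill raises above about callable objects.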
Participants (4):
- Bill Anderson
- Marcel Preda
- Ragnar Beer
- Riku Voipio