We are trying to add a new user into our acl_users folder which includes a domain criteria to prevent people from logging into Zope from outwith our network.

As we are using Apache, all traffic to our site comes through Apache and therefore all access seems to come through the same IP address. This is making it impossible for us to restrict access to a specific domain.

Has anyone else had this problem, and if so, did they manage to get round it?

-------------------------------------------------
Craig Stoddart
IT Software Development Officer
Dundee City Council IT Division
Northern College Technical Block
Gardyne Road
Dundee DD5 1NY
Phone: 01382 438170
Fax: 01382 438002
E-mail: craig.stoddart@dundeecity.gov.uk
-------------------------------------------------
On 13 Jun 2001, Craig Stoddart wrote:
We are trying to add a new user into our acl_users folder which includes a domain criteria to prevent people from logging into Zope from outwith our network.
As we are using Apache, all traffic to our site comes through Apache and therefore all access seems to come through the same IP address. This is making it impossible for us to restrict access to a specific domain.
Why not filter from inside Apache instead? What about forbidding access to the Zope port with a firewall?

just my 0.0002 euros.

Jerome Alet
On Wed, Jun 13, 2001 at 10:16:00AM -0000, Craig Stoddart wrote:
We are trying to add a new user into our acl_users folder which includes a domain criteria to prevent people from logging into Zope from outwith our network.
As we are using Apache, all traffic to our site comes through Apache and therefore all access seems to come through the same IP address. This is making it impossible for us to restrict access to a specific domain.
Has anyone else had this problem, and if so, did they manage to get round it?
OK, this is essentially the problem I asked about a couple of days ago. This will work:

    DocumentRoot /var/www
    RewriteEngine On
    RewriteLog "/var/log/apache-ssl/rewrite_log"
    RewriteLogLevel 0
    ProxyRequests on
    <Directory /var/www/dynamic>
        RewriteEngine On
        RewriteRule ^/var/www/dynamic/(.*) http://localhost:8080/$1?REMOTE_ADDR=%{REMOTE_ADDR} [QSA,P]
    </Directory>

(Possibly with some adjustment).

Caveats/Comments:

1) Be sure to test with RewriteLogLevel at least 1; you have to see what the Rule is doing to your addresses and may need to adjust accordingly. I found that my setup on my test and production machine was subtly different; on one machine I needed ^/var/www/dynamic/(.*) as my pattern, on the other it was only ^(.*).

2) You may need to create an empty directory /var/www/dynamic (as above).

3) This is suitable for a mixed static/dynamic site. Change the Rule to suit your site's policy. This rule uses Zope to serve the dynamic folder and apache to serve anything else; you might want to have Zope serve anything with a few exceptions.

4) I am running apache-ssl in front. Works fine.

5) QSA does the right thing. If there is already a query string, the '?' will be automagically converted to '&'.

6) You will now have two REMOTE_ADDR objects available, one in environ and one in QUERY_STRING. You have to be sure to fetch the one from the QUERY_STRING.

7) It might be easier to use

    RewriteRule ^/var/www/dynamic/(.*) http://localhost:8080/$1?TRUE_REMOTE_ADDR=%{REMOTE_ADDR} [QSA,P]

Jim Penny
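An added example, not part of the thread and not Zope's own code: a stand-alone Python sketch of the check the Zope side needs when the client address arrives in the TRUE_REMOTE_ADDR query parameter from caveat 7. The parameter is only meaningful on requests that really came from Apache, and with [QSA] the value written by the rule precedes anything in the original query string. The loopback proxy address, the 10.0.0.0/8 network and the function names are assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl

# Assumptions (not from the thread): Apache connects to Zope from loopback,
# and the organisation's own network is 10.0.0.0/8.
TRUSTED_PROXIES = {"127.0.0.1"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PARAM = "TRUE_REMOTE_ADDR"


def client_addr(peer_addr, query_string):
    """Return the address to use for the domain check, or None.

    peer_addr is the socket peer Zope sees (REMOTE_ADDR in environ);
    query_string is the raw QUERY_STRING after Apache's rewrite.
    """
    if peer_addr not in TRUSTED_PROXIES:
        # Not proxied by Apache (e.g. port 8080 reached directly):
        # the parameter carries no authority, use the real peer.
        return peer_addr
    # [QSA] appends the original query string after the one the rule
    # created, so only the first occurrence was written by Apache.
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == PARAM:
            try:
                return str(ipaddress.ip_address(value))
            except ValueError:
                return None  # malformed value: fail closed
    return None  # proxied request without the parameter: fail closed


def is_allowed(peer_addr, query_string):
    """True only if the effective client address is inside ALLOWED_NETS."""
    addr = client_addr(peer_addr, query_string)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)
```

This check complements, and does not replace, the firewall on the Zope port suggested earlier in the thread.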