[Zope] Zope setup with firewall

Nemeth Miklos nemeth@iqsoft.hu
Wed, 17 Nov 1999 13:10:18 +0100


Thanks a lot! I am going to discuss the topic with my network admin.
(1)
Just one more thing to make me sure:
There is no possibility to access Zope directly (that is, without going out to
the Internet) from the local network in this architecture?
(2)
And another one. What about this "layout":
AnyBrowser+SSL <--HTTP--> Apache Proxy+SSL <--> firewall <--> Apache+SSL+pcgi
<---> Zope+Fnorb
<--IIOP--> SQLBroker+ORBacus <--SQL*Net--> CorporateDatabase(Oracle7)
The first Apache would be set up restricting access with the Location tags in
httpsd.conf as you suggested. This would be used only for forwarding
appropriate HTTP requests to the second Apache server.
All internal users might be able to directly access Zope through the second
Apache server.

Miklos Nemeth

Ewald Wasscher wrote:

> Nemeth Miklos wrote:
> >
> > I'd like to have the following architecture:
> >
> > AnyBrowser+SSL <-HTTP-> Apache+SSL+pcgi <--> firewall <--> Zope+Fnorb
> > <-IIOP-> SQLBroker+ORBacus <-SQL*Net-> CorporateDatabase(Oracle7)
> >
> > The users access Zope from the Internet via an Apache+SSL server.
> > For security reasons my network administrator (responsible for security)
> > does not want to allow any Zope management activity initiated from the
> > Internet.
> > However I do want to manage Zope from the internal network while web
> > clients are using my Zope application at the same time.
> > (1) How can I access my Zope from the internal network? Can anyone
> > suggest a solution to my problem?
>
> The network administrator could try something like the following setup in
> the apache configuration file:
>
> <Location /zopesite/manage>
> order allow,deny
> Allow from .iqsoft.hu
> </Location>
>
> Make sure this section comes before the Rewriterules that apply to Zope.
> Please take a look at the apache docs and adjust this where needed. Make
> sure you test the setup, and don't blame me if something goes wrong. You
> could set up certificate authentication for this <Location> to make it more
> secure. At least for Apache+mod_ssl there is a (dirty) way to do this.
>
> > A less important problem is that my network administrator also wishes a
> > secured communication between the Apache+SSL server and Zope (over the
> > firewall). This communication is the task of pcgi.
> > (2) Is there any solution to do this?
>
> One solution could be to install some kind of Virtual Private Network
> package (IPSec, cipe, PGPnet (commercial), etc). The network
> administrator should know what I mean.
>
> A simpler (but perhaps less secure) option would be the use of sslwrap
> (http://www.rickk.com/sslwrap/) or stunnel
> (http://blah.lpt.fi/doc/stunnel/)
> to SSL-ify the connection between Apache and Zope.
>
> <--CUT-->
>
> Ewald Wasscher
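
Added example, not part of the original thread and not Apache's own code: a simplified Python model of how the `order` and `Allow from` lines in the quoted `<Location /zopesite/manage>` block decide access, assuming the client host name is the one the server obtained by reverse DNS. The function names and the sample client names are constructed for illustration.

```python
# Simplified model of Apache host-based access checks (Order / Allow from /
# Deny from with domain-name rules). Illustrative only; not Apache's code.

def in_domain(rule, host):
    """Match a (partial) domain-name rule such as '.iqsoft.hu' against a host name."""
    rule, host = rule.lower(), host.lower()
    if not rule or not host.endswith(rule):
        return False
    if len(host) == len(rule):
        return True
    # Only whole DNS labels count: 'iqsoft.hu' must not admit 'eviliqsoft.hu'.
    return rule.startswith(".") or host[-len(rule) - 1] == "."

def matches(rules, host):
    """True if any rule ('all' or a domain name) matches the host."""
    return any(r.lower() == "all" or in_domain(r, host) for r in rules)

def access_allowed(order, allow, deny, host):
    """host is the reverse-DNS name of the client, or None if it has none."""
    host = host or ""
    allowed, denied = matches(allow, host), matches(deny, host)
    if order == "allow,deny":      # default: deny
        return allowed and not denied
    if order == "deny,allow":      # default: allow
        return allowed or not denied
    raise ValueError("unsupported Order: %r" % order)

def manage_allowed(host, order="allow,deny"):
    """The rule quoted in the thread for /zopesite/manage."""
    return access_allowed(order, allow=[".iqsoft.hu"], deny=[], host=host)

if __name__ == "__main__":
    # Constructed client names, not taken from the thread.
    for h in ("admin.iqsoft.hu", "dialup.example.net", "eviliqsoft.hu", None):
        print(h, manage_allowed(h), manage_allowed(h, order="deny,allow"))
```

With `deny,allow` and no `Deny from all`, the same `Allow` line restricts nothing, which is why the ordering keyword matters when the setup is tested.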