[Zope] mod_rewrite rule to close management screens from outsiders
Ragnar Beer
rbeer@uni-goettingen.de
Tue, 27 Jun 2000 22:18:49 +0200
>> I'm trying to deny external access to Zope maintenance from elsewhere
>> (just for sure), with Zope behind Apache. However, it
>> just doesn't seem to work... Sure, it's more Apache's problem, but I guess
>> someone around there has a working solution?
>>
>> #<IfModule mod_rewrite.c>
>> RewriteEngine on
>> RewriteCond %{HTTP:Authorization} ^(.*)
>> RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>>
>> RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
>> RewriteRule ^/Zope.*manage - [F]
>> #</IfModule>
>>
>> --
I'm using
<LocationMatch "/ssl|manage">
Deny from all
</LocationMatch>
to block any request from my virtual server on port 80 that is under
the /ssl directory or has "manage" in it. You could then allow from
localhost.
I was thinking about extending this idea to protect myself from
possible security holes in Zope by denying everything and allowing
only requests ending in _html or _img. Any opinions on that?
--Ragnar
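
An added example, not part of the original message: a small Python model of the two policies discussed above, run over constructed request paths to show what the unanchored "/ssl|manage" pattern blocks and what the proposed _html/_img allowlist would let through. The function names, the sample paths, and the choice to keep the deny pattern on top of the allowlist are assumptions made for illustration.

```python
import re

# Patterns from the message above. Apache applies a LocationMatch regex
# unanchored to the URL path, which re.search() models (re.match would not).
DENY_RE = re.compile(r"/ssl|manage")      # the posted <LocationMatch>
ALLOW_RE = re.compile(r"(_html|_img)$")   # the proposed suffix allowlist

def denylist_only(path):
    """Posted policy: serve everything unless the deny pattern matches."""
    return "deny" if DENY_RE.search(path) else "allow"

def allowlist_then_deny(path):
    """Assumed combination: default deny, allow *_html / *_img, and keep the
    deny pattern on top so an allowed suffix cannot reopen a blocked path."""
    if DENY_RE.search(path):
        return "deny"
    return "allow" if ALLOW_RE.search(path) else "deny"

# Constructed sample paths, not taken from the original post.
SAMPLES = [
    "/index_html",
    "/logo_img",
    "/Zope/manage",
    "/Zope/manage_main",
    "/Zope/manage_page_html",   # allowed suffix, still blocked by the deny rule
    "/ssl/index_html",
    "/docs/management_html",    # public page caught by the substring "manage"
    "/Zope/some_method",        # no allowed suffix: only the allowlist stops it
]

def evaluate(paths=SAMPLES):
    """Return (path, denylist verdict, allowlist verdict) for each path."""
    return [(p, denylist_only(p), allowlist_then_deny(p)) for p in paths]

if __name__ == "__main__":
    print(f"{'path':<26}{'denylist':<10}allowlist+deny")
    for path, old, new in evaluate():
        print(f"{path:<26}{old:<10}{new}")
```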