[Zope] mod_rewrite rule to close managment screens
fromoutsiders
Ragnar Beer
rbeer@uni-goettingen.de
Wed, 28 Jun 2000 10:14:39 +0200
>Ragnar Beer wrote:
>>
>> > > I'm trying to deny external access to zope maintainance from elsewhere
>> >> (just for sure), with Zope behind apache. However, It
>> >> just doesn't seem work... Sure It's more apache's problem, but I guess
>> >> someone around there has a working solution?
>> >>
>> >> #</IfModule>
>> >> dule mod_rewrite.c>
>> >> RewriteEngine on
>> >> RewriteCond %{HTTP:Authorization} ^(.*)
>> >> RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1
>> >[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>> >>
>> >> RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
>> >> RewriteRule ^/Zope.*manage - [F]
>> >> #</IfModule>
>> >>
>> > > --
>>
>> I'm using
>>
>> <LocationMatch "/ssl|manage">
>> Deny from all
>> </LocationMatch>
>>
>> to block any request from my virtual server on port 80 that is under
>> the /ssl directory or has "manage" in it. You could then allow from
>> localhost.
>>
>> I was thinking about extending this idea to protect myself from
>> possible seccurity-holes in zope by denying everything and allowing
>> only requests ending in _html or _img. Any opinions on that?
>
>What about callable objects that don't end in either of these?
>
They wouldn't be callable from outside any more. This is the "deny
everything that isn't allowed explicitly" policy. If I'd want them to
be callable I'd have to put something in their names the makes it
possible to identify them and then allow access.
--Ragnar