[Zope] mod_rewrite rule to close management screens from outsiders
Ragnar Beer
rbeer@uni-goettingen.de
Wed, 28 Jun 2000 11:47:30 +0200
>Ragnar Beer wrote:
>>
>> >Ragnar Beer wrote:
>> >>
>> >> >> I'm trying to deny external access to Zope maintenance
>> >> >> from elsewhere (just to be sure), with Zope behind Apache. However, it
>> >> >> just doesn't seem to work... Sure, it's more Apache's problem, but I guess
>> >> >> someone around there has a working solution?
>> >> >>
>> >> >> <IfModule mod_rewrite.c>
>> >> >> RewriteEngine on
>> >> >> RewriteCond %{HTTP:Authorization} ^(.*)
>> >> >> RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>> >> >>
>> >> >> RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
>> >> >> RewriteRule ^/Zope.*manage - [F]
>> >> >> </IfModule>
>> >> >>
>> >> > > --
>> >>
>> >> I'm using
>> >>
>> >> <LocationMatch "/ssl|manage">
>> >> Deny from all
>> >> </LocationMatch>
>> >>
>> >> to block any request from my virtual server on port 80 that is under
>> >> the /ssl directory or has "manage" in it. You could then allow from
>> >> localhost.
>> >>
>> >> I was thinking about extending this idea to protect myself from
>> >> possible security holes in Zope by denying everything and allowing
>> >> only requests ending in _html or _img. Any opinions on that?
>> >
>> >What about callable objects that don't end in either of these?
>> >
>>
>> They wouldn't be callable from outside any more. This is the "deny
>> everything that isn't allowed explicitly" policy. If I wanted them to
>> be callable I'd have to put something in their names that makes it
>> possible to identify them and then allow access.
>
>
>That's an awful lot of code to rewrite ;)
Right, this is rather a strategy to follow from the beginning.
Otherwise - arghh! (But it's very proactive, isn't it?)
--Ragnar
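The quoted mod_rewrite config fails for a reason worth spelling out: the RewriteCond on %{HTTP:Authorization} uses ^(.*), which matches every request (including an empty header), so the first RewriteRule fires for every /Zope URL and its [l] flag stops processing before the [F] rule is ever reached. The following is an added example, not config from any of the posters, showing the rule order fixed, the LocationMatch approach with the localhost exception mentioned in the thread, and the "deny everything except _html/_img" idea expressed as a rewrite rule. It assumes Apache 1.3 syntax in a server or virtual-host context (not .htaccess), a PCGI binary at /usr/lib/cgi-bin/Zope, and 193.143.156.0/24 as the trusted network, all taken from the quoted rules; 127.0.0.1 as the local exception is an assumption.

```apache
# Added example, not from the original posts.  Apache 1.3 syntax.
# Assumes: server/vhost context, PCGI binary at /usr/lib/cgi-bin/Zope,
# trusted network 193.143.156.0/24, local exception 127.0.0.1.
<IfModule mod_rewrite.c>
    RewriteEngine on

    # 1. Forbid management screens from outside the trusted network.
    #    This rule must come BEFORE the pass-through rule: that rule
    #    carries [L], so anything placed after it is never evaluated.
    #    [NC] makes the "manage" match case-insensitive.
    RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.
    RewriteRule ^/Zope.*manage - [F,NC]

    # 2. Optional "deny everything not explicitly allowed" variant from
    #    the follow-up: outsiders may only fetch objects whose name ends
    #    in _html or _img.  Everything else is forbidden.  Note this also
    #    blocks bare folder URLs such as /Zope/foo/ unless they are
    #    rewritten to an explicit *_html object first.
    RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
    RewriteRule ^/Zope/.*[^/]$ - [F]
    RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.
    RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
    RewriteRule !(_html|_img)$ - [F]

    # 3. Hand everything that survived to Zope via PCGI, forwarding the
    #    Authorization header in an environment variable so Zope still
    #    sees HTTP Basic credentials.  Keep [L] here, last.
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [E=HTTP_CGI_AUTHORIZATION:%1,T=application/x-httpd-cgi,L]
</IfModule>

# Alternative from the follow-up message: block by location, then re-open
# for the local host only.  With "Order deny,allow", an address that
# matches an Allow line wins over "Deny from all".
<LocationMatch "/ssl|manage">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</LocationMatch>
```

Section 2 is deliberately strict and is shown only because the thread proposes it; the two rules together forbid any outsider path that does not end in _html or _img, and you would normally drop the first of the pair (the one rejecting paths ending in a non-slash character) and keep only the `!(_html|_img)$` rule, which is what the poster described. Two caveats apply to both approaches: the address checks rely on REMOTE_ADDR, so they are only meaningful if no trusting proxy sits in front of Apache, and a substring match on "manage" protects only URLs that contain that substring, so verify with a request from an untrusted address after each change rather than assuming the rule fired. On Apache 2.4 the Order/Deny/Allow lines become `Require ip 127.0.0.1`.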