[Zope] mod_rewrite rule to close management screens from outsiders

Bill Anderson bill@libc.org
Wed, 28 Jun 2000 12:21:25 -0600


Ragnar Beer wrote:
> 
> >Ragnar Beer wrote:
> >>
> >>  >Ragnar Beer wrote:
> >>  >>
> >>  >>  >>  I'm trying to deny external access to Zope maintenance
> >>  >>  >>  from elsewhere (just to be sure), with Zope behind Apache. However, it
> >>  >>  >>  just doesn't seem to work... Sure, it's more Apache's problem, but I guess
> >>  >>  >>  someone around there has a working solution?
> >>  >>  >>
> >>  >>  >>  #</IfModule>
> >>  >>  >>  <IfModule mod_rewrite.c>
> >>  >>  >>  RewriteEngine on
> >>  >>  >>  RewriteCond %{HTTP:Authorization}  ^(.*)
> >>  >>  >>  RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
> >>  >>  >>
> >>  >>  >>  RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
> >>  >>  >>  RewriteRule ^/Zope.*manage - [F]
> >>  >>  >>  </IfModule>
> >>  >>  >>
> >>  >>  >  > --
> >>  >>
> >>  >>  I'm using
> >>  >>
> >>  >>  <LocationMatch "/ssl|manage">
> >>  >>  Deny from all
> >>  >>  </LocationMatch>
> >>  >>
> >>  >>  to block any request from my virtual server on port 80 that is under
> >>  >>  the /ssl directory or has "manage" in it. You could then allow from
> >>  >>  localhost.
> >>  >>
> >>  >>  I was thinking about extending this idea to protect myself from
> >>  >>  possible security holes in Zope by denying everything and allowing
> >>  >>  only requests ending in _html or _img. Any opinions on that?
> >>  >
> >>  >What about callable objects that don't end in either of these?
> >>  >
> >>
> >>  They wouldn't be callable from outside any more. This is the "deny
> >>  everything that isn't allowed explicitly" policy. If I'd want them to
> >>  be callable I'd have to put something in their names that makes it
> >>  possible to identify them and then allow access.
> >
> >
> >That's an awful lot of code to rewrite ;)
> 
> Right, this is rather a strategy to follow from the beginning.
> Otherwise - arghh! (But it's very proactive, isn't it?)
> 
> --Ragnar

Actually, I was referring to products you didn't write. For example,
ZStyleSheets. IIRC, they are callable objects, not using an index_html.
Likewise, I believe for such products as YiHAW, KnowledgeKit, KMNet
News, WorldPilot, etc..

But hey, nobody ever said security was easy ;-)
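As an added example (not code from anyone in this thread), here is a small Python model of the two policies under discussion: the `<LocationMatch "/ssl|manage">` block with a trusted-network exemption like the 193.143.156 RewriteCond, and the proposed default-deny policy that only lets `*_html` / `*_img` through. The request paths and client addresses are constructed, and the ZStyleSheets-style path is a placeholder, so the point is to see which requests each policy drops before putting the rules in front of a live site.

```python
import re
from ipaddress import ip_address, ip_network

# Rules modelled on the thread (assumed, not copied from any running config):
# the LocationMatch deny pattern, the network exempted by the RewriteCond,
# and the proposed allowlist of public object-name suffixes.
ADMIN_PATH = re.compile(r"/ssl|manage")      # <LocationMatch "/ssl|manage">
ADMIN_NETS = [ip_network("127.0.0.1/32"), ip_network("193.143.156.0/24")]
PUBLIC_PATH = re.compile(r"(_html|_img)$")    # "allow only *_html or *_img"


def decide(path: str, client_ip: str, strict: bool = False) -> str:
    """Return 'allow' or 'deny' for one request.

    strict=False reproduces only the management-screen block;
    strict=True also applies the default-deny policy that permits
    nothing but paths ending in _html or _img (trusted nets excepted).
    """
    ip = ip_address(client_ip)
    trusted = any(ip in net for net in ADMIN_NETS)
    if ADMIN_PATH.search(path) and not trusted:
        return "deny"
    if strict and not trusted and not PUBLIC_PATH.search(path):
        return "deny"
    return "allow"


# Constructed sample requests used to exercise both policies.
SAMPLES = [
    ("/index_html", "10.0.0.5"),
    ("/manage_main", "10.0.0.5"),
    ("/manage_main", "193.143.156.10"),
    ("/news/manager_notes_html", "10.0.0.5"),        # "manage" substring: false positive
    ("/Products/ZStyleSheets/site_css", "10.0.0.5"),  # placeholder callable object, no _html/_img
]


def audit(strict: bool = False) -> dict:
    """Map 'client path' -> decision for every constructed sample."""
    return {f"{ip} {path}": decide(path, ip, strict) for path, ip in SAMPLES}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}")
        for key, verdict in audit(strict=mode).items():
            print(f"  {verdict:5}  {key}")
```

Running it shows the two caveats raised in the thread: the substring match on "manage" also blocks an ordinary page whose name happens to contain it, and the strict policy silently cuts off every callable object that does not follow the `_html`/`_img` naming convention.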