[Zope] SSL + ProxyPass + Zope question...

Steve Spicklemire steve@spvi.com
Sun, 5 Aug 2001 05:05:11 -0500


Hi Eric,

	Right... someone suggested a firewall.. which is fine if you want 
to make all of zope inaccessible on port 8080, and clearly it's a 
sure-fire solution. However it also requires that you have *access* to 
put up a firewall, which you might not! My thought was that, in Zope 
you could simply protect a particular area by adding code 
to standard_html_header in that area that did a check, e.g.,

<dtml-if "URL[:5] == 'http:'">
<dtml-call "RESPONSE.redirect('https:' + URL[5:])">
<dtml-return "'REDIRECTING.. to secure port.. '">
</dtml-if>

...

This way, you could still use 8080 for other things if you wanted to. I 
guess the question comes down to 'who are you trying to protect from 
doing what?'. If it's your own users then, as Joachim mentioned, maybe 
it's just a matter of education?

-steve

On Saturday, August 4, 2001, at 11:48 PM, Eric Walstad wrote:

> Hi Steve,
> Well, in the condition I described, if the user knows the port that Zope is
> running on, they could bypass Apache altogether.  So, what I need is to make
> Zope inaccessible to the outside world.  That way, all traffic would have to
> be sent thru Apache.
> Thanks,
> Eric.
>
> -----Original Message-----
> From: Steve Spicklemire [mailto:steve@spvi.com]
> Sent: Friday, August 03, 2001 4:16 PM
> To: Eric Walstad
> Cc: Steve Spicklemire; zope@zope.org
> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>
>
>
> Hi Eric,
>
> 	Apache sets an environment variable when SSL is used. You can check
> for that variable in an Access rule, or standard_html_header or some
> other method.
>
> -steve
>
> On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
>
>> Hello,
>>
>> Apache is listening on port 80 and 443, Zope listening on port 8080. When a
>> request comes in for port 443 (or HTTPS) Apache forwards the request to Zope
>> on port 8080 and sends the results back out thru SSL, just as it should.  If
>> a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection
>> is created and the password is forwarded to Zope after it's been sent thru
>> SSL.  However, if the user goes to
>> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request
>> and it goes straight to Zope.  The user is then prompted for a password,
>> which would be sent back to Zope without SSL.
>>
>> So my question is, how do I keep Zope from accepting any requests from the
>> outside world unless they've gone thru Apache first?  Can I tell Zope to
>> listen on something like 192.168.1.123:8080 so that it will never see
>> requests from the outside world?
>>
>> TIA,
>>
>> Eric.
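
Added example, not part of the original thread and not code from Zope or from either poster: the redirect check discussed above written as plain Python, deciding per request whether it came through Apache or hit port 8080 directly, and building a redirect target that drops the backend port. The names TRUSTED_PROXIES, via_proxy, https_url and decide are hypothetical, the sample requests are constructed, and it assumes Apache runs on the same host as Zope.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

# Assumption: Apache runs on the same host as Zope, so proxied requests
# reach Zope from a loopback address. Adjust for a separate proxy host.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("::1/128")]


def via_proxy(peer_addr):
    """True when the TCP peer is the front-end proxy, not an outside client."""
    addr = ip_address(peer_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def https_url(url, https_port=443):
    """Rewrite url to https on the front end, dropping the backend port.

    'https:' + url[5:] would keep ':8080', which points the browser at a
    port that does not speak SSL.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = "[%s]" % host
    netloc = host if https_port == 443 else "%s:%d" % (host, https_port)
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def decide(url, peer_addr):
    """Return ('serve', None) or ('redirect', target) for one request."""
    if via_proxy(peer_addr):
        # Came through Apache. Requiring SSL on the front leg is Apache's job:
        # the peer address alone does not show which port the client used.
        return ("serve", None)
    return ("redirect", https_url(url))


if __name__ == "__main__":
    # Constructed sample requests: (URL as Zope sees it, TCP peer address).
    samples = [
        ("http://mysite.com:8080/PasswordProtectedArea/", "203.0.113.7"),
        ("http://mysite.com:8080/PasswordProtectedArea/", "127.0.0.1"),
    ]
    for url, peer in samples:
        print(peer, decide(url, peer))
```
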