[Zope] SSL + ProxyPass + Zope question...

Eric Walstad eric@walstads.net
Sun, 05 Aug 2001 14:25:40 -0700


Thanks Steve,
Yes, I have a redirect in there now similar to what you wrote below.  One
problem with doing it this way is that if the user *does* manage to get to
the page on the insecure port, the password they enter will be sent to the
server unencrypted.  Then the redirect takes over and everything else is
done securely, which is better than nothing, but to me the password is
important.  In my experience, even well educated users will manage to find
an application's "undocumented secrets" (bugs)  :).
Thanks for all your feedback.  It's been very helpful.
Eric.

-----Original Message-----
From: Steve Spicklemire [mailto:steve@spvi.com]
Sent: Sunday, August 05, 2001 3:05 AM
To: Eric Walstad
Cc: Steve Spicklemire; zope@zope.org
Subject: Re: [Zope] SSL + ProxyPass + Zope question...


Hi Eric,

	Right... someone suggested a firewall.. which is fine if you want
to make all of zope inaccessible on port 8080, and clearly it's a
sure-fire solution. However it also requires that you have *access* to
put up a firewall, which you might not! My thought was
that, in Zope you could simply protect a particular area by adding code
to standard_html_header in that area that did a check, e.g.,

<dtml-if "URL[:5] == 'http:'">
<dtml-call "RESPONSE.redirect('https:' + URL[5:])">
<dtml-return "'REDIRECTING.. to secure port.. '">
</dtml-if>

...

This way, you could still use 8080 for other things if you wanted to. I
guess the question comes down to 'who are you trying to protect from
doing what?'. If it's your own users then, as Joachim mentioned maybe
it's just a matter of education?

-steve

On Saturday, August 4, 2001, at 11:48 PM, Eric Walstad wrote:

> Hi Steve,
> Well, in the condition I described, if the user knows the port that Zope is
> running on, they could bypass Apache altogether.  So, what I need is to make
> Zope inaccessible to the outside world.  That way, all traffic would have to
> be sent thru Apache.
> Thanks,
> Eric.
>
> -----Original Message-----
> From: Steve Spicklemire [mailto:steve@spvi.com]
> Sent: Friday, August 03, 2001 4:16 PM
> To: Eric Walstad
> Cc: Steve Spicklemire; zope@zope.org
> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>
>
>
> Hi Eric,
>
> 	Apache sets an environment variable when SSL is used. You can check
> for that variable in an Access rule, or standard_html_header or some
> other method.
>
> -steve
>
> On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
>
>> Hello,
>>
>> Apache is listening on port 80 and 443, Zope listening on port 8080.  When a
>> request comes in for port 443 (or HTTPS) Apache forwards the request to Zope
>> on port 8080 and sends the results back out thru SSL, just as it should.  If
>> a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection
>> is created and the password is forwarded to Zope after it's been sent thru
>> SSL.  However, if the user goes to
>> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request
>> and it goes straight to Zope.  The user is then prompted for a password,
>> which would be sent back to Zope without SSL.
>>
>> So my question is, how do I keep Zope from accepting any requests from the
>> outside world unless they've gone thru Apache first?  Can I tell Zope to
>> listen on something like 192.168.1.123:8080 so that it will never see
>> requests from the outside world?
>>
>> TIA,
>>
>> Eric.
>>
>>
>> _______________________________________________
>> Zope maillist  -  Zope@zope.org
>> http://lists.zope.org/mailman/listinfo/zope
>> **   No cross posts or HTML encoding!  **
>> (Related lists -
>>  http://lists.zope.org/mailman/listinfo/zope-announce
>>  http://lists.zope.org/mailman/listinfo/zope-dev )
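Added example, not code from anyone in this thread: Steve's scheme check written in Python, but evaluated before the password challenge is issued, which is the gap Eric points out (with the DTML version the 401 has already gone out over http before the redirect runs). It assumes Zope is bound to 127.0.0.1 so Apache is its only direct peer, and that Apache marks proxied TLS requests with HTTPS=on; the request dicts are constructed sample inputs.

```python
# Added example, not code from the thread. Assumptions (not from the thread):
# Zope listens on 127.0.0.1 only, so Apache is the only direct peer, and
# Apache sets HTTPS=on on requests it proxies from port 443.
# The request dicts at the bottom are constructed sample inputs.

TRUSTED_PROXY = "127.0.0.1"  # assumed address Apache proxies from

def is_secure(req):
    """True when the request reached the app through the SSL front end."""
    return req.get("HTTPS") == "on"

def front_door(req):
    """Decide what the protected area should do with a request.

    Returns (status, detail). 401 is returned only once the transport is
    known to be TLS, so no browser is asked for a password over plain http.
    """
    if req.get("remote_addr") != TRUSTED_PROXY:
        # Direct hit on the application port: refuse without a challenge.
        return 403, "refused: did not arrive via the proxy"
    if not is_secure(req):
        # Plain-http request via Apache port 80: bounce to https first.
        return 302, "https://" + req["host"] + req["path"]
    if "Authorization" not in req.get("headers", {}):
        return 401, "challenge over TLS"
    return 200, "credentials accepted over TLS"

def exposed_credentials(req):
    """Detection hook: credentials were presented on a non-TLS path."""
    return (not is_secure(req)) and "Authorization" in req.get("headers", {})

# Constructed sample requests mirroring the cases discussed in the thread.
DIRECT_HIT = {"remote_addr": "203.0.113.5", "host": "mysite.com:8080",
              "path": "/PasswordProtectedArea/", "headers": {}}
VIA_APACHE_TLS = {"remote_addr": TRUSTED_PROXY, "HTTPS": "on",
                  "host": "mysite.com", "path": "/PasswordProtectedArea/",
                  "headers": {}}
VIA_APACHE_PLAIN = {"remote_addr": TRUSTED_PROXY, "host": "mysite.com",
                    "path": "/PasswordProtectedArea/",
                    "headers": {"Authorization": "Basic <constructed>"}}

if __name__ == "__main__":
    for name, req in [("direct", DIRECT_HIT), ("tls", VIA_APACHE_TLS),
                      ("plain", VIA_APACHE_PLAIN)]:
        print(name, front_door(req), "exposed=%s" % exposed_credentials(req))
```

The 403 branch is belt and braces: binding Zope to an internal address, as Eric asks about, is what actually keeps port 8080 off the public network.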