[Zope] SSL + ProxyPass + Zope question...

Phil Harris phil.harris@zope.co.uk
Mon, 6 Aug 2001 13:20:37 +0100


Jens,

Having tried that a few days ago, I'm not sure that it actually works.

I was still able to connect via the global IP and the port number specified.

Maybe I was doing something wrong?

Phil

----- Original Message -----
From: "Jens Vagelpohl" <jens@zope.com>
To: <zope@zope.org>
Sent: Monday, August 06, 2001 1:11 PM
Subject: Re: [Zope] SSL + ProxyPass + Zope question...


> the easiest way to prevent *all* outside access to zope directly, if your
> apache and zope run on the same box, is to have zope listen on the
> localhost address only (127.0.0.1). simply pass "-X -w 127.0.0.1:8080" to
> the start script (the actual port doesn't matter that much).
>
> the "-X" option is there to turn off any services that might want to start
> up and listen, like FTP or the monitor daemon.
>
> then you just change your rewrite or proxy rules in apache to redirect
> through port 127.0.0.1
>
> jens
>
> On Sunday, August 5, 2001, at 12:48 , Eric Walstad wrote:
>
> > Hi Steve,
> > Well, in the condition I described, if the user knows the port that Zope is
> > running on, they could bypass Apache altogether.  So, what I need is to make
> > Zope inaccessible to the outside world.  That way, all traffic would have to
> > be sent thru Apache.
> > Thanks,
> > Eric.
> >
> > -----Original Message-----
> > From: Steve Spicklemire [mailto:steve@spvi.com]
> > Sent: Friday, August 03, 2001 4:16 PM
> > To: Eric Walstad
> > Cc: Steve Spicklemire; zope@zope.org
> > Subject: Re: [Zope] SSL + ProxyPass + Zope question...
> >
> >
> >
> > Hi Eric,
> >
> > Apache sets an environment variable when SSL is used. You can check
> > for that variable in an Access rule, or standard_html_header or some
> > other method.
> >
> > -steve
> >
> > On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
> >
> >> Hello,
> >>
> >> Apache is listening on port 80 and 443, Zope listening on port 8080. When a
> >> request comes in for port 443 (or HTTPS) Apache forwards the request to Zope
> >> on port 8080 and sends the results back out thru SSL, just as it should.  If
> >> a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection
> >> is created and the password is forwarded to Zope after it's been sent thru
> >> SSL.  However, if the user goes to
> >> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request
> >> and it goes straight to Zope.  The user is then prompted for a password,
> >> which would be sent back to Zope without SSL.
> >>
> >> So my question is, how do I keep Zope from accepting any requests from the
> >> outside world unless they've gone thru Apache first?  Can I tell Zope to
> >> listen on something like 192.168.1.123:8080 so that it will never see
> >> requests from the outside world?
> >>
> >> TIA,
> >>
> >> Eric.
> >>
> >
>
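
Added example, not part of the original thread: one way to confirm which address a listener is actually bound to after changing the start options discussed above is to read the kernel's socket table instead of testing from a browser. The sketch parses text in Linux `/proc/net/tcp` layout and reports any LISTEN socket on a port that is not loopback-only. The sample tables are constructed, the function names are hypothetical, and it assumes a little-endian host and IPv4 only (`/proc/net/tcp6` is not covered).

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed samples in /proc/net/tcp layout (not captured from a real host).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when\n"
WILDCARD_BIND = HEADER + (  # app server bound to every interface on 8080
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000\n"
)
LOOPBACK_BIND = HEADER + (  # app server bound to 127.0.0.1:8080 only
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000\n"
    "   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000\n"
)


def decode(hex_endpoint):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080); assumes little-endian."""
    hex_ip, hex_port = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(table, port):
    """Return the local addresses that have a LISTEN socket on `port`."""
    found = []
    for line in table.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established connections and short lines are ignored
        ip, local_port = decode(fields[1])
        if local_port == port:
            found.append(ip)
    return found


def exposed(table, port):
    """Listeners on `port` reachable from beyond the loopback interface."""
    return [ip for ip in listeners(table, port)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    for name, table in (("wildcard", WILDCARD_BIND), ("loopback", LOOPBACK_BIND)):
        print(name, listeners(table, 8080), "exposed:", exposed(table, 8080))
```

On a Linux host, pass the contents of `/proc/net/tcp` as `table`; a non-empty result from `exposed(table, 8080)` means the port is still bound to a non-loopback address.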