[Zope] SSL + ProxyPass + Zope question...

Phil Harris phil.harris@zope.co.uk
Mon, 6 Aug 2001 13:27:39 +0100


My bad, I didn't read your mail correctly; I tried the -a option.

----- Original Message -----
From: "Phil Harris" <phil.harris@zope.co.uk>
To: "Jens Vagelpohl" <jens@zope.com>; <zope@zope.org>
Sent: Monday, August 06, 2001 1:20 PM
Subject: Re: [Zope] SSL + ProxyPass + Zope question...


> Jens,
>
> Having tried that a few days ago, I'm not sure that it actually works.
>
> I was still able to connect via the global IP and the port number specified.
>
> Maybe I was doing something wrong?
>
> Phil
>
> ----- Original Message -----
> From: "Jens Vagelpohl" <jens@zope.com>
> To: <zope@zope.org>
> Sent: Monday, August 06, 2001 1:11 PM
> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>
>
> > the easiest way to prevent *all* outside access to zope directly, if your
> > apache and zope run on the same box, is to have zope listen on the
> > localhost address only (127.0.0.1). simply pass "-X -w 127.0.0.1:8080" to
> > the start script (the actual port doesn't matter that much).
> >
> > the "-X" option is there to turn off any services that might want to start
> > up and listen, like FTP or the monitor daemon.
> >
> > then you just change your rewrite or proxy rules in apache to redirect
> > through port 127.0.0.1
> >
> > jens
> >
> >
> >
> >
> > On Sunday, August 5, 2001, at 12:48 , Eric Walstad wrote:
> >
> > > Hi Steve,
> > > Well, in the condition I described, if the user knows the port that Zope is
> > > running on, they could bypass Apache altogether.  So, what I need is to make
> > > Zope inaccessible to the outside world.  That way, all traffic would have to
> > > be sent thru Apache.
> > > Thanks,
> > > Eric.
> > >
> > > -----Original Message-----
> > > From: Steve Spicklemire [mailto:steve@spvi.com]
> > > Sent: Friday, August 03, 2001 4:16 PM
> > > To: Eric Walstad
> > > Cc: Steve Spicklemire; zope@zope.org
> > > Subject: Re: [Zope] SSL + ProxyPass + Zope question...
> > >
> > >
> > >
> > > Hi Eric,
> > >
> > > Apache sets an environment variable when SSL is used. You can check
> > > for that variable in an Access rule, or standard_html_header or some
> > > other method.
> > >
> > > -steve
> > >
> > > On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
> > >
> > >> Hello,
> > >>
> > >> Apache is listening on port 80 and 443, Zope listening on port 8080.
> > >> When a request comes in for port 443 (or HTTPS) Apache forwards the
> > >> request to Zope on port 8080 and sends the results back out thru SSL,
> > >> just as it should.  If a user goes to
> > >> https://mysite.com/PasswordProtectedArea/ an SSL connection is created
> > >> and the password is forwarded to Zope after it's been sent thru SSL.
> > >> However, if the user goes to
> > >> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the
> > >> request and it goes straight to Zope.  The user is then prompted for a
> > >> password, which would be sent back to Zope without SSL.
> > >>
> > >> So my question is, how do I keep Zope from accepting any requests from
> > >> the outside world unless they've gone thru Apache first?  Can I tell Zope
> > >> to listen on something like 192.168.1.123:8080 so that it will never see
> > >> requests from the outside world?
> > >>
> > >> TIA,
> > >>
> > >> Eric.
> > >>
> > >
> >
> > _______________________________________________
> > Zope maillist  -  Zope@zope.org
> > http://lists.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists -
> >  http://lists.zope.org/mailman/listinfo/zope-announce
> >  http://lists.zope.org/mailman/listinfo/zope-dev )
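
A check for the situation discussed in this thread (a backend that still answers on the public address), added here as an example and not part of any poster's message: it reads `netstat -an`-style listener lines and reports every listening port other than Apache's 80/443 that is not bound to loopback. The sample lines, the function names and the Linux column layout are constructed assumptions.

```python
import ipaddress

# Constructed `netstat -an`-style listener lines (Linux column layout assumed).
BEFORE = """\
tcp   0  0 0.0.0.0:80      0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:443     0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:8080    0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:8021    0.0.0.0:*  LISTEN
"""
AFTER = """\
tcp   0  0 0.0.0.0:80      0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:443     0.0.0.0:*  LISTEN
tcp   0  0 127.0.0.1:8080  0.0.0.0:*  LISTEN
"""

def split_local(field):
    """Split 'Local Address' into (host, port): '1.2.3.4:80', ':::80', '[::]:80', '*:80'."""
    host, _, port = field.rpartition(":")
    return host.strip("[]") or "*", int(port)

def bind_scope(host):
    """Classify which clients a listener bound to `host` will accept."""
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-interface"      # e.g. a LAN address: still reachable from that network

def exposed_backends(netstat_text, proxy_ports=(80, 443)):
    """Return (port, host, scope) for listeners that bypass the front-end proxy."""
    findings = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[-1] != "LISTEN":
            continue               # skip headers, UDP and non-listening sockets
        host, port = split_local(cols[3])
        scope = bind_scope(host)
        if port not in proxy_ports and scope != "loopback-only":
            findings.append((port, host, scope))
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, exposed_backends(text) or "backend reachable only via loopback")
```

A listener bound to an address such as 192.168.1.123 is reported as "single-interface": it is closed to loopback-only expectations but still reachable from whatever network that interface sits on.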