[Zope] ZServer ACL

sean.upton@uniontrib.com
Mon, 20 Aug 2001 18:21:28 -0700


Some suggestions, from practical experience:
1 - You want a firewall or router rule to block public access to 8080 on
that box.  Why not use NetFilter/IPTables to set this up on your Linux box,
or for that matter, just set up a Cisco router ACL, which is even easier if
you can?
2 - Bind Zope to a destination interface/IP with the -a option for z2.py
	a. If squid/apache runs on the same box, bind it only to loopback
(very secure, but limits some remote admin functionality if you are not
careful).  
	b. If you need to, bind ZServer to a management network that is only
accessed by the proxy and any private administrative clients.
	c. If you are really paranoid, segment proxy traffic onto its own
network, and bind ZServer onto that network; then force your management/admin
traffic to go through the proxy or from localhost.
3 - Use squid; you will get much more powerful acls that will allow you to
block certain pages as well as use acls to determine what is cached and not
cached.  You can do all sorts of ACLs, for that matter.  You can also use a
redirector both to rewrite URLs for VHM, and also rewrite blocked management
URLs to internal URLs that only can be used on a private network (that is,
if you are a bit paranoid). Squid is going to be faster anyhow.  Squid also
does a nice job round-robin load distribution to ZEO clients.
4 - If you are running ZEO, protect the storage server by keeping it on its
own VLAN with a private IP.
5 - use squid ACLs for everything we need in the ACL department, including
blocking ZMI access on the public interface(s) of the caching proxy.
6 - Keep our Zope/ZEO nodes on a private network behind Squid proxies to
keep them out of 'public' internet view, and give them internet access via
NAT on a firewall.  Squid serves both a private and a public network, and
the private network is less restricted, and you rely on
host/application/Zope security beyond that.

Sean
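Suggestions 1, 2a and 5 above, written out as an added example (this is not code from the thread or from Zope): a host firewall that lets only loopback and the proxy reach port 8080, the z2.py loopback bind for the same-box case, and a squid ACL fragment that denies ZMI paths arriving on the proxy's public address. The proxy address 192.0.2.10 and public address 203.0.113.5 are assumed documentation addresses, the ZMI regex is an approximation of Zope's manage_* paths, and the z2.py invocation is an assumed command line built from the -a and -w options.

```shell
#!/bin/sh
# Added example, not from the thread or from Zope: apply suggestion 1
# (iptables on the ZServer port), print the suggestion 2a start line, and
# emit a squid.conf fragment for suggestion 5.  Assumptions: Linux with
# iptables; ZServer on TCP 8080; caching proxy at 192.0.2.10 with public
# address 203.0.113.5 (documentation addresses, substitute your own).
# By default the script only prints what it would do; APPLY=1 runs the
# iptables commands for real (as root).

ZOPE_PORT="${ZOPE_PORT:-8080}"
PROXY_IP="${PROXY_IP:-192.0.2.10}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.5}"
APPLY="${APPLY:-0}"

# Approximation of ZMI paths: /manage, /manage_main, /x/manage_workspace,
# but not /management or /news/manageable-items.  POSIX ERE, which is what
# both grep -E and squid's urlpath_regex use.
ZMI_RE='(^|/)manage(_[A-Za-z]+)?(/|\?|$)'

run() {
  if [ "$APPLY" = 1 ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Suggestion 1: only loopback (Apache/squid on the same box) and the proxy
# host may reach ZServer; everything else to that port is dropped.  The
# ACCEPTs must precede the DROP, and all three are appended, so an earlier
# blanket ACCEPT in INPUT would shadow them (check with
# "iptables -L INPUT -n --line-numbers").
zserver_acl_rules() {
  run iptables -A INPUT -p tcp --dport "$ZOPE_PORT" -i lo -j ACCEPT
  run iptables -A INPUT -p tcp --dport "$ZOPE_PORT" -s "$PROXY_IP" -j ACCEPT
  run iptables -A INPUT -p tcp --dport "$ZOPE_PORT" -j DROP
}

# Suggestion 2a for the same-box case: ZServer listens on loopback only via
# z2.py's -a option, so the firewall rule is a second layer, not the only one.
zserver_start_cmd() {
  printf '%s\n' "python z2.py -a 127.0.0.1 -w $ZOPE_PORT"
}

# Test a URL path against the ZMI pattern the way squid's regex would, so the
# pattern can be checked before it goes into squid.conf.
zmi_path_matches() {
  printf '%s\n' "$1" | grep -Eq "$ZMI_RE"
}

# Suggestion 5: squid.conf fragment.  "myip" matches the local address the
# client connected to, so ZMI URLs arriving on the public address are denied
# while the same URLs on the private address are left to the other rules.
# Put the deny before any "http_access allow" line; squid stops at the first
# matching http_access rule.
squid_zmi_acl() {
  printf '%s\n' \
    "acl public_if myip $PUBLIC_IP" \
    "acl zmi urlpath_regex $ZMI_RE" \
    'http_access deny zmi public_if'
}

# Usage: sh zserver-acl.sh          (print the rules, start line and fragment)
#        APPLY=1 sh zserver-acl.sh  (apply the iptables rules as root)
zserver_acl_rules
if [ "$APPLY" != 1 ]; then
  zserver_start_cmd
  squid_zmi_acl
fi
```

Run it once without APPLY to review the three iptables lines and the squid fragment, then with APPLY=1 as root; confirm afterwards from another host that a connection to port 8080 times out while the proxy still serves the site.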

-----Original Message-----
From: Todd Hepler [mailto:thepler@caspiannetworks.com]
Sent: Monday, August 20, 2001 5:32 PM
To: zope@zope.org
Subject: [Zope] ZServer ACL


I'm relatively new to Zope and python.

I have Apache with ProxyPass (port 80) set up on the same box as Zope
with a VirtualHostMonster (port 8080). I want to make it so that
clients cannot "go around" Apache and talk directly to port 8080, so
I'm looking for a way to make Zope only accept requests that come from
localhost (or a specified IP address). I can't find anything on
zope.org related to ACLs of this nature or blocking access to ZServer
based on IP address. Any ideas? I dug through the medusa and ZServer
code, but the answer isn't jumping out at me.

I'm running Zope 2.4.0 with python 2.1.1 on solaris 2.7.

Why would I want this? (you might ask)

To scale, I want to be able to turn on caching in Apache, or replace
Apache with squid. This won't improve performance if the pages that
come out of Zope refer directly to port 8080. The clients would end up
"going around" the cache.

I know there are ways to make Zope generate appropriate URLs and thus
not go around port 80, but I'm not interested in those solutions here.
Even those solutions won't stop someone from hardcoding a reference to
port 8080 in one of their pages. I want to simply shut off access to
it in the first place so that if someone even tries it, they fail.

Thanks,
-todd

_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )