[Zope] ZServer ACL

Jack Coates jack@monkeynoodle.org
Mon, 20 Aug 2001 20:22:44 -0700 (PDT)


On Mon, 20 Aug 2001, Todd Hepler wrote:

> I'm relatively new to Zope and python.
>
> I have Apache with ProxyPass (port 80) set up on the same box as Zope
> with a VirtualHostMonster (port 8080). I want to make it so that
> clients cannot "go around" Apache and talk directly to port 8080, so
> I'm looking for a way to make Zope only accept requests that come from
> localhost (or a specified IP address). I can't find anything on
> zope.org related to ACLs of this nature or blocking access to ZServer
> based on IP address. Any ideas? I dug through the medusa and ZServer
> code, but the answer isn't jumping out at me.
>

Sean Upton already gave you some good answers -- but an additional
important step to do this is to use Wietse Venema's TCP Wrappers to
limit access right there on the box.

The internet interface isn't the only unsafe one...

> I'm running Zope 2.4.0 with python 2.1.1 on solaris 2.7.
>
> Why would I want this? (you might ask)
>
> To scale, I want to be able to turn on caching in Apache, or replace
> Apache with squid. This won't improve performance if the pages that
> come out of Zope refer directly to port 8080. The clients would end up
> "going around" the cache.
>

You can also put squid in front of the Zope server in a transparent
acceleration mode -- look on LDP for a HOWTO. (should be valid on
Solaris).

> I know there are ways to make Zope generate appropriate URLs and thus
> not go around port 80, but I'm not interested in those solutions here.
> Even those solutions won't stop someone from hardcoding a reference to
> port 8080 in one of their pages. I want to simply shut off access to
> it in the first place so that if someone even tries it, they fail.
>
> Thanks,
> -todd
>
--
Jack Coates
Monkeynoodle: A Scientific Venture...
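The two layers Todd is asking about, shown as an added example that is not code from this thread, from ZServer or from medusa: the listener is bound to the loopback address only (so the kernel never accepts a connection arriving on another interface), and, as defense in depth, the process itself checks the peer address against an allowlist before handling the request. It uses the `verify_request` hook of Python's standard `socketserver` module; the allowlist entries, the `EchoHandler` placeholder and the `demo()` driver are constructed for illustration and stand in for the real application.

```python
import ipaddress
import socket
import socketserver
import threading

# Constructed allowlist: loopback only. A reverse proxy on another host would
# be added here as its own /32 (or /128 for IPv6).
DEFAULT_ALLOW = ("127.0.0.1/32", "::1/128")


def build_acl(entries):
    """Parse allowlist entries (single addresses or CIDR blocks) into networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(peer_ip, acl):
    """Return True if the peer address falls inside any allowed network.

    An unparsable peer address fails closed rather than open.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in acl)


class PeerFilterServer(socketserver.ThreadingTCPServer):
    """TCP server that refuses connections from peers outside the ACL.

    socketserver calls verify_request() before a request is handled; returning
    False closes the socket without sending any application response.
    """
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr, handler, acl):
        self.acl = acl
        self.rejected = []  # peer addresses turned away, worth logging
        super().__init__(bind_addr, handler)

    def verify_request(self, request, client_address):
        if is_allowed(client_address[0], self.acl):
            return True
        self.rejected.append(client_address[0])
        return False


class EchoHandler(socketserver.StreamRequestHandler):
    """Placeholder handler standing in for the real application (constructed)."""

    def handle(self):
        line = self.rfile.readline()
        self.wfile.write(b"OK " + line)


def run_filtered_server(acl, bind_host="127.0.0.1"):
    """Start the server on an ephemeral port bound to bind_host only.

    Binding to 127.0.0.1 instead of 0.0.0.0 is the first layer; the ACL is the
    second. Returns (server, port); the caller shuts the server down.
    """
    server = PeerFilterServer((bind_host, 0), EchoHandler, acl)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, payload=b"ping\n", host="127.0.0.1"):
    """Connect, send one line, and return the reply (b'' if the server dropped us)."""
    with socket.create_connection((host, port), timeout=2) as s:
        try:
            s.sendall(payload)
            return s.recv(64)
        except OSError:  # RST or EOF from a connection the server refused
            return b""


def demo():
    """Loopback client vs. loopback-only ACL: accepted. Empty ACL: refused."""
    permissive, port = run_filtered_server(build_acl(DEFAULT_ALLOW))
    accepted = probe(port)
    permissive.shutdown()
    permissive.server_close()

    strict, port = run_filtered_server(build_acl([]))  # nothing allowed
    refused = probe(port)
    strict.shutdown()
    strict.server_close()
    return accepted, refused, list(strict.rejected)


if __name__ == "__main__":
    print(demo())
```

The bind address is the layer that actually keeps port 8080 off the network; an in-process ACL only matters once a connection has already been accepted, which is why it belongs behind the loopback bind rather than instead of it. On the TCP Wrappers suggestion, one check worth making on Solaris: the `tcpd` wrapper covers services started through inetd, while a standalone daemon such as ZServer is only wrapped if the program itself is linked against libwrap, so a host firewall rule or the loopback bind is the reliable way to cover a long-running Python process.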