[Zope] Zope+Apache+ProxyPass

Ragnar Beer rbeer@uni-goettingen.de
Tue, 27 Feb 2001 14:31:28 +0100


>Ragnar Beer <rbeer@uni-goettingen.de> writes:
>
>>  >I'm confused by a note in your caching howto about managing Zope using
>>  >an SSL connection:
>>  >
>>  >   Apache+ZServer+SSL From the author of this How-To I also got a very
>>  >   good tip for what to do if you want to manage your website via https
>>  >   to avoid sending your unencrypted password over the net: Reverse the
>>  >   setup he describes, i.e.  instead of creating a folder "ssl" and
>>  >   making the base of the site root "https://..." create a folder
>>  >   "http" and make the base of the site root "http://..."
>>  >
>>  >Isn't the username/password still sent in clear text (mime-encoded) as
>>  >soon as you attempt to manage anything in the /http folder because of
>>  >the unencrypted connection (http://...) specified by the siteroot?
>>  >
>>  >-kevin
>>
>>  Of course you need to use the https protocol! The advantage of the
>>  reversed setup is that if you configure it that way then the
>>  "natural" way to access the site can be https and http is the special
>>  case and not the other way round.
>>
>>  Ragnar
>
>But you can't use https to access the "http" folder once you've
>created the SiteRoot that specifies a base of "http://..." in that
>folder.  This means it is impossible to manage the http section
>without sending your password in clear text if you set things up the
>way you recommend.

[snip]

That's one thing I hate about SiteRoots - once you've created them you 
can't manage them anymore in some situations :( But that's only true 
for the SiteRoot object itself. For me it's perfectly possible to 
manage the http section without sending my password in cleartext and 
I wouldn't have considered using Zope at all if that hadn't been 
possible.

My SiteRoot 'http' located in the root folder looks like this:
Base: http://www.myaddress.de
Path: /
So 'http' is _not_ a folder - it's a SiteRoot object!

So it's only another possible way to access the whole site.
Then in my virtual host port 80 section as a security precaution 
access is forbidden to anything that contains the string 'manage'. 
This way I can never accidentally manage the site sending a password 
cleartext. Also the access to the folders containing ssl-only stuff 
is forbidden in this section.

On the other hand in the port 443 section the whole site is 
accessible (with a few exceptions) so that I can manage everything with 
https.

I don't know about your setup but I think this solution is very 
flexible so that it should be possible to adapt it to a large range 
of problems.

Ragnar
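The split described in the post, written out as an added Apache configuration example; this is not Ragnar's own configuration and it is not from any Zope documentation. It assumes Apache 2.4 syntax (`Require all denied`, `LocationMatch`), that ZServer listens on 127.0.0.1:8080, that `www.myaddress.de` is the host name from the post, and that `/private` stands in for a folder holding ssl-only content; certificate paths are placeholders.

```apache
# Added example, not from the original post. Assumptions: Apache 2.4,
# mod_proxy, mod_proxy_http and mod_ssl loaded, ZServer on 127.0.0.1:8080.

# Port 80: plain-HTTP access to the site, with the management screens cut off.
<VirtualHost *:80>
    ServerName www.myaddress.de

    # Deny any URL whose path contains 'manage' (e.g. /manage_main,
    # /folder/manage), so a management form can never be submitted, and a
    # password never sent, over the unencrypted connection. Access control
    # in <Location> sections is evaluated before the request is proxied.
    <LocationMatch "manage">
        Require all denied
    </LocationMatch>

    # Folders with ssl-only content are likewise unreachable on port 80.
    # '/private' is a placeholder name for such a folder.
    <Location "/private">
        Require all denied
    </Location>

    # Everything else is handed to ZServer.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Port 443: the whole site, management screens included, over TLS.
<VirtualHost *:443>
    ServerName www.myaddress.de
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.myaddress.de.pem   # placeholder
    SSLCertificateKeyFile /etc/ssl/private/www.myaddress.de.key # placeholder

    # No 'manage' restriction here: management traffic only ever travels
    # inside the TLS session, which is the point of the arrangement.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two checks worth doing after loading this: request `http://www.myaddress.de/manage_main` and confirm a 403 comes back from Apache before anything reaches Zope, then request the same path over https and confirm the login prompt appears. The `LocationMatch` pattern is an unanchored regular expression, so it also blocks a legitimate content URL that happens to contain the substring "manage"; narrow it (for example to `manage(_|$)`) if the site has such paths.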