[Zope] ProxyPass, proxy restriction

Paul paul@oz.net
Fri, 25 Oct 2002 17:03:50 -0700 (PDT)


How can I let anyone proxy thru apache to zope, and yet restrict all
other proxying activity?

Background.
We've set up zope to get proxied through apache (1.3.x) via ProxyPass as
described in  http://www.zope.org/Members/anser/apache_zserver.
Our httpd.conf contains:

  <IfModule mod_proxy.c>
      ProxyVia         On
      ProxyRequests    On
      ProxyPass        /zope/ http://localhost:8080/
      ProxyPassReverse /zope/ http://localhost:8080/

      <Directory proxy:*>
          Order deny,allow
          Deny from all
          Allow from .foo.com, .someisp.com
  #       Allow from all
      </Directory>
  </IfModule>

So we have https://foo.com/zope/ pointing to the zope server on foo.com:

    https --> apache (port 443) --> zope (port 8080)

Initially, we had restricted access to zope only from our domain and
some selected external ISPs (e.g. employees working from home).

Unfortunately, I've been asked to change this to "Allow from all"; i.e.
allow anyone to reach zope from outside via the apache proxy, because
people need access to it while on the road, etc.  This has the unforunate
side effect of allowing _any_ proxying from outside; i.e. apache is now
essentially an open relay.

Proxying to zope is OK since zope is password protected, but we want to
disallow any other proxying activity.  I haven't been able to find 
good documentation on the <Directory proxy:*> directive.

Many thanks in advance.

-- Paul