[Zope] ProxyPass, proxy restriction
Paul
paul@oz.net
Fri, 25 Oct 2002 17:03:50 -0700 (PDT)
How can I let anyone proxy thru apache to zope, and yet restrict all
other proxying activity?
Background.
We've set up zope to get proxied through apache (1.3.x) via ProxyPass as
described in http://www.zope.org/Members/anser/apache_zserver.
Our httpd.conf contains:
<IfModule mod_proxy.c>
ProxyVia On
ProxyRequests On
ProxyPass /zope/ http://localhost:8080/
ProxyPassReverse /zope/ http://localhost:8080/
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from .foo.com, .someisp.com
# Allow from all
</Directory>
</IfModule>
So we have https://foo.com/zope/ pointing to the zope server on foo.com:
https --> apache (port 443) --> zope (port 8080)
Initially, we had restricted access to zope only from our domain and
some selected external ISPs (e.g. employees working from home).
Unfortunately, I've been asked to change this to "Allow from all"; i.e.
allow anyone to reach zope from outside via the apache proxy, because
people need access to it while on the road, etc. This has the unforunate
side effect of allowing _any_ proxying from outside; i.e. apache is now
essentially an open relay.
Proxying to zope is OK since zope is password protected, but we want to
disallow any other proxying activity. I haven't been able to find
good documentation on the <Directory proxy:*> directive.
Many thanks in advance.
-- Paul