[Zope] fyi: apache + ssl + zope + zope management interface example

Ricardo Anguiano anguiano@codesourcery.com
28 Mar 2003 14:48:17 -0800


Greetings,

Here is an example apache httpd.conf fragment which gets apache + ssl
+ zope to all play nicely together.  If someone has a nicer way of
doing this, chime in.

The bonus in these instructions is that I also got the management
interface to come up via ssl.  I really struggled getting the
RewriteRules to work right.

These instructions worked for me using apache 2.0.20 and zope 2.6.1.

Prerequisites
=============
apache + mod_ssl are installed and functioning correctly.
www.example.com and manage.example.com have the same ip address.
zope runs on www.example.com port 8080.
zope has a Virtual Host Monster object in the root folder.
zope has a folder named "example" in the root folder.

Warnings
========
- Understand SSL, and get your certificates and options right for your
  needs.
- Verify that no important plaintext is transmitted.
- Restrict remote access to port 8080 or else folks will be able to
  connect to the zope management interface remotely without using SSL.
- Your mileage may vary.

Usage and Indications
======================
- http://www.example.com  serves content from zope's "example" folder.
- https://www.example.com serves content from zope's "example" folder,
  via SSL.
- http://www.example.com/manage is forbidden.
- https://www.example.com/manage is forbidden.
- https://manage.example.com/ brings up the "Zope Quick Start" page.
- https://manage.example.com/manage brings up an authentication dialog
  box for the zope management interface.

httpd.conf - virtual hosts section
==================================
NameVirtualHost *
NameVirtualHost *:443

# NON-SSL EXAMPLE.COM SERVING CONTENT FROM THE "EXAMPLE" FOLDER
# MANAGE INTERFACE FORBIDDEN
<VirtualHost *>
  ServerName www.example.com
  RewriteEngine on
  RewriteCond %{REQUEST_URI} manage
  RewriteRule manage - [F]
  RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/www.example.com:80/example/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# SSL EXAMPLE.COM SERVING CONTENT FROM THE "EXAMPLE" FOLDER
# MANAGE INTERFACE FORBIDDEN
<VirtualHost *:443>
  ServerName www.example.com

  # SSL
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  # REWRITE
  RewriteEngine on
  RewriteCond %{REQUEST_URI} manage
  RewriteRule manage - [F]
  RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/www.example.com:443/example/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# MANAGEMENT INTERFACE VIA SSL
<VirtualHost *:443>
  ServerName manage.example.com

  # SSL
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  # REWRITE
  RewriteEngine on
  RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/manage.example.com:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>

-- 
Ricardo Anguiano
http://www.codesourcery.com
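
The rewrite rules in the post above, modelled in Python so their outcomes can be checked against the "Usage and Indications" list before deployment. This is an added example, not part of the original post; the names `route`, `audit`, `VHOSTS` and `EXPECTED` are hypothetical, and the model covers only the three virtual hosts shown and ignores query strings.

```python
import re

BACKEND = "http://localhost:8080"  # Zope, as in the post's prerequisites

# (port, ServerName) -> (deny pattern or None, VirtualHostMonster path prefix)
VHOSTS = {
    (80, "www.example.com"):
        ("manage", "/VirtualHostBase/http/www.example.com:80/example/VirtualHostRoot/"),
    (443, "www.example.com"):
        ("manage", "/VirtualHostBase/https/www.example.com:443/example/VirtualHostRoot/"),
    (443, "manage.example.com"):
        (None, "/VirtualHostBase/https/manage.example.com:443/VirtualHostRoot/"),
}


def route(port, host, path):
    """Return ("forbidden", None) or ("proxy", backend_url) for one request."""
    deny, prefix = VHOSTS[(port, host)]
    # RewriteCond %{REQUEST_URI} manage + RewriteRule manage - [F]:
    # both patterns are unanchored, so any path containing "manage" is refused.
    if deny and re.search(deny, path):
        return ("forbidden", None)
    # RewriteRule ^/(.*) <backend>/VirtualHostBase/.../VirtualHostRoot/$1 [P,L]
    m = re.match(r"^/(.*)", path)
    if not m:
        return ("no-match", None)
    return ("proxy", BACKEND + prefix + m.group(1))


def audit(cases):
    """Compare expected outcomes against the model; return the mismatches."""
    failures = []
    for (port, host, path), expected in cases.items():
        got = route(port, host, path)[0]
        if got != expected:
            failures.append((port, host, path, expected, got))
    return failures


# Constructed expectations, taken from the "Usage and Indications" list.
EXPECTED = {
    (80, "www.example.com", "/"): "proxy",
    (443, "www.example.com", "/"): "proxy",
    (80, "www.example.com", "/manage"): "forbidden",
    (443, "www.example.com", "/manage"): "forbidden",
    (443, "manage.example.com", "/"): "proxy",
    (443, "manage.example.com", "/manage"): "proxy",
}

if __name__ == "__main__":
    print(audit(EXPECTED))                                      # mismatches, if any
    print(route(80, "www.example.com", "/docs/management.html"))
    print(route(443, "manage.example.com", "/manage"))
```

Because the deny pattern is an unanchored substring match, ordinary content whose path contains "manage" (the constructed `/docs/management.html` case) is also refused on the www hosts.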