[Zope] HELP! Security!

trashMan trashman at httconsulting.com
Sat Jan 31 17:27:21 EST 2004


I have a big security problem!
I run Apache with mod_proxy and a RewriteRule in front of Zope for a single CMF
site, and a lot of servers are using my Apache as a proxy!

I know that mod_proxy is open by default, so I've inserted this in httpd.conf:

# Denies access to any request whose URL does not begin with "/".
# NOTE(review): no Order directive is given, so the default ordering applies.
# Whether this section is ever evaluated for the unwanted proxy requests cannot
# be told from this snippet; the access log status codes would show it.
<LocationMatch  "^[^/]">
  Deny from all
</LocationMatch>

without result.

My site is reached by IP address and runs on:

Win 2000 server
Zope 263
Apache 2.0.48


The httpd.conf is

# Global server settings: install location, PID file and connection handling.
ServerRoot "C:/Programmi/Apache Group/Apache2"
PidFile logs/httpd.pid
# Seconds the server waits on network I/O before giving up on a request.
Timeout 300
# Persistent connections: up to 100 requests per connection, 15 s idle limit.
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# Windows MPM: one child process with 250 worker threads; 0 means the child is
# never recycled after a fixed number of requests.
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild  0
</IfModule>

# Public listening address (redacted by the poster).
# NOTE(review): no ProxyRequests directive appears anywhere in this file. Apache
# 2.0 documents its default as Off, so forward proxying is not enabled by the
# configuration as shown; writing "ProxyRequests Off" explicitly makes that
# intent visible and survives a changed default.
Listen 217.xx:80

LoadModule access_module modules/mod_access.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_module modules/mod_auth.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so

# Main-server identity, document root, logging and CGI settings.
ServerAdmin admin at xxx.it 
ServerName yy.xxx.it:80 
UseCanonicalName Off 
DocumentRoot "C:/Programmi/Apache Group/Apache2/htdocs"
# NOTE(review): the filesystem root carries no Order/Deny here. A common
# hardening step is to deny access at "/" and allow only the directories that
# must be served.
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
DirectoryIndex index.html
AccessFileName .htaccess
# Keep .htaccess/.htpasswd style files from being served to clients.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
TypesConfig conf/mime.types
DefaultType text/plain
# Client addresses are logged as IPs; no reverse DNS lookup per request.
HostnameLookups Off
ErrorLog logs/error.log
LogLevel warn
# The "combined" nickname on the following line was wrapped by the mail client;
# in httpd.conf it belongs on the same line as the format string.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# The common format records the full request line (%r) and final status (%>s).
# NOTE(review): when investigating suspected proxy abuse, check the status of
# each request for a foreign URL. A 2xx alone does not prove the request was
# relayed; the server may have answered it with local content. Confirm by
# comparing response sizes and checking the Zope backend log.
CustomLog logs/access.log common 
# NOTE(review): Full/On expose the server version and platform details in the
# Server header and on generated error pages. "ServerTokens Prod" and
# "ServerSignature Off" reduce that disclosure.
ServerTokens Full 
ServerSignature On 
# CGI directory, reachable by every client.
# NOTE(review): if the site is served entirely by Zope, confirm whether CGI
# needs to be enabled at all.
ScriptAlias /cgi-bin/ "C:/Programmi/Apache Group/Apache2/cgi-bin/"
<Directory "C:/Programmi/Apache Group/Apache2/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

# Server-wide rule: deny any request whose URL does not start with "/".
# NOTE(review): the poster reports this had no effect. In Apache 2.0 the
# documented container for access control on proxied content is <Proxy>, for
# example a <Proxy *> section with Order/Deny/Allow. The RewriteRule [P] targets
# in the virtual hosts are handed to mod_proxy whatever ProxyRequests is set to.
<LocationMatch  "^[^/]">
  Deny from all
</LocationMatch>

# Catch-all virtual host: reverse-proxies matching requests to the local Zope
# instance on 127.0.0.1:8080 via the [P] flag.
# The RewriteCond lets the rule apply only when the Host header ends in ":80".
# NOTE(review): %{HTTP_HOST} comes from the client and is copied unvalidated
# into the VirtualHostBase path, so the backend is told whatever host name the
# client sent. The proxy destination itself stays fixed at 127.0.0.1:8080.
# Consider matching the Host header against the site's own names rather than
# ^.*:80$ (confirm the intended host names).
# The RewriteRule below was wrapped by the mail client; in httpd.conf the
# pattern, target and flags must be on one line.
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^.*:80$
RewriteRule ^/(.*)
http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/$1 [L,P] 
</VirtualHost>

# Virtual host for the site's public IP: every path is reverse-proxied to Zope
# on localhost:8080, mapped to /sito.it through the VirtualHostBase and
# VirtualHostRoot URL segments.
# The target host and the advertised host (217.xx:80) are fixed strings here, so
# the client's Host header is not used to build the backend URL.
# NOTE(review): NameVirtualHost is documented for the server-config context and
# is normally placed outside any <VirtualHost> section. Confirm it has the
# intended effect here.
# NOTE(review): the Zope port (8080) should be reachable only from this machine,
# so that clients cannot bypass Apache and send VirtualHostBase URLs to the
# backend directly. Verify the Zope bind address and firewall.
# The RewriteRule below was wrapped by the mail client; in httpd.conf the
# pattern, target and flags must be on one line.
<VirtualHost 217.xx:80>
NameVirtualHost  217.xx:80
CustomLog logs/sito-access_log combined
ErrorLog logs/sito-error_log
ServerName 217.xx
ServerAdmin admin
RewriteEngine on
RewriteRule ^/(.*)
http://localhost:8080/VirtualHostBase/http/217.xx:80/sito.it/VirtualHostRoot
/$1 [L,P]

</VirtualHost>


Can you help me?? 

Massimiliano





