[Zope] ZMI access using URL other than manage
Lennart Regebro
regebro at gmail.com
Fri Mar 25 07:48:00 EST 2005
On Fri, 25 Mar 2005 08:30:05 -0400, David Pratt <fairwinds at eastlink.ca> wrote:
> Hi. I am working on a financial product and it appears to me that the
> /manage login for Zope could be a potential problem if you are running
> zope since your server is easily guessed and one can go to this url and
> try passwords. Can someone suggest an alternative to this or some
> modification to Zope that might make this less obvious. The best I can
> think of would be to do a rewrite on the /manage url but I still need
> manager access to zmi through the web. I plan on forcing ssl through
> apache when making a connection on whatever URL is used to login. Any
> ideas?
You can set up apache so it only allows access to "manage*" from
certain addresses, like your internal net and stuff. I don't have the
examples at close hand, sorry.
--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
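
An added example, not part of the original thread or written by either poster, of the kind of Apache restriction the reply describes. It assumes Apache 2.4 with mod_ssl and mod_proxy_http in front of a Zope instance using VirtualHostMonster; the hostname, certificate paths, address ranges and backend port are placeholders.

```apache
# Added example: hostname, paths, networks and port are placeholders.
<VirtualHost *:443>
    ServerName zope.example.com

    # Management logins only ever travel over TLS on this vhost.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/zope.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/zope.example.com.key

    # The regex is unanchored, so it matches any URL path containing a
    # segment that starts with "manage": /manage, /folder/manage_main,
    # /folder/manage_workspace, and so on. Content whose id starts with
    # "manage" is restricted too, which errs on the safe side.
    <LocationMatch "/manage">
        # Only the local host and the internal network may reach the ZMI.
        # Apache 2.2 and earlier express this with
        # "Order deny,allow" / "Deny from all" / "Allow from ...".
        Require ip 127.0.0.1 10.0.0.0/8
    </LocationMatch>

    # Hand everything to Zope through VirtualHostMonster.
    ProxyPass / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/
</VirtualHost>
```

The restriction only holds if Zope's own HTTP port is bound to 127.0.0.1 or firewalled, so that clients cannot skip Apache and request the manage URLs from Zope directly.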