[Zope] VHM and SSL protection problem

Sascha Welter zopelist at betabug.ch
Mon Nov 7 04:05:59 EST 2005


(Sat, Nov 05, 2005 at 12:00:10PM -0500) zope-request at zope.org wrote/schrieb/egrapse:
> From: Sophia Grimm <sophiagrimm at yahoo.com>
> Subject: [Zope] VHM and SSL protection problem
>
> ...
> Installation #2: Plone 2.1/Zope 2.7.7
> I'm trying to use VHM and an Apache rewrite rule to
> protect this site with SSL. I'm using instructions
> from http://plone.org/documentation/how-to/apache-ssl
> . Step number 7 shows this rewrite rule:
> 
> RewriteRule ^/(.*)
> http://localhost:8080/VirtualHostBase/https/www.yourmachinename.com:443/$1

Looking at what the zope witch <http://betabug.ch/zope/witch> tells me
(and myself guessing at what you really want to do):
RewriteRule ^$ \
http://127.0.0.1:8080/VirtualHostBase/\
https/%{SERVER_NAME}:443/VirtualHostRoot/ [L,P]

RewriteRule ^/(.*) \
http://127.0.0.1:8080/VirtualHostBase/\
https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P]

It seems that you are missing the [L,P] at the end, which tells Apache
what to do once a RewriteRule matches.

> So if my original Zope site was 
> http://www.sg.com:8080/
> the above rule should simply rewrite the URL to
> https://www.sg.com:443/
> which would force all requests for the http site to go
> through SSL before being forwarded to Zope. Correct? 

No.

What this does is it enables your site to be served through SSL and
Apache. The "force everything to SSL" RewriteRule is another, different,
second rule. You likely need both, though I have not used FastCGI in a
while. The witch doesn't cover that rule style yet.

For redirecting access to the ZMI to SSL, many people use rules like
these:
RewriteRule ^/(.*)/manage(.*) https://%{SERVER_NAME}/$1/manage$2 [R=301,L]
RewriteRule ^/manage(.*) https://%{SERVER_NAME}/manage$1 [R=301,L]
ProxyPassReverse /manage https://%{SERVER_NAME}/manage

You could modify these to redirect everything to SSL. (There should
either be additional tests to check that you are not using SSL already,
or else this should be placed in the non-SSL virtual host setup). See
how these have R=301 in the last part? That's a redirect, not a rewrite.

Regards,

Sascha
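
The two rules discussed in the message above, placed in the virtual hosts where each belongs. This is an added example and not part of the original message. The host name www.example.com and the certificate paths are placeholders, and Zope is assumed to listen on 127.0.0.1:8080 as in the rules quoted above.

```apache
# Added example (constructed). www.example.com and the certificate paths
# are placeholders; Zope is assumed to listen on 127.0.0.1:8080.

# Non-SSL virtual host: answer every request with a redirect to https.
# Because this rule exists only in the port-80 host, it needs no extra
# "am I already on SSL?" test and cannot redirect in a loop.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    # R=301 sends the browser a redirect; nothing is proxied to Zope here.
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

# SSL virtual host: Apache terminates SSL and proxies to Zope through the
# VirtualHostMonster path, so Zope builds https:// URLs for this host.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    RewriteEngine On
    # P hands the request to mod_proxy (which must be loaded);
    # L stops further rule processing once this rule matches.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

With this layout, a request for http://www.example.com/manage receives a 301 to the https URL, and only the request arriving on port 443 is proxied to Zope.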


