[Zope] SSL over Multiple Zope/Plone sites?

David Pratt fairwinds at eastlink.ca
Tue Jan 24 14:51:48 EST 2006


Michael. I found a bookmark for something that might help. I remember 
this person had written a bit of a howto on some of this for Plone. His 
name was Eric Vought and his howto was SSL redirect around March of last 
year. His document which is now an orphan was at:

http://www.diversityink.com/documents/2005/1Q/howto-apache-zope-ssl

I don't know where he is any longer but perhaps someone on the plone 
list could help find the doc or Eric. If you happen to find a copy of 
the howto somewhere, it would be great if you could send a fresh link to 
me. I remember communicating with Eric at the time when I was trying to 
work this out for myself with CMF.

Regards,
David


David Pratt wrote:
> Hi Michael. First you need a way to get to the root of your site two 
> different ways. First is using the domain you have your ssl on and the 
> other for your other domain name(s)
> 
> www.domain_one.com               /site1
> www.mysecure_domain.com/site1    /site1
> 
> If you have apache proxy then you can set up your ssl on port 443 to 
> secure the domain you have the cert for. Under this domain you can have 
> any number of sites so long as the domain and ip are the same. ie
> 
> www.mysecure_domain.com/site1
> www.mysecure_domain.com/site2
> www.mysecure_domain.com/site3
> ...
> 
> So you will be able to get to the same site by either using
> ie
> http://www.domain_one.com
> or
> https://www.mysecure_domain.com/site1
> 
> http://www.domain_two.com
> or
> https://www.mysecure_domain.com/site2
> 
> http://www.domain_three.com
> or
> https://www.mysecure_domain.com/site3
> 
> since in VHM they are both pointing to the same root (/site1 )
> 
> As far as the login on Plone, I do not use Plone but you would have to 
> modify the zpt and script that calls the login to modify these links to 
> the url for the other domain. This is where I cannot be sure of what 
> I did a year ago. I know for sure I had not completely worked it through 
> and would need to look at this again. I tried this on CMF. Give me a day 
> or two and I will see if I can locate anything more on this in my stuff. 
> I wish I had a better memory but a year seems like a long time ago. :-)
> 
> Regards,
> David
> 
> 
> michael nt milne wrote:
> 
>> Ok, that's really interesting. Thanks. Yes I could just stay using SSL 
>> after the login if there's a problem with going non-ssl
>>
>> I understand the setting up the single secure domain bit linked to the 
>> IP address but don't quite get how I would link each site's login 
>> areas to that? Basically are you saying you would, using re-write 
>> rules, just call http://www.plonesiteone.com/login_form  - 
>> http://mysecure_domain.com/plonesiteone/login_form ?
>>
>> It would be the same Plone login page but just have a different URL in 
>> the address bar, a https one?
>>
>> Also would you need to use VHM because I've got Apache virtual hosts 
>> set-up without actually doing anything in Zope. As long as VHM is on 
>> it is all fine.
>>
>> Thanks
>>
>> Michael
>>
>> On 1/24/06, David Pratt <fairwinds at eastlink.ca> wrote:
>>
>>     I think this should be doable for single cert with multiple domains.
>>     Set up your existing ip with one domain (ie. mysecure_domain.com).
>>     Get the cert on this domain.
>>
>>     Set up a rewrite rule in apache for port 443 for mysecure_domain.com
>>
>>     You could use a self signed cert to experiment. When user logs in
>>     request login page goes to
>>
>>     site1 - http://domain_one.com:
>>     You would need to make your login go to your login page
>>     https://mysecure_domain/site1/login
>>
>>     site2 - http://domain_two.com:
>>     https://mysecure_domain/site2/login
>>
>>     Once logged in goes to whatever you have in your vhm
>>     http://www.domain_one.com    /site1 in vhm
>>     http://www.domain_two.com    /site2 in vhm
>>
>>     in vhm you'd have:
>>     www.domain_one.com           /site1
>>     www.mysecure_domain/site1    /site1
>>     www.domain_two.com           /site2
>>     www.mysecure_domain/site2    /site2
>>
>>     The problem here will be the session since when you login secure and
>>     switch back to the regular site, your ssl session will expire
>>     automatically but you'll need to pass it to nonssl to stay alive when
>>     you go back to nonssl. I think a solution might be to store it, go to
>>     nonssl and then retrieve it when you do your redirect back to
>>     non-ssl. I have not tried this yet. Alternatively you could always
>>     stay in ssl from that point forward. Any technique from someone on
>>     this would be helpful since I am also interested in what
>>     possibilities there might be.
>>
>>     This should not give you a problem with the cert because identity on
>>     cert would match the ip. I think otherwise you are in a situation
>>     where you will need a dedicated server setup to have one ip per site
>>     and then you can just do a single rewrite per ip or use chained ssl
>>     if you have sub domains that you want to tie together under a single
>>     cert over one or more ips on one or more servers.
>>
>>     Regards,
>>     David
>>
>>
> 
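
One way to write the Apache side of the layout described in this thread, as an added example that is not from any of the posters. The host names are the thread's placeholders; the Zope backend address (127.0.0.1:8080), the certificate paths and the use of VirtualHostMonster's URL-path syntax (rather than its Mappings tab) are assumptions.

```apache
# Added example. Host names are the thread's placeholders; the Zope address
# (127.0.0.1:8080) and the certificate paths are assumptions.
# Requires mod_rewrite, mod_proxy, mod_proxy_http and mod_ssl.

# Plain-HTTP host for site1: the public root maps to /site1 in Zope.
<VirtualHost *:80>
    ServerName www.domain_one.com
    RewriteEngine On
    # Send the login form to the host that holds the certificate.
    # mod_rewrite carries the original query string over unchanged.
    RewriteRule ^/login_form$ https://www.mysecure_domain.com/site1/login_form [R=302,L]
    # Everything else is proxied to Zope; VirtualHostMonster rewrites
    # generated links to http://www.domain_one.com/...
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/www.domain_one.com:80/site1/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# The one certified host: every site lives under its own path prefix.
<VirtualHost *:443>
    ServerName www.mysecure_domain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mysecure_domain.crt
    SSLCertificateKeyFile /etc/ssl/private/mysecure_domain.key
    RewriteEngine On
    # _vh_site1 tells VirtualHostMonster to keep the /site1 prefix in the
    # URLs it generates, so links served over HTTPS stay under
    # https://www.mysecure_domain.com/site1/.
    RewriteRule ^/site1(/(.*))?$ http://127.0.0.1:8080/VirtualHostBase/https/www.mysecure_domain.com:443/site1/VirtualHostRoot/_vh_site1/$2 [P,L]
    RewriteRule ^/site2(/(.*))?$ http://127.0.0.1:8080/VirtualHostBase/https/www.mysecure_domain.com:443/site2/VirtualHostRoot/_vh_site2/$2 [P,L]
    # A login cookie set by this host is scoped to www.mysecure_domain.com;
    # browsers do not send it to www.domain_one.com.
</VirtualHost>
```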

