[Zope] SSL + ProxyPass + Zope question...

Eric Walstad eric@walstads.net
Mon, 06 Aug 2001 09:33:38 -0700


Great!  That's just what I was looking for.
Thanks, Jens!
Eric.

> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Jens Vagelpohl
> Sent: Monday, August 06, 2001 5:12 AM
> To: zope@zope.org
> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>
>
> the easiest way to prevent *all* outside access to zope directly, if your
> apache and zope run on the same box, is to have zope listen on the
> localhost address only (127.0.0.1). simply pass "-X -w 127.0.0.1:8080" to
> the start script (the actual port doesn't matter that much).
>
> the "-X" option is there to turn off any services that might want to start
> up and listen, like FTP or the monitor daemon.
>
> then you just change your rewrite or proxy rules in apache to redirect
> through port 127.0.0.1
>
> jens
>
>
>
>
> On Sunday, August 5, 2001, at 12:48 , Eric Walstad wrote:
>
> > Hi Steve,
> > Well, in the condition I described, if the user knows the port that Zope is
> > running on, they could bypass Apache altogether.  So, what I need is to make
> > Zope inaccessible to the outside world.  That way, all traffic would have to
> > be sent thru Apache.
> > Thanks,
> > Eric.
> >
> > -----Original Message-----
> > From: Steve Spicklemire [mailto:steve@spvi.com]
> > Sent: Friday, August 03, 2001 4:16 PM
> > To: Eric Walstad
> > Cc: Steve Spicklemire; zope@zope.org
> > Subject: Re: [Zope] SSL + ProxyPass + Zope question...
> >
> >
> >
> > Hi Eric,
> >
> > Apache sets an environment variable when SSL is used. You can check
> > for that variable in an Access rule, or standard_html_header or some
> > other method.
> >
> > -steve
> >
> > On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
> >
> >> Hello,
> >>
> >> Apache is listening on port 80 and 443, Zope listening on port 8080.  When a
> >> request comes in for port 443 (or HTTPS) Apache forwards the request to Zope
> >> on port 8080 and sends the results back out thru SSL, just as it should.  If
> >> a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection
> >> is created and the password is forwarded to Zope after it's been sent thru
> >> SSL.  However, if the user goes to
> >> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request
> >> and it goes straight to Zope.  The user is then prompted for a password,
> >> which would be sent back to Zope without SSL.
> >>
> >> So my question is, how do I keep Zope from accepting any requests from the
> >> outside world unless they've gone thru Apache first?  Can I tell Zope to
> >> listen on something like 192.168.1.123:8080 so that it will never see
> >> requests from the outside world?
> >>
> >> TIA,
> >>
> >> Eric.
> >>
> >
>
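
An added example, not part of the original thread: a small check that the backend port from this discussion (8080) is bound to loopback only, so the plain-HTTP bypass around Apache is closed. It assumes listener output in the column layout printed by Linux `ss -ltn`; the function names and the sample listener tables are constructed for illustration.

```python
import ipaddress

def is_loopback(host):
    """True only when the bind address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %scope
    if host == "*":                            # wildcard: every interface
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # unparsable: treat as exposed

def exposed_listeners(ss_output, port):
    """Return bind addresses on `port` that other hosts can reach."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header or non-listener row
        host, _, lport = fields[3].rpartition(":")
        if lport == str(port) and not is_loopback(host):
            exposed.append(fields[3])
    return exposed

# Constructed samples: backend on all interfaces, on a LAN address,
# and on loopback only (the setup suggested in the thread).
HEADER = "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
APACHE = ("LISTEN 0 511 0.0.0.0:80  0.0.0.0:*\n"
          "LISTEN 0 511 0.0.0.0:443 0.0.0.0:*\n")
ALL_IFACES = HEADER + APACHE + "LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*\n"
LAN_ONLY = HEADER + APACHE + "LISTEN 0 128 192.168.1.123:8080 0.0.0.0:*\n"
LOOPBACK = HEADER + APACHE + "LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*\n"

if __name__ == "__main__":
    for name, table in [("all interfaces", ALL_IFACES),
                        ("LAN address", LAN_ONLY),
                        ("loopback", LOOPBACK)]:
        found = exposed_listeners(table, 8080)
        print(f"{name}: {'EXPOSED ' + ', '.join(found) if found else 'ok'}")
```

A private address such as 192.168.1.123 is still flagged, since any host on that network can reach the backend without SSL; only a loopback bind forces every request through the proxy.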