[Zope] apache open proxy configuration problem

Kanealii, Priam Mr KRS Priam.Kanealii at kls.usaka.smdc.army.mil
Fri Oct 14 17:54:05 EDT 2005


I abandoned mod_proxy for mod_rewrite. Security-wise, mod_rewrite had
less to worry about (this is important when website administration
changes hands).

The sample configuration below shows how to handle Zope resource
quirks and how to proxy requests to and from folders in Zope (both
tested). The last rule is my guess at what "proxy everything to and
from Zope" would look like (untested). Apache is listening on 80 and
routes requests to a Zope instance listening on 8080.

<IfModule mod_rewrite.c>

    RewriteEngine On
    RewriteLog "/path/to/rewrite_log"

    # Zope serves some system-ish content from p_ and misc_.
    RewriteRule ^/p_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/p_$1 [L,P]
    RewriteRule ^/misc_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/misc_$1 [L,P]

    # Apache folders served by Zope folders.
    RewriteRule ^/folder1(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder1$1 [L,P]
    RewriteRule ^/folder2(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder2$1 [L,P]

    # Push everything to Zope?
    RewriteRule ^(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P]

</IfModule>

Aloha,
Priam

-----Original Message-----
From: zope-bounces at zope.org [mailto:zope-bounces at zope.org] On Behalf Of Ed Colmar
Sent: Saturday, October 15, 2005 9:19 AM
To: zope at zope.org
Subject: [Zope] apache open proxy configuration problem

I've been running zope through apache for years and years now, and I 
have a new machine set up with apache 2.0.48 and zope (Zope 2.8.0-final, 
python 2.3.5, linux2)

Using Identical Vhost configuration settings from an old machine all has
been well, up until about 5 days ago, when I noticed the machine getting
slammed, and weird logs started showing up like:

xxx.xxx.xxx.xxx - - [14/Oct/2005:14:09:06 -0700] "GET http://partners.mygeek.com:80/search.jsp?partnerid=98885&pagesize=12 HTTP/1.1" 403 406

(IP removed to protect the guilty)

In my quick research to try to determine the problem, I found people 
advising to turn "ProxyRequests Off", which I did, but did not have any 
effect.

Luckily this is just a development server, not a live production server,
so it's not super critical, but I'm nervous now that my production server
might be in the same state...

Here is a sample vhost.conf entry:

NameVirtualHost 192.168.1.32
<VirtualHost 192.168.1.32>
ServerName www.greengraphics.net
ServerPath /var/www/greengraphics/www
DocumentRoot /var/www/greengraphics/www
ServerAdmin webmaster
RewriteEngine On
TransferLog logs/Vhost-greengraphics-access.log
ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
ProxyPass / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
ProxyPassReverse / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
</VirtualHost>



mod_proxy.conf looks like:

<IfDefine HAVE_PROXY>
  <IfModule !mod_proxy.c>
    LoadModule proxy_module             modules/mod_proxy.so
    #LoadModule proxy_connect_module    modules/mod_proxy_connect.so
    #LoadModule proxy_ftp_module        modules/mod_proxy_ftp.so
    LoadModule proxy_http_module        modules/mod_proxy_http.so
  </IfModule>
</IfDefine>

<IfModule mod_proxy.c>

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#

ProxyRequests Off

<Proxy *>
    Order deny,allow
    Deny from all
#    Allow from .your-domain.com
</Proxy>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#

ProxyVia On

# End of proxy directives.

</IfModule>


any suggestions?  places to look to verify security?

Thanks!

-ed
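Added example (not part of the original thread, and not code from Apache or Zope): a Python check that scans Common Log Format lines for forward-proxy attempts like the one quoted above, i.e. request lines carrying an absolute URI or CONNECT for a host the server does not own, grouped by client and outcome. The sample log lines, the LOCAL_HOSTS value and the function names are constructed for illustration; a "check" verdict only marks the line for manual follow-up, it does not prove the request was relayed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Names this server legitimately answers for (assumption: the ServerName in the vhost above).
LOCAL_HOSTS = {"www.greengraphics.net"}

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2005:14:09:06 -0700] "GET http://ads.example.com:80/s.jsp?id=1 HTTP/1.1" 403 406',
    '192.0.2.10 - - [14/Oct/2005:14:09:07 -0700] "GET http://ads.example.com:80/s.jsp?id=2 HTTP/1.1" 403 406',
    '203.0.113.5 - - [14/Oct/2005:14:10:00 -0700] "CONNECT mail.example.org:25 HTTP/1.0" 200 0',
    '198.51.100.7 - - [14/Oct/2005:14:11:00 -0700] "GET /index_html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Oct/2005:14:11:02 -0700] "GET http://www.greengraphics.net/ HTTP/1.1" 200 5120',
]

def classify(line, local_hosts=LOCAL_HOSTS):
    """Return (client, foreign_host, verdict) for a forward-proxy attempt, else None."""
    m = CLF.match(line)
    if not m:
        return None                                  # unparseable line: ignore
    client, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0].lower()      # CONNECT host:port
    elif "://" in target:
        host = (urlsplit(target).hostname or "").lower()  # absolute-URI request line
    else:
        return None                                  # ordinary origin-form request
    if host in local_hosts:
        return None                                  # absolute URI naming our own vhost
    # 2xx/3xx: the server answered something, verify by hand; otherwise it refused.
    verdict = "check" if 200 <= status < 400 else "refused"
    return client, host, verdict

def summarize(lines):
    """Count proxy attempts per (client, foreign_host, verdict)."""
    return Counter(hit for hit in map(classify, lines) if hit)

if __name__ == "__main__":
    for (client, host, verdict), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {client:15s} -> {host:20s} {verdict}")
```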