[Zope] Running Management Interface on Separate HTTP Port

Michel Pelletier michel@digicool.com
Thu, 24 Feb 2000 21:04:40 -0800


Roland Reumerman wrote:
> 
> My company is committed to implementing Zope for use on the extranet, and I'm
> kind of leading this new endeavour. One thing I stumbled across today was
> the issue of SECURITY. The Zope web app server and accompanying Oracle
> database will be run off the same machine on the extranet, so there's no
> security issue with our intranet there. However, the consultant from the
> firewall company recommended that we use different HTTP ports for the
> customer interface/application and the management interface.
> 
> I couldn't find anything that could relate to that issue in the Zope
> documentation, and a search through egroups.com only showed some message
> from someone who thought the management screens could be shielded off by
> only allowing HTTPS, but that's a different solution. Does this mean it
> simply isn't possible (yet), or did I gloss over some obscure functionality
> that could pull it off for me?

Zope does not differentiate between management methods and, say, DTML
methods that are public (other than authenticating them against Zope's
security system, of course).  They are all just objects in an object
space.  I would suggest using Apache and rewrite rules to ensure that
only those you know can get to /manage anything.  Also, Apache
introduces another process 'layer' between your Zope and the world;
thus, there may be some yet unknown Apache buffer overflow bug, but that
doesn't mean they've broken directly into your Zope (in fact, they've
only won half the battle at that point...).  Also, Apache has years and
years of millions of sites beating on it.  It's pretty secure.

-Michel
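Added example, not part of Michel's post and not code from the Zope or Apache projects: an Apache httpd virtual host that does what the reply describes, i.e. sits in front of Zope and refuses any request for a /manage or /manage_* path unless the client comes from a known admin network, while proxying everything else through. It assumes Apache 2.x with mod_rewrite, mod_proxy and mod_proxy_http loaded, Zope listening only on 127.0.0.1:8080, a Virtual Host Monster in the Zope root, the hostname www.example.com, and 10.1.2.0/24 as the admin network; all of those values are placeholders.

```apache
# Added example (not from the original post). Hypothetical values:
#   Zope HTTP server:  127.0.0.1:8080 (bound to loopback only)
#   Public hostname:   www.example.com
#   Admin network:     10.1.2.0/24
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On

    # Gate the Zope management interface. Zope exposes it as objects named
    # "manage" and "manage_<something>" (manage_main, manage_workspace, ...)
    # anywhere in the object tree, so match that as a whole path component,
    # not just a "/manage" prefix. "/management" is deliberately not matched.
    # Clients outside the admin range get a 403 before the request reaches Zope.
    RewriteCond %{REMOTE_ADDR} !^10\.1\.2\.[0-9]+$
    RewriteRule (^|/)manage(_[^/]*)?(/|$) - [F]

    # Everything else is proxied to Zope. The VirtualHostBase/VirtualHostRoot
    # segments are the Virtual Host Monster convention so that Zope generates
    # URLs for www.example.com rather than for 127.0.0.1:8080.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/www.example.com:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Two things to check before relying on this: the gate is only as good as the fact that Zope's own port is unreachable from the extranet, so bind ZServer to 127.0.0.1 or filter port 8080 at the firewall, otherwise an attacker simply talks to Zope directly; and %{REMOTE_ADDR} is the address of whatever TCP peer Apache sees, so if a load balancer or another proxy sits in front of Apache the condition will match that device's address, not the real client's, and the rule must be adapted accordingly. Test the rule from a non-admin address with a request for /manage_main and for /some/folder/manage_workspace; both should return 403, while /some/folder/management should still be served.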