[Zope] mod_rewrite rule to close management screens from outsiders
Bill Anderson
bill@libc.org
Tue, 27 Jun 2000 16:25:54 -0600
Ragnar Beer wrote:
>
> > I'm trying to deny external access to Zope maintenance from elsewhere
> > (just for sure), with Zope behind Apache. However, it
> > just doesn't seem to work... Sure, it's more Apache's problem, but I guess
> > someone around there has a working solution?
> >
> > #<IfModule mod_rewrite.c>
> > RewriteEngine on
> > RewriteCond %{HTTP:Authorization} ^(.*)
> > RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
> >
> > RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
> > RewriteRule ^/Zope.*manage - [F]
> > #</IfModule>
> >
> > --
>
> I'm using
>
> <LocationMatch "/ssl|manage">
> Deny from all
> </LocationMatch>
>
> to block any request from my virtual server on port 80 that is under
> the /ssl directory or has "manage" in it. You could then allow from
> localhost.
>
> I was thinking about extending this idea to protect myself from
> possible security holes in Zope by denying everything and allowing
> only requests ending in _html or _img. Any opinions on that?
What about callable objects that don't end in either of these?
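
Added example, not part of the original thread: mod_rewrite evaluates rules in order and the `[L]` flag ends processing, so in the quoted configuration every `/Zope` request is consumed by the first rule and the `manage` deny rule is never reached. The sketch below reuses the path and address range from the quoted post and only changes the order; it assumes server-level (not `.htaccess`) context.

```apache
# Added example; paths and the 193.143.156.x range are taken from the quoted post.
RewriteEngine on

# 1. Refuse management URLs from outside the trusted network FIRST.
#    A RewriteCond applies only to the single RewriteRule that follows it,
#    and [F] returns 403 Forbidden and stops rule processing.
RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.
RewriteRule ^/Zope.*manage - [F]

# 2. Only then hand the remaining requests to the Zope CGI.
#    [L] ends rule processing here, so any rule placed after this one
#    is never evaluated for URLs beginning with /Zope.
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [E=HTTP_CGI_AUTHORIZATION:%1,T=application/x-httpd-cgi,L]
```

To check the result, request a `manage` URL from an address outside the allowed range and confirm a 403 in the Apache access log, then repeat from inside the range.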