[Zope] SSL + ProxyPass + Zope question...

Steve Spicklemire steve@spvi.com
Sun, 5 Aug 2001 16:35:02 -0500


Hi Eric,

Ahh...  in this case maybe an AccessRule would be better. Note that you 
*can* use _SUPPRESS_ACCESS_RULE (or something like that, not sure of 
exact spelling) in the URL to override these.. but you have to *really* 
know about it to know that.

take care,
-steve

On Sunday, August 5, 2001, at 04:25 PM, Eric Walstad wrote:

> Thanks Steve,
> Yes, I have a redirect in there now similar to what you wrote below.  One
> problem with doing it this way is that if the user *does* manage to get to
> the page on the insecure port, the password they enter will be sent to the
> server unencrypted.  Then the redirect takes over and everything else is
> done securely, which is better than nothing, but to me the password is
> important.  In my experience, even well educated users will manage to find
> an application's "undocumented secrets" (bugs)  :).
> Thanks for all your feedback.  It's been very helpful.
> Eric.
>
> -----Original Message-----
> From: Steve Spicklemire [mailto:steve@spvi.com]
> Sent: Sunday, August 05, 2001 3:05 AM
> To: Eric Walstad
> Cc: Steve Spicklemire; zope@zope.org
> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>
>
> Hi Eric,
>
> 	Right... someone suggested a firewall.. which is fine if you want
> to make all of zope inaccessible on port 8080, and clearly it's a
> sure-fire solution. However it also requires that you have *access* to
> put up a firewall, which you might not! My thought was
> that, in Zope you could simply protect a particular area by adding code
> to standard_html_header in that area that did a check, e.g.,
>
> <dtml-if "URL[:5] == 'http:'">
> <dtml-call "RESPONSE.redirect('https:' + URL[5:])">
> <dtml-return "'REDIRECTING.. to secure port.. '">
> </dtml-if>
>
> ...
>
> This way, you could still use 8080 for other things if you wanted to. I
> guess the question comes down to 'who are you trying to protect from
> doing what?'. If it's your own users then, as Joachim mentioned maybe
> it's just a matter of education?
>
> -steve
>
> On Saturday, August 4, 2001, at 11:48 PM, Eric Walstad wrote:
>
>> Hi Steve,
>> Well, in the condition I described, if the user knows the port that
>> Zope is running on, they could bypass Apache altogether.  So, what I need
>> is to make Zope inaccessible to the outside world.  That way, all traffic
>> would have to be sent thru Apache.
>> Thanks,
>> Eric.
>>
>> -----Original Message-----
>> From: Steve Spicklemire [mailto:steve@spvi.com]
>> Sent: Friday, August 03, 2001 4:16 PM
>> To: Eric Walstad
>> Cc: Steve Spicklemire; zope@zope.org
>> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>>
>>
>>
>> Hi Eric,
>>
>> 	Apache sets an environment variable when SSL is used. You can check
>> for that variable in an Access rule, or standard_html_header or some
>> other method.
>>
>> -steve
>>
>> On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
>>
>>> Hello,
>>>
>>> Apache is listening on port 80 and 443, Zope listening on port 8080.
>>> When a request comes in for port 443 (or HTTPS) Apache forwards the
>>> request to Zope on port 8080 and sends the results back out thru SSL,
>>> just as it should.  If a user goes to
>>> https://mysite.com/PasswordProtectedArea/ an SSL connection is created
>>> and the password is forwarded to Zope after it's been sent thru SSL.
>>> However, if the user goes to
>>> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the
>>> request and it goes straight to Zope.  The user is then prompted for a
>>> password, which would be sent back to Zope without SSL.
>>>
>>> So my question is, how do I keep Zope from accepting any requests from
>>> the outside world unless they've gone thru Apache first?  Can I tell
>>> Zope to listen on something like 192.168.1.123:8080 so that it will
>>> never see requests from the outside world?
>>>
>>> TIA,
>>>
>>> Eric.
>>>
>>>
>>> _______________________________________________
>>> Zope maillist  -  Zope@zope.org
>>> http://lists.zope.org/mailman/listinfo/zope
>>> **   No cross posts or HTML encoding!  **
>>> (Related lists -
>>>  http://lists.zope.org/mailman/listinfo/zope-announce
>>>  http://lists.zope.org/mailman/listinfo/zope-dev )
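The checks discussed in the thread above, restated as plain Python so the edge cases are visible. This is an added example; it is not code from the thread, from Zope, or from Apache. The port numbers follow the thread (Apache on 80/443, Zope on 8080). Two assumptions are built in: that the environment variable mod_ssl sets is named HTTPS with the value "on" (a proxying Apache does not pass its environment to Zope automatically, so it only shows up if the proxy configuration forwards it on purpose), and that a redirect should always point at Apache's SSL port rather than keep the port the request came in on, which is what the 'https:' + URL[5:] one-liner would do for a request on :8080. The last function answers Eric's binding question by classifying a bind address, nothing more.

```python
"""Added example, not code from the thread or from Zope itself.

Restates the thread's two checks in plain Python: (1) the scheme rewrite
that the DTML snippet sketches, with the port handled correctly, and
(2) a classification of the address Zope would bind to.  Port numbers
follow the thread; the HTTPS=on variable name is an assumption.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

APACHE_HTTPS_PORT = 443   # assumed: where Apache's SSL listener lives


def arrived_over_ssl(url, environ):
    """True if this request is already protected by SSL.

    Either the URL itself is https, or the environment carries HTTPS=on,
    the variable Apache's mod_ssl sets for scripts it runs.  Assumption:
    a proxying Apache does not hand its environment to Zope, so HTTPS is
    only present here if the proxy configuration forwards it deliberately.
    """
    if urlsplit(url).scheme == 'https':
        return True
    return environ.get('HTTPS', '').lower() == 'on'


def https_redirect_target(url, https_port=APACHE_HTTPS_PORT):
    """Return the https:// URL a plain-http request should be sent to.

    'https:' + URL[5:] keeps the original port, so a request to
    http://host:8080/x would be sent to https://host:8080/x, where
    nothing speaks SSL.  This version always targets the SSL front end.
    """
    parts = urlsplit(url)
    if parts.scheme != 'http':
        raise ValueError('expected an http:// URL, got %r' % url)
    host = parts.hostname
    if not host:
        raise ValueError('URL has no host: %r' % url)
    netloc = host if https_port == 443 else '%s:%d' % (host, https_port)
    return urlunsplit(('https', netloc, parts.path, parts.query,
                       parts.fragment))


def check_request(url, environ, method='GET'):
    """Decide what to do with one request.

    ('serve', None) for SSL requests, ('redirect', target) for plain-http
    ones.  A POST over plain http has already carried its form fields (a
    password, in the thread's case) in the clear; a redirect cannot undo
    that, which is Eric's objection.  Such requests come back as
    ('exposed', target) so the caller can log them instead of silently
    redirecting.
    """
    if arrived_over_ssl(url, environ):
        return ('serve', None)
    target = https_redirect_target(url)
    if method.upper() == 'POST':
        return ('exposed', target)
    return ('redirect', target)


def is_internal_bind_address(addr):
    """True if binding Zope to addr keeps it off the public Internet.

    Loopback and RFC 1918 addresses such as 192.168.1.123 (Eric's
    example) qualify; 0.0.0.0 (every interface) and public addresses do
    not.  This only classifies the address; whether the host actually
    routes it externally is a network question the code cannot answer.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return False
    return ip.is_loopback or ip.is_private


if __name__ == '__main__':
    # Constructed sample requests mirroring the thread's URLs.
    print(check_request('https://mysite.com/PasswordProtectedArea/', {}))
    print(check_request('http://mysite.com:8080/PasswordProtectedArea/', {}))
    print(check_request('http://mysite.com:8080/PasswordProtectedArea/',
                        {}, 'POST'))
    print(is_internal_bind_address('192.168.1.123'),
          is_internal_bind_address('0.0.0.0'))
```

The 'exposed' result is the point Eric makes: by the time a redirect fires on a POST, the credentials have already crossed the wire on port 8080, so the redirect is a convenience for users, not a control. Binding Zope to an internal address (or firewalling 8080) is what removes the path; the last function only sanity-checks the chosen address.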