[Zope] SSL + ProxyPass + Zope question...

Jens Vagelpohl jens@zope.com
Mon, 6 Aug 2001 08:11:48 -0400


the easiest way to prevent *all* outside access to zope directly, if your 
apache and zope run on the same box, is to have zope listen on the 
localhost address only (127.0.0.1). simply pass "-X -w 127.0.0.1:8080" to 
the start script (the actual port doesn't matter that much).

the "-X" option is there to turn off any services that might want to start 
up and listen, like FTP or the monitor daemon.

then you just change your rewrite or proxy rules in apache to redirect 
through port 127.0.0.1

jens




On Sunday, August 5, 2001, at 12:48 , Eric Walstad wrote:

> Hi Steve,
> Well, in the condition I described, if the user knows the port that Zope is
> running on, they could bypass Apache altogether.  So, what I need is to make
> Zope inaccessible to the outside world.  That way, all traffic would have to
> be sent thru Apache.
> Thanks,
> Eric.
>
> -----Original Message-----
> From: Steve Spicklemire [mailto:steve@spvi.com]
> Sent: Friday, August 03, 2001 4:16 PM
> To: Eric Walstad
> Cc: Steve Spicklemire; zope@zope.org
> Subject: Re: [Zope] SSL + ProxyPass + Zope question...
>
>
>
> Hi Eric,
>
> Apache sets an environment variable when SSL is used. You can check
> for that variable in an Access rule, or standard_html_header or some
> other method.
>
> -steve
>
> On Friday, August 3, 2001, at 06:02 PM, Eric Walstad wrote:
>
>> Hello,
>>
>> Apache is listening on port 80 and 443, Zope listening on port 8080. When a
>> request comes in for port 443 (or HTTPS) Apache forwards the request to Zope
>> on port 8080 and sends the results back out thru SSL, just as it should.  If
>> a user goes to https://mysite.com/PasswordProtectedArea/ an SSL connection
>> is created and the password is forwarded to Zope after it's been sent thru
>> SSL.  However, if the user goes to
>> http://mysite.com:8080/PasswordProtectedArea/ Apache never sees the request
>> and it goes straight to Zope.  The user is then prompted for a password,
>> which would be sent back to Zope without SSL.
>>
>> So my question is, how do I keep Zope from accepting any requests from the
>> outside world unless they've gone thru Apache first?  Can I tell Zope to
>> listen on something like 192.168.1.123:8080 so that it will never see
>> requests from the outside world?
>>
>> TIA,
>>
>> Eric.
>>
>