[Zope] Can we please eradicate dangerous how-tos on zope.org? was: Re: [Zope]
Zope and Apache+SSL
Oliver Bleutgen
myzope@gmx.net
Wed, 03 Jul 2002 19:45:33 +0200
Alexandre Peshansky wrote:
> I am trying to set up Zope so that it is accessible via secure link
> through Apache.
> Configuration:
> Solaris 2.8
> Apache-2.0 with mod_ssl and mod_proxy shared
> Zope 2.5
>
> Apache lives in /usr/local/apache2 and has the following in its
> configuration:
> <IfModule mod_proxy.c>
> ProxyRequests On
^^^^^^^^^^^^^^
Nooooo! Don't do that (at least if you haven't really configured/secured
your server). You have just opened your server as a proxy for the whole
world.
Put in ProxyRequests Off an everything you configured below will still
work, you just won't function as a public anonymizer.
Btw, did you get that config option from a howto on zope? If so, please
post the URL so that we can slap the creator ;->.
Sorry, no time to help with your problem, just wanted to get that hole
out of the way.
Btw: google shows me the following pages on www.zope.org which contain
this false and dangerous information
http://www.zope.org/Members/Jace/apache-vhm
http://www.zope.org/About/Apache
The last one should IMO at least contain remarks about the dangers of
that config line.
cheers,
oliver