[Zope] fyi: apache + ssl + zope + zope management interface example

Jamie Heilman jamie@audible.transient.net
Fri, 28 Mar 2003 16:52:18 -0800


Ricardo Anguiano wrote:
> - Restrict remote access to port 8080 or else folks will be able to
>   connect to the zope management interface remotely without using SSL.

Or just bind zope to something in 127.0.0.0/8 which should obviate
the need for additional access restrictions (from the outside world).
(Assuming a non-routing host I suppose.)

> <VirtualHost *>
>   ServerName www.example.com
>   RewriteEngine on
>   RewriteCond %{REQUEST_URI} manage

The above RewriteCond is superfluous, the RewriteRule below is
sufficient.

>   RewriteRule manage - [F]
>   RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/www.example.com:80/example/VirtualHostRoot/$1 [P,L]
> </VirtualHost>


> <VirtualHost *:443>
>   ServerName www.example.com
...
>   RewriteEngine on
>   RewriteCond %{REQUEST_URI} manage

ibid

>   RewriteRule manage - [F]
>   RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/www.example.com:443/example/VirtualHostRoot/$1 [P,L]
> </VirtualHost>


These examples also fail to address the issues discussed in
http://marc.theaimsgroup.com/?l=zope&m=104426779414836
but then, they are just examples, and nobody would dream of using them
blindly without first reading the documentation, right?  Right.

What you've done here will work ... mostly.  I've even advocated it in
the past, but it's probably worth noting blocking 'manage' strings only
works from a pragmatic sense.  I believe there are management
interfaces that don't have that string in them (I swear I saw one the
other day though I don't remember in what now...) and as such if your
goal is 100% assurance that auth headers for management never pass in
the clear this config might not cut it.  I've been considering an
alternate approach, I'd entertain any commentary.

I was thinking of using client certs with mod_ssl's FakeBasicAuth
function in conjunction with a specialized UserFolder that only
authenticates requests which are received via a known secure route.
I've verified that when using FakeBasicAuth and mod_rewrite/proxy that
the proxied request is indeed sent with an appropriately crafted
WWW-Authenticate header.  The problem I've been mulling over is that
this means the passwords of your users are all identical in the user
folder. (read up on mod_ssl if you don't understand why)  This means that
whatever variable that holds the flag indicating the request came from a
secure source must be protected from any form of duress.  (Otherwise I
can see a scenario where users could possibly script themselves new
credentials.)  To date that's about as far as I've gotten with this
idea, I'm not sure what the best way to protect a variable of that
much importance would be.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"...thats the metaphorical equivalent of flopping your wedding tackle 
 into a lion's mouth and flicking his lovespuds with a wet towel, pure 
 insanity..."						-Rimmer
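
An added illustration of the FakeBasicAuth concern raised in the message above (not code from the original post, from mod_ssl or from Zope): because every user carries the same fixed password, a password check alone accepts anyone who knows a subject DN, so the backend must also tie the request to the trusted route. The function names, the sample DN and the use of a loopback TCP peer as the "known secure route" are assumptions made for this sketch.

```python
import base64
import ipaddress

# mod_ssl's FakeBasicAuth sends the certificate subject DN as the user name
# and the same literal password, "password", for every user.
FAKE_BASIC_PASSWORD = "password"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def fake_basic_header(subject_dn):
    """Build the Basic credentials a FakeBasicAuth proxy would send."""
    raw = f"{subject_dn}:{FAKE_BASIC_PASSWORD}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (user, password) from a Basic header value, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def password_check_only(header, known_dns):
    """What an ordinary user folder checks: user exists, password matches."""
    creds = parse_basic(header)
    return creds is not None and creds[0] in known_dns and creds[1] == FAKE_BASIC_PASSWORD


def accept(header, peer_ip, known_dns):
    """Also require the TCP peer to be the local proxy (assumed secure route)."""
    if not password_check_only(header, known_dns):
        return False
    # Taken from the socket, never from a request header or form variable.
    return ipaddress.ip_address(peer_ip) in LOOPBACK


# Constructed sample data: a made-up DN and documentation-range addresses.
KNOWN_DNS = {"/C=US/O=Example/CN=alice"}
via_proxy = fake_basic_header("/C=US/O=Example/CN=alice")
assert accept(via_proxy, "127.0.0.1", KNOWN_DNS)
# Same header typed by someone who merely knows the DN, sent directly:
assert password_check_only(via_proxy, KNOWN_DNS)
assert not accept(via_proxy, "203.0.113.7", KNOWN_DNS)
```

A loopback peer test trusts every process on the host, so it only holds under the same non-routing, single-purpose host assumption mentioned for the 127.0.0.0/8 binding.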