[Zope] fyi: apache + ssl + zope + zope management interface example

Ricardo Anguiano anguiano@codesourcery.com
28 Mar 2003 18:18:26 -0800


Jamie Heilman <jamie@audible.transient.net> writes:
> [...superfluous conditions...]

Thanks for the info.  I will have to test without the conditions.

> These examples also fail to address the issues discussed in
> http://marc.theaimsgroup.com/?l=zope&m=104426779414836
> but then, they are just examples, and nobody would dream of using them
> blindly without first reading the documentation right?  Right.

I am unclear on the problem.  I am not using a cache.  If I was using
a cache, wouldn't the "tainted" URIs just fill my cache with garbage
and degrade performance?  If that isn't the only impact, it looks like
you provide a nice set of RewriteConds in your email which addresses
this problem.

> What you've done here will work ... mostly.  I've even advocated it
> in the past, but it's probably worth noting blocking 'manage' strings
> only works from a pragmatic sense.  I believe there are management
> interfaces that don't have that string in them (I swear I saw one
> the other day though I don't remember in what now...)

AFAIK, the only Zope management interface on unmodified Zope is
/manage.  Pointers to documentation or source code for other
management interfaces are appreciated.

> and as such if your goal is 100% assurance that auth headers for
> management never pass in the clear this config might not cut it.
> I've been considering an alternate approach, I'd entertain any
> commentary.

From SYN to FIN, tcpdump -s 100 -X just showed garbage, so that meets
my needs.  Can you describe a situation where the configuration is
broken and allows plaintext transmissions?  If the example is broken,
I would like to fix it.  It is important that the example not provide
a false sense of security.

> I was thinking of using client certs with mod_ssl's FakeBasicAuth
> function in conjunction with a specialized UserFolder that only
> authenticates requests which are received via a known secure route.
> I've verified that when using FakeBasicAuth and mod_rewrite/proxy
> that the proxied request is indeed sent with an appropriately
> crafted WWW-Authenticate header.  

Do you have a pointer to an example?

> The problem I've been mulling over is that this means the passwords
> of your users are all identical in the user folder. (read up on
> mod_ssl if you don't understand why) This means that whatever variable
> that holds the flag indicating the request came from a secure source
> must be protected from any form of duress.  (Otherwise I can see a
> scenario where users could possibly script themselves new
> credentials.)  To date that's about as far as I've gotten with this
> idea, I'm not sure what the best way to protect a variable of that
> much importance would be.

My ssl-fu is not 31337, so I am not sure what you're talking about
with UserFolder, and you lose me after that.  Apparently, I need to
read the ssl documentation more carefully.

If you don't trust the world to connect to your management interface
because you fear exposed interfaces, client certs (or at the very
least IP-address-based ACLs) seem like the way to go.

There are a few ways which guarantee that no plaintext is
transmitted onto the network:

        1) ssh (inconvenient)
        2) vpn (haven't tried)
        3) ssl (seems to work)

SSL seems to be the broadest solution because you can get an SSL
browser on almost any system. 

Thanks,
-- 
Ricardo Anguiano
http://www.codesourcery.com
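The FakeBasicAuth scheme discussed above, as an added example that is not part of the original thread or of Zope or mod_ssl's own code. It models what the mod_ssl documentation says FakeBasicAuth does (the client certificate's Subject DN becomes the user name and every user gets the fixed password "password", whose crypt hash is xxj31ZMTZzkVA), then shows why the "came via the secure route" flag is the only thing standing between a known shared password and a forged login. The `SecureRouteUserFolder` class, the `via_secure_route` flag, the DN `/C=US/O=Example/CN=ricardo` and the `is_plaintext_management_request` predicate are all assumptions made for illustration; the predicate is the thread's "block 'manage' strings over http" rule written out, including its limitation that it only knows management URLs containing that string.

```python
import base64

# Fact from the mod_ssl documentation: with "SSLOptions +FakeBasicAuth",
# Apache sends the client certificate's Subject DN as the user name and the
# literal password "password" (crypt hash xxj31ZMTZzkVA in the htpasswd
# file) for every user, so the password by itself proves nothing.
FAKE_BASIC_AUTH_PASSWORD = "password"


def fake_basic_auth_header(subject_dn):
    """Authorization header as mod_ssl's FakeBasicAuth would construct it."""
    creds = f"{subject_dn}:{FAKE_BASIC_AUTH_PASSWORD}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def parse_basic_auth(header):
    """Return (user, password) from a Basic Authorization header, or None.
    Splits on the first ':' as HTTP Basic auth does, so a user name must
    not contain one."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def is_plaintext_management_request(scheme, path):
    """The thread's 'block manage strings over http' rule as a predicate.
    Pragmatic, not complete: it only catches management URLs whose path
    contains 'manage'."""
    return scheme == "http" and "manage" in path


class SecureRouteUserFolder:
    """Hypothetical user folder (assumed for this example, not Zope code).
    It accepts FakeBasicAuth credentials only for requests that arrived
    via the trusted Apache SSL proxy. `via_secure_route` is the flag the
    thread says must be protected: the caller must derive it from
    something the client cannot influence (for instance which listener
    accepted the connection), never from a client-supplied header."""

    def __init__(self, allowed_dns):
        self.allowed_dns = set(allowed_dns)

    def authenticate(self, authorization_header, via_secure_route):
        """Return the authenticated DN, or None if the request is refused."""
        if not via_secure_route:
            return None
        parsed = parse_basic_auth(authorization_header)
        if parsed is None:
            return None
        user, password = parsed
        if password != FAKE_BASIC_AUTH_PASSWORD or user not in self.allowed_dns:
            return None
        return user


def demo():
    """Constructed scenario: one legitimate DN, one attacker who knows the
    (public) fixed password and forges a header for that same DN."""
    dn = "/C=US/O=Example/CN=ricardo"          # assumed DN for the example
    folder = SecureRouteUserFolder([dn])
    proxied_hdr = fake_basic_auth_header(dn)   # what Apache would forward
    # Attacker builds the same header by hand; no certificate needed.
    forged_hdr = "Basic " + base64.b64encode(f"{dn}:password".encode()).decode()
    return {
        "proxied": folder.authenticate(proxied_hdr, via_secure_route=True),
        # Same header reaching Zope directly, bypassing Apache: refused.
        "direct": folder.authenticate(proxied_hdr, via_secure_route=False),
        # Forged header without the trusted route: refused.
        "forged_direct": folder.authenticate(forged_hdr, via_secure_route=False),
        # If the attacker can spoof the route flag, the forgery succeeds,
        # which is why the flag must be protected from any form of duress.
        "forged_if_flag_spoofed": folder.authenticate(forged_hdr, via_secure_route=True),
        "plain_manage": is_plaintext_management_request("http", "/manage_main"),
        "ssl_manage": is_plaintext_management_request("https", "/manage_main"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of `demo()` is the last two authentication results: the shared password means any header can be forged by anyone, so the only real credential is the proof that the request traversed Apache's SSL front end, and that proof must come from the server's own knowledge of the connection rather than from anything the client sends.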