[Zope] hacking SSL support

Thomas Anderson tn-anderson at comcast.net
Thu Feb 5 11:16:27 EST 2004


I've recently installed Zope 2.6.3 with Pound 1.6 in front.
I tried the replacement z2.py that ships with Pound, with no luck.
All the docs I've read suggest that getting a SSL wrapper in front
of Zope is a solved problem, yet I keep running into problems like
the below in the html source generated by the default index_html:

img src="http://localhost:443/p_/ZopeButton" width="115"

This of course needs to be https://localhost:443/... for it to work.

There are 3 ways I can see to fix this.. For my purposes replacing
"http" with "https" for all self-referencing URLs generated by Zope
would be fine. This is to be a secure server so turning off http
completely is fine for me.

It would be better (and a much prettier hack) if I leveraged the
X-Forwarded-For header, that way http://zopehost:8080 would still 
work. If Zope could be set up to detect if X-Forwared-For was set 
to my Pound front-end's IP and generate all https:// URLs in the
replies..... that would be awesome. 

I wonder though if perhaps Zope should just be smarter about 
seeing a port number of 443 and automatically generate https URLs
in response. Would that break anything existing?

If anyone has already done work in this area, or has an idea
where in the Zope code would be a good place to start hacking,
please let me know! I'd like to make the smallest patch to
Zope possible so that it can be maintained easily in future
versions and possibly even merged into 2.6.x or 2.7.x.

Tom




More information about the Zope mailing list