[Zope] FIXED SSL support
Thomas Anderson
tn-anderson at comcast.net
Thu Feb 5 12:53:25 EST 2004
Fixed it for both http and https to work correctly.
See patch attached.
Tom
On Thu, 2004-02-05 at 11:16, Thomas Anderson wrote:
> I've recently installed Zope 2.6.3 with Pound 1.6 in front.
> I tried the replacement z2.py that ships with Pound, with no luck.
> All the docs I've read suggest that getting an SSL wrapper in front
> of Zope is a solved problem, yet I keep running into problems like
> the below in the html source generated by the default index_html:
>
> img src="http://localhost:443/p_/ZopeButton" width="115"
>
> This of course needs to be https://localhost:443/... for it to work.
>
> There are 3 ways I can see to fix this. For my purposes replacing
> "http" with "https" for all self-referencing URLs generated by Zope
> would be fine. This is to be a secure server so turning off http
> completely is fine for me.
>
> It would be better (and a much prettier hack) if I leveraged the
> X-Forwarded-For header, that way http://zopehost:8080 would still
> work. If Zope could be set up to detect if X-Forwarded-For was set
> to my Pound front-end's IP and generate all https:// URLs in the
> replies..... that would be awesome.
>
> I wonder though if perhaps Zope should just be smarter about
> seeing a port number of 443 and automatically generate https URLs
> in response. Would that break anything existing?
>
> If anyone has already done work in this area, or has an idea
> where in the Zope code would be a good place to start hacking,
> please let me know! I'd like to make the smallest patch to
> Zope possible so that it can be maintained easily in future
> versions and possibly even merged into 2.6.x or 2.7.x.
>
> Tom
>
>
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
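The three strategies debated above (a dedicated listener that sets HTTPS=ON, a forwarded header, or sniffing port 443) side by side, as an added example that is not part of the thread or of Zope; the `X-Forwarded-Proto` header, the `TRUSTED_FRONTENDS` set and the sample environments are my assumptions, and the header is only honoured when the TCP peer is the known front-end, since anyone who can reach the backend directly can send that header.

```python
# Added example (not from the Zope patch): how a backend behind a
# TLS-terminating front-end such as Pound can decide whether to emit
# http:// or https:// self-referencing URLs. Names and the sample
# environments below are constructed for illustration.

TRUSTED_FRONTENDS = {"127.0.0.1"}   # assumption: Pound runs on this host


def request_scheme(environ, trusted_frontends=TRUSTED_FRONTENDS):
    """Return 'https' or 'http' for a request described by a CGI-style environ.

    Order of checks:
      1. HTTPS=ON stamped by the server on a dedicated listener (the patch's way).
      2. A forwarded-protocol header, honoured only when the connection itself
         came from a trusted front-end; otherwise any client could spoof it.
      3. SERVER_PORT == 443 (the "be smarter about port 443" idea).
    """
    if environ.get("HTTPS", "").upper() in ("ON", "1"):
        return "https"
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
    if proto in ("http", "https") and environ.get("REMOTE_ADDR") in trusted_frontends:
        return proto
    if environ.get("SERVER_PORT") == "443":
        return "https"
    return "http"


def absolute_url(environ, path):
    """Build the self-referencing URL the backend would embed in its HTML."""
    scheme = request_scheme(environ)
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return "%s://%s%s" % (scheme, host, path)


# Constructed sample environments: via the TLS front-end, a direct client
# spoofing the forwarded header, and a plain direct request.
VIA_POUND = {"HTTPS": "ON", "HTTP_HOST": "localhost:443",
             "REMOTE_ADDR": "127.0.0.1", "SERVER_PORT": "8443"}
SPOOFED = {"HTTP_X_FORWARDED_PROTO": "https", "HTTP_HOST": "zopehost:8080",
           "REMOTE_ADDR": "203.0.113.7", "SERVER_PORT": "8080"}
DIRECT = {"HTTP_HOST": "zopehost:8080", "REMOTE_ADDR": "10.0.0.5",
          "SERVER_PORT": "8080"}

if __name__ == "__main__":
    for env in (VIA_POUND, SPOOFED, DIRECT):
        print(absolute_url(env, "/p_/ZopeButton"))
```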
-------------- next part --------------
--- z2.py 2004-02-04 16:40:52.000000000 -0500
+++ z2.py.pound1.6 2004-02-05 12:45:48.000000000 -0500
@@ -105,6 +105,18 @@
Multiple -w options can be provided to run multiple servers.
+ -y port
+
+ The encrypted Web server (HTTPS) port. This defaults to %(HTTPS_PORT)s. The
+ standard port for HTTPS services is 443. If this is a dash
+ (e.g. -y -), then HTTPS is disabled.
+
+ The number can be preeceeded by an ip address follwed by a colon
+ to specify an address to listen on. This allows different servers
+ to listen on different addresses.
+
+ Multiple -y options can be provided to run multiple servers.
+
-W port
The "WebDAV source" port. If this is a dash (e.g. -w -), then
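Review bot: the new -y help text carries two spelling errors, "preeceeded" and "follwed"; change that line to "The number can be preceded by an ip address followed by a colon". The paragraph is otherwise a word-for-word copy of the -w text, so the difference stands out.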
@@ -289,6 +301,12 @@
# HTTP enivornment settings.
HTTP_ENV={}
+# Port for HTTPS Server. The standard port for HTTPS services is 443.
+HTTPS_PORT=8443
+
+# HTTP enivornment settings.
+HTTPS_ENV={}
+
# Should we close all HTTP connections, ignoring the (usually absent)
# 'Connection:' header?
FORCE_HTTP_CONNECTION_CLOSE=0
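Review bot: HTTPS_PORT=8443 enables the new listener by default, so every Zope instance built from this patch opens an extra port that (per the server hunk) speaks plain HTTP yet marks its requests as encrypted; consider defaulting HTTPS_PORT to 0 so the port only exists when -y is passed, and state in the -y help that it must be reachable only from the TLS front-end. Also the comment above HTTPS_ENV reads "# HTTP enivornment settings.", copied from HTTP_ENV together with its typo; make it "# HTTPS environment settings.".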
@@ -389,7 +407,7 @@
warnings.warn(err)
opts, args = getopt.getopt(sys.argv[1:],
- 'hz:Z:t:i:a:d:u:w:W:f:p:m:Sl:2DP:rF:L:XM:C',
+ 'hz:Z:t:i:a:d:u:w:y:W:f:p:m:Sl:2DP:rF:L:XM:C',
['icp=', 'force-http-connection-close'
])
@@ -439,13 +457,15 @@
DEBUG=1
elif o=='-S': sys.ZMANAGED=1
elif o=='-X':
- MONITOR_PORT=HTTP_PORT=FTP_PORT=FCGI_PORT=ICP_PORT=0
+ MONITOR_PORT=HTTP_PORT=HTTPS_PORT=FTP_PORT=FCGI_PORT=ICP_PORT=0
WEBDAV_SOURCE_PORT=0
PCGI_FILE=''
elif o=='-m':
MONITOR_PORT=server_info(MONITOR_PORT, v)
elif o=='-w':
HTTP_PORT=server_info(HTTP_PORT, v)
+ elif o=='-y':
+ HTTPS_PORT=server_info(HTTPS_PORT, v)
elif o=='-C' or o=='--force-http-connection-close':
FORCE_HTTP_CONNECTION_CLOSE=1
elif o=='-W':
@@ -454,6 +474,7 @@
FTP_PORT=server_info(FTP_PORT, v)
elif o=='-P':
HTTP_PORT=server_info(HTTP_PORT, v, 80)
+ HTTPS_PORT=server_info(HTTPS_PORT, v, 443)
FTP_PORT=server_info(FTP_PORT, v, 21)
elif o=='--icp':
ICP_PORT=server_info(ICP_PORT, v)
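Review bot: adding `HTTPS_PORT=server_info(HTTPS_PORT, v, 443)` under -P changes what the port-prefix option does, but the -P help text is not touched in this patch; update it to list the HTTPS port (prefix + 443) alongside HTTP and FTP so an operator who sets -P is not surprised by the additional listener.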
@@ -676,6 +697,45 @@
zh._force_connection_close = 1
hs.install_handler(zh)
+ # HTTPS Server
+ if HTTPS_PORT:
+ if isinstance(HTTPS_PORT, IntType): HTTPS_PORT=((IP_ADDRESS, HTTPS_PORT),)
+ for address, port in HTTPS_PORT:
+ try:
+ hs = zhttp_server(
+ ip=address,
+ port=port,
+ resolver=rs,
+ logger_object=lg)
+ except socket.error, why:
+ if why[0] == 98: # address in use
+ raise port_err % {'port':port,
+ 'socktype':'TCP',
+ 'protocol':'HTTPS',
+ 'switch':'-y'}
+ raise
+ # Handler for a published module. zhttp_handler takes 3 arguments:
+ # The name of the module to publish, and optionally the URI base
+ # which is basically the SCRIPT_NAME, and optionally a dictionary
+ # with CGI environment variables which override default
+ # settings. The URI base setting is useful when you want to
+ # publish more than one module with the same HTTP server. The CGI
+ # environment setting is useful when you want to proxy requests
+ # from another web server to ZServer, and would like the CGI
+ # environment to reflect the CGI environment of the other web
+ # server.
+ try:
+ del HTTPS_ENV['HTTP']
+ except KeyError:
+ pass
+ HTTPS_ENV['HTTPS']='ON'
+
+ zh = zhttp_handler(MODULE, '', HTTPS_ENV)
+ if FORCE_HTTP_CONNECTION_CLOSE:
+ zh._force_connection_close = 1
+ hs.install_handler(zh)
+
+
# WebDAV source Server (runs HTTP, but munges request to return
# 'manage_FTPget').
if WEBDAV_SOURCE_PORT:
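Review bot: the listener created here is an ordinary zhttp_server, so the only thing that makes a request "HTTPS" is `HTTPS_ENV['HTTPS']='ON'`, i.e. which port it arrived on; any client that can reach this port directly gets cleartext transport while Zope treats it as encrypted. Suggest binding it to the loopback address by default (-y 127.0.0.1:8443 in the docs, or a loopback default for IP_ADDRESS on this server) and saying so in the help text. Two smaller points: the `try: del HTTPS_ENV['HTTP'] / except KeyError: pass` block is a no-op because HTTPS_ENV is the empty dict defined in the settings hunk and nothing adds an 'HTTP' key to it, so either drop it or explain what it guards against; and the ten-line zhttp_handler comment is a verbatim copy of the one above the HTTP server, which could be replaced with a one-line reference to it.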