[Gllug] Securing zope with apache-ssl

Jim Bailey jim at freesolutions.net
Mon Jun 7 12:37:07 UTC 2004


Hi,

I am trying to get zope set up securely on a standalone machine.  My
method for this, after some googling, is to connect to it via apache-ssl
and have mod_rewrite forward traffic to the zope interface.  For some
reason there are no docs on this in the security section of the Zope
Book, only some congratulatory back slapping on how great their user
based ACLs are for stopping people doing things they are not supposed
to.  Yeah great but that doesn't stop random j cracker finding the
manager's password with some simple packet sniffing software, F.F.S.

Whatever, I originally found this link to using apache as a front end to
zope and started messing with that.
http://zope.org/Members/shaw/HowTo/ApacheFrontEnd

However after some fruitless bumbling I returned to google and found
this which was closer to the kind of set up I was looking for.

http://www.zopelabs.com/cookbook/1028143332

Further bumbling later I arrived at this recipe for my virtuals file.

<VirtualHost 217.158.120.148:443>
ServerName freesolutions.net
DocumentRoot /www/freesolutions.net/htdocs/zope
SSLEngine on
SSLCertificateFile /etc/ssl/new/vince_server.crt
SSLCertificateKeyFile /etc/ssl/new/vince_server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
#RewriteEngine on
# Do not allow use of the Zope management interfaces.
RewriteCond %{REQUEST_URI} manage
RewriteRule manage - [F]
RewriteRule ^/(.*) http://localhost:9673/freesolutions/https/freesolutions.net:443/freesolutions.net/htdocs/zope/$1 [P,L]
</VirtualHost>

This didn't cause apache-ssl to die screaming horribly but did lock out
all the https pages on the box including webmail, not what I wanted.

It was then 0440hrs and my productive bumbling to tired typos ratio
reached an unacceptable level and I went to bed _after_ making sure
everything worked again ssl wise.

Anyone got any ideas as to why it will not work?  I confess my knowledge
of zope and mod_rewrite is practically negligible and apologise for any
stupid mistakes.

Peace Jim
-- 
 Ethernet (n): something used to catch the etherbunny
