On 05/01/2011 22:13, Alex Clark wrote: > What about with no proxy/accelerator? I.e. just apache or nginx. In this > case it is much easier, I assume.
The problem we had was that all connections come from 127.0.0.1 the moment it is proxied via ANYTHING on the same host (or in the generic sense, everything comes from the same ip, the ip of the proxy). Your proxy needs to add the required information to a header so that the PAS plugin can obtain it from there. With squid it is easy, I think it adds x-forwarded-for by default, but I know you can tell apache's mod-proxy to do the same thing and I'm pretty certain nginx can too. If you use it with no proxy at all (in other words, zope is directly exposed to the outside world), then someone can send a request with that header included and trivially spoof their ip. Nobody really does that in production, but I felt it needs to be said. > Nice, does it have a UI? If not that's probably on the client's wish > list (even though it's probably not necessary; could probably get away > with a config file). It doesn't have UI. It has a properties tab in the zmi :-) Cheers, Izak _______________________________________________ Product-Developers mailing list [email protected] http://lists.plone.org/mailman/listinfo/product-developers
