Re: [Zope] SSL over Multiple Zope/Plone sites?
michael nt milne wrote:
> I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address.

To vary either IP address or port for different SSL site is a common method and gives you the biggest advantages.

Nevertheless, you can host multiple SSL sites on single IP:port combination, provided you share also a single certificate for them. Apache is able to serve one cert for multiple SSL sites. To prevent the annoying client-side dialog box saying the cert is for different domain, your certificate must be a little special. There are 2 ways I'm aware of to manage this:

1) Wildcard certificate, issued for *.domain.com. This way the certificate will match anything.domain.com, but anything must not contain a dot. Also I'm not sure whether all current browsers support this technique.

2) The subjectAltName capability as described here: http://wiki.cacert.org/wiki/VhostsApache. Note that the CommonName must be repeated as the first subjectAltName, since it's ignored afterwards.

I'm currently on my way to test the second way for my sites, but preliminary tests went well.

--
\//\/\ (Sometimes credited as BA92 C339 6DD2 51F6 BACB 4C1B 5470 360E 20E5 926D.)
[ When you find a virus in mail from me, then I intended to infect you, ]
[ since I use SW that is not distributing malware w/o my knowledge. ]
Vlada Macek, UNIX Admin Developer, Liberec, Czech Republic

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
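The two certificate options in the message above can be checked before deployment by listing which virtual hosts a shared certificate would not cover. This is an added example, not code from the thread or from Apache; it is a simplified model of client-side name matching, and every host name and certificate in it is constructed.

```python
"""Added example: which virtual hosts does one shared certificate cover?

Simplified model of browser name checking, not a TLS library.
All host names and certificate contents below are constructed.
"""


def name_matches(pattern, host):
    """Match one certificate name (possibly '*.domain') against a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # "*" stands for exactly one label: the part it replaces must not
        # contain a dot, and the bare domain itself is not covered.
        return False
    if p[0] == "*":
        # Assumption: over-broad patterns such as "*.com" are refused.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def names_checked(cert):
    """Names a client compares against: the subjectAltName list when the
    certificate has one, otherwise the CommonName alone."""
    sans = cert.get("subject_alt_names") or []
    return list(sans) if sans else [cert["common_name"]]


def covers(cert, host):
    return any(name_matches(name, host) for name in names_checked(cert))


def mismatched_vhosts(cert, vhosts):
    """Virtual hosts that would trigger the name-mismatch dialog."""
    return [v for v in vhosts if not covers(cert, v)]


# Option 1: wildcard certificate (constructed).
WILDCARD = {"common_name": "*.example.com", "subject_alt_names": []}

# Option 2: subjectAltName certificate where the CommonName was NOT repeated
# in the list, and the corrected version (both constructed).
SAN_WITHOUT_CN = {
    "common_name": "www.example.com",
    "subject_alt_names": ["www.example.org", "www.example.net"],
}
SAN_WITH_CN = {
    "common_name": "www.example.com",
    "subject_alt_names": ["www.example.com", "www.example.org", "www.example.net"],
}

SUBDOMAIN_VHOSTS = [
    "site1.example.com",
    "site2.example.com",
    "login.site1.example.com",   # two labels under the wildcard
    "example.com",               # the bare domain
]
SEPARATE_DOMAIN_VHOSTS = ["www.example.com", "www.example.org", "www.example.net"]


if __name__ == "__main__":
    for label, cert, vhosts in [
        ("wildcard / subdomains", WILDCARD, SUBDOMAIN_VHOSTS),
        ("wildcard / separate domains", WILDCARD, SEPARATE_DOMAIN_VHOSTS),
        ("SAN without CN", SAN_WITHOUT_CN, SEPARATE_DOMAIN_VHOSTS),
        ("SAN with CN", SAN_WITH_CN, SEPARATE_DOMAIN_VHOSTS),
    ]:
        print(label, "->", mismatched_vhosts(cert, vhosts) or "all covered")
```
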
Re: [Zope] SSL over Multiple Zope/Plone sites?
Jeff Donsbach wrote:
> On 1/24/06, michael nt milne [EMAIL PROTECTED] wrote:
>> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?
>
> I believe you can use SSL and name based virtual hosts if you use unique ports for each vhost. I've never done it myself, but I remember reading that somewhere in Apache documentation that it was possible.

Well we are telling exactly this all the time here in this thread :-) But strictly speaking it's not name based vhost if you use the IP address to determine the vhost. It usually has a name too (and it has to - in order for the certificate to work)

And for the hosting provider, don't believe they know all and everything. Been there, seen so much... ;)

Regards
Tino
Re: [Zope] SSL over Multiple Zope/Plone sites?
David Pratt wrote:
> Hi Michael. First you need a way to get to the root of your site two different ways. First is using the domain you have your ssl on and the other for your other domain name(s)

Thanks for that David. I will try out what you say. Hopefully it will work because not being able to do multiple virtual hosts on SSL is a real problem.

Jonathan Cyr [EMAIL PROTECTED], Jan 24:
> You can have one HTTPS/SSL per IP per port.

Jonathan, so this would mean using one IP address with SSL on multiple port addresses, 90, 100, 110 etc etc which would then match to the Plone 8080 port? The port doesn't have to be 443?

On 1/25/06, Tino Wildenhain [EMAIL PROTECTED] wrote:
> Jeff Donsbach wrote:
>> On 1/24/06, michael nt milne [EMAIL PROTECTED] wrote:
>>> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?
>>
>> I believe you can use SSL and name based virtual hosts if you use unique ports for each vhost. I've never done it myself, but I remember reading that somewhere in Apache documentation that it was possible.
>
> Well we are telling exactly this all the time here in this thread :-) But strictly speaking it's not name based vhost if you use the IP address to determine the vhost. It usually has a name too (and it has to - in order for the certificate to work)
>
> And for the hosting provider, don't believe they know all and everything. Been there, seen so much... ;)
>
> Regards
> Tino
Re: [Zope] SSL over Multiple Zope/Plone sites?
Jens Vagelpohl wrote:
> On 24 Jan 2006, at 18:10, David Pratt wrote:
>
> Have you tested this? The authentication machinery uses cookies, and the browser will not send cookies that were set by the secure login host to the unsecured sites.

...only if the secure bit of the cookie is set ;-)

Chris

--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 25 Jan 2006, at 14:26, Chris Withers wrote:
> Jens Vagelpohl wrote:
>> On 24 Jan 2006, at 18:10, David Pratt wrote:
>>
>> Have you tested this? The authentication machinery uses cookies, and the browser will not send cookies that were set by the secure login host to the unsecured sites.
>
> ...only if the secure bit of the cookie is set ;-)

This is about different hostnames, remember?

jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 1/24/06, michael nt milne [EMAIL PROTECTED] wrote:
> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?

No, because it is a technical limitation. The SSL certificate is used to encrypt the channel to the client. As the named virtual host selection is based on the Host header sent over this encrypted channel, you cannot use a SSL certificate per named virtual host. Hence the limitation of one SSL certificate per IP address.

You can work around this limitation if all your virtual hosts share the same top-level domain name, by using a wildcard certificate. For example, for all example.com virtual hosts, one *.example.com SSL certificate can be used without the browser ever complaining about a name mismatch.

--
Martijn Pieters
Re: [Zope] SSL over Multiple Zope/Plone sites?
Hi

The virtual hosts are all served from the same server but they don't actually share the same domain. They have different domain names but are served from the same IP. I'm going to try David Pratt's method above to set up a mysecure.domain.com and then use Apache to re-write in and out of the login areas etc.

Thanks for all the help

Michael

On 1/25/06, Martijn Pieters [EMAIL PROTECTED] wrote:
> On 1/24/06, michael nt milne [EMAIL PROTECTED] wrote:
>> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?
>
> No, because it is a technical limitation. The SSL certificate is used to encrypt the channel to the client. As the named virtual host selection is based on the Host header sent over this encrypted channel, you cannot use a SSL certificate per named virtual host. Hence the limitation of one SSL certificate per IP address.
>
> You can work around this limitation if all your virtual hosts share the same top-level domain name, by using a wildcard certificate. For example, for all example.com virtual hosts, one *.example.com SSL certificate can be used without the browser ever complaining about a name mismatch.
>
> --
> Martijn Pieters
Re: [Zope] SSL over Multiple Zope/Plone sites?
Jens Vagelpohl wrote:
>> ...only if the secure bit of the cookie is set ;-)
>
> This is about different hostnames, remember?

Well, in that case https has nothing to do with it ;-)

cookies for one domain never get sent to another, unless you're using IE or something ;-)

Chris

--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk
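The cookie exchange between Jens and Chris, modelled as an added example (not code from any poster or from Zope): whether a login cookie set on the secure host is attached to a later request depends first on the host name and only then on the Secure flag. The model is simplified (no Path, expiry or public-suffix handling), and the cookie name and hosts are constructed.

```python
"""Added example: when does a browser attach a login cookie to a request?

Simplified model of cookie scoping: host / Domain match plus the Secure
flag. Path, expiry and public-suffix rules are left out. The cookie name
and all host names are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    set_by: str                    # host whose response carried Set-Cookie
    domain: Optional[str] = None   # Domain attribute; None means host-only
    secure: bool = False           # the "secure bit"


def _domain_match(host, domain):
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def accepted_by_browser(cookie):
    """A cookie whose Domain attribute does not cover the host that set it
    is discarded, so one site cannot plant a cookie for an unrelated domain."""
    return cookie.domain is None or _domain_match(cookie.set_by, cookie.domain)


def browser_sends(cookie, url):
    """True if the cookie would be attached to a request for `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not accepted_by_browser(cookie):
        return False
    if cookie.domain is None:
        in_scope = host == cookie.set_by.lower()
    else:
        in_scope = _domain_match(host, cookie.domain)
    if not in_scope:
        return False               # different hostname: scheme is irrelevant
    # Same scope: the Secure flag alone decides whether plain HTTP gets it.
    return parts.scheme == "https" or not cookie.secure


# Login handled on one HTTPS host, sites served under other names (constructed).
LOGIN = Cookie("auth", set_by="secure.example.net")
LOGIN_SECURE = Cookie("auth", set_by="secure.example.net", secure=True)
CROSS_DOMAIN = Cookie("auth", set_by="secure.example.net", domain="example.com")
SHARED_PARENT = Cookie("auth", set_by="login.example.com", domain="example.com")


def thread_scenarios():
    return {
        "other hostname over http": browser_sends(LOGIN, "http://www.example.com/site1"),
        "other hostname over https": browser_sends(LOGIN, "https://www.example.com/site1"),
        "same host, http, no Secure": browser_sends(LOGIN, "http://secure.example.net/site1"),
        "same host, http, Secure": browser_sends(LOGIN_SECURE, "http://secure.example.net/site1"),
        "same host, https, Secure": browser_sends(LOGIN_SECURE, "https://secure.example.net/site1"),
        "Domain set to unrelated domain": browser_sends(CROSS_DOMAIN, "http://www.example.com/"),
        "subdomains sharing Domain": browser_sends(SHARED_PARENT, "http://www.example.com/"),
    }


if __name__ == "__main__":
    for case, sent in thread_scenarios().items():
        print(f"{case:32} -> {'sent' if sent else 'not sent'}")
```

The "same host, http, no Secure" case is the one to watch when only the login form is served over HTTPS: the session cookie then travels unencrypted on every later plain-HTTP request to that host.
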
[Zope] SSL over Multiple Zope/Plone sites?
Hi

I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address. What would be the way round this?

I know I could set-up SSL on Zope only using the following documentation: http://www.zope.org/Members/Ioan/ZopeSSL but if I can't carry this through to Apache then I'd have to run Zope as the web server as well as the application server.

Thanks

Michael
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 24 Jan 2006, at 14:30, michael nt milne wrote:
> Hi
>
> I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address. What would be the way round this?
>
> I know I could set-up SSL on Zope only using the following documentation: http://www.zope.org/Members/Ioan/ZopeSSL but if I can't carry this through to Apache then I'd have to run Zope as the web server as well as the application server.

You can run SSL on virtual hosts, but Apache cannot present different server certificates to the browser based on virtual hosts. So every virtual host with a hostname that does not match the certificate Apache presents on the IP will produce nasty popup boxes on clients.

To prevent those warnings you *must* use separate IPs for every SSL-secured hostname you plan on serving, so the statement one SSL site per IP is basically correct.

I don't know if making Zope serve out SSL directly helps that (I doubt it) because I wouldn't consider using it.

jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
michael nt milne wrote:
> Hi
>
> I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address.

Not entirely correct. You can run ssl over VirtualHosts but they have to bind to different IP addresses. NameBasedVHosts (only) cannot serve different ssl-certificates.

As said, if you have one IP address per certificate you can easily set up Apache Vhosts as proxy to zope with ssl.

HTH
Tino Wildenhain
Re: [Zope] SSL over Multiple Zope/Plone sites?
Jens Vagelpohl wrote:
> ...
> I don't know if making Zope serve out SSL directly helps that (I doubt it) because I wouldn't consider using it.

No, it does not. You only add the hassle to deal with nasty zope patches to the scene. Only IP per ssl-host helps :-)

Regards
Tino
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 24 Jan 2006, at 14:59, Tino Wildenhain wrote:
> Jens Vagelpohl wrote:
>> ...
>> I don't know if making Zope serve out SSL directly helps that (I doubt it) because I wouldn't consider using it.
>
> No, it does not. You only add the hassle to deal with nasty zope patches to the scene. Only IP per ssl-host helps :-)

Yes, the fact that all those make Zope speak HTTPS-solutions consist of patches and hacks is the exact reason why I would never consider them. I wanted to stay polite. ;)

jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 24 Jan 2006, at 15:12, michael nt milne wrote:
> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?

No I don't.

jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?

On 1/24/06, Jens Vagelpohl [EMAIL PROTECTED] wrote:
> On 24 Jan 2006, at 14:59, Tino Wildenhain wrote:
>> Jens Vagelpohl wrote:
>>> ...
>>> I don't know if making Zope serve out SSL directly helps that (I doubt it) because I wouldn't consider using it.
>>
>> No, it does not. You only add the hassle to deal with nasty zope patches to the scene. Only IP per ssl-host helps :-)
>
> Yes, the fact that all those make Zope speak HTTPS-solutions consist of patches and hacks is the exact reason why I would never consider them. I wanted to stay polite. ;)
>
> jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
michael nt milne wrote:
> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?

Well to really puzzle you, ssl can work with more than one certificate per IP - but not https (http-ssl). You can work with all protocols (SMTP, IMAP, ...) which support start-tls. However this does not help with your current project and was just a sidenote to be complete.

Regards
Tino
Re: [Zope] SSL over Multiple Zope/Plone sites?
I guess though that the pop-up for the certificate only happens once for each client when they enter the site?

On 1/24/06, Jens Vagelpohl [EMAIL PROTECTED] wrote:
> On 24 Jan 2006, at 15:12, michael nt milne wrote:
>> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?
>
> No I don't.
>
> jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 24 Jan 2006, at 15:46, michael nt milne wrote:
> On 1/24/06, Jens Vagelpohl [EMAIL PROTECTED] wrote:
>> On 24 Jan 2006, at 15:12, michael nt milne wrote:
>>> Ok, thanks. The annoying thing is that I am renting a virtual dedicated server which allows multiple domain names obviously but not multiple IP addresses. Or it probably costs more for that. Do you reckon SSL will ever be available for virtual single IP based hosts?
>>
>> No I don't.
>
> I guess though that the pop-up for the certificate only happens once for each client when they enter the site?

yes

jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
Use a wildcard certificate, if all of your subdomains on the server belong to a single domain.

> Hi
>
> I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address. What would be the way round this?
>
> I know I could set-up SSL on Zope only using the following documentation: http://www.zope.org/Members/Ioan/ZopeSSL but if I can't carry this through to Apache then I'd have to run Zope as the web server as well as the application server.
>
> Thanks
>
> Michael

_
Slobodan Jovcic
Teaching Enhancement Center
Office of Instructional Development, UCLA
Re: [Zope] SSL over Multiple Zope/Plone sites?
ok, they're not technically subdomains but full domains in their own right but served from a single server which has its own domain. Would a wild card work with that? Would the pop-ups still be present when a user enters the site?

On 1/24/06, Slobodan Jovcic [EMAIL PROTECTED] wrote:
> Use a wildcard certificate, if all of your subdomains on the server belong to a single domain.
>
>> Hi
>>
>> I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address. What would be the way round this?
>>
>> I know I could set-up SSL on Zope only using the following documentation: http://www.zope.org/Members/Ioan/ZopeSSL but if I can't carry this through to Apache then I'd have to run Zope as the web server as well as the application server.
>>
>> Thanks
>>
>> Michael
>
> _
> Slobodan Jovcic
> Teaching Enhancement Center
> Office of Instructional Development, UCLA
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 24 Jan 2006, at 17:31, michael nt milne wrote:
> ok, they're not technically subdomains but full domains in their own right but served from a single server which has its own domain. Would a wild card work with that? Would the pop-ups still be present when a user enters the site?

This will not work, no.

jens
Re: [Zope] SSL over Multiple Zope/Plone sites?
Um, not really. In order for the wildcard cert e.g. *.mydomain.com to work, all the sites have to be on subdomains like site1.mydomain.com, site2.mydomain.com, etc. It doesn't matter if the sites are on virtual hosts or not. Serving the cert on anything that doesn't end with "mydomain.com" will activate a pop-up.

For single-domain certificates, yes, you have to have each domain on a separate IP address.

Jovca

_
Slobodan Jovcic
Teaching Enhancement Center
Office of Instructional Development, UCLA

On Jan 24, 2006, at 9:31 AM, michael nt milne wrote:
> ok, they're not technically subdomains but full domains in their own right but served from a single server which has its own domain. Would a wild card work with that? Would the pop-ups still be present when a user enters the site?
>
> On 1/24/06, Slobodan Jovcic [EMAIL PROTECTED] wrote:
>> Use a wildcard certificate, if all of your subdomains on the server belong to a single domain.
>>
>>> Hi
>>>
>>> I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address. What would be the way round this?
>>>
>>> I know I could set-up SSL on Zope only using the following documentation: http://www.zope.org/Members/Ioan/ZopeSSL but if I can't carry this through to Apache then I'd have to run Zope as the web server as well as the application server.
>>>
>>> Thanks
>>>
>>> Michael
>>
>> _
>> Slobodan Jovcic
>> Teaching Enhancement Center
>> Office of Instructional Development, UCLA
Re: [Zope] SSL over Multiple Zope/Plone sites?
ok, so for single different domains, hosted virtually on one single IP address I will have to brave the SSL pop up occurring when users enter the login area for Plone. I'm only going to have it on the login areas so it's not so bad. Better than having no SSL at all on logon. There must be lots of people running Zope/Plone sites with un-secured logon areas. Really easy to hack and then change the content of the site etc.

On 1/24/06, Slobodan Jovcic [EMAIL PROTECTED] wrote:
> Um, not really. In order for the wildcard cert e.g. *.mydomain.com to work, all the sites have to be on subdomains like site1.mydomain.com, site2.mydomain.com, etc. It doesn't matter if the sites are on virtual hosts or not. Serving the cert on anything that doesn't end with mydomain.com will activate a pop-up.
>
> For single-domain certificates, yes, you have to have each domain on a separate IP address.
>
> Jovca
>
> _
> Slobodan Jovcic
> Teaching Enhancement Center
> Office of Instructional Development, UCLA
>
> On Jan 24, 2006, at 9:31 AM, michael nt milne wrote:
>> ok, they're not technically subdomains but full domains in their own right but served from a single server which has its own domain. Would a wild card work with that? Would the pop-ups still be present when a user enters the site?
>>
>> On 1/24/06, Slobodan Jovcic [EMAIL PROTECTED] wrote:
>>> Use a wildcard certificate, if all of your subdomains on the server belong to a single domain.
>>>
>>>> Hi
>>>>
>>>> I've got a few Plone sites set-up using Apache through Zope. The question is, I'd like to implement SSL on the site login etc, as it's not secure without this. There's also one site I'd like to serve completely over https. However. I'm told that you can't run SSL on virtual hosts and can only have one SSL site per IP address. What would be the way round this?
>>>>
>>>> I know I could set-up SSL on Zope only using the following documentation: http://www.zope.org/Members/Ioan/ZopeSSL but if I can't carry this through to Apache then I'd have to run Zope as the web server as well as the application server.
>>>>
>>>> Thanks
>>>>
>>>> Michael
>>>
>>> _
>>> Slobodan Jovcic
>>> Teaching Enhancement Center
>>> Office of Instructional Development, UCLA
Re: [Zope] SSL over Multiple Zope/Plone sites?
I think this should be doable for single cert with multiple domains. Set up your existing ip with one domain (ie. mysecure_domain.com). Get the cert on this domain.

Set up a rewrite rule in apache for port 443 for mysecure_domain.com

You could use a self signed cert to experiment. When user logs in request login page goes to

site1 - http://domain_one.com:
You would need to make your login go to your login page https://mysecure_domain/site1/login
site2 - http://domain_two.com:
https://mysecure_domain/site2/login

Once logged in goes to whatever you have in your vhm
http://www.domain_one.com/site1 in vhm
http://www.domain_two.com/site2 in vhm

in vhm you'd have:
www.domain_one.com /site1
www.mysecure_domain/site1/site1
www.domain_two.com /site2
www.mysecure_domain/site2/site2

The problem here will be the session since when you login secure and switch back to the regular site, your ssl session will expire automatically but you'll need to pass it to nonssl to stay alive when you go back to nonssl. I think a solution might be to store it, go to nonssl and then retrieve it when you do your redirect back to non-ssl. I have not tried this yet. Alternatively you could always stay in ssl from that point forward. Any technique from someone on this would be helpful since I am also interested in what possibilities there might be.

This should not give you a problem with the cert because identity on cert would match the ip. I think otherwise you are in a situation where you will need a dedicated server setup to have one ip per site and then you can just do a single rewrite per ip or use chained ssl if you have sub domains that you want to tie together under a single cert over one or more ips on one or more servers.

Regards,
David
Re: [Zope] SSL over Multiple Zope/Plone sites?
Ok, that's really interesting. Thanks. Yes I could just stay using SSL after the login if there's a problem with going non-ssl

I understand the setting up the single secure domain bit linked to the IP address but don't quite get how I would link each site's login areas to that? Basically are you saying you would, using re-write rules, just call http://www.plonesiteone.com/login_form - http://mysecure_domain.com/plonesiteone/login_form ?

It would be the same Plone login page but just have a different URL in the address bar, a https one? Also would you need to use VHM because I've got Apache virtual hosts set-up without actually doing anything in Zope. As long as VHM is on it is all fine.

Thanks

Michael

On 1/24/06, David Pratt [EMAIL PROTECTED] wrote:
> I think this should be doable for single cert with multiple domains. Set up your existing ip with one domain (ie. mysecure_domain.com). Get the cert on this domain.
>
> Set up a rewrite rule in apache for port 443 for mysecure_domain.com
>
> You could use a self signed cert to experiment. When user logs in request login page goes to
>
> site1 - http://domain_one.com:
> You would need to make your login go to your login page https://mysecure_domain/site1/login
> site2 - http://domain_two.com:
> https://mysecure_domain/site2/login
>
> Once logged in goes to whatever you have in your vhm
> http://www.domain_one.com/site1 in vhm
> http://www.domain_two.com/site2 in vhm
>
> in vhm you'd have:
> www.domain_one.com /site1
> www.mysecure_domain/site1/site1
> www.domain_two.com /site2
> www.mysecure_domain/site2/site2
>
> The problem here will be the session since when you login secure and switch back to the regular site, your ssl session will expire automatically but you'll need to pass it to nonssl to stay alive when you go back to nonssl. I think a solution might be to store it, go to nonssl and then retrieve it when you do your redirect back to non-ssl. I have not tried this yet. Alternatively you could always stay in ssl from that point forward. Any technique from someone on this would be helpful since I am also interested in what possibilities there might be.
>
> This should not give you a problem with the cert because identity on cert would match the ip. I think otherwise you are in a situation where you will need a dedicated server setup to have one ip per site and then you can just do a single rewrite per ip or use chained ssl if you have sub domains that you want to tie together under a single cert over one or more ips on one or more servers.
>
> Regards,
> David
Re: [Zope] SSL over Multiple Zope/Plone sites?
Hi Jens. I tried something similar to this about a year ago as an experiment. I think the problem I had at the time was with session expiring and I was thinking about storing the session data in the database and retrieving it back when user went back to non-ssl. This was a while ago and I did not follow it through at the time. I use CMF, not Plone, however.

Regards,
David

Jens Vagelpohl wrote:
> On 24 Jan 2006, at 18:10, David Pratt wrote:
> > I think this should be doable for single cert with multiple domains.
> > Setup your existing ip with one domain (ie. mysecure_domain.com). Get
> > the cert on this domain.
>
> snip
>
> Have you tested this? The authentication machinery uses cookies, and
> the browser will not send cookies that were set by the secure login
> host to the unsecured sites.
>
> jens
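The cookie behaviour Jens describes, as an added example that is not part of the original thread: Python's standard `http.cookiejar` applies the same scoping rules a browser does, so it can show which requests would carry the login cookie. Host names follow the thread; the `__ac` cookie value, the `FakeResponse` class and the helper function names are constructed for this example.

```python
"""Which requests carry a cookie set by the HTTPS login host (constructed example)."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Host names follow the thread. The cookie is named like the CMF
# CookieCrumbler default (__ac); its value is constructed for this example.
LOGIN_URL = "https://www.mysecure_domain.com/site1/login_form"
AUTH_COOKIE = "__ac=constructed-token; Path=/"


class FakeResponse:
    """Stand-in for an HTTP response: CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def browser_after_login(set_cookie):
    """Return the jar a client holds after the login host answers with set_cookie."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie), Request(LOGIN_URL))
    return jar


def cookie_sent(jar, url):
    """Return the Cookie header the client would attach to a request for url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    cases = [
        ("host-only cookie", AUTH_COOKIE),
        # The login host tries to scope the cookie to the other site's domain.
        ("Domain=.domain_one.com", AUTH_COOKIE + "; Domain=.domain_one.com"),
        # Secure keeps the cookie off plain HTTP even on the login host itself.
        ("Secure flag", AUTH_COOKIE + "; Secure"),
    ]
    targets = [
        "http://www.domain_one.com/",
        "http://www.mysecure_domain.com/site1/",
        "https://www.mysecure_domain.com/site1/",
    ]
    for label, header in cases:
        jar = browser_after_login(header)
        print(f"{label}: cookies stored = {len(jar)}")
        for url in targets:
            print(f"  {url} -> {cookie_sent(jar, url)}")
```

A cookie set for the login host never reaches `www.domain_one.com`, and a `Domain` attribute naming the other site is rejected when the cookie is set, which is why the login does not carry over to the per-site host names.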
Re: [Zope] SSL over Multiple Zope/Plone sites?
Hi Michael. First you need a way to get to the root of your site two different ways. First is using the domain you have your ssl on and the other for your other domain name(s)

www.domain_one.com /site1
www.mysecure_domain.com/site1/site1

If you have apache proxy then you can set up your ssl on port 443 to secure the domain you have the cert for. Under this domain you can have any number of sites so long as the domain and ip are the same. ie

www.mysecure_domain.com/site1
www.mysecure_domain.com/site2
www.mysecure_domain.com/site3
...

So you will be able to get to the same site by either using ie

http://www.domain_one.com or https://www.mysecure_domain.com/site1
http://www.domain_two.com or https://www.mysecure_domain.com/site2
http://www.domain_three.com or https://www.mysecure_domain.com/site3

since in VHM they are both pointing to the same root (/site1)

As far as the login on Plone, I do not use Plone but you would have to modify the zpt and script that calls the login to modify these links to the url for the other domain. This is where I cannot be sure of what I did a year ago. I know for sure I had not completely worked it through and would need to look at this again. I tried this on CMF. Give me a day or two and I will see if I can locate anything more on this in my stuff. I wish I had a better memory but a year seems like a long time ago. :-)

Regards,
David
Re: [Zope] SSL over Multiple Zope/Plone sites?
Michael. I found a bookmark for something that might help. I remember this person had written a bit of a howto on some of this for Plone. His name was Eric Vought and his howto was SSL redirect around March of last year. His document which is now an orphan was at:

http://www.diversityink.com/documents/2005/1Q/howto-apache-zope-ssl

I don't know where he is any longer but perhaps someone on the plone list could help find the doc or Eric. If you happen to find a copy of the howto somewhere, it would be great if you could send a fresh link to me. I remember communicating with Eric at the time when I was trying to work this out for myself with CMF.

Regards,
David
Re: [Zope] SSL over Multiple Zope/Plone sites?
You can have one HTTPS/SSL per IP per port.

I use Pound instead of Apache, and can run an instance for each port. I use HTTPS on port 444, and 445 for testing/staging arrangements that match the production HTTPS on 443. I can set up a self-signed or 3rd party certificate for each port, and the domain is set in each new certificate. And simply use a standard web page to redirect to the new HTTPS port. (https://stagingarea.something.com:444/directory)

Also, you can use Pound to virtual host SSL sites, but the certificate will not match, and a warning to the user. If you accept the warning, you are secure, but not very friendly.

Pound can be found at http://www.pound.ch/pound and is very Zope friendly.

This is not a user-friendly solution for production-level sites, but great for staging/testing/experimental/admin needs.

Not sure if this helps,

-Jon

michael nt milne wrote:
> Hi
>
> I've got a few Plone sites set-up using Apache through Zope. The
> question is, I'd like to implement SSL on the site login etc, as it's
> not secure without this. There's also one site I'd like to serve
> completely over https. However, I'm told that you can't run SSL on
> virtual hosts and can only have one SSL site per IP address. What would
> be the way round this?
>
> I know I could set-up SSL on Zope only using the following documentation:
> http://www.zope.org/Members/Ioan/ZopeSSL
> but if I can't carry this through to Apache then I'd have to run Zope as
> the web server as well as the application server.
>
> Thanks
> Michael

--
Jonathan Cyr
http://www.cyr.info
http://www.weddingweblog.com
Re: [Zope] SSL over Multiple Zope/Plone sites?
er Pound can be found at http://www.apsis.ch/pound

-Jon
Re: [Zope] SSL over Multiple Zope/Plone sites?
On 1/24/06, michael nt milne wrote:
> Ok, thanks. The annoying thing is that I am renting a virtual dedicated
> server which allows multiple domain names obviously but not multiple IP
> addresses. Or it probably costs more for that. Do you reckon SSL will
> ever be available for virtual single IP based hosts?

I believe you can use SSL and name based virtual hosts if you use unique ports for each vhost. I've never done it myself, but I remember reading somewhere in the Apache documentation that it was possible.

Jeff D