Re: [Zope] help with url rewriting
Faheem Mitha wrote: Turns out the problem was indeed with the Proxy, I had to change to Allow from all inside the proxy.conf, to enable reverse proxying. Order deny,allow #Deny from all #Allow from .your_domain.com Allow from all I'm not sure an open proxy is that hot an idea, but this has nothing to do with Zope. I suggest you go and ask on #apache on irc.freenode.net 1) I can still access my plone site unauthenticated via http://machine_address:9673/test_plone. Again, nothing to do with Zope. iptables is the way to go, and I bet £5 you lock yourself out of your machine within 2 hrs of playing with this ;-) Go to #debian on irc.freenode.net and wear flameproof clothing ;-) cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
Am Freitag, den 11.11.2005, 23:45 -0500 schrieb Faheem Mitha: On Fri, 11 Nov 2005, Faheem Mitha wrote: ... The main error is [Fri Nov 11 18:51:56 2005] [error] [client client_ip_address] client denied by server configuration: ^^ This means Apache, not Zope proxy:http://127.0.0.1:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone/colophon_anybrowser.png, referer: http://server_ip_address:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone 5) Here are the mods I have enabled. ... Alias /doc/ /usr/share/doc/ Directory /usr/share/doc/ Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all ^ --- and here Allow from 127.0.0.0/255.0.0.0 ::1/128 ^ --- and here /Directory is the Problem. The example config needs to be changed to allow serving - this is true for static content as well as using mod_proxy. HTH Tino ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
On Sat, 12 Nov 2005, Tino Wildenhain wrote: [snip] 5) Here are the mods I have enabled. ... Alias /doc/ /usr/share/doc/ Directory /usr/share/doc/ Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all ^ --- and here Allow from 127.0.0.0/255.0.0.0 ::1/128 ^ --- and here /Directory is the Problem. The example config needs to be changed to allow serving - this is true for static content as well as using mod_proxy. I'm sorry. I don't follow what you mean. Can you be more explicit? The web server is working fine for regular web pages, both SSL and non-SSL. Thanks.Faheem. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
Am Samstag, den 12.11.2005, 03:26 -0500 schrieb Faheem Mitha: On Sat, 12 Nov 2005, Tino Wildenhain wrote: [snip] 5) Here are the mods I have enabled. ... Alias /doc/ /usr/share/doc/ Directory /usr/share/doc/ Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all ^ --- and here Allow from 127.0.0.0/255.0.0.0 ::1/128 ^ --- and here /Directory is the Problem. The example config needs to be changed to allow serving - this is true for static content as well as using mod_proxy. I'm sorry. I don't follow what you mean. Can you be more explicit? The web server is working fine for regular web pages, both SSL and non-SSL. Which pages beside the introductional page and the docs? And are you sure you want to access your Plone via http://yourserver/plone/ instead of http://yourserver/ ? Regards Tino ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
On Sat, 12 Nov 2005, Tino Wildenhain wrote: Am Samstag, den 12.11.2005, 03:26 -0500 schrieb Faheem Mitha: Which pages beside the introductional page and the docs? The pages in the Document Root work fine. That is, the pages at http://yourserver, which correspond to /var/www/html and https://yourserver, which correspond to /var/www/html-ssl. I have a config file called default, which is exactly like the ssl config file, except for being for port 80, and not having the Zope stuff in it. I can mail that if you want. And are you sure you want to access your Plone via http://yourserver/plone/ instead of http://yourserver/ ? Yes. Well, https://yourserver/plone. Thanks for your help. Faheem. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
On Fri, 11 Nov 2005, Faheem Mitha wrote: 6) I was wondering if there might be something wrong with the Proxy thing. I've kept proxy.conf at the Debian defaults. Included below. In particular ProxyRequest are off, but another Debian machine I have access to works fine with that setting. Turns out the problem was indeed with the Proxy, I had to change to Allow from all inside the proxy.conf, to enable reverse proxying. Order deny,allow #Deny from all #Allow from .your_domain.com Allow from all /Proxy I've now got a further question, in case anyone feels like indulging me. 1) I can still access my plone site unauthenticated via http://machine_address:9673/test_plone. What is the best way to switch that off so it can only be accessed via the https interface? Thanks. Faheem. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
Faheem Mitha wrote: Why not just: /plone(.*) This is the way to go, I don't know what Sascha meant when he was talking about 2 rules. However, he did have a very good point about SSL. If you want Apache to do the SSL encryption and decryption, then you need to set up mod_ssl, sort out the certificates, etc. I have this working on a few of my servers but I'm working offline so can't really have a look to see what you're doing wrong... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
On Fri, 11 Nov 2005, Chris Withers wrote: Faheem Mitha wrote: Why not just: /plone(.*) This is the way to go, I don't know what Sascha meant when he was talking about 2 rules. However, he did have a very good point about SSL. If you want Apache to do the SSL encryption and decryption, then you need to set up mod_ssl, sort out the certificates, etc. I have this working on a few of my servers but I'm working offline so can't really have a look to see what you're doing wrong... Yes, at least part of the problem is that I did not have SSL set up correctly, and I certainly didn't have certificates etc. I've done that now, so I'll try the Plone thing again. Sorry for my ignorance.Faheem. ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
On Fri, 11 Nov 2005, Faheem Mitha wrote:
On Fri, 11 Nov 2005, Chris Withers wrote:
Faheem Mitha wrote:
Why not just:
/plone(.*)
This is the way to go, I don't know what Sascha meant when he was talking
about 2 rules.
However, he did have a very good point about SSL. If you want Apache to do
the SSL encryption and decryption, then you need to set up mod_ssl, sort
out the certificates, etc. I have this working on a few of my servers but
I'm working offline so can't really have a look to see what you're doing
wrong...
Yes, at least part of the problem is that I did not have SSL set up
correctly, and I certainly didn't have certificates etc. I've done that now,
so I'll try the Plone thing again.
Ok. I've now configured SSL correctly on my test machine, but am still
getting errors. I suspect this is an apache misconfiguration, which is
puzzling, since I have acess to a machine doing very similar things, also
running Debian sarge, which is working.
I'll list misc bits of info below, in the hope that this will help to
narrow the problem. I'll also list the ssl config portion of my apache
file at the bottom of this message for good measure.
1) Firstly, SSL is now working, certificates are offered and accepted,
yada yada.
2) I can acess the page at
http://127.0.0.1:9673/VirtualHostBase/https/%{HTTP_HOST}:443/test_plone/VirtualHostRoot/_vh_test_\plone$1
[L,P]
fine, where I have to replace 127.0.0.1 with the IP address of the machine
in question. This means the Virtual Host Monster is working correctly,
right?
3) The rewriting is actually happening, because the rewriting log shows
**
client_ip_address - - [11/Nov/2005:18:51:56 --0500]
[server_ip_address/sid#81565f0][rid#81ce540/initial] (2)
init rewrite engine with requested uri /test_plone/colophon_xhtml.png
client_ip_address - - [11/Nov/2005:18:51:56 --0500]
[server_ip_address/sid#81565f0][rid#81ce540/initial] (3)
applying pattern '^/test_plone(.*)' to uri
'/test_plone/colophon_xhtml.png'
client_ip_address - - [11/Nov/2005:18:51:56 --0500]
[server_ip_address/sid#81565f0][rid#81ce540/initial] (2)
rewrite /test_plone/colophon_xhtml.png -
http://127.0.0.1:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone/colophon_xhtml.png
client_ip_address - - [11/Nov/2005:18:51:56 --0500]
[server_ip_address/sid#81565f0][rid#81ce540/initial] (2)
forcing proxy-throughput with
http://127.0.0.1:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone/colophon_xhtml.png
client_ip_address - - [11/Nov/2005:18:51:56 --0500]
[server_ip_address/sid#81565f0][rid#81ce540/initial] (1)
go-ahead with proxy request
proxy:http://127.0.0.1:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone/colophon_xhtml.png
[OK]
***
This all looks pretty normal.
4) The error log is fairly unhelpful. Setting LogLevel to debug does
not seem to give any helpful information.
The main error is
[Fri Nov 11 18:51:56 2005] [error] [client client_ip_address] client denied by
server configuration:
proxy:http://127.0.0.1:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone/colophon_anybrowser.png,
referer:
http://server_ip_address:9673/VirtualHostBase/https/server_ip_address:443/test_plone/VirtualHostRoot/_vh_test_plone
5) Here are the mods I have enabled.
/etc/apache2/mods-enabled# ls -la
drwxr-xr-x 3 root root 4096 2005-11-11 17:21 .
drwxr-xr-x 10 root root 4096 2005-11-11 15:45 ..
lrwxrwxrwx 1 root root 37 2005-11-10 16:52 cgid.conf -
/etc/apache2/mods-available/cgid.conf
lrwxrwxrwx 1 root root 37 2005-11-10 16:52 cgid.load -
/etc/apache2/mods-available/cgid.load
lrwxrwxrwx 1 root root 28 2005-11-11 17:21 proxy.conf -
../mods-available/proxy.conf
lrwxrwxrwx 1 root root 28 2005-11-11 17:21 proxy.load -
../mods-available/proxy.load
lrwxrwxrwx 1 root root 30 2005-11-11 17:19 rewrite.load -
../mods-available/rewrite.load
lrwxrwxrwx 1 root root 26 2005-11-10 21:21 ssl.conf -
../mods-available/ssl.conf
lrwxrwxrwx 1 root root 26 2005-11-10 21:21 ssl.load -
../mods-available/ssl.load
lrwxrwxrwx 1 root root 40 2005-11-10 16:52 userdir.conf -
/etc/apache2/mods-available/userdir.conf
lrwxrwxrwx 1 root root 40 2005-11-10 16:52 userdir.load -
/etc/apache2/mods-available/userdir.load
These are included via the main config file.
6) I was wondering if there might be something wrong with the Proxy thing.
I've kept proxy.conf at the Debian defaults. Included below.
In particular ProxyRequest are off, but another Debian machine I have
access to works fine with that setting.
Thanks in advance for your help.
Faheem.
Re: [Zope] help with url rewriting
(Wed, Nov 09, 2005 at 10:41:32AM -0500) [EMAIL PROTECTED] wrote/schrieb/egrapse:
From: Faheem Mitha [EMAIL PROTECTED]
...
I running Apache 2.0 and Zope 2.7 on Debian Sarge. I've configured a zope
(Plone) instance located /var/lib/zope2.7/instance/dulci.
This can be accessed via
http://machine_address:9673/dulci. 9673 is the
^^
http
point on which Zope runs on Debian.
I'm trying to configure Apache so that all requests of the form
http://machine_address/plone are sent to
https://machine_address:9673/dulci
^^
https
http != https
Zope is unlikely to understand the rewritten URL with that https I would
say. I don't understand why you try to access Zope with SSL/https, plain
Zope does not understand that protocol.
If you try to use apache to do SSL for Zope, you will need it the other
way around.
And to force connections to go through SSL, you will need a rewriterule
to redirect (either for all URLs or for /manage URLs) or some fancier
Plone setup (which I never figured out).
and that the urls returned by Plone are consistent.
I added the following lines to my Apache config, representing my best
guess as to how this should work.
I don't know about the problems that Chris found with your RewriteRule,
but I stopped worrying, since I can always go to the witch and get a
usefull RewriteRule for most setups (if I might say so myself :-)
http://betabug.ch/zope/witch
The rewriting seems to work, since when
I go to
http://machine_address/plone
the log says
[Wed Nov 09 03:30:26 2005] [error] [client ...] client denied by
server configuration:
proxy:http://127.0.0.1:9673/VirtualHostBase/https/machine_address:443/dulci/VirtualHostRoot/_vh_plone
However, something must be broken.
...
RewriteRule ^/plone(/.*)?$
http://127.0.0.1:9673/VirtualHostBase/https/%{HTTP_HOST}:443/dulci/VirtualHostRoot/_vh_plone$1
[L,P]
As for the question mark, I guess you are trying to get in one rule what
most people (and the witch) do in two rules: Cover the case where
/plone ends the URL, as well the case where something comes behind
/plone. Regular expressions are tricky with that stuff, so it's better
to use 2 rules and be covered.
Googling for [zope apache rewriterule], the ZopeWiki page
(http://zopewiki.org/ZopeAndApache) comes on the first result page,
while the witch is currently on the second page. The help page from the
VHM is also very informative.
Regards,
Sascha
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
On Wed, 9 Nov 2005, Chris Withers wrote:
Faheem Mitha wrote:
the log says
[Wed Nov 09 03:30:26 2005] [error] [client ...] client denied by server
configuration:
This means you likely need to find something else in your apache.conf that's
causing this problem...
RewriteRule ^/plone(/.*)?$
That's odd..
Why not just:
/plone(.*)
?
This might actually be your problem, since that question mark means that $1
might not exist for:
http://127.0.0.1:9673/VirtualHostBase/https/%{HTTP_HOST}:443/dulci/VirtualHostRoot/_vh_plone$1
[L,P]
I tried
RewriteRule ^/plone(.*)
http://127.0.0.1:9673/VirtualHostBase/https/%{HTTP_HOST}:443/dulci/VirtualHostRoot/_vh_plone$1
[L,P]
This does not make any difference. Does this line, and the rest of the
config stuff otherwise look Ok?
Any idea what I might be looking for in the configuration? I'm mostly
using the Debian defaults.
Do I correctly understand that this rule will encrypt traffic sent to the
Zope instance, and coming out? That is the intention.
Thanks in advance.
Faheem.
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] help with url rewriting
Dear People,
I running Apache 2.0 and Zope 2.7 on Debian Sarge. I've configured a zope
(Plone) instance located /var/lib/zope2.7/instance/dulci.
This can be accessed via http://machine_address:9673/dulci. 9673 is the
point on which Zope runs on Debian.
I'm trying to configure Apache so that all requests of the form
http://machine_address/plone are sent to
https://machine_address:9673/dulci
and that the urls returned by Plone are consistent.
I added the following lines to my Apache config, representing my best
guess as to how this should work. The rewriting seems to work, since when
I go to
http://machine_address/plone
the log says
[Wed Nov 09 03:30:26 2005] [error] [client ...] client denied by
server configuration:
proxy:http://127.0.0.1:9673/VirtualHostBase/https/machine_address:443/dulci/VirtualHostRoot/_vh_plone
However, something must be broken.
This seems to be a relatively straighforward matter, but I've already
spent a substantial amount of time on it, so I'd be obliged if someone
can point out if I am missing something obvious, as I probably am.
Please cc me on any reply. Thanks in advance.
NameVirtualHost *
VirtualHost *
[...]
IfModule mod_proxy.c
ProxyVia On
/IfModule
IfModule mod_rewrite.c
RewriteEngine On
RewriteRule ^/plone(/.*)?$
http://127.0.0.1:9673/VirtualHostBase/https/%{HTTP_HOST}:443/dulci/VirtualHostRoot/_vh_plone$1
[L,P]
/IfModule
/VirtualHost
***
Faheem.
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] help with url rewriting
Faheem Mitha wrote:
the log says
[Wed Nov 09 03:30:26 2005] [error] [client ...] client denied by server
configuration:
This means you likely need to find something else in your apache.conf
that's causing this problem...
RewriteRule ^/plone(/.*)?$
That's odd..
Why not just:
/plone(.*)
?
This might actually be your problem, since that question mark means that
$1 might not exist for:
http://127.0.0.1:9673/VirtualHostBase/https/%{HTTP_HOST}:443/dulci/VirtualHostRoot/_vh_plone$1
[L,P]
cheers,
Chris
--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
