Re: [Zope] Forcing all Zope access to come through an Apache/SSL proxy

2005-04-28 Thread calisp
On 28/04/05, Reuven M. Lerner <[EMAIL PROTECTED]> wrote:
[...]
> The above should make it possible (I believe), an HTTPS connection
> between my browser and my cup.  Apache should then take that incoming
> SSL request and issue its own request to the Zope server.  Zope will
> respond, sending it back to Apache, which (in turn) sends it back to me.
> 
> But of course, that doesn't happen.   Zope's provides indicates that
> many of the requests begin with "\x80g\x01\x03".
[...]

The following works for me... 

-


ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/ssl/[domain].crt
SSLCertificateKeyFile /etc/httpd/ssl/[domain].key

SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ServerName [domain]
RewriteEngine On
ProxyVia On
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/[domain]:443/folder/VirtualHostRoot/$1 [L,P]


Order Deny,Allow
Deny from All



-

HTH,

Calisp
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Forcing all Zope access to come through an Apache/SSL proxy

2005-04-28 Thread Daniel Dekany
Thursday, April 28, 2005, 8:23:27 AM, Reuven M. Lerner wrote:

> I've written a Zope application that needs to be behind SSL.  I assumed
> that the most straightforward way to do this would be to (1) set up Zope
> on port 8080 and (2) use Apache to act as a proxy between the outside 
> world and Zope.  Unfortunately, while it was a piece of cake to set up a
> proxy for non-SSL access to Zope, I'm rather stumped regarding SSL.  
> I've done non-SSL proxying for years with mod_rewrite, and it was really
> a snap, so I'm surprised that this is so difficult.
[snip]

I copy-paste below something similar... It's a bit more than what you
wanted, as it lets you access t1.net with HTTP and HTTPS, and t2.net
with HTTP only.

1. In Zope, I have made a VirtualHostMonster. I guess it doesn't matter where I
do it, but it happens to be in the root of the ZODB.

2. In the Apache2 httpd.conf (the /siteRoot_t1.net is a Plone object
that corresponds to http://t1.net/, etc.):

...

NameVirtualHost *:80


ServerName t1.net
ProxyPass / http://localhost:8080/VirtualHostBase/http/t1.net:80/siteRoot_t1.net/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/t1.net:80/siteRoot_t1.net/VirtualHostRoot/



ServerName t2.net
ProxyPass / http://localhost:8080/VirtualHostBase/http/t2.net:80/siteRoot_t2.net/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/t2.net:80/siteRoot_t2.net/VirtualHostRoot/



ServerName t1.net

SSLEngine On
SSLCertificateFile conf/ssl/t1.cert
SSLCertificateKeyFile conf/ssl/t1.key
SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
#CustomLog logs/ssl_request_log \
#  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPass / http://localhost:8080/VirtualHostBase/https/t1.net:443/siteRoot_t1.net/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/t1.net:443/siteRoot_t1.net/VirtualHostRoot/


...




Re: [Zope] Forcing all Zope access to come through an Apache/SSL proxy

2005-04-28 Thread Jürgen Herrmann
hi!

i use mod_proxy for this, here's the config snippet:


ServerName foo.com
ServerAdmin [EMAIL PROTECTED]
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPass /misc_ http://localhost:8080/misc_
ProxyPass /p_ http://localhost:8080/p_
ProxyVia on
SSLEngine on
SSLCertificateFile /path/to/my/server.crt
SSLCertificateKeyFile /path/to/my/server.key


i have to admit that i never tried mod_rewrite on this issue before,
so i can't tell you what's wrong with your config, i just can give you
a working solution :)

regards, juergen herrmann



[ Reuven M. Lerner wrote:]
> I've written a Zope application that needs to be behind SSL.  I assumed
> that the most straightforward way to do this would be to (1) set up Zope
> on port 8080 and (2) use Apache to act as a proxy between the outside
> world and Zope.  Unfortunately, while it was a piece of cake to set up a
> proxy for non-SSL access to Zope, I'm rather stumped regarding SSL.
> I've done non-SSL proxying for years with mod_rewrite, and it was really
> a snap, so I'm surprised that this is so difficult.
>
> Zope is working just fine when I access it directly (using HTTP) on port
> 8080.  I have installed the (self-signed) SSL certificate into Apache
> without any trouble, and am able to access individual documents on disk
> via SSL, using Apache.  So if all I would want is to use Apache with
> SSL, I would be done by now.
>
> Here is the relevant portion of the Apache configuration file (with
> names and numbers changed somewhat):
>
> 
> ServerName myserver.com
> ServerAdmin [EMAIL PROTECTED]
>
> SSLProxyEngine on
> RewriteEngine On
>
> RewriteRule ^/(.*)
> http://localhost:8080/VirtualHostBase/https/myserver.com:443/app/$1
> [L,P]
>
> 
>
> The above should make it possible (I believe), an HTTPS connection
> between my browser and my cup.  Apache should then take that incoming
> SSL request and issue its own request to the Zope server.  Zope will
> respond, sending it back to Apache, which (in turn) sends it back to me.
>
> But of course, that doesn't happen.   Zope's provides indicates that
> many of the requests begin with "\x80g\x01\x03".  My guess is that the
> SSL request is being piped to Zope directly, but it's hard to know from
> just a few characters.  Does this mean that I need to do some more
> translating, from HTTP into HTTPS?
>
> Not that it should make any difference, but I'm running Apache 2.0.52 on
> Red Hat Enterprise 4.0, with Zope 2.7.5 and Python 2.3.4.
>
> Thanks in advance for any advice you might have,
>
> Reuven


___

>> XLhost.de - eXperts in Linux hosting <<

Juergen Herrmann
Weiherweg 10, 93051 Regensburg, Germany
Fon:  +49 (0)700 XLHOSTDE [0700 95467833]
Fax:  +49 (0)721 151 463027

ICQ:  27139974  -  IRC: [EMAIL PROTECTED]
WEB:  http://www.XLhost.de
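
The bytes quoted in the original question, "\x80g\x01\x03", are consistent with the start of an SSLv2-format ClientHello, that is, an SSL handshake reaching a plain-HTTP listener. The following is an added example, not code from any poster in this thread, that classifies such logged request prefixes; the function names and the sample lines are constructed for illustration.

```python
import re

_HEX_ESCAPE = re.compile(rb"\\x([0-9a-fA-F]{2})")
_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def unescape_log(text):
    # Turn a logged string with literal \xNN escapes back into raw bytes.
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                           text.encode("latin-1"))


def classify(data):
    # Return (kind, detail) for the first bytes a plain-HTTP listener received.
    if data.startswith(_HTTP_METHODS):
        return "http", data.split(b" ", 1)[0].decode("ascii")
    # SSLv2-format record: high bit set in byte 0, 15-bit length,
    # then message type 1 (CLIENT-HELLO) and the version's major byte.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        major = data[3] if len(data) > 3 else None
        return "sslv2-client-hello", {"record_length": length,
                                      "version_major": major}
    # SSLv3/TLS record: content type 22 (handshake), then version major 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake", {"version": (data[1], data[2])}
    return "unknown", None


def tls_on_plaintext_port(logged_requests):
    # Return the logged request strings that are SSL/TLS handshakes, not HTTP.
    hits = []
    for line in logged_requests:
        kind, _ = classify(unescape_log(line))
        if kind in ("sslv2-client-hello", "tls-handshake"):
            hits.append(line)
    return hits


# Constructed sample: the second entry is the prefix quoted in this thread,
# the other two are made up for comparison.
SAMPLE = [
    r"GET /app/index_html HTTP/1.1",
    r"\x80g\x01\x03",
    r"\x16\x03\x01\x00\xc8\x01\x00",
]
```

Entries flagged by tls_on_plaintext_port() in a backend's log mean a client or proxy is speaking SSL to a port that only speaks HTTP.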