Re: [Zope] Forcing all Zope access to come through an Apache/SSL proxy
On 28/04/05, Reuven M. Lerner <[EMAIL PROTECTED]> wrote:
[...]
> The above should make it possible (I believe), an HTTPS connection
> between my browser and my cup. Apache should then take that incoming
> SSL request and issue its own request to the Zope server. Zope will
> respond, sending it back to Apache, which (in turn) sends it back to me.
>
> But of course, that doesn't happen. Zope's provides indicates that
> many of the requests begin with "\x80g\x01\x03".
[...]

The following works for me...

-
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/ssl/[domain].crt
SSLCertificateKeyFile /etc/httpd/ssl/[domain].key
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ServerName [domain]
RewriteEngine On
ProxyVia On
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/[domain]:443/folder/VirtualHostRoot/$1 [L,P]
Order Deny,Allow
Deny from All
-

HTH,
Calisp
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Forcing all Zope access to come through an Apache/SSL proxy
Thursday, April 28, 2005, 8:23:27 AM, Reuven M. Lerner wrote:
> I've written a Zope application that needs to be behind SSL. I assumed
> that the most straightforward way to do this would be to (1) set up Zope
> on port 8080 and (2) use Apache to act as a proxy between the outside
> world and Zope. Unfortunately, while it was a piece of cake to set up a
> proxy for non-SSL access to Zope, I'm rather stumped regarding SSL.
> I've done non-SSL proxying for years with mod_rewrite, and it was really
> a snap, so I'm surprised that this is so difficult.
[snip]

I copy-paste below something similar... It's a bit more than what you wanted, as it lets you access t1.net with HTTP and HTTPS, and t2.net with HTTP only.

1. In Zope, I have made a VirtualHostMonster. I guess it doesn't matter where I do it, but it happens to be in the root of the ZODB.

2. In the Apache2 httpd.conf (the /siteRoot_t1.net is a Plone object that corresponds to http://t1.net/, etc.):

...
NameVirtualHost *:80

ServerName t1.net
ProxyPass / http://localhost:8080/VirtualHostBase/http/t1.net:80/siteRoot_t1.net/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/t1.net:80/siteRoot_t1.net/VirtualHostRoot/

ServerName t2.net
ProxyPass / http://localhost:8080/VirtualHostBase/http/t2.net:80/siteRoot_t2.net/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/t2.net:80/siteRoot_t2.net/VirtualHostRoot/

ServerName t1.net
SSLEngine On
SSLCertificateFile conf/ssl/t1.cert
SSLCertificateKeyFile conf/ssl/t1.key
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
#CustomLog logs/ssl_request_log \
#    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyPass / http://localhost:8080/VirtualHostBase/https/t1.net:443/siteRoot_t1.net/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/https/t1.net:443/siteRoot_t1.net/VirtualHostRoot/
...
Re: [Zope] Forcing all Zope access to come through an Apache/SSL proxy
hi!

i use mod_proxy for this, here's the config snippet:

ServerName foo.com
ServerAdmin [EMAIL PROTECTED]
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPass /misc_ http://localhost:8080/misc_
ProxyPass /p_ http://localhost:8080/p_
ProxyVia on
SSLEngine on
SSLCertificateFile /path/to/my/server.crt
SSLCertificateKeyFile /path/to/my/server.key

i have to admit that i never tried mod_rewrite on this issue before, so i can't tell you what's wrong with your config, i just can give you a working solution :)

regards, juergen herrmann

[ Reuven M. Lerner wrote:]
> I've written a Zope application that needs to be behind SSL. I assumed
> that the most straightforward way to do this would be to (1) set up Zope
> on port 8080 and (2) use Apache to act as a proxy between the outside
> world and Zope. Unfortunately, while it was a piece of cake to set up a
> proxy for non-SSL access to Zope, I'm rather stumped regarding SSL.
> I've done non-SSL proxying for years with mod_rewrite, and it was really
> a snap, so I'm surprised that this is so difficult.
>
> Zope is working just fine when I access it directly (using HTTP) on port
> 8080. I have installed the (self-signed) SSL certificate into Apache
> without any trouble, and am able to access individual documents on disk
> via SSL, using Apache. So if all I would want is to use Apache with
> SSL, I would be done by now.
>
> Here is the relevant portion of the Apache configuration file (with
> names and numbers changed somewhat):
>
> ServerName myserver.com
> ServerAdmin [EMAIL PROTECTED]
>
> SSLProxyEngine on
> RewriteEngine On
>
> RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/myserver.com:443/app/$1 [L,P]
>
> The above should make it possible (I believe), an HTTPS connection
> between my browser and my cup. Apache should then take that incoming
> SSL request and issue its own request to the Zope server. Zope will
> respond, sending it back to Apache, which (in turn) sends it back to me.
>
> But of course, that doesn't happen. Zope's provides indicates that
> many of the requests begin with "\x80g\x01\x03". My guess is that the
> SSL request is being piped to Zope directly, but it's hard to know from
> just a few characters. Does this mean that I need to do some more
> translating, from HTTP into HTTPS?
>
> Not that it should make any difference, but I'm running Apache 2.0.52 on
> Red Hat Enterprise 4.0, with Zope 2.7.5 and Python 2.3.4.
>
> Thanks in advance for any advice you might have,
>
> Reuven

___
>> XLhost.de - eXperts in Linux hosting <<

Juergen Herrmann
Weiherweg 10, 93051 Regensburg, Germany
Fon: +49 (0)700 XLHOSTDE [0700 95467833]
Fax: +49 (0)721 151 463027
ICQ: 27139974 - IRC: [EMAIL PROTECTED]
WEB: http://www.XLhost.de
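
The four bytes quoted in the original question, "\x80g\x01\x03", can be decoded rather than guessed at: they match the start of an SSLv2-format ClientHello (two-byte record header with length 103, message type 1, major version 3), which means undecrypted handshake bytes arrived on a plain HTTP port. The Python below is an added example, not code from any poster in this thread; the access-log layout, the sample lines and the function names are constructed assumptions.

```python
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
ESCAPE = re.compile(rb"\\x([0-9a-fA-F]{2})")
REQUEST_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')


def unescape(field: str) -> bytes:
    """Turn the log's \\xNN escapes back into the bytes the listener saw."""
    raw = field.encode("latin-1", "replace")
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def classify(data: bytes) -> dict:
    """Classify the first bytes received on a plaintext HTTP port."""
    if data.startswith(HTTP_METHODS):
        return {"kind": "http"}
    if len(data) >= 4 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format record: the high bit marks a 2-byte header whose low
        # 15 bits are the record length; message type 1 is CLIENT-HELLO.
        return {"kind": "sslv2-client-hello",
                "record_length": ((data[0] & 0x7F) << 8) | data[1],
                "offered_major_version": data[3]}
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record layer: content type 22 (handshake), major version 3.
        return {"kind": "tls-handshake", "record_version": (data[1], data[2])}
    return {"kind": "unknown"}


def scan(log_lines):
    """Return (classification, line) for each request that is not plain HTTP."""
    hits = []
    for line in log_lines:
        m = REQUEST_FIELD.search(line)
        if m:
            result = classify(unescape(m.group(1)))
            if result["kind"] != "http":
                hits.append((result, line))
    return hits


# Constructed sample access-log lines (not taken from the thread).
SAMPLE_LOG = [
    r'127.0.0.1 - - [28/Apr/2005:08:23:27 +0000] "\x80g\x01\x03" 400 0',
    r'127.0.0.1 - - [28/Apr/2005:08:23:30 +0000] "GET /app/ HTTP/1.1" 200 512',
    r'127.0.0.1 - - [28/Apr/2005:08:23:41 +0000] "\x16\x03\x01\x00\xa5\x01" 400 0',
]
for result, line in scan(SAMPLE_LOG):
    print(result["kind"], "<-", line)
```

Any hit other than plain HTTP on the backend port means encrypted traffic reached it without Apache terminating SSL first, which is the condition the thread's subject line is trying to rule out.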