> > > Just to be safe ... You shouldn't use this entire patch unless your
> > > server is behind apache or a proxy server and best if protected by a
> > > firewall. It could open a potential security leak if you use the
> > > "domains" field for authentication and the zope server is not
> > > protected by apache.
> > Is the issue that the X-Forwarded-For header controls the domain setting?
> yes ... everyone should probably not use this patch
My apologies if I kicked the ball a little harder than was needed to get it
In any case, it looks like a little more work is required before this patch
will be ready for mainstream.
'HTTP_X_FORWARDED_FOR' should probably be ignored unless Zope is
explicitly told to look at it. A list of allowed proxies, perhaps set as a
Or a switch to turn it on (off by default) and a warning about restricting
direct connections to Zope are allowed from?
In the meantime, a couple of restrictive firewall rules on my Zope box
prevent malicious users from connecting directly to Zope with fake
Soon as I get it all working perfectly I'll be putting everything I know about
using Zope with mod_proxy in a doc for zope.org. (Yes, yet another match
when you search for "proxypass", hopefully the last needed for a while.)
Zope-Dev maillist - [EMAIL PROTECTED]
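The thread's suggestion (honor 'HTTP_X_FORWARDED_FOR' only when Zope has been explicitly told which proxies to trust, off by default) can be illustrated with a small helper. This is an added example written for this page; it is not code from Zope, from the patch under discussion, or from any of the posters, and the function name `client_address`, the `trusted_proxies` parameter, and the sample addresses are all assumptions constructed for the example.

```python
"""Use the socket peer address unless it belongs to an explicitly trusted proxy.

Hypothetical helper (not Zope's own code). With the default empty trust list the
forwarded header is never consulted, so a client that connects directly to the
application port cannot influence any domain-based check by sending a header.
"""
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse(addr: str) -> Optional[IPAddress]:
    """Parse one address; None if it is not a valid IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_address(peer: str,
                   environ: Mapping[str, str],
                   trusted_proxies: Iterable[str] = ()) -> str:
    """Return the address that domain-based checks should use.

    peer:            the TCP peer address (what REMOTE_ADDR reports).
    environ:         CGI/WSGI-style variables, e.g. {'HTTP_X_FORWARDED_FOR': ...}.
    trusted_proxies: addresses or CIDR networks (assumed configuration) whose
                     X-Forwarded-For header is honored. Empty by default, i.e. off.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip: IPAddress) -> bool:
        return any(ip in net for net in trusted)

    peer_ip = _parse(peer)
    if peer_ip is None or not is_trusted(peer_ip):
        # Direct connection, or a peer we were not told to trust: the header
        # could have been written by the client itself, so ignore it.
        return peer

    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]

    # Walk the chain from the right. Each trusted proxy appended the address it
    # saw; the first hop that is NOT a trusted proxy is the real client as seen
    # by the nearest trusted hop. Anything further left was supplied upstream
    # and is not verified.
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            return peer  # malformed header: fall back to the socket peer
        if not is_trusted(ip):
            return str(ip)

    # Header empty, or every hop was itself a trusted proxy: use the peer.
    return peer


if __name__ == "__main__":
    # Constructed sample: no trust list configured, so the header is ignored.
    print(client_address("203.0.113.5", {"HTTP_X_FORWARDED_FOR": "10.0.0.1"}))
    # Constructed sample: local Apache is trusted, so its header is used.
    print(client_address("127.0.0.1",
                         {"HTTP_X_FORWARDED_FOR": "198.51.100.7"},
                         ["127.0.0.1"]))
```

The default of an empty `trusted_proxies` list is the "off by default" switch the thread asks for; a deployment behind Apache would list only the proxy's address (or the firewall-restricted network it sits on), and the firewall rules mentioned in the message remain necessary because this check cannot tell whether the proxy itself was reachable only through the intended path.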