> > Correct me if I'm wrong, but this IMO makes spoofing against a naked
> > ZServer child's play. It's just adding a custom header to the request.
> > I also doubt that every reverse proxy overwrites this header, so
> > zservers behind a proxy might also be hit.
>
> Note: this is using another web server to front for zope. It turns out
> to be fairly safe -- I have used a variant for quite a while and did
> quite a bit of testing. For shorthand, I am going to call the other web
> server apache. Apache presumably uses something like getpeername to
> fill in its idea of HTTP_X_FORWARDED_FOR or REMOTE_ADDR. If the remote
> user attempts to spoof it (by using hidden variables, or other HTTP
> based techniques), the Zope server interprets this as a list, rather
> than the expected string. This is easy to detect, and in fact, if you
> fail to handle it, you will probably simply error out.
>
> If the attacker is using TCP spoofing, there is really not much you can
> do at an application level.
>
> On the other hand, I am now convinced that this is not an intelligent
> thing to do, not even for presentation. You already have Apache in
> front, so why not use rewriting rules to make the URL distinguishable.
> In this way, you can use one of the BASE or URL variables to determine
> how the person got in. This gives you pretty much the same level of
> control (especially if you are worried only about internal/external) as
> using IP addresses, without modifying either Zope or Apache.
>
> Jim, Oliver
Thanks. I'm glad we have smart and knowledgeable people available to discuss these kinds of things.

My hope was that I could restrict my Manager account to a short list of machines, even through a squid or apache proxy. Essentially add a third thing to have besides username and password. Which I still think is better than just username and password, since Zope sees only *one* ip address coming from squid in the current situation.

I'll have to do some more thinking...

Regards,

-- Jim Washington

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
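The "list instead of string" situation Oliver describes, and the allowlist-as-third-factor idea Jim is after, as an added example that is not code from the thread or from Zope itself. It assumes (my assumption) a trusted reverse proxy directly in front of ZServer that always appends the real peer address to X-Forwarded-For, so the trustworthy entry is the last one; all addresses are constructed samples.

```python
# Added example, not from the thread or from Zope. Assumption: the reverse
# proxy in front of ZServer is trusted and always appends the peer address
# (what it got from getpeername) to X-Forwarded-For in "client, proxy" order.
from typing import List, Optional, Tuple

# Constructed sample allowlist for the Manager account (not real addresses).
MANAGER_ALLOWLIST = {"10.0.0.5", "10.0.0.6"}


def parse_forwarded_for(raw: Optional[str]) -> List[str]:
    """Split a received X-Forwarded-For value into its individual entries.

    A single trusted hop yields one entry; if the client injected its own
    header, the proxy appends to it and Zope sees a comma-separated list.
    """
    if not raw:
        return []
    return [part.strip() for part in raw.split(",") if part.strip()]


def proxy_reported_client(raw: Optional[str]) -> Tuple[Optional[str], bool]:
    """Return (address the trusted proxy appended, client_supplied_entries_seen).

    The trusted proxy always appends, so its entry is last. Anything before
    it arrived from the client (or an untrusted upstream proxy), which is
    exactly the "list rather than string" case the thread calls easy to detect.
    """
    entries = parse_forwarded_for(raw)
    if not entries:
        return None, False
    return entries[-1], len(entries) > 1


def manager_allowed(raw: Optional[str]) -> bool:
    """Third factor: the proxy-reported address must be on the allowlist.

    Policy choice here: refuse when extra client-supplied entries are present,
    even if the last entry is allowlisted, and log it for review. Sites with
    legitimate chained proxies would instead trust a known chain length.
    """
    addr, tampered = proxy_reported_client(raw)
    if addr is None or tampered:
        return False
    return addr in MANAGER_ALLOWLIST
```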