>>Correct me if I'm wrong, but this IMO makes spoofing against a naked 
>>ZServer a child's play. It's just adding a custom header to the request.
>>I also doubt that every reverse proxy overwrites this header, so 
>>zservers behind a proxy might also be hit.
>Note:  this is using another web server to front for zope.  It turns out
>to be fairly safe -- I have used a variant for quite a while and did
>quite a bit of testing.  For shorthand, I am going to call the other web
>server apache.  Apache presumably uses something like getpeername to
>fill in its idea of HTTP_X_FORWARDED_FOR or REMOTE_ADDR.  If the remote
>user attempts to spoof it (by using hidden variables, or other HTTP
>based techniques), the Zope server interprets this as a list, rather
>than the expected string.  This is easy to detect, and in fact, if you
>fail to handle it, you will probably simply error out.
>If the attacker is using TCP spoofing, there is really not much you can
>do at an application level.
>On the other hand, I am now convinced that this is not an intelligent
>thing to do, not even for presentation.  You already have Apache in
>front, so why not use rewriting rules to make the URL distinguishable.
>In this way, you can use one of the BASE or URL variables to determine
>how the person got in.  This gives you pretty much the same level of
>control (especially if you are worried only about internal/external) as
>using IP addresses, without modifying either Zope or Apache.
Jim, Oliver

Thanks. I'm glad we have smart and knowledgeable people available to 
discuss these kinds of things.  My hope was that I could restrict my 
Manager account to a short list of machines, even through a squid or 
apache proxy.  Essentially add a third thing to have besides username 
and password.  Which I still think is better than just username and 
password, since Zope sees only *one* ip address coming from squid in the 
current situation.  I'll have to do some more thinking...


-- Jim Washington

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )
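As an added illustration of the point made above (not code from the thread or from Zope), the following shows how an application behind a reverse proxy can reconstruct the real client address from REMOTE_ADDR and X-Forwarded-For, detect the "list instead of a string" condition that results when a client supplies its own header, and apply the kind of per-machine restriction Jim describes for a Manager account. The proxy addresses, client addresses and function names are constructed for the example.

```python
"""Trusted-proxy-aware X-Forwarded-For handling (constructed example).

A proxy such as Apache or squid appends the address it learned from the TCP
connection (getpeername) to whatever X-Forwarded-For the client sent.  A client
that tries to spoof the header therefore produces a list of addresses, not a
single one.  Walking the list from the right and skipping only hops we operate
yields the real client and flags any client-written entries.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: addresses of the proxies we run in front of the application.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32"),
                   ipaddress.ip_network("127.0.0.1/32")]


@dataclass
class ClientAddress:
    ip: str                  # address we are willing to treat as the client
    spoof_attempt: bool      # True if entries were written by an untrusted party
    chain: Tuple[str, ...]   # full hop list, leftmost = farthest from us


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False         # garbage in the header is never a trusted hop
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client(remote_addr: str, x_forwarded_for: Optional[str]) -> ClientAddress:
    """remote_addr is the TCP peer the app server saw; x_forwarded_for is the
    raw header value (possibly comma-separated) or None if absent."""
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    chain = hops + [remote_addr]
    idx = len(chain) - 1
    client = remote_addr
    # Step left past hops we trust; the first untrusted address is the client.
    while idx > 0 and _is_trusted(chain[idx]):
        idx -= 1
        client = chain[idx]
    # Anything still to the left of the client was not written by our proxies.
    return ClientAddress(ip=client, spoof_attempt=idx > 0, chain=tuple(chain))


def manager_allowed(client: ClientAddress, allowed_hosts: List[str]) -> bool:
    """Restrict a privileged account to a short list of machines; any
    client-supplied forwarding entries disqualify the request outright."""
    return not client.spoof_attempt and client.ip in allowed_hosts
```

Without a reverse proxy in front, REMOTE_ADDR is the client itself and every X-Forwarded-For entry is treated as client-supplied, which is exactly the "naked ZServer" case raised at the top of the thread.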