Ragnar Beer wrote:
> 
> >>  I'm trying to deny external access to Zope maintenance from elsewhere
> >>  (just to be sure), with Zope behind Apache. However, it
> >>  just doesn't seem to work... Sure, it's more Apache's problem, but I guess
> >>  someone around there has a working solution?
> >>
> >>  #</IfModule>
> >>  #<IfModule mod_rewrite.c>
> >>  RewriteEngine on
> >>  RewriteCond %{HTTP:Authorization}  ^(.*)
> >>  RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
> >>
> >>  RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
> >>  RewriteRule ^/Zope.*manage - [F]
> >>  #</IfModule>
> >>
> >>  --
> 
> I'm using
> 
> <LocationMatch "/ssl|manage">
> Deny from all
> </LocationMatch>
> 
> to block any request from my virtual server on port 80 that is under
> the /ssl directory or has "manage" in it. You could then allow from
> localhost.
> 
> I was thinking about extending this idea to protect myself from
> possible security holes in Zope by denying everything and allowing
> only requests ending in _html or _img. Any opinions on that?

What about callable objects that don't end in either of these?

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
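
The rules quoted in this thread, run through a small Python model as an added example (not code from either poster). It assumes simplified mod_rewrite semantics in server context (rules run in order, [L] ends processing, [F] returns 403); the client addresses, request paths and the allow-list regex are constructed for illustration.

```python
import re

def cond_matches(value, cpat):
    # A leading "!" negates the condition, as in RewriteCond.
    if cpat.startswith("!"):
        return re.search(cpat[1:], value) is None
    return re.search(cpat, value) is not None

def evaluate(rules, path, remote_addr, authorization=""):
    """Return the outcome of the first rule whose pattern and conditions match."""
    env = {"REMOTE_ADDR": remote_addr, "HTTP:Authorization": authorization}
    for pattern, conds, flag in rules:
        if not re.search(pattern, path):
            continue
        if all(cond_matches(env[var], cpat) for var, cpat in conds):
            # [F] answers 403; [L] rewrites to the CGI and stops rule processing.
            return "403 Forbidden" if flag == "F" else "passed to Zope"
    return "not rewritten"

# The two rules from the first message. "^(.*)" also matches an empty header,
# so the CGI rule fires for every /Zope request.
CGI_RULE = (r"^/Zope(.*)", [("HTTP:Authorization", r"^(.*)")], "L")
DENY_RULE = (r"^/Zope.*manage", [("REMOTE_ADDR", r"!^193\.143\.156\.(.*)")], "F")

AS_POSTED = [CGI_RULE, DENY_RULE]   # order shown in the message
REORDERED = [DENY_RULE, CGI_RULE]   # deny rule evaluated before the [L] rule

def location_match_denied(path, pattern=r"/ssl|manage"):
    # <LocationMatch> regexes are unanchored: any path containing a match is denied.
    return re.search(pattern, path) is not None

def allowlist_permits(path, pattern=r"(_html|_img)$"):
    # Hypothetical regex for "allow only requests ending in _html or _img".
    return re.search(pattern, path) is not None

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for ip in ("203.0.113.7", "193.143.156.20"):   # constructed addresses
            print(label, ip, evaluate(rules, "/Zope/manage", ip))
    for p in ("/Zope/manage_main", "/Zope/management_report",
              "/Zope/index_html", "/Zope/docs/search"):   # constructed paths
        print(p, "denied by LocationMatch:", location_match_denied(p),
              "| permitted by allow-list:", allowlist_permits(p))
```

In this model the posted order never reaches the [F] rule for /Zope paths, the unanchored "manage" also catches unrelated paths that contain the word, and the allow-list rejects a callable such as /Zope/docs/search.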
