>Ragnar Beer wrote:
>>
>>  >  > I'm trying to deny external access to zope maintainance from elsewhere
>>  >>  (just for  sure), with Zope behind apache. However, It
>>  >>  just doesn't seem work... Sure It's more apache's problem, but I guess
>>  >>  someone around there has a working solution?
>>  >>
>>  >>  #</IfModule>
>>  >>  dule mod_rewrite.c>
>>  >>  RewriteEngine on
>>  >>  RewriteCond %{HTTP:Authorization}  ^(.*)
>>  >>  RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1
>>  >[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>>  >>
>>  >>  RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
>>  >>  RewriteRule ^/Zope.*manage - [F]
>>  >>  #</IfModule>
>>  >>
>>  >  > --
>>
>>  I'm using
>>
>>  <LocationMatch "/ssl|manage">
>>  Deny from all
>>  </LocationMatch>
>>
>>  to block any request from my virtual server on port 80 that is under
>>  the /ssl directory or has "manage" in it. You could then allow from
>>  localhost.
>>
>>  I was thinking about extending this idea to protect myself from
>>  possible seccurity-holes in zope by denying everything and allowing
>>  only requests ending in _html or _img. Any opinions on that?
>
>What about callable objects that don't end in either of these?
>

They wouldn't be callable from outside any more. This is the "deny 
everything that isn't allowed explicitly" policy. If I'd want them to 
be callable I'd have to put something in their names the makes it 
possible to identify them and then allow access.

--Ragnar

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to