>Ragnar Beer wrote:
>>
>>  >Ragnar Beer wrote:
>>  >>
>>  >>  >  > I'm trying to deny external access to zope maintainance 
>>from elsewhere
>>  >>  >>  (just for  sure), with Zope behind apache. However, It
>>  >>  >>  just doesn't seem work... Sure It's more apache's problem, 
>>but I guess
>>  >>  >>  someone around there has a working solution?
>>  >>  >>
>>  >>  >>  #</IfModule>
>>  >>  >>  dule mod_rewrite.c>
>>  >>  >>  RewriteEngine on
>>  >>  >>  RewriteCond %{HTTP:Authorization}  ^(.*)
>>  >>  >>  RewriteRule ^/Zope(.*) /usr/lib/cgi-bin/Zope/$1
>>  >>  >[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>>  >>  >>
>>  >>  >>  RewriteCond %{REMOTE_ADDR} !^193\.143\.156\.(.*)
>>  >>  >>  RewriteRule ^/Zope.*manage - [F]
>>  >>  >>  #</IfModule>
>>  >>  >>
>>  >>  >  > --
>>  >>
>>  >>  I'm using
>>  >>
>>  >>  <LocationMatch "/ssl|manage">
>>  >>  Deny from all
>>  >>  </LocationMatch>
>>  >>
>>  >>  to block any request from my virtual server on port 80 that is under
>>  >>  the /ssl directory or has "manage" in it. You could then allow from
>>  >>  localhost.
>>  >>
>>  >>  I was thinking about extending this idea to protect myself from
>>  >>  possible seccurity-holes in zope by denying everything and allowing
>>  >>  only requests ending in _html or _img. Any opinions on that?
>>  >
>>  >What about callable objects that don't end in either of these?
>>  >
>>
>>  They wouldn't be callable from outside any more. This is the "deny
>>  everything that isn't allowed explicitly" policy. If I'd want them to
>>  be callable I'd have to put something in their names the makes it
>>  possible to identify them and then allow access.
>
>
>That's an awful lot of code to rewrite ;)


Right, this is rather a strategy to follow from the beginning. 
Otherwise - arghh! (But it's very proactive, isn't it?)

--Ragnar

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to