On Fri, 11 Nov 2005, Faheem Mitha wrote:

On Fri, 11 Nov 2005, Chris Withers wrote:

Faheem Mitha wrote:
Why not just:


This is the way to go, I don't know what Sascha meant when he was talking about "2 rules".

However, he did have a very good point about SSL. If you want Apache to do the SSL encryption and decryption, then you need to set up mod_ssl, sort out the certificates, etc. I have this working on a few of my servers but I'm working offline so can't really have a look to see what you're doing wrong...

Yes, at least part of the problem is that I did not have SSL set up correctly, and I certainly didn't have certificates etc. I've done that now, so I'll try the Plone thing again.

Ok. I've now configured SSL correctly on my test machine, but am still getting errors. I suspect this is an apache misconfiguration, which is puzzling, since I have access to a machine doing very similar things, also running Debian sarge, which is working.

I'll list misc bits of info below, in the hope that this will help to narrow the problem. I'll also list the ssl config portion of my apache file at the bottom of this message for good measure.

1) Firstly, SSL is now working, certificates are offered and accepted, yada yada.

2) I can access the page at{HTTP_HOST}:443/test_plone/VirtualHostRoot/_vh_test_\plone$1 [L,P]

fine, where I have to replace with the IP address of the machine in question. This means the Virtual Host Monster is working correctly, right?

3) The rewriting is actually happening, because the rewriting log shows

client_ip_address - - [11/Nov/2005:18:51:56 --0500] [server_ip_address/sid#81565f0][rid#81ce540/initial] (2) init rewrite engine with requested uri /test_plone/colophon_xhtml.png
client_ip_address - - [11/Nov/2005:18:51:56 --0500] [server_ip_address/sid#81565f0][rid#81ce540/initial] (3) applying pattern '^/test_plone(.*)' to uri '/test_plone/colophon_xhtml.png'
client_ip_address - - [11/Nov/2005:18:51:56 --0500] [server_ip_address/sid#81565f0][rid#81ce540/initial] (2) rewrite /test_plone/colophon_xhtml.png ->
client_ip_address - - [11/Nov/2005:18:51:56 --0500] [server_ip_address/sid#81565f0][rid#81ce540/initial] (2) forcing proxy-throughput with
client_ip_address - - [11/Nov/2005:18:51:56 --0500] [server_ip_address/sid#81565f0][rid#81ce540/initial] (1) go-ahead with proxy request proxy: [OK]

This all looks pretty normal.

4) The error log is fairly unhelpful. Setting LogLevel to debug does
not seem to give any helpful information.

The main error is

[Fri Nov 11 18:51:56 2005] [error] [client client_ip_address] client denied by 
server configuration:

5) Here are the mods I have enabled.

/etc/apache2/mods-enabled# ls -la

drwxr-xr-x   3 root root 4096 2005-11-11 17:21 .
drwxr-xr-x  10 root root 4096 2005-11-11 15:45 ..
lrwxrwxrwx   1 root root   37 2005-11-10 16:52 cgid.conf -> 
lrwxrwxrwx   1 root root   37 2005-11-10 16:52 cgid.load -> 
lrwxrwxrwx   1 root root   28 2005-11-11 17:21 proxy.conf -> 
lrwxrwxrwx   1 root root   28 2005-11-11 17:21 proxy.load -> 
lrwxrwxrwx   1 root root   30 2005-11-11 17:19 rewrite.load -> 
lrwxrwxrwx   1 root root   26 2005-11-10 21:21 ssl.conf -> 
lrwxrwxrwx   1 root root   26 2005-11-10 21:21 ssl.load -> 
lrwxrwxrwx   1 root root   40 2005-11-10 16:52 userdir.conf -> 
lrwxrwxrwx   1 root root   40 2005-11-10 16:52 userdir.load -> 

These are included via the main config file.

6) I was wondering if there might be something wrong with the Proxy thing. I've kept proxy.conf at the Debian defaults. Included below.

In particular, ProxyRequests is off, but another Debian machine I have access to works fine with that setting.

Thanks in advance for your help.

NameVirtualHost *:443
<VirtualHost *:443>
        ServerAdmin [...]

        DocumentRoot /var/www/html-ssl
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/html-ssl>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
#               RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel debug

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/ssl.crt
        SSLCertificateKeyFile /etc/apache2/ssl/ssl.key

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from ::1/128
        </Directory>

        RewriteEngine On
        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 3
        RewriteRule ^/test_plone(.*) \{HTTP_HOST}:443/test_plone/VirtualHostRoot/_vh_test_\plone$1
</VirtualHost>



<IfModule mod_proxy.c>

        #turning ProxyRequests on and allowing proxying from all may allow
        #spammers to use your proxy to send email.

        ProxyRequests Off

        <Proxy *>
                Order deny,allow
                Deny from all
                #Allow from .your_domain.com
        </Proxy>

        # Enable/disable the handling of HTTP/1.1 "Via:" headers.
        # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
        # Set to one of: Off | On | Full | Block

        ProxyVia On

        # To enable the cache as well, edit and uncomment the following lines:
        # (no cacheing without CacheRoot)

        CacheRoot "/var/cache/apache2/proxy"
        CacheSize 5
        CacheGcInterval 4
        CacheMaxExpire 24
        CacheLastModifiedFactor 0.1
        CacheDefaultExpire 1
        # Again, you probably should change this.
        #NoCache a_domain.com another_domain.edu joes.garage_sale.com

</IfModule>


Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
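
In Apache 2.0 a RewriteRule carrying the [P] flag is handed to mod_proxy, so `<Proxy>` access control applies to it, and a `<Proxy *>` block with `Deny from all` like the one quoted above rejects such requests with "client denied by server configuration". The fragment below is an added example, not part of the original message or of Debian's packaging: it keeps the default deny and opens only the backend, whose address `127.0.0.1:8080` is an assumption because the rewrite target in the message is elided.

```apache
# Added example (Apache 2.0 syntax: Order/Allow/Deny, as in the message above).
# ASSUMPTION: the Zope backend listens on 127.0.0.1:8080; substitute the real
# host and port used as the target of the [P] rewrite.

<IfModule mod_proxy.c>

        # Forward proxying stays disabled. Reverse proxying through
        # RewriteRule ... [P] or ProxyPass does not need ProxyRequests On.
        ProxyRequests Off

        # Default policy: refuse every proxied destination.
        <Proxy *>
                Order deny,allow
                Deny from all
        </Proxy>

        # Exception for the single backend the rewrite rule targets.
        # <Proxy> sections are merged in the order they appear, so this later,
        # narrower section overrides the deny above for matching URLs only.
        # "Allow from all" here admits any client to this one destination.
        <Proxy http://127.0.0.1:8080/*>
                Order deny,allow
                Allow from all
        </Proxy>

        # Setting to avoid (left commented out): the combination that the
        # comment in the packaged proxy.conf warns about, which lets arbitrary
        # clients relay to arbitrary destinations.
        #ProxyRequests On
        #<Proxy *>
        #        Order deny,allow
        #        Allow from all
        #</Proxy>

</IfModule>
```

Running `apache2ctl configtest` before reloading confirms the sections parse; the error log then shows whether the denial for the rewritten request has gone.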
