[Setup] (no subject)

duese2004 at gmx.de duese2004 at gmx.de
Mon Feb 27 10:14:01 UTC 2006


Hi,

I have a serious problem with Zope 2.9.0.

So far I have been running Plone 2.0.5 on Zope 2.8.4 behind Apache. For several
reasons I only allow access via HTTPS. With Zope 2.8.4 everything worked
fine with a FastCGI configuration and rewrite rules.

In Zope 2.9.0 FastCGI is not supported anymore and you are recommended to
use mod_proxy. Well ... As you can imagine - I tried and I tried hard ...

Everything works fine with HTTP, but as soon as I use HTTPS I cannot
log in anymore.

I tried to narrow down the problem but I somehow cannot figure out what is
wrong. I looked at the network traffic and all POSTs (transmitting the
password to Zope) seem to work fine. Actually, the rewritten HTTPS POSTs
look identical to HTTP POSTs. The only difference in the communication with
Zope: Zope/Plone (the CookieCrumbler) does not return a Set-Cookie
instruction; to be more precise, the CookieCrumbler does not even touch the
header :-(

Please see some snippets from my httpd.conf at the end of this email.

I would really appreciate your help. I looked for manuals describing the
setup of a scenario like mine but I could not find any configuration that is
similar to mine. Please note that I have no choice other than running
Zope behind HTTPS completely (security policy of our network admin).

Every hint is very welcome!

Thank you for your help,
Dan

<start of httpd.conf>

...

Listen server:80
Listen server:443

LoadModule headers_module	modules/mod_headers.so
LoadModule ssl_module		modules/mod_ssl.so
LoadModule proxy_module		modules/mod_proxy.so
LoadModule proxy_http_module	modules/mod_proxy_http.so
LoadModule rewrite_module	modules/mod_rewrite.so

...

<VirtualHost server:80>

...

 # we don't need a DocumentRoot for a Zope-only site
 DocumentRoot  /home/zope/instances/www/

 CustomLog     /usr/local/apache2/logs/zope-access.log combined
 ErrorLog      /usr/local/apache2/logs/zope-error.log
 LogLevel warn

 <IfModule mod_rewrite.c>
   RewriteEngine On

   RewriteRule ^/$ https://server/softsec/ [NC,R=301,L]
   RewriteRule ^/(.*) https://server/$1 [NC,R=301,L]
 </IfModule>

 <IfModule mod_proxy.c>
   ProxyVia On

   # prevent the webserver from being used as proxy
   <LocationMatch "^[^/]">
     Deny from all
   </LocationMatch>
 </IfModule>

</VirtualHost>

...

# SSL host serving actual access to zope

<VirtualHost server:443>
 ServerName    server
 ServerSignature On

 DocumentRoot  /home/zope/instances/www/
 DirectoryIndex index_html

 #<IfModule mod_fastcgi.c>
 #  <Directory /home/zope/instances/www/>
 #    SetHandler fastcgi-script
 #    AddHandler fastcgi-script .fcgi
 #    AllowOverride none
 #    Options ExecCGI
 #    Order allow,deny
 #    Allow from all
 #  </Directory>
 #</IfModule>

 CustomLog     /usr/local/apache2/logs/zope-ssl-access.log combined
 ErrorLog      /usr/local/apache2/logs/zope-ssl-error.log
 LogLevel info

 SSLEngine on
 SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

 <Location />
   # Force usage of ssl encryption
   SSLRequireSSL

   # SSL client certs:  none, optional, require
   # Note: optional doesn't work with all browsers
   SSLVerifyDepth 1
   SSLVerifyClient none

   AuthUserFile /home/other/.htpasswd
   AuthType Basic
   Require valid-user 

   SSLOptions +StdEnvVars +StrictRequire
   # SetHandler fastcgi-script
 </Location>


 <IfModule mod_rewrite.c>
  RewriteEngine On

  RewriteLog "/usr/local/apache2/logs/server-ssl-rewrite_log"
  RewriteLogLevel 2

  # new rules do not allow authentication

  RewriteRule ^/(.*) http://127.0.0.1:18080/VirtualHostBase/https/server:443/soft/VirtualHostRoot/$1 [P,L]
  RewriteRule ^/soft(.*) http://127.0.0.1:18080/VirtualHostBase/https/server:443/soft/VirtualHostRoot/_vh_soft$1 [P,L]

  # old fastcgi rewrite rules

 # RewriteRule ^/$ /zope.fcgi/VirtualHostBase/https/server:443/soft/VirtualHostRoot/_vh_soft/ [L]
 # RewriteRule ^/soft(.*) /zope.fcgi/VirtualHostBase/https/server:443/soft/VirtualHostRoot/_vh_soft/$1 [L]
 </IfModule>

 <IfModule mod_proxy.c>
  ProxyVia On

# I also tried to use PROXYPASS but it does not work 

#  ProxyPass /soft http://127.0.0.1:18080/VirtualHostBase/https/server:443/soft/VirtualHostRoot/_vh_soft
#  ProxyPassReverse /softsec_test http://127.0.0.1:18080/VirtualHostBase/https/server:443/soft/VirtualHostRoot/_vh_soft
#  ProxyPassReverseCookieDomain 127.0.0.1 server
#  ProxyPassReverseCookiePath /soft/ /soft/

  # prevent the webserver from being used as proxy
  <LocationMatch "^[^/]">
    # SetHandler fastcgi-script
    Deny from all
  </LocationMatch>
 </IfModule>

</VirtualHost>

... 

<end of httpd.conf>

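A check of how the two proxy rewrite rules in the HTTPS virtual host above are evaluated, as an added example that is not part of the original post. It assumes mod_rewrite's first-match behaviour for rules flagged [P,L] and a simplified model of the VirtualHostMonster path layout (VirtualHostBase/protocol/host:port/.../VirtualHostRoot/_vh_prefix/...); the function names and sample paths are constructed.

```python
import re

BACKEND = ("http://127.0.0.1:18080/VirtualHostBase/https/server:443"
           "/soft/VirtualHostRoot/")

# The two [P,L] rules from the HTTPS virtual host, in the order they appear.
RULES = [
    (r"^/(.*)", BACKEND + "$1"),
    (r"^/soft(.*)", BACKEND + "_vh_soft$1"),
]

# Constructed sample request paths.
SAMPLE_PATHS = ["/", "/soft", "/soft/login_form", "/other"]


def proxy_target(path, rules=RULES):
    """Return (rule_index, backend_url) for the first matching rule ([L] stops there)."""
    for index, (pattern, substitution) in enumerate(rules):
        match = re.search(pattern, path)
        if match:
            return index, substitution.replace("$1", match.group(1))
    return None, None


def vhm_view(backend_url):
    """Return (public_path, zope_path) as VirtualHostMonster derives them (simplified)."""
    segments = backend_url.split("/VirtualHostBase/", 1)[1].split("/")
    root_at = segments.index("VirtualHostRoot")
    physical_root = segments[2:root_at]      # after protocol and host:port
    rest = segments[root_at + 1:]
    prefix = []
    while rest and rest[0].startswith("_vh_"):
        prefix.append(rest.pop(0)[4:])       # _vh_ parts exist only in public URLs
    public_path = "/" + "/".join(prefix + rest)
    zope_path = "/" + "/".join(physical_root + rest)
    return public_path, zope_path


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        index, url = proxy_target(path)
        public_path, zope_path = vhm_view(url)
        print(f"{path!r}: rule {index}, public {public_path}, Zope {zope_path}")
```

Because `^/(.*)` matches every path, the `^/soft(.*)` rule is never reached in the order shown, so a request for `/soft/...` is traversed in Zope without the `_vh_soft` prefix.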


