Re: [Zope] securing webdav
On Saturday, 24 September 2005 01:08, David Bear wrote:
> I run zope in back of apache, and let apache handle tls/ssl. In all the
> searching on zope.org though I haven't found any documents on how to let
> apache handle securing webdav for zope as well. Anyone see/written such?

Depending on your situation, an ssh tunnel might be feasible; works perfectly. Small drawback is, you obviously have to open an ssh session first (ssh-agent is your friend).

Cheers, Sascha

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] securing webdav
Hi Sascha.

I realize that you can forward a port this way but this requires providing server accounts to users in addition to zope accounts. scponly is a product to remove other shell functionality - so you can hand out accounts in a more untrusted situation. Either way, handing out server accounts is not something I favor. I am looking either for a proper zope solution or a way of using the apache proxy to accomplish this.

David is right, I have also seen very little about securing webdav outside of ZServerSSL and m2crypto. Anyone happy with the results? I am not even certain if it works with 2.8.

What about sftp? Anyone using Zope Corp's sftp package that can comment? I believe twisted is in the mix for Zope3 and sftp. Can anyone comment on this or whether this solution has some potential for Zope2? I think the Zope Corp idea was twisted obtaining the data on port and supplying the data to zope in the background.

Regards, David

On Saturday, September 24, 2005, at 08:39 AM, Sascha Ottolski wrote:
> On Saturday, 24 September 2005 01:08, David Bear wrote:
> > I run zope in back of apache, and let apache handle tls/ssl. In all the
> > searching on zope.org though I haven't found any documents on how to let
> > apache handle securing webdav for zope as well. Anyone see/written such?
>
> depending on your situation, a ssh tunnel might be feasible; works
> perfectly. small drawback is, you obviously have to open a ssh session
> first (ssh-agent is your friend).
>
> Cheers, Sascha
Re: [Zope] securing webdav
On Saturday, 24.09.2005, 00:29 -0300, David Pratt wrote:
> Hi Tino. Over HTTP is not the problem. It is more on normally https you
> are rewriting your requests to port 443 with apache proxy and your usual
> webdav server is port 1980 that is not secure.

Ah so. I use webdav over the standard port and not using the separate webdav only server. ZServer handles webdav just fine.

Regards
Tino
Re: [Zope] securing webdav
On Saturday, 24.09.2005, 13:39 +0200, Sascha Ottolski wrote:
> On Saturday, 24 September 2005 01:08, David Bear wrote:
> > I run zope in back of apache, and let apache handle tls/ssl. In all the
> > searching on zope.org though I haven't found any documents on how to let
> > apache handle securing webdav for zope as well. Anyone see/written such?
>
> depending on your situation, a ssh tunnel might be feasible; works
> perfectly. small drawback is, you obviously have to open a ssh session
> first (ssh-agent is your friend).

Oh, it's not that hard either, you can use apache as proxy for any host:port combination. That means if you really want to use the separate zope webdav daemon, you can use another hostname, say https://dav.yourdomain.com/ to proxy to zopeserver:webdavport or https://yourdomain.com:8443/ - which works too (and has the advantage of keeping the ssl-certificate valid)
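
[Added example, not part of any poster's message: one way to write the https://yourdomain.com:8443/ variant described in the message above as an Apache virtual host. The certificate paths, the backend address 127.0.0.1:1980 and the presence of a VirtualHostMonster object in the Zope root are assumptions.]

```apache
# Added example: TLS-terminating reverse proxy in front of Zope's separate
# WebDAV port. Needs mod_ssl, mod_proxy and mod_proxy_http.
# Assumed, not from the thread: certificate paths, Zope's WebDAV server
# reachable at 127.0.0.1:1980, a VirtualHostMonster in the Zope root.

Listen 8443

<VirtualHost *:8443>
    # Same hostname as the main HTTPS site, so the existing certificate
    # still matches; only the port differs.
    ServerName yourdomain.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/yourdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain.com.key

    # Reverse proxy only; do not act as a forward proxy.
    ProxyRequests Off

    # VirtualHostBase tells Zope which scheme, host and port the client
    # used, so URLs Zope generates point back at the HTTPS front end
    # instead of the plain-HTTP backend port.
    ProxyPass / http://127.0.0.1:1980/VirtualHostBase/https/yourdomain.com:8443/VirtualHostRoot/
</VirtualHost>
```

The proxy only protects WebDAV traffic if port 1980 is not reachable from clients directly, for example by binding it to the loopback interface or filtering it at the firewall.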
Re: [Zope] securing webdav
On Saturday, 24 September 2005 01:08, David Bear wrote:
> I run zope in back of apache, and let apache handle tls/ssl. In all the
> searching on zope.org though I haven't found any documents on how to let
> apache handle securing webdav for zope as well. Anyone see/written such?

forget that one: another approach might be to put a pound reverse proxy in front of your zope, that handles your ssl connection.

Cheers, Sascha
Re: [Zope] securing webdav
On Friday, 23.09.2005, 16:08 -0700, David Bear wrote:
> I run zope in back of apache, and let apache handle tls/ssl. In all the
> searching on zope.org though I haven't found any documents on how to let
> apache handle securing webdav for zope as well. Anyone see/written such?

webdav works over http - yes, the same http your browser uses. Apache handles this fine. Nothing to do.
Re: [Zope] securing webdav
Hi Tino.

Over HTTP is not the problem. It is more on normally https you are rewriting your requests to port 443 with apache proxy and your usual webdav server is port 1980 that is not secure. I am in the same boat as David. I haven't got my webdav running securely at this point either. The only thing I have heard about is running m2crypto with ZServerSSL but I have read mixed reviews so have been reluctant to install it. Either way I am looking for something also for securing webdav and ftp as well.

As far as sftp I know that Zope Corp has a product in CVS but I have not heard whether it works or if anyone is using it. It relies on the deprecated Twisted 1.1.1 which is at least 2 or 3 years old. I read earlier today of a product called scponly that could help but it looks like it has had some history of vulnerability so not so sure about this solution at this point either.

Regards, David

On Friday, September 23, 2005, at 09:01 PM, Tino Wildenhain wrote:
> On Friday, 23.09.2005, 16:08 -0700, David Bear wrote:
> > I run zope in back of apache, and let apache handle tls/ssl. In all the
> > searching on zope.org though I haven't found any documents on how to let
> > apache handle securing webdav for zope as well. Anyone see/written such?
>
> webdav works over http - yes, the same http your browser uses. Apache
> handles this fine. Nothing to do.