Need Help Configuring Zope Behind Apache

Mark Phillips () Need Help Configuring Zope Behind Apache
I am having a terrible time trying to get my zope server to work behind apache 2.2.9. I am running a Debian server with plone 2.5.5.
 
I have this in my site file (/etc/apache2/sites-enabled):

<VirtualHost *:80>
    ServerName ahsnews.com
    ServerAlias www.ahsnews.com
    ServerAdmin [hidden email]
    ServerSignature on

    DocumentRoot /var/www

    CustomLog     "|/usr/sbin/rotatelogs /var/log/apache2/ahsnews.com/ahsnews.com-access.log 86400" combined
    ErrorLog      "|/usr/sbin/rotatelogs /var/log/apache2/ahsnews.com/ahsnews.com-error.log 86400"
    LogLevel debug


    RewriteEngine on

    # use RewriteLog to debug problems with your rewrite rules
    # disable it after you found the error or your hard disk will be filled *very fast*
    RewriteLog "/var/log/apache2/rewrite_log"
    RewriteLogLevel 3

    RewriteRule ^/(.*) \
        http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/ahs/newspaper/VirtualHostRoot/$1 [L,P]

    ProxyRequests On

    <Proxy *>
      Order Deny,Allow
      Deny from All
      Allow from ahsnews.com
    </Proxy>
</VirtualHost>

The only modification that will work is if I put Allow from All in the Proxy directive. Then the plone site is displayed in a browser. Anything else, and I get error 403 - You don't have permission to access / on this server.
 
I have tried all sorts of combinations, but nothing works...
Allow from 127.0.0.1
Allow from xxx.xxx.xxx.xxx     where xxx.xxx.xxx.xxx is the IP of the server
Allow from .ahsnews.com
 
I also have all the proxy modules enabled: proxy, proxy_http, proxy_connect, proxy_ftp.

Any suggestions would be greatly appreciated.
 
Thanks!
 
Mark


_______________________________________________
Product-Developers mailing list
[hidden email]
http://lists.plone.org/mailman/listinfo/product-developers
Ricardo Newbery-2 () Re: Need Help Configuring Zope Behind Apache

On Jul 27, 2009, at 6:47 PM, Mark Phillips wrote:

> I am having a terrible time trying to get my zope server to work  
> behind apache 2.2.9. I am running a Debian server with plone 2.5.5.
>
  [...]

>     RewriteEngine on
>
>     # use RewriteLog to debug problems with your rewrite rules
>     # disable it after you found the error or your hard disk will be
> filled *very fast*
>     RewriteLog "/var/log/apache2/rewrite_log"
>     RewriteLogLevel 3
>
>     RewriteRule ^/(.*) \
>         http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/
> ahs/newspaper/VirtualHostRoot/$1 [L,P]
>
>     ProxyRequests On
>
>     <Proxy *>
>       Order Deny,Allow
>       Deny from All
>       Allow from ahsnews.com
>     </Proxy>


"ProxyRequests On" makes your Apache a forward proxy.  You want a  
simple reverse proxy.  Dump that line and the following Proxy block.

Ric



Mark Phillips () Re: Need Help Configuring Zope Behind Apache


On Mon, Jul 27, 2009 at 7:33 PM, Mark Phillips <[hidden email]> wrote:

On Mon, Jul 27, 2009 at 7:16 PM, Ricardo Newbery <[hidden email]> wrote:

On Jul 27, 2009, at 6:47 PM, Mark Phillips wrote:

I am having a terrible time trying to get my zope server to work behind apache 2.2.9. I am running a Debian server with plone 2.5.5.

 [...]

   RewriteEngine on

   # use RewriteLog to debug problems with your rewrite rules
   # disable it after you found the error or your hard disk will be filled *very fast*
   RewriteLog "/var/log/apache2/rewrite_log"
   RewriteLogLevel 3

   RewriteRule ^/(.*) \
       http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/ahs/newspaper/VirtualHostRoot/$1 [L,P]

   ProxyRequests On

   <Proxy *>
     Order Deny,Allow
     Deny from All
     Allow from ahsnews.com
   </Proxy>


"ProxyRequests On" makes your Apache a forward proxy.  You want a simple reverse proxy.  Dump that line and the following Proxy block.

Ric


Ric,
 
Thanks...I did what you suggested, but I still get the dreaded 403 error and no access to my site. Any other thoughts?
 
Thanks again,
 
Mark
oops...forgot to copy the plone developers list. Also, some further information - here is the error from the apache logs:
 
[Mon Jul 27 19:37:18 2009] [error] [client 68.231.182.244] client denied by server configuration: proxy:http://127.0.0.1:8080/VirtualHostBase/http/ahsnews.com:80/ahs/newspaper/VirtualHostRoot/

The server is remote, and the client (68.231.182.244) is the computer on my desk.
 
Mark

Ricardo Newbery-2 () Re: Need Help Configuring Zope Behind Apache

On Jul 27, 2009, at 7:39 PM, Mark Phillips wrote:

>
>
> On Mon, Jul 27, 2009 at 7:33 PM, Mark Phillips <[hidden email]
> > wrote:
>
> On Mon, Jul 27, 2009 at 7:16 PM, Ricardo Newbery <[hidden email]
> > wrote:
>
> On Jul 27, 2009, at 6:47 PM, Mark Phillips wrote:
>
> I am having a terrible time trying to get my zope server to work  
> behind apache 2.2.9. I am running a Debian server with plone 2.5.5.
>
>  [...]
>
>    RewriteEngine on
>
>    # use RewriteLog to debug problems with your rewrite rules
>    # disable it after you found the error or your hard disk will be
> filled *very fast*
>    RewriteLog "/var/log/apache2/rewrite_log"
>    RewriteLogLevel 3
>
>    RewriteRule ^/(.*) \
>        http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/
> ahs/newspaper/VirtualHostRoot/$1 [L,P]
>
>    ProxyRequests On
>
>    <Proxy *>
>      Order Deny,Allow
>      Deny from All
>      Allow from ahsnews.com
>    </Proxy>
>
>
> "ProxyRequests On" makes your Apache a forward proxy.  You want a  
> simple reverse proxy.  Dump that line and the following Proxy block.
>
> Ric
>
>
> Ric,
>
> Thanks...I did what you suggested, but I still get the dreaded 403  
> error and no access to my site. Any other thoughts?
>
> Thanks again,
>
> Mark
> oops...forgot to copy the plone developers list. Also, some further
> information - here is the error from the apache logs:
>
> [Mon Jul 27 19:37:18 2009] [error] [client 68.231.182.244] client  
> denied by server configuration: proxy:http://127.0.0.1:8080/VirtualHostBase/http/ahsnews.com:80/ahs/newspaper/VirtualHostRoot/
>
> The server is remote, and the client (68.231.182.244) is the  
> computer on my desk.
>
> Mark



You sure you deleted the Proxy block?  I've heard that some Apache  
installs show anomalous default proxy behavior.  You can try forcing  
the proper default:

<Proxy *>
   Order Deny,Allow
   Allow from all
</Proxy>

Also check the rest of the config for any other proxy directives that  
might be overriding the default behavior.

Ric




Ricardo Newbery-2 () Re: Need Help Configuring Zope Behind Apache

On Jul 27, 2009, at 7:57 PM, Ricardo Newbery wrote:

> You sure you deleted the Proxy block?  I've heard that some Apache  
> installs show anomalous default proxy behavior.  You can try forcing  
> the proper default:
>
> <Proxy *>
>  Order Deny,Allow
>  Allow from all
> </Proxy>
>
> Also check the rest of the config for any other proxy directives  
> that might be overriding the default behavior.
>
> Ric


Specifically, I think Debian and Ubuntu may set a default proxy deny  
all in mods-enabled/proxy.conf -- probably to protect people from the  
security consequences of unknowingly turning on ProxyRequests  ;-)

Ric



Mark Phillips () Re: Need Help Configuring Zope Behind Apache
In reply to this post by Ricardo Newbery-2


On Mon, Jul 27, 2009 at 7:57 PM, Ricardo Newbery <[hidden email]> wrote:

On Jul 27, 2009, at 7:39 PM, Mark Phillips wrote:



On Mon, Jul 27, 2009 at 7:33 PM, Mark Phillips <[hidden email]> wrote:

On Mon, Jul 27, 2009 at 7:16 PM, Ricardo Newbery <[hidden email]> wrote:

On Jul 27, 2009, at 6:47 PM, Mark Phillips wrote:

I am having a terrible time trying to get my zope server to work behind apache 2.2.9. I am running a Debian server with plone 2.5.5.

 [...]

  RewriteEngine on

  # use RewriteLog to debug problems with your rewrite rules
  # disable it after you found the error or your hard disk will be filled *very fast*
  RewriteLog "/var/log/apache2/rewrite_log"
  RewriteLogLevel 3

  RewriteRule ^/(.*) \
      http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/ahs/newspaper/VirtualHostRoot/$1 [L,P]

  ProxyRequests On

  <Proxy *>
    Order Deny,Allow
    Deny from All
    Allow from ahsnews.com
  </Proxy>


"ProxyRequests On" makes your Apache a forward proxy.  You want a simple reverse proxy.  Dump that line and the following Proxy block.

Ric


Ric,

Thanks...I did what you suggested, but I still get the dreaded 403 error and no access to my site. Any other thoughts?

Thanks again,

Mark
oops...forgot to copy the plone developers list. Also, some further information - here is the error from the apache logs:

[Mon Jul 27 19:37:18 2009] [error] [client 68.231.182.244] client denied by server configuration: proxy:http://127.0.0.1:8080/VirtualHostBase/http/ahsnews.com:80/ahs/newspaper/VirtualHostRoot/

The server is remote, and the client (68.231.182.244) is the computer on my desk.

Mark



You sure you deleted the Proxy block?  I've heard that some Apache installs show anomalous default proxy behavior.  You can try forcing the proper default:

<Proxy *>
 Order Deny,Allow
 Allow from all
</Proxy>

Also check the rest of the config for any other proxy directives that might be overriding the default behavior.

Ric

This is my entire config file:
 
<VirtualHost *:80>
    ServerName ahsnews.com
    ServerAlias www.ahsnews.com
    ServerAdmin [hidden email]
    ServerSignature on

    CustomLog     "|/usr/sbin/rotatelogs /var/log/apache2/ahsnews.com/ahsnews.com-access.log 86400" combined
    ErrorLog      "|/usr/sbin/rotatelogs /var/log/apache2/ahsnews.com/ahsnews.com-error.log 86400"
    LogLevel debug

    RewriteEngine on

    # use RewriteLog to debug problems with your rewrite rules
    # disable it after you found the error or your hard disk will be filled *very fast*
    RewriteLog "/var/log/apache2/rewrite_log"
    RewriteLogLevel 3

    RewriteRule ^/(.*) \
        http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}:80/ahs/newspaper/VirtualHostRoot/$1 [L,P]

</VirtualHost>

And I still got error 403. I added the stanza:

<Proxy *>
 Order Deny,Allow
 Allow from all
</Proxy>

and I now can get to my plone site. However, doesn't that <Proxy *> make my server an open proxy for everyone to use?
 
Mark
 


Ricardo Newbery-2 () Re: Need Help Configuring Zope Behind Apache

On Jul 27, 2009, at 9:19 PM, Mark Phillips wrote:

> I added the stanza:
>
> <Proxy *>
>  Order Deny,Allow
>  Allow from all
> </Proxy>
>
> and I now can get to my plone site. However, doesn't that <Proxy *>  
> make my server an open proxy for everyone to use?
>
> Mark


Not when configured as a reverse proxy.  You may want to read up on  
the difference between a forward proxy and a reverse proxy.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Ric




Mark Phillips () Re: Need Help Configuring Zope Behind Apache


On Mon, Jul 27, 2009 at 10:28 PM, Ricardo Newbery <[hidden email]> wrote:

On Jul 27, 2009, at 9:19 PM, Mark Phillips wrote:

I added the stanza:

<Proxy *>
 Order Deny,Allow
 Allow from all
</Proxy>

and I now can get to my plone site. However, doesn't that <Proxy *> make my server an open proxy for everyone to use?

Mark


Not when configured as a reverse proxy.  You may want to read up on the difference between a forward proxy and a reverse proxy.
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Ric

Ric,
 
Thanks for all your help. One last question. I have read almost all of the help pages on the plone site about setting up zope behind apache, and one of them recommended this addition to the apache config:
 
    # prevent the webserver from being used as proxy
    <LocationMatch "^[^/]">
       Deny from all
    </LocationMatch>

Is it necessary?
 
Also, (ok, two questions...;-) ) how can I test if my server is acting as an open proxy from the command line - my server does not have X running? I googled that, and found one reference that suggested

telnet xxx.xxx.xxx.xxx 80
GET http://www.yahoo.com HTTP/1.1

If yahoo is returned, then it is acting as an open proxy. Are there other ways?
 
Thanks!
 
Mark


Ricardo Newbery-2 () Re: Need Help Configuring Zope Behind Apache

On Jul 28, 2009, at 7:06 AM, Mark Phillips wrote:

> Ric,
>
> Thanks for all your help. One last question. I have read almost all  
> of the help pages on the plone site about setting up zope behind  
> apache, and one of them recommended this addition to the apache  
> config:
>
>     # prevent the webserver from being used as proxy
>     <LocationMatch "^[^/]">
>        Deny from all
>     </LocationMatch>
>
> Is it necessary?


No.



> Also, (ok, two questions...;-) ) how can I test if my server is  
> acting as an open proxy from the command line - my server does not  
> have X running? I googled that, and found one reference that suggested
>
> telnet xxx.xxx.xxx.xxx 80
> GET http://www.yahoo.com HTTP/1.1
>
> If yahoo is returned, then it is acting as an open proxy. Are there  
> other ways?
>
> Thanks!
>
> Mark



The test above will only reveal an "HTTP" proxy on port 80, but will  
not reveal a non-HTTP proxy or a proxy on another port.  Note that a  
forward proxy is only an "open proxy" if it's accessible to the  
general anonymous public.  There are legitimate uses for forward  
proxies in more controlled deployments.

Yes, there are other ways to test for open proxies.  For a more
comprehensive test, you could run something like proxycheck
(http://www.corpit.ru/mjt/proxycheck.html) on a list of ports collected
from a port scan.  I believe there are also some web based services out
there somewhere.

In the Apache case, you just need to ensure you have ProxyRequests set  
to "off" (which is the default) and you're fine.  Unless you truly  
need to run a forward proxy, in which case, you should very carefully  
read the Apache docs on how to set this up safely.

Some misc. info on securing open proxies:
http://www.spamlinks.net/prevent-secure-proxy-fix.htm

Ric
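
The telnet test discussed above, as a script to run against your own server (an added example, not code from the thread or from Apache): it sends the same absolute-URI GET and judges the reply by body content rather than status code. The canary URL and token are constructed placeholders for a page you control on another host; as noted in the thread, this only covers HTTP proxying on the port probed.

```python
import socket
from urllib.parse import urlsplit

# Assumptions (not from the thread): CANARY_URL is a page you control on another
# host that returns CANARY_TOKEN in its body; both values are constructed samples.
CANARY_URL = "http://canary.example.net/open-proxy-check.txt"
CANARY_TOKEN = b"canary-7f3a"

def build_probe(canary_url):
    """Forward-proxy style request: absolute URI on the request line."""
    host = urlsplit(canary_url).netloc
    if not host:
        raise ValueError("canary_url must be absolute, e.g. http://host/path")
    return (f"GET {canary_url} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def classify(response, token):
    """Judge the reply by content: a 200 alone is not evidence of forwarding,
    because a reverse-proxy-only server can answer with its own site."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "no-http-response"
    if token in body:
        return "forwarded"        # server fetched the canary for us
    if int(parts[1]) in (403, 407):
        return "refused"          # proxy request denied or needs proxy auth
    return "not-forwarded"        # answered with something other than the canary

def probe(server, port=80, canary_url=CANARY_URL, token=CANARY_TOKEN, timeout=10.0):
    """Send the probe to your own server and classify the raw reply."""
    chunks = []
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_probe(canary_url))
        while data := sock.recv(65536):
            chunks.append(data)
    return classify(b"".join(chunks), token)

if __name__ == "__main__":
    # Constructed replies, so the demo runs offline.
    samples = {
        "open forward proxy": b"HTTP/1.1 200 OK\r\n\r\ncanary-7f3a\n",
        "reverse proxy only": b"HTTP/1.1 200 OK\r\n\r\n<html>Plone site</html>",
        "proxy access denied": b"HTTP/1.1 403 Forbidden\r\n\r\nForbidden",
    }
    for name, raw in samples.items():
        print(f"{name:20} -> {classify(raw, CANARY_TOKEN)}")
```

Run `probe()` from a machine outside the server's own network, since access rules such as `Allow from` can treat local clients differently.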



