What is this?
Hi, my name is Tom Lazar and I'm a Plone and Zope developer based in Berlin, Germany and this is my personal and professional (no big difference, really...) website.
 

Securing Zope and Plone Pt. I: WebDAV over HTTPS


"The Internet is no flower meadow." (Ancient German Proverb)

As much as I've come to appreciate Zope and Plone, one thing has bothered me (about my particular setup; it's nothing Zope- or Plone-specific), and that is the lack of encryption.

So while my SquirrelMail and Mailman installations have been secured with HTTPS from the start, Cyrus and Exim both speak SSL, and no traffic on my machines except DNS was unencrypted, I still had the web admin interface and WebDAV access of Plone and Zope in plaintext. Ouch!

Today, while hanging out at the club, I realized that I would either have to go home too soon or start to implement HTTPS for my Zope installation - sending any kind of unencrypted traffic at the CCC is simply not an option ;-)

So, with a little help from Cryx and Erdgeist I finally got my lazy ass up (not literally, of course) and secured my setup.

I am now posting this to tomster.org/blog via WebDAV and HTTPS, while slowly sliding off a sofa at the club house. In case you are interested in the specific configuration or can help me with my ZMI problem, please read on.

Assuming you've already got an HTTPS host running, add the following to your VirtualHost section. (Installing a certificate and generally enabling HTTPS is not covered here. But here.)

This will give you WebDAV access via the URL https://hostname.tld/webdav/ (You will, of course, have to use an HTTPS-enabled WebDAV client. Unfortunately, MacOS X's Finder supports only unencrypted WebDAV. Currently, the only alternative known to me is Goliath.)

ProxyPass /webdav/ http://localhost:1984/
ProxyPassReverse /webdav/ http://localhost:1984/

That's it! Can't believe I've waited this long ;-) Unfortunately, one problem still remains: I can't access the ZMI (listening on port 8080 /manage/) via HTTPS.

Theoretically, I should be able to access it via https://tomster.org/zmi/manage with the following ProxyPass directive:

ProxyPass /zmi/ http://localhost:8080/
ProxyPassReverse /zmi/ http://localhost:8080/

And while https://tomster.org/zmi/ yields the default start screen of Zope, https://tomster.org/zmi/manage/ seems to redirect to localhost?!? If anybody has got a solution to that, please let me know. Thanks!

Re: Securing Zope and Plone Pt. I: WebDAV over HTTPS

Posted by teo at Feb 06, 2004 12:16 PM

You need a VirtualHostMonster in your root site.

But I have a question: how do you add entries to COREBlog via WebDAV? I couldn't :)
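
The VirtualHostMonster approach mentioned in the comment above, written out as an added example (not part of the original post or of teo's comment). It assumes a VirtualHostMonster object has been added to the Zope root folder and reuses hostname.tld, port 8080 and the /zmi/ prefix from the post; the surrounding VirtualHost block is illustrative.

```apache
# Added example. Assumptions: a VirtualHostMonster object exists in the
# Zope root folder; hostname.tld, port 8080 and /zmi/ are taken from the post.
<VirtualHost *:443>
    ServerName hostname.tld
    SSLEngine on
    # Certificate directives omitted, as in the post.

    # Only the reverse mappings below apply; never act as a forward proxy.
    ProxyRequests Off

    # Before (from the post): Zope sees the request as
    # http://localhost:8080/... and builds the absolute URLs it puts into
    # redirects and ZMI pages from that, so the browser is sent to localhost.
    #ProxyPass        /zmi/ http://localhost:8080/
    #ProxyPassReverse /zmi/ http://localhost:8080/

    # After: the extra path segments are consumed by the VirtualHostMonster.
    #   VirtualHostBase/https/hostname.tld:443  public scheme, host and port
    #   VirtualHostRoot                         Zope folder published as root
    #   _vh_zmi                                 URL prefix added to generated URLs
    # Zope then emits https://hostname.tld/zmi/... itself, so the Location
    # header no longer needs rewriting by ProxyPassReverse.
    ProxyPass /zmi/ http://localhost:8080/VirtualHostBase/https/hostname.tld:443/VirtualHostRoot/_vh_zmi/
</VirtualHost>
```

The proxy only protects traffic that goes through it: if port 8080 is reachable from outside the machine, the ZMI can still be used in plaintext, so the Zope HTTP port should accept connections from the loopback interface only.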

Re: Securing Zope and Plone Pt. I: WebDAV over HTTPS

Posted by Hinnerk at Feb 18, 2004 11:54 PM

/etc/httpd.conf:

# Zope
ProxyPass /zope http://123.123.123.123:8080
ProxyPassReverse /zope http://123.123.123.123:8080
# Pictures etc.
ProxyPass /misc http://123.123.123.123:8080/misc
ProxyPass /p http://123.123.123.123:8080/p

in Zope:
- manage
- add SiteRoot
- Title (ignored)
- Base https://your.url.here/zope
- Path /

... of course this will break your configuration...

Re: Securing Zope and Plone Pt. I: WebDAV over HTTPS

Posted by techmetal at Aug 09, 2004 09:31 AM

Have you tried ssh forwarding to access the ZMI?

for example, on localhost run: ssh -L localport:zopeserver:8080 login@zopeserver

Then access with your webbrowser: http://localhost:localport/manage

to access ZMI with ssh encryption.