
Re: Zope-2.7 both http and https in parallel? (l-pound: addressed to exclusive sender for this address)
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-06 18:10:52 [ FULL ]
Sascha Ottolski <sascha.ottolski(at)gallileus.de> writes:[...]

After having posted the solution to zope(at)zope.org already, I find you
have cross-posted to the pound ML. So your problem really is the same as
mine was :-)

Ok, I'll just ask here: I have developed a simple patch to the config
machinery adding an additional servertype (<https-server>) to the Zope
config. Should I post the patch here again or is everybody interested
also following the zope(at)zope.org list?

I suggest including something like this either into Zope itself or,
if that does not happen, at least adding this (or a better :-) ) patch to
the pound distribution (like the patched versions of z2.py). I'd
offer this patch for inclusion.

Stefan.
[...]

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-06 18:38:48 [ FULL ]
On Thursday, 6 May 2004 18:05, you wrote:[...]

Ah, I overlooked this, you're talking about 

HTTPSHeaders 1 "Front-End-Https: on"

Maybe this should go into the man page as well :-) Didn't try it, but 
this really should do the trick.
[...]

As far as I interpreted the schemas right, it's not.
[...]

That still leaves the problem at the Zope end: you would need to start 
two Zope servers as well, as HTTPS ON can only be configured as a global 
parameter :-( Your first suggestion seems to be promising, though.

In addition, I've found another solution, that seems to work quite well: 
add an access rule like this:

request = container.REQUEST
if request.SERVER_URL[-4:] == ':443':
    request.setServerURL(protocol='https')
    #request.setServerURL(protocol='http', port='80')

The second commented line seems to be an interesting option if you don't 
want every URL to be "https".


Cheers,

Sascha
[...]

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-06 19:05:29 [ FULL ]
On Thursday, 6 May 2004 18:38, you wrote:[...]

Well, I was curious and tested it, and it doesn't, but this might be 
Zope's fault. I tried


HTTPSHeaders 0 "HTTPS: ON"


Zope then receives "HTTP_HTTPS ON" but looks for "HTTPS ON":


if have_env('HTTPS') and (
    environ['HTTPS'] == "on" or environ['HTTPS'] == "ON"):
    protocol = 'https'
elif (have_env('SERVER_PORT_SECURE') and
    environ['SERVER_PORT_SECURE'] == "1"):
    protocol = 'https'


Of course, the fix on Zope's end would be easy.


Cheers,

Sascha


P.S. It really would be nice if the list software would add a Reply-To 
header :-)
[...]

Re: Zope-2.7 both http and https in parallel? (l-pound: addressed to exclusive sender for this address)
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-06 21:43:19 [ FULL ]
Wow ... a load of new ideas ...

Robert Segall <roseg(at)apsis.ch> writes:[...]

I don't remember if I tested that. Maybe I did not; coming from 2.6
with the 'pre-installed' idea, I had to start an additional server
type.
[...]

I tried that. It's not possible
[...]

Yeah, that will work, of course, but that means that for *every* Zope
instance I'd need its own ZEO server. Ok, ZEO has some advantages,
but that would complicate the setup considerably ...
[...]

?? Using Zope 2.6? That is out of the question for me. 2.7 has several
new features, not the least being the *much* better configurability.

I'll check on the HTTPS-Header stuff and report back on the result.
[...]

Re: Zope-2.7 both http and https in parallel?
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-07 11:40:37 [ FULL ]
Sascha Ottolski <sascha.ottolski(at)gallileus.de> writes:[...]

Ok. Good point. Maybe I will alter the patch. However, it might well
be that this is intentional, since arbitrary HTTP headers can be sent
by the client to Zope. If Zope is running behind pound, this is no
problem using 'HeadRemove', but without pound this might be
problematic.

So the best solution might well be to add a config variable to enable
Zope to honor 'Front-end-Https: on' headers or the like.

Alternatively, I could think of honoring this header if the connection
comes in from a 'trusted-proxy'. Hmm. I might just write such a patch
:-) I already did to make Zope honor 'X-Forwarded-For' headers
coming from a 'trusted-proxy' when writing the Z2.log.
[...]

Not really. I think the current configuration is better: reply
replies to the author, followup replies to the list. It's my finger
slipping to 'r' instead of 'f' ...
[...]

Re: Zope-2.7 both http and https in parallel?
Robert Segall <roseg(at)apsis.ch>
2004-05-10 15:37:59 [ FULL ]
I'll try a short summary of the status (including messages from the Zope 
list).

Problem: having Zope 2.7 behind Pound, serving both HTTP and HTTPS requests.

Proposed solutions:

- have Pound add a "HTTPS: On" header to requests (same as for OWA). Zope 
translates this to "HTTP_HTTPS: On", so it won't work. Zope could be patched 
to accept it.

- have a nested "HTTPS ON" directive in the Zope config. Zope does not accept 
this - directives may not be nested, they are always global.

- run two Pound instances and two ZEO clients as back-ends, one for HTTP and 
one for HTTPS. Solution works but is complex.

- use an AccessRule in Zope to force HTTPS. Works, but then all the contents 
of the Folder are served exclusively via HTTPS.

- various Zope source and/or application patches suggested by Stefan Bund and 
Sascha Ottolski (see the Zope mailing list for details).

I hope this is correct - please let me know if I missed anything. I would also 
be interested in hearing what you actually used for a solution.[...]

Re: Zope-2.7 both http and https in parallel?
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-10 21:35:09 [ FULL ]
Robert Segall <roseg(at)apsis.ch> writes:[...]

As far as I understood, this is not correct. Since the AccessRule can
check the port number, you need to start two http servers on two
different ports and do the rewrite magic only on one of the port
numbers. Hmm. But I don't know, whether you can start two http servers
and can't check right now.

The only problem is, that whenever you reconfigure the ports, you need
to update the AccessRule.

But there is another possibility, which I believe now is the best
solution. You can write an AccessRule to check for the HTTP_HTTPS
(or HTTP_FRONT_END_HTTPS) header. Then you don't even need to start
two http servers.

The only thing I don't like about this is that for every instance
installation you have to manipulate the ZODB. Therefore I think I
might just write a simple file-system Product for Zope which uses
the AccessRule idea checking the HTTP headers. From a Product I can
just call register_before_traverse at Product initialization
time, which I find to be better than adding some object TTW.

I don't have too much time for this at the moment even though this
will be only a few lines of code. I'll get to it, when I have to make
the next Server upgrade.

Stefan.
[...]

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-11 11:12:41 [ FULL ]
On Monday, 10 May 2004 21:35, Stefan Bund wrote:[...]

No, you don't have to. If your frontend pound listens on both port 80 
and 443, but forwards all requests to the same backend port, you're done. 
Since pound doesn't manipulate the original headers, you'll find out if it 
was http or https in your access rule. Then you can decide how URLs 
should be written by Zope. Of course, you can add more distinctions 
here, like which URL was called etc. I would think that that way one 
single access rule in the root should be able to handle everything you 
need:

request = container.REQUEST
if request.SERVER_URL[-4:] == ':443':
    if request.PATH.find('someURLstring') >= 0:
        request.setServerURL(protocol='https')
    else:
        request.setServerURL(protocol='http', port='80')

[...]

But anyway, if you really need to, you could start different 
http-servers on different ports, just add more <http-server> blocks in 
your zope.conf.

However, I couldn't find out how one single pound would be able to 
redirect traffic to two different ports on behalf of the original 
request, so two pounds would be necessary. Which is ugly, I think.

Or could you do something like:

HTTPSHeaders 1 "HTTPS: ON"

URLGroup ".*"
HeadRequire HTTPS "ON"
BackEnd 127.0.0.1,1443,9
EndGroup

URLGroup ".*"
BackEnd 127.0.0.1,1080,9
EndGroup


I don't think so, but didn't try. And if I'm right the original port 
isn't available for the URLGroup check, either, to do something like

URLGroup ":443.*"
BackEnd 127.0.0.1,1443,9
EndGroup


Anyway, I think the access rule trick does well enough, at least for 
me :-)


Cheers,

Sascha

[...]

Re: Zope-2.7 both http and https in parallel?
Robert Segall <roseg(at)apsis.ch>
2004-05-11 14:10:28 [ FULL ]
On Tuesday 11 May 2004 11.12, Sascha Ottolski wrote:[...]

Very nice! May I ask why you don't do the same on HTTP_HTTPS?
[...]

De gustibus et coloribus non est disputandum.
[...]

Doesn't work - headers are checked BEFORE adding.
[...]

Not really, more like:

URLGroup ".*"
HeadRequire Host ".*:443"
BackEnd 127.0.0.1,1443,9
EndGroup
[...]
[...]

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-11 14:53:02 [ FULL ]
On Tuesday, 11 May 2004 14:10, Robert Segall wrote:[...]

Uh, very good point :-) The idea with HTTPS: ON was to let Zope 
automagically detect the case that an SSL request came in, which happens 
somewhere in ZPublisher/HTTPRequest.py:

if have_env('HTTPS') and (
    environ['HTTPS'] == "on" or environ['HTTPS'] == "ON"):
    protocol = 'https'
elif (have_env('SERVER_PORT_SECURE') and
    environ['SERVER_PORT_SECURE'] == "1"):
    protocol = 'https'
[...]

That's it! Thanks a lot, that was the missing piece :-) BTW, if I see 
this right, this would as well eliminate the need for two pound 
instances for your z2.py patches for 2.5 and 2.6, right?


Cheers,

Sascha
[...]
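The three mechanisms discussed in this thread (the stock Zope 2.7 protocol detection quoted above, Stefan Bund's "trusted-proxy" idea for honoring a proxy-added HTTPS header, and Sascha Ottolski's access rule keyed on the ":443" port suffix) can be modelled in a few pure functions. The following is an added example, not code from the thread, from Zope or from Pound; the function names, the TRUSTED_PROXIES address and the sample requests are assumptions made for the example. It reproduces the CGI translation that turns a "HTTPS: ON" request header into HTTP_HTTPS, which is why the stock check ignores it, and shows why a check on HTTP_HTTPS or HTTP_FRONT_END_HTTPS must be gated on the peer address: a client that reaches Zope directly can send the same header.

```python
# Added example modelling the detection logic discussed in the thread.
# detect_protocol, proxy_protocol, access_rule_rewrite, cgi_environ and
# TRUSTED_PROXIES are names invented for this example (assumptions).

def cgi_environ(headers, remote_addr, server_vars=None):
    """Build a CGI-style environ the way an HTTP server does: every
    request header becomes HTTP_<NAME> with '-' replaced by '_'.
    This is the translation that turns Pound's "HTTPS: ON" into
    HTTP_HTTPS, as observed in the thread."""
    environ = {"REMOTE_ADDR": remote_addr}
    environ.update(server_vars or {})
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ

def detect_protocol(environ):
    """The stock Zope 2.7 check quoted from ZPublisher/HTTPRequest.py:
    only the server-provided HTTPS / SERVER_PORT_SECURE variables count,
    so a header-derived HTTP_HTTPS is never consulted."""
    have_env = environ.__contains__  # stands in for Zope's have_env
    if have_env("HTTPS") and environ["HTTPS"] in ("on", "ON"):
        return "https"
    if have_env("SERVER_PORT_SECURE") and environ["SERVER_PORT_SECURE"] == "1":
        return "https"
    return "http"

# Assumed address of the Pound front-end; in practice the configured
# proxy address(es) the Zope instance is allowed to trust.
TRUSTED_PROXIES = {"127.0.0.1"}

def proxy_protocol(environ, trusted=TRUSTED_PROXIES):
    """Stefan Bund's 'trusted-proxy' variant: honour HTTP_HTTPS or
    HTTP_FRONT_END_HTTPS only when the TCP peer is a trusted proxy.
    The same header from any other address is ignored, because a client
    talking to Zope directly can set arbitrary request headers."""
    if detect_protocol(environ) == "https":
        return "https"
    if environ.get("REMOTE_ADDR") not in trusted:
        return "http"
    for var in ("HTTP_HTTPS", "HTTP_FRONT_END_HTTPS"):
        if environ.get(var, "").lower() == "on":
            return "https"
    return "http"

def access_rule_rewrite(environ, https_paths=("someURLstring",)):
    """Sascha Ottolski's access rule as a pure function. Pound forwards
    the original Host header unchanged, so (as the thread assumes) a
    request that came in on the HTTPS listener carries a ':443' suffix.
    Returns the (protocol, port) the rule would pass to setServerURL,
    or None when the rule leaves the request alone."""
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO", "")
    if not host.endswith(":443"):
        return None
    if any(fragment in path for fragment in https_paths):
        return ("https", "443")
    return ("http", "80")

if __name__ == "__main__":
    # Constructed sample: Pound (127.0.0.1) adds "HTTPS: ON" on its 443 listener.
    via_pound = cgi_environ({"HTTPS": "ON", "Host": "www.example.com:443"},
                            "127.0.0.1", {"SERVER_PORT": "8080"})
    print(detect_protocol(via_pound), proxy_protocol(via_pound))
    # Constructed sample: a direct client sending the same header.
    direct = cgi_environ({"HTTPS": "ON", "Host": "www.example.com:443"},
                         "10.0.0.5", {"SERVER_PORT": "8080"})
    print(detect_protocol(direct), proxy_protocol(direct))
```

Run as a script, the first line prints "http https" (the stock check ignores HTTP_HTTPS, the gated check accepts it from the proxy) and the second prints "http http" (the gated check refuses the header from an untrusted peer). Pound's own HeadRemove directive on the listener gives the same protection for the header-based rule without changing Zope, which is the arrangement Stefan Bund describes.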

Re: Zope-2.7 both http and https in parallel?
Robert Segall <roseg(at)apsis.ch>
2004-05-11 14:58:23 [ FULL ]
On Tuesday 11 May 2004 14.53, Sascha Ottolski wrote:[...]

Yes it would. Perhaps you would care to write a short README/FAQ/HOWTO entry 
to add to the next release?[...]

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-11 15:32:39 [ FULL ]
On Tuesday, 11 May 2004 14:58, Robert Segall wrote:[...]

I'll give my very best...but please hang on until next week.

Sascha
[...]
