Re: Zope-2.7 both http and https in parallel? (l-pound: addressed to exclusive sender for this address)
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-06 18:10:52
Sascha Ottolski <sascha.ottolski(at)gallileus.de> writes:
> Now the missing piece is, to add the "HTTPS ON" Header only for request 
> to port 443. As far as I understand, pound can't do this.

After having posted the solution to zope(at)zope.org already, I find you
have cross-posted to the pound ML. So your problem really is the same as
mine was :-)

Ok, I'll just ask here: I have developed a simple patch to the config
machinery adding an additional servertype (<https-server>) to the Zope
config. Should I post the patch here again or is everybody interested
also following the zope(at)zope.org list?

I suggest including something like this either in Zope itself or,
if that does not happen, at least adding this (or a better :-) ) patch to
the pound distribution (like the patched versions of z2.py). I'd
offer this patch for inclusion.

Stefan.

-- 
-- *DON'T* TRY TO REACH ME DIRECTLY AT ABOVE EMAIL ADDRESS. Any reply
-- received off-list at that address will be *silently* and
-- *unconditionally* dropped. You can attribute this inconvenience to
-- the proliferation of spammers on the Internet. I hope, you can
-- understand my position and accept my counter measures.

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-06 18:38:48
On Thursday, 6 May 2004 18:05, you wrote:
> - if 2.7 honours the "Https: On" header in requests (the way OWA
> does) then it is easy to add that header only to HTTPS requests in
> Pound. See the README for details.

ah, overlooked this, you're talking about 

HTTPSHeaders 1 "Front-End-Https: on"

Maybe this should go into the man page as well :-) Didn't try it, but 
this really should do the trick.

>
> - failing that I would look again at the 2.7 config - could it be
> that the directives can be nested?

As far as I interpreted the schemas right, it's not.

>
> - as a last instance: start two ZEO clients, one for HTTP and one for
> HTTPS. Run two Pound instances. Ugly, but guaranteed to work...

That still leaves the problem at the Zope end: you would need to start 
two Zope servers as well, as HTTPS ON can only be configured as a global 
parameter :-( Your first suggestion seems to be promising, though.

In addition, I've found another solution that seems to work quite well: 
add an access rule like this:

request = container.REQUEST
if request.SERVER_URL[-4:] == ':443':
    request.setServerURL(protocol='https')
    #request.setServerURL(protocol='http', port='80')

The second, commented-out line seems to be an interesting option if you don't 
want every URL to be "https".


Cheers,

Sascha

-- 
Gallileus - the power of knowledge

Gallileus GmbH                    http://www.gallileus.info/

Pintschstraße 16                  fon +49-(0)30-41 93 43 43
10249 Berlin                      fax +49-(0)30-41 93 43 45
Germany



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CURRENT NOTICE (May 2004)

Literature Alerts - literature searching (as if) in your sleep!

From now on, more about this at:
http://www.gallileus.info/gallileus/about/products/alerts/
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-06 19:05:29
On Thursday, 6 May 2004 18:38, you wrote:
> On Thursday, 6 May 2004 18:05, you wrote:
> > - if 2.7 honours the "Https: On" header in requests (the way OWA
> > does) then it is easy to add that header only to HTTPS requests in
> > Pound. See the README for details.
>
> ah, overlooked this, you're talking about
>
> HTTPSHeaders 1 "Front-End-Https: on"
>
> Maybe this should go into the man page as well :-) Didn't try it, but
> this really should do the trick.

Well, I was curious and tested it, and it doesn't, but this might be 
Zope's fault. I tried


HTTPSHeaders 0 "HTTPS: ON"


Zope then receives "HTTP_HTTPS ON" but looks for "HTTPS ON":


if have_env('HTTPS') and (
    environ['HTTPS'] == "on" or environ['HTTPS'] == "ON"):
    protocol = 'https'
elif (have_env('SERVER_PORT_SECURE') and
    environ['SERVER_PORT_SECURE'] == "1"):
    protocol = 'https'


Of course, the fix on Zope's end would be easy.


Cheers,

Sascha


P.S. It really would be nice if the list software would add a Reply-To 
header :-)


Re: Zope-2.7 both http and https in parallel? (l-pound: addressed to exclusive sender for this address)
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-06 21:43:19
Wow ... a load of new ideas ...

Robert Segall <roseg(at)apsis.ch> writes:
> - if 2.7 honours the "Https: On" header in requests (the way OWA does)
> then it is easy to add that header only to HTTPS requests in Pound. See
> the README for details.

I don't remember if I tested that. Maybe I did not; coming from 2.6
with the 'pre-installed' idea, I had to start an additional server
type.

> - failing that I would look again at the 2.7 config - could it be that
> the directives can be nested?

I tried that. It's not possible.

> - as a last instance: start two ZEO clients, one for HTTP and one for
> HTTPS. Run two Pound instances. Ugly, but guaranteed to work...

Yeah, that will work, of course, but that means that for *every* Zope
instance I'd need its own ZEO server. Ok, ZEO has some advantages,
but that would complicate the setup considerably ...

> I won't even start on the possibility of using 2.6 with the existing
> patch.

?? Using Zope 2.6? That is out of the question for me. 2.7 has several
new features, not the least being the *much* better configurability.

I'll check on the HTTPS-Header stuff and report back on the result.


Re: Zope-2.7 both http and https in parallel?
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-07 11:40:37
Sascha Ottolski <sascha.ottolski(at)gallileus.de> writes:
> Zope then receives "HTTP_HTTPS ON" but looks for "HTTPS ON":

Ok. Good point. Maybe I will alter the patch. However, it might well
be that this is intentional, since arbitrary HTTP headers can be sent
by the client to Zope. If Zope is running behind pound, this is no
problem using 'HeadRemove', but without pound this might be
problematic.

So the best solution might well be to add a config variable to enable
Zope to honor 'Front-end-Https: on' headers or the like.

Alternatively, I could think of honoring this header if the connection
comes in from a 'trusted proxy'. Hmm. I might just write such a patch
:-) I already did so to make Zope honor 'X-Forwarded-For' headers
coming from a 'trusted proxy' when writing the Z2.log.

> P.S. It really would be nice if the list software would add a Reply-To 
> header :-)

Not really. I think the current configuration is better: reply
replies to the author, followup replies to the list. It's my finger
slipping to 'r' instead of 'f' ...

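
The two points above, that Pound's "HTTPS: ON" reaches Zope only as the CGI
variable HTTP_HTTPS (so the stock ZPublisher check quoted earlier in the thread
never sees it), and that any client could send such a header itself unless it is
only honoured from a trusted proxy, are easy to see in a small model. The code
below is an added example and is not Zope's, Pound's or any participant's code;
the header-to-environ mapping follows the usual CGI convention, the trusted-proxy
address and the `trusted_proxy_protocol` function are assumptions made for the demo.

```python
# Added example, not from the thread: models how a front-end header such as
# "HTTPS: ON" arrives in Zope's CGI-style environ, why the stock check quoted
# from ZPublisher/HTTPRequest.py does not match it, and how a "trusted proxy"
# variant (Stefan Bund's idea, hypothetical implementation) would honour it.
import re

# Constructed sample value: the address Pound would connect from (assumption).
TRUSTED_PROXIES = {"127.0.0.1"}


def headers_to_environ(headers, remote_addr, server_port="8080"):
    """Build a CGI-style environ the way a Python HTTP server does: every
    request header becomes HTTP_<NAME>, uppercased, with '-' turned into '_'.
    This is why "HTTPS: ON" shows up as environ['HTTP_HTTPS']."""
    environ = {"REMOTE_ADDR": remote_addr, "SERVER_PORT": server_port}
    for name, value in headers:
        key = "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())
        environ[key] = value
    return environ


def zope_protocol(environ):
    """The check quoted from ZPublisher/HTTPRequest.py in the thread: only the
    bare HTTPS or SERVER_PORT_SECURE variables are consulted, never HTTP_HTTPS."""
    have_env = environ.__contains__
    if have_env("HTTPS") and environ["HTTPS"] in ("on", "ON"):
        return "https"
    if have_env("SERVER_PORT_SECURE") and environ["SERVER_PORT_SECURE"] == "1":
        return "https"
    return "http"


def trusted_proxy_protocol(environ, trusted=TRUSTED_PROXIES):
    """Hypothetical variant: honour HTTP_HTTPS / HTTP_FRONT_END_HTTPS only when
    the TCP peer is a known proxy, so a client reaching Zope directly cannot
    mark its own plain-HTTP request as HTTPS just by adding a header."""
    if environ.get("REMOTE_ADDR") not in trusted:
        return zope_protocol(environ)
    for key in ("HTTP_HTTPS", "HTTP_FRONT_END_HTTPS"):
        if environ.get(key, "").lower() == "on":
            return "https"
    return zope_protocol(environ)


if __name__ == "__main__":
    # Request forwarded by Pound with "HTTPSHeaders 0 'HTTPS: ON'" applied.
    via_pound = headers_to_environ(
        [("Host", "www.example.org:443"), ("HTTPS", "ON")], "127.0.0.1")
    print("from pound:", via_pound["HTTP_HTTPS"],
          zope_protocol(via_pound), trusted_proxy_protocol(via_pound))
    # Same header sent by an arbitrary client straight to the Zope port.
    direct = headers_to_environ([("Front-End-Https", "on")], "203.0.113.7")
    print("direct client:", trusted_proxy_protocol(direct))
```

Running it shows the stock check returning "http" even for the request Pound
marked, while the trusted-proxy variant returns "https" for that request and
still "http" for the same header sent from an untrusted address.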

Re: Zope-2.7 both http and https in parallel?
Robert Segall <roseg(at)apsis.ch>
2004-05-10 15:37:59
I'll try a short summary of the status (including messages from the Zope 
list).

Problem: having Zope 2.7 behind Pound, serving both HTTP and HTTPS requests.

Proposed solutions:

- have Pound add a "HTTPS: On" header to requests (same as for OWA). Zope 
translates this to "HTTP_HTTPS: On", so it won't work. Zope could be patched 
to accept it.

- have a nested "HTTPS ON" directive in the Zope config. Zope does not accept 
this - directives may not be nested, they are always global.

- run two Pound instances and two ZEO clients as back-ends, one for HTTP and 
one for HTTPS. Solution works but is complex.

- use an AccessRule in Zope to force HTTPS. Works, but then all the contents 
of the Folder are served exclusively via HTTPS.

- various Zope source and/or application patches suggested by Stefan Bund and 
Sascha Ottolski (see the Zope mailing list for details).

I hope this is correct - please let me know if I missed anything. I would also 
be interested in hearing what you actually used for a solution.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904

Re: Zope-2.7 both http and https in parallel?
Stefan Bund <l-pound.z.xalan(at)xoxy.net>
2004-05-10 21:35:09
Robert Segall <roseg(at)apsis.ch> writes:
> - use an AccessRule in Zope to force HTTPS. Works, but then all the contents 
> of the Folder are served exclusively via HTTPS.

As far as I understood, this is not correct. Since the AccessRule can
check the port number, you need to start two HTTP servers on two
different ports and do the rewrite magic only on one of the port
numbers. Hmm. But I don't know whether you can start two HTTP servers,
and I can't check right now.

The only problem is that whenever you reconfigure the ports, you need
to update the AccessRule.

But there is another possibility, which I believe now is the best
solution. You can write an AccessRule to check for the HTTP_HTTPS
(or HTTP_FRONT_END_HTTPS) header. Then you don't even need to start
two HTTP servers.

The only thing I don't like about this is that for every instance
installation you have to manipulate the ZODB. Therefore I think I
might just write a simple file-system Product for Zope which uses
the AccessRule idea, checking the HTTP headers. From a Product I can
just call register_before_traverse at Product initialization
time, which I find to be better than adding some object TTW.

I don't have too much time for this at the moment, even though this
will be only a few lines of code. I'll get to it when I have to make
the next server upgrade.

Stefan.


Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-11 11:12:41
On Monday, 10 May 2004 21:35, Stefan Bund wrote:
> Robert Segall <roseg(at)apsis.ch> writes:
> > - use an AccessRule in Zope to force HTTPS. Works, but then all the
> > contents of the Folder are served exclusively via HTTPS.
>
> As far as I understood, this is not correct. Since the AccessRule can
> check the port number, you need to start two http servers on two
> different ports and do the rewrite magic only on one of the port

No, you don't have to. If your frontend pound listens on both port 80 
and 443 but forwards all requests to the same backend port, you're done. 
Since pound doesn't manipulate the original headers, you'll find out in 
your access rule whether it was http or https. Then you can decide how URLs 
should be written by Zope. Of course, you can add more distinctions 
here, like which URL was called etc. I would think that that way one 
single access rule in the root should be able to handle everything you 
need:

request = container.REQUEST
if request.SERVER_URL[-4:] == ':443':
    if request.PATH.find('someURLstring') >= 0:
        request.setServerURL(protocol='https')
    else:
        request.setServerURL(protocol='http', port='80')


> numbers. Hmm. But I don't know, whether you can start two http
> servers and can't check right now.

But anyway, if you really need to, you could start different 
HTTP servers on different ports; just add more <http-server> blocks in 
your zope.conf.

However, I couldn't find out how one single pound would be able to 
redirect traffic to two different ports on behalf of the original 
request, so two pounds would be necessary. Which is ugly, I think.

Or could you do something like:

HTTPSHeaders 1 "HTTPS: ON"

URLGroup ".*"
HeadRequire HTTPS "ON"
BackEnd 127.0.0.1,1443,9
EndGroup

URLGroup ".*"
BackEnd 127.0.0.1,1080,9
EndGroup


I don't think so, but didn't try. And if I'm right, the original port 
isn't available for the URLGroup check either, to do something like

URLGroup ":443.*"
BackEnd 127.0.0.1,1443,9
EndGroup


Anyway, I think the AccessRule trick does well enough, at least for 
me :-)


Cheers,

Sascha



Re: Zope-2.7 both http and https in parallel?
Robert Segall <roseg(at)apsis.ch>
2004-05-11 14:10:28
On Tuesday 11 May 2004 11.12, Sascha Ottolski wrote:
> On Monday, 10 May 2004 21:35, Stefan Bund wrote:
> > Robert Segall <roseg(at)apsis.ch> writes:
> > > - use an AccessRule in Zope to force HTTPS. Works, but then all the
> > > contents of the Folder are served exclusively via HTTPS.
> >
> > As far as I understood, this is not correct. Since the AccessRule can
> > check the port number, you need to start two http servers on two
> > different ports and do the rewrite magic only on one of the port
>
> No, you don't have to. If your frontend pound listens on both port 80
> and 443 but forwards all requests to the same backend port, you're done.
> Since pound doesn't manipulate the original headers, you'll find out in
> your access rule whether it was http or https. Then you can decide how URLs
> should be written by Zope. Of course, you can add more distinctions
> here, like which URL was called etc. I would think that that way one
> single access rule in the root should be able to handle everything you
> need:
>
> request = container.REQUEST
> if request.SERVER_URL[-4:] == ':443':
>     if request.PATH.find('someURLstring') >= 0:
>         request.setServerURL(protocol='https')
>     else:
>         request.setServerURL(protocol='http', port='80')

Very nice! May I ask why you don't do same on HTTP_HTTPS?

> > numbers. Hmm. But I don't know, whether you can start two http
> > servers and can't check right now.
>
> But anyway, if you really need to, you could start different
> HTTP servers on different ports; just add more <http-server> blocks in
> your zope.conf.
>
> However, I couldn't find out how one single pound would be able to
> redirect traffic to two different ports on behalf of the original
> request, so two pounds would be necessary. Which is ugly, I think.

De gustibus et coloribus non est disputandum.

> Or could you do something like:
>
> HTTPSHeaders 1 "HTTPS: ON"
>
> URLGroup ".*"
> HeadRequire HTTPS "ON"
> BackEnd 127.0.0.1,1443,9
> EndGroup
>
> URLGroup ".*"
> BackEnd 127.0.0.1,1080,9
> EndGroup

Doesn't work - headers are checked BEFORE adding.

> I don't think so, but didn't try. And if I'm right, the original port
> isn't available for the URLGroup check either, to do something like
>
> URLGroup ":443.*"
> BackEnd 127.0.0.1,1443,9
> EndGroup

Not really, more like:

URLGroup ".*"
HeadRequire Host ".*:443"
BackEnd 127.0.0.1,1443,9
EndGroup

> Anyway, I think the accessrule trick does well enough, at least for
> me :-)
>
>
> Cheers,
>
> Sascha


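
Robert Segall's two answers above (a HeadRequire on the header Pound itself adds
can never match, because groups are matched before HTTPSHeaders are appended,
while a HeadRequire on the Host header's ":443" suffix does work) can be checked
with a small routing model. This is an added example, not Pound's source or its
exact matching semantics: first-match-wins group selection, the tuple shapes and
the backend strings are assumptions chosen to mirror the config fragments quoted
in the thread.

```python
# Added example, not Pound's code: a simplified model of the ordering Robert
# Segall describes. URLGroup/HeadRequire matching runs on the headers as
# received from the client; HTTPSHeaders are appended to the forwarded request
# only afterwards. First matching group wins (assumption for this model).
import re

# Group layout: (url_regex, [(header_name, value_regex), ...], backend).
# The HeadRequire HTTPS "ON" idea from the thread:
GROUPS_BY_INJECTED_HEADER = [
    (".*", [("HTTPS", "ON")], "127.0.0.1:1443"),
    (".*", [], "127.0.0.1:1080"),
]
# Robert Segall's HeadRequire Host ".*:443" suggestion:
GROUPS_BY_HOST = [
    (".*", [("Host", ".*:443")], "127.0.0.1:1443"),
    (".*", [], "127.0.0.1:1080"),
]
# What 'HTTPSHeaders 1 "HTTPS: ON"' adds on the HTTPS listener.
HTTPS_HEADERS = [("HTTPS", "ON")]


def select_backend(url, headers, groups):
    """Return the backend of the first group whose URL regex matches and whose
    HeadRequire entries are all satisfied by the received headers, else None."""
    for url_re, requires, backend in groups:
        if not re.match(url_re, url):
            continue
        satisfied = all(
            any(name.lower() == req_name.lower() and re.match(val_re, value)
                for name, value in headers)
            for req_name, val_re in requires)
        if satisfied:
            return backend
    return None


def route(url, headers, groups, listener_is_https, https_headers=HTTPS_HEADERS):
    """Pick the backend on the original headers, then build the forwarded
    header list, appending the HTTPSHeaders only for the HTTPS listener."""
    backend = select_backend(url, headers, groups)
    forwarded = list(headers)
    if listener_is_https:
        forwarded.extend(https_headers)
    return backend, forwarded


if __name__ == "__main__":
    # Constructed sample request as it would arrive on the HTTPS listener.
    hdrs = [("Host", "www.example.org:443")]
    print("HeadRequire HTTPS:", route("/index.html", hdrs, GROUPS_BY_INJECTED_HEADER, True))
    print("HeadRequire Host: ", route("/index.html", hdrs, GROUPS_BY_HOST, True))
    # The same path over the plain listener, Host without a port suffix.
    print("plain HTTP:       ", route("/index.html", [("Host", "www.example.org")], GROUPS_BY_HOST, False))
```

With the injected-header groups the HTTPS request is sent to port 1080 although
the forwarded headers do carry "HTTPS: ON"; with the Host-based groups it reaches
port 1443. Note that the Host-based group, like the SERVER_URL check in the access
rule, relies on the Host header arriving at Pound with the ":443" suffix.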
Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-11 14:53:02
On Tuesday, 11 May 2004 14:10, Robert Segall wrote:
> >
> > request = container.REQUEST
> > if request.SERVER_URL[-4:] == ':443':
> >     if request.PATH.find('someURLstring') >= 0:
> >         request.setServerURL(protocol='https')
> >     else:
> >         request.setServerURL(protocol='http', port='80')
>
> Very nice! May I ask why you don't do same on HTTP_HTTPS?

Uh, very good point :-) The idea with HTTPS: ON was to let Zope 
automagically detect the case that an SSL request came in, which happens 
somewhere in ZPublisher/HTTPRequest.py:

            if have_env('HTTPS') and (
                environ['HTTPS'] == "on" or environ['HTTPS'] == "ON"):
                protocol = 'https'
            elif (have_env('SERVER_PORT_SECURE') and
                environ['SERVER_PORT_SECURE'] == "1"):
                protocol = 'https'

>
> Not really, more like:
>
> URLGroup ".*"
> HeadRequire Host ".*:443"
> BackEnd 127.0.0.1,1443,9
> EndGroup

That's it! Thanks a lot, that was the missing piece :-) BTW, if I see 
this right, this would as well eliminate the need for two pound 
instances for your z2.py patches for 2.5 and 2.6, right?


Cheers,

Sascha


Re: Zope-2.7 both http and https in parallel?
Robert Segall <roseg(at)apsis.ch>
2004-05-11 14:58:23
On Tuesday 11 May 2004 14.53, Sascha Ottolski wrote:
> On Tuesday, 11 May 2004 14:10, Robert Segall wrote:
> > > request = container.REQUEST
> > > if request.SERVER_URL[-4:] == ':443':
> > >     if request.PATH.find('someURLstring') >= 0:
> > >         request.setServerURL(protocol='https')
> > >     else:
> > >         request.setServerURL(protocol='http', port='80')
> >
> > Very nice! May I ask why you don't do same on HTTP_HTTPS?
>
> Uh, very good point :-) The idea with HTTPS: ON was to let Zope
> automagically detect the case that an SSL request came in, which happens
> somewhere in ZPublisher/HTTPRequest.py:
>
>             if have_env('HTTPS') and (
>                 environ['HTTPS'] == "on" or environ['HTTPS'] == "ON"):
>                 protocol = 'https'
>             elif (have_env('SERVER_PORT_SECURE') and
>                 environ['SERVER_PORT_SECURE'] == "1"):
>                 protocol = 'https'
>
> > Not really, more like:
> >
> > URLGroup ".*"
> > HeadRequire Host ".*:443"
> > BackEnd 127.0.0.1,1443,9
> > EndGroup
>
> That's it! Thanks a lot, that was the missing piece :-) BTW, if I see
> this right, this would as well eliminate the need for two pound
> instances for your z2.py patches for 2.5 and 2.6, right?

Yes it would. Perhaps you would care to write a short README/FAQ/HOWTO entry 
to add to the next release?

Re: Zope-2.7 both http and https in parallel?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-05-11 15:32:39
On Tuesday, 11 May 2004 14:58, Robert Segall wrote:
> Yes it would. Perhaps you would care to write a short
> README/FAQ/HOWTO entry to add to the next release?

I'll give my very best...but please hang on until next week.

Sascha
