Setting up Apache with HTTP/HTTPS for a ZEO Cluster

Meta:

Valid for:  Silva 0.9
Author:     Martijn Faassen
Email:      faassen@infrae.com
CVS:        $Revision: 1.4 $ $Date: 2002/12/23 20:52:08 $

Introduction

These notes describe how to set up Apache with Zope so that it will support the following virtual hosts:

https://zope.domain.tld: a virtual host for https access to the zope root, used by system-level management of Zope. http access to zope.domain.tld is disallowed.
http://web.domain.tld: a virtual host to the silva root (/silva in zope). This is for end-user access to the content.
http://secure-web.domain.tld: a virtual host for https access to the silva root (/silva in zope). http access to secure-web.domain.tld is disallowed. This is for authenticated access to content and the Silva edit and management screens.

The http/https problem

Whenever Zope determines a user needs authorization in order to take a certain action, it is required that this user only contacts Zope using an encrypted protocol: https. Access using http is only allowed for public pages that do not require any authorization.

This is accomplished by redirecting a user that tries to go to a non-public area to log in through https://secure-web.domain.tld, thus using https. If Zope detects the user tries to access an area that needs authorization, it first determines whether the user is coming in through secure-web.domain.tld. If not, the user is redirected to secure-web.domain.tld.

If the user has not logged in previously, a login form will be presented and the user can log in (through the secure host). Otherwise the user will get access to the content (if the browser carries the correct authentication information, otherwise a login form appears as well).

The detection and redirection of login requests is implemented by using a Zope product called CookieCrumbler. This is a Zope extension that enables one to replace the browser login dialog with a web-based login form. Authentication is done using session cookies that disappear after a user logs out or shuts down their web browser. Because of the cookie based login, it is important to have two seperate host names for secure and non-secure access (secure-web.domain.tld versus web.domain.tld), as cookies only distinguish between hostname and do not take into account the used protocol.

Even if a user after having previously logged in through secure-web.domain.tld tries to go to an area requiring login on web.domain.tld, this will be detected by the system automatically as the user has no authentication information for web.domain.tld. Therefore, the user will be redirected back to secure-web.domain.tld.

Virtual hosts and Zope

Zope can do virtual hosting using the built-in 'Virtual Host Monster' object. The 'Virtual Host Monster' is in the Zope root, and watches for URLs of a special format that will be generated by the Apache frontend. A description of the rewrite rules:

for the virtual host https://zope.domain.tld:

RewriteRule ^/(.*) /var/www/zope/Zope.fcgi/VirtualHostBase/http/zope.domain.tld:80/VirtualHostRoot/$1 [L]

https://zope.domain.tld should be an ip-based virtual host (see below for explanation).
the virtual host http://zope.domain.tld is blocked.

This is using the same ip address as https://zope.domain.tld.
for the virtual host http://web.domain.tld:

RewriteRule ^/(.*) /var/www/zope/Zope.fcgi/VirtualHostBase/http/web.domain.tld:80/silva/VirtualHostRoot/$1 [L]

http://web.domain.tld can share the ip address with https://secure-web.domain.tld, but should have a different ip address as zope.domain.tld.
for the virtual host https://secure-web.domain.tld:

RewriteRule ^/(.*) /var/www/zope/Zope.fcgi/VirtualHostBase/https/secure-web.domain.tld:443/silva/VirtualHostRoot/$1 [L]
the virtual host http://secure-web.domain.tld is blocked.

It is possible to use port-based virtual hosting to distinguish between 'http://web.domain.tld' and 'https://secure-web.domain.tld'. It is also possible to block 'http://secure-web.domain.tld' as it can be distinguished from 'http://web.domain.tld' using name-based virtual hosting.

Unfortunately it is not possible to distinguish between two https based virtual hosts by name -- the https protocol does not support name-based virtual hosting. We therefore have to use ip based virtual hosting in order to allow access to the Zope root using 'https://zope.domain.tld' -- 'zope.domain.tld' needs to be assigned a different ip address as 'https://secure-web.domain.tld' (and thus 'http://web.domain.tld').

Caveats

Does the load balancer support ip-based virtual hosting?