[opencms-dev] proxying the admin tool

Kelley, Kevin kkelley at onetooneinteractive.com
Tue Nov 15 21:16:39 CET 2005 

I think that will be ok.  I'm using a custom module (templates,
elements, etc)... and it seems to work fine.  The mod_access is working
on the URL in your browser (the client request) and all paths to system
resources are internal.

 

 

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeff Moser
Sent: Tuesday, November 15, 2005 2:44 PM
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

 

Kevin,

 

Will this work if I am using a custom module for my site?  Won't
references to that module require that external users access the
/system/ directory?

 

Let me know what you think.  Thanks a ton for responding though!!

 

Jeff 

 

  _____  

From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Kelley, Kevin
Sent: Tuesday, November 15, 2005 2:29 PM
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

 

Hi Jeff, 

I was hoping someone would respond to this as well... but since they
didn't, I started playing around with my apache config.

 

The following is what I've come up with and on some basic testing it
seems to work well.  I will have to do some more rigorous testing.  I am
using Apache 2.0.55 and Tomcat 5.5 on windows 2000 and 2003 machines
with OpenCms 6.0.2

 

My requirements are similar to yours I want to limit connections to the
admin app to only IPs originating from our companies subnet.  

 

All I did was make sure the mod_access module is active in your
httpd.conf file... should look like:




LoadModule access_module modules/mod_access.so

 

Then, in the virtual host I setup for the application, I simply added
the following:

 

 <Location ~ "^/.*/system/.*$" >

      Order Deny,Allow

      Deny from all

      Allow from 192.168.1.1

      Allow from 192.168.1.2

</Location>

 

This is basically saying if the URL contains the system directory, deny
all clients from accessing except those at the IP addresses specified.
You can check out the apache documentation on mod_access for more
advanced configuration like specifying IP ranges or subnets.

 

http://httpd.apache.org/docs/2.0/mod/mod_access.html

 

I hope this helps and if anyone sees anything wrong with this approach,
please speak up!

Kevin

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeff Moser
Sent: Tuesday, November 15, 2005 11:55 AM
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

 

Does anyone have any input on this?  I put this up about a week ago and
have not received a single reply.

 

To summarize I am looking for a way to proxy out the OpenCMS workplace
so that it is not available on a production network.  The way I am doing
it below 99% works but has a few serious quirks like the upload applet
not working.

 

Please help!

 

-Jeff 

 

  _____  

From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeff Moser
Sent: Wednesday, November 09, 2005 10:26 AM
To: opencms-dev at opencms.org
Subject: [opencms-dev] proxying the admin tool

 

To all,

 

Has anyone come up with a process for proxying the admin tool to
internal users only?  I am working with OpenCMS 6 and have a production
and development VLAN.  I would like to make it so that the admin tool is
not accessible on the production network (externally available) but is
accessible on the development network.  Currently I have Apache setup to
allow access to the proxy host on the development VLAN using the
following:

 

ProxyPass          /system/ http://production_server/system/ 
ProxyPassReverse   /system/ http://production_server/system/ 
ProxyPass          /export/ http://production_server/export/ 
ProxyPassReverse   /export/ http://production_server/export/ 
ProxyPass          /resources/ http://production_server/resources/ 
ProxyPassReverse   /resources/ http://production_server/resources/ 
ProxyPass          /opencms/ http://production_server/opencms/ 
ProxyPassReverse   /opencms/ http://production_server/opencms/

 

This allows access to the Admin tool from the proxy host; however the
upload applet does not work.  I ran a snoop on the requests being made
through the proxy host for the upload applet and it seems that the call
to that upload jar file is being made directly to the production host,
not through the proxy.

 

Any input on why this is happening or perhaps a better method of
proxying the admin tool would be greatly appreciated!

 

Regards,

Jeff

jeff.moser
network administrator
tel 267.615.2682
cell 215.990.3467 

refinery
top 30 US interactive agency
 <http://www.refinery.com/whitepapers.aspx> Click for: Useful tips and
sage advice on interactive. 5 Minute Whitepaper. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20051115/69530149/attachment.htm>

More information about the opencms-dev mailing list