[opencms-dev] proxying the admin tool

Kelley, Kevin kkelley at onetooneinteractive.com
Wed Nov 16 15:00:18 CET 2005


Thanks Arash,

 

Our site is hosted by a third party hosting company.  So we just have a
single app server sitting behind a firewall with only ports 80 & 443
open.

 

Also, as a follow up to the configuration I gave, I've added an extra
element to make the error screen more graceful.  I have created a 404
error page and a 500 error page in my default site.  So in my apache
configuration, inside the virtualhost for the opencms site, my
configuration now looks like:

 

      ErrorDocument 403 /general/error_404.html

      <Location ~ "^/.*/system/.*$">
            Order Deny,Allow
            Deny from all
            Allow from 127.0.0.1
            Allow from 192.168.1.64/255.255.255.192
      </Location>

 

If a forbidden status code is thrown, Apache will forward to my custom
error page, which I have set as a 404 (File Not Found) error. That way,
users trying to hit the admin login page won't even know it's an OpenCms
site.

 

Cheers,

Kevin

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash Kaffamanesh
Sent: Tuesday, November 15, 2005 5:12 PM
To: 'The OpenCms mailing list'
Subject: RE: [opencms-dev] proxying the admin tool

 

Hi Kevin,

 

Normally in a DMZ you shall not allow the Apache to know about IP
addresses in your LAN, unless there will be some security problems! Let's
say your firewall shall allow the Apache webserver to know about the
IP addresses of your employees in your LAN, so you have to open some
punched holes in your firewall from DMZ into LAN :-)

 

Perhaps I'm wrong.

 

Anyway your solution is pretty nice, congrats!

 

Best Regards,

Arash

 

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Kelley, Kevin
Sent: Dienstag, 15. November 2005 22:16
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

Hi Arash,

 

I've actually just finished implementing the solution I wrote about
before and all seems to work quite well. I had a number of people
outside of my network try to access the admin tool and they got an
Access Denied error. Apache will only allow our employees to see the
admin application (well, everything behind a URL with /system/ in it)
because I supplied our network/netmask to the Allow from line.

 

Kevin

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash Kaffamanesh
Sent: Tuesday, November 15, 2005 3:55 PM
To: 'The OpenCms mailing list'
Subject: RE: [opencms-dev] proxying the admin tool

 

Hi,

 

As I understand it, your production server is behind your firewall (let's
say in a DMZ) and your employees shouldn't have access to it, but these
solutions with IP restrictions and so on work only from your LAN, and the
workplace will still be accessible from outside (from the internet), and
your employees or some hackers could hack you from home :-)

 

The best way is to use a master / slave installation with OCEE Cluster
Module (commercial module from Alkacon Software).

 

The problem with the upload applet can be solved by signing the applet
(not tested myself, but somehow sure about it).

I guess: you shall check out the applet source and use a trusted
certificate to sign it!

 

HTH,

 

Kind Regards,

Arash

 

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeff Moser
Sent: Dienstag, 15. November 2005 20:44
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

Kevin,

 

Will this work if I am using a custom module for my site?  Won't
references to that module require that external users access the
/system/ directory?

 

Let me know what you think.  Thanks a ton for responding though!!

 

Jeff 

 




From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Kelley, Kevin
Sent: Tuesday, November 15, 2005 2:29 PM
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

 

Hi Jeff, 

I was hoping someone would respond to this as well... but since they
didn't, I started playing around with my apache config.

 

The following is what I've come up with, and on some basic testing it
seems to work well. I will have to do some more rigorous testing. I am
using Apache 2.0.55 and Tomcat 5.5 on Windows 2000 and 2003 machines
with OpenCms 6.0.2.

 

My requirements are similar to yours: I want to limit connections to the
admin app to only IPs originating from our company's subnet.

 

All I did was make sure the mod_access module is active in the
httpd.conf file... it should look like:

LoadModule access_module modules/mod_access.so

 

Then, in the virtual host I set up for the application, I simply added
the following:

 <Location ~ "^/.*/system/.*$">
       Order Deny,Allow
       Deny from all
       Allow from 192.168.1.1
       Allow from 192.168.1.2
 </Location>

 

This is basically saying: if the URL contains the system directory, deny
all clients from accessing it except those at the IP addresses specified.
You can check out the Apache documentation on mod_access for more
advanced configuration like specifying IP ranges or subnets.

 

http://httpd.apache.org/docs/2.0/mod/mod_access.html

 

I hope this helps and if anyone sees anything wrong with this approach,
please speak up!

Kevin
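
The following is an added example, not code from the thread: a small Python model of the mod_access policy Kevin describes here and in his later follow-up (Location regex ^/.*/system/.*$, Order Deny,Allow, Deny from all, Allow from a host and a network/netmask, ErrorDocument 403 pointing at a 404 page), so the allow list and the regex can be checked offline before touching httpd.conf. The 192.168.1.64/255.255.255.192 network is taken from the thread; the sample request paths and client addresses are constructed.

```python
import ipaddress
import re

# Constructed model of the <Location ~ "^/.*/system/.*$"> block from the thread.
ADMIN_PATH_RE = re.compile(r"^/.*/system/.*$")

# "Allow from" entries as written in the thread: a single host plus a
# network/netmask pair. ipaddress accepts both spellings directly.
ALLOW_FROM = [
    ipaddress.ip_network("127.0.0.1"),
    ipaddress.ip_network("192.168.1.64/255.255.255.192"),
]


def is_admin_path(path: str) -> bool:
    """True when the request path is covered by the Location regex."""
    return ADMIN_PATH_RE.match(path) is not None


def client_allowed(client_ip: str) -> bool:
    """Emulate 'Order Deny,Allow' with 'Deny from all': Deny matches every
    client, then any matching Allow overrides it, so only listed sources pass."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOW_FROM)


def decide(path: str, client_ip: str) -> int:
    """Status Apache would send: 403 for a denied admin request, else 200.
    ErrorDocument 403 with a local path swaps in the 404 page as the body,
    but the response status line still says 403."""
    if is_admin_path(path) and not client_allowed(client_ip):
        return 403
    return 200


def uncovered_admin_paths(paths):
    """Audit helper: workplace-looking paths that escape the regex. The regex
    needs a path segment before /system/, so a root-level /system/ URL (as in
    the ProxyPass lines earlier in the thread) is not protected by it."""
    return [p for p in paths if "/system/" in p and not is_admin_path(p)]


if __name__ == "__main__":
    checks = [("/opencms/system/login/", "192.168.1.70"),   # inside the /26
              ("/opencms/system/login/", "192.168.1.130"),  # outside the /26
              ("/opencms/system/login/", "203.0.113.9"),    # external client
              ("/export/index.html", "203.0.113.9")]        # public content
    for path, ip in checks:
        print(f"{path} from {ip} -> {decide(path, ip)}")
    print("unprotected:", uncovered_admin_paths(["/system/login/"]))
```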

 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeff Moser
Sent: Tuesday, November 15, 2005 11:55 AM
To: The OpenCms mailing list
Subject: RE: [opencms-dev] proxying the admin tool

 

Does anyone have any input on this?  I put this up about a week ago and
have not received a single reply.

 

To summarize I am looking for a way to proxy out the OpenCMS workplace
so that it is not available on a production network.  The way I am doing
it below 99% works but has a few serious quirks like the upload applet
not working.

 

Please help!

 

-Jeff 

 




From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeff Moser
Sent: Wednesday, November 09, 2005 10:26 AM
To: opencms-dev at opencms.org
Subject: [opencms-dev] proxying the admin tool

 

To all,

Has anyone come up with a process for proxying the admin tool to
internal users only? I am working with OpenCMS 6 and have a production
and development VLAN. I would like to make it so that the admin tool is
not accessible on the production network (externally available) but is
accessible on the development network. Currently I have Apache set up to
allow access to the proxy host on the development VLAN using the
following:

ProxyPass          /system/ http://production_server/system/ 
ProxyPassReverse   /system/ http://production_server/system/ 
ProxyPass          /export/ http://production_server/export/ 
ProxyPassReverse   /export/ http://production_server/export/ 
ProxyPass          /resources/ http://production_server/resources/ 
ProxyPassReverse   /resources/ http://production_server/resources/ 
ProxyPass          /opencms/ http://production_server/opencms/ 
ProxyPassReverse   /opencms/ http://production_server/opencms/

This allows access to the Admin tool from the proxy host; however the
upload applet does not work.  I ran a snoop on the requests being made
through the proxy host for the upload applet and it seems that the call
to that upload jar file is being made directly to the production host,
not through the proxy.

Any input on why this is happening or perhaps a better method of
proxying the admin tool would be greatly appreciated!

Regards,

Jeff

jeff.moser
network administrator
tel 267.615.2682
cell 215.990.3467 

refinery
top 30 US interactive agency