<html xmlns:ns1="http://www.exclaimer.co.uk">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 10 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{margin-right:0in;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.emailstyle18
{font-family:Arial;
color:windowtext;}
span.emailstyle19
{font-family:Arial;
color:navy;}
span.emailstyle21
{font-family:Arial;
color:navy;}
span.EmailStyle210
{font-family:Arial;
color:navy;}
span.EmailStyle23
{font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I think that will be ok. I'm
using a custom module (templates, elements, etc.)... and it seems to work
fine. The mod_access is working on the URL in your browser (the client
request) and all paths to system resources are internal.</span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b> opencms-dev-bounces@opencms.org
[mailto:opencms-dev-bounces@opencms.org] <b><span style='font-weight:bold'>On
Behalf Of </span></b>Jeff Moser<br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>Tuesday,
November 15, 2005</span></font><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'> </span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>2:44 PM</span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>To:</span></b> The OpenCms mailing list<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [opencms-dev]
proxying the admin tool</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Kevin,</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Will this work if I am
using a custom module for my site? Won't references to that module
require that external users access the /system/ directory?</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Let me know what you
think. Thanks a ton for responding though!!</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Jeff </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<div>
<div class=MsoNormal align=center style='margin-left:.5in;text-align:center'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p class=MsoNormal style='margin-left:.5in'><b><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
opencms-dev-bounces@opencms.org [mailto:opencms-dev-bounces@opencms.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Kelley, Kevin<br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>Tuesday,
November 15, 2005</span></font><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'> </span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>2:29 PM</span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>To:</span></b> The OpenCms mailing list<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [opencms-dev]
proxying the admin tool</span></font></p>
</div>
<p class=MsoNormal style='margin-left:.5in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Hi Jeff, </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>I was hoping someone
would respond to this as well... but since they didn't, I started
playing around with my Apache config.</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>The following is what
I've come up with and on some basic testing it seems to work well.
I will have to do some more rigorous testing. I am using Apache 2.0.55
and Tomcat 5.5 on Windows 2000 and 2003 machines with OpenCms 6.0.2.</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>My requirements are
similar to yours: I want to limit connections to the admin app to only IPs
originating from our company's subnet.</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>All I did was make sure
the mod_access module is active in your httpd.conf file... should look
like:</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>LoadModule access_module
modules/mod_access.so</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Then, in the virtual host
I set up for the application, I simply added the following:</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&lt;Location ~ "^/.*/system/.*$"&gt;</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&nbsp;&nbsp;&nbsp;&nbsp;Order Deny,Allow</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&nbsp;&nbsp;&nbsp;&nbsp;Deny from all</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&nbsp;&nbsp;&nbsp;&nbsp;Allow from 192.168.1.1</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&nbsp;&nbsp;&nbsp;&nbsp;Allow from 192.168.1.2</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>&lt;/Location&gt;</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>This is basically saying
if the URL contains the system directory, deny all clients from accessing
except those at the IP addresses specified. You can check out the Apache
documentation on mod_access for more advanced configuration like specifying IP
ranges or subnets.</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><a
href="http://httpd.apache.org/docs/2.0/mod/mod_access.html">http://httpd.apache.org/docs/2.0/mod/mod_access.html</a></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>I hope this helps and if
anyone sees anything wrong with this approach, please speak up!</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Kevin</span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'>-----Original Message-----<br>
<b><span style='font-weight:bold'>From:</span></b>
opencms-dev-bounces@opencms.org [mailto:opencms-dev-bounces@opencms.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Jeff Moser<br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>Tuesday,
November 15, 2005</span></font><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'> </span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>11:55 AM</span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>To:</span></b> The OpenCms mailing list<br>
<b><span style='font-weight:bold'>Subject:</span></b> RE: [opencms-dev]
proxying the admin tool</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>Does
anyone have any input on this? I put this up about a week ago and have
not received a single reply.</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>To
summarize, I am looking for a way to proxy out the OpenCMS workplace so that it
is not available on a production network. The way I am doing it below 99%
works but has a few serious quirks like the upload applet not working.</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>Please
help!</span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'>-Jeff </span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 color=navy
face=Arial><span style='font-size:10.0pt;font-family:Arial;color:navy'> </span></font></p>
<div>
<div style='margin-left:.5in'>
<div class=MsoNormal align=center style='margin-left:.5in;text-align:center'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
</div>
<p class=MsoNormal style='margin-left:1.0in'><b><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
opencms-dev-bounces@opencms.org [mailto:opencms-dev-bounces@opencms.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Jeff Moser<br>
<b><span style='font-weight:bold'>Sent:</span></b> </span></font><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>Wednesday,
November 09, 2005</span></font><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'> </span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>10:26 AM</span></font><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'><br>
<b><span style='font-weight:bold'>To:</span></b> opencms-dev@opencms.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> [opencms-dev] proxying
the admin tool</span></font></p>
</div>
<p class=MsoNormal style='margin-left:1.0in'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'> </span></font></p>
<div>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>To all,<u4:p></u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><u4:p> </u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Has anyone come up with a process
for proxying the admin tool to internal users only? I am working with
OpenCMS 6 and have a production and development VLAN. I would like to make
it so that the admin tool is not accessible on the production network
(externally available) but is accessible on the development network.
Currently I have Apache set up to allow access to the proxy host on the
development VLAN using the following:<u4:p></u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><u4:p> </u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>ProxyPass
/system/ http://production_server/system/</span></font><font
face=Arial><span style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPassReverse /system/ http://production_server/system/</span></font><font
face=Arial><span style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPass /export/
http://production_server/export/</span></font><font face=Arial><span
style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPassReverse /export/ http://production_server/export/</span></font><font
face=Arial><span style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPass /resources/
http://production_server/resources/</span></font><font face=Arial><span
style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPassReverse /resources/ http://production_server/resources/</span></font><font
face=Arial><span style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPass /opencms/
http://production_server/opencms/</span></font><font face=Arial><span
style='font-family:Arial'> <br>
</span></font><font size=2 face=Arial><span style='font-size:10.0pt;font-family:
Arial'>ProxyPassReverse /opencms/ http://production_server/opencms/<u4:p></u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><u4:p> </u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>This allows access to the Admin tool
from the proxy host; however the upload applet does not work. I ran a
snoop on the requests being made through the proxy host for the upload applet
and it seems that the call to that upload jar file is being made directly to
the production host, not through the proxy.<u4:p></u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><u4:p> </u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Any input on why this is happening
or perhaps a better method of proxying the admin tool would be greatly
appreciated!<u4:p></u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><u4:p> </u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Regards,<u4:p></u4:p></span></font></p>
<p class=MsoNormal style='margin-left:1.0in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Jeff<u4:p></u4:p></span></font></p>
</div>
<div>
<p style='margin-left:1.0in'><strong><b><font size=1 color="#fe370b"
face=Verdana><span style='font-size:8.0pt;font-family:Verdana;color:#FE370B'>jeff.moser</span></font></b></strong><br>
<font size=1 color="#293133" face=Verdana><span style='font-size:8.0pt;
font-family:Verdana;color:#293133'>network administrator</span></font><br>
<font size=1 color="#293133" face=Verdana><span style='font-size:8.0pt;
font-family:Verdana;color:#293133'>tel 267.615.2682</span></font><br>
<font size=1 color="#293133" face=Verdana><span style='font-size:8.0pt;
font-family:Verdana;color:#293133'>cell 215.990.3467</span></font> </p>
</div>
<div>
<p class=MsoNormal style='margin-left:1.0in'><strong><b><font size=1
color="#293133" face=Verdana><span style='font-size:8.0pt;font-family:Verdana;
color:#293133'>refinery</span></font></b></strong><br>
<font size=1 color="#293133" face=Verdana><span style='font-size:8.0pt;
font-family:Verdana;color:#293133'>top 30 </span></font><font size=1
color="#293133" face=Verdana><span style='font-size:8.0pt;font-family:Verdana;
color:#293133'>US</span></font><font size=1 color="#293133" face=Verdana><span
style='font-size:8.0pt;font-family:Verdana;color:#293133'> interactive agency</span></font></p>
</div>
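<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Added example, not part of the original thread: a small Python model of the Location regex and the Order Deny,Allow rule from Kevin's message, for checking which request paths and client addresses the section actually restricts. The sample paths, the 203.0.113.7 client and BROADER_PATTERN are constructed for illustration, and Python's re module stands in for Apache's regex matching.</span></font></p>

```python
import ipaddress
import re

# Copied from the Location section in Kevin's message.
THREAD_PATTERN = r"^/.*/system/.*$"
THREAD_ALLOW = ["192.168.1.1", "192.168.1.2"]
THREAD_DENY = ["all"]

# Hypothetical variant (not from the thread): also covers /system/ at the URL root.
BROADER_PATTERN = r"^(/.*)?/system/.*$"


def _matches(client_ip, specs):
    """True if client_ip matches any 'Allow from' / 'Deny from' spec.

    Handles 'all', single addresses and network/netmask or CIDR forms;
    partial addresses and host names are outside this model.
    """
    ip = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def order_deny_allow(client_ip, allow, deny):
    """mod_access 'Order Deny,Allow': allowed by default, Allow overrides Deny."""
    return _matches(client_ip, allow) or not _matches(client_ip, deny)


def decide(url_path, client_ip, pattern=THREAD_PATTERN,
           allow=THREAD_ALLOW, deny=THREAD_DENY):
    """Return 'allow', 'deny', or 'unrestricted' (the section does not apply)."""
    if re.search(pattern, url_path) is None:
        return "unrestricted"
    return "allow" if order_deny_allow(client_ip, allow, deny) else "deny"


# Constructed request paths and client addresses for the check.
SAMPLES = [
    ("/opencms/opencms/system/login/", "192.168.1.1"),
    ("/opencms/opencms/system/login/", "203.0.113.7"),
    ("/opencms/opencms/index.html", "203.0.113.7"),
    ("/system/workplace/", "203.0.113.7"),
]


def report(pattern):
    """Verdict for every sample request under the given Location pattern."""
    return [(path, ip, decide(path, ip, pattern)) for path, ip in SAMPLES]


if __name__ == "__main__":
    for name, pat in (("thread", THREAD_PATTERN), ("broader", BROADER_PATTERN)):
        print(name, pat)
        for path, ip, verdict in report(pat):
            print(f"  {verdict:12} {ip:12} {path}")
```

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>With the pattern as posted, a path that begins with /system/ (the prefix used in the ProxyPass lines) comes out as unrestricted, because the regex requires at least one path segment before /system/. Passing allow=["192.168.1.0/24"] to decide() models the subnet form that the mod_access documentation describes.</span></font></p>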
</div>
</body>
</html>