
============================================================
HOWTO to set up CPS with Apache httpd VirtualHost directives
============================================================
*$Id: howto-virtual_hosts.txt 7153 2005-02-09 10:56:49Z madarche $*



Adapting those examples to your needs
=====================================

Port 9673 is the Zope default port on Debian; you might have to change it to
8080 depending on your configuration.

Note that in all the following examples "demo1.localdomain" can be replaced by
"localhost" if your Zope server runs on the same machine as your Apache httpd
server.



Using Apache (apache-ssl package)
=================================

Here are some configuration examples using Apache httpd VirtualHost directives,
as they can be set up on a Debian Sarge machine with the "apache-ssl" package.

Note that these configuration instructions are specific to "apache-ssl". It is
of course possible to use the "apache" and "libapache-mod-ssl" packages instead
of the "apache-ssl" package, but the configuration might be slightly different.

What you need:

* apt-get install apache-ssl

* Be sure to have the following line in your /etc/apache-ssl/modules.conf::

    LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so

* You should have the SSLDisable option at the server config level because we
  will be using virtual hosts.

* You should generate a private key and a certificate file for your web server.


Simple HTTP + HTTPS configuration
---------------------------------

This configuration is what most people would need. It is not a secure
configuration, since nothing forces logins or ZMI administration onto HTTPS,
but it is easy to set up and understand.

Example::

  <VirtualHost 192.168.2.20:80>
  ServerName mysite.net
  
  RewriteEngine on
  
  RewriteCond %{HTTP:Authorization}  ^(.*)
  RewriteRule ^/(.*) http://demo1.localdomain:9673/VirtualHostBase/http/%{HTTP_HOST}:80/cps/VirtualHostRoot/$1 [P,L]
  
  CustomLog /var/log/apache-ssl/mysite.net.log combined
  ErrorLog /var/log/apache-ssl/mysite.net-error.log
  </VirtualHost>
  
  <VirtualHost 192.168.2.20:443>
  ServerName mysite.net
  
  SSLEnable
  SSLCertificateFile /etc/apache-ssl/ssl.crt/mysite.net.cert
  SSLCertificateKeyFile /etc/apache-ssl/ssl.key/mysite.net.key
  
  RewriteEngine on
  
  RewriteCond %{HTTP:Authorization}  ^(.*)
  RewriteRule ^/(.*)  http://demo1.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:443/cps/VirtualHostRoot/$1 [P,L]
  
  CustomLog /var/log/apache-ssl/mysite.net.log combined
  ErrorLog /var/log/apache-ssl/mysite.net-error.log
  </VirtualHost>


Secure HTTP + HTTPS configuration
---------------------------------

This is a secure configuration because:

* it forces the use of HTTPS for administering Zope in the ZMI

* it forces the use of HTTPS for authenticated users (because for logged-in
  users, cookies containing sensitive login/password information are sent with
  each request)

* it forces the use of HTTPS for users who wish to join the portal (because
  login information is provided in the join form)

Example::

  # Main HTTP access to http://mysite.net/ for anonymous users
  <VirtualHost 192.168.2.20:80>
  ServerName mysite.net
  
  RewriteEngine on
  
  # Using OR instead of the implicit AND between conditions
  RewriteCond %{REQUEST_URI} ^(.*)/manage(.*) [OR]
  RewriteCond %{REQUEST_URI} ^(.*)/login(.*) [OR]
  RewriteCond %{REQUEST_URI} ^(.*)/account_(.*) [OR]
  RewriteCond %{REQUEST_URI} ^(.*)/join_form$
  RewriteRule ^/(.*) https://mysite.net/$1 [R=permanent,L]
  
  RewriteCond %{HTTP:Authorization}  ^(.*)
  RewriteRule ^/(.*) http://demo1.localdomain:9673/VirtualHostBase/http/%{HTTP_HOST}:80/cps/VirtualHostRoot/$1 [P,L]
  
  CustomLog /var/log/apache-ssl/mysite.net.log combined
  ErrorLog /var/log/apache-ssl/mysite.net-error.log
  </VirtualHost>
  
  # Main HTTPS access to https://mysite.net/ for authenticated users
  <VirtualHost 192.168.2.20:443>
  ServerName mysite.net
  
  SSLEnable
  SSLCertificateFile /etc/apache-ssl/ssl.crt/mysite.net.cert
  SSLCertificateKeyFile /etc/apache-ssl/ssl.key/mysite.net.key
  
  RewriteEngine on
  
  RewriteCond %{HTTP:Authorization}  ^(.*)
  RewriteRule ^/(.*)  http://demo1.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:443/cps/VirtualHostRoot/$1 [P,L]
  
  CustomLog /var/log/apache-ssl/mysite.net.log combined
  ErrorLog /var/log/apache-ssl/mysite.net-error.log
  </VirtualHost>
  
  
  # HTTPS access to https://mysite.net:453/ for administrators.
  # This is the access to use to administer Zope through the ZMI.
  <VirtualHost 192.168.2.20:453>
  ServerName mysite.net
  
  SSLEnable
  SSLCertificateFile /etc/apache-ssl/ssl.crt/mysite.net.cert
  SSLCertificateKeyFile /etc/apache-ssl/ssl.key/mysite.net.key
  
  RewriteEngine on
  
  RewriteCond %{HTTP:Authorization}  ^(.*)
  RewriteRule ^/(.*)  http://demo1.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}/VirtualHostRoot/$1 [P,L]
  # Note that the line below with "%{HTTP_HOST}:453" will not work. The working
  # rule above has been crafted through the reading of the Z2.log file.
  #RewriteRule ^/(.*) http://demo1.localdomain:9673/VirtualHostBase/https/%{HTTP_HOST}:453/VirtualHostRoot/$1 [P,L]
  
  CustomLog /var/log/apache-ssl/mysite.net.log combined
  ErrorLog /var/log/apache-ssl/mysite.net-error.log
  </VirtualHost>
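
The following Python sketch is an added example, not part of the original HOWTO
or of CPS: it models how the port-80 virtual host above chooses between the
HTTPS redirect and the proxy to Zope, so the rule set can be checked against a
list of paths. The request paths are constructed samples, and query strings are
ignored.

```python
import re

# Constructed model of the port-80 virtual host above; not Apache itself.
BACKEND = "http://demo1.localdomain:9673"
SITE = "mysite.net"

# The four RewriteCond patterns joined by [OR], as written in the example.
HTTPS_ONLY = [
    re.compile(r"^(.*)/manage(.*)"),
    re.compile(r"^(.*)/login(.*)"),
    re.compile(r"^(.*)/account_(.*)"),
    re.compile(r"^(.*)/join_form$"),
]
RULE = re.compile(r"^/(.*)")  # pattern shared by both RewriteRule lines


def route_http(request_uri, http_host=SITE):
    """Return (action, target) for a path arriving on port 80.

    request_uri is the URL path only: %{REQUEST_URI} excludes the query string.
    """
    m = RULE.match(request_uri)
    if m is None:
        return ("none", request_uri)
    rest = m.group(1)
    # First rule: any one matching condition triggers the permanent redirect.
    if any(p.search(request_uri) for p in HTTPS_ONLY):
        return ("redirect", f"https://{SITE}/{rest}")
    # Second rule: "^(.*)" on the Authorization header always matches,
    # so every remaining request is proxied to Zope's VirtualHostMonster.
    return ("proxy", f"{BACKEND}/VirtualHostBase/http/{http_host}:80"
                     f"/cps/VirtualHostRoot/{rest}")


def audit(paths):
    """List the paths that still reach Zope over plain HTTP."""
    return [p for p in paths if route_http(p)[0] == "proxy"]


if __name__ == "__main__":
    sample = ["/manage_main", "/login_form", "/workspaces/join_form",
              "/account_lost_password_form", "/sections/news",
              "/workspaces/join_form/"]  # constructed request paths
    for path in sample:
        print(path, "->", *route_http(path))
    print("plain HTTP:", audit(sample))
```

Running ``audit`` over the paths your portal actually serves shows which of
them the four conditions leave on plain HTTP; the last sample path is proxied
because the ``join_form`` pattern is anchored with ``$``.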



Using Apache2
=============

XXX: we are waiting for someone to contribute the corresponding apache2 virtual
hosts configuration.


Related information
===================

* bug #436
  "getBaseUrl.py doesn't work as expected behind Apache virtual hosts"
  http://bugs.nuxeo.com/bugzilla/show_bug.cgi?id=436

