How can I stop people accessing a plone server via webdav?

Submitted by 时间秒杀一切 on 2019-12-22 01:17:27

Question


I would like to know how I can disable webdav access to my plone4 server. The server is configured to block all direct http access to the normal zope client ports (8080, and 8081), and it is impossible to access plone externally via the http://ploneservername:8080 address. This is intended as we want all client connections to be encrypted. I have configured it so that all access has to be proxied via an apache2 service running on the same server that listens/terminates SSL on port 443. The standard zope listening ports (8080, 8081, 8100) are only configured to listen on the 127.0.0.1 address; they are not available from outside the box. The apache service proxies all SSL/443 traffic to 127.0.0.1:8080 which is what the zope client is listening on.

The only port that external clients can connect to on the box is 443 which is served by apache, and which proxies to the http/8080 address (via proxypass directive using the virtualhostmonster). This all works perfectly.

The problem is that webdav clients are still able to connect to the box via SSL/port443 and successfully authenticate and upload/download files. This is the case even though the webdav port hasn't been opened / configured anywhere in the plone config files, and the server is not listening for webdav connections when viewed through netstat -ap. I have been able to connect using 2 different webdav clients (bitkinex and win7 built-in), using the https://ploneserveraddress URL. I was under the impression that webdav should only be available if it's been explicitly enabled via the zope instance sections of the config file.

Is there a way to completely shut down webdav access? Simply omitting it from the config files hasn't stopped us being able to connect using this method when going in via apache/443/SSL. Any help would be appreciated. Thanks.


Answer 1:


WebDAV runs on the same port (since 4.0?). In addition to any other Plone-internal solutions, you can configure your Apache to only allow some HTTP verbs: http://httpd.apache.org/docs/2.1/mod/core.html#limit . This helps insofar as a browser usually only generates GET and POST. (You might want to double-check with the AJAX-y editor features, though.)
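
The verb restriction suggested in the answer, sketched as an added example (not part of the original answer, and not taken from the asker's configuration). It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded; the site id `Plone` in the VirtualHostMonster URL is a placeholder.

```apache
# Added example (constructed). Only the hostname and the 127.0.0.1:8080
# backend come from the question; the site id "Plone" is a placeholder.
<VirtualHost *:443>
    ServerName ploneservername
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile stay as already configured.

    # Existing reverse proxy to the Zope client through the VirtualHostMonster.
    ProxyPass / http://127.0.0.1:8080/VirtualHostBase/https/ploneservername:443/Plone/VirtualHostRoot/

    <Location "/">
        # Any method not listed here is refused with 403 by Apache and is
        # never forwarded to Zope. That covers the WebDAV verbs PROPFIND,
        # PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK, as well as PUT,
        # DELETE and OPTIONS.
        # HEAD does not need listing: Apache's <Limit> documentation notes
        # that GET also covers HEAD.
        # If the site's editor JavaScript uses another method, add it to the
        # list after confirming it in the access log.
        <LimitExcept GET POST>
            Require all denied
            # Apache 2.2 equivalent of the line above:
            #   Order deny,allow
            #   Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>
```

After reloading Apache, `curl -i -X PROPFIND https://ploneservername/` should return 403 instead of a WebDAV multistatus response. A WebDAV client can still fetch a file with GET, because that is an ordinary HTTP request; what the block removes is directory listing and write access over DAV.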



Source: https://stackoverflow.com/questions/9127269/how-can-i-stop-people-accessing-a-plone-server-via-webdav
