Re: [Zope] Reasons for Apache?? SSL?? (was Running Mailman CGI under Zope ZServer)

2000-11-18 Thread Cees de Groot

Joachim Werner [EMAIL PROTECTED] said:
> Apache can then also be used to serve
> static parts of your web site, like large documents or images. Also, Apache
> can be used to cache Zope requests.

I use Squid, not Apache as a reverse web proxy in front of Zope. I did a bit
of testing, and you can very well serve your static content from Zope in this
setup - I am planning to assign caching control properties to parts of the 
document structure and make Zope 'kick' Squid for a refresh when cached 
documents are edited. Initial experiments got me 500 requests per second
on cached documents - Zope wasn't touched at all. 

> Regarding your problem: Set up a simple packet filter firewall (most Linux
> distros have scripts for that, e.g. SuSE has "firewals") and don't allow
> access to port 8080.

Something like
% ipchains -A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
should totally block port 8080. If you work from 1.2.3.4, you can do:
% ipchains -I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
and your machine is the only one that can get to this port. If you want
to have this done automagically, create /etc/ipchains.conf:

% cat >/etc/ipchains.conf <<EOF
-I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
EOF

and execute '/sbin/ipchains-restore </etc/ipchains.conf' from
/etc/rc.d/boot.local (or similar).

Disclaimers: I haven't tested these rules; you should have a kernel that does
packet filtering; you're not worth the root password if you let someone else
tell you firewalling rules without understanding /exactly/ what they do ;-)


-- 
Cees de Groot   http://www.cdegroot.com [EMAIL PROTECTED]
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD  1986 F303 937F E098 9E8B

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
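
The two rules from the message above, modelled as an added example (not part of the original post and not ipchains itself): a small first-match evaluator that shows why the ACCEPT rule is inserted with -I while the REJECT rule is appended with -A. The server address 192.0.2.10, the outside client 203.0.113.9 and the ACCEPT chain policy are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Constructed copy of the rule file from the message (-s is the source option).
RULES = """\
-I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
"""

def _net(spec):
    # ipchains accepts the shorthand 0/0 for "any address".
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def load_chain(text):
    """Build the ordered input chain: -I inserts at the head, -A appends."""
    chain = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        rule = {"src": _net(tok[tok.index("-s") + 1]),
                "dst": _net(tok[tok.index("-d") + 1]),
                "dport": int(tok[tok.index("-d") + 2]),  # port follows the -d address
                "proto": tok[tok.index("-p") + 1],
                "target": tok[tok.index("-j") + 1]}
        if tok[0] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, src, dst, dport, proto="tcp", policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if (proto == r["proto"] and dport == r["dport"]
                and src in r["src"] and dst in r["dst"]):
            return r["target"]
    return policy

if __name__ == "__main__":
    chain = load_chain(RULES)
    for src, dst, port in [("1.2.3.4", "192.0.2.10", 8080),
                           ("203.0.113.9", "192.0.2.10", 8080),
                           ("203.0.113.9", "192.0.2.10", 443),
                           ("127.0.0.1", "127.0.0.1", 8080)]:
        print(src, "->", dst, port, verdict(chain, src, dst, port))
```

In this model a connection from 127.0.0.1 to port 8080 is also rejected, because neither rule names an interface. If the front-end proxy reaches ZServer over loopback and the input chain sees that traffic, it needs its own ACCEPT rule ahead of the REJECT.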




[Zope] Reasons for Apache?? SSL?? (was Running Mailman CGI under Zope ZServer)

2000-11-17 Thread Dario Lopez-Kästen

> From: "Fred Wilson Horch" [EMAIL PROTECTED]
> Sent: Friday, November 17, 2000 2:22 AM
> Subject: [Zope] Running Mailman CGI under Zope ZServer

...snip...

> First, am I really the first person to try running CGI scripts from
> ZServer?  I have found some hints here and there of people doing
> somewhat similar things, but I haven't yet found a product for easily
> adding legacy CGI scripts to a Zope site.  It seems most people run Zope
> behind Apache.  Is ZServer really slow or buggy or something?

...other good stuff snipped...

I have a similar question. I am planning and building a site in which about
50% of the content needs to be accessed using SSL only (it's personal
information and we are using 128-bit SSL).

Since I am only the databaseweb-guy and not a sysadmin-guy (yet :), I had
one of my colleagues configure Apache and Zope using the "Apache  ZServer"
how to. This works well and Apache serves Zope pretty well and we can even
use SSL (there are some issues to be resolved that I suspect are due to
misconfiguration on our server). However, I can always access Zope directly
using port 8080 (or whatever port where ZServer is listening to) without
SSL.

This is obviously not the intended behaviour. Is there a way to prevent
this? I know there is ZServerSSL but isn't the whole point of using Apache
that it is a better and more robust web-server than ZServer? (apart from the
fact that we need to serve a lot of static content as well).

What are the main reasons for serving Zope behind Apache?

Thanks for any input,

Sincerely,

/dario

- 
Dario Lopez-Kästen Systems Developer  Chalmers Univ. of Technology
[EMAIL PROTECTED]  ICQ will yield no hits  IT Systems  Services






Re: [Zope] Reasons for Apache?? SSL?? (was Running Mailman CGI under Zope ZServer)

2000-11-17 Thread Joachim Werner

> how to. This works well and Apache serves Zope pretty well and we can even
> use SSL (there are some issues to be resolved that I suspect are due to
> misconfiguration on our server). However, I can always access Zope directly
> using port 8080 (or whatever port where ZServer is listening to) without
> SSL.
>
> This is obviously not the intended behaviour. Is there a way to prevent
> this? I know there is ZServerSSL but isn't the whole point of using Apache
> that it is a better and more robust web-server than ZServer? (apart from the
> fact that we need to serve a lot of static content as well).
>
> What are the main reasons for serving Zope behind Apache?

A lot of Zope sites (including www.zope.org itself) actually use Apache only
as a proxy server, i.e. Apache doesn't SERVE the content, but just relays
requests to ZServer (you'd need the SiteAccess product on the Zope part for
this configuration option). So you can have different Zope servers serve
parts of the same web site, use Apache to set up virtual servers, or easily
set up SSL for parts of your site. Apache can then also be used to serve
static parts of your web site, like large documents or images. Also, Apache
can be used to cache Zope requests. ZServer (with or without Apache as a
proxy) is definitely faster than any other option (FastCGI, ...).

Regarding your problem: Set up a simple packet filter firewall (most Linux
distros have scripts for that, e.g. SuSE has "firewals") and don't allow
access to port 8080.

Cheers

Joachim.

