Re: [Zope] Reasons for Apache?? SSL?? (was Running Mailman CGI under Zope ZServer)
Joachim Werner [EMAIL PROTECTED] said:
> Apache can then also be used to serve static parts of your web site, like
> large documents or images. Also, Apache can be used to cache Zope requests.

I use Squid, not Apache, as a reverse web proxy in front of Zope. I did a bit of testing, and you can very well serve your static content from Zope in this setup - I am planning to assign caching control properties to parts of the document structure and make Zope 'kick' Squid for a refresh when cached documents are edited. Initial experiments got me 500 requests per second on cached documents - Zope wasn't touched at all.

> Regarding your problem: Set up a simple packet filter firewall (most Linux
> distros have scripts for that, e.g. SuSE has "firewals") and don't allow
> access to port 8080.

Something like

% ipchains -A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT

should totally block port 8080. If you work from 1.2.3.4, you can do:

% ipchains -I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT

and your machine is the only one that can get to this port. If you want to have this done automagically, create /etc/ipchains.conf:

% cat > /etc/ipchains.conf <<EOF
-I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
EOF

and execute '/sbin/ipchains-restore < /etc/ipchains.conf' from /etc/rc.d/boot.local (or similar).

Disclaimers: I haven't tested these rules; you should have a kernel that does packet filtering; you're not worth the root password if you let someone else tell you firewalling rules without understanding /exactly/ what they do ;-)

--
Cees de Groot http://www.cdegroot.com [EMAIL PROTECTED]
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD 1986 F303 937F E098 9E8B

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
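Added example, not part of the original message: a small Python model of first-match rule evaluation for the two port-8080 rules in the message above, showing why the exception for 1.2.3.4 has to sit ahead of the blanket REJECT. The Rule and Chain classes, the default ACCEPT policy and the address 203.0.113.7 are assumptions made for illustration; the destination address (0/0 in both rules) is not modeled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str   # source network in CIDR form
    dport: int    # destination TCP port
    target: str   # "ACCEPT" or "REJECT"

    def matches(self, src_ip, dport, proto):
        net = ipaddress.ip_network(self.source)
        return (proto == "tcp" and dport == self.dport
                and ipaddress.ip_address(src_ip) in net)


class Chain:
    """First-match chain with a default policy (hypothetical model)."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []

    def append(self, rule):   # models -A: rule goes to the end of the chain
        self.rules.append(rule)

    def insert(self, rule):   # models -I as the message intends: head of chain
        self.rules.insert(0, rule)

    def verdict(self, src_ip, dport, proto="tcp"):
        for rule in self.rules:
            if rule.matches(src_ip, dport, proto):
                return rule.target   # first matching rule decides
        return self.policy


ADMIN = Rule("1.2.3.4/32", 8080, "ACCEPT")   # address taken from the message
BLOCK = Rule("0.0.0.0/0", 8080, "REJECT")    # 0/0 written out in full


def as_posted():
    chain = Chain()
    chain.append(BLOCK)   # the REJECT rule is issued first in the message
    chain.insert(ADMIN)   # the insert still lands ahead of it
    return chain


def both_appended():
    # Failure mode: an exception appended after the block is never reached.
    chain = Chain()
    chain.append(BLOCK)
    chain.append(ADMIN)
    return chain
```

Traffic to other ports falls through to the chain policy, so these two rules only restrict direct access to the backend port and leave the proxy's own ports untouched.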
[Zope] Reasons for Apache?? SSL?? (was Running Mailman CGI under Zope ZServer)
From: "Fred Wilson Horch" [EMAIL PROTECTED]
Sent: Friday, November 17, 2000 2:22 AM
Subject: [Zope] Running Mailman CGI under Zope ZServer

...snip...
> First, am I really the first person to try running CGI scripts from
> ZServer? I have found some hints here and there of people doing somewhat
> similar things, but I haven't yet found a product for easily adding legacy
> CGI scripts to a Zope site. It seems most people run Zope behind Apache.
> Is ZServer really slow or buggy or something?
...other good stuff snipped...

I have a similar question. I am planning and building a site in which about 50% of the content needs to be accessed using SSL only (it's personal information and we are using 128-bit SSL).

Since I am only the databaseweb-guy and not a sysadmin-guy (yet :), I had one of my colleagues configure Apache and Zope using the "Apache ZServer" how to. This works well and Apache serves Zope pretty well and we can even use SSL (there are some issues to be resolved that I suspect are due to misconfiguration on our server).

However, I can always access Zope directly using port 8080 (or whatever port where ZServer is listening to) without SSL. This is obviously not the intended behaviour. Is there a way to prevent this?

I know there is ZServerSSL but isn't the whole point of using Apache that it is a better and more robust web-server than ZServer? (apart from the fact that we need to serve a lot of static content as well). What are the main reasons for serving Zope behind Apache?

Thanks for any input,

Sincerely,
/dario

- Dario Lopez-Kästen
Systems Developer
Chalmers Univ. of Technology
[EMAIL PROTECTED]
ICQ will yield no hits
IT Systems Services
Re: [Zope] Reasons for Apache?? SSL?? (was Running Mailman CGI under Zope ZServer)
> how to. This works well and Apache serves Zope pretty well and we can even
> use SSL (there are some issues to be resolved that I suspect are due to
> misconfiguration on our server). However, I can always access Zope directly
> using port 8080 (or whatever port where ZServer is listening to) without
> SSL. This is obviously not the intended behaviour. Is there a way to
> prevent this? I know there is ZServerSSL but isn't the whole point of using
> Apache that it is a better and more robust web-server than ZServer? (apart
> from the fact that we need to serve a lot of static content as well). What
> are the main reasons for serving Zope behind Apache?

A lot of Zope sites (including www.zope.org itself) actually use Apache only as a proxy server, i.e. Apache doesn't SERVE the content, but just relays requests to ZServer (you'd need the SiteAccess product on the Zope part for this configuration option). So you can have different Zope servers serve parts of the same web site, use Apache to set up virtual servers, or easily set up SSL for parts of your site.

Apache can then also be used to serve static parts of your web site, like large documents or images. Also, Apache can be used to cache Zope requests.

ZServer (with or without Apache as a proxy) is definitely faster than any other option (FastCGI, ...).

Regarding your problem: Set up a simple packet filter firewall (most Linux distros have scripts for that, e.g. SuSE has "firewals") and don't allow access to port 8080.

Cheers

Joachim.