Re: [Zope-dev] Re: [Zope] PCGI?
Jamie Heilman wrote:
> Leonardo Rochael Almeida wrote:
> > RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]
> >
> > This way you don't have to worry about what hostname the user uses to access their site.

[security considerations snipped]

And here's an argument which is not security related: This RewriteRule is broken, because HTTP_HOST might contain the port number. IIRC, wget does this, and the HTTP RFC does allow that.

cheers,
oliver

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: [Zope] PCGI?
> of course, you should also close port 8080 (or whatever your zope server runs on) from any access from hosts other than 127.0.0.1

Actually, I think you can do this already by *binding* that port only on 127.0.0.1. I believe there's a host parameter that lets you specify the host to bind to.

--Guido van Rossum (home page: http://www.python.org/~guido/)
Re: [Zope-dev] Re: [Zope] PCGI?
here's an edited repost from an answer I got from this mailing list. it has helped me with zope+apache (+ ssl) and is a good start for the documentation upgrade, (although I personally use the apache proxypass directives)

-- original help from Leonardo Rochael Almeida [EMAIL PROTECTED] --

Here is how you'd do it with VirtualHostMonster and apache:

1. add a single one virtual host monster to your Zope root. Give it any id you want. You can be creative, 'cause it won't matter :-)

2. In apache, change your configuration to read like below. To understand why the ProxyPass urls read like that, look at the VirtualHostMonster object or consult the SiteAccess2 documentation here: http://www.zope.org/Members/4am/SiteAccess2/info

### Apache ###

# better to use the IP address instead of the name here,
# to avoid dns lookups on apache initialization
NameVirtualHost www.greatsite.com

# better to use the IP address here too, for the same reason
<VirtualHost www.greatsite.com>
  # here you put the server name instead of the address.
  # it won't result in a dns lookup.
  ServerName www.greatsite.com

  # secure /private
  # (.*) captures the rest of the path so that $1 has something to expand to
  RedirectMatch permanent ^/private(.*) https://www.greatsite.com/private$1

  # the :80 below is NECESSARY. Don't omit it
  ProxyPass / http://127.0.0.1:8080/VirtualHostBase/http/www.greatsite.com:80/greatsite/VirtualHostRoot/
</VirtualHost>

NameVirtualHost www.greatsite.com:443
<VirtualHost www.greatsite.com:443>
  ServerName www.greatsite.com

  # note the protocol specification after VirtualHostBase. As above,
  # the port specification is not optional
  ProxyPass / http://127.0.0.1:8080/VirtualHostBase/https/www.greatsite.com:443/greatsite/VirtualHostRoot/

  SSLEngine on
  SSLCertificateFile /etc/httpd/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
</VirtualHost>

EOF

I haven't tested the configuration above. I'd use RewriteRules instead of RedirectMatch and ProxyPass, but just because that's what I'm used to doing.

Notice that ProxyPassReverse directives aren't needed, because the VirtualHostMonster, when presented with the above URLs, effectively convinces Zope that it's running in the above mentioned ports and protocols. No SiteRoot objects are needed.

--- end of original help ---

have fun,
Sloot.

--
Science can amuse and fascinate us all, but it is engineering that changes the world. Isaac Asimov
Re: [Zope-dev] Re: [Zope] PCGI?
> RewriteRules, and to a lesser extent, ProxyPass, has almost completely replaced any CGI method with Apache. However, I don't know the status with other servers, primarily IIS, so I think it shouldn't be dropped completely.

Good point regarding IIS. I think it's possible to make the ASP 404 script best practice with IIS now (thanks to Leonardo http://www.zope.org/Members/hiperlogica/ASP404). As long as we make PCGI available there should be no problem.

--
Andy McKay
Re: [Zope-dev] Re: [Zope] PCGI?
Beware, random notes below

On Fri, 2003-02-14 at 11:24, Romain Slootmaekers wrote:
> here's an edited repost from an answer I got from this mailing list. it has helped me with zope+apache (+ ssl) and is a good start for the documentation upgrade, (although I personally use the apache proxypass directives)
>
> -- original help from Leonardo Rochael Almeida [EMAIL PROTECTED] --
> [...]

Wow, I'd forgotten about that one :-)

Anyway, nowadays I use RewriteRules with [P] exclusively because they let me do something ProxyPass doesn't:

RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

This way you don't have to worry about what hostname the user uses to access their site. You can get cookie problems and multiple logon problems if Zope's idea of the hostname is different from the browser's.

In any case, I believe we should still have a proper persistent protocol to connect a frontend webserver to Zope. The current http proxying method, which is used by most everyone now, is fast enough for the majority of uses, but it still incurs a tcp tearup+teardown for every hit.

I believe we should have a proper persistent protocol, either PCGI or FastCGI (but probably not both, to avoid confusion), to connect Zope and front-end webservers and we should also make an effort to keep the connectors from major HTTP servers to those protocols in good shape.

Apache+FastCGI+Zope work really nice (sans RESPONSE.write() streaming pages), but I couldn't get IIS+FastCGI to work no matter what I tried (IIS insists on associating the fastcgi connector with an extension, no matter what you do. Yes, you can associate it with all extensions. No, it doesn't work).

I have some ideas about how to make a good IIS connector (definition of good: fast, with pretty URLs). It could be developed first with WinHTTP to take advantage of the current design of ASP404, but it would be faster if it didn't have to make and break a connection for every request. I haven't started on it yet because my expertise lies in 'nix development, so I'd prefer if someone with better Win32 devel skills took the job. If anyone is interested, drop me a line.

Also, I'm holding on to the next ASP404 release because I need to give it better error handling and logging. All hits thru ASP404 look to IIS like, you guessed it, 404 errors instead of hits, so when you hide Zope behind IIS there's no single reliable access log you can use. If anyone can give me hints on these topics, please drop me a line too.

Cheers, Leo

--
Ideas don't stay in some minds very long because they don't like solitary confinement.
Re: [Zope-dev] Re: [Zope] PCGI?
Leonardo Rochael Almeida wrote:
> I believe we should have a proper persistent protocol, either PCGI or FastCGI (but probably not both, to avoid confusion), to connect Zope and front-end webservers and we should also make an effort to keep the connectors from major HTTP servers to those protocols in good shape.
>
> Apache+FastCGI+Zope work really nice (sans RESPONSE.write() streaming pages), but I couldn't get IIS+FastCGI to work no matter what I tried (IIS insists on associating the fastcgi connector with an extension, no matter what you do. Yes, you can associate it with all extensions. No, it doesn't work).

FYI, SCGI is a new(ish) contender. It looks nice and simple, and it's designed for Python.

http://www.mems-exchange.org/software/scgi/

Shane
Re: [Zope-dev] Re: [Zope] PCGI?
Leonardo Rochael Almeida wrote:
> RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]
>
> This way you don't have to worry about what hostname the user uses to access their site.

Ugh. The host header should be considered tainted data, and you just slapped it into a proxy request blindly. This probably isn't a good idea. Apache is only going to hold your hand so much here when it comes to protecting against various attempts at coercion. Go read src/main/http_vhost.c from the apache 1.3 source, jump down to around line 690. Apache's sanity checking is done in the context of the filesystem, not Zope URI space. There are things it's going to let through which could lead to undesired behavior--underscores, question marks--use your imagination.

(btw, your pattern is goofy, you don't need the ^ or $, (.*) is greedy enough by itself)

--
Jamie Heilman http://audible.transient.net/~jamie/
I was in love once -- a Sinclair ZX-81. People said, No, Holly, she's not for you. She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway. -Holly
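Both objections raised in this thread to the %{HTTP_HOST} rule (the header is client-controlled, and it may already carry a port) can be met by checking the header against a list of known names before it is used. The following is an added example, not configuration posted by anyone in the thread; the alias greatsite.com is an assumption, and /some/folder is the placeholder path from the quoted rule.

```apache
RewriteEngine On

# Weak form quoted above: the client-supplied Host header is copied into the
# backend URL unchecked, and a header of the form "host:port" produces
# "host:port:port" once %{SERVER_PORT} is appended.
#RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

# Hardened form: the condition matches only the listed names (lower case,
# as browsers send them), optionally followed by ":digits". The first group
# holds the bare hostname, so %1 never contains a port or any other
# character outside the listed names.
RewriteCond %{HTTP_HOST} ^(www\.greatsite\.com|greatsite\.com)(:[0-9]+)?$
RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%1:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

# Any request whose Host header did not match is refused by Apache and is
# never proxied to Zope.
RewriteRule ^ - [F]
```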
[Zope-dev] Re: [Zope] PCGI?
Jim Fulton wrote at 2003-2-13 11:30 -0500:
> I'm wondering how PCGI should be supported in Zope moving forward. Do we still need it?

I would prefer to drop it (to reduce complexity).

Dieter
[Zope-dev] Re: [Zope-dev] Re: [Zope] PCGI?
How about making it a separately downloadable add-on like LocalFS, Squishdot, etc. etc.

--Craeg

> Jim Fulton wrote at 2003-2-13 11:30 -0500:
> > I'm wondering how PCGI should be supported in Zope moving forward. Do we still need it?
>
> I would prefer to drop it (to reduce complexity).
>
> Dieter
Re: [Zope-dev] Re: [Zope] PCGI?
> But mostly I thought PCGI (and FastCGI) was the preferred way, since it is covered in detail in Zope's doc/WEBSERVER.TXT and neither mod_proxy nor mod_redirect are mentioned in there. ;-)

Unfortunately that's more a matter of documentation inertia more than anything. There are more articles on Zope.org about PCGI as well simply because it has been around the longest, although almost everyone I know runs through mod_proxy nowadays.

--
Andy McKay
Re: [Zope-dev] Re: [Zope] PCGI?
Having only ever used Zope-behind-PCGI myself, if we drop it, what would be the prevailing approach for running Zope behind Apache? Has everyone switched to FastCGI (or Quixote's SCGI) but me?

Be aware that there are Zope-specific patches (some of which I provided) in the version of PCGI that Zope ships with, so you can't refer everyone to the non-Zope version of PCGI available elsewhere on the web. The patches relate to error handling and meaningful reporting, not core functionality.

-Jeff

Dieter Maurer wrote:
> Jim Fulton wrote at 2003-2-13 11:30 -0500:
> > I'm wondering how PCGI should be supported in Zope moving forward. Do we still need it?
>
> I would prefer to drop it (to reduce complexity).
Re: [Zope-dev] Re: [Zope] PCGI?
Hi

I have always run Zope behind Apache utilising mod_proxy. I have to admit I never tried or really even evaluated pcgi, and don't build it when I install Zope.

Is there a benefit of pcgi over using mod_proxy?

Rgds

Tim Hoffman

On Fri, 2003-02-14 at 09:16, Jeff Rush wrote:
> Having only ever used Zope-behind-PCGI myself, if we drop it, what would be the prevailing approach for running Zope behind Apache? Has everyone switched to FastCGI (or Quixote's SCGI) but me?
>
> Be aware that there are Zope-specific patches (some of which I provided) in the version of PCGI that Zope ships with, so you can't refer everyone to the non-Zope version of PCGI available elsewhere on the web. The patches relate to error handling and meaningful reporting, not core functionality.
>
> -Jeff
>
> Dieter Maurer wrote:
> > Jim Fulton wrote at 2003-2-13 11:30 -0500:
> > > I'm wondering how PCGI should be supported in Zope moving forward. Do we still need it?
> >
> > I would prefer to drop it (to reduce complexity).
Re: [Zope-dev] Re: [Zope] PCGI?
[me]
> AFAIK most people use Apache's mod_redirect to a Zope HTTP server running at (e.g.) port 8000. No additional software needed.

I meant mod_proxy of course.

--Guido van Rossum (home page: http://www.python.org/~guido/)
Re: [Zope-dev] Re: [Zope] PCGI?
> Having only ever used Zope-behind-PCGI myself, if we drop it, what would be the prevailing approach for running Zope behind Apache? Has everyone switched to FastCGI (or Quixote's SCGI) but me?

AFAIK most people use Apache's mod_redirect to a Zope HTTP server running at (e.g.) port 8000. No additional software needed.

--Guido van Rossum (home page: http://www.python.org/~guido/)
Re: [Zope-dev] Re: [Zope] PCGI?
I had thought (obviously incorrectly) that mod_proxy was hard to configure correctly to pass all headers, particularly in complex virtual hosting scenarios. But I'm no Apache expert.

And I thought that mod_redirect added overhead to every request, doing the redirect cycle via the browser. It also exposed the port 8000-based Zope to direct access, which some admins might not want.

But mostly I thought PCGI (and FastCGI) was the preferred way, since it is covered in detail in Zope's doc/WEBSERVER.TXT and neither mod_proxy nor mod_redirect are mentioned in there. ;-)

I just figured PCGI was cleaner and let me delegate responsibility to each hosting client, to manage their own CGI-BIN stuff w/o access to Apache's config files.

So if we drop PCGI, we'll need an action item to rework that file and perhaps ZopeBook et al.

-Jeff

Tim Hoffman wrote:
> I have always run Zope behind Apache utilising mod_proxy. I have to admit I never tried or really even evaluated pcgi, and don't build it when I install Zope.
>
> Is there a benefit of pcgi over using mod_proxy?

Guido van Rossum wrote:
> AFAIK most people use Apache's mod_redirect to a Zope HTTP server running at (e.g.) port 8000. No additional software needed.

On Fri, 2003-02-14 at 09:16, Jeff Rush wrote:
> Having only ever used Zope-behind-PCGI myself, if we drop it, what would be the prevailing approach for running Zope behind Apache? Has everyone switched to FastCGI (or Quixote's SCGI) but me?