Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-15 Thread Oliver Bleutgen
Jamie Heilman wrote:

Leonardo Rochael Almeida wrote:


RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

This way you don't have to worry about what hostname the user uses to
access their site.


[security considerations snipped]


And here's an argument which is not security related:
This RewriteRule is broken, because HTTP_HOST might contain the port 
number. IIRC, wget does this, and the HTTP RFC does allow that.

cheers,
oliver


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-14 Thread Guido van Rossum
 of course, you should also close port 8080 (or whatever your zope server 
 runs on) from any access from hosts other than 127.0.0.1

Actually, I think you can do this already by *binding* that port only
on 127.0.0.1.  I believe there's a host parameter that lets you
specify the host to bind to.

--Guido van Rossum (home page: http://www.python.org/~guido/)




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-14 Thread Romain Slootmaekers

here's an edited repost from an answer I got from this mailing list.
it has helped me with zope+apache (+ ssl) and is a good start for the
documentation upgrade, (although I personally use the apache proxypass 
directives)

-- original help from Leonardo Rochael Almeida [EMAIL PROTECTED] --


Here is how you'd do it with VirtualHostMonster and apache:

1. add a single virtual host monster to your Zope root. Give it any
id you want. You can be creative, 'cause it won't matter :-)

2. In apache, change your configuration to read like below. To
understand why the ProxyPass urls read like that, look at the
VirtualHostMonster object or consult the SiteAccess2 documentation here:
http://www.zope.org/Members/4am/SiteAccess2/info

### Apache ###

# better to use the IP address instead of the name here,
# to avoid dns lookups on apache initialization
NameVirtualHost www.greatsite.com

# better to use the IP address here too, for the same reason
<VirtualHost www.greatsite.com>
  # here you put the server name instead of the address.
  # it won't result in a dns lookup.
  ServerName www.greatsite.com
  # secure /private (the capture group supplies $1)
  RedirectMatch permanent ^/private(.*)$ https://www.greatsite.com/private$1
  # the :80 below is NECESSARY. Don't omit it
  ProxyPass / http://127.0.0.1:8080/VirtualHostBase/http/www.greatsite.com:80/greatsite/VirtualHostRoot/
</VirtualHost>

NameVirtualHost www.greatsite.com:443

<VirtualHost www.greatsite.com:443>
  ServerName www.greatsite.com
  # note the protocol specification after VirtualHostBase. As above,
  # the port specification is not optional
  ProxyPass / http://127.0.0.1:8080/VirtualHostBase/https/www.greatsite.com:443/greatsite/VirtualHostRoot/
  SSLEngine on
  SSLCertificateFile /etc/httpd/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
</VirtualHost>

EOF

I haven't tested the configuration above. I'd use RewriteRules instead
of RedirectMatch and ProxyPass, but just because that's what I'm used to
doing.

Notice that ProxyPassReverse directives aren't needed, because the
VirtualHostMonster, when presented with the above URLs, effectively
convinces Zope that it's running in the above mentioned ports and
protocols.

No SiteRoot objects are needed.
--- end of original help ---


have fun,

Sloot.


--
Science can amuse and fascinate us all,
 but it is engineering that changes the world.
 Isaac Asimov






Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-14 Thread Andy McKay
RewriteRules, and to a lesser extent, ProxyPass, has almost completely 
replaced any CGI method with Apache. However, I don't know the status 
with other servers, primarily IIS, so I think it shouldn't be dropped 
completely.

Good point regarding IIS. I think it's possible to make the ASP 404 
script best practice with IIS now (thanks to Leonardo 
http://www.zope.org/Members/hiperlogica/ASP404). As long as we make PCGI 
available there should be no problem.
--
  Andy McKay




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-14 Thread Leonardo Rochael Almeida
Beware, random notes below

On Fri, 2003-02-14 at 11:24, Romain Slootmaekers wrote:
 
 here's an edited repost from an answer I got from this mailing list.
 it has helped me with zope+apache (+ ssl) and is a good start for the
 documentation upgrade, (although I personally use the apache proxypass 
 directives)
 
 -- original help from Leonardo Rochael Almeida [EMAIL PROTECTED] --
 [...]

Wow, I'd forgotten about that one :-)

Anyway, nowadays I use RewriteRules with [P] exclusively because they
let me do something ProxyPass doesn't:

RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]

This way you don't have to worry about what hostname the user uses to
access their site. You can get cookie problems and multiple logon
problems if Zope's idea of the hostname is different from the browser's.

In any case, I believe we should still have a proper persistent protocol
to connect a frontend webserver to Zope. The current http proxying
method, which is used by most everyone now, is fast enough for the
majority of uses, but it still incurs a tcp tearup+teardown for every
hit.

I believe we should have a proper persistent protocol, either PCGI or
FastCGI (but probably not both, to avoid confusion), to connect Zope and
front-end webservers and we should also make an effort to keep the
connectors from major HTTP servers to those protocols in good shape.
Apache+FastCGI+Zope work really nice (sans RESPONSE.write() streaming
pages), but I couldn't get IIS+FastCGI to work no matter what I tried
(IIS insists on associating the fastcgi connector with an extension, no
matter what you do. Yes, you can associate it with all extensions. No,
it doesn't work).

I have some ideas about how to make a good IIS connector (definition of
good: fast, with pretty URLs). It could be developed first with WinHTTP
to take advantage of the current design of ASP404, but it would be
faster if it didn't have to make and break a connection for every
request. I haven't started on it yet because my expertise lies in 'nix
development, so I'd prefer if someone with better Win32 devel skills
took the job. If anyone is interested, drop me a line.

Also, I'm holding on to the next ASP404 release because I need to give
it better error handling and logging. All hits thru ASP404 look to IIS
like, you guessed it, 404 errors instead of hits, so when you hide Zope
behind IIS there's no single reliable access log you can use. If anyone
can give me hints on these topics, please drop me a line too.

Cheers, Leo

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.





Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-14 Thread Shane Hathaway
Leonardo Rochael Almeida wrote:

I believe we should have a proper persistent protocol, either PCGI or
FastCGI (but probably not both, to avoid confusion), to connect Zope and
front-end webservers and we should also make an effort to keep the
connectors from major HTTP servers to those protocols in good shape.
Apache+FastCGI+Zope work really nice (sans RESPONSE.write() streaming
pages), but I couldn't get IIS+FastCGI to work no matter what I tried
(IIS insists on associating the fastcgi connector with an extension, no
matter what you do. Yes, you can associate it with all extensions. No,
it doesn't work).


FYI, SCGI is a new(ish) contender.  It looks nice and simple, and it's 
designed for Python.

http://www.mems-exchange.org/software/scgi/

Shane




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-14 Thread Jamie Heilman
Leonardo Rochael Almeida wrote:
 RewriteRule ^(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}:%{SERVER_PORT}/some/folder/VirtualHostRoot$1 [P,L]
 
 This way you don't have to worry about what hostname the user uses to
 access their site.

Ugh.  The host header should be considered tainted data, and you just
slapped it into a proxy request blindly.  This probably isn't a good
idea.  Apache is only going to hold your hand so much here when it
comes to protecting against various attempts at coercion.  Go read
src/main/http_vhost.c from the apache 1.3 source, jump down to around
line 690.  Apache's sanity checking is done in the context of the
filesystem, not Zope URI space.  There are things it's going to let
through which could lead to undesired behavior--underscores, question
marks--use your imagination.  (btw, your pattern is goofy, you don't
need the ^ or $, (.*) is greedy enough by itself)

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
I was in love once -- a Sinclair ZX-81.  People said, No, Holly, she's 
 not for you. She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway.  -Holly
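
An added example, not part of any message in this thread: a Python illustration of the two objections raised against the %{HTTP_HOST} RewriteRule (the Host header is client-controlled data, and it may already carry a port). The allowlist, function names and sample Host values are assumptions made for the illustration; the backend address and folder are the ones used in the thread.

```python
import re

BACKEND = "http://127.0.0.1:8080"        # Zope address used in the thread
ALLOWED_HOSTS = {"www.greatsite.com"}     # constructed allowlist (assumption)

# Hostname = dot-separated labels of letters, digits and inner hyphens,
# optionally followed by ":port". Underscores, "?", "/" etc. never match.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile("(" + _LABEL + r"(?:\." + _LABEL + r")*)(?::([0-9]{1,5}))?")


def naive_url(host_header, server_port, path, folder="/some/folder"):
    """Mirror the thread's RewriteRule: the Host header is copied verbatim."""
    return "%s/VirtualHostBase/http/%s:%s%s/VirtualHostRoot%s" % (
        BACKEND, host_header, server_port, folder, path)


def parse_host(host_header):
    """Split a Host header into (hostname, port or None); reject anything else."""
    m = _HOST_RE.fullmatch(host_header.lower())
    if m is None:
        raise ValueError("malformed Host header: %r" % host_header)
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 0 < port < 65536:
        raise ValueError("port out of range: %r" % host_header)
    return m.group(1), port


def safe_url(host_header, server_port, path, folder="/some/folder"):
    """Build the VirtualHostMonster URL from a validated, allowlisted name."""
    name, _client_port = parse_host(host_header)
    if name not in ALLOWED_HOSTS:
        raise ValueError("host not served here: %r" % name)
    # The port comes from the listener (SERVER_PORT), never from the client.
    return "%s/VirtualHostBase/http/%s:%d%s/VirtualHostRoot%s" % (
        BACKEND, name, int(server_port), folder, path)


def is_accepted(host_header):
    """True if safe_url() would proxy a request carrying this Host header."""
    try:
        safe_url(host_header, 80, "/")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample Host headers, not taken from the thread.
    for host in ("www.greatsite.com", "www.greatsite.com:80", "WWW.GREATSITE.COM",
                 "www.greatsite.com?x", "some_host", "other.example"):
        print("%-24r accepted=%-5s naive=%s"
              % (host, is_accepted(host), naive_url(host, 80, "/")))
```

In Apache itself the same effect comes from proxying only for explicitly configured ServerName values instead of interpolating %{HTTP_HOST}, as the ProxyPass configuration elsewhere in the thread does.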




[Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Dieter Maurer
Jim Fulton wrote at 2003-2-13 11:30 -0500:
  I'm wondering how PCGI should be supported in Zope moving forward.
Do we still need it?

I would prefer to drop it (to reduce complexity).


Dieter




[Zope-dev] Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Craeg Strong

How about making it a separately downloadable
add-on like LocalFS, Squishdot, etc. etc.

--Craeg

 Jim Fulton wrote at 2003-2-13 11:30 -0500:
   I'm wondering how PCGI should be supported in Zope moving forward.
 Do we still need it?

 I would prefer to drop it (to reduce complexity).


 Dieter




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Andy McKay
But mostly I thought PCGI (and FastCGI) was the preferred way, since it 
is covered in detail in Zope's doc/WEBSERVER.TXT and neither mod_proxy 
nor mod_redirect are mentioned in there. ;-)

Unfortunately that's more a matter of documentation inertia than 
anything. There are more articles on Zope.org about PCGI as well simply 
because it has been around the longest, although almost everyone I know 
runs through mod_proxy nowadays.
--
  Andy McKay




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Jeff Rush
Having only ever used Zope-behind-PCGI myself, if we drop it, what would 
be the prevailing approach for running Zope behind Apache?  Has everyone 
switched to FastCGI (or Quixote's SCGI) but me?

Be aware that there are Zope-specific patches (some of which I provided) 
in the version of PCGI that Zope ships with, so you can't refer everyone 
to the non-Zope version of PCGI available elsewhere on the web.  The 
patches relate to error handling and meaningful reporting, not core 
functionality.

-Jeff


Dieter Maurer wrote:
Jim Fulton wrote at 2003-2-13 11:30 -0500:
  I'm wondering how PCGI should be supported in Zope moving forward.
Do we still need it?

I would prefer to drop it (to reduce complexity).





Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Tim Hoffman
Hi

I have always run Zope behind Apache utilising mod_proxy.

I have to admit I never tried or really even evaluated pcgi, and don't 
build it when I install Zope.

Is there a benefit of pcgi over using mod_proxy?

Rgds

Tim Hoffman


On Fri, 2003-02-14 at 09:16, Jeff Rush wrote:
 Having only ever used Zope-behind-PCGI myself, if we drop it, what would 
 be the prevailing approach for running Zope behind Apache?  Has everyone 
 switched to FastCGI (or Quixote's SCGI) but me?
 
 Be aware that there are Zope-specific patches (some of which I provided) 
 in the version of PCGI that Zope ships with, so you can't refer everyone 
 to the non-Zope version of PCGI available elsewhere on the web.  The 
 patches relate to error handling and meaningful reporting, not core 
 functionality.
 
 -Jeff
 
 
 Dieter Maurer wrote:
  Jim Fulton wrote at 2003-2-13 11:30 -0500:
I'm wondering how PCGI should be supported in Zope moving forward.
  Do we still need it?
  
  I would prefer to drop it (to reduce complexity).
 
 



Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Guido van Rossum
[me]
 AFAIK most people use Apache's mod_redirect to a Zope HTTP server
 running at (e.g.) port 8000.  No additional software needed.

I meant mod_proxy of course.

--Guido van Rossum (home page: http://www.python.org/~guido/)




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Guido van Rossum
 Having only ever used Zope-behind-PCGI myself, if we drop it, what would 
 be the prevailing approach for running Zope behind Apache?  Has everyone 
 switched to FastCGI (or Quixote's SCGI) but me?

AFAIK most people use Apache's mod_redirect to a Zope HTTP server
running at (e.g.) port 8000.  No additional software needed.

--Guido van Rossum (home page: http://www.python.org/~guido/)




Re: [Zope-dev] Re: [Zope] PCGI?

2003-02-13 Thread Jeff Rush
I had thought (obviously incorrectly) that mod_proxy was hard to 
configure correctly to pass all headers, particularly in complex virtual 
hosting scenarios.  But I'm no Apache expert.

And I thought that mod_redirect added overhead to every request, doing 
the redirect cycle via the browser.  It also exposed the port 8000-based 
Zope to direct access, which some admins might not want.

But mostly I thought PCGI (and FastCGI) was the preferred way, since it 
is covered in detail in Zope's doc/WEBSERVER.TXT and neither mod_proxy 
nor mod_redirect are mentioned in there. ;-)

I just figured PCGI was cleaner and let me delegate responsibility to 
each hosting client, to manage their own CGI-BIN stuff w/o access to 
Apache's config files.

So if we drop PCGI, we'll need an action item to rework that file and 
perhaps ZopeBook et al.

-Jeff



Tim Hoffman wrote:

I have always run Zope behind Apache utilising mod_proxy.

I have to admit I never tried or really even evaluated pcgi, and don't 
build it when I install Zope.

Is there a benefit of pcgi over using mod_proxy ?


Guido van Rossum wrote:

 AFAIK most people use Apache's mod_redirect to a Zope HTTP server
 running at (e.g.) port 8000.  No additional software needed.


On Fri, 2003-02-14 at 09:16, Jeff Rush wrote:


Having only ever used Zope-behind-PCGI myself, if we drop it, what would 
be the prevailing approach for running Zope behind Apache?  Has everyone 
switched to FastCGI (or Quixote's SCGI) but me?


