On Thu, Jan 11, 2007 at 12:25:26PM -0500, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote on 01/11/2007 12:07:37 PM:
> > Hi,
> > 
> > I am writing a thesis about the security of Zope and have these
> > questions. I am wondering if this is the right place to ask.
> > 
> > Is Zope behind Apache the only solution to provide SSL connection to Zope?
> No, but it is the most common setup.  Zope is believed to be very secure,
> but it has had, in no way, the amount of exposure, and thus battle-hardening
> that Apache has.
> Moreover using another web server in front of Zope has other benefits --
>   1)  Static content can usually be displayed faster using a system tuned
>       for static content, rather than one tuned for dynamic content.
>   2)  URL-rewriting makes it possible to transparently distribute site
>       content to multiple Zope versions or multiple machines.
>   3)  In some circumstances, the front-end webserver can provide caching
>       services, reducing the load on the Zope portion.

I would add 4) the front-end server can provide "sanitizing" of
requests from buggy or malicious clients.

A search of the mail archives will find many people advising the same
thing. I recently experienced it myself. I wasted a lot of time
recently trying to find out why Zope was leaking memory on XML-RPC
requests *only* from a certain client. The leak was small, but under
load, Zope would exhaust the system's memory after a few days. I could
never determine the cause, nor could I provoke the leak with other

Then one day, the client switched from one Java XML-RPC library (an
old version of the Apache xmlrpc library) to another (Redstone I
think), and immediately the symptom stopped. Zope's memory usage
became quite stable. Nothing else was changed.

A good, battle-tested reverse proxy in front of Zope should help
protect against that kind of thing.


Paul Winkler
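For readers who want to see points 1), 2) and 4) in one place, here is an added example of an Apache 2.4 front end for Zope (it is not from the thread, from Zope's own documentation, or from Apache's). It assumes Zope listens on 127.0.0.1:8080, that the site lives in a Zope folder named /mysite with the default VirtualHostMonster in the root, that mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http are loaded, and that the certificate paths and hostname are placeholders.

```apache
# Added example, not from the thread. Names, paths and ports are assumptions.
<VirtualHost *:443>
    ServerName www.example.com

    # SSL terminates at Apache; Zope only ever sees plain HTTP from localhost,
    # so port 8080 should be firewalled from everything except this host.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # 1) Static content is served by Apache directly and never reaches Zope.
    Alias /static/ /var/www/static/
    <Directory /var/www/static>
        Require all granted
    </Directory>

    # 4) Cheap request sanitising before anything is proxied: bound the body
    #    size (10 MiB here) and allow only the HTTP methods the site needs,
    #    which also covers XML-RPC, since that is just a POST of text/xml.
    LimitRequestBody 10485760
    <Location />
        <LimitExcept GET POST HEAD>
            Require all denied
        </LimitExcept>
    </Location>

    # 2) VirtualHostMonster rewrite: Zope is told the public scheme, host and
    #    port, so every URL it generates is https://www.example.com/...
    #    The [P] flag proxies the rewritten URL instead of redirecting to it.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/static/
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/mysite/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

A plain-HTTP `<VirtualHost *:80>` that redirects to https, and a ZServer configured to bind only to 127.0.0.1, complete the picture.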
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )