On Thu, Jan 11, 2007 at 12:25:26PM -0500, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote on 01/11/2007 12:07:37 PM:
> > Hi,
> > I am writing a thesis about the security of Zope and have these
> > questions. I am wondering if this is the right place to ask.
> > Is Zope behind Apache the only solution to provide SSL connection to
> No, but it is the most common setup. Zope is believed to be very secure,
> but it has had, in no way, the amount of exposure, and thus
> that Apache has.
> Moreover using another web server in front of Zope has other benefits --
> 1) Static content can usually be displayed faster using a system tuned
> for static content, rather than one tuned for dynamic content.
> 2) URL-rewriting makes it possible to transparently distribute
> site content to multiple Zope versions or multiple machines.
> 3) In some circumstances, the front-end webserver can provide caching
> services, reducing the load on the Zope portion.
I would add 4) the front-end server can provide "sanitizing" of
requests from buggy or malicious clients.
A search of the mail archives will find many people advising the same
thing. I recently experienced it myself. I wasted a lot of time
recently trying to find out why Zope was leaking memory on XML-RPC
requests *only* from a certain client. The leak was small, but under
load, Zope would exhaust the system's memory after a few days. I could
never determine the cause, nor could I provoke the leak with other
Then one day, the client switched from one Java XML-RPC library (an
old version of the Apache xmlrpc library) to another (Redstone I
think), and immediately the symptom stopped. Zope's memory usage
became quite stable. Nothing else was changed.
A good, battle-tested reverse proxy in front of Zope should help
protect against that kind of thing.
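As an added illustration (not configuration from the thread or from the Zope project), the following Apache 2.4 virtual host shows the four benefits discussed above in one place: TLS termination, static content served locally, URL rewriting into Zope's VirtualHostMonster form, and request-size limits that stop oversized or malformed requests before they reach Zope. The hostname, certificate paths, the static directory and the Zope port 8080 are assumed placeholders; the config requires mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http to be loaded.

```apache
# Added example: Apache as a TLS-terminating reverse proxy in front of a
# Zope instance listening on 127.0.0.1:8080. All names and paths are
# assumed placeholders.

<VirtualHost *:443>
    ServerName www.example.org

    # TLS terminates here; Zope only ever sees plain HTTP on localhost.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # "Sanitizing": reject oversized bodies, request lines and headers
    # before they are forwarded, and drop slow or stalled clients.
    LimitRequestBody      10485760
    LimitRequestLine      8190
    LimitRequestFieldSize 8190
    Timeout               60

    # Static content served directly by Apache, never proxied to Zope.
    Alias /static /var/www/static
    <Directory /var/www/static>
        Options -Indexes
        Require all granted
    </Directory>

    # Everything else is rewritten into VirtualHostMonster form so that
    # Zope generates https:// URLs with the public hostname. Changing the
    # target host/port here is how traffic is moved between Zope instances.
    ProxyRequests Off
    RewriteEngine On
    RewriteRule ^/static/ - [L]
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

The `[P]` flag makes mod_rewrite hand the rewritten request to mod_proxy, and the `VirtualHostBase/.../VirtualHostRoot` path segments are consumed by a VirtualHostMonster object in the Zope root. The `LimitRequest*` directives are what give the "front-end sanitizing" effect: a client sending pathological requests is answered with a 4xx by Apache and never ties up a Zope thread.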
Zope maillist - Zope@zope.org
** No cross posts or HTML encoding! **
(Related lists -