On Thu, Jan 11, 2007 at 12:25:26PM -0500, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote on 01/11/2007 12:07:37 PM:
>
> > Hi,
> >
> > I am writing a thesis about the security of Zope and have these
> > questions. I am wondering if this is the right place to ask.
> >
> > Is Zope behind Apache the only solution to provide SSL connection to
> > Zope?
>
> No, but it is the most common setup. Zope is believed to be very secure,
> but it has had, in no way, the amount of exposure, and thus
> battle-hardening that Apache has.
>
> Moreover using another web server in front of Zope has other benefits --
> 1) Static content can usually be displayed faster using a system tuned
>    for static content, rather than one tuned for dynamic content.
> 2) URL-rewriting makes it possible to transparently distribute
>    site content to multiple Zope versions or multiple machines.
> 3) In some circumstances, the front-end webserver can provide caching
>    services, reducing the load on the Zope portion.

I would add 4) the front-end server can provide "sanitizing" of requests
from buggy or malicious clients. A search of the mail archives will find
many people advising the same thing. I recently experienced it myself.

I wasted a lot of time recently trying to find out why Zope was leaking
memory on XML-RPC requests *only* from a certain client. The leak was
small, but under load, Zope would exhaust the system's memory after a few
days. I could never determine the cause, nor could I provoke the leak
with other clients.

Then one day, the client switched from one Java XML-RPC library (an old
version of the Apache xmlrpc library) to another (Redstone I think), and
immediately the symptom stopped. Zope's memory usage became quite stable.
Nothing else was changed.

A good, battle-tested reverse proxy in front of Zope should help protect
against that kind of thing.

-- 
Paul Winkler
http://www.slinkp.com
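
The front-end arrangement discussed in this thread, sketched as an Apache 2.4 virtual host; this is an added example, not configuration from the original messages. The hostname, file paths, loopback port 8080 and limit values are assumptions, as is a VirtualHostMonster object in the Zope root and mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http being loaded.

```apache
# Added example. www.example.org, all paths, port 8080 and the limit
# values are constructed placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName www.example.org

    # SSL terminates here; Zope listens on loopback HTTP only and is
    # never exposed to clients directly.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Point 4 (sanitizing): Apache parses every request first and refuses
    # oversized request lines, headers and bodies before anything is
    # forwarded. These are generic bounds; they are not known to address
    # the XML-RPC leak described in the message.
    LimitRequestLine      8190
    LimitRequestFields    50
    LimitRequestFieldSize 8190
    LimitRequestBody      1048576

    # Point 1 (static content): served from disk by Apache, not by Zope.
    Alias /static/ /var/www/static/
    <Directory /var/www/static/>
        Require all granted
    </Directory>

    # Point 2 (URL rewriting): everything else is proxied to Zope. The
    # VirtualHostBase/VirtualHostRoot path segments tell Zope's
    # VirtualHostMonster which public scheme, host and port to use when
    # it generates URLs.
    RewriteEngine On
    RewriteRule ^/static/ - [L]
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.example.org:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

Binding Zope's HTTP server to 127.0.0.1 is what makes the proxy the only path in; if Zope still listens on a public interface, clients can bypass every limit set here.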
