Virtual Hosting in 2.2 - a Bestiary of Buglets
I set up virtual hosting on Zope 2.2.1 with SiteAccess 2. I used Apache with ProxyPass (Apache acting as a reverse HTTP proxy in front of ZServer) instead of FastCGI, since this is much faster (with caching headers Apache is about 10 times as fast as ZServer). The setup is as follows: each site has a folder in /websites, so www.example.com is mapped to /websites/example in Zope. In /websites/example I have an Access Rule that tells Zope that the base URL is http://www.example.com.

Problem 1: HTTP and HTTPS (more of a proxypass issue)
=====================================================

I want to be able to serve both http and https versions of a site from Apache. Problem is, because of the way proxying works, there is no way for Zope to know if it is originally being accessed via http or https.

My solution? Add a folder in the top level of Zope called "ssl". If we see our path as proxied by Apache is /ssl/websites/example, we know we are being accessed via SSL. Because of the magic of acquisition, this works, but it's still an ugly hack, and slows things down.

Here's the SiteAccess rule I used:

    if REQUEST['PATH_INFO'][:5] == '/ssl/':
        REQUEST.setVirtualRoot('/')
        REQUEST.setServerURL(protocol='https', hostname='www.example.com', port='443')
    else:
        REQUEST.setVirtualRoot('/')
        REQUEST.setServerURL(hostname='www.example.com', port='80')

Problem 2: ZCatalog
===================

All the objects in /websites/example are being catalogued with paths such as /websites/example/folder/myObject. However, when I get the object's path using getpath(), it's not adjusted based on the virtual hosting settings - it's still /websites/example/folder/myObject, not /folder/myObject as it should be.

Problem 3: Management interface
===============================

The breadcrumbs in the folder management screen (e.g. "/ folder1 / folder2") still show the "/ websites / example", with links, when using the virtual hosting. That is, the management interface shows folders that we are not supposed to be able to access when we are using virtual hosting.

Problem 4: Access to other virtual hosts (security issue?)
==========================================================

When using virtual hosting, it is still possible to access the /websites folder, for example, using acquisition. So I can view the contents of one website from the other: www.example.com/websites/example2, and www.example2.com/websites/example.

-- 
Itamar S.T.  itamar@maxnm.com
Fingerprint = D365 7BE8 B81E 2B18 6534 025E D0E7 92DB E441 411C
Itamar Shtull-Trauring wrote:
Problem 1: HTTP and HTTPS (more of a proxypass issue)
=====================================================

I want to be able to serve both http and https versions of a site from Apache. Problem is, because of the way proxying works, there is no way for Zope to know if it is originally being accessed via http or https.
There is a patch for Apache which removes this problem, IIRC; stephenh@nipltd.com may be able to help more with that...
My solution? Add a folder in top level of Zope called "ssl". If we see our path as proxied by Apache is /ssl/websites/example, we know we are being accessed via SSL. Because of the magic of acquisition, this works, but it's still an ugly hack,
Why is it an ugly hack? Seems like quite a graceful solution to me...
and slows things down.
By how much? And why is this? I didn't know acquisition caused a loss in performance :-S
Here's the SiteAccess rule I used:
    if REQUEST['PATH_INFO'][:5] == '/ssl/':
        REQUEST.setVirtualRoot('/')
What difference does it make if you do REQUEST.setVirtualRoot('/',1)?
        REQUEST.setServerURL(protocol='https', hostname='www.example.com', port='443')
Not sure about that port... IIUC, setServerURL should mean that all the links on your site contain:

    https://www.examples.com:443/

...is that what you want?

cheers,

Chris
Chris Withers wrote:
What difference does it make if you do REQUEST.setVirtualRoot('/',1)?
This might actually solve most of my problems, since it deletes the parents I don't need from PARENTS. However, when I do this I can't view anything - it keeps raising Unauthorized. Setting the permissions to not acquire and be explicitly on does not help.

-- 
Itamar S.T.  itamar@maxnm.com
Fingerprint = D365 7BE8 B81E 2B18 6534 025E D0E7 92DB E441 411C
Itamar Shtull-Trauring wrote:
What difference does it make if you do REQUEST.setVirtualRoot('/',1)?
This might actually solve most of my problems, since it deletes the parents I don't need from PARENTS. However, when I do this I can't view anything - it keeps raising Unauthorized. Setting the permissions to not acquire and be explicitly on does not help.
I guess I'd really like to know what the intended difference and uses of hard=0 and hard=1 are.

Evan, help?!

cheers,

Chris
Itamar Shtull-Trauring wrote:
All the objects in /websites/example are being catalogued with paths such as /websites/example/folder/myObject.
Using getPhysicalPath I hope and pray...
However, when I get the object's path using getpath(), it's not adjusted based on the virtual hosting settings - it's still /websites/example/folder/myObject, not /folder/myObject as it should be.
That's as expected. I guess there needs to be some discussion about what 'should' happen here. I reckon there should be a getVirtualPath as well as a getPath. Comments welcome...

For now, the workaround getobject().absolute_url() should work, but does mean loading the whole object into memory :-(

cheers,

Chris
Itamar Shtull-Trauring wrote:
The breadcrumbs in the folder management screen (e.g. "/ folder1 / folder2") still show the "/ websites / example", with links, when using the virtual hosting. That is, the management interface shows folders that we are not supposed to be able to access when we are using virtual hosting.
Well, the breadcrumbs use the following DTML:

    at /<dtml-var expr="tabs_path_info(SCRIPT_NAME, PATH_INFO)">

SCRIPT_NAME already makes me nervous, since it's on the deprecated list at:
http://www.zope.org/Members/michel/Projects/Interfaces/PublisherRequest

PATH_INFO is a REQUEST.environ thing, so it doesn't sound like a good idea either :-S

tabs_path_info() is defined in /lib/python/App/Management.py and /lib/python/OFS/PropertySheets.py

The recent CVS checkins on these files don't mention changes to do with the Traversal interface, so I wouldn't be surprised if these methods are old and broken WRT virtual hosting :-(

Out of interest, what happens if you click on the links-that-shouldn't-be-there?

cheers,

Chris

PS: MJ or Evan might have a better clue as to what's going on here...
Itamar Shtull-Trauring wrote:
When using virtual hosting, it is still possible to access the /websites folder, for example, using acquisition. So I can view the contents of one website from the other: www.example.com/websites/example2, and www.example2.com/websites/example.
I don't think this is a 2.2 issue. It has always been like this AFAIK... What you really want is a non-acquiring folder for the /example and /example2 folders. This shouldn't be too hard to implement :-S Does this sound like the right idea?

cheers,

Chris

PS: This shouldn't really be a security issue, it's more of a 'niceness' thing as the security stuff will still work as it should (unless, perhaps, you do domain-based authentication...) Sadly, that sort of thing seems to go right down the priority lists :-( (go see http://www.zope.org/standard_html_footer for another example...)
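Chris proposes a getVirtualPath beside getPath (for the ZCatalog paths in Problem 2) and a non-acquiring folder for Problem 4. The Python below is a stand-alone model added here, not code from the thread or from Zope: it keeps a constructed folder tree in nested dicts, imitates acquisition (look in the current folder, then each parent), and shows the one check that serves both problems, namely whether a physical path lies under the virtual root. Paths are tuples in the form getPhysicalPath() returns them; the tree contents and all function names are my own.

```python
# Constructed stand-alone model of virtual-host path handling; no Zope imports.
# Physical paths are tuples as getPhysicalPath() returns them,
# e.g. ('', 'websites', 'example', 'folder', 'myObject').

# Constructed folder tree standing in for the ZODB: dicts are folders,
# strings are leaf objects.
TREE = {
    'websites': {
        'example': {'folder': {'myObject': 'document'}},
        'example2': {'index_html': 'document'},
    },
}


def to_physical(path_str):
    """'/websites/example' -> ('', 'websites', 'example')."""
    return ('',) + tuple(p for p in path_str.split('/') if p)


def get_virtual_path(physical, virtual_root):
    """The getVirtualPath suggested in the thread: the path relative to the
    virtual root, or None when the object lies outside that root."""
    n = len(virtual_root)
    if tuple(physical[:n]) != tuple(virtual_root):
        return None
    return '/' + '/'.join(physical[n:])


def lookup(tree, physical):
    """Node at a physical path, or None if there is no such object."""
    node = tree
    for name in physical[1:]:
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node


def acquire(tree, context, name):
    """Zope-style acquisition: find `name` in `context` or in the nearest
    ancestor that has it; return the found object's physical path, or None."""
    for depth in range(len(context), 0, -1):
        container = tuple(context[:depth])
        node = lookup(tree, container)
        if isinstance(node, dict) and name in node:
            return container + (name,)
    return None


def traverse(tree, virtual_root, request_path, confine=True):
    """Resolve a request path starting at the virtual root, acquiring as Zope
    does. With confine=True, a step whose result lies outside the virtual root
    is refused, which is the behaviour a non-acquiring site folder would give.
    Returns (status, physical_path_of_last_resolved_object)."""
    context = tuple(virtual_root)
    for name in [p for p in request_path.split('/') if p]:
        found = acquire(tree, context, name)
        if found is None:
            return ('NotFound', context)
        if confine and get_virtual_path(found, virtual_root) is None:
            return ('Unauthorized', found)
        context = found
    return ('OK', context)


if __name__ == '__main__':
    root = to_physical('/websites/example')              # www.example.com's virtual root
    catalog_path = '/websites/example/folder/myObject'   # what getpath() returns today
    print(get_virtual_path(to_physical(catalog_path), root))         # /folder/myObject
    print(traverse(TREE, root, '/websites/example2', confine=False))  # ('OK', ...) - the leak
    print(traverse(TREE, root, '/websites/example2'))                 # ('Unauthorized', ...)
```

With confine=False the model reproduces what Itamar sees: from www.example.com, the name "websites" is not in /websites/example, so acquisition finds it in the Zope root and /websites/example2 resolves. The same get_virtual_path() test that rewrites a catalog path for display is what refuses that step when confinement is on.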
From: Itamar Shtull-Trauring <itamar@maxnm.com>
Problem 1: HTTP and HTTPS (more of a proxypass issue)
=====================================================

I want to be able to serve both http and https versions of a site from Apache. Problem is, because of the way proxying works, there is no way for Zope to know if it is originally being accessed via http or https. My solution? Add a folder in the top level of Zope called "ssl". If we see our path as proxied by Apache is /ssl/websites/example, we know we are being accessed via SSL. Because of the magic of acquisition, this works, but it's still an ugly hack, and slows things down.
If you think that's an ugly hack, you'll probably hate what I do ;-)

I have Apache RewriteRules that look like these:

    RewriteRule ^/(.*) http://localhost:8080/_proxy/http/%{HTTP_HOST}/example/$1 [P,L]

(with https instead of http in secure virtual hosts, of course)

...and an Access Rule in my root folder (stack is the traversal stack):

    if stack and stack[-1] == '_proxy':
        stack.pop()
        base = "%s://%s" % (stack.pop(), stack.pop())
        request.setURL(base=base)
        request.set('SiteRootPATH', '/')

Finally, I have blank SiteRoots in my site folders.
Problem 2: ZCatalog
===================

All the objects in /websites/example are being catalogued with paths such as /websites/example/folder/myObject. However, when I get the object's path using getpath(), it's not adjusted based on the virtual hosting settings - it's still /websites/example/folder/myObject, not /folder/myObject as it should be.
This is one of the many ZCatalog problems that Chris P. is now valiantly tackling.
Problem 3: Management interface
===============================

The breadcrumbs in the folder management screen (e.g. "/ folder1 / folder2") still show the "/ websites / example", with links, when using the virtual hosting. That is, the management interface shows folders that we are not supposed to be able to access when we are using virtual hosting.
As Chris Withers points out, this is due to deprecated data passed in calls to tabs_path_info. I'll see that it gets fixed.
Problem 4: Access to other virtual hosts (security issue?)
==========================================================

When using virtual hosting, it is still possible to access the /websites folder, for example, using acquisition. So I can view the contents of one website from the other: www.example.com/websites/example2, and www.example2.com/websites/example.
Unless this is a real security concern for you, and can't be addressed within the standard Zope security framework, I wouldn't worry about it. As you noticed, the optional 'hard' parameter to setVirtualRoot was a weak stab in this direction, but I never spent enough time on it to really get it working. That would involve (at least) providing some kind of replacement Application instance to root acquisition in.

Cheers,

Evan @ digicool & 4-am
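Both rules in this thread (Itamar's /ssl/ prefix and Evan's _proxy/<scheme>/<host>/ prefix) recover the original scheme from path elements that Apache prepends, and Evan's rule then builds the site's base URL straight from those elements. The Python below is a stand-alone model added here, not code from the thread or from Zope or Apache: it builds the traversal stack in ZPublisher's order (next element at the end of the list, as Evan's stack[-1] check implies), consumes the prefix the way his rule does, and adds one thing his rule does not have, an allow-list check of the scheme and host so that a malformed or unexpected prefix is rejected instead of becoming the base URL. rewrite_target() only imitates what the RewriteRule produces; KNOWN_HOSTS and all function names are my own.

```python
# Constructed stand-alone model of the "_proxy/<scheme>/<host>/..." access rule
# from the thread. No Zope imports: the traversal stack is a plain list kept in
# ZPublisher's order, with the NEXT path element at the END of the list.

ALLOWED_SCHEMES = ('http', 'https')

# Assumed configuration (not from the thread): the hostnames Apache fronts for.
KNOWN_HOSTS = frozenset(['www.example.com', 'www.example2.com'])


class ProxyPrefixError(ValueError):
    """Raised when a _proxy prefix is present but malformed or not allowed."""


def rewrite_target(http_host, scheme, site_folder, rest):
    """Imitate what the Apache RewriteRule produces for one request:
    ^/(.*) -> http://localhost:8080/_proxy/<scheme>/%{HTTP_HOST}/<site>/$1"""
    return 'http://localhost:8080/_proxy/%s/%s/%s/%s' % (scheme, http_host, site_folder, rest)


def traversal_stack(path):
    """Build the traversal stack the way ZPublisher does: path elements, reversed."""
    parts = [p for p in path.split('/') if p]
    parts.reverse()
    return parts


def consume_proxy_prefix(stack, known_hosts=KNOWN_HOSTS):
    """If the stack begins with _proxy/<scheme>/<host>, pop those three elements
    and return the base URL; otherwise return None and leave the stack alone.
    Unlike the rule in the thread, scheme and host are checked against an
    allow-list before they are used to build the base URL."""
    if not stack or stack[-1] != '_proxy':
        return None
    if len(stack) < 3:
        raise ProxyPrefixError('incomplete _proxy prefix')
    scheme, host = stack[-2], stack[-3].lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ProxyPrefixError('unexpected scheme %r' % scheme)
    if host not in known_hosts:
        raise ProxyPrefixError('unexpected host %r' % host)
    del stack[-3:]
    return '%s://%s' % (scheme, host)


def resolve(path, known_hosts=KNOWN_HOSTS):
    """Simulate the access rule on a path as ZServer receives it.
    Returns ('ok', base_url, remaining_path) when a valid prefix was consumed,
    ('direct', None, path) when there was no prefix, or ('rejected', reason, path)
    when the prefix failed validation."""
    stack = traversal_stack(path)
    try:
        base = consume_proxy_prefix(stack, known_hosts)
    except ProxyPrefixError as err:
        return ('rejected', str(err), path)
    remaining = '/' + '/'.join(reversed(stack))
    return ('ok' if base else 'direct', base, remaining)


if __name__ == '__main__':
    proxied = rewrite_target('www.example.com', 'https', 'example', 'folder/doc')
    path = proxied[len('http://localhost:8080'):]
    print(resolve(path))   # ('ok', 'https://www.example.com', '/example/folder/doc')
    print(resolve('/_proxy/https/other.example.org/example'))   # ('rejected', ...)
```

The remaining path that comes back is what the site folder's own traversal then sees, so the /example site folder can stay a blank SiteRoot as Evan describes. The allow-list is the part worth keeping: the base URL ends up in every generated link, so it should only ever be one of the scheme/host pairs the front-end proxy is actually configured for.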
participants (3)
- Chris Withers
- Evan Simpson
- Itamar Shtull-Trauring