Learning Zope - Using Zope with Apache on RedHat 6.1

Author: Miklos Nemeth, nemeth@iqsoft.hu
Last modified: 1999.12.29

Why use Zope with Apache?

Zope installation is extremelly simple if you use ZServer. But if you want to use Zope with Apache, the installation procedure might be a nightmare. I fight nearly a half day to install Zope with Apache. This document describes the steps I used to install my Zope with my Apache.

Apache is mandatory if you want to build an SSL-secured website. ZServer does not support SSL at the moment. Apache is the number 1 webserver of the world and provides much more services than ZServer.

The configuration

I used RedHat 6.1, Apache 1.3.9 installed the standard RedHat way: (1) httpd.conf in /etc/httpd/conf, (2) document root directory: /home/httpd (owned by root) (3) the user/grout to run httpd: nobody/nobody (4) port: 80 (5) startup/shutdown script: /etc/rc.d/init.d/httpd

The first phase is to install Zope

  1. Change (ie. su) to root, and cd to /usr/local.
  2. Extract the Zope distribution file: tar xfz Zope-2.1.1-linux2-x86.tgz
  3. cd to Zope-2.1.1-linux2-x86
  4. run $ ./install -u nobody -g nobody If you do not specify "-u nobody and -g nobody" install will not set correctly the ownership of some files and directories. nobody/nobody will be set as the user for the files Zope.cgi, access, start, stop and the var directory and its contents.
  5. Try to remember (ie. jot down to a safe place) the password of the user "superuser". The password is printed on the screen by install.
  6. Copy the Zope.cgi into the directory /home/httpd/cgi-bin with "cp -p":cp -p Zope.cgi /home/httpd/cgi-bin. The -p option of the cp command is very important. The Zope.cgi should be owned by nobody even in the /home/httpd/cgi-bin directory.
  7. Start ZServer as nobody (if you are logged in as root): su nobody start. ZServer will use ports 8080, 8021, 8099. If these ports are in use on your system, you should explicitly specify port numbers for the start script (see the z2.py options -P, -w, -f, -m). It is crucial not to start ZServer as root, otherwise it creates the var/pcgi.soc file as root, and pcgi-wrapper (see later) will not have permission to open it as it will be run as nobody by Apache. You do not have to specify -p for the start script: PCGI is enabled by default. If you want to have some info about the available parameters for start, have a look at z2.py (start invokes the z2.py module). Later you may edit the start script as suggested by the "Gotchas for Zope Beginners" HOWTO.
  8. If you later wishes to stop ZServer, open a new terminal and invoke: su nobody /usr/local/Zope-2.1.1-linux2-x86/stop.

Editing /etc/httpd/conf/httpd.conf

The second phase is to edit /etc/httpd/conf/httpd.conf to force Apache passing authentication data to Zope.cgi
  1. As root edit httpd.conf, and add to the end the following lines: 
    RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^/Zope(.*) /home/httpd/cgi-bin/Zope.cgi$1
[e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
    The RewriteRule directives must be placed on a single line. For more info see "Gotchas for Zope Beginners".
  2. Restart (as root) your Apache server by: /etc/rc.d/init.d/httpd restart
  3. Start Netscape and type the URL: http://localhost/Zope. You will see the "Welcome to Zope" page. Click on the "management screen" link.
  4. You will be asked for a username and password. Type in "superuser" and the password you have jot down during the Zope install. If the user name and password are correct you will have the main Zope management page.
  5. You may connect to the management page directly by using the URL: http://localhost/Zope/manage.
  6. Notice that the root folder of your Zope site will be named Zope
  7. You may also connect to ZServer directly (avoiding PCGI): http://localhost:8080/manage. In this case the root folder will be unnamed.

Why the user nobody?

When Apache (ie. httpd) is started as root it opens the privileged ports (80, 443 (SSL)), opens the log files, and then stops acting as the potentially dangerous root and become nobody (as specified in httpd.conf). All CGI programs/scripts will be run as nobody. The Zope.cgi (see below) is also run by nobody. The simplest configuration is to run Zope as nobody, too. If you are an experienced UNIX administrator, and you understand how Apache and PCGI works, you may invent more complicated setups.

What is this Zope.cgi, and how does it work?

Zope.cgi is an executable file, but it is not a shell script to be executed by sh. If you look at the first line you will understand the trick: #!/usr/local/Zope-2.1.1-linux2-x86/pcgi/pcgi-wrapper That is, Zope.cgi will be run by pcgi-wrapper, when Apache starts Zope.cgi (as nobody -- remember!), if an URL requests to do so. pcgi-wrapper parses the content of Zope.cgi and tries to connect to a running server. An important directive is PCGI_SOCKET_FILE which points to /usr/local/Zope-2.1.1-linux2-x86/var/pcgi.soc. This file is used as a communication medium between pcgi-wrapper (invoked by Apache) and ZServer (started by the start script). Each time pcgi-wrapper started (as a normal CGI program) it connects to ZServer via the pcgi.soc socket file, transfers the HTTP request to ZServer, waits for the respose and returns data back to the Apache server. Note that ZServer is started once and runs forever, but PCGI is started each time a Zope request is received by Apache.

Why to use PCGI?

ZServer does not support SSL, which may be an important requirement in your case. Apache supports SSL (Apache+SSL or mod_ssl), and thus Zope may be used in secured communication with the help of PCGI.

What are the shortcomings of PCGI?

Other invaluable documents