I've spent some time looking through Zope.org for some enlightenment concerning how best to use Zope with SSL, but there are many different tutorials, with different answers. What does the list currently recommend about the following options:

* Is there a good patch for ZServer to support https directly, or should I run ZServer under Apache 2.0 with mod_ssl?
* Do I need to use the Zope.cgi script, and if not, how do I get around it?
* How is mod_proxy used with SSL, and how is this different from using mod_rewrite alone?
* Is it better to use Virtual Host Monsters or the "Site Access" product to serve different sites from the same Zope instance.

The various howtos and The Zope Book are all over the map on what to do in this case. I'm curious which solution performs best for multiple sites under one instance.

Thanks,
Rob
Rob Thorne wrote:
* Is there a good patch for ZServer to support https directly, or should I run ZServer under Apache 2.0 with mod_ssl?
...
* How is mod_proxy used with SSL, and how is this different from using mod_rewrite alone?
...
I'm curious which solution performs best for multiple sites under one instance.
mod_rewrite & mod_proxy used together to act as a gateway server for a ZServer instance bound to an unprivileged port on the loopback interface, is the preferred, and currently "best" way to use Zope[1]. If you set this scenario up, you will in the process use a VirtualHostMonster which is provided by the SiteAccess Product. Zope.cgi is, for all intents and purposes, a deprecated technique which should not be used with new Zope installations (and indeed, isn't included in the 2.7 code-base at all).

Adding mod_ssl to the picture isn't overly difficult, assuming you've read the documentation for mod_rewrite and VirtualHostMonsters. Loading mod_proxy is necessary because its presence enhances the abilities of mod_rewrite; you needn't use any of mod_proxy's directives directly.

--
Jamie Heilman http://audible.transient.net/~jamie/

[1] It is the preferred way, because it is the most performant. It is not the most secure, but you said you wanted performance.
Jamie,

Much thanks. Do you know of any good sample configurations for using mod_proxy and mod_rewrite? I've previously used Zope.cgi together with mod_rewrite, which works, but I suspect isn't efficient. Seeing an actual configuration would help, since I can look at the Apache directives and see how they actually work.

Regards,
Rob

Jamie Heilman wrote:
Rob Thorne wrote:
* Is there a good patch for ZServer to support https directly, or should I run ZServer under Apache 2.0 with mod_ssl?
...
* How is mod_proxy used with SSL, and how is this different from using mod_rewrite alone?
...
I'm curious which solution performs best for multiple sites under one instance.
mod_rewrite & mod_proxy used together to act as a gateway server for a ZServer instance bound to an unprivileged port on the loopback interface, is the preferred, and currently "best" way to use Zope[1]. If you set this scenario up, you will in the process use a VirtualHostMonster which is provided by the SiteAccess Product. Zope.cgi is, for all intents and purposes, a deprecated technique which should not be used with new Zope installations (and indeed, isn't included in the 2.7 code-base at all).

Adding mod_ssl to the picture isn't overly difficult, assuming you've read the documentation for mod_rewrite and VirtualHostMonsters. Loading mod_proxy is necessary because its presence enhances the abilities of mod_rewrite; you needn't use any of mod_proxy's directives directly.
Rob Thorne wrote:
Do you know of any good sample configurations for using mod_proxy and mod_rewrite?
Sample configurations just lead to people replicating each other's mistakes indefinitely; I'm not in the habit of giving them out when sober. Read the online docs (they have examples), learn the subject matter, and experiment.

http://zope.org/Documentation/Books/ZopeBook/2_6Edition/VirtualHosting.stx
http://httpd.apache.org/docs/mod/mod_rewrite.html

--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
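An added example, not part of the thread and not a configuration posted by any participant: the gateway arrangement discussed above (Apache with mod_ssl, mod_rewrite and mod_proxy in front of a ZServer on the loopback interface, routed through a VirtualHostMonster), with two sites served from one Zope instance. Host names, certificate paths, port 8080 and the Zope folders /sites/example and /sites/other are assumptions.

```apache
# Added example; not a configuration from the thread.
# Assumptions: mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http are loaded;
# ZServer listens only on 127.0.0.1:8080; a VirtualHostMonster exists in the
# Zope root; host names, certificate paths and the Zope folders
# /sites/example and /sites/other are placeholders.

# Apache is a gateway only, never a forward proxy for arbitrary URLs.
ProxyRequests Off

# Name-based hosts on port 80 (Apache 2.0/2.2 need this; 2.4 does not).
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    # Redirect plain HTTP to the TLS site so logins never travel in clear.
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    RewriteEngine On
    # VirtualHostBase/<scheme>/<host>:<port> tells the VirtualHostMonster the
    # URL the client used, so Zope generates https:// links.
    # <folder path>/VirtualHostRoot makes that Zope folder the site root.
    # [P] hands the rewritten URL to mod_proxy; no Proxy* directive is needed.
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.example.com:443/sites/example/VirtualHostRoot/$1 [P,L]
</VirtualHost>

# Second site served from the same Zope instance, plain HTTP.
<VirtualHost *:80>
    ServerName other.example.org
    RewriteEngine On
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/other.example.org:80/sites/other/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

TLS ends at Apache and the hop to ZServer is plain HTTP, which is why the ZServer port should be reachable only on the loopback interface.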
----- Original Message -----
From: "Rob Thorne" <rob@torenware.com>
To: <zope@zope.org>
Sent: Monday, September 22, 2003 6:44 AM
Subject: [Zope] Best Practice for Apache 2.0, Zope and SSL
I've spent some time looking through Zope.org for some enlightenment concerning how best to use Zope with SSL, but there are many different tutorials, with different answers. What does the list currently recommend about the following options:
* Is there a good patch for ZServer to support https directly, or should I run ZServer under Apache 2.0 with mod_ssl?
* Do I need to use the Zope.cgi script, and if not, how do I get around it?
* How is mod_proxy used with SSL, and how is this different from using mod_rewrite alone?
* Is it better to use Virtual Host Monsters or the "Site Access" product to serve different sites from the same Zope instance.
The various howtos and The Zope Book are all over the map on what to do in this case. I'm curious which solution performs best for multiple sites under one instance.
Thanks, Rob
I got problems with some pages when publishing Zope behind Apache 2: The content-length header is removed from Zope response, and in some situations, it's a problem (i.e. viewing a PDF URL with IE). It appears to be an Apache bug...

--Gilles
Rob Thorne wrote:
I've spent some time looking through Zope.org for some enlightenment concerning how best to use Zope with SSL, but there are many different tutorials, with different answers. What does the list currently recommend about the following options:
* Is there a good patch for ZServer to support https directly, or should I run ZServer under Apache 2.0 with mod_ssl?
Run Zope and proxy/rewrite to it from Apache with mod_ssl
* Do I need to use the Zope.cgi script, and if not, how do I get around it?
No, you don't need it.
* How is mod_proxy used with SSL, and how is this different from using mod_rewrite alone?
Pass, ask an Apache expert ;-)
* Is it better to use Virtual Host Monsters or the "Site Access" product to serve different sites from the same Zope instance.
VHM's are definitely the way to go...

cheers,

Chris
On Sun, Sep 21, 2003 at 09:44:06PM -0700, Rob Thorne wrote:
* Is there a good patch for ZServer to support https directly, or should I run ZServer under Apache 2.0 with mod_ssl?
<plug>
ZServerSSL, bundled with M2Crypto.
</plug>

I'm managing my remote Zopes using this. My as-yet unpublished code base does client cert authentication; and I'm hoping to hook up ZSyncer or something similar to keep my Zopes in sync. Think rsync-over-ssh-with-key-authentication.

Cheers.

--
Ng Pheng Siong <ngps@netmemetic.com>

http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
participants (5):
- Chris Withers
- Gilles Lenfant
- Jamie Heilman
- Ng Pheng Siong
- Rob Thorne