Hi,
I am writing a thesis about the security of Zope and have these questions. I am wondering if this is the right place to ask. Is Zope behind Apache the only solution to provide SSL connection to Zope? If not, what are the other options? Has there been any work on making Zope able to handle SSL itself? If not, why is it hard to?
Kindest regards,
~Meitham
--On 11. Januar 2007 17:07:37 +0000 Meitham Jamaa <meithamj@gmail.com> wrote:
> Hi,
> I am writing a thesis about the security of Zope and have these questions. I am wondering if this is the right place to ask.
> Is Zope behind Apache the only solution to provide SSL connection to Zope?

That's the recommended and "best-practice" solution (besides using Squid).

> If not, what are the other options? Has there been any work on making Zope able to handle SSL itself? If not, why is it hard to?

There are patches for ZServer available; however, that's not the recommended solution.
-aj
zope-bounces@zope.org wrote on 01/11/2007 12:07:37 PM:
> Hi,
> I am writing a thesis about the security of Zope and have these questions. I am wondering if this is the right place to ask.
> Is Zope behind Apache the only solution to provide SSL connection to Zope?

No, but it is the most common setup. Zope is believed to be very secure, but it has had, in no way, the amount of exposure, and thus battle-hardening, that Apache has. Moreover, using another web server in front of Zope has other benefits:
1) Static content can usually be displayed faster using a system tuned for static content, rather than one tuned for dynamic content.
2) URL-rewriting makes it possible to transparently distribute site content to multiple Zope versions or multiple machines.
3) In some circumstances, the front-end webserver can provide caching services, reducing the load on the Zope portion.

> If not, what are the other options?

Note: any SSL proxy can be used. Apache is just common, and does URL-rewriting.

> Has there been any work on making Zope able to handle SSL itself?

It has been done in the past. I don't think that there is a current patch available.

> If not, why is it hard to?

Not particularly hard. You just don't get the other side-benefits.
jim penny
On Thu, Jan 11, 2007 at 12:25:26PM -0500, JPenny@ykksnap-america.com wrote:
> zope-bounces@zope.org wrote on 01/11/2007 12:07:37 PM:
> > Hi,
> > I am writing a thesis about the security of Zope and have these questions. I am wondering if this is the right place to ask.
> > Is Zope behind Apache the only solution to provide SSL connection to Zope?
> No, but it is the most common setup. Zope is believed to be very secure, but it has had, in no way, the amount of exposure, and thus battle-hardening, that Apache has.
> Moreover, using another web server in front of Zope has other benefits:
> 1) Static content can usually be displayed faster using a system tuned for static content, rather than one tuned for dynamic content.
> 2) URL-rewriting makes it possible to transparently distribute site content to multiple Zope versions or multiple machines.
> 3) In some circumstances, the front-end webserver can provide caching services, reducing the load on the Zope portion.

I would add 4) the front-end server can provide "sanitizing" of requests from buggy or malicious clients. A search of the mail archives will find many people advising the same thing. I recently experienced it myself. I wasted a lot of time recently trying to find out why Zope was leaking memory on XML-RPC requests *only* from a certain client. The leak was small, but under load, Zope would exhaust the system's memory after a few days. I could never determine the cause, nor could I provoke the leak with other clients. Then one day, the client switched from one Java XML-RPC library (an old version of the Apache xmlrpc library) to another (Redstone, I think), and immediately the symptom stopped. Zope's memory usage became quite stable. Nothing else was changed. A good, battle-tested reverse proxy in front of Zope should help protect against that kind of thing.
-- 
Paul Winkler
http://www.slinkp.com
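The setup the replies above describe (Apache terminating SSL in front of ZServer, serving static files itself, caching, and rejecting malformed requests before Zope sees them) as one Apache configuration. This is an added example written for this page; it is not from the thread, from Zope's documentation or from any of the posters. It assumes ZServer listens on 127.0.0.1:8080, that a VirtualHostMonster exists in the Zope root (it does by default in Zope 2), that static files live in /srv/www/static, and that mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http, mod_expires and mod_cache with its disk backend are loaded. The host name and certificate paths are placeholders.

```apache
# Added example, not from the thread: Apache as SSL-terminating reverse
# proxy for Zope. Placeholders: www.example.org, certificate paths,
# /srv/www/static. Assumes ZServer on 127.0.0.1:8080 and a
# VirtualHostMonster in the Zope root.

# Plain HTTP is never proxied to Zope; it only redirects to HTTPS.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # 4) "Sanitizing": Apache parses the request first and drops
    # oversized bodies, headers and request lines, and slow clients,
    # before a single byte reaches ZServer.
    LimitRequestBody      10485760
    LimitRequestFieldSize 8190
    LimitRequestLine      8190
    Timeout 60

    # 1) Static content comes straight from disk and never hits Zope.
    # (On Apache 2.2 replace "Require all granted" with
    # "Order allow,deny" and "Allow from all".)
    Alias /static /srv/www/static
    <Directory /srv/www/static>
        Options -Indexes
        Require all granted
        ExpiresActive On
        ExpiresDefault "access plus 1 day"
    </Directory>

    # 3) Cache proxied responses that Zope marks as cacheable.
    CacheEnable disk /
    CacheRoot /var/cache/apache2/mod_cache_disk

    # 2) URL rewriting: everything except /static is proxied to Zope,
    # wrapped in the VirtualHostMonster path so that Zope builds its
    # absolute URLs with https and the public host name instead of
    # http://127.0.0.1:8080. ProxyRequests stays off: this is a reverse
    # proxy only, not an open forward proxy.
    ProxyRequests Off
    RewriteEngine On
    RewriteRule ^/static - [L]
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/www.example.org:443/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

With this in place, ZServer should be bound to the loopback address only (or firewalled), so that the only path to Zope is through the proxy; otherwise the request limits above can be bypassed by talking to port 8080 directly. The VirtualHostBase/VirtualHostRoot segments are the standard VirtualHostMonster syntax; the port in that path (443) is what Zope will put into generated URLs, so it must match the port Apache actually serves on.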
Participants (4): Andreas Jung, JPenny@ykksnap-america.com, Meitham Jamaa, Paul Winkler