Yes, the point would be to be able to do this with ZServer and not Apache. Lacking an Apache server, and wanting to dump IIS, I opted for a ZServer only solution.

Alan

-----Original Message-----
From: Jonathan (Listserv Account) [mailto:listsmurf@ur.nl]
Sent: Wednesday, March 21, 2001 4:17 AM
To: zope@zope.org
Subject: RE: [Zope] Virtual Hosting configuration for Zope

I might be missing something here, but isn't it easier to use just Virtual Host Monster in Zope (add once), configure Apache with ProxyPass and the stuff needed for mass virtual hosting and be done with it?
Is this for an intranet application or something exposed to the raw internet? IMO ZServer's http implementation isn't sufficiently robust to be exposed directly to untrusted clients.

On Thu, 22 Mar 2001 09:32:21 -0600, "Capesius, Alan" <CapesiusA@Sysmex.com> wrote:
> Yes, the point would be to be able to do this with ZServer and not Apache. Lacking an Apache server, and wanting to dump IIS, I opted for a ZServer only solution.

Toby Dickenson tdickenson@geminidataloggers.com
On 22 Mar 2001 16:17:24 +0000, Toby Dickenson wrote:
> Is this for an intranet application or something exposed to the raw internet?
> IMO ZServer's http implementation isn't sufficiently robust to be exposed directly to untrusted clients.

Upon what do you base this?

Bill
On 22 Mar 2001 20:13:20 -0700, Bill Anderson <bill@libc.org> wrote:

(my apologies for the delayed reply)

> On 22 Mar 2001 16:17:24 +0000, Toby Dickenson wrote:
>> Is this for an intranet application or something exposed to the raw internet?
>> IMO ZServer's http implementation isn't sufficiently robust to be exposed directly to untrusted clients.
> Upon what do you base this?

There are a number of obvious but minor vulnerabilities. I'm sure they are all fixable, but they contribute to giving me a sense of caution.

For example the medusa http server buffers incoming http headers in memory using string concatenation, and does not place an upper limit on the total size of headers. A malicious http request containing a large number of headers is an effective denial-of-service attack; consuming memory equal to the size of the headers sent, and O(n^2) processor time (because of the concatenation).

[I hope this doesn't come across as FUD; this is the only aspect of Zope security that causes me any concern, and the easy fix (use of a front-end proxy) is recommended for other reasons too]

Toby Dickenson tdickenson@geminidataloggers.com
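
The unbounded header buffering described in the message above, beside a capped variant, as an added Python example that is not part of the thread and is not medusa or ZServer code. The class names, the 16 KiB cap and the sample chunks are assumptions made for illustration.

```python
# Added illustration with hypothetical names; not medusa/ZServer source.
MAX_HEADER_BYTES = 16 * 1024   # assumed cap, choose per deployment
TERMINATOR = b"\r\n\r\n"       # blank line that ends the header block


class HeadersTooLarge(Exception):
    """Caller should send an error response and close the connection."""


class UnboundedCollector:
    """Pattern from the message: concatenate on every read, never check size."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf = self.buf + chunk      # copies the whole buffer each time
        return TERMINATOR in self.buf    # and rescans all of it


class BoundedCollector:
    """Same interface, but memory and work per connection are capped."""
    def __init__(self, limit=MAX_HEADER_BYTES):
        self.limit = limit
        self.buf = bytearray()           # appends in place, no full copy

    def feed(self, chunk):
        # A terminator may straddle two reads, so back up three bytes.
        start = max(0, len(self.buf) - (len(TERMINATOR) - 1))
        self.buf += chunk
        end = self.buf.find(TERMINATOR, start)   # scan only the new bytes
        size = len(self.buf) if end == -1 else end + len(TERMINATOR)
        if size > self.limit:
            raise HeadersTooLarge(size)
        return end != -1


def collect(collector, chunks):
    """Feed chunks in order; True once the header block is complete."""
    for chunk in chunks:
        if collector.feed(chunk):
            return True
    return False


# Constructed sample input (not captured traffic).
NORMAL = [b"GET / HTTP/1.0\r\nHo", b"st: example.test\r", b"\n\r\n"]
FLOOD = [b"X-Pad: " + b"a" * 1000 + b"\r\n"] * 100   # never terminates
```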