For anyone who may need it, here is a howto to get Zope working via SSL on a RAQ3. I found that the Proxy Server method has some problems and is not compatible with some Zope products. The FastCGI method has worked flawlessly with all the products which I have installed on it in the last few months. Enjoy...

The comments expressed in this email are my own and not necessarily those of my employer.

Installing Zope

First you need to create a user called Zope as it is not wise to run Zope as root for all sorts of reasons.

1. Log in to the Cobalt as root using an SSH2 client.
2. Type
     * adduser zope
3. Then type
     * passwd zope
4. Enter the zope user password, write it down and don't forget it.
5. Start a new SSL2 session but this time log in as user "zope".
6. In your local browser go to the Zope website http://www.zope.org .
7. Find the latest stable Linux distribution and find the URL for the binary download, copy the URL of the .tgz file to your clipboard.
8. Back in your zope SSL2 session, type
     * wget
   , spacebar, then press shift-insert key. This should paste the URL after wget. Press return.
9. This should now download Zope directly onto the Cobalt.
10. Type
     * tar zxf *.tgz
     * ln -s zope
    , press the TAB key, then spacebar then continue by typing
     * zope
    , then press return,
     * cd zope
     * ./install
11. Make a careful note of your admin password when it is displayed, otherwise you will be stuffed.
12. Now to test our shiny new Zope installation, type
     * ./start
13. After a pause it should come up with some encouraging words to say it's running.
14. Point your web browser at your Cobalt server and add :8080 at the end of the URL and you should see the Zope screen of life!
15. Go to the link saying Management screens, you should see a kind of directory structure.
16. Click on the folder called acl_users.
17. Click on Add.
18. Enter a name, like "support" or "superuser", enter a strong password and select the Role as being Manager.
19. Click on Add.
20. From now on, log in as this manager rather than admin.
21. On the left frame, click on the folder called Control Panel.
22. Shut down the Zope server with the button provided.

----------------------------------------------------------

UK2NET say that we should not mess with Apache or Sendmail in terms of re-compiling or upgrading the packages. As FastCGI is not included as standard how do we add it? Fortunately, modules can be added to Apache as modules, or DSOs, as they are referred to.

1. First we need to log on as root with SSH2, like we did in the previous Installing Zope phase.
2. Next we type
     * cd /usr/local/src
3. Point your web browser at the website http://www.fastcgi.com/ and copy the link location of the mod_fastCGI .tgz file.
4. Now in your root SSH2 session type wget then shift-insert and download that file.
5. Type (you may get some obscure warning when using apxs about it not finding Apache. I found this not to be a problem)
     * tar zxf mod*
     * cd mod_*_*
     * apxs -o mod_fastcgi.so -c *.c
     * apxs -i -a -n fastcgi mod_fastcgi.so
6. Now we need to edit the main httpd.conf file. To do this type
     * pico /etc/httpd/conf/httpd.conf
7. Scroll down until you see a line starting "LoadModule fastcgi_module" and make it say

    LoadModule fastcgi_module /usr/lib/apache/mod_fastcgi.so

8. Scroll down until you see a line starting "AddModule mod_fastcgi.c". Just to check it's there!
9. Scroll down to a line

    # Listen: Allows you to bind Apache to specific IP addresses and/or

   and just before it insert the following...

    #
    # Modified by <ME> xx/x/xx for Zope via FCGI
    #
    FastCgiIpcDir /tmp
    FastCgiExternalServer /home/sites/site1/web/Zope \
        -socket zope.soc \
        -pass-header Authorization
    <Location /Zope>
        SetHandler fastcgi-script
    </Location>

This assumes you want your Zope stuff to appear on the first website (site1) under a sub directory called "Zope". If not then change /home/sites/site1/web/Zope to something more appropriate.
To find out what site number your site is, have a look at /home/sites and do an "ls -l". You will see that the directories for the sites are actually soft links to site1, site2 etc.

1. Press CTRL-O then CTRL-X to save the file and exit Pico.
2. Type the following to restart Apache
     * /etc/rc.d/init.d/httpd restart

Hopefully you got no errors and if you type ps -aux you get some entries with /usr/sbin/httpd in them.

-----------------------------------------------------------------------

Zope to Apache

OK, we are going to do two things here. One is to get Zope to use FastCGI and the other is to get Zope to run as Zope but called from root as a background process. This will pave the way to the next step of getting zope to run as a daemon automatically. I am assuming that >= Zope 2.4 was installed.

1. Log in as root.
2. Type
     * cd /home/zope/zope
     * pico startd
3. In this blank file enter the following...

    #! /bin/sh
    reldir=`dirname $0`
    INST_HOME=`cd $reldir; pwd`
    export INST_HOME
    # -F: FastCGI socket that Apache connects to
    # -w -: no HTTP server on port 8080
    # -u zope: run as user zope
    exec /home/zope/zope/bin/python \
        $INST_HOME/z2.py \
        -F /tmp/zope.soc \
        -w - \
        -D "$@" \
        -u zope &

1. Press CTRL-O then CTRL-X to save and exit pico.
2. Type
     * chmod 755 startd
3. Now we test it. Type
     * ./startd

All being well after a few tens of seconds Zope should start and be visible under whatever your first Cobalt site name is under the sub directory Zope e.g. http://www.freddy.com/Zope. The start file also suppresses access to Zope on port 8080 with the -w - command so you can now only access it from Apache. Now we stop it by going to the Control Panel in Zope and shutting Zope down.

--------------------------------------------------------------------------

Making Zope run as a daemon

It is quite dangerous to add start-up scripts as they can easily hose Linux and prevent it from re-booting. This can be rescued on a desktop PC but when your Cobalt server is sat at an ISP with no other link to you than the internet, then making it un-bootable isn't really an option!
However, we can test the start/stop script before making it part of the system. I also modified the script I found on the web for Zope by putting in a time out so that if Zope doesn't start for any reason the script doesn't just sit there forever waiting for it.

1. Log in as root
2. Type pico /etc/rc.d/init.d/zope
3. Copy from this page and then paste (SHIFT-INSERT) into pico the following script...

    #!/bin/bash
    #
    # /etc/rc.d/init.d/zope
    #
    # Starts the zope daemon - by Markoer
    #
    # processname: zope

    # Source function library.
    . /etc/rc.d/init.d/functions

    case "$1" in
      start)
            # Check if zope is already running
            if [ ! -f /var/lock/subsys/zope ] ; then
                echo -n 'Starting zope daemon: '
                /home/zope/zope/startd 2> /dev/null
                # Wait up to 90 seconds for Zope to write its PID file
                i=0
                while [ $i -lt 90 ]; do
                    [ -f /home/zope/zope/var/Z2.pid ] && break
                    sleep 1 && echo -n "."
                    let i=i+1
                done
                if [ $i -ge 90 ] ; then
                    echo "Time out."
                    exit 1
                else
                    cat /home/zope/zope/var/Z2.pid > /var/lock/subsys/zope
                    touch /var/lock/subsys/zope
                    cat /home/zope/zope/var/Z2.pid > /var/run/zope.pid
                    touch /var/run/zope
                    echo " OK"
                fi
            else
                echo "zope already running."
            fi
            echo
            ;;
      stop)
            echo -n 'Stopping zope daemon: '
            [ -f /home/zope/zope/var/Z2.pid ] && kill `cat /home/zope/zope/var/Z2.pid`
            rm -f /var/lock/subsys/zope
            rm -f /home/zope/zope/var/Z2.pid
            rm -f /home/zope/zope/var/pcgi.soc
            rm -f /home/zope/zope/var/Data.fs.lock
            rm -f /home/zope/zope/var/zProcessManager.pid
            echo " OK"
            echo
            ;;
      reload|restart)
            $0 stop
            $0 start
            ;;
      status)
            if [ -f /home/zope/zope/var/Z2.pid ] ; then
                cat /home/zope/zope/var/Z2.pid > /var/lock/subsys/zope
                touch /var/lock/subsys/zope
                cat /home/zope/zope/var/Z2.pid > /var/run/zope.pid
                touch /var/run/zope
                echo "zope (pid `head -1 /var/run/zope.pid`) is running..."
            else
                echo "zope not running."
            fi
            ;;
      *)
            echo "Usage: /etc/rc.d/init.d/zope {start|stop|restart|reload|status}"
            exit 1
    esac

1. Type
     * chmod 755 /etc/rc.d/init.d/zope
2. Now we test it. Type
     * /etc/rc.d/init.d/zope restart

Yes, that's right, restart.
After a few seconds it should acknowledge that Zope has started, otherwise it will either time out after 90 seconds or appear to start immediately. OK, we've proved our point so just type
     * /etc/rc.d/init.d/zope stop

Note that if Zope doesn't compile it just won't start but you won't know why. If you add a Zope product and it breaks Zope you will have to just use the start and stop commands in the /home/zope/zope directory as user "zope" and get Zope running on port 8080 to see the compile error messages. Once it is OK you can start zope as a daemon again.

If all has gone well so far we are ready to build zope into the run levels so that it gets started and stopped with the other daemons. Type the following lines, or better still, copy and paste them (paste=SHIFT-INSERT) into your root SSH2 session...
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc0.d/K78zope
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc1.d/K78zope
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc2.d/S78zope
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc3.d/S78zope
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc4.d/S78zope
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc5.d/S78zope
     * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc6.d/K78zope

Now reboot your server via the Cobalt admin web interface and pray! You should see Zope running when the server comes back up.

----------------------------------------------------------------------------

Set up SSL

There are three motivations for making Zope work through Apache on Zope,

1. To get Zope to listen on Port 80 instead of 8080,
2. To get Zope integrated into an Apache web site,
3. To get the advantages of Apache features such as SSL.

First it might be an idea to get SSL working on Apache. This is done through the standard Server and Site administration pages as per the instruction manual. I used a self-generated certificate because I am not using the server for credit card transactions and I am not paying £££ just to make a silly browser warning message disappear.
SSL is simply being used to protect usernames, passwords and against casual eavesdroppers. This site is an extranet. When the site has SSL enabled you should find that you can access Zope via http:// or https://. Once in https:// mode any links in the page will automatically have https:// in them if they are to the same site. This is the way Cobalt/Apache does things. If we want to enforce SSL then we can get Zope to insert https:// before any links. There is a Zope product for this.

1. Log in using SSH2 as user "zope".
2. Go to the Zope site and look for the downloadable product called SSLAbsoluteURL
3. Wget the product into your zope directory.
4. Untar it (tar zxf SSL*)
5. Now we have to move it to the correct place. Type
     * mv SSLAbsoluteURL zope/lib/python/Products/
6. Access Zope from your web browser and go to the Management screens logged in as the superuser.
7. Click on the Control_Panel folder in the left frame.
8. Click on the Restart Zope button.
9. When Zope comes back on line, go back into the Management screens and in the right frame select the Properties tab.
10. Add a new property called "SSL" as a Boolean type.
11. Set the SSL value to "ticked".
From now on do not place any objects in the root folder of Zope, rather create sub folders to put things in. SSL doesn't work on the root folder. When you link to anything in these sub folders make sure that the link either starts with https:// or comes from a page already in https:// mode.
That's it folks! Thank you for tuning in and merry Zope'ing!
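
Added example, not part of the original post: the stop) branch of the init script runs, as root, kill on whatever /home/zope/zope/var/Z2.pid contains, and that file sits under the zope account's home directory. The functions below (hypothetical names; Linux /proc, coreutils stat and a numeric UID argument are assumptions) check the file's content and the target process's owner before signalling.

```sh
#!/bin/sh
# Added example: validate a PID file before a root-run init script signals
# the process it names. Function names are hypothetical.

# pid_from_file FILE
# Prints the first field of FILE's first line if it is a decimal PID > 1.
# Rejects symlinks, missing files, empty files and non-numeric content.
pid_from_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    pid=''
    read -r pid rest < "$1" || [ -n "$pid" ] || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # "kill 0" would signal the caller's own process group, PID 1 is init.
    [ "$pid" -gt 1 ] || return 1
    printf '%s\n' "$pid"
}

# pid_owned_by PID UID
# Succeeds only if PID is alive and /proc reports it as owned by UID.
pid_owned_by() {
    owner=$(stat -c %u "/proc/$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}

# safe_stop FILE UID
# Sends TERM only when both checks pass. The check and the kill are not
# atomic, so this narrows the window for PID reuse rather than closing it.
safe_stop() {
    pid=$(pid_from_file "$1") || { echo "bad pid file: $1" >&2; return 1; }
    pid_owned_by "$pid" "$2" || {
        echo "pid $pid is not owned by uid $2" >&2
        return 1
    }
    kill "$pid"
}

# Usage inside the stop) branch, with the paths from the post:
#   safe_stop /home/zope/zope/var/Z2.pid "$(id -u zope)"
```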
"Blandford, Simon [BSS Audio UK]" wrote:

> For anyone who may need it, here is a howto to get Zope working via SSL on a RAQ3. I found that the Proxy Server method has some problems and is not compatible with some Zope products.

Really? Which ones?

> The comments expressed in this email are my own and not necessarily those of my employer.

Might be best to stick this on zope.org somewhere too...

cheers,

Chris

participants (2): Blandford, Simon [BSS Audio UK]; Chris Withers