Hello,
Has anyone tried to access Zope 2.9 via SSL? I've tried m2crypto, but this doesn't work with the newest zope. And I've tried to use stunnel, but I'm stuck with some problems - I cannot find the way to force zope to use https://xxx urls with chosen stunnel port number.
The easiest way is to use Apache, but I have reasons to not go that way.
Any clues?
Best regards,
Janusz
Janusz Zamecki wrote:
Hello,
Has anyone tried to access Zope 2.9 via SSL? I've tried m2crypto, but this doesn't work with the newest zope. And I've tried to use stunnel, but I'm stuck with some problems - I cannot find the way to force zope to use https://xxx urls with chosen stunnel port number.
The easiest way is to use Apache, but I have reasons to not go that way.
Any clues?
"Adding a SSL server (HTTPS) to Zope-2.9.0" http://www.zope.org/Members/lerouxa/zopehttps/ was released yesterday.
Michael
--
http://zope.org/Members/d2m http://planetzope.org
Janusz Zamecki wrote:
Has anyone tried to access Zope 2.9 via SSL? I've tried m2crypto, but this doesn't work with the newest zope.
*sigh* m2crypto needs a bullet in its brain. Use Apache (doing the SSL) in front of Zope, that's the standard and safest way to do it...
And I've tried to use stunnel,
Ugh!
The easiest way is to use Apache, but I have reasons to not go that way.
They better be good... care to tell us what they are?
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Wed February 15 2006 02:42, Janusz Zamecki wrote:
The easiest way is to use Apache, but I have reasons to not go that way.
If you don't want big Apache, lighttpd is small and has made a good SSL front-end proxy to Zope for me.
http://www.lighttpd.net/
-- Ron
Ron Bickers wrote:
On Wed February 15 2006 02:42, Janusz Zamecki wrote:
The easiest way is to use Apache, but I have reasons to not go that way.
If you don't want big Apache, lighttpd is small and has made a good SSL front-end proxy to Zope for me.
How many millions of people use this a day? SSL is not something you want to use unless the server has been really well battle tested...
Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On Thu February 16 2006 03:31, you wrote:
How many millions of people use this a day?
I have no idea. Far less than use Apache, of course, but the number appears to be growing steadily. http://trac.lighttpd.net/trac/wiki/PoweredByLighttpd has a short list of those that bothered to add their names, but that doesn't mean a whole lot and it doesn't say anything at all about the SSL implementation.
SSL is not something you want to use unless the server has been really well battle tested...
Both lighty and Apache use OpenSSL. I'm using it and haven't seen any battlefield casualties so far. ;-) Apache has its share of (even recent) security issues, including some related to mod_ssl.
Lighty seems to be fitting well for those that need a smaller, simpler server, which is why I mentioned it. I'll leave it as an exercise for the interested to determine if they want to use it.
-- Ron
Ron Bickers wrote:
Both lighty and Apache use OpenSSL.
Good point ;-)
I'm using it and haven't seen any battlefield casualties so far. ;-) Apache has its share of (even recent) security issues, including some related to mod_ssl.
Honestly, I see that as a good thing! It's a bit like the old "macs never get exploited" argument, it's not because there aren't exploits there, it's because not enough people use them for someone to stumble across them ;-)
Lighty seems to be fitting well for those that need a smaller, simpler server, which is why I mentioned it. I'll leave it as an exercise for the interested to determine if they want to use it.
True, and simplicity does often make for more security and so, while I'd stick with Apache for the reasons already mentioned, I retract my comment about lighttpd...
Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
On 2/16/06, Ron Bickers <rbickers-list-zope2@logicetc.com> wrote:
On Thu February 16 2006 03:31, you wrote:
How many millions of people use this a day?
I have no idea. Far less than use Apache, of course, but the number appears to be growing steadily.
The Netcraft survey for February counted 21699 instances of lighttpd; Zope was counted 41656 times:
http://survey.netcraft.com/Reports/200602/
The numbers are those seen by Netcraft during January.
--
Martijn Pieters
On Fri February 17 2006 04:32, Martijn Pieters wrote:
The Netcraft survey for February counted 21699 instances of lighttpd; Zope was counted 41656 times:
http://survey.netcraft.com/Reports/200602/
The numbers are those seen by Netcraft during January.
Lighttpd is barely three years old. It'll be interesting to see where these numbers are in another year.
I noticed that my lighttpd server that proxies to Zope responds as Zope/ZServer, not lighttpd. If I recall, Apache said Apache. There must be many more Zopes than Netcraft shows, right?
-- Ron
On 2/17/06, Ron Bickers <rbickers-list-zope2@logicetc.com> wrote:
I noticed that my lighttpd server that proxies to Zope responds as Zope/ZServer, not lighttpd. If I recall, Apache said Apache. There must be many more Zopes than Netcraft shows, right?
No, Zope behind Apache with ProxyPass also reports as Zope:
  $ HEAD www.pareto.nl
  200 OK
  [...]
  Server: Zope/(Zope 2.8.5-final, python 2.3.5, linux2) ZServer/1.1 Plone/Unknown
  [...]
Still, there are many intranet Zope sites, and Zope sites set up behind Apache and other servers in other ways (FastCGI, or simply not at the root of a site URL) for Netcraft to not count them as Zope setups, true. For example, Boston.com bakes their Zope-managed content to the filesystem and has several tiers of Apache and Squid servers serving their content:
  $ HEAD www.boston.com
  200 OK
  [...]
  Server: Apache/2.0.47 (Unix)
  [...]
  $ HEAD cache.boston.com/bonzai-fba/Globe_Photo/2006/02/17/1140170041_8639-1.jpg
  200 OK
  [...]
  Via: 1.1 arn.xpc-mii.net (MIIxpc/4.7 UNVERIFIED_CACHE_HIT Fri, 17 Feb 2006 10:16:21 GMT)
  Via: 1.1 ics_server.xpc-mii.net (ICS 2.2.64.208)
  [...]
  Server: Apache/1.3.14 (Unix)
  [...]
--
Martijn Pieters
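An added example, not part of the original thread: a small audit of what the Server and Via headers disclose, which is the check the message above does by eye. The header blocks are constructed, modelled on the quoted HEAD output; the host names and ExampleCache are placeholders, and disclosure_report is a hypothetical helper name.

```python
import re

# Constructed response headers, modelled on the HEAD output quoted in the thread.
SAMPLES = {
    "zope-behind-proxy": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Zope/(Zope 2.8.5-final, python 2.3.5, linux2) ZServer/1.1 Plone/Unknown\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "static-apache": "HTTP/1.1 200 OK\r\nServer: Apache/2.0.47 (Unix)\r\n\r\n",
    "cached-apache": (
        "HTTP/1.1 200 OK\r\n"
        "Via: 1.1 cache-a.example (ExampleCache/1.0)\r\n"
        "Via: 1.1 cache-b.example (ExampleCache/1.0)\r\n"
        "Server: Apache/1.3.14 (Unix)\r\n\r\n"
    ),
}

def parse_headers(raw):
    """Return {lowercased-name: [values]} so repeated headers (Via) are kept."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

# product/version tokens; the version may be a parenthesised group as ZServer sends it
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\([^)]*\)|\S+)")

def disclosure_report(raw):
    """Summarise which products and versions a response announces."""
    h = parse_headers(raw)
    server = " ".join(h.get("server", []))
    products = dict(TOKEN.findall(server))
    # second field of each Via value is the host that handled the response
    hops = [v.split()[1] for v in h.get("via", []) if len(v.split()) > 1]
    return {
        "products": products,
        "backend_exposed": any(p in products for p in ("Zope", "ZServer")),
        "proxy_hops": hops,
    }

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, disclosure_report(raw))
```

The first sample shows the case discussed in the thread: nothing in the response names the front-end proxy, while the back end's Zope and Python versions are announced to every client.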
On Fri February 17 2006 05:19, Martijn Pieters wrote:
On 2/17/06, Ron Bickers <rbickers-list-zope2@logicetc.com> wrote:
I noticed that my lighttpd server that proxies to Zope responds as Zope/ZServer, not lighttpd. If I recall, Apache said Apache. There must be many more Zopes than Netcraft shows, right?
No, Zope behind Apache with ProxyPass also reports as Zope:
Ok. I thought it was reporting Apache for me before, but I don't recall for sure. Does using mod_rewrite with [P] report the same?
-- Ron
Ron Bickers wrote:
On Fri February 17 2006 05:19, Martijn Pieters wrote:
...
Ok. I thought it was reporting Apache for me before, but I don't recall for sure. Does using mod_rewrite with [P] report the same?
Yes, and it's working internally identically :-)
Apache as frontend proxy returning Apache must be a common urban legend. This pops up from time to time albeit it's so easy to check and make sure ;-)
Regards
Tino
On Fri February 17 2006 14:05, Tino Wildenhain wrote:
Apache as frontend proxy returning Apache must be a common urban legend. This pops up from time to time albeit it's so easy to check and make sure ;-)
Except that I don't have Apache installed anymore. :-) I know at one time it did not report Zope, but that may have been way back before I was using mod_proxy.
I see that the ozzope.org Plone site reports Apache. So they must not be using mod_proxy, yes?
-- Ron
Ron Bickers wrote:
Except that I don't have Apache installed anymore. :-) I know at one time it did not report Zope, but that may have been way back before I was using mod_proxy.
I see that the ozzope.org Plone site reports Apache. So they must not be using mod_proxy, yes?
Probably both using (Fast/P)CGI... yurch!
Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Participants (6): Chris Withers, Janusz Zamecki, Martijn Pieters, Michael Haubenwallner, Ron Bickers, Tino Wildenhain