Re: [Zope] ftp and virtual hosting question
At 18:36 11/03/2002 -0500, Jiann-Ming Su wrote:
I've configured virtual hosting with zope and apache per http://www.zope.org/Members/anser/apache_zserver. How do I configure zope so that users for each virtual host ftp right into the virtual host folder? Thanks for any tips.
If I understand your question, you are asking how to set up Apache to transparently proxy FTP connections to a Zope server, presumably with the objective of hiding the Zope FTP service behind Apache in the same way that you are hiding the Zope HTTP service.

Most of the published stuff about proxying Zope with Apache is about transparent proxying of HTTP requests to Zope and isn't, in my view, applicable to proxying FTP. I am fairly certain you cannot use ProxyPass/RewriteRule based transparent proxying by Apache for what you want. In this transparent proxying mode the ProxyPass/RewriteRule will only see HTTP requests. That would mean you had to get Apache to do something like rewriting the incoming HTTP URLs to the Apache server to FTP URLs it passes to the Zope server.

The problem is that I do not think that Apache can handle converting between the protocols in this way, dealing with the different responses involved etc. In a brief experiment with my Apache (version 1.3.14) the Apache child process crashes when I just try rewriting an incoming HTTP URL to an outgoing FTP URL with a RewriteRule; you may have a better experience if you try it.

You could configure your Apache server as a full, non-transparent, proxy server using 'ProxyRequest on' and use related directives to control its proxying activity. Then with the client browsers configured to explicitly direct FTP requests to the Zope server to the Apache proxy server, you could put the Zope FTP service behind the Apache-acting-as-a-full-blown-proxy server. This approach would also allow an otherwise unaddressable Zope server to be reached by clients, i.e. as long as Apache can access the Zope server it doesn't matter if the Zope server is not directly reachable or addressable by the client. But I suspect this is not what you are trying to achieve and may well mess up your user's browser proxy set up.

There are ways of dealing with this but it's all getting a touch complicated given where we started from. I guess it all depends on what you need to achieve and the price you are willing to pay in terms of effort. Best of luck.
-- Jiann-Ming Su jsu2@emory.edu 404-712-2603 Development Team Systems Administrator General Libraries Systems Division
On Tue, 2002-03-12 at 14:08, Richard Barrett wrote:
At 18:36 11/03/2002 -0500, Jiann-Ming Su wrote:
I've configured virtual hosting with zope and apache per http://www.zope.org/Members/anser/apache_zserver. How do I configure zope so that users for each virtual host ftp right into the virtual host folder? Thanks for any tips.
Apache and proxypass may not be the best route for you to research. Your best bet (if you are using linux, that is:) is to forward the incoming ftp traffic to the ftp port used by zserver (8021, on my laptop). This means you get to play around with IP Masquerade and other kernel networking schtuff: http://www.linux.com/howto/IP-Masquerade-HOWTO-6.html#Forwarders .. but it still may not solve your virtual-ftp problem.

Maybe you could investigate a combination of ProFTPd virtual ftp hosts? Or, depending on your needs, you could use ProFTPd to dump uploads into a directory that is accessed from Zope via either ExternalFile or ExtFile products, and then automate the 'upload' from filesystem to ZODB. http://www.proftpd.org/

Finally, you could also try WebDAV. Apache does translate WebDAV well through mod_dav, so you could try using apache VirtualHost and point it to certain directories on the WebDAV port of zserver (8081 on my laptop). I think WebDAV rocks the house (uses SSL too if you want it). That would be the first route of research for me; but your customers may demand ftp.

Ftp is a bad habit, like smoking cheap cigarettes. Move up to a big fat cigar, scp. http://www.openssh.org/

Hey, with a title like mine, I gotta say it. -;^>=

--
Mitch Pirtle
Corporate Security Officer
Kühne & Nagel Management AG
Tel: +41 1 786 96 45 Fax: +41 1 786 95 95
OFFTOPIC. On Tue, Mar 12, 2002 at 02:43:14PM +0100, Mitch Pirtle wrote:
Ftp is a bad habit, like smoking cheap cigarettes. Move up to a big fat cigar, scp.
I disagree. You can run ftp-over-securechannel. But FTP is still better than scp (if you meant scp). FTP, for example, supports "reget" - i.e. it can restore (continue) aborted download. Scp cannot do it.

Oleg.
--
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 02:43:14PM +0100, Mitch Pirtle wrote:
Ftp is a bad habit, like smoking cheap cigarettes. Move up to a big fat cigar, scp.
I disagree. You can run ftp-over-securechannel. But FTP is still better than scp (if you meant scp). FTP, for example, supports "reget" - i.e. it can restore (continue) aborted download. Scp cannot do it.
rsync ? bye, Jerome Alet
On Tue, Mar 12, 2002 at 03:05:42PM +0100, Jerome Alet wrote:
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 02:43:14PM +0100, Mitch Pirtle wrote:
Ftp is a bad habit, like smoking cheap cigarettes. Move up to a big fat cigar, scp.
I disagree. You can run ftp-over-securechannel. But FTP is still better than scp (if you meant scp). FTP, for example, supports "reget" - i.e. it can restore (continue) aborted download. Scp cannot do it.
rsync ?
Possible, but what are benefits of rsync over FTP? Oleg. -- Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru Programmers don't die, they just GOSUB without RETURN.
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 03:05:42PM +0100, Jerome Alet wrote:
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 02:43:14PM +0100, Mitch Pirtle wrote:
Ftp is a bad habit, like smoking cheap cigarettes. Move up to a big fat cigar, scp.
I disagree. You can run ftp-over-securechannel. But FTP is still better than scp (if you meant scp). FTP, for example, supports "reget" - i.e. it can restore (continue) aborted download. Scp cannot do it.
rsync ?
Possible, but what are benefits of rsync over FTP?
tunnelling over ssh or native rsync protocol
transparent compression
more easily scriptable
...

hth.
Jerome Alet
On Tue, Mar 12, 2002 at 03:14:26PM +0100, Jerome Alet wrote:
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 03:05:42PM +0100, Jerome Alet wrote:
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 02:43:14PM +0100, Mitch Pirtle wrote:
Ftp is a bad habit, like smoking cheap cigarettes. Move up to a big fat cigar, scp.
I disagree. You can run ftp-over-securechannel. But FTP is still better than scp (if you meant scp). FTP, for example, supports "reget" - i.e. it can restore (continue) aborted download. Scp cannot do it.
rsync ?
Possible, but what are benefits of rsync over FTP?
tunnelling over ssh or native rsync protocol
transparent compression
more easily scriptable
FTP, on the other hand, has the advantages:
1. Interactiveness (directory listing).
2. Well-established.
3. Simple to implement.
4. Already there (in the Zope :)

Oleg.
--
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 03:14:26PM +0100, Jerome Alet wrote:
tunnelling over ssh or native rsync protocol
transparent compression
more easily scriptable
FTP, on the other hand, has the advantages:
1. Interactiveness (directory listing).
ssh user@remote ls remote_directory
or :
rsync -e ssh user@remote:remote_directory
2. Well-established.
Depends on what you need to do; for most end users ftp is all we can ask of them, unfortunately...
3. Simple to implement.
I don't know.
4. Already there (in the Zope :)
You're right with this one.

The biggest advantage, IMHO, with rsync is that it doesn't need any new port opened if you tunnel it through ssh, so it's easier to secure a box. So the same ssh port will give you both complete remote control of the box and the rsync possibilities.

bye,
Jerome Alet
Jerome Alet wrote:
On Tue, 12 Mar 2002, Oleg Broytmann wrote:
On Tue, Mar 12, 2002 at 03:14:26PM +0100, Jerome Alet wrote:
tunnelling over ssh or native rsync protocol
transparent compression
more easily scriptable
FTP, on the other hand, has the advantages:
1. Interactiveness (directory listing).
ssh user@remote ls remote_directory
or :
rsync -e ssh user@remote:remote_directory
2. Well-established.
Depends on what you need to do; for most end users ftp is all we can ask of them, unfortunately...
Do you know winscp? I'm guessing you talk about mswin endusers here: http://winscp.vse.cz/eng/

cheers,
oliver
[snip]
FTP, on the other hand, has the advantages:
1. Interactiveness (directory listing).
2. Well-established.
3. Simple to implement.
4. Already there (in the Zope :)
Oleg.
FTP has its share of problems too. Is your FTP server (i.e., Zope) behind a firewall? Are your clients on a different network (like mine are) and behind their own firewall? Are you using active or passive FTP at the server? Can your clients use either? If your clients are all on the same network as your Zope server then everything can be fairly simple, but trying to secure your network and allow FTP access via the internet can be difficult. Also, FTP sends all password information in clear text. Unfortunately, just about every (so called) WYSIWYG HTML editor supports FTP. I have great hopes for webdav.

The interactiveness is nice, but as someone else pointed out, FTP isn't the only way to get that.

FTP is well established. So is telnet. That doesn't mean that I allow telnet connections into my network.

FTP can be simple to implement, especially on nearly all Linux boxes. This is actually part of the problem. WUFTP (which Redhat ships with) is seriously broken in terms of security. ProFTPd is better, is easy to configure for anyone familiar with Apache, and supports virtual hosting, but it's still not a perfect FTP solution.

Zope does have a built in FTP daemon, but I don't let any of my non-internal users connect to it.

I'm also not aware of a way to tunnel FTP through SSH. It's the nature of the protocol (multiple ports are used for a single client connection). Admittedly, I haven't tried very hard. If it is possible, I doubt I'd be able to get my users to use it (who are all used to 'publish' in Frontpage). Webdav (with SSL) looks very promising. If I thought I could get my users to learn to use scp that would be good too.

Jeff
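
The firewall and tunnelling difficulty raised in the message above comes from FTP negotiating a separate data-channel endpoint over the control channel, which also carries the password in clear text. The following is an added example, not part of any post in this thread: it audits a constructed control-channel transcript for both; the function name, the `C:`/`S:` line prefixes and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed control-channel transcript (not captured traffic). "C:" lines are
# sent by the client, "S:" lines by the server; addresses are documentation ranges.
SAMPLE = """\
S: 220 FTP server ready
C: USER host1user
S: 331 Password required
C: PASS example-secret
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: LIST
S: 226 Transfer complete
C: PORT 198,51,100,7,4,1
S: 200 PORT command successful
"""

# RFC 959 encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def audit_control_channel(transcript):
    """Return cleartext-credential exposure and negotiated data-channel endpoints."""
    findings = {"user": None, "password_in_clear": False, "data_channels": []}
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.strip().partition(" ")
        if side == "C" and verb.upper() == "USER":
            findings["user"] = arg
        elif side == "C" and verb.upper() == "PASS":
            # Record only that a password crossed the wire, not its value.
            findings["password_in_clear"] = True
        elif (side == "C" and verb.upper() == "PORT") or (side == "S" and verb == "227"):
            m = HOSTPORT.search(arg)
            if not m:
                continue  # malformed endpoint: nothing to report
            octets = [int(g) for g in m.groups()]
            if any(o > 255 for o in octets):
                continue  # out-of-range field, reject rather than mis-report
            mode = "active" if verb.upper() == "PORT" else "passive"
            # Active: server connects out to the client. Passive: client connects in.
            listener = "client" if mode == "active" else "server"
            findings["data_channels"].append(
                (mode, listener, ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]))
    return findings

if __name__ == "__main__":
    for key, value in audit_control_channel(SAMPLE).items():
        print(key, "=", value)
```

Each reported endpoint is a second TCP connection that a firewall has to permit and that a single forwarded port 21 does not carry.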
On Tue, 12 Mar 2002, Richard Barrett wrote:
The problem is that I do not think that Apache can handle converting between the protocols in this way, dealing with the different responses involved etc. In a brief experiment with my Apache (version 1.3.14) the Apache child process crashes when I just try rewriting an incoming HTTP URL to an outgoing FTP URL with a RewriteRule; you may have a better experience if you try it.
Actually, I wasn't expecting Apache to proxy ftp requests. I didn't know if there was a way for a Zope user to ftp into his "home" directory. That is, if I have an acl_users/ folder in /VirtualHost/Host1, how do I get a defined user for Host1 to ftp directly into /VirtualHost/Host1? Right now, I have to authenticate through the acl_users/ in the root folder, which gives me access to a bunch of other folders as well.

--
Jiann-Ming Su jsu2@emory.edu 404-712-2603
Development Team Systems Administrator
General Libraries Systems Division
participants (7)
- jeffr@odeon.net
- Jerome Alet
- Jiann-Ming Su
- Mitch Pirtle
- Oleg Broytmann
- Oliver Bleutgen
- Richard Barrett