RE: [Zope] Major security flaw in Zope 2.3.2
You can just use a squid external redirector (jesred, pyredir, squirm, or custom) to get the same kind of thing out of Squid as you would expect from mod_rewrite; then, that means you are using the same mechanism for Zope virtual hosts as you are for URL rewriting. I'm not sure if Apache buys one anything more in the rewrite dept. The one catch is you likely have to use a custom redirector (or tweak the Python code in pyredir) if you want POST methods to be supported, but this is not too big of a deal.

The 2 squid caches in my setup are peers, sharing ICP connections over a dedicated network; I am working on setting up the second peer today. The boxes are balanced by a layer 4 switch (Intel 7140), which is set up for "OPR" mode, which sends incoming packets through the L4 switch, but outgoing packets directly out from the Squid boxes, bypassing the load-balancer. I'm trying to scale this whole infrastructure without creating a lot of latency...

The nice thing about this, is that it seems to be very clean conceptually for my company's infrastructure because, as a media company, we publish a lot of material out to the web - from several places: static files, Zope, CF, and PHP stuff. In order to support all that and have caching site wide (not just for Zope), it makes sense in my case to put Squid on the outside of the setup, closest to the user downloading content.

Sean

-----Original Message-----
From: Toby Dickenson [mailto:tdickenson@devmail.geminidataloggers.co.uk]
Sent: Thursday, June 07, 2001 3:49 AM
To: sean.upton@uniontrib.com
Cc: zope@zope.org
Subject: Re: [Zope] Major security flaw in Zope 2.3.2

On Wed, 06 Jun 2001 14:05:06 -0700, sean.upton@uniontrib.com wrote:
> I've never heard of putting squid _between_ apache and ZServer, but why not put squid on the outside of your system as to not create extra latency?
I've measured latency at moderate loads... for cache misses the difference is negligible, largely because Zope has a relatively high latency. If you have some pages that are:

* uncacheable, and
* latency-critical

then you could use mod_rewrite to send them directly to Zope (not via squid).

The advantages (for me) of putting Apache on the outside are virtual hosting, and using mod_rewrite to pull other back-end servers into Zope's URL namespace.
> I think squid is much more advanced than mod_proxy in terms of caching options and raw speed. I am currently setting up a ZEO cluster with nodes running ZServer sitting behind a pair of load-balanced squid caches
Interesting. Are you planning these two Squids to be independent, or peers?

Toby Dickenson
tdickenson@geminidataloggers.com
On Thu, 07 Jun 2001 12:59:29 -0700, sean.upton@uniontrib.com wrote:

So you have....

                            /---> PHP
               /---> Apache+----> Filesystem
    ----> Squid+----> Zope  \---> Others?

Where I have.....

                  /----> Filesystem
    ----> Apache+-----> Squid -----+-> Zope
                  \----------------/
> You can just use a squid external redirector (jesred, pyredir, squirm, or custom) to get the same kind of thing out of Squid as you would expect from mod_rewrite; then, that means you are using the same mechanism for Zope virtual hosts as you are for URL rewriting. I'm not sure if Apache buys one anything more in the rewrite dept.
You are right that mod_rewrite's capabilities are equivalent to a squid redirector. My configuration actually uses a squid redirector anyway (to dispatch between different Zope servers) so I am paying double the performance penalty :-(

Toby Dickenson
tdickenson@geminidataloggers.com
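
The redirector approach discussed in this thread, sketched as an added example (not code from either poster, and not pyredir): a custom Squid redirector that dispatches virtual hosts to different Zope servers and rewrites POST the same way as GET. It assumes the classic Squid 2.x redirector line format ("URL client-ip/fqdn ident method" in, rewritten URL or blank line out) and a Zope side using VirtualHostMonster-style URLs; the host names, backends and folder paths are constructed.

```python
import sys
from urllib.parse import urlsplit

# Constructed allow-list: public host -> (Zope backend, folder inside Zope).
# Hosts not listed are never forwarded to a Zope backend by this script.
VHOSTS = {
    "www.example.com": ("http://zope1.internal:8080", "/sites/www"),
    "news.example.com": ("http://zope2.internal:8080", "/sites/news"),
}
METHODS = {"GET", "HEAD", "POST"}  # POST is rewritten like any other method


def rewrite(line):
    """Return the rewritten URL for one request line, or "" for 'no change'."""
    fields = line.split()
    if len(fields) < 4:  # malformed line: answer blank, never crash the helper
        return ""
    url, _client, _ident, method = fields[:4]
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port or 80
    except ValueError:  # bad port or bracketed host in the URL
        return ""
    if parts.scheme != "http" or method.upper() not in METHODS:
        return ""
    if host not in VHOSTS:
        return ""
    backend, folder = VHOSTS[host]
    path = parts.path or "/"
    # Assumed VirtualHostMonster form, so Zope generates links for the public host.
    target = (f"{backend}/VirtualHostBase/http/{host}:{port}"
              f"{folder}/VirtualHostRoot{path}")
    if parts.query:
        target += "?" + parts.query
    return target


def main():
    # Squid keeps the helper running and expects exactly one reply line per request.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

What Squid does with a request the redirector leaves unchanged depends on the rest of squid.conf, so unknown hosts still need to be denied there.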