Various security aspects to Zope as an Internet HTTPD server ...
[ I am on the Digest, so please respond directly ]
[ to me @ mailto:b.j.smith@ieee.org,bjs@crc.com ]

I am looking at using Zope as a corporate Internet HTTPD service (i.e. as the main service people hit on the Internet). I am a Zope newbie, but have installed and used it on the port (i.e. 9673, NOT integrated with Apache). I have an idea of my basic configuration along with some security-oriented questions.

Proposed configuration:
-----------------------

A. Two servers, one in a DMZ behind a firewall and one on the internal corporate network, also behind the firewall (but on a different port not accessible from the outside).

B. Users would ONLY UPLOAD TO THE INTERNAL network server. Then, at an X periodical, the internal server's contents would be copied to the external server. So even if the external server's HTTPD site/contents are cracked/replaced, the data will be overwritten every X minutes with the clean/internal version (very simple to do -- something the FBI should have taken note of ;-).

C. Not sure if I should keep Zope on its own port (9673, with a simple redirect from Apache on port 80 (//sitename -> //sitename:9673)) or integrate it with Apache (security is the issue here).

D. Looking to use OpenBSD/i386 as the OS (on both systems, or at least the external server in the firewall DMZ).

Questions:
----------

1. Since Zope runs as a user-level service, does that make it any more secure than Apache? Or is it more secure to integrate it as a bunch of cgi-bin scripts under Apache? Or does anyone see an even more secure setup?

2. Available SSL support? Or is that the commercial Medusa (Zope+SSL) product from Digital Creations?

3. Anyone got Zope running under OpenBSD/i386? I really am aiming for the OpenBSD avenue since they are the best when it comes to finding security holes (don't need slick console-side interfaces like with Linux/FreeBSD/NT). If it runs under FreeBSD, it should run under OpenBSD, but just wanted to see if anyone was running it under OpenBSD (or FreeBSD for that matter).

Thanx in advance ...

-- 
Bryan "The BS" Smith
Software Engineer, FL-based Aerospace Company
and OpenSource developer/consultant

P.S. As a side-note, there are those FrontPage 98 weenies out there who "just-have-to-have" the FP98 extensions on the Apache server. Does that not create a security risk? I (as well as PCWeek) have found using Amaya (the W3C standard HTML 4.0 WYSIWYG) much better, and combined with Zope's built-in upload functionality (is that via the HTTP 1.1 protocol??? as well as 2.0 WebDAV support), there is NO REASON to have to support M$'s proprietary extensions on the same server as Zope. Any comments here??? I think even they are SOL on FP2000 since it REQUIRES an NT Server for publishing (no more Apache support?).

Bryan J. Smith                 mailto:b.j.smith@ieee.org,bjs@crc.com
Software Engineer              http://www.SmithConcepts.com/legal.html
===========================================================
"Microsoft's efforts to position Windows NT as an embedded operating system remind one of an elephant entering a track meet." -- PC Week's Peter Coffee