[Zope] Reasons for Apache?? SSL?? (was "Running Mailman CGI under Zope ZServer")
Cees de Groot
cg@cdegroot.com
18 Nov 2000 11:26:36 +0100
Joachim Werner <joe@iuveno.de> said:
>Apache can then also be used to serve
>static parts of your web site, like large documents or images. Also, Apache
>can be used to cache Zope requests.
>
I use Squid, not Apache as a reverse web proxy in front of Zope. I did a bit
of testing, and you can very well serve your static content from Zope in this
setup - I am planning to assign caching control properties to parts of the
document structure and make Zope 'kick' Squid for a refresh when cached
documents are edited. Initial experiments got me 500 requests per second
on cached documents - Zope wasn't touched at all.
>Regarding your problem: Set up a simple packet filter firewall (most Linux
>distros have scripts for that, e.g. SuSE has "firewals") and don't allow
>access to port 8080.
>
Something like
% ipchains -A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
should totally block port 8080. If you work from 1.2.3.4, you can do:
% ipchains -I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
and your machine is the only one that can get to this port. If you want
to have this done automagically, create /etc/ipchains.conf:
% cat >/etc/ipchains.conf <<EOF
-I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
EOF
and execute '/sbin/ipchains-restore </etc/ipchains.conf' from
/etc/rc.d/boot.local (or similar).
Disclaimers: I haven't tested these rules; you should have a kernel that does
packet filtering; you're not worth the root password if you let someone else
tell you firewalling rules without understanding /exactly/ what they do ;-)
--
Cees de Groot http://www.cdegroot.com <cg@cdegroot.com>
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD 1986 F303 937F E098 9E8B
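
Added example, not part of the original post: a small Python model of first-match rule evaluation for the two port 8080 rules above (written with ipchains' lowercase -s source option), showing why the ACCEPT for 1.2.3.4 has to sit ahead of the blanket REJECT. The function names, the 198.51.100.7 and 192.0.2.10 addresses and the default ACCEPT chain policy are assumptions made for the illustration; only the rule syntax used in the post is parsed.

```python
import ipaddress

def to_net(text):
    addr, _, mask = text.partition("/")  # ipchains accepts 0/0 for "any"
    addr = "0.0.0.0" if addr == "0" else addr
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)

def parse_rule(line):
    """Parse '-I|-A chain -s net -d net [port] -p proto -j target'."""
    tok = line.split()
    rule = {"op": tok[0], "src": to_net("0/0"), "dst": to_net("0/0"),
            "dport": None, "proto": None}
    i = 2
    while i < len(tok):
        flag, value = tok[i], tok[i + 1]
        i += 2
        if flag == "-s":
            rule["src"] = to_net(value)
        elif flag == "-d":
            rule["dst"] = to_net(value)
            if i < len(tok) and tok[i].isdigit():  # port follows the address
                rule["dport"] = int(tok[i])
                i += 1
        elif flag in ("-p", "-j"):
            rule["proto" if flag == "-p" else "target"] = value
        else:
            raise ValueError(f"unsupported option: {flag}")
    return rule

def build_chain(lines):
    """-I puts a rule at the head of the chain, -A at the tail."""
    chain = []
    for rule in map(parse_rule, lines):
        if rule["op"] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, src, dport, dst="192.0.2.10", proto="tcp", policy="ACCEPT"):
    """First matching rule decides; otherwise the assumed chain policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if (s in r["src"] and d in r["dst"] and r["proto"] in (None, proto)
                and r["dport"] in (None, dport)):
            return r["target"]
    return policy

POSTED = ["-I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT",  # from the post
          "-A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT"]
```

Because -I inserts at the head, the file order of the two lines does not matter; appending both with -A and the REJECT first would lock 1.2.3.4 out as well.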