[Zope] ZServer ACL

sean.upton@uniontrib.com sean.upton@uniontrib.com
Tue, 21 Aug 2001 09:02:41 -0700


Are you suggesting that Zope be served through inetd (or, really, one of
its replacements)?  That is interesting...  

Another thing - Squid runs great on Solaris, according to some things I have
heard, but you would absolutely need to tweak TCP connection buffers and a
few other settings.  Solaris 7/8, by default, is tuned to be a workstation,
not a highly saturated server.  Linux 2.4, on the other hand, should run a
proxy well without tuning - provided you turn off TCP_ECN. ;)  This is why
our Squid proxies are Linux on Sun hardware...

Sean

-----Original Message-----
From: Jack Coates [mailto:jack@monkeynoodle.org]
Sent: Monday, August 20, 2001 8:23 PM
To: Todd Hepler
Cc: zope@zope.org
Subject: Re: [Zope] ZServer ACL


On Mon, 20 Aug 2001, Todd Hepler wrote:

> I'm relatively new to Zope and python.
>
> I have Apache with ProxyPass (port 80) set up on the same box as Zope
> with a VirtualHostMonster (port 8080). I want to make it so that
> clients cannot "go around" Apache and talk directly to port 8080, so
> I'm looking for a way to make Zope only accept requests that come from
> localhost (or a specified IP address). I can't find anything on
> zope.org related to ACLs of this nature or blocking access to ZServer
> based on IP address. Any ideas? I dug through the medusa and ZServer
> code, but the answer isn't jumping out at me.
>

Sean Upton already gave you some good answers -- but an additional
important step is to use Wietse Venema's TCP Wrappers to limit access
right there on the box.

The internet interface isn't the only unsafe one...

> I'm running Zope 2.4.0 with python 2.1.1 on solaris 2.7.
>
> Why would I want this? (you might ask)
>
> To scale, I want to be able to turn on caching in Apache, or replace
> Apache with squid. This won't improve performance if the pages that
> come out of Zope refer directly to port 8080. The clients would end up
> "going around" the cache.
>

You can also put squid in front of the Zope server in a transparent
acceleration mode -- look on LDP for a HOWTO. (should be valid on
Solaris).

> I know there are ways to make Zope generate appropriate URLs and thus
> not go around port 80, but I'm not interested in those solutions here.
> Even those solutions won't stop someone from hardcoding a reference to
> port 8080 in one of their pages. I want to simply shut off access to
> it in the first place so that if someone even tries it, they fail.
>
> Thanks,
> -todd
>
--
Jack Coates
Monkeynoodle: A Scientific Venture...
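
The source-address check Todd was looking for in the medusa/ZServer code, as an added example that is not from the original posts, Zope or medusa: an allow list of addresses or CIDR blocks is evaluated against the TCP peer address in the server's accept path, so a client that is not on the list is closed before a request line is ever read. It is plain Python 3 on the standard library (the thread's Zope 2.4 / Python 2.1 setup would need the same check ported into the ZServer channel); the handler class, the ports and the allow lists are hypothetical, and 192.0.2.0/24 (TEST-NET-1) is used only to show the reject path from loopback.

```python
"""Source-IP ACL enforced at the TCP accept layer.

Added example, not code from Zope, medusa or any poster in this thread.
The server, handler and allow lists are hypothetical.
"""
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class SourceIPACL:
    """Allow list of addresses/networks matched against the TCP peer address."""

    def __init__(self, allowed):
        # Entries may be single addresses ("127.0.0.1") or CIDR blocks
        # ("10.0.0.0/8"); strict=False tolerates host bits in a network.
        self.networks = [ipaddress.ip_network(a, strict=False) for a in allowed]

    def permits(self, peer_ip):
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False  # unparsable peer address: fail closed
        return any(addr in net for net in self.networks)


class OkHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the application behind the proxy."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, *args):
        pass  # keep the example quiet


class ACLHTTPServer(ThreadingHTTPServer):
    """HTTP server that consults the ACL before a request is parsed."""

    def __init__(self, addr, handler, acl):
        self.acl = acl
        super().__init__(addr, handler)

    def verify_request(self, request, client_address):
        # client_address is the kernel's view of the peer, not a header a
        # client can forge; returning False makes socketserver close it.
        return self.acl.permits(client_address[0])


def serve(allowed, host="127.0.0.1"):
    """Start a server on an ephemeral loopback port in a background thread."""
    srv = ACLHTTPServer((host, 0), OkHandler, SourceIPACL(allowed))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(server):
    """Send one GET over loopback; return the status line, or None when the
    server dropped the connection without answering (the rejected case)."""
    host, port = server.server_address[:2]
    try:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            data = s.recv(4096)
    except (ConnectionResetError, BrokenPipeError):
        return None
    return data.split(b"\r\n", 1)[0].decode() if data else None


def demo():
    """Both outcomes: an allow list containing 127.0.0.1 answers the request;
    one that does not (192.0.2.0/24, TEST-NET-1) closes it unanswered."""
    results = []
    for allowed in (["127.0.0.1"], ["192.0.2.0/24"]):
        srv = serve(allowed)
        try:
            results.append(fetch(srv))
        finally:
            srv.shutdown()
            srv.server_close()
    return tuple(results)


if __name__ == "__main__":
    print(demo())  # ('HTTP/1.0 200 OK', None)
```

Because the decision is made on the kernel-reported peer address inside the daemon, it holds whether the process is started directly or through inetd/tcpd, and it cannot be bypassed with a forged X-Forwarded-For header. In the setup Todd describes it belongs alongside binding the application port to 127.0.0.1 only, so that port 8080 never answers on the external interface at all and the ACL is the second line rather than the only one.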


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )