[Zope] SSL and Apache

Paul Winkler pw_lists at slinkp.com
Thu Jan 11 16:44:12 EST 2007


On Thu, Jan 11, 2007 at 12:25:26PM -0500, JPenny at ykksnap-america.com wrote:
> zope-bounces at zope.org wrote on 01/11/2007 12:07:37 PM:
> 
> > Hi,
> > 
> > I am writing a thesis about the security of Zope and have these
> > questions. I am wondering if this is the right place to ask.
> > 
> > Is Zope behind Apache the only solution to provide SSL connection to 
> Zope?
> 
> No, but it is the most common setup.  Zope is believed to be very secure,
> but it has had, in no way, the amount of exposure, and thus 
> battle-hardening
> that Apache has.
> 
> Moreover using another web server in front of Zope has other benefits --
>   1)  Static content can usually be displayed faster using a system tuned
>       for static content, rather than one tuned for dynamic content.
>   2)  URL-rewriting makes it possible to transparently distribute
>       site content to multiple Zope versions or multiple machines.
>   3)  In some circumstances, the front-end webserver can provide caching
>       services, reducing the load on the Zope portion.

I would add 4) the front-end server can provide "sanitizing" of
requests from buggy or malicious clients.

A search of the mail archives will find many people advising the same
thing. I recently experienced it myself. I wasted a lot of time
recently trying to find out why Zope was leaking memory on XML-RPC
requests *only* from a certain client. The leak was small, but under
load, Zope would exhaust the system's memory after a few days. I could
never determine the cause, nor could I provoke the leak with other
clients.

Then one day, the client switched from one Java XML-RPC library (an
old version of the Apache xmlrpc library) to another (Redstone I
think), and immediately the symptom stopped. Zope's memory usage
became quite stable. Nothing else was changed.

A good, battle-tested reverse proxy in front of Zope should help
protect against that kind of thing.

--

Paul Winkler
http://www.slinkp.com
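The setup the thread keeps recommending (Apache terminating SSL, serving static files, rewriting through the VirtualHostMonster, and rejecting malformed or oversized requests before Zope sees them) looks roughly like the following. This is an added illustration, not configuration from the thread or from the Zope project; the host name www.example.com, the certificate and document paths, the cache directory, Apache 2.4 syntax, and a Zope instance listening on 127.0.0.1:8080 are all assumptions.

```apache
# Added example (not from the thread): Apache 2.4 reverse proxy in front of Zope.
# Assumptions: host www.example.com, certificates under /etc/ssl/zope/,
# static files under /var/www/static, Zope's HTTP server on 127.0.0.1:8080.
# Needs mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http, mod_reqtimeout,
# mod_cache and mod_cache_disk loaded.

# 1) Plain HTTP only redirects to HTTPS; nothing reaches Zope unencrypted.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    # 2) SSL terminates here; Zope itself speaks plain HTTP on localhost only.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/zope/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/zope/www.example.com.key
    SSLProtocol           all -SSLv2 -SSLv3
    SSLHonorCipherOrder   on

    # 3) "Sanitizing": reject oversized request lines/headers and bodies,
    #    and drop clients that dribble a request in too slowly, before any
    #    of it is handed to Zope. Body cap below is 10 MiB.
    LimitRequestLine      8190
    LimitRequestFieldSize 8190
    LimitRequestFields    100
    LimitRequestBody      10485760
    RequestReadTimeout    header=20-40,MinRate=500 body=20,MinRate=500

    # 4) Static content is served straight from disk, never proxied to Zope.
    Alias /static /var/www/static
    <Directory /var/www/static>
        Options -Indexes
        Require all granted
    </Directory>

    # 5) Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off
    ProxyTimeout  60

    # 6) Everything else goes to Zope through the VirtualHostMonster, so
    #    Zope builds https://www.example.com/... URLs instead of
    #    http://127.0.0.1:8080/... ones. /static/ is passed through to Alias.
    RewriteEngine On
    RewriteRule ^/static/ - [L]
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P]

    # 7) Optional: cache whatever Zope marks cacheable (Cache-Control/Expires).
    CacheEnable disk /
    CacheRoot   /var/cache/apache2/zope

    ErrorLog  /var/log/apache2/zope-ssl-error.log
    CustomLog /var/log/apache2/zope-ssl-access.log combined
</VirtualHost>
```

Two things make this arrangement actually protective rather than cosmetic. First, Zope must not be reachable except through the proxy: bind its HTTP server to the loopback address in zope.conf (`address 127.0.0.1:8080` inside the `<http-server>` section) or firewall the port, otherwise the request limits and SSL above can simply be bypassed. Second, the VirtualHostMonster rewrite is what keeps generated links on the public https name; without it Zope will happily emit internal http://127.0.0.1:8080 URLs into pages and redirects.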

