[Zope] SSL and Apache
Paul Winkler
pw_lists at slinkp.com
Thu Jan 11 16:44:12 EST 2007
On Thu, Jan 11, 2007 at 12:25:26PM -0500, JPenny at ykksnap-america.com wrote:
> zope-bounces at zope.org wrote on 01/11/2007 12:07:37 PM:
>
> > Hi,
> >
> > I am writing a thesis about the security of Zope and have these
> > questions. I am wondering if this is the right place to ask.
> >
> > Is Zope behind Apache the only solution to provide SSL connection to
> > Zope?
>
> No, but it is the most common setup. Zope is believed to be very secure,
> but it has had, in no way, the amount of exposure, and thus battle-hardening
> that Apache has.
>
> Moreover using another web server in front of Zope has other benefits --
> 1) Static content can usually be displayed faster using a system tuned
> for static content, rather than one tuned for dynamic content.
> 2) URL-rewriting makes it possible to transparently distribute site
> content to multiple Zope versions or multiple machines.
> 3) In some circumstances, the front-end webserver can provide caching
> services, reducing the load on the Zope portion.
I would add 4) the front-end server can provide "sanitizing" of
requests from buggy or malicious clients.

A search of the mail archives will find many people advising the same
thing. I recently experienced it myself. I wasted a lot of time
recently trying to find out why Zope was leaking memory on XML-RPC
requests *only* from a certain client. The leak was small, but under
load, Zope would exhaust the system's memory after a few days. I could
never determine the cause, nor could I provoke the leak with other
clients.

Then one day, the client switched from one Java XML-RPC library (an
old version of the Apache xmlrpc library) to another (Redstone I
think), and immediately the symptom stopped. Zope's memory usage
became quite stable. Nothing else was changed.

A good, battle-tested reverse proxy in front of Zope should help
protect against that kind of thing.

--
Paul Winkler
http://www.slinkp.com