[Zope-dev] Re: Virtual Hosting in 2.2 - a Bestiary of Buglets

Evan Simpson evan@4-am.com
Tue, 5 Sep 2000 10:10:33 -0400 

From: Itamar Shtull-Trauring <itamar@maxnm.com>
>  Problem 1: HTTP and HTTPS (more of a proxypass issue)
> =======================================================
> I want to be able to serve both http and https versions of a site from
> Apache.  Problem is, because of the way proxying works, there is no way
for
> Zope to know if it is origially being accessed via http or https.  My
> solution? Add a folder in top level of Zope called "ssl".  If we see our
> path as proxied by Apache is /ssl/websites/example, we know we are being
> accessed via SSL.  Because of the magic of acquisition, this works, but
it's
> still an ugly hack, and slows things down.

If you think that's an ugly hack, you'll probably hate what I do ;-)  I have
Apache RewriteRules that look like these:

RewriteRule ^/(.*) http://localhost:8080/_proxy/http/%{HTTP_HOST}/example/$1
[P,L]

(with https instead of http in secure virtual hosts, of course)

...and an Access Rule in my root folder (stack is the traversal stack):

if stack and stack[-1] == '_proxy':
  stack.pop()
  base = "%s://%s" % (stack.pop(), stack.pop())
  request.setURL(base=base)
  request.set('SiteRootPATH', '/')

Finally, I have blank SiteRoots in my site folders.

>  Problem 2: ZCatalog
> =====================
> All the objects in /websites/example are being catalogged with paths such
as
> /websites/example/folder/myObject.  However, when I gets the objects path
> using getpath(), it's not adjusted based on the virtual hosting settings -
> it's still /websites/example/folder/myObject, not /folder/myObject as it
> should be.

This is one of the many ZCatalog problems that Chris P. is now valiantly
tackling.

>  Problem 3: Management interface
> =================================
> The breadcrumbs in the folder management screen (e.g. "/ folder1 /
> folder2"), still show the "/ websites / example", with links, when using
the
> virtual hosting.  That is, the managemnt interface shows folders that we
are
> not supposed to be able to access when we are using virtual hosting.

As Chris Withers points out, this is due to deprecated data passed in calls
to tabs_path_info.  I'll see that it gets fixed.

>  Problem 4: Access to other virtual hosts (security issue?)
> ============================================================
> When using virtual hosting, it is still possible to access the /websites
> folder for example, using acquistion.  So I can view the contents of one
> website from the other: www.example.com/websites/example2, and
> www.example2.com/websites/example.

Unless this is a real security concern for you, and can't be address within
the standard Zope security framework, I wouldn't worry about it.  As you
noticed, the optional 'hard' parameter to setVirtualRoot was a weak stab in
this direction, but I never spent enough time on it to really get it
working.  That would involve (at least) providing some kind of replacement
Application instance to root acquisition in.

Cheers,

Evan @ digicool & 4-am