[Zope] ZServer ACL

Jack Coates jack@monkeynoodle.org
Wed, 22 Aug 2001 07:53:27 -0700 (PDT)


Only if low usage is expected; the extra overhead of starting through
inetd is a potential problem, now that I think about it.


On Tue, 21 Aug 2001 sean.upton@uniontrib.com wrote:

> Are you suggesting that Zope be served through inetd (or, really, one of
> its replacements)?  That is interesting...
>
> Another thing - Squid runs great on Solaris, according to some things I have
> heard, but you would absolutely need to tweak TCP connection buffers and a
> few other settings.  Solaris 7/8, by default, is tuned to be a workstation,
> not a highly saturated server.  Linux 2.4, on the other hand, should run a
> proxy well without tuning - provided you turn off TCP_ECN. ;)  This is why
> our Squid proxies are Linux on Sun hardware...
>
> Sean
>
> -----Original Message-----
> From: Jack Coates [mailto:jack@monkeynoodle.org]
> Sent: Monday, August 20, 2001 8:23 PM
> To: Todd Hepler
> Cc: zope@zope.org
> Subject: Re: [Zope] ZServer ACL
>
>
> On Mon, 20 Aug 2001, Todd Hepler wrote:
>
> > I'm relatively new to Zope and python.
> >
> > I have Apache with ProxyPass (port 80) set up on the same box as Zope
> > with a VirtualHostMonster (port 8080). I want to make it so that
> > clients cannot "go around" Apache and talk directly to port 8080, so
> > I'm looking for a way to make Zope only accept requests that come from
> > localhost (or a specified IP address). I can't find anything on
> > zope.org related to ACLs of this nature or blocking access to ZServer
> > based on IP address. Any ideas? I dug through the medusa and ZServer
> > code, but the answer isn't jumping out at me.
> >
>
> Sean Upton already gave you some good answers -- but an additional
> important step to do this is to use Wietse Venema's TCP Wrappers to
> limit access right there on the box.
>
> The internet interface isn't the only unsafe one...
>
> > I'm running Zope 2.4.0 with Python 2.1.1 on Solaris 2.7.
> >
> > Why would I want this? (you might ask)
> >
> > To scale, I want to be able to turn on caching in Apache, or replace
> > Apache with squid. This won't improve performance if the pages that
> > come out of Zope refer directly to port 8080. The clients would end up
> > "going around" the cache.
> >
>
> You can also put squid in front of the Zope server in a transparent
> acceleration mode -- look on LDP for a HOWTO. (should be valid on
> Solaris).
>
> > I know there are ways to make Zope generate appropriate URLs and thus
> > not go around port 80, but I'm not interested in those solutions here.
> > Even those solutions won't stop someone from hardcoding a reference to
> > port 8080 in one of their pages. I want to simply shut off access to
> > it in the first place so that if someone even tries it, they fail.
> >
> > Thanks,
> > -todd
> >
> --
> Jack Coates
> Monkeynoodle: A Scientific Venture...
>
>

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
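The check Todd was looking for in the ZServer/medusa code, shown as an added example that is not Zope's or medusa's own code: a small Python socketserver whose verify_request hook drops any peer outside an allowlist (loopback plus a hypothetical front-end proxy address 10.0.0.5), which is the same policy a hosts.allow entry would express for an inetd-spawned service.

```python
import socket
import socketserver
import threading
from ipaddress import ip_address, ip_network

# Allowlist for the back-end port (8080 in the thread): loopback plus the
# address of the box running Apache/Squid. 10.0.0.5 is a made-up address.
# TCP Wrappers equivalent: hosts.allow "zope: 127.0.0.1 10.0.0.5", hosts.deny
# "ALL: ALL" -- but tcpd only sees services started through inetd or linked
# against libwrap, which is why a standalone ZServer needs its own check.
ALLOWED_NETS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.5/32")]


def peer_allowed(addr, allowed=ALLOWED_NETS):
    """Return True if the peer address falls inside any allowed network."""
    ip = ip_address(addr)
    return any(ip in net for net in allowed)


class AclTCPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def verify_request(self, request, client_address):
        # Runs right after accept() and before any handler code: returning
        # False makes socketserver close the connection, so a client that
        # "goes around" the proxy never gets a byte of the application.
        return peer_allowed(client_address[0])


class Backend(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"HTTP/1.0 200 OK\r\n\r\nserved by back-end\n")


def start_backend(host="127.0.0.1"):
    # Binding to loopback alone already keeps the port off the network;
    # the ACL on top of it covers the case where the proxy sits on another box.
    srv = AclTCPServer((host, 0), Backend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_backend()
    port = srv.server_address[1]
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        print(s.recv(64))          # accepted: loopback is on the allowlist
    srv.shutdown()
    srv.server_close()
```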