[Zope] SiteAccess, Set Access Rule, Proxy, ReWrite or Virtual Host Monster

Evan Simpson evan@4-am.com
Sat, 3 Mar 2001 11:10:59 -0600 

From: "Peter Bengtsson" <peter@grenna.net>
> There seems to be many ways to connect a domain name to a folder in Zope
> without :8080 in the URL.
> All I care about is being able to have access to REMOTE_ADDR in my
> application and the hiding of "ugly URLs".
[snip]
> Which one of all the things mentioned in my subject line is the most
common
> and "modern"? I see that there are a lot of How-To's using various
> techniques, but I can't tell which one the pros recommend.

When I first needed virtual host support in Zope 2.x, SiteRoots were the
simplest way I could think of to encapsulate virtual host root behavior.
Access Rules were necessary if I wanted to redirect different host names to
different folders without using Apache's virtual host support.  Together,
they worked for me, so I stopped there and released them as the SiteAccess
Product.

Since I designed tools rather than a simple drop-in solution, people had to
figure out how to best apply those tools, and several of them helpfully
wrote HowTos.  It has become painfully obvious over time, though, that
Access Rules are more complicated and dangerous than many users are ready to
deal with, and SiteRoots are too blunt a tool.

In particular, Access Rules and SiteRoots trigger whether you want them to
or not, and I've had to tell many a panicked email correspondent how to
disable one or the other (put _SUPPRESS_ACCESSRULE or _SUPPRESS_SITEROOT in
the right place in your URL) because they were locked out of their Zope.

Just before SiteAccess was brought into the core, in Zope 2.3, I came up
with the idea for Virtual Host Monsters.  They are intended to be the
drop-in solution that everyone always wanted.  They are totally inert unless
you use specially-rewritten URLs, so they can't lock you out of Zope.  They
don't require (or allow, yet) any sort of configuration.  You simply take
your existing Apache RewriteRule or ProxyPass directive and add a few path
elements.

Here are some example Apache directives, before and after adapting them for
use with a Virtual Host Monster:

# Simple HTTP front-ends
BEFORE: ProxyPass / http://localhost:8080/
- AFTER: ProxyPass /
http://localhost:8080/VirtualHostBase/http/www.hostname.com:80/

BEFORE: RewriteRule ^/(.*) http://localhost:8080/$1 [P,L]
- AFTER: RewriteRule ^/(.*)
http://localhost:8080/VirtualHostBase/http/www.hostname.com:80/$1 [P,L]

# Simple HTTPS front-ends
BEFORE: ProxyPass / http://localhost:8080/
- AFTER: ProxyPass /
http://localhost:8080/VirtualHostBase/https/www.hostname.com:443/

BEFORE: RewriteRule ^/(.*) http://localhost:8080/$1 [P,L]
- AFTER: RewriteRule ^/(.*)
http://localhost:8080/VirtualHostBase/https/www.hostname.com:443/$1 [P,L]

# Apache virtual host in a Zope sub-folder
BEFORE: ProxyPass / http://localhost:8080/host1
- AFTER: ProxyPass /
http://localhost:8080/VirtualHostBase/http/www.hostname.com:80/host1/Virtual
HostRoot

BEFORE: RewriteRule ^/(.*) http://localhost:8080/host1/$1 [P,L]
- AFTER: RewriteRule ^/(.*)
http://localhost:8080/VirtualHostBase/http/www.hostname.com:80/host1/Virtual
HostRoot/$1 [P,L]

# Entire Zope in an Apache sub-folder
BEFORE: ProxyPass /subZope http://localhost:8080/
- AFTER: ProxyPass /subZope
http://localhost:8080/VirtualHostBase/http/www.hostname.com:80/VirtualHostRo
ot/_vh_subZope

BEFORE: RewriteRule ^/subZope(.*) http://localhost:8080$1 [P,L]
- AFTER: RewriteRule ^/subZope(.*)
http://localhost:8080/VirtualHostBase/http/www.hostname.com:80/VirtualHostRo
ot/_vh_subZope$1 [P,L]

==========

REMOTE_ADDR is a much tougher nut to crack.  It isn't derived from anything
in the REQUEST headers.  It is determined at the ZServer level, from the IP
address of the actual connection.   If that connection is always coming from
an Apache proxy on localhost, REMOTE_ADDR will always be 127.0.0.1.

There are patches available, as you found, to make Apache's REMOTE_ADDR
available to Zope, but this behavior isn't supported by ZServer (it doesn't
look for HTTP_VIA).  What we really want is to create a standard mod_zope,
to take care of this and any other Apache integration issues.

Cheers,

Evan @ digicool & 4-am