[Zope] Zope Best Possible Installation
Mon, 16 Jun 2003 16:29:54 +0200
On Friday 13 June 2003 23:11, you wrote:
> Robert Segall wrote:
> > > On Fri, Jun 13, 2003 at 01:15:13AM -0700, Jamie Heilman wrote:
> > > > Zope requires a proxy server which can place limits request length
> > > > for secure operation. If pound doesn't provide them, then pound is
> > > > not suitable where secure operation is required.
> > To set everybody's mind to rest: Pound does set a limit (albeit large -
> > by default almost 16K) on the size of a request. In addition only
> > "correctly formed" requests (as per RFC) are passed to the back-end
> > servers.
> > In practice this means that Pound routinely rejects (for example)
> > Nimda-style requests - see the log files for "Bad request" messages.
> > Clarification: "request size" means the size of the request _string_, not
> > the total size of an HTTP request. There is no limit on the total size of
> > the _data_ (in a POST request, for example) that a client can send to a
> > server.
> No, no, request size means the whole request, I'm the one who used
> that term, and thats what I ment. Request header length limits are
> all well and good, and as of 2.6 Zope even has some of its own:
> http://collector.zope.org/Zope/606 Nevertheless header limits are not
> sufficient by themselves, body length limits are requisite for
> reliable operation. ZServer will read an entire POST request into
> memory, so without a protective proxy it is trivial for a client to
> run the Zope process into the rlimit or worse. If Pound does not
> provide this protection then Pound is not suitable where secure (read
> as: reliable) operation is required.
Thanks for the clarification. That kind of limit is scheduled for the next
official release of Pound - feel free to download
http://www.apsis.ch/pound/Pound-current.tgz if you want to give it a
try. I'd greatly appreciate your feedback on it.
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904