[Zope] Reasons for Apache?? SSL?? (was "Running Mailman CGI under Zope ZServer")

Cees de Groot cg@cdegroot.com
18 Nov 2000 11:26:36 +0100


Joachim Werner <joe@iuveno.de> said:
>Apache can then also be used to serve
>static parts of your web site, like large documents or images. Also, Apache
>can be used to cache Zope requests. 
>
I use Squid, not Apache as a reverse web proxy in front of Zope. I did a bit
of testing, and you can very well serve your static content from Zope in this
setup - I am planning to assign caching control properties to parts of the 
document structure and make Zope 'kick' Squid for a refresh when cached 
documents are edited. Initial experiments got me 500 requests per second
on cached documents - Zope wasn't touched at all. 

>Regarding your problem: Set up a simple packet filter firewall (most Linux
>distros have scripts for that, e.g. SuSE has "firewals") and don't allow
>access to port 8080.
>
Something like
% ipchains -A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
should totally block port 8080. If you work from 1.2.3.4, you can do:
% ipchains -I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
and your machine is the only one that can get to this port. If you want
to have this done automagically, create /etc/ipchains.conf:

% cat >/etc/ipchains.conf <<EOF
-I input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -j REJECT
EOF

and execute '/sbin/ipchains-restore </etc/ipchains.conf' from
/etc/rc.d/boot.local (or similar).

Disclaimers: I haven't tested these rules; you should have a kernel that does
packet filtering; you're not worth the root password if you let someone else
tell you firewalling rules without understanding /exactly/ what they do ;-)


-- 
Cees de Groot               http://www.cdegroot.com     <cg@cdegroot.com>
GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD  1986 F303 937F E098 9E8B
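
Added example, not part of the original post: a small Python model of first-match rule evaluation, showing why the ACCEPT for 1.2.3.4 has to be inserted (-I) ahead of the catch-all REJECT rather than appended (-A) after it. It assumes a simplified subset of the ipchains options used above (-A, -I, -s, -d with an optional port, -p, -j) and a default chain policy of ACCEPT; the other addresses are constructed.

```python
import ipaddress

def _net(spec):
    # ipchains accepts "0/0" as shorthand for "any address"
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def build_chain(lines):
    """Apply -A (append) / -I (insert at head) rule lines to an empty chain."""
    chain = []
    for line in lines:
        tok = line.split()
        rule = {"src": _net("0/0"), "dst": _net("0/0"), "dport": None,
                "proto": None, "target": None}
        op, i = None, 0
        while i < len(tok) - 1:
            opt, val = tok[i], tok[i + 1]
            if opt in ("-A", "-I"):
                op = opt                      # val is the chain name ("input")
            elif opt in ("-s", "-d"):
                rule["src" if opt == "-s" else "dst"] = _net(val)
                if i + 2 < len(tok) and tok[i + 2].isdigit():
                    if opt == "-d":
                        rule["dport"] = int(tok[i + 2])
                    i += 1                    # consume the optional port
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "-j":
                rule["target"] = val
            i += 2
        if op == "-I":
            chain.insert(0, rule)
        elif op == "-A":
            chain.append(rule)
    return chain

def verdict(chain, src, dport, dst="192.0.2.10", proto="tcp", policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if (s in r["src"] and d in r["dst"] and r["proto"] in (None, proto)
                and r["dport"] in (None, dport)):
            return r["target"]
    return policy

# Constructed inputs: the post's two rules in command order, in file order,
# and a mistaken variant that appends the ACCEPT after the REJECT.
REJECT = "input -s 0/0 -d 0/0 8080 -p tcp -j REJECT"
ACCEPT = "input -s 1.2.3.4/32 -d 0/0 8080 -p tcp -j ACCEPT"
COMMAND_ORDER = ["-A " + REJECT, "-I " + ACCEPT]
FILE_ORDER = ["-I " + ACCEPT, "-A " + REJECT]
APPEND_ONLY = ["-A " + REJECT, "-A " + ACCEPT]
```

With APPEND_ONLY the REJECT matches first, so even 1.2.3.4 is locked out of port 8080; the other two orderings produce the same chain.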