[Zope] Cobalt RAQ3, Zope, SSL, FastCGI - A how to

Blandford, Simon [BSS Audio UK] Simon.Blandford@bss.co.uk
Tue, 7 Aug 2001 16:14:29 +0100


For anyone who may need it, here is a howto to get Zope working via SSL on a
RAQ3. I found that the Proxy Server method has some problems and is not
compatible with some Zope products. The FastCGI method has worked flawlessly
with all the products which I have installed on it in the last few months.
Enjoy...

The comments expressed in this email are my own and not necessarily those of
my employer. 



Installing Zope

First you need to create a user called "zope", as it is not wise to run Zope as
root for all sorts of reasons.

   1. Log in to the Cobalt as root using an SSH2 client.
   2. Type
          * adduser zope
   3. Then type
          * passwd zope
   4. Enter the zope user password, write it down and don't forget it.
   5. Start a new SSH2 session but this time log in as user "zope".
   6. In your local browser go to the Zope website http://www.zope.org .
   7. Find the latest stable Linux distribution and find the URL for the
binary download, copy the URL of the .tgz file to your clipboard.
   8. Back in your zope SSH2 session, type
          * wget
          * ,spacebar, then press shift-insert key. This should paste the
URL after wget. Press return.
   9. This should now download Zope directly onto the Cobalt.
  10. Type
          * tar zxf *.tgz
          * ln -s zope
          * ,press the TAB key, then spacebar then continue by typing
          * zope
          * ,then press return,
          * cd zope
          * ./install
  11. Make a careful note of your admin password when it is displayed,
otherwise you will be stuffed.
  12. Now to test our shiny new Zope installation, type
          * ./start
  13. After a pause it should come up with some encouraging words to say
it's running.
  14. Point your web browser at your Cobalt server and add :8080 at the end
of the URL and you should see the Zope screen of life!
  15. Go to the link saying Management screens, you should see a kind of
directory structure.
  16. Click on the folder called acl_users.
  17. Click on Add.
  18. Enter a name, like "support" or "superuser", enter a strong password
and select the Role as being Manager.
  19. Click on Add.
  20. From now on, log in as this manager rather than admin.
  21. On the left frame, click on the folder called Control Panel.
  22. Shut down the Zope server with the button provided.

----------------------------------------------------------

UK2NET say that we should not mess with Apache or Sendmail in terms of
re-compiling or upgrading the packages. As FastCGI is not included as
standard, how do we add it? Fortunately, extra functionality can be added to
Apache as modules, or DSOs, as they are referred to.

   1. First we need to log on as root with SSH2, like we did in the previous
Installing Zope phase.
   2. Next we type
          * cd /usr/local/src
   3. Point your web browser at the website http://www.fastcgi.com/ and copy
the link location of the mod_fastCGI .tgz file.
   4. Now in your root SSH2 session type wget then shift-insert and download
that file.
   5. Type (you may get some obscure warning when using apxs about it not
finding Apache. I found this not to be a problem)
          * tar zxf mod*
          * cd mod_*_*
          * apxs -o mod_fastcgi.so -c *.c
          * apxs -i -a -n fastcgi mod_fastcgi.so
   6. Now we need to edit the main httpd.conf file. To do this type
          * pico /etc/httpd/conf/httpd.conf
   7. Scroll down until you see a line starting "LoadModule fastcgi_module"
and make it say

LoadModule fastcgi_module     /usr/lib/apache/mod_fastcgi.so

   8. Scroll down until you see a line starting "AddModule mod_fastcgi.c".
Just to check it's there!
   9. Scroll down to a line

# Listen: Allows you to bind Apache to specific IP addresses and/or

      and just before it insert the following...

#
# Modified by <ME> xx/x/xx for Zope via FCGI
#
FastCgiIpcDir /tmp
FastCgiExternalServer    /home/sites/site1/web/Zope \
                         -socket zope.soc \
                         -pass-header Authorization
<Location /Zope>
SetHandler fastcgi-script
</Location>


This assumes you want your Zope stuff to appear on the first website (site1)
under a sub directory called "Zope". If not then change
/home/sites/site1/web/Zope to something more appropriate. To find out what
site number your site is, have a look at /home/sites and do an "ls -l". You
will see that the directories for the sites are actually soft links to
site1, site2 etc.

   1. Press CTRL-O then CTRL-X to save the file and exit Pico.
   2. Type the following to restart Apache
          * /etc/rc.d/init.d/httpd restart

Hopefully you got no errors and if you type ps -aux you get some entries
with /usr/sbin/httpd in them.

-----------------------------------------------------------------------


Zope to Apache

OK, we are going to do two things here. One is to get Zope to use FastCGI
and the other is to get Zope to run as Zope but called from root as a
background process. This will pave the way to the next step of getting zope
to run as a daemon automatically. I am assuming that >= Zope 2.4 was
installed.

   1. Log in as root.
   2. Type
          * cd /home/zope/zope
          * pico startd
   3. In this blank file enter the following...

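#! /bin/sh
# Start Zope behind Apache/mod_fastcgi, in the background.
#   -F /tmp/zope.soc  FastCGI socket (must match FastCgiIpcDir and -socket
#                     in httpd.conf)
#   -w -              disable Zope's own HTTP server (no port 8080)
#   -D                debug mode
#   -u zope           switch to user "zope" when started by root
reldir=`dirname "$0"`
INST_HOME=`cd "$reldir"; pwd`
export INST_HOME
exec /home/zope/zope/bin/python \
     "$INST_HOME/z2.py" \
     -F /tmp/zope.soc  \
     -w - \
     -D "$@" \
     -u zope &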


   1. Press CTRL-O then CTRL-X to save and exit pico.
   2. Type
          * chmod 755 startd
   3. Now we test it. Type
          * ./startd

All being well after a few tens of seconds Zope should start and be visible
under whatever your first Cobalt site name is under the sub directory Zope
e.g. http://www.freddy.com/Zope. The start file also suppresses access to
Zope on port 8080 with the -w - option so you can now only access it from
Apache.
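
A quick way to confirm the three things this section relies on (Zope running
as user zope rather than root, port 8080 closed, and the socket in
world-writable /tmp owned by zope), as an added example that is not part of
the original post. The sample output and uid 502 are constructed; feed the
functions live output from ps aux, netstat -ltn and ls -ln /tmp/zope.soc.

```shell
#!/bin/sh
# Added example: checks for the Zope/FastCGI setup described above. Each
# function reads command output on stdin, so it works on saved or live output.

# stdin: `ps aux`. OK only if z2.py is running, and only as user $1.
zope_runs_as() {
    awk -v want="$1" '
        /z2\.py/ { seen = 1; if ($1 != want) bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# stdin: `netstat -ltn`. OK only if no TCP listener is bound to port $1.
port_not_listening() {
    awk -v port="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) found = 1 }
        END { exit (found ? 1 : 0) }'
}

# stdin: `ls -ln /tmp/zope.soc`. OK only if it is a socket owned by uid $1,
# i.e. no other local user created that name in /tmp first.
socket_owned_by() {
    awk -v uid="$1" '
        substr($1, 1, 1) == "s" && $3 == uid { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample output (uid 502 for user zope is an assumption).
SAMPLE_PS='zope 1234 0.5 3.1 20000 12000 ? S 16:20 0:02 /home/zope/zope/bin/python /home/zope/zope/z2.py -F /tmp/zope.soc -w - -D
root 801 0.0 0.9 4000 1500 ? S 16:01 0:00 /usr/sbin/httpd'
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN'
SAMPLE_LS='srwxrwxr-x 1 502 502 0 Aug  7 16:20 /tmp/zope.soc'

# Prints one line per failed check; returns the number of failures.
# $1 ps output, $2 netstat output, $3 ls -ln line, $4 user name, $5 uid
audit() {
    fails=0
    printf '%s\n' "$1" | zope_runs_as "$4" ||
        { echo "z2.py missing or not running as $4"; fails=$((fails + 1)); }
    printf '%s\n' "$2" | port_not_listening 8080 ||
        { echo "port 8080 is still listening"; fails=$((fails + 1)); }
    printf '%s\n' "$3" | socket_owned_by "$5" ||
        { echo "socket is not a socket owned by uid $5"; fails=$((fails + 1)); }
    return "$fails"
}

audit "$SAMPLE_PS" "$SAMPLE_NETSTAT" "$SAMPLE_LS" zope 502 && echo "sample passes all checks"
```
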

Now we stop it by going to the Control Panel in Zope and shutting Zope down.

--------------------------------------------------------------------------



Making Zope run as a daemon

It is quite dangerous to add start-up scripts as they can easily hose Linux
and prevent it from re-booting. This can be rescued on a desktop PC but when
your Cobalt server is sat at an ISP with no other link to you than the
internet, then making it un-bootable isn't really an option! However, we can
test the start/stop script before making it part of the system. I also
modified the script I found on the web for Zope by putting in a time out so
that if Zope doesn't start for any reason the script doesn't just sit there
forever waiting for it.

   1. Log in as root
   2. Type pico /etc/rc.d/init.d/zope
   3. Copy from this page and then paste (SHIFT-INSERT) into pico the
following script...


#!/bin/bash
#
#       /etc/rc.d/init.d/zope
#
# Starts the zope daemon - by Markoer
#
# processname: zope

# Source function library.
. /etc/rc.d/init.d/functions

case "$1" in
  start)
   # Check if zope is already running
   if [ ! -f /var/lock/subsys/zope ] ; then
      echo -n 'Starting zope daemon: '
      /home/zope/zope/startd 2> /dev/null
      i=0
      while [ $i -lt 90 ]; do
         [ -f /home/zope/zope/var/Z2.pid ] && break
         sleep 1 && echo -n "."
         let i=i+1
       done
      if [ $i -ge 90 ] ; then
         echo "Time out."
         exit 1
      else
         cat /home/zope/zope/var/Z2.pid > /var/lock/subsys/zope
         touch /var/lock/subsys/zope
         cat /home/zope/zope/var/Z2.pid > /var/run/zope.pid
         touch /var/run/zope
         echo " OK"
      fi
   else
      echo "zope already running."
   fi
   echo
   ;;
  stop)
   echo -n 'Stopping zope daemon: '
   [ -f /home/zope/zope/var/Z2.pid ] && kill `cat /home/zope/zope/var/Z2.pid`
      rm -f /var/lock/subsys/zope
      rm -f /home/zope/zope/var/Z2.pid
      rm -f /home/zope/zope/var/pcgi.soc
      rm -f /home/zope/zope/var/Data.fs.lock
      rm -f /home/zope/zope/var/zProcessManager.pid
      echo " OK"
   echo
   ;;
  reload|restart)
   $0 stop
   $0 start
   ;;
  status)
    if [ -f /home/zope/zope/var/Z2.pid ] ; then
      cat /home/zope/zope/var/Z2.pid > /var/lock/subsys/zope
      touch /var/lock/subsys/zope
      cat /home/zope/zope/var/Z2.pid > /var/run/zope.pid
      touch /var/run/zope
      echo "zope (pid `head -1 /var/run/zope.pid`) is running..."
   else
      echo "zope not running."
   fi
        ;;
  *)
   echo "Usage: /etc/rc.d/init.d/zope {start|stop|restart|reload|status}"
   exit 1
esac



   1. Type
          * chmod 755 /etc/rc.d/init.d/zope
   2. Now we test it. Type
          * /etc/rc.d/init.d/zope restart

Yes, that's right, restart. After a few seconds it should acknowledge that
Zope has started, otherwise it will either time out after 90 seconds or
appear to start immediately.

OK, we've proved our point so just type

          * /etc/rc.d/init.d/zope stop

Note that if Zope doesn't compile it just won't start but you won't know
why. If you add a Zope product and it breaks Zope you will have to just use
the start and stop commands in the /home/zope/zope directory as user "zope"
and get Zope running on port 8080 to see the compile error messages. Once it
is OK you can start zope as a daemon again.
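
The stop branch of the script above runs kill as root on whatever is in
/home/zope/zope/var/Z2.pid, a file the zope user can write. An added example
(not part of the original post) of validating that file before acting on it;
it assumes Linux /proc, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate a PID file before root signals what it names.

# Print the PIDs in file $1, space separated, only if $1 is a regular file
# (not a symlink) and every token in it is a plain decimal number.
pids_from_file() (
    [ -f "$1" ] && [ ! -L "$1" ] || exit 1
    set -f                                  # never glob-expand file content
    out=
    for p in $(cat "$1"); do
        case "$p" in *[!0-9]*) exit 1 ;; esac
        out="$out $p"
    done
    [ -n "$out" ] || exit 1
    printf '%s\n' "${out# }"
)

# Succeed only if process $1 exists and its effective uid equals $2.
pid_owned_by_uid() (
    [ -r "/proc/$1/status" ] || exit 1
    euid=$(awk '/^Uid:/ { print $3 }' "/proc/$1/status")
    [ "$euid" = "$2" ]
)

# Signal the PIDs in file $1 only if every one belongs to uid $2;
# otherwise signal nothing and return non-zero.
safe_kill_from_pidfile() (
    set -f
    pids=$(pids_from_file "$1") || exit 1
    for p in $pids; do
        pid_owned_by_uid "$p" "$2" || exit 1
    done
    kill $pids
)

# In the stop) branch this would replace the bare kill, for example:
#   safe_kill_from_pidfile /home/zope/zope/var/Z2.pid "`id -u zope`"
```
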

If all has gone well so far we are ready to build zope into the run levels
so that it gets started and stopped with the other daemons.

Type the following lines, or better still, copy and paste them
(paste=SHIFT-INSERT) into your root SSH2 session...

          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc0.d/K78zope
          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc1.d/K78zope
          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc2.d/S78zope
          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc3.d/S78zope
          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc4.d/S78zope
          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc5.d/S78zope
          * ln -s /etc/rc.d/init.d/zope /etc/rc.d/rc6.d/K78zope

Now reboot your server via the Cobalt admin web interface and pray! You
should see Zope running when the server comes back up.

-----------------------------------------------------------------------------

Set up SSL

There are three motivations for making Zope work through Apache on Zope:

   1. To get Zope to listen on Port 80 instead of 8080,
   2. To get Zope integrated into an Apache web site,
   3. To get the advantages of Apache features such as SSL.

First it might be an idea to get SSL working on Apache. This is done through
the standard Server and Site administration pages as per the instruction
manual. I used a self-generated certificate because I am not using the
server for credit card transactions and I am not paying £££ just to make a
silly browser warning message disappear. SSL is simply being used to protect
usernames, passwords and against casual eavesdroppers. This site is an
extranet.

When the site has SSL enabled you should find that you can access Zope via
http:// or https://. Once in https:// mode any links in the page will
automatically have https:// in them if they are to the same site. This is
the way Cobalt/Apache does things. If we want to enforce SSL then we can get
Zope to insert https:// before any links. There is a Zope product for this.

   1. Log in using SSH2 as user "zope".
   2. Go to the Zope site and look for the downloadable product called
SSLAbsoluteURL
   3. Wget the product into your zope directory.
   4. Untar it (tar zxf SSL*)
   5. Now we have to move it to the correct place. Type
          * mv SSLAbsoluteURL zope/lib/python/Products/
   6. Access Zope from your web browser and go to the Management screens
logged in as the superuser.
   7. Click on the Control_Panel folder in the left frame.
   8. Click on the Restart Zope button.
   9. When Zope comes back on line, go back into the Management screens and
in the right frame select the Properties tab.
  10. Add a new property called "SSL" as a Boolean type.
  11. Set the SSL value to "ticked".

From now on do not place any objects in the root folder of Zope, rather
create sub folders to put things in. SSL doesn't work on the root folder.
When you link to anything in these sub folders make sure that the link
either starts with https:// or comes from a page already in https:// mode.

That's it folks!

Thank you for tuning in and merry Zope'ing!