[Zope] Major security flaw in Zope 2.3.2

sean.upton@uniontrib.com sean.upton@uniontrib.com
Thu, 07 Jun 2001 12:59:29 -0700


You can just use a squid external redirector (jesred, pyredir, squirm, or
custom) to get the same kind of thing out of Squid as you would expect from
mod_rewrite; then, that means you are using the same mechanism for Zope
virtual hosts as you are for URL rewriting.  I'm not sure if Apache buys one
anything more in the rewrite dept.  The one catch is you likely have to use
a custom redirector (or tweak the Python code in pyredir) if you want POST
methods to be supported, but this is not too big of a deal.

The 2 squid caches in my setup are peers, sharing ICP connections over a
dedicated network; I am working on setting up the second peer today.  The
boxes are balanced by a layer 4 switch (Intel 7140), which is set up for
"OPR" mode, which sends incoming packets through the L4 switch, but outgoing
packets directly out from the Squid boxes, bypassing the load-balancer.  I'm
trying to scale this whole infrastructure without creating a lot of
latency...

The nice thing about this is that it seems to be very clean conceptually
for my company's infrastructure because, as a media company, we publish a
lot of material out to the web - from several places: static files, Zope,
CF, and PHP stuff.  In order to support all that and have caching site wide
(not just for Zope), it makes sense in my case to put Squid on the outside
of the setup, closest to the user downloading content.

Sean
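As an added illustration of the "custom redirector" Sean mentions (example code written for this archive page, not pyredir, jesred, squirm, or anything from the thread), here is a small Squid external redirector that does the job mod_rewrite would otherwise do: it maps a public virtual host onto Zope's VirtualHostMonster URL form and lets POST through as well as GET/HEAD. It assumes Squid's classic redirector protocol (one request per line on stdin, "URL client_ip/fqdn ident method", and one rewritten URL or an empty line on stdout), and the host names, backend address and folder names in the VHOSTS table are constructed for the example.

```python
#!/usr/bin/env python3
"""Custom Squid URL redirector that rewrites public virtual-host URLs into
Zope VirtualHostMonster URLs on a back-end ZServer.

Assumptions (not taken from the mailing-list thread):
  * Squid feeds the helper lines of the form
        URL client_ip/fqdn ident method
    and expects either a rewritten URL or an empty line (= leave unchanged).
  * The back end is Zope with a VirtualHostMonster installed, so the
    /VirtualHostBase/<scheme>/<host>:<port>/<folder>/VirtualHostRoot/ form
    makes Zope generate URLs for the public host name.
"""
import sys
from urllib.parse import urlsplit

# Constructed mapping: public host -> (ZServer host:port, Zope folder that
# acts as the site root).  Only hosts listed here are ever rewritten, so a
# client cannot pick an arbitrary back end just by sending a different Host.
VHOSTS = {
    "www.example.com": ("zope1.internal:8080", "site1"),
    "news.example.com": ("zope1.internal:8080", "news"),
}

# POST is deliberately included; a redirector that only handles GET is the
# "catch" described above.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def rewrite(url, method="GET"):
    """Return the VirtualHostMonster URL for a known public host, or '' so
    Squid leaves the request untouched (unknown host, odd scheme, method we
    do not want to proxy through this path)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or method.upper() not in ALLOWED_METHODS:
        return ""
    try:
        port = parts.port or 80
    except ValueError:          # malformed port in the URL: pass through
        return ""
    host = parts.hostname
    mapping = VHOSTS.get(host)
    if mapping is None:
        return ""
    backend, root = mapping
    path = parts.path or "/"
    new = (f"http://{backend}/VirtualHostBase/http/{host}:{port}"
           f"/{root}/VirtualHostRoot{path}")
    if parts.query:
        new += "?" + parts.query
    return new


def handle_line(line):
    """Parse one Squid request line and return the reply for that line."""
    fields = line.split()        # the URL itself can contain no whitespace
    if not fields:
        return ""
    url = fields[0]
    method = fields[3] if len(fields) > 3 else "GET"
    return rewrite(url, method)


def main():
    # Squid keeps the helper alive for its lifetime and sends one request per
    # line; every reply must be flushed at once or Squid stalls on it.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Hooked up as Squid's redirector program, this keeps the public URL space in one place (the VHOSTS table) while the rewritten request goes straight to ZServer; anything not in the table is answered with an empty line, which is the safe default because it changes nothing.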

-----Original Message-----
From: Toby Dickenson [mailto:tdickenson@devmail.geminidataloggers.co.uk]
Sent: Thursday, June 07, 2001 3:49 AM
To: sean.upton@uniontrib.com
Cc: zope@zope.org
Subject: Re: [Zope] Major security flaw in Zope 2.3.2


On Wed, 06 Jun 2001 14:05:06 -0700, sean.upton@uniontrib.com wrote:

>I've never heard of putting squid _between_ apache and ZServer, but why not
>put squid on the outside of your system as to not create extra latency?

I've measured latency at moderate loads... for cache misses the
difference is negligible, largely because Zope has a relatively high
latency.

If you have some pages that are:
* uncacheable, and
* latency-critical
then you could use mod_rewrite to send them directly to Zope (not via
squid).


The advantages (for me) of putting Apache on the outside are virtual
hosting, and using mod_rewrite to pull other back-end servers into
Zope's URL namespace.

>I think squid is much more advanced than mod_proxy in terms of caching
>options and raw speed.  I am currently setting up a ZEO cluster with nodes
>running ZServer sitting behind a pair of load-balanced squid caches

Interesting. Are you planning these two Squids to be independent, or
peers?




Toby Dickenson
tdickenson@geminidataloggers.com