Why do we want to run Zope behind Apache?
- We want to host multiple content management frameworks e.g. IIS webs, Zope (Plone), Cold Fusion among others.
- Use Apache to cache sites, to serve pages quicker.
- To put protective security and indirection in place to reduce exposure to attacks, exploits etc.
- To minimise licensing problems and to provide flexibility in how we configure and deploy our network.
- We want logs generated simply in a common Web analysis format.
Apache as a simple proxy
This gets us comfortable using Apache as a proxy server by familiarising us with configuring Apache and loading modules. For Apache 2, uncomment the LoadModule lines for mod_proxy and mod_proxy_http (proxy_module and proxy_http_module) in httpd.conf. These modules are DSOs (Dynamic Shared Objects) and enable the proxy functionality. Restart the Apache service to load them. Example from httpd.conf:
    # uncomment mod_proxy as required.
    LoadModule proxy_module modules/mod_proxy.so
    # uncomment mod_proxy_http as required.
    LoadModule proxy_http_module modules/mod_proxy_http.so
This configuration only uses Apache to organise multiple web servers in a simple way. We do not use Apache to host as such, more as an index or address book linking us to the other web servers, which are running on other machines or on the same machine but on different ports. In the case below both Zope and Apache are installed on the same server, with Apache on port 80 and Zope on port 8080. Set up a simple proxy in your Apache httpd.conf similar to the example below:
    # Put a proxy pass statement below.
    # This serves the page available at localhost:8080
    # from http://localhost/first_link
    # Any URLs on this page will however point the client
    # to the port the second web server is available on, e.g.
    # a relative link to '/new_link/' from http://localhost/first_link
    # will go to http://localhost:8080/first_link/new_link
    ProxyPass /first_link http://localhost:8080/
    ProxyPassReverse /first_link http://localhost:8080/
N.B. It is said that simple proxy servers are dangerous; we are told we must secure our server by disabling anonymous forward proxy, as below in httpd.conf (I would like to be able to test how this block works somehow, presumably this means trying to exploit anonymous forward proxy servers?):
    # we need the following to stop our proxy server being used for anonymous proxy
    <LocationMatch "^[^/]">
        Deny from all
    </LocationMatch>
N.B. The Apache documentation seems to indicate that ProxyRequests Off is the correct setting to disallow anonymous forward proxy (see Apache.org for details).
Restart your Apache service and browse http://localhost; you should see the site served on 8080. You'll note that all links from this page point directly to http://localhost:8080/. The problem here is that the outside client browsing the website must have access to the server and port serving the site you have proxied, which isn't what we want for a public site.
Apache plus VirtualHostMonster as a complete proxy
AKA The Gentle Giant (Plone.org). By using a Virtual Host Monster built into Zope together with Apache's proxy functionality, we can present an entire Zope web from port 80 when it is actually served on a port that isn't accessible from the outside. This is also called a protective proxy server.
We approach this in two parts: set up a Zope Virtual Host Monster (VHM), then use Apache's rewrite rules to serve up pages from Zope. Go to VirtualHostMonster for instructions on how to add and test the running of a Virtual Host Monster:
    # Instructions adapted from http://plone.org/documentation/howto/HowToRunPloneWithApache
    # Probably don't need the <VirtualHost> tags, works without.
    # <VirtualHost *:80>
    ProxyPass / http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/
    # </VirtualHost>
Every time your Apache gets a request for /, it goes to localhost port 8080 and tells VirtualHostMonster to get the stuff in Plone and make it look like it's coming from me.com port 80. Additionally, the VirtualHostRoot at the end of the ProxyPass lines tells the VirtualHostMonster that this is the root of the site.
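The mapping described above, modelled as an added example (this is not Zope's or Apache's own code). The function names are hypothetical, and dropping the default port from generated links is an assumption about Zope's behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}

def to_backend(request_path, proxy_prefix, target):
    """Model ProxyPass: replace the matched public prefix with the backend target."""
    if not request_path.startswith(proxy_prefix):
        return None
    return target + request_path[len(proxy_prefix):]

def decode_vhm(backend_url):
    """Split a VirtualHostBase/.../VirtualHostRoot URL into its two meanings.

    Returns (zope_path, public_url): the object path looked up inside Zope and
    the URL that links generated for that object will carry.
    """
    parts = urlsplit(backend_url).path.strip("/").split("/")
    if len(parts) < 4 or parts[0] != "VirtualHostBase" or "VirtualHostRoot" not in parts:
        raise ValueError("not a VirtualHostMonster path")
    scheme, hostport = parts[1], parts[2]
    root_at = parts.index("VirtualHostRoot")
    # Segments before VirtualHostRoot locate the site inside Zope;
    # segments after it are what the outside client actually asked for.
    site_root, rest = parts[3:root_at], parts[root_at + 1:]
    host, _, port = hostport.partition(":")
    if port and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"   # assumed: default ports are left out of links
    zope_path = "/" + "/".join(site_root + rest)
    public_url = f"{scheme}://{host}/" + "/".join(rest)
    return zope_path, public_url

if __name__ == "__main__":
    # Target taken from the ProxyPass line above; the request path is constructed.
    target = "http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/"
    backend = to_backend("/news/item", "/", target)
    print(backend)
    print(decode_vhm(backend))
```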
As a footnote, we can also use the proxy rules to force requests for old paths such as /STAFF/ to be directed to /Members/. This can be used to maintain old URLs which have been bookmarked over the years. The example below works nicely to redirect requests for mis.ucd.ie/STAFF/ to the new location in mis.ucd.ie/Members/, where the content from the old STAFF directory is available in the new Members folder:
    ProxyPass /STAFF/ http://localhost:8081/VirtualHostBase/http/localhost:80/Plone/VirtualHostRoot/Members/
Don't make the mistake, however, of putting the rule after the rule for /, otherwise it will never be processed.
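A small static check for the two pitfalls noted on this page, rule ordering and the forward-proxy setting, plus a ProxyPassReverse that does not mirror its ProxyPass. This is an added example, not part of the original page: the function name and both sample configurations are constructed, and path matching is simplified to a plain prefix test.

```python
def audit_proxy_config(conf_text):
    """Return warnings for the proxy directives found in httpd.conf text."""
    proxy_requests = "off"            # Apache's default when the directive is absent
    passes, reverses = [], {}
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()       # directive names are case-insensitive
        if name == "proxyrequests" and len(parts) > 1:
            proxy_requests = parts[1].lower()
        elif name == "proxypass" and len(parts) > 2:
            passes.append((parts[1], parts[2]))
        elif name == "proxypassreverse" and len(parts) > 2:
            reverses[parts[1]] = parts[2]

    warnings = []
    if proxy_requests == "on":
        warnings.append("ProxyRequests On: Apache will relay requests to arbitrary hosts")
    for i, (path, target) in enumerate(passes):
        # ProxyPass rules are tried in file order and the first prefix match wins.
        shadow = next((p for p, _ in passes[:i] if path.startswith(p)), None)
        if shadow is not None:
            warnings.append(f"ProxyPass {path} never matches: earlier rule {shadow} wins")
        if path in reverses and reverses[path] != target:
            warnings.append(f"ProxyPassReverse {path} does not mirror its ProxyPass target")
    return warnings

# Constructed samples built from the directives shown on this page.
BAD_CONF = """\
ProxyRequests On
ProxyPass / http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/http/me.com:80/Plone/VirtualHostRoot/
ProxyPass /STAFF/ http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/Members/
"""
GOOD_CONF = """\
ProxyRequests Off
ProxyPass /STAFF/ http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/Members/
ProxyPass / http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/me.com:80/Plone/VirtualHostRoot/
"""

if __name__ == "__main__":
    for warning in audit_proxy_config(BAD_CONF):
        print(warning)
```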
Apache using RewriteRules
(ref post from Aaron Bookvich on Running Plone behind Apache email@example.com) You can use either mod_proxy or RewriteRules (n.b. RewriteRules use the proxy modules, as it happens). Both methods deliver similar results. The Plone instance for this site is "Plone":
    # mod_rewrite:
    RewriteEngine On
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/mis.ucd.ie:80/Plone/VirtualHostRoot/$1 [L,P]

    # mod_proxy:
    ProxyPass / http://localhost:8080/VirtualHostBase/http/mis.ucd.ie:80/Plone/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/mis.ucd.ie:80/Plone/VirtualHostRoot/