Overview
About a week ago I set up a new Pentium-D server to run Zope 2.8.4 and Plone 2.2 behind an Apache SSL proxy. I used the same Apache, Zope, Plone configuration that has been running successfully on my Toshiba PIII laptop.
I performed the Setup below and successfully tested with HTTP. After converting the Apache rewrite rules to use HTTPS, I observed that several operations that performed well under HTTP did not succeed under HTTPS.
I strongly suspected Python or Zope as the culprit, but after three days of stepping through Python and Zope code, I upgraded to Apache 2.2.0 and the problems went away. It is a weird problem, pointing towards Zope, but occurring in Apache 2.0.X. I can only surmise that there is a subtle mismatch using Apache 2.0.X on a Fedora Core 4 64-bit machine. I also had unusual trouble building/installing Apache 2.0.X, which I did not have using Apache 2.2.0.
Setup
Hardware/OS
Dell 9100 Pentium-D running Fedora Core 4 x86_64 distribution
Apache
Apache 2.0.54 or 2.0.55, with rewrite rules proxying to ZOPE. See the rewrite rules in http://plone.org/documentation/how-to/apache-ssl
Zope 2.8.4-final, Plone 2.2, Python 2.4.1
I started with Zope 2.8.2 and Python 2.3.5 but gradually upgraded in an attempt to find the correct recipe. Also, Zope 2.8.4 is the most recent Plone-compatible release. Python 2.4.1 is the standard FC4 distribution and, based on web searching, appears to be used by many Plone implementations.
Recreate Bug
- Fresh Zope instance. Link Plone 2.1.1 into $INSTANCE_HOME/Products.
- Setup Apache configuration to use HTTPS towards the network, rewriting to Zope as HTTP on port 8080.
- Go to ZMI and run 'Add Plone Site'
- Go to ZMI and click to <portal>/portal_actions (or http://<site>/<portal>/portal_actions/manage), edit an action and save.
- The Plone site will return a ValueError warning
Debugging root cause
Put a breakpoint in ZPublisher.__init__ and restart zope
Refresh suspicious page
At breakpoint, display response and check for completeness. The most obvious problem is some of the form input names (e.g. 'name_%d' or 'id_%d') are missing.
I used an HTTP session to confirm the correct request and response. The requests are equivalent under HTTP and HTTPS while the responses, while both are well-formed, are significantly different. The initial request is correctly generated by editToolsActions.dtml when rendering the page but some data are missing in the form response.
I saw the following exception in the error log when performing Recreate Bug under HTTPS:
2005-12-14T00:14:54 ERROR Zope.SiteErrorLog https://www.bogus.com/p1/portal_actions/changeActions
Traceback (most recent call last):
  File "/opt/zope/lib/python/ZPublisher/Publish.py", line 113, in publish
    request, bind=1)
  File "/opt/zope/lib/python/ZPublisher/mapply.py", line 88, in mapply
    if debug is not None: return debug(object,args,context)
  File "/opt/zope/lib/python/ZPublisher/Publish.py", line 40, in call_object
    result=apply(object,args) # Type s<cr> to step into published object.
  File "/opt/zope/lib/python/Products/CMFCore/ActionProviderBase.py", line 202, in changeActions
    actions.append( self._extractAction( properties, index ) )
  File "/opt/zope/lib/python/Products/CMFCore/ActionProviderBase.py", line 310, in _extractAction
    raise ValueError('A title is required.')
ValueError: A title is required.
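One way to make the completeness check above repeatable, as an added example (not code from the original page, Zope or CMFCore): capture the form data Zope receives for the same save over the plain HTTP path and over the HTTPS proxy, then list the indexed fields that disappeared. The two bodies below are constructed samples, written in current Python 3; only the 'name_%d' and 'id_%d' naming comes from the page.

```python
import re
from urllib.parse import parse_qsl

# Matches indexed form inputs such as 'name_3' or 'id_0'.
INDEXED = re.compile(r"^(?P<prefix>[A-Za-z_]+)_(?P<index>\d+)$")


def indexed_fields(body):
    """Map record index -> {prefix: value} for fields named like 'name_3'."""
    records = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = INDEXED.match(key)
        if match:
            index = int(match["index"])
            records.setdefault(index, {})[match["prefix"]] = value
    return records


def missing_fields(reference_body, suspect_body):
    """List fields that carry a value in the reference submission but are
    absent or empty in the suspect one, in index order."""
    reference = indexed_fields(reference_body)
    suspect = indexed_fields(suspect_body)
    missing = []
    for index in sorted(reference):
        for prefix, value in sorted(reference[index].items()):
            if value and not suspect.get(index, {}).get(prefix):
                missing.append("%s_%d" % (prefix, index))
    return missing


# Constructed samples: the same save as seen by Zope via HTTP and via HTTPS.
HTTP_BODY = "id_0=view&name_0=View&id_1=edit&name_1=Edit&selections%3Alist=0"
HTTPS_BODY = "id_0=view&name_0=View&id_1=edit&selections%3Alist=0"

if __name__ == "__main__":
    for field in missing_fields(HTTP_BODY, HTTPS_BODY):
        print("missing behind the SSL proxy:", field)
```

A field reported here is one that was sent with a value on the working path and arrived absent or empty on the failing one.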
Solution
Retrieve Apache 2.2.0 from http://httpd.apache.org
Build Apache using instructions from the shell script below:
#!/bin/sh
# Configure Apache 2.2.0 for building. This file should be
# run from the httpd source root: /usr/local/src/httpd-2.2.0.
# First modify it for the desired log files and destination
# path.
#
# Notes:
# 1) Couldn't get --enable-ssl=shared to work properly, link
#    it statically
# 2) Must have --enable-proxy to get all the proxy submodules
#    After this, check config output to make sure no errors and
#    all modules (especially ssl, proxy, proxy_http, proxy_connect)
#    are added.
# 3) If rebuilding with a new module, remove the
#    prefix directory before running so ./configure picks up the
#    correct libtool instance.
#
# Then run (-j2 uses both cores, making the compile go
# a lot faster)
#    make -j2 > make.051219 2>&1
#    make install
#
./configure --prefix=/usr/local/apache2.2 \
    --enable-ssl=static \
    --enable-proxy \
    --enable-mods-shared=all | tee config.051219

Install apache and restart:
apachectl -f <apache.conf> -k start
Confirm the procedure in Recreate Bug no longer occurs.
Not a 64bit problem --Dave Turvene, Wed, 24 May 2006 11:07:13 -0700
After posting this, I've seen several instances of this problem on i386 boxes. There is an issue between Zope and Apache 2.0.54 (55?) SSL. I believe there is a patch for the Apache 2.0 line to fix this. However, I have been running 2.2 for over five months and see no reason to downgrade.