Zope and Pound
Pound is a small reverse proxy that can encrypt connections with SSL (via OpenSSL). It is currently available for Linux here: http://www.apsis.ch/pound/
Pound can be used to
- Enable SSL
- Load-balance over multiple ZeoInstances
- Restrict/Redirect access to certain pages with UrlGroup statements. This can e.g. be used to redirect all access to pictures to a dedicated picture server.
A simple SSL setup
A possible setup is:
|        ZEO-Server           <- MZ
|         /      \
| Zeo-Client_1  Zeo-Client_2  <- MZ
|         \      /
|         Firewall
|            |
|          Pound              <- DMZ
|
| MZ: Militarized zone
| DMZ: De-Militarized zone
Firewalls with routing rules can be placed between every component. In the above example only the Pound machine is public. (I, lafferty, currently have a setup with all of the above on one machine successfully.) A simple way to serve SSL (HTTPS) and normal HTTP on port 80 is to run one ZEOClient (connected to a ZEOServer) on IP 1 normally on port 80, and a second ZEOClient on port 8080 on IP 2 with the zope.conf option:
<cgi-environment>
HTTPS on
</cgi-environment>
Your Pound config then looks like:
ListenHTTPS *,443 /path/to/server.pem
UrlGroup ".*"
BackEnd IP 2,8080,1
EndGroup
You might need to run two Pounds on your public Pound machine to route IP 1 of the port-80 ZEOClient into the DMZ. The second Pound config might then look like:
ListenHTTP *,80
UrlGroup ".*/manage"
# Block management screen access on port 80. It is only allowed with SSL.
EndGroup
UrlGroup ".*"
BackEnd IP 1,9080,1
EndGroup
The first UrlGroup statement has no BackEnd, so requests for the management screens are blocked over plain HTTP; they remain reachable only via HTTPS.
If no backend server is reachable, Pound presents a (customizable) 503 error page (Service temporarily unavailable). Backend servers are polled every few seconds; this polling frequency is also customizable.
A load-balancing setup
work in progress
thanks -- Fri, 12 Nov 2004 01:56:06 -0800
This is much easier than configuring Apache for setting up my SSL Plone website!