Zope

Miscellaneous notes on Zope

Installing Apache with ports 80 and 443 on the same machine and the same Apache server

Installing the required packages

Mandriva users, type the following in a terminal as root:

# urpmi apache2 apache2-common apache2-devel apache2-manual apache2-modules apache2-conf apache2-mod_ssl

Fedora users, type the following in a terminal as root:

# yum install httpd httpd-devel httpd-manual mod_ssl

Debian users, type the following in a terminal as root:

# apt-get install apache2 apache2-common apache2-doc

# a2enmod ssl

Generating the certificates for Apache

openssl req -config /etc/pki/tls/openssl.cnf -new -out kwa29.csr
openssl rsa -in privkey.pem -out kwa29.key
openssl x509 -in kwa29.csr -out kwa29.crt -req -signkey kwa29.key -days 3650
openssl x509 -in kwa29.crt -out kwa29.der.crt -outform DER

This gives us a nice certificate valid for 10 years.

Integration into Apache

Add NameVirtualHost *:443 and Listen 443.

Then, inside the VirtualHost:

# Secure management screens
RewriteCond %{REQUEST_URI} ^(.*)/manage(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/login(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/account_(.*) [OR]
RewriteCond %{REQUEST_URI} ^(.*)/join_form$
RewriteRule ^/(.*) https://kwa29.com/$1 [R=permanent,L]

# Rewrite rules for normal zope browsing
RewriteCond %{HTTP_HOST} ^.*:80$
# Normalize URLs by removing trailing /'s
RewriteRule ^/(.*)/$ http://127.0.0.1:3128/http/%{SERVER_NAME}/80/$1 [L,P]
# Pass all other urls straight through
RewriteRule ^/(.*)$  http://127.0.0.1:3128/http/%{SERVER_NAME}/80/$1 [L,P]

Then the complete definition for port 443:

<VirtualHost *:443>
ServerName kwa29.com
ProxyRequests Off
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/ssl/kwa29.crt
SSLCertificateKeyFile /etc/httpd/ssl/kwa29.key
SetEnvIf User-Agent ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
RewriteEngine On
RewriteRule ^/(.*) http://127.0.0.1:3128/https/%{SERVER_NAME}/443/$1 [L,P]
</VirtualHost>

This serves the whole site over both http and https.

The real benefit is for Apache authentication, since we switch to https automatically when logging in. RewriteCond is magic.
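To see which request paths the RewriteCond chain above forces onto https, here is an added Python check (not part of the original post) that applies the same four patterns and the RewriteRule substitution to constructed sample paths:

```python
import re

# The four RewriteCond patterns joined with [OR] in the VirtualHost above:
# a REQUEST_URI matching any one of them is redirected to https.
SECURE_PATTERNS = [
    r"^(.*)/manage(.*)",
    r"^(.*)/login(.*)",
    r"^(.*)/account_(.*)",
    r"^(.*)/join_form$",
]
SECURE_HOST = "kwa29.com"  # target host of the RewriteRule above


def force_https(request_uri):
    """Return the https URL the request is redirected to, or None when no
    condition matches and the request is proxied to Squid over plain http.
    Apache's REQUEST_URI holds only the path, so pass the path without the
    query string (mod_rewrite re-appends the query string on redirect)."""
    if not any(re.search(p, request_uri) for p in SECURE_PATTERNS):
        return None
    # RewriteRule ^/(.*) https://kwa29.com/$1 [R=permanent,L]
    m = re.match(r"^/(.*)", request_uri)
    if m is None:
        return None
    return "https://%s/%s" % (SECURE_HOST, m.group(1))


if __name__ == "__main__":
    # Constructed sample paths, including one that only contains "/manage"
    # as a substring and is therefore redirected as well.
    for path in ["/manage_main", "/folder/login_form", "/news/join_form",
                 "/join_form/extra", "/docs/management-report", "/front-page"]:
        print(path, "->", force_https(path) or "plain http via Squid")
```

Note that `^(.*)/manage(.*)` matches any path containing `/manage`, so `/docs/management-report` is also forced onto https; harmless here, but worth knowing when reading the access logs.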

Learning to Program, Day 23

Filed Under: Zope

Setting up a ZEO server and a ZEO client on the same machine.


Site benchmark without ZEO

kwa29@DJKWA ~> ab -n 100 -c 25 http://kwa29.com/front-page

Concurrency Level:      25
Time taken for tests:   15.795205 seconds
Complete requests:      100
Failed requests:        1
   (Connect: 0, Length: 1, Exceptions: 0)
Write errors:           0
Total transferred:      2684981 bytes
HTML transferred:       2623101 bytes
Requests per second:    6.33 [#/sec] (mean)
Time per request:       3948.801 [ms] (mean)
Time per request:       157.952 [ms] (mean, across all concurrent requests)
Transfer rate:          166.00 [Kbytes/sec] received

First, a reminder that the site runs Zope 2.9.3 with Squid/CacheFu caching and Apache in front.

I shut down my Zope server (obviously, you will say).

Creating the ZEO server

mkzeoinstance.py path port_number

kwa29@DJKWA ~/Zope/Zope-2.9.3> ./bin/mkzeoinstance.py /home/kwa29/Zope/Zope-2.9.3/zs14080 14080

Creating 2 ZEO clients

mkzopeinstance.py --dir=

kwa29@DJKWA ~/Zope/Zope-2.9.3> ./bin/mkzopeinstance.py --dir=zc14180
kwa29@DJKWA ~/Zope/Zope-2.9.3> ./bin/mkzopeinstance.py --dir=zc14280
We still need to configure the clients, in zc14180/etc/zope.conf and zc14280/etc/zope.conf.
Comment out zodb_db main and leave zodb_db temporary as follows:
#<zodb_db main>
# Main FileStorage database
#    <filestorage>
#      path $INSTANCE/var/Data.fs
#    </filestorage>
#    mount-point /
#</zodb_db>

<zodb_db temporary>
    # Temporary storage database (for sessions)
    <temporarystorage>
      name temporary storage for sessioning
    </temporarystorage>
    mount-point /temp_folder
    container-class Products.TemporaryFolder.TemporaryContainer
</zodb_db>
Don't forget to change the http and ftp ports (for those who use ftp); in my case, for the first client this gives:
<http-server>
  # valid keys are "address" and "force-connection-close"
  address 14180
  # force-connection-close on
</http-server>
And finally, the ZEO client definition:
# ZEO client storage:
#
<zodb_db main>
   mount-point /
   <zeoclient>
      server localhost:14080
      storage 1
      name zeostorage
      var $INSTANCE/var
   </zeoclient>
</zodb_db>
And the same for the second client, zc14280.
Now it is time to test this whole setup. Which do we start first? Logically the server and then the clients, but in reality it matters little (the clients check the connection to the server at regular intervals).
Without a connection to the server we are treated to a nice:
WARNING ZEO.zrpc (4955) CW: error connecting to ('localhost', 14080): ECONNREFUSED
And after starting the ZEO server we get the following message:
INFO Zope Ready to handle requests
Test at http://localhost:14180/

We have seen that the ZEO server manages the Data.fs and the client manages the Products, but how do we do that for all the clients without copying and pasting?
The solution I use is based on symbolic links, given that I put all the clients and the server in the same directory.
I simply moved (mv) the Products directory of the first client, then created the symbolic link inside that same client's directory.
For the second client, delete the directory and create the symbolic link, quite simply.
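Since both clients' zope.conf files are edited by hand, here is an added Python check (not part of the original post) that reads the http-server address and the zeoclient server from each client's configuration and reports duplicate ports or a client that does not point at the ZEO server; the excerpts are constructed sample input, with the second client deliberately reusing port 14180:

```python
import re

# Constructed zope.conf excerpts for the two ZEO clients set up above
# (sample input, not the real files); zc14280 repeats the first client's
# http port on purpose so the check has something to report.
CLIENT_CONFS = {
    "zc14180": """
<http-server>
  address 14180
</http-server>
<zodb_db main>
   mount-point /
   <zeoclient>
      server localhost:14080
      storage 1
      name zeostorage
      var $INSTANCE/var
   </zeoclient>
</zodb_db>
""",
    "zc14280": """
<http-server>
  address 14180
</http-server>
<zodb_db main>
   mount-point /
   <zeoclient>
      server localhost:14080
      storage 1
   </zeoclient>
</zodb_db>
""",
}


def parse_client(conf):
    """Pull the http port and the ZEO server address out of one zope.conf;
    only uncommented lines starting with the key are considered."""
    port = re.search(r"<http-server>.*?^\s*address\s+(\S+)", conf, re.S | re.M)
    server = re.search(r"<zeoclient>.*?^\s*server\s+(\S+)", conf, re.S | re.M)
    return (port.group(1) if port else None, server.group(1) if server else None)


def check_clients(confs, zeo_server="localhost:14080"):
    """Return a list of problems: a missing key, a client that does not
    point at zeo_server, or an http port already taken by another client."""
    problems, seen = [], {}
    for name, conf in confs.items():
        port, server = parse_client(conf)
        if port is None or server is None:
            problems.append("%s: missing http address or zeoclient server" % name)
            continue
        if server != zeo_server:
            problems.append("%s: zeoclient server is %s, expected %s" % (name, server, zeo_server))
        if port in seen:
            problems.append("%s: http port %s already used by %s" % (name, port, seen[port]))
        seen.setdefault(port, name)
    return problems


if __name__ == "__main__":
    for problem in check_clients(CLIENT_CONFS):
        print(problem)
```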

It remains to get all of this to start at boot.

At boot

For the ZEO server
I added the user to zeo.conf as follows:
  program $INSTANCE/bin/runzeo
  socket-name $INSTANCE/etc/zeo.zdsock
  daemon true
  user kwa29
  forever false
  backoff-limit 10
  exit-codes 0, 2
  directory $INSTANCE
  default-to-interactive true
Then a symbolic link in the /etc/rc.d/init.d directory, a chkconfig --add, and done (zeoctl already contains the chkconfig directives).

For the ZEO clients
Change the effective-user in each client's zope.conf to match your configuration.
I slightly modified the zopectl file to fit chkconfig, as follows:
#! /bin/sh
# Startup script for Zope
#
# chkconfig: - 80 20
# description: Zope on 14280 port
#
# config: $instance/etc/zope.conf

# Source function library.
. /etc/init.d/functions

PYTHON="/usr/bin/python"
ZOPE_HOME="/home/kwa29/Zope-2.9.3"
INSTANCE_HOME="/home/kwa29/Zope-2.9.3/zc14280"
CONFIG_FILE="/home/kwa29/Zope-2.9.3/zc14280/etc/zope.conf"
SOFTWARE_HOME="/home/kwa29/Zope-2.9.3/lib/python"
PYTHONPATH="$SOFTWARE_HOME"
export PYTHONPATH INSTANCE_HOME SOFTWARE_HOME

ZDCTL="$SOFTWARE_HOME/Zope2/Startup/zopectl.py"

exec "$PYTHON" "$ZDCTL" -C "$CONFIG_FILE" "$@"
Then I made a symbolic link in the /etc/rc.d/init.d directory and ran chkconfig --add, and did this for each ZEO client.

Site benchmark with ZEO

kwa29@DJKWA ~> ab -n 100 -c 25 http://kwa29.com/front-page

Concurrency Level:      25
Time taken for tests:   16.931743 seconds
Complete requests:      100
Failed requests:        0
Write errors:           0
Total transferred:      2690376 bytes
HTML transferred:       2628030 bytes
Requests per second:    5.91 [#/sec] (mean)
Time per request:       4232.936 [ms] (mean)
Time per request:       169.317 [ms] (mean, across all concurrent requests)
Transfer rate:          155.15 [Kbytes/sec] received

Learning to Program, Day 21

Filed Under: Zope

Today: thinking about and setting up caching, plus statistics with awstats.

Documentation used:

http://plone.org/documentation/how-to/simple-zope-clustering-with-squid-and-pound

http://longsleep.org/howto/squidawstats

http://longsleep.org/howto/squidwithzopeandesi

Server running Fedora Core 4

Configuring and installing Apache

yum install httpd mod_ssl mod_python mod_security mod_dav_svn
My httpd.conf file
##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       150
MaxRequestsPerChild  4000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#

Listen 192.168.100.2:80
#Listen 192.168.100.2:443
#
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

# Comment out to avoid an attack
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so

# Disabling CGI
#LoadModule cgi_module modules/mod_cgi.so

#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf

#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On
#
ServerAdmin djkwa29@xxxxxxx

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work.  See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80
#ServerName kwa29.servebeer.com
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off
#
# To enable a cache of proxied content, uncomment the following lines.
# See http://httpd.apache.org/docs-2.0/mod/mod_cache.html for more details.
#

<IfModule mod_disk_cache.c>
   CacheEnable disk /
   CacheRoot "/var/cache/mod_proxy"
</IfModule>
<IfModule mod_deflate.c>
    #SetOutputFilter DEFLATE
    DeflateFilterNote ratio

    BrowserMatch ^Mozilla/4 gzip-only-text/html

    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip

    # MSIE masquerades as Netscape, but it is fine
    # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
    # the above regex won't work. You can use the following
    # workaround to get the desired effect:
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|Z)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar|bin)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI /(?:file|download)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI (?:image_large|image_medium|image_small)$ no-gzip dont-vary

    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
</IfModule>
Along with the related files:

mod_security.conf
LoadModule security_module modules/mod_security.so

<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # The audit engine works independently and
    # can be turned On of Off on the per-server or
    # on the per-directory basis
    SecAuditEngine RelevantOnly
    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On
    # Unicode encoding check
    SecFilterCheckUnicodeEncoding On
    # Only allow bytes from this range
    SecFilterForceByteRange 1 255
    # Cookie format checks.
    SecFilterCheckCookieFormat On
    # The name of the audit log file
    SecAuditLog logs/audit_log
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Default action set
    #SecFilterDefaultAction "deny,log,status:406"
    SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"

    # Web Proxy GET Request
    SecFilter "^GET (http|https|ftp)\:/"
    # Web Proxy HEAD Request
    SecFilter "^HEAD (http|https|ftp)\:/"
    # Proxy POST Request
    SecFilter "^POST (http|https|ftp)\:/"
    # Proxy CONNECT Request
    SecFilterSelective THE_REQUEST "^CONNECT "
    # Only accept request encodings we know how to handle.
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    #SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
    # Do not accept GET or HEAD requests with bodies
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"
    # Restrict which request methods can be used
    #SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
    # Restrict protocol versions.
    SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
    # Require Content-Length to be provided with every POST request.
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    # Don't accept transfer encodings we know we don't know how to handle
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    ## -- PHP attacks --------------------
    SecFilterSignatureAction "log,deny,msg:'PHP attack'"
    # Possible code execution attack (targets valid PHP streams constructs)
    SecFilterSelective ARGS_NAMES "^php:/"
    # phpBB attack
    SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

    ## -- SQL Injection Attacks --------------------
    SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
    # Generic
    SecFilterSelective ARGS "delete[[:space:]]+from"
    SecFilterSelective ARGS "drop[[:space:]]+database"
    SecFilterSelective ARGS "drop[[:space:]]+table"
    SecFilterSelective ARGS "drop[[:space:]]+column"
    SecFilterSelective ARGS "drop[[:space:]]+procedure"
    SecFilterSelective ARGS "create[[:space:]]+table"
    #SecFilterSelective ARGS "update.+set.+="
    SecFilterSelective ARGS "insert[[:space:]]+into.+values"
    #SecFilterSelective ARGS "select.+from"
    SecFilterSelective ARGS "bulk[[:space:]]+insert"
    #SecFilterSelective ARGS "union.+select"
    SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
    SecFilterSelective ARGS "alter[[:space:]]+table"
    #SecFilterSelective ARGS "or 1=1--'"
    #SecFilterSelective ARGS "'.+--"

    # MySQL
    SecFilterSelective ARGS "into[[:space:]]+outfile"
    SecFilterSelective ARGS "load[[:space:]]+data"
    SecFilterSelective ARGS "/\*.+\*/"

    ## -- Command execution --------------------
    SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
    #SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
    #SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
    #SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
    # Common windows extensions that could be bad, comment out what you can use
    SecFilterSelective REQUEST_URI "(\.cmd|\.bat|\.htw|\.ida|\.idq|\.htr|\.idc|\.printer|\.ini|\.pol|\.dat|\.cfg|\.idx|\.dll|\.inf|\.mdb|\.mde|\.msi|\.reg|\.scr)"

</IfModule>
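To test these signatures before deploying them, here is an added Python emulation (not part of the original post or of mod_security) of how SecFilterSelective ARGS applies a few of the SQL rules above to constructed request arguments; it assumes case-insensitive matching and translates the POSIX [[:space:]] class for Python's re:

```python
import re

# A subset of the SecFilterSelective ARGS signatures from mod_security.conf
# above, with the msg their SecFilterSignatureAction attaches. mod_security 1.x
# takes POSIX regexes, so [[:space:]] is mapped to \s for Python's re.
SIGNATURES = [
    ("SQL Injection attack", r"delete[[:space:]]+from"),
    ("SQL Injection attack", r"drop[[:space:]]+table"),
    ("SQL Injection attack", r"insert[[:space:]]+into.+values"),
    ("SQL Injection attack", r"or.+1[[:space:]]*=[[:space:]]1"),
    ("SQL Injection attack", r"into[[:space:]]+outfile"),
    ("SQL Injection attack", r"/\*.+\*/"),
]


def compile_signature(pattern):
    """Translate one rule to a Python regex. Any POSIX class left over after
    the translation (e.g. a mistyped '[[::space:]]') is rejected instead of
    silently becoming a pattern that never matches what was intended."""
    translated = pattern.replace("[[:space:]]", r"\s")
    if "[[:" in translated:
        raise ValueError("unsupported or malformed POSIX class in %r" % pattern)
    # Case-insensitive matching is an assumption of this emulation.
    return re.compile(translated, re.IGNORECASE)


COMPILED = [(msg, compile_signature(p)) for msg, p in SIGNATURES]


def inspect_args(args):
    """Apply every signature to every argument value, as SecFilterSelective
    ARGS does. Returns the msg of the first matching rule (the request would
    be denied with status 403) or None when the request is allowed."""
    for msg, rx in COMPILED:
        for value in args.values():
            if rx.search(value):
                return msg
    return None


if __name__ == "__main__":
    # Constructed request arguments: a normal search, a comment that happens
    # to quote SQL (denied as a false positive), and a tautology probe.
    samples = [
        {"SearchableText": "squid cachefu"},
        {"text": "please DROP   TABLE backups after the migration"},
        {"id": "1 or 1 = 1"},
    ]
    for args in samples:
        print(args, "->", inspect_args(args) or "allowed")
```

The second sample shows the cost of keyword signatures on a content site: a legitimate comment that quotes SQL is denied with 403 just like a probe, so audit_log should be reviewed for such false positives.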

python.conf
LoadModule python_module modules/mod_python.so

# Override type-map handler for /var/www/manual
<Directory "/var/www/manual/mod/mod_python">
        <Files *.html>
                SetHandler default-handler
        </Files>
</Directory>

trac.conf
<LocationMatch /cgi-bin/trac\.f?cgi>