pound, zope and SSL
Christian Sell <christian.sell(at)netcologne.de> |
2006-03-04 21:05:57 |
|
Hello,
I am rather new to both zope and pound, and am setting up my site which
should partly (in particular, the zope management interface) be
accessible via SSL only. I have configured a listener on the 443 port
which forwards to the zope backend, and am now experiencing the effects
described in the README, namely, the URLs generated by zope contain the
http protocol, not https.
I looked into the information available on this topic, and found the
statement:
"finally, for version 2.7 or later you can set it in zope.conf"
Unfortunately, reading this and the zope.conf comments did not clear
things up sufficiently for me. I can see from zope.conf how to setup
another HTTP server, but there is no indication that (or how) this would
change the behavior with regard to generated URLs. Maybe someone can
fill me in:
- what configuration do I have to do in zope.conf to setup a HTTPS
server that will generate the correct URLs?
- do I really need to start 2 pound instances as mentioned on the
website, or would it be enough to keep my pound listener with that zope
server as the backend?
BTW, I am running zope 2.8.6.
Additionally, I would like to ask whether there are any reasons for not
having pound interface directly to the zope instances, but rather add an
intermediate apache. I personally like to keep things simple, and the
pound/zope combination looks like an ideal and minimal match (in fact,
it seems ideal for any other appserver setup as well)
thanks,
Christian Sell
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
Christian Sell <christian.sell(at)netcologne.de> |
2006-03-05 13:35:00 |
|
Hello,
I'll add a little more details, after having read up more from other
threads in this mailing list.
My goal is to keep my current setup with 1 pound as frontend to 2 zeo
clients. I would like to serve both HTTP and HTTPS through the same
instances.
I have found that one can add new HTTP servers in zope.conf. I have
patched the datatypes.py and component.xml files to add a parameter
"https_on", which sets the corresponding variable in cgi_env for that
handler. This can then be configured in zope.conf as:
<http-server>
  address 8080
</http-server>
<http-server>
  address 8081
  https_on true
</http-server>
If I am correct, this should give me 2 HTTP handlers per zope instance
which I can then interface to my pound frontend as usual.
I have not yet tested this, so I'd be grateful for comments
Christian
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com> |
2006-03-05 13:46:53 |
|
Christian Sell wrote:
[...]
I'm running Zope 2.7, and all I did was adding a ListenHTTPS block in
pound.cfg:
#v+
ListenHTTPS
    Address 1.2.3.4
    Port 443
    Cert "/etc/pound/zope.pem"
    AddHeader "HTTPS: ON"
    Service
        URL ".*"
        Backend
            Address 127.0.0.1
            Port 8080
        End
    End
End
#v-
and then patch .../ZPublisher/HTTPRequest.py to recognize the
HTTP_HTTPS variable (I'm not sure if this step is necessary):
#v+
elif have_env('HTTP_HTTPS') and (
        environ['HTTP_HTTPS'] == "on" or environ['HTTP_HTTPS'] == "ON"):
    protocol = 'https'
#v-
Pound is listening to ports 80 (http) and 443 (https), zope is
listening on 127.0.0.1:8080 only.
Cheers,
--
Klaus Alexander Seistrup
Copenhagen · Denmark
http://magnetic-ink.dk/
|
|
|
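Added example, not part of the original thread and not Zope or Pound code: a small Python model of the header-based setup described in the message above. It shows why the backend sees the proxy's `HTTPS: ON` header only as `HTTP_HTTPS`, and why the front end should drop any `HTTPS` header a client sends before adding its own. The function names, the assumed stock check on the `HTTPS` variable, and the sample requests are constructed for illustration.

```python
# Added illustration: a constructed model, not Zope or Pound source code.

def cgi_environ(headers):
    """CGI-style mapping of request headers: 'HTTPS' becomes 'HTTP_HTTPS'."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers}

def detect_protocol(environ, patched=True):
    """Assumed stock check (server-set HTTPS variable) plus the patch branch."""
    if environ.get("HTTPS") in ("on", "ON"):
        return "https"
    if patched and environ.get("HTTP_HTTPS") in ("on", "ON"):
        return "https"
    return "http"

def proxy_forward(client_headers, tls_listener, strip_client_header):
    """Hypothetical front-end step: optionally drop a client-sent HTTPS
    header, then add 'HTTPS: ON' only for requests on the TLS listener."""
    headers = list(client_headers)
    if strip_client_header:
        headers = [(n, v) for n, v in headers if n.lower() != "https"]
    if tls_listener:
        headers.append(("HTTPS", "ON"))
    return headers

def backend_protocol(client_headers, tls_listener, strip_client_header,
                     patched=True):
    """Protocol the backend infers for one request through the front end."""
    forwarded = proxy_forward(client_headers, tls_listener, strip_client_header)
    return detect_protocol(cgi_environ(forwarded), patched)

# Constructed sample requests (header name/value pairs).
PLAIN = [("Host", "www.example.org")]
WITH_HEADER = [("Host", "www.example.org"), ("HTTPS", "ON")]

if __name__ == "__main__":
    cases = [
        ("TLS listener, unpatched backend", PLAIN, True, False, False),
        ("TLS listener, patched backend", PLAIN, True, False, True),
        ("port 80, header passed through", WITH_HEADER, False, False, True),
        ("port 80, header stripped first", WITH_HEADER, False, True, True),
    ]
    for label, hdrs, tls, strip, patched in cases:
        print(f"{label:34} -> {backend_protocol(hdrs, tls, strip, patched)}")
```

In Pound 2.x the stripping step corresponds to a `HeadRemove` directive on each listener, used alongside `AddHeader`.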
Re: [Pound Mailing List] pound, zope and SSL
Christian Sell <christian.sell(at)netcologne.de> |
2006-03-05 16:26:58 |
|
Not bad. Sounds like a solution that does not even require any additional
ports or backend definitions. I'll try it out..
thanks,
Christian
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
Christian Sell <christian.sell(at)netcologne.de> |
2006-03-06 09:14:08 |
|
ok, I've tried this and it works perfectly until now. Let me mention
that the patch to the HTTPRequest *is* indeed necessary.
Based on my experience so far I consider this the best solution for the
"absolute HTTPS URL problem", as it does not consume any additional
resources and is quite simple to configure.
Christian
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com> |
2006-03-06 09:21:53 |
|
Christian Sell wrote:
[...]
Great!
Now, if only pound could do IPv6...
Cheers,
--
Klaus Alexander Seistrup
Copenhagen · Denmark
http://magnetic-ink.dk/
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
Robert Segall <roseg(at)apsis.ch> |
2006-03-06 11:36:27 |
|
On Mon, 2006-03-06 at 09:21 +0100, Klaus Alexander Seistrup wrote:[...]
What makes you think it can't? I can assure you there is nothing in the
code that is IPv4 specific - and as far as I know it should work as it
is.
In any case I would be grateful if you told us what problems you ran
into.[...]
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com> |
2006-03-06 13:06:03 |
|
Robert Segall wrote:
[...][...]
I guess the problem is that there is no IPv6-specific code in
pound. No AF_INET6, no PF_INET6, no sin6_family, no in6_addr, etc...
And even if I change all *_INET instances to *_INET6 (disclaimer: I
don't know how to do IPv6 socket stuff) pound still says:
#v+
06/Mar/2006 12:56:23 +0100: Unknown Listener address "::"
#v-
Is anyone successfully using pound on IPv6?
Cheers,
--
Klaus Alexander Seistrup
Copenhagen · Denmark
http://magnetic-ink.dk/
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
Robert Segall <roseg(at)apsis.ch> |
2006-03-06 15:09:08 |
|
On Mon, 2006-03-06 at 13:06 +0100, Klaus Alexander Seistrup wrote:[...]
I suppose we could add INET6 to the code, though doing it portably is
non-trivial. The question, as always, is if it would be worth the
effort. Who else considers IPv6 support a high-priority item?[...]
|
|
|
RE: [Pound Mailing List] pound, zope and SSL
"Sergio Freire" <sergio-s-freire(at)ptinovacao.pt> |
2006-03-06 15:18:35 |
|
Not me :)
-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch]
Sent: Monday, March 06, 2006 2:09 PM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] pound, zope and SSL
On Mon, 2006-03-06 at 13:06 +0100, Klaus Alexander Seistrup wrote:[...]
I suppose we could add INET6 to the code, though doing it portably is
non-trivial. The question, as always, is if it would be worth the
effort. Who else considers IPv6 support a high-priority item?[...]
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com> |
2006-03-06 15:26:39 |
|
Robert Segall wrote:
[...][...]
My guess is that it will be a popular feature among Zope
administrators. For reasons I cannot fathom, Zope doesn't seem to be
able to do IPv6 by itself (the socket module, however, can do IPv6 out
of the box), so currently one way of displaying a Zope site on IPv6 is
by using Apache2 as a frontend. I'd prefer to use Pound as a frontend
for Zope, rather than Apache2, so please count me in.
Cheers,
--
Klaus Alexander Seistrup
Copenhagen · Denmark
http://magnetic-ink.dk/
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
Robert Segall <roseg(at)apsis.ch> |
2006-03-07 11:21:56 |
|
On Mon, 2006-03-06 at 15:26 +0100, Klaus Alexander Seistrup wrote:[...]
Interesting argument that, but the question remains: how widespread is
IPv6 deployment? We have seen precious little of it here.[...]
|
|
|
Re: [Pound Mailing List] pound, zope and SSL
"Klaus Alexander Seistrup" <kseistrup(at)gmail.com> |
2006-03-07 11:57:01 |
|
Robert Segall wrote:
[...]
IPv6 is pretty widespread in Asia. I'm unsure how widespread IPv6 is
in the rest of the world, but one thing's for sure: the forest will
never turn green if all the trees are waiting for the others to burst
into leaves.
Personally I'm using IPv6 for dns, mail and news, and I would like to
include http also...
Cheers,
--
Klaus Alexander Seistrup
Copenhagen · Denmark
http://magnetic-ink.dk/
|
|
|
|