Zope and Apache on RedHat 6.1

Created by . Last modified on 2003/08/01.

Author: Miklos Nemeth, nemeth@iqsoft.hu
Last modified: 2000.1.7

Why use Zope with Apache?

Zope installation is extremelly simple if you use ZServer. But if you want to use Zope with Apache, the installation procedure might be a nightmare. I fight nearly a half day to install Zope with Apache. This document describes the steps I used to install my Zope with my Apache.

Apache is mandatory if you want to build an SSL-secured website. ZServer does not support SSL at the moment. Apache is the number 1 webserver of the world and provides much more services than ZServer.

The configuration

I used RedHat 6.1, Apache 1.3.9 installed the standard RedHat way: (1) httpd.conf in /etc/httpd/conf, (2) document root directory: /home/httpd (owned by root) (3) the user/grout to run httpd: nobody/nobody (4) port: 80 (5) startup/shutdown script: /etc/rc.d/init.d/httpd

The first phase is to install Zope

1. Change (ie. su) to root, and cd to /usr/local.
2. Extract the Zope distribution file: tar xfz Zope-2.1.1-linux2-x86.tgz
3. cd to Zope-2.1.1-linux2-x86
4. run $ ./install -u nobody -g nobody If you do not specify "-u nobody and -g nobody" install will not set correctly the ownership of some files and directories. nobody/nobody will be set as the user for the files Zope.cgi, access, start, stop and the var directory and its contents.
5. Try to remember (ie. jot down to a safe place) the password of the user "superuser". The password is printed on the screen by install.
6. Copy the Zope.cgi into the directory /home/httpd/cgi-bin with "cp -p":cp -p Zope.cgi /home/httpd/cgi-bin. The -p option of the cp command is very important. The Zope.cgi should be owned by nobody even in the /home/httpd/cgi-bin directory.
7. Start ZServer as nobody (if you are logged in as root): su nobody start. ZServer will use ports 8080, 8021, 8099. If these ports are in use on your system, you should explicitly specify port numbers for the start script (see the z2.py options -P, -w, -f, -m). It is crucial not to start ZServer as root, otherwise it creates the var/pcgi.soc file as root, and pcgi-wrapper (see later) will not have permission to open it as it will be run as nobody by Apache. You do not have to specify -p for the start script: PCGI is enabled by default. If you want to have some info about the available parameters for start, have a look at z2.py (start invokes the z2.py module). Later you may edit the start script as suggested by the "Gotchas for Zope Beginners" HOWTO.
8. If you later wishes to stop ZServer, open a new terminal and invoke: su nobody /usr/local/Zope-2.1.1-linux2-x86/stop.

Editing /etc/httpd/conf/httpd.conf

The second phase is to edit /etc/httpd/conf/httpd.conf to force Apache passing authentication data to Zope.cgi

1. As root edit httpd.conf, and add to the end the following lines:

   RewriteEngine on
   RewriteCond %{HTTP:Authorization} ^(.*)
   RewriteRule ^/Zope(.*) /home/httpd/cgi-bin/Zope.cgi$1
   [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
   

   The RewriteRule directives must be placed on a single line. For more info see "Gotchas for Zope Beginners".
2. Restart (as root) your Apache server by: /etc/rc.d/init.d/httpd restart
3. Start Netscape and type the URL: http://localhost/Zope. You will see the "Welcome to Zope" page. Click on the "management screen" link.
4. You will be asked for a username and password. Type in "superuser" and the password you have jot down during the Zope install. If the user name and password are correct you will have the main Zope management page.
5. You may connect to the management page directly by using the URL: http://localhost/Zope/manage.
6. Notice that the root folder of your Zope site will be named Zope
7. You may also connect to ZServer directly (avoiding PCGI): http://localhost:8080/manage. In this case the root folder will be unnamed.
8. Make sure ExecCGI option is specified for your directory. By default RedHat has the required setting for the directory /home/httpd/cgi-bin (see /etc/httpd/conf/access.conf):

   <Directory /home/httpd/cgi-bin>
   AllowOverride None
   Options ExecCGI
   </Directory>
   However if you change your setting makes sure you have ExecCGI defined.
   For example here is Guy Davis's (davis@arc.ab.ca) settings:
   <Directory "/home/httpd/cgi-bin">
       AllowOverride None
       Options ExecCGI
       Order allow,deny
       Allow from all
   </Directory>
   

Why the user nobody?

When Apache (ie. httpd) is started as root it opens the privileged ports (80, 443 (SSL)), opens the log files, and then stops acting as the potentially dangerous root and become nobody (as specified in httpd.conf). All CGI programs/scripts will be run as nobody. The Zope.cgi (see below) is also run by nobody. The simplest configuration is to run Zope as nobody, too. If you are an experienced UNIX administrator, and you understand how Apache and PCGI works, you may invent more complicated setups.

What is this Zope.cgi, and how does it work?

Zope.cgi is an executable file, but it is not a shell script to be executed by sh. If you look at the first line you will understand the trick: #!/usr/local/Zope-2.1.1-linux2-x86/pcgi/pcgi-wrapper That is, Zope.cgi will be run by pcgi-wrapper, when Apache starts Zope.cgi (as nobody -- remember!), if an URL requests to do so. pcgi-wrapper parses the content of Zope.cgi and tries to connect to a running server. An important directive is PCGI_SOCKET_FILE which points to /usr/local/Zope-2.1.1-linux2-x86/var/pcgi.soc. This file is used as a communication medium between pcgi-wrapper (invoked by Apache) and ZServer (started by the start script). Each time pcgi-wrapper started (as a normal CGI program) it connects to ZServer via the pcgi.soc socket file, transfers the HTTP request to ZServer, waits for the respose and returns data back to the Apache server. Note that ZServer is started once and runs forever, but PCGI is started each time a Zope request is received by Apache.

Some hints from once newbies who eventually managed to configure PCGI

• Milos Prudek (prudek@nembv.cz)
  "I did not run the installation from the start, because I do not use precompiled binaries. I just run thru it and found this:
  1. although I chowned Zope installation tree to nobody, I always started zope as root 2. Zope.cgi was owned by root instead of nobody.
  3. I was always starting Zope with "python z2.py" instead of "./start""
• Guy Davis (davis@arc.ab.ca) - "I added ExecCGI and it is working fine now."

Why to use PCGI?

ZServer does not support SSL, which may be an important requirement in your case. Apache supports SSL (Apache+SSL or mod_ssl), and thus Zope may be used in secured communication with the help of PCGI.

However, Zope 2.1.1 supports FastCGI, which may provide better performace than PCGI. There is a mod_pcgi2 Apache module available, which may deserve a look. And there is a third solution based on proxying HTTP request to Zope using Apache's proxy directives (eg. ProxyPass): see www.zope.org/Members/anser/apache_zserver/.

What are the shortcomings of PCGI?

• PCGI is run as a normal CGI program. Every time a HTTP request is sent to the Zope server a pcgi-wrapper process is spawned for running Zope.cgi.
• The Zope server must be installed on the same host as the Apache server, because currently PCGI does not support remote communication.

Because of these shortcomings of PCGI, using PCGI should be regarded as obsolete in production environments you should use the other ways of Apache-ZServer communications (FastCGI, mod_pcgi2 and HTTP proxying).

Other invaluable documents

• How-To: Gotchas for Zope Beginners (by jens)
• How-To: Zope/Apache Virtual Host HOWTO (by jec)
• How-To: www.zope.org/Members/michel/HowTos/ApacheRewriting
• How-To: Apache+zope+fastcgi (www.zope.org/Members/kedai/apache_zope_fcgi).
• How-To: Apache + ZServer complete solution (www.zope.org/Members/anser/apache_zserver/).