Installing Plone with Apache

There are several ways of running Plone together with Apache, but this is the simple, idiot-proof way.

How to run Plone with Apache

For more complex setups, RewriteRules are an alternative. See VHosts_With_Zope_Default, the Apache Docs and Zope docs and the Zope Book chapter on Virtual Hosting Services for more information. If youre running Apache 2.x you may want read Zope behind an Apache 2 webserver.

What follows is what 90% of people are using, the standard vanilla way of proxying Plone with Apache and mod_proxy. This works for both Apache 1.3 and 2.0

Prerequisites

You have a Zope instance running on port 8080 on your server. Your domain is me.com. Your Plone site is /mysite inside the Zope. You are running Apache with mod_proxy installed. You have created a user with Manager privileges.

You can access your Plone by visiting http://me.com:8080/mysite, but would like it to show up when you go to http://me.com.

The Gentle Giant (aka. VirtualHostMonster)

There is a simple and elegant way of getting this to work. It involves using Apache as a proxy for Plone/Zope, and using a built-in feature of Zope known as the VirtualHostMonster.

Adding the Monster

Note that this may not be necessary in the newer versions of Zope - it may already have added one for you, the later versions of Zope do this automatically. It will tell you when you try to add one if you already have one - so no harm is caused by doing the following if you are not sure.

We need to add a VirtualHostMonster to the Zope root (exact one for the whole Zope instance). Log in as a Manager (add an acl user first, be logged in as that user) - on localhost:8080/manage - and choose a VirtualHostMonster from the pulldown on the upper right. You need to fill in an id (means choose an id for the object), such as VHM, monster or foobar. This ID has no significance for the rest of the setup, but don't choose an ID that is the same as your site name, obviously. Click on the Add button. A monster icon should appear as one of the items in the root of your Zope site.

Setting up Apache

This is what should be in your httpd.conf (or apache.conf):

    <VirtualHost *>
    ServerName me.com
    ServerAlias www.me.com
    ServerAdmin webmaster@me.com
    ProxyPass / http://localhost:8080/VirtualHostBase/http/me.com:80/mysite/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/me.com:80/mysite/VirtualHostRoot/
    </VirtualHost>

So what does it do? The magic is in the ProxyPass line. Every time your Apache gets a request for me.com, it goes to localhost port 8080, and tells the VirtualHostMonster (VirtualHostBase) to get the stuff in mysite and make it look like it's coming from me.com port 80. Additionally, The VirtualHostRoot at the end of the ProxyPass lines tell the VirtualHostMonster that this is the root of the site. Simple. :)

Avoiding the use of your web site as a proxy

There is a security issue insofar that if you setup your server just like this — the default Apache setup will be a public proxy that people can use to cover their traces when accessing other websites. To disable this behavior you could e.g. add a LocationMatch directive to your httpd.conf that denies every request that doesn't start with a slash:

    <LocationMatch "^[^/]">
    Deny from all
    </LocationMatch>

Final step

Restart Apache (apachectl graceful) and try out your new setup :)

Additional tip

You can also configure Plone to not serve requests coming from remote IPs to stop people from entering http://yourservername.com:8080/ and get around Apache. One way to do this is to change zope.conf so that ZServer only listens on 127.0.0.1 and therefore only responds to requests from the Apache proxy. You can also fix it by configuring your firewall to deny requests on any of the Zope ports I guess.

There is no inherent security risk by not doing this, but if you don't want people to be able to get to the Zope port separately, this is a good way of stopping that.

Still having trouble?

Go back and read the Zope Book chapter on Virtual Hosting Services and be sure to run all the tests that you encounter along the way.

ProxyPassReverse, SSL, subdirectories and mod_rewrite

Posted by unset at May 20, 2006 08:41 PM
This article was great and, with a few others, served as the basis for getting Plone and Zope up and running behind Apache. However, there were a few stumbling blocks for me so I wanted to add some comments:

* ProxyPassReverse is unnecessary: This directive tells Apache to rewrite URLs on pages going back through the proxy and is used to fix embedded links that would otherwise be broken. However, when using the VirtualHostMonster, this is redundant.

* Integrating SSL with mod_proxy: There's another how-tos on SSL, but it's easy enough to add to the above steps. You can use SSL with mod_proxy by adding the line:

  ProxyPass / http://localhost:8080/[…]/

By changing http to https and the port from 80 to 443 in the VirtualHostBase, the VirtualHostMonster will use SSL.

* Putting Zope/Plone behind a subdirectory: All of the documentation I've seen has only been how to set up Plone behind Apache so the only site served is the Plone site. However, on my server I wanted to integrate Plone with existing content without adding a new virtual host for Plone. There are two ways to do this. If you want to expose all of Zope behind a subdirectory, you can use Zope's "Inside-out hosting". This tells the VirtualHostMonster to add a directory to the output path but to ignore it when navigating the Zope site. For example:

  ProxyPass /zope/ http://localhost:8080/[…]/

will expose all of Zope at https://me.com/zope/. The first argument to ProxyPass ("/zope") tells Apache that you're proxying all URLs that begin with "/zope/". The parts of the path after VirtualHostRoot beginning with "_vh_" are ignored by Zope when navigating the site but added to URLs when rewritten by the VirtualHostMonster. This solves the problem of Zope returning URLs like "https://me.com/manage" when they should be "https://me.com/zope/manage".

Alternatively, you can go straight to your Plone instance:

  ProxyPass /mysite/ http://localhost:8080/[…]/

This will rewrite things so the URL "https://me.com/mysite/" goes directly to the Plone instance "mysite".

* mod_rewrite: Other how-tos mention mod_rewrite instead of mod_proxy. mod_rewrite is very cool, but it doesn't add anything over the mod_proxy steps above.

Faking DNS for testing

Posted by Mikko Ohtamaa at Jun 28, 2006 12:01 AM
If you are migrating from an old site to a new site running Plone and DNS address is pointing to the old server, you can still test your virtual host monster before going live. You can fake DNS address to point to the new server locally. The oldskool way to do is add your site address to etc/hosts file on your local machine. This file is looked up before doing any DNS queries.

On Windows, this file is C:\Windows\System32\drivers\etc\hosts

On Linux, this file is /etc/hosts

Use the ZOPE management port!

Posted by Andrew Potts at Aug 28, 2007 08:32 PM
Don't fall for the mistake I made; the port you specify in the Apache ProxyPass directive is the ZOPE management port, not the Plone HTTP port. I know it says that in the documentation, but it's an easy mistake to make for a newbie like me and it cost me 3 hours!

Can't login

Posted by Gregorio Casero at Jan 14, 2008 12:13 PM
Hi. First of all, thanks for the tutorial. I've followed this steps, and I could reach my Plone site through Apache (http://xx.xx.com:8081/Plone is http://now xx.xx.com/Plone)
However, I can't login. When I try to do that, I get the next error from Apache:

[...]
The proxy server could not handle the request POST /aliado/login_form.

Reason: Error reading from remote server
[...]
Error 502
xx.xx.com
01/14/08 12:43:41
Apache/2.2.6 (Win32) DAV/2 mod_ssl/2.2.6 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.4

My httpd.conf VirtualHost config is:

<VirtualHost *>
ServerName xx.xx.com
ServerAdmin mail@gmail.com
ProxyPass /Plone http://localhost:8081/[…]/

#I've tried both with and without the next line:
ProxyPassReverse /Plone http://localhost:8081/[…]/

#I've tried both with and without the next block:
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

</VirtualHost>


any help?

400 errors when hitting URLs containing spaces

Posted by Sean Fulmer at Apr 19, 2008 03:04 AM
In certain situations involving mod_rewrite, mod_proxy, and Zope you might see 400 BadRequest errors if you visit URLs containing spaces. Of course, nobody in their right mind creates content with spaces in the URLs, but unfortunately in the ZMI, we've got things like "News Item" and "Large Plone Folder" in portal_types that *do* contain spaces in the URL.

If you bump into that problem, you can get around it with something like this:

RewriteMap escape int:escape
...
RewriteEngine On
RewriteRule ^($|.*) \
http://127.0.0.1:8081/VirtualHostBase/\
http/%{SERVER_NAME}:80/VirtualHostRoot/${escape:$1} [L,P]

More info available at:
http://matthewwhitworth.com/[…]/
http://blog.buro9.com/[…]/