Warning

This document hasn't been checked for compatibility with current versions of Plone. Use at your own risk.

Installing Plone with Apache

by Alex Limi last modified Jan 06, 2012 04:42 AM
There are several ways of running Plone together with Apache, but this is the simple, idiot-proof way.

How to run Plone with Apache

For more complex setups, RewriteRules are an alternative. See "VHosts_With_Zope_Default":http://www.zope.org/Members/mwr/VHosts_With_Zope_Default, the "Apache Docs":http://httpd.apache.org/docs/ and "Zope docs":http://www.zope.org/Members/regebro/Zope_and_Apache and the Zope Book chapter on "Virtual Hosting Services":http://zope.org/Documentation/Books/ZopeBook/2_6Edition/VirtualHosting.stx for more information. If youre running Apache 2.x you may want read "Zope behind an Apache 2 webserver":http://www.cheimes.de/opensource/docs/zope-apache2/.

What follows is what 90% of people are using, the standard vanilla way of proxying Plone with Apache and mod_proxy. This works for both Apache 1.3 and 2.0

Prerequisites

You have a Zope instance running on port 8080 on your server. Your domain is me.com. Your Plone site is '/mysite' inside the Zope. You are running Apache with 'mod_proxy' installed. You have created a user with Manager privileges.

You can access your Plone by visiting http://me.com:8080/mysite, but would like it to show up when you go to http://me.com.

The Gentle Giant (aka. VirtualHostMonster)

There is a simple and elegant way of getting this to work. It involves using Apache as a proxy for Plone/Zope, and using a built-in feature of Zope known as the VirtualHostMonster.

Adding the Monster

<span class="discreet">Note that this may not be necessary in the newer versions of Zope - it may already have added one for you, the later versions of Zope do this automatically. It will tell you when you try to add one if you already have one - so no harm is caused by doing the following if you are not sure.</span>

We need to add a VirtualHostMonster to the Zope root (exact one for the whole Zope instance). Log in as a Manager (add an acl user first, be logged in as that user) - on localhost:8080/manage - and choose a VirtualHostMonster from the pulldown on the upper right. You need to fill in an id (means choose an id for the object), such as 'VHM', 'monster' or 'foobar'. This ID has no significance for the rest of the setup, but don't choose an ID that is the same as your site name, obviously. Click on the Add button. A monster icon should appear as one of the items in the root of your Zope site.

Setting up Apache

This is what should be in your httpd.conf (or apache.conf):

<VirtualHost *>
ServerName me.com
ServerAlias www.me.com
ServerAdmin webmaster@me.com
ProxyPass / http://localhost:8080/VirtualHostBase/http/me.com:80/mysite/VirtualHostRoot/
ProxyPassReverse / http://localhost:8080/VirtualHostBase/http/me.com:80/mysite/VirtualHostRoot/
</VirtualHost>

So what does it do? The magic is in the ProxyPass line. Every time your Apache gets a request for me.com, it goes to localhost port 8080, and tells the VirtualHostMonster ('VirtualHostBase') to get the stuff in 'mysite' and make it look like it's coming from me.com port 80. Additionally, The 'VirtualHostRoot' at the end of the 'ProxyPass' lines tell the VirtualHostMonster that this is the root of the site. Simple. :)

Avoiding the use of your web site as a proxy

There is a security issue insofar that if you setup your server just like this &mdash; the default Apache setup will be a public proxy that people can use to cover their traces when accessing other websites. To disable this behavior you could e.g. add a LocationMatch directive to your httpd.conf that denies every request that doesn't start with a slash:

<LocationMatch "^[^/]">
Deny from all
</LocationMatch>

Final step

Restart Apache ('apachectl graceful') and try out your new setup :)

Additional tip

You can also configure Plone to not serve requests coming from remote IPs to stop people from entering 'http://yourservername.com:8080/' and get around Apache. One way to do this is to change zope.conf so that ZServer only listens on 127.0.0.1 and therefore only responds to requests from the Apache proxy. You can also fix it by configuring your firewall to deny requests on any of the Zope ports I guess.

There is no inherent security risk by not doing this, but if you don't want people to be able to get to the Zope port separately, this is a good way of stopping that.

Still having trouble?

Go back and read the Zope Book chapter on "Virtual Hosting Services":http://zope.org/Documentation/Books/ZopeBook/2_6Edition/VirtualHosting.stx and be sure to run all the tests that you encounter along the way.

Contribute

Something wrong or out of date? Anybody can edit or create a new article in the knowledge base. Simply create an account on this site, log in, and click the Edit button to contribute.