Contact Us

outline.txt

Managing your Plone Sites in Windows

Plone needs to be used with a high performance web server and probably a proxy server. What are our choices?

The most popular deployment scenario involves running Plone on a linux box with Apache server. This offers many advantages. You gain the advantages of a UNIX control environment as well as the wide availability of open source tools. Apache server, for example, contains many free configurable modules and log analyzers. The typical hosting company might have a LAMP (Linux, Apache, Mysql, Php) hosting environment already set up, even if it offers a python hosting plan.

In the meantime, enterprise networks are still (for the most part) Windows-based. Workers still use Windows desktops and laptops (though Macs and Ubuntu has certainly made significant inroads over the last few years). Company administrators usually have substantial background and experience configuring servers in a Windows environment and connecting them to users and groups with Active Directory. In addition, a large number of third party tools have emerged to assist system administrators in routine tasks. Many of these administrators are comfortable configuring Internet Information Services (IIS) and integrating different kinds of websites under IIS. For these kinds of organizations, being able to integrate well with the rest of the Windows corporate network is an important criteria for selecting a CMS.


This article shows how a system administrator could configure multiple sites in a Windows enterprise environment using a commercial product called Enfold Proxy. Enfold Proxy is a lightweight plugin to IIS that lets you handle Plone sites more easily. These paper will contrast the different approaches, look at how Enfold Proxy uses built-in functionality of IIS and do a little "showing off" of the the tool's user-friendly control-panel. Note: this is not an open source product, and it is not free (it costs a few hundred dollars, depending on your support plan). The goal of this article is to show how a Microsoft administrator could manage and configure several Plone sites from Windows (even if the Zope clients are running from Linux machines).


Plone Toolchain: Linux vs. Windows



The Plone toolchain can be complex and require manual configuration and customization.

First, there is Plone. Relatively speaking, that is the easy part.
Then, you need a front end web server like Apache to receive requests and forward them to Plone.
Apache requires some modules for working with Plone:
mod_proxy or mod_rewrite is needed to redirect/rewrite URLs.
mod_proxy_balancer is needed to enable load balancing among Zope clients,
mod_NTLM is required to handle NTLM authentication (an Windows authentication protocol)
You have to use regular expressions or rewrites to translate different HTTP requests for different hosts.
Finally, you need a caching server like Varnish or Squid to cache web resources.


Enfold Proxy can do that in one product.

Plone (i.e., your Zope clients) can run on either a Windows or a Linux server.
IIS Web Server serves as the front end for Plone. Enfold Proxy takes advantage of IIS's built in capability to do proxying and caching.
You use the control panel GUI tool to configure "proxy definitions" for each IIS Internet host.
Each proxy definition lets you configure cache and set up load balancing
Although not involved in Windows authentication, Enfold Proxy makes it possible for IIS to handle it.
Each proxy definition lets you use the GUI to exclude certain directories from IIS so another web application can handle it ( you can type www.myplonesite.com/wordpress, and Enfold Proxy will let IIS hand it off to a virtual host running PHP).


Setting Up Virtual Hosts in IIS

In many respects, setting up virtual hosts is the same in Apache and IIS, except that in IIS you use a series of dialog boxes instead of a configuration file.

IIS 6 version (and above)let you set up multiple IIS servers. As a general practice, you should create a new IIS web server for each Internet host you use. For example, if you wish to host two separate Internet hosts (i.e., www.myplonesite.com and backupplone.mysite.com), you should set up 2 separate IIS web servers. You do this by selecting New Server on the right click menu.

/create_new_iissite.png

Next you configure the host headers on each IIS web server to correspond to the Internet host you want for your website.

iis_set_host_header_first.png

The next step is to launch the Enfold Proxy control panel. (Since Enfold Proxy operates whenever IIS is running, you do not actually need to start it--you merely need to launch the control panel).

Things to do before Creating a Proxy Definition

1. Configure your first IIS host
2. Verify that your IIS host resolves correctly.
3. Make sure Plone or Enfold Server is running correctly




Create a proxy definition. A proxy definition


A proxy definition is a set of instructions specific about how Enfold Proxy should proxy (or redirect or cache) http requests from one IIS host. Generally, with one important exception (see Multiple Domains with only one IIS site), you declare your hosts in IIS and use "proxy definitions" to connect these hosts with Plone sites on Enfold Server.

Enfold Proxy originally arose out of the need to simplify the URL mapping process within Plone in a Windows environment. However, because Enfold Proxy is essentially a plugin for IIS (it is an ISAPI filter for IIS), you can use Proxy Definitions to wrap a non-Plone site into a Plone site and vice-versa. That makes it easy to integrate a java application or Django application together with a Plone site together under the same domain.

For instance you could use EP to set up these mappings:

www.funsite1.com (and recursive URL web directories) could be used to serve Plone content. www.funsite1.com/payroll could be used to serve a java servlet you added inside IIS. www.funsite1.com/media/ could be used to serve videos (from a media server you added to IIS).

When should you NOT create a proxy definition? Exactly one proxy definition should correspond to one IIS site. You should not need a second proxy definition to point to the same IIS site.

encontrol_sites.png


basic settings on front page
proxydefinitionbasic.png

Next you need to click to the latest tab to associate with an IIS site

sitedropdown.png
(The initial site created by IIS is called Default Web site, but in IIS you can give a website any name you want.

3. Restart any Zope client(s) you have modified by choosing the Start|Stop option on the left panel.
4. Open the EP Configuration Tool. Click the folder on the left panel Proxies. Choose Add a Proxy Definition . Give your proxy definition any name you want.
5. Adjust the basic settings if necessary. By default, the new host comes with the most common defaults:

Local host= /
Virtual host root = /Plone

These settings will cause the root (/) of your URL to go to the Plone site automatically created within your Zope client. The Plone site object should be visible inside the Zope Management Interface (ZMI). Change these values when necessary. You can verify the value for Virtual host root by logging into the ZMI application root and verifying that a folder corresponds to this value already exists. For more, see Using the ZMI.

6. Add the Virtual Host that corresponds to your management port of your Zope client. The virtual host can be an IP address or a resolvable host. Examples: 127.0.0.1:8080, 192.168.1.150:8080, localhost:8080
7. In your Proxy Definition, select the Site tab on the top. When you come to that screen, you will see a dropdown screen for the Site screen. Choose the IIS site which is serving the host/domain you will be using. For this, we shall use Default Web Site (which uses the www.originalfunsite.com host headers).

images/sitedropdown.png

8. After you press save for the last time, you will be able to see a "virtual folder" appear under the IIS which this proxy definition will be matched with.

images/iis_plone_virtual_folder.png

Note: This proxy definition you created or edited in Enfold Proxy will not take effect until you see the _plone folder. EP will automatically make sure this virtual folder exists in the IIS whenever you save or update your Proxy Definition.If you do not see the folder which says _plone, make sure to try these things:

* refresh the web site by typing F5 or using the Refresh icon the toolbar (in most cases this is sufficient).
* restart the specific IIS site
* restart the IIS server entirely.
* make a minor edit to the proxy definition and press Save again (you can undo this later).

To host multiple sites, you would create another IIS site, and then create a separate IIS proxy definition and link them (as mentioned above).



Extending Basic Features
Load Balancing on the same ZEO server
verify that they can be load balanced

Adding or Subtracting Load-Balancing Clients

After you create a proxy definition for your host, you can add load-balancing clients with one step: add another entry in the Virtual host field. This Virtual host field is located on the Basic tab of your proxy definition. (The balancing tab of your proxy definition contains additional options related to load balancing).

Here are examples of Virtual Hosts to include in your proxy definition (on the Basic tab). All formats listed here are acceptable:

localhost:8080
localhost:8090
192.168.1.150:8080
192.168.1.151:8080
www.enfoldsystems.com:8080

Notes:

1. In most cases, these URLs will be a Zope client.
2. Omit the http:// prefix.
3. Always include the port number.
4. You can use IP addresses and/or host names.
5. Load balancing will not work unless you have 2 or more Virtual hosts listed here.

After you push save, load balancing should work immediately.

To remove a client from load balancing, delete the appropriate line in the Virtual Host field.

Even though load balancing provides a kind of insurance policy against failures, you still need a monitoring tool like Big Brother to make sure individual machines are online. A load-balanced cluster might have four virtual hosts/Zope clients and still work if three of them go offline. But if you are never notified about this occurrence, you would be at risk if the fourth goes offline also.


Caching/Purging


Enable Cache in your Proxy Definition

By default, when you create a proxy definition in EP, caching is enabled. However, you might need to change your settings to suit your hardware.

See a description of each cache setting.

Enfold Proxy will keep a lot of "stale" cached files inside the cache directory corresponding to a specific proxy definition. These stale cache files will accumulate in the cache directory until it approaches the maximum cache size. That is actually a good thing. In Chasseur, for example, a lot of content is cached for one hour. After one hour (or even after five years), whenever the browser requests the same resource, EP will check with Plone and ask, "is this stale item still valid?" Plone will give one of two responses. Either:

* Plone will reply, "it's still good." (In this case, EP will return the stale item to the browser and update its own records to indicate that this stale cache is now valid. This process is called, revalidating the cache). The HTTP headers to the user will say: X-Cache: HIT from www.originalfunsite.com
* Plone will reply, "Nope. That's an outdated version." (In this case, Enfold Server or Plone will send the updated version to Enfold Proxy, which will pass it on to the browser and also replace the outdated version with the newer version). X-Cache: MISS from www.originalfunsite.com .

Enfold Proxy now has an easy button in its interface purge cached items for proxy definition(s).
Next Step: Verify that Your Cache Settings are in Effect

To verify that caching is taking place, look for this line in your HTTP response header: X-Cache: HIT from www.originalfunsite.com

* If you see X-Cache: HIT, then yes, caching is occurring.
* If you see X-Cache: MISS, then this particular item was NOT cached.

Generally HIT's indicate successful caching.

Keep in mind that X-Cache: MISS is not always a bad thing. For example, if logged in as an administrator, many resources will not be cached on purpose. It's best to test as an anonymous web surfer (i.e., someone who is not logged in). If an item contains a modification, then a MISS reply is mandatory. Also, object-based caching (like XSLT caching )doesn't modify these headers, so EP can be properly caching XSLT pages and still be sending out X-Cache: MISS headers.

Careful: When testing, it's a good idea to use two different browsers. In Browser A (such as Internet Explorer), log in as Admin. In Browser B (i.e., Firefox), log in as anonymous or as a logged in user. It's also important to clear cache the right way and even to close the browser entirely (if you don't, the http headers you see won't be accurate). Consult the troubleshooting checklist for caching.

To see the HTTP headers directly, see Tools for Viewing Headers . You should probably pick two or three sample items to check for headers. Anything will do, but at least one should be a graphic and one should be a Zope page (such as http://www.originalfunsite.com/events ). In Chasseur, the maximum age is

Cache-Control: max-age=3600 X-Cache: HIT from www.originalfunsite.com

Optimize Cache Settings and Measure Caching Performance

Many of your cache settings can be tweaked in whatever Plone product you are using to cache web items. The CacheFu Plone product, for example, offers a lot of fine-grained controls and the ability to create caching rules.

But EP also offers some cache settings to tweak.

Here are some default settings for each proxy definition as set by Enfold Proxy:

* Maximum Size of the Cache: 10 gigabytes for each proxy definition
* Maximum number of items in the cache for each proxy definition: 50,000
* Maximum size of an item which can be cached: 100K
* Default-Age: 0

The main thing you can adjust here is storage amount and item size. The larger the storage amount you have, the more cacheable items EP can keep at once. Increasing maximum item size is recommended if your Plone server returns a lot of web items (which is not the same thing as "web pages") over 100K. If the maximum is increased to a very large size, this will also consume RAM on the machine with EP. Also, when you cache larger files, that will cause the maximum size of the cache to fill up more quickly. Theoretically, if your cache directory for your proxy definition is always at maximum and the hit percentage is declining, that could indicate you need to increase your maximum here.

Default-age=0 will cause EP to store cacheable items in the cache and always check to make sure if it is current before serving cached content to the browser. (This is the default and generally recommended). Even so, EP will not cache an item which is forbidden to be cached (according to Plone or whatever Plone Product is setting these commands).

If you check Enfold Proxy's cache.log messages for your proxy definition (and set the log level to Information), you will see every minute or so some statistics about caching:

2008-02-18 10:31:45,250|cache.host originalfunsite|STATS|3500|2856|Cache statistics:
gets: 88, hits: 65 (33 validated), misses: 23 (0 uncachable)
hitrate: 73% (58% excluding validations)
size: 1943668 bytes, 324 items

The most important number here is the 58% in parenthesis. It refers to requests that EP returned without forwarding it to Enfold Server or Plone (thus resulting in the most time-saving). The 73% number includes those occasions when the item was stale and EP needed to make a conditional request to Enfold Server/Plone. So 15% (i.e., 73-58) is the percentage of times when EP had to revalidate stale cache by checking with Enfold Server or Plone. These revalidation requests generally do not result in significant time savings, so for all practical purposes the only number you need to worry about is the number in parenthesis.
The cache directory

The proxy allows you to configure the directory where cached items are stored for a particular proxy definition.

1. Open EP configuration tool
2. Select your proxy definition. Select the Caching tab.
3. Leave this blank if you want your cache directory to exist under the application directory. The directory will be created if it does not exist. If you wish to put your cache files elsewhere, you should copy the complete path to the directory here (e.g., C:\My Documents\proxy definition 1\cache).

IIS must be restarted before a change to this option will take effect, and be sure to read the directory and filename options section to setup the permissions on the directory.

When you change the cache_directory, the old cache is not migrated to the new location (i.e., the old cache remains and a new empty cache is created at the new location.)

Migrating your cache to a different place:

1. Stop IIS.
2. Move the cache directory into a new location.
3. Copy the absolute path into the Cache Directory field of your proxy definition.
4. restart IIS.

(See tutorial about clearing browser cache and how cache works).


PURGE is a specialized HTTP command. This command is comprehensible to proxy servers like Squid, Varnish and Enfold Proxy; it orders the proxy server to evict the item from cache so future requests will fetch a fresh new copy. On the machine with Enfold Proxy, files will essentially be deleted from C:\Program Files\Enfold Proxy\cache\host www.originalfunsite.com\data .

Important: Purging will not work if you have set the Aggressive caching profile in Enfold Server.
Purging from a Remote Machine

Enfold Proxy (EP) has controls to prevent purging commands from being issued by anyone. Generally, before you can do any purging, you need to explicitly declare which I.P. addresses are allowed to issue a PURGE command.

To do this, go to Settings --> Caching purge sources and type the I.P. address of any computer which will issue a PURGE command. At minimum, you need to type the IP address corresponding to your Plone or Enfold Server. This is required if you are going to run a PURGE command from within a Plone product. If you intend using a local command-line tool (like cURL) along with a remote Plone server, you must include the I.P. addresses of both the localhost (127.0.0.1) and the Plone host.

Note In many cases, it is necessary to type in 2 IP addresses here. First, 127.0.0.1 (which is localhost) and second, the actual IP address of your machine (such as 192.168.1.1). If you are testing when logged on as a domain user on the machine itself, sometimes IIS will treat domain requests as coming from outside the machine itself. If you are unsure which IP address is making the PURGE request, examine your IIS HTTP access logs and verify the IP address which made the PURGE request.

Special Note about Windows authentication (NTLM) and Purging. Enfold Server (ES) lets you use NTLM authentication to automatically log users in. If you are using NTLM with Enfold Server, you might not be able to run purge commands successfully. This is a known bug with Enfold Proxy 4.

In Enfold Proxy (EP), there are four ways to purge the cache.

1. use the Purge button within Enfold Proxy. (recommended)
2. use the portal_squid tool within the ZMI (helpful for purging one specific URL only).
3. use a command line utility like cURL or Telnet to issue a PURGE command (which the proxy server can understand) for a specific URL.
4. do it from within a Plone caching product (like CacheFu or CMFSquidTool).
5. include a Python script to purge cache content when an item is republished.

This topic will discuss the advantages and disadvantages of each method.

Integrating Plone Sites with other sites.

purgingsuccess.png


Integrating Plone Content with Non-Plone Content


































cachelog




To enable NTLM (a user authentication protocol for Windows users), you need mod_NTLM.
To enable caching, you need a caching server such as Varnish or Squid.


Configuring proxypass can be difficult/complicated, especially if you are dealing with multiple virtual hosts.
Configuring load balancing in Apache can be slightly confusing as well.
Configuring a caching server is a fairly complex undertaking and requires an in depth knowledge of how to configure the right options.


All these are certainly doable and managable by the right person, and after initial configuration, things may just work. But troubleshooting may require advanced knowledge, and it

Enfold Proxy provides a Windows-based tool for managing these tasks. It has a user-friendly GUI and can do these things:

1. Can rewrite URL's/proxy URLs for multiple Zope clients on other machines.
2. Can do load balancing for multiple Zope clients
3. It can manage Zope clients running on a Windows box or a Linux box.
4. It can do caching within IIS and lets you tweak cache settings
5. It lets you purge cache with a simple mouseclick
6. Simplifies the process of integrating Plone content and non-Plone content on the same domain or host



* Simplifies the process of associating Plone sites with IIS sites
* Supports Enfold Server 3x, 4x and Plone 2.x and 3.x
* Simplifies the process of integrating Plone content and non-Plone content on the same domain or host
* Uses caching to speed up Plone performance (note: to use this feature, you must first install a Plone caching product. )
* Supports load balancing with multiple Zope clients to provide extra reliability in the event one Zope client goes offline.
* Supports caching of XSLT pages generated in Plone.
* Improved performance from previous versions (See release notes)





It has a GUI front-end,It works within IIS and It can:


1. manage virtual hosts

Then, to work with Apache web server, mod_proxy needs to Apache requires certain modules to be installed.
Second, there is Apache





Plone has often been deployed in a
Plone has typically been used with Apache server on Linux.

Plone has taken off much faster





toolchain
telephone booth





Ma


Running your Plone on Linux/Apache



Managing apache


This document is
the purpose is not really to provide an extensive how to



1. integrates with IIS.

2. integrates with Windows security

3. purge cache via the desktop tool

4. integrating Plone with nonplone

5. multiple domains

6. IIS vista?

7.



The Apache solution



proxy
extremely lightweight





Proxy Features


Enfold has a GUI tool that simplifies