Notes on a More Secure Plone Deployment

by Nathan Van Gheem last modified Apr 15, 2011 05:00 AM
Some things to think about if you're planning on providing a more secure Plone site. While Plone is a very secure CMS with an incredible track record, there are still plenty of things you can do to protect sites that might be larger targets.

Read-only Public Site

Making your public site read-only will prevent even a compromised site from taking any damage. Even if a malicious user does somehow gain access, they can't save any changed data to the database.

There are a few ways to do this:

  • Zope Replication Services (ZRS) allow you to replicate a read-write private backend server to a read-only public-facing site.
  • You can also use RelStorage for your zeoserver, then use the replication facilities provided by some RDBMSs to replicate to a read-only zeoserver on the public site.
  • It is also possible to have read-only zeo clients connected to a read-write zeo server.
  • zeoraid might even be an option (never tried it).

One thing to note is that there are some cases where Plone will try to write on read unfortunately. To get around this, I create a before commit event handler in a policy product to abort every transaction when the server is read-only. It's kind of hackish but a necessary evil to prevent a user from getting a nasty ReadOnly database error thrown at them. It would look something like:

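from zope.component import adapter
from ZPublisher.interfaces import IPubBeforeCommit
import App.config
import transaction

# Read the read-only flag from the Zope configuration once, at import time.
configuration = App.config.getConfiguration()
readonly = configuration.read_only_database


# Must be registered as a subscriber (e.g. in the policy product's ZCML).
@adapter(IPubBeforeCommit)
def abortTransactionOnReadOnly(event):
    # Discard any pending writes instead of letting the commit fail.
    if readonly:
        transaction.abort()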

Rewrite Login URLs

You can also rewrite login URLs on the public site to keep anyone from seeing a login form. Just do normal rewrites at your proxy server.

URLs you'll want to rewrite are:

  • /manage
  • /login
  • /logged_out
  • /require_login
  • /acl_users

This will prevent anyone from seeing a login form or an unauthorized page.
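
Because Zope resolves names through acquisition, the names above can also be requested below a content path, so a rewrite rule is worth testing against nested URLs before it goes on the proxy. The following is an added example, not code from the original post: it assumes a proxy that accepts regular-expression rules, and the two patterns, the helper names and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Names from the post's list of URLs to rewrite.
BLOCKED_NAMES = ("manage", "login", "logged_out", "require_login", "acl_users")
_NAMES = "|".join(BLOCKED_NAMES)

# Rule anchored at the site root only.
ROOT_ONLY = re.compile(r"^/(?:%s)(?:/|$)" % _NAMES)
# Rule matching the same names as a whole path segment at any depth.
ANY_DEPTH = re.compile(r"/(?:%s)(?:/|$)" % _NAMES)

# Constructed request URLs, not taken from a real site.
SAMPLE_URLS = [
    "/login",
    "/logged_out?came_from=/news",
    "/acl_users/credentials_cookie_auth/require_login",
    "/news/login",
    "/news/events/manage",
    "/news/login-tips",
    "/front-page",
]


def blocked(rule, url):
    """True if the proxy rule would rewrite this request (query string ignored)."""
    return rule.search(urlsplit(url).path) is not None


def coverage_gap(urls):
    """URLs the any-depth rule rewrites but the root-only rule lets through."""
    return [u for u in urls if blocked(ANY_DEPTH, u) and not blocked(ROOT_ONLY, u)]


def still_public(urls):
    """URLs that stay reachable under the any-depth rule."""
    return [u for u in urls if not blocked(ANY_DEPTH, u)]


if __name__ == "__main__":
    print("missed by root-only rule:", coverage_gap(SAMPLE_URLS))
    print("still public:", still_public(SAMPLE_URLS))
```

The `still_public` list is the check for over-blocking: ordinary content whose id merely contains one of the names, such as `/news/login-tips`, should remain in it.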
