ZRS configuration details

I just need some advice!

In the ZRS configuration below, the idea is to use nginx/varnish to route the end users to client2 and client3 and the content maintainers to client1.

Does it make sense to have the replicate-to port shared as zeo-address by client2 and client3?

[zeoserver]
<= zeoserver_base
recipe = plone.recipe.zeoserver
zeo-address = 127.0.0.1:9100
replicate-to = 127.0.0.1:9101

[client1]
<= client_base
recipe = plone.recipe.zope2instance
zeo-address = ${zeoserver:zeo-address}
http-address = 9080

[client2]
<= client_base
recipe = plone.recipe.zope2instance
zeo-address = ${zeoserver:replicate-to}
read-only = True
http-address = 9081

[client3]
<= client_base
recipe = plone.recipe.zope2instance
zeo-address = ${zeoserver:replicate-to}
read-only = True
http-address = 9082

I'm afraid that doesn't work that way as sometimes GET requests produce writes on the ZODB.

why are you trying to do so? security or performance concerns?

  1. security
    the "read only" clients will be available on Internet
    the other client will be available only on our INTRANET and with no VARNISH in front of it.

  2. AND performance, although I cannot evaluate the gain.

In fact I did not get this... What is it about?

AFAIK you can't use read-only clients on Plone because there are GET requests that write to the database: a typical example of this is the creation of image scales on the fly when they are needed; I learned this the hard way many years ago.

you can secure your instances in a different way; for instance, you can remove the authentication cookies in your front-end proxies on requests coming from the outside world. that's pretty easy in Varnish, for instance:

if (req.http.Cookie) {
    unset req.http.Cookie;
}

for performance, scalability and better use of resources I prefer not to separate instances to serve content for anonymous and authenticated users, but that's because the sites we host have limited resources; for me having a lot of underutilized instances makes no sense.

at the end of the day in our sites we have found the following:

  • backend instances are mostly used by crawlers
  • requests for anonymous users are mostly served by Varnish
  • requests for authenticated users are the most expensive

we use a slave ZEO server just to avoid downtimes when the master server is unavailable, and also to have a copy of the database that is in sync all the time.
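
As an added example (not part of the original posts), the cookie-stripping idea from the reply above can be limited to requests from outside the intranet, so maintainers can still log in through the same proxy. The backend address, the ACL ranges and the `X-Anonymous-Only` marker header are assumptions made for illustration; it also drops the `Authorization` header, since Zope accepts HTTP Basic credentials as well as the session cookie.

```vcl
vcl 4.0;

# Assumed backend: one of the Zope clients from the buildout in the question.
backend plone {
    .host = "127.0.0.1";
    .port = "9081";
}

# Assumed intranet ranges (constructed values); replace with your own.
acl intranet {
    "127.0.0.1";
    "10.0.0.0"/8;
}

sub vcl_recv {
    # Never trust a marker header supplied by the client.
    unset req.http.X-Anonymous-Only;

    if (!(client.ip ~ intranet)) {
        # Outside world: drop every credential the backend could accept.
        unset req.http.Cookie;         # session cookie (Plone default name: __ac)
        unset req.http.Authorization;  # HTTP Basic auth
        # Hypothetical marker so the fetch side knows this request was stripped.
        set req.http.X-Anonymous-Only = "1";
    }
}

sub vcl_backend_response {
    # Do not hand a session cookie back to a request that arrived stripped.
    if (bereq.http.X-Anonymous-Only) {
        unset beresp.http.Set-Cookie;
    }
}
```

If nginx sits in front of Varnish, `client.ip` is the nginx address, so the intranet check has to be made where the real client address is visible. Do not base it on a forwarded-for header that the client can set.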