{#- SERVER_POLLUTED_KEY_LIST is a list of keys which comes from various SlapOS Master implementations, which mix request and publish keys on each slave information -#}
{%- set SERVER_POLLUTED_KEY_LIST = ['connection-parameter-hash', 'timestamp', 'slave_title', 'slap_software_type'] -%}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{#- Allow to pass only some parameters to frontend nodes #}
...
...
@@ -22,6 +20,66 @@
'authenticate-to-backend',
]
%}
{#- SlapOS Master (but not slapproxy!) merges slave's instance and connection parameters, so the slave information passed to nodes have to be limited only to instance related keys #}
{#- Note: As a result, this feature is very hard to be tested with slapproxy, as it does not pollute the slave information, this kind of whitelist is implemented #}
{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA = [
'authenticate-to-backend',
'backend-connect-retries',
'backend-connect-timeout',
'ciphers',
'custom_domain',
'default-path',
'disable-no-cache-request',
'disable-via-header',
'disabled-cookie-list',
'enable-http2',
'enable_cache',
'health-check',
'health-check-authenticate-to-failover-backend',
'health-check-failover-https-url',
'health-check-failover-https-url-netloc-list',
'health-check-failover-ssl-proxy-ca-crt',
'health-check-failover-ssl-proxy-verify',
'health-check-failover-url',
'health-check-failover-url-netloc-list',
'health-check-fall',
'health-check-http-method',
'health-check-http-path',
'health-check-http-version',
'health-check-interval',
'health-check-rise',
'health-check-timeout',
'https-only',
'https-url',
'https-url-netloc-list',
'monitor-ipv4-test',
'monitor-ipv6-test',
'path',
'prefer-gzip-encoding-to-backend',
'request-timeout',
'server-alias',
'ssl-proxy-verify',
'ssl_ca_crt',
'ssl_crt',
'ssl_key',
'ssl_proxy_ca_crt',
'strict-transport-security',
'strict-transport-security-preload',
'strict-transport-security-sub-domains',
'type',
'url',
'url-netloc-list',
'virtualhostroot-http-port',
'virtualhostroot-https-port',
'websocket-path-list',
'websocket-transparent',
]
%}
{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_INTERNAL = [
'slave_reference',
]
%}
{%- set FRONTEND_NODE_SLAVE_PASSED_KEY_LIST = FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_INTERNAL %}
{% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
{% set aibcc_enabled = slapparameter_dict.get('automatic-internal-backend-client-caucase-csr', 'true').lower() in TRUE_VALUES %}
{# Ports 8401, 8402 and 8410+1..N are reserved for monitor ports on various partitions #}
...
...
@@ -258,9 +316,12 @@ context =
{% endif %}
{% if len(slave_error_list) == 0 %}
{# Cleanup slave from not needed keys which come from implementation of SlapOS Master #}
{% set authorized_slave = slave.copy() %}
{% for key in SERVER_POLLUTED_KEY_LIST %}
{% do authorized_slave.pop(key, None) %}
{# Send only controlled information about the slave to node #}
{% set authorized_slave = {} %}
{% for key in FRONTEND_NODE_SLAVE_PASSED_KEY_LIST + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST %}
{% if key in slave %}
{% do authorized_slave.__setitem__(key, slave[key]) %}
{% endif %}
{% endfor %}
{% do authorized_slave_list.append(authorized_slave) %}
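Review bot: The new loop header in the last hunk iterates over `FRONTEND_NODE_SLAVE_PASSED_KEY_LIST + FRONTEND_NODE_SLAVE_PASSED_KEY_LIST`, which concatenates the allowlist with itself, so every key is tested and assigned twice. The resulting dict is the same, but it reads like a leftover from before the combined list was defined; on a filter that decides which slave data reaches frontend nodes, the expression should state exactly what is allowed: `{% for key in FRONTEND_NODE_SLAVE_PASSED_KEY_LIST %}`. Separately, `FRONTEND_NODE_SLAVE_PASSED_KEY_LIST_SCHEMA` looks like a hand-maintained copy of the slave schema's keys, so a key added to the schema later would be dropped here without any error. A comment above that list would make the coupling visible, for example `{#- Keep in sync with the slave input schema: keys missing here are silently not passed to nodes #}`. The enclosing `{% if len(slave_error_list) == 0 %}` block continues outside the hunk.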