Commit c2220e22 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Rafael Monnerat

caddy-frontend: Simplify templates and fill TODO

Where applicable simplify Jinja2 templates by removing Caddy-TODO
and fill or update TODO.rst.
parent 78f3c519
...@@ -2,10 +2,16 @@ Generally things to be done with ``caddy-frontend``: ...@@ -2,10 +2,16 @@ Generally things to be done with ``caddy-frontend``:
* ``apache-ca-certificate`` shall be merged with ``apache-certificate`` * ``apache-ca-certificate`` shall be merged with ``apache-certificate``
* (new) ``type:websocket`` slave * (new) ``type:websocket`` slave
* ``type:eventsource`` https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_58483 * ``type:eventsource``:
* **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
* ``ssl_ca_crt`` * ``ssl_ca_crt``
* ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy) * ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy)::
* ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)
RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
* ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)::
RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
* ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store` * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store`
* ``check-error-on-caddy-log`` like ``check-error-on-apache-log`` * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
* cover test suite like resilient tests for KVM and prove it works the same way as Caddy * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
...@@ -14,6 +20,46 @@ Generally things to be done with ``caddy-frontend``: ...@@ -14,6 +20,46 @@ Generally things to be done with ``caddy-frontend``:
* change ``switch-softwaretype`` to way how ``software/erp5`` does, which will help with dropping jinja2 template for ``caddy-wrapper``, which is workaround for current situation https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_62678 * change ``switch-softwaretype`` to way how ``software/erp5`` does, which will help with dropping jinja2 template for ``caddy-wrapper``, which is workaround for current situation https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_62678
* use `slapos!326 <https://lab.nexedi.com/nexedi/slapos/merge_requests/326>`_ instead of self-developed graceful restart scripts * use `slapos!326 <https://lab.nexedi.com/nexedi/slapos/merge_requests/326>`_ instead of self-developed graceful restart scripts
* move out `test/utils.py` and use it from shared python distribution * move out `test/utils.py` and use it from shared python distribution
* provide various tricks for older browsers::
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
* Implement gzip/defalte on resources::
# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
* check, and if needed apply, Apache-like SSL configuration switches::
# SSL Configuration
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
Things which can't be implemented: Things which can't be implemented:
......
...@@ -38,7 +38,7 @@ md5sum = 8d318af17da5631d4242c0d6d1531066 ...@@ -38,7 +38,7 @@ md5sum = 8d318af17da5631d4242c0d6d1531066
[template-caddy-frontend-configuration] [template-caddy-frontend-configuration]
filename = templates/Caddyfile.in filename = templates/Caddyfile.in
md5sum = 5c048a80c2e9374adea0cd647d14b192 md5sum = 924d3bb528f590916552534934c604a2
[template-custom-slave-list] [template-custom-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
...@@ -50,11 +50,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b ...@@ -50,11 +50,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in filename = templates/default-virtualhost.conf.in
md5sum = c291422b417a906ee944de17321c0d12 md5sum = b524304177e7854232aa43bed98ddbfd
[template-cached-slave-virtualhost] [template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in filename = templates/cached-virtualhost.conf.in
md5sum = 194b1c41ae2edd1528e85bd01eb1f95b md5sum = 5aab4c15189a39837f56d4f442b233c6
[template-log-access] [template-log-access]
filename = templates/template-log-access.conf.in filename = templates/template-log-access.conf.in
......
# Automatically generated # Automatically generated
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
# TODO-Caddy BrowserMatch "Mozilla/2" nokeepalive
# TODO-Caddy BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
# TODO-Caddy downgrade-1.0 force-response-1.0
# TODO-Caddy BrowserMatch "RealPlayer 4\.0" force-response-1.0
# TODO-Caddy BrowserMatch "Java/1\.0" force-response-1.0
# TODO-Caddy BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
# TODO-Caddy BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
# TODO-Caddy BrowserMatch "MS FrontPage" redirect-carefully
# TODO-Caddy BrowserMatch "^WebDrive" redirect-carefully
# TODO-Caddy BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# TODO-Caddy BrowserMatch "^gnome-vfs" redirect-carefully
# TODO-Caddy BrowserMatch "^XML Spy" redirect-carefully
# TODO-Caddy BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
# Deflate
# TODO-Caddy AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
# TODO-Caddy BrowserMatch ^Mozilla/4 gzip-only-text/html
# TODO-Caddy BrowserMatch ^Mozilla/4\.0[678] no-gzip
# TODO-Caddy BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# SSL Configuration
# TODO-Caddy {% if slapparameter_dict.get('apache-ca-certificate') %}
# TODO-Caddy SSLCACertificateFile {{ login_ca_crt }}
# TODO-Caddy {% endif %}
# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
# TODO-Caddy SSLHonorCipherOrder on
# TODO-Caddy <FilesMatch "\.(cgi|shtml|phtml|php)$">
# TODO-Caddy SSLOptions +StdEnvVars
# TODO-Caddy </FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
# TODO-Caddy SSLProxyCheckPeerCN off
# TODO-Caddy SSLProxyCheckPeerExpire off
import {{frontend_configuration.get('log-access-configuration')}} import {{frontend_configuration.get('log-access-configuration')}}
import {{ slave_configuration_directory }}/*.conf import {{ slave_configuration_directory }}/*.conf
import {{ slave_with_cache_configuration_directory }}/*.conf import {{ slave_with_cache_configuration_directory }}/*.conf
......
...@@ -24,8 +24,6 @@ ...@@ -24,8 +24,6 @@
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {% if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {% if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{% endif %} {% endif %}
{% else %} {% else %}
insecure_skip_verify insecure_skip_verify
...@@ -45,8 +43,6 @@ ...@@ -45,8 +43,6 @@
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {% if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {% if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{% endif %} {% endif %}
{% else %} {% else %}
insecure_skip_verify insecure_skip_verify
......
...@@ -34,16 +34,10 @@ ...@@ -34,16 +34,10 @@
log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
# TODO-Caddy SSLHonorCipherOrder on
{% for disabled_cookie in disabled_cookie_list %} {% for disabled_cookie in disabled_cookie_list %}
# TODO-Caddy {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
{% endfor %} {% endfor %}
{% if prefer_gzip %} {% if prefer_gzip %}
# TODO-Caddy RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %} {% endif %}
{% if slave_type == 'zope' and backend_url %} {% if slave_type == 'zope' and backend_url %}
...@@ -63,8 +57,6 @@ ...@@ -63,8 +57,6 @@
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {% if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {% if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{% endif %} {% endif %}
{% else %} {% else %}
insecure_skip_verify insecure_skip_verify
...@@ -109,8 +101,6 @@ ...@@ -109,8 +101,6 @@
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {% if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {% if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{% endif %} {% endif %}
{% else %} {% else %}
insecure_skip_verify insecure_skip_verify
...@@ -130,11 +120,9 @@ ...@@ -130,11 +120,9 @@
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
{% for disabled_cookie in disabled_cookie_list %} {% for disabled_cookie in disabled_cookie_list %}
# TODO-Caddy {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
{% endfor %} {% endfor %}
{% if prefer_gzip %} {% if prefer_gzip %}
# TODO-Caddy RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %} {% endif %}
{% if https_only %} {% if https_only %}
...@@ -160,8 +148,6 @@ ...@@ -160,8 +148,6 @@
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {% if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {% if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{% endif %} {% endif %}
{% else %} {% else %}
insecure_skip_verify insecure_skip_verify
...@@ -201,8 +187,6 @@ ...@@ -201,8 +187,6 @@
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {% if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {% if 'ssl_proxy_ca_crt' in slave_parameter %}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
{% endif %} {% endif %}
{% else %} {% else %}
insecure_skip_verify insecure_skip_verify
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment