  1. 17 Jul, 2020 2 commits
    • caddy-frontend: Setup backend client auth · 3be5f4ce
      Łukasz Nowak authored
      By default do not offer authentication certificate, the switch
      authenticate-to-backend can be used on cluster or slave level to control
      this feature.
    • caddy-frontend: Put haproxy just before the backend · ec3d4ae9
      Łukasz Nowak authored
      This is needed in order to provide future support for client certificates
      to the backend.
      
      Also it means that haproxy is used in all cases, with or without cache, and as
      a result the "cached" version of caddy is dropped.
      
      Let haproxy setup maxconn by itself, as it's wise enough.
      
      Also trust that it'll detect and use proper limits, instead of enforcing them in
      the shell with ulimit trick (ulimit -n $(ulimit -Hn)).
      
      As empty server alias can impact the configuration, add proper test for
      checking it.
  2. 22 Jun, 2020 2 commits
  3. 04 May, 2020 1 commit
  4. 09 Oct, 2019 1 commit
  5. 28 Aug, 2019 1 commit
  6. 18 Jul, 2019 1 commit
  7. 19 Jun, 2019 1 commit
  8. 14 Jun, 2019 1 commit
  9. 23 Apr, 2019 2 commits
  10. 12 Apr, 2019 1 commit
  11. 13 Mar, 2019 1 commit
    • caddy-frontend: Implement KeDiFa SSL information · bc2b1742
      Łukasz Nowak authored
      Use KeDiFa to store keys, and transmit the url to the requester for master
      and slave partitions.
      
      Download keys on the slave partitions level.
      
      Use caucase to fetch main caucase CA.
      
      kedifa-caucase-url is published in order to have access to it.
      
      Note: caucase is prepended with kedifa, as this is that one.
      
      Use kedifa-csr tool to generate CSR and use caucase-updater macro.
      
      Switch to KeDiFa with SSL Auth and updated goodies.
      
      KeDiFa endpoint URLs are randomised.
      
      Only one (first) user certificate is going to be automatically accepted. This
      one shall be operated by the cluster owner, the requester of frontend master
      partition.
      
      Then he will be able to sign certificates for other users and also for
      services - so each node in the cluster.
      
      Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
      is used for one command generation of extensions in the certificate.
      Note: We could upgrade to openssl 1.1.1 in order to have it really
      simplified (see https://security.stackexchange.com/a/183973 )
      
      Improve CSR readability by creating cluster-identification, which is master
      partition title, and use it as Organization of the CSR.
      
      Reserve slots for data exchange in KeDiFa.
  12. 29 Jan, 2019 1 commit
  13. 06 Dec, 2018 1 commit
  14. 20 Nov, 2018 1 commit
  15. 03 Sep, 2018 3 commits
  16. 12 Jul, 2018 1 commit
    • caddy-frontend: Implement caddy_custom* · 95376d5d
      Łukasz Nowak authored
      caddy_custom_http and caddy_custom_https are implemented and exposed
      instead of apache_custom_http and apache_custom_https, but with backward
      compatibility for the latter form from apache-frontend.
      
      In TODO mark missing usage of custom http found during work on this commit.
  17. 28 Jun, 2018 1 commit