1. 03 Dec, 2020 11 commits
      stack/erp5: remove httpd and use haproxy instead · 66e85146
      Jérome Perrin authored
      Two main differences of haproxy are file format for certificates and logs.
      
      HAProxy also uses certificates in PEM format, but it expects its own server
      certificate and the key to be in the same file (although recent versions seem
      to accept separate files, we don't use this now) and the CRL and CA certificates
      also all together in the same file.
      We change to use the same file for certificate and key and for CA and CRL, in
      the updater script we build PEM files containing all CA certificates and
      all CRLs together.
      Also, since haproxy needs to be reloaded when certificates change, we run it in
      master-worker mode, with a pid file so that we can signal it to reload.
      
      For the logs, since haproxy does not log to file, we introduce a rsyslogd to
      log to a file. The log format is same as with httpd, except that timings are not
      in microseconds but in milliseconds - this did not seem to be configurable.
      This is a problem for apachedex reports on log, for that we plan to use an
      updated version of apachedex with support for `%{ms}T` for durations.
      
      HAProxy is configured with same timeouts, except:
       - "connect" timeout has been increased a bit (from 5 to 10s), because the
         comment "The connection should be immediate on LAN" was no longer true, now
         that haproxy is accessed from frontend.
       - the server entries for testrunner have a very long timeout (8h) because some
         ERP5 functional tests exceed the 305s timeout.
      
      The SSL configuration is with current "modern" config from https://ssl-config.mozilla.org/
      
      Tests have been modified a bit, because haproxy uses HTTP/2.0 and not 1.1
      like httpd was doing. Several haproxy features (keep alive and gzip
      compression) are only available when backend uses HTTP/1.1, so we adjusted
      tests to use a 1.1 backend.
      
      There were also differences with logs, because of the time being in milliseconds.
      
      TestPublishedURLIsReachableMixin._checkERP5IsReachable was also updated, it
      was working by chance because when accessed behind httpd->haproxy->zope, zope
      was producing a redirect URL that was the URL of haproxy, which could be
      resolved by chance. This test was updated to access zope with a path that
      contains VirtualHostMonster magic, as the shared frontend (with "zope" software
      type) is supposed to set.
      
      This should hopefully solve the "502 Proxy Error" that we are observing with httpd.
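
The bundle layout described in this commit message (certificate and key in one file, CA certificates and CRLs in another, then a reload of the master process), as an added example that is not code from the commit or from SlapOS. Function names, file names and the assumption that the first entry of the pid file is the master pid are illustrative.

```python
import os
import re
import signal
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

def build_bundle(sources, required, private_keys):
    """Join PEM blocks; require labels, allow exactly private_keys key blocks."""
    blocks = []
    for path in sources:
        with open(path) as f:
            blocks += [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(f.read())]
    labels = [label for label, _ in blocks]
    missing = [label for label in required if label not in labels]
    keys = sum(label.endswith("PRIVATE KEY") for label in labels)
    if missing or keys != private_keys:
        raise ValueError("bad bundle: missing=%r private_keys=%d" % (missing, keys))
    # A newline after every block keeps END and BEGIN lines from fusing.
    return "".join(text + "\n" for _, text in blocks)

def install_if_changed(path, content):
    """Atomically replace path (mode 0600); return True when it changed."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
        f.write(content)
    os.replace(tmp, path)
    return True

def reload_haproxy(pid_file):
    """Send SIGUSR2 to the master process (assumed first pid in pid_file)."""
    with open(pid_file) as f:
        os.kill(int(f.read().split()[0]), signal.SIGUSR2)

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    # Constructed placeholder blocks, not real certificates or CRLs.
    for name, label in (("ca.crt", "CERTIFICATE"), ("ca.crl", "X509 CRL")):
        with open(os.path.join(d, name), "w") as f:
            f.write("-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----" % (label, label))
    srcs = [os.path.join(d, n) for n in ("ca.crt", "ca.crl")]
    bundle = build_bundle(srcs, ["CERTIFICATE", "X509 CRL"], 0)
    print(install_if_changed(os.path.join(d, "ca-and-crl.pem"), bundle))
```

Calling `reload_haproxy` only when `install_if_changed` returns True avoids reloading on every updater run.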
      software/slapos-master: copy haproxy.cfg.in · c82ad114
      Jérome Perrin authored
      This profile will change in stack/erp5 and in erp5 haproxy will also play the
      role of apache, but in slapos-master we will keep both apache and haproxy for
      a while.
      software/erp5/test: make TestAccessLog.test_access_log_format more robust · f13bd84e
      Jérome Perrin authored
      There can be a short delay after the request until the request is logged, so
      wait a bit more before inspecting the log.
      
      There can be lines from requests made in previous tests, so make sure to only
      read the last line.
      software/erp5/test: Make the "slow server" from test reply in 2 seconds · 32058a62
      Jérome Perrin authored
      Since haproxy checks backend is up at an interval of 3 seconds with a timeout
      of 3 seconds, it can happen that the server replies in a bit more than 3 seconds
      and haproxy marks it as down.
      
      By using a shorter response time in test, we can achieve the same test coverage
      without this race condition and test runs a bit faster.
      software/erp5/test: check that cert and key can be passed as instance parameter · 11ba673a
      Jérome Perrin authored
      Since we don't use caucase yet, it's necessary to make sure this feature is
      not lost.
      software/erp5/test: rename CaucaseClientCertificate to CaucaseCertificate · 3364174a
      Jérome Perrin authored
      This resource is just a certificate, not necessarily a certificate to use as
      client.
      software/erp5/test: make forwarded for test more relaxed · ac7b74e4
      Jérome Perrin authored
      The test expecting that X-Forwarded-For is empty can also accept the
      case where X-Forwarded-For header is not present.
      postfix: version up · be655d15
      Nicolas Wavrant authored
      Further work by Vincent Pelletier:
      - do not enable openldap dependency, we do not need such advanced features
        (yet ?)
      - refresh noroot.patch
      - if this component is to reference m4, then it should extend it
      component/logrotate: Version up to 3.17.0. · b362488c
      Vincent Pelletier authored
      Fixes FTBFS on gcc 10.
      0f727e18
  2. 02 Dec, 2020 10 commits
  3. 01 Dec, 2020 11 commits
  4. 30 Nov, 2020 8 commits