Commit 4ba968e4 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Working implementation

Features:

 * shared place for Caddy configuration
 * gather a lot of parameters for the caddy executable, as unlike Apache,
   Caddy is configured from the command line
 * dummy vhost for example.org
 * challenges (ACME SSL) are disabled
 * bind to interfaces are done per site
 * cache access is dummy, but working
 * /server-status redone in Caddy style
 * antiloris dropped, as this is apache specific
 * apache_custom_http and apache_custom_https
 * dropped not needed leftover access-control-string and protected-path
 * nginx replacement added
 * bin/caddy-wrapper is provided in order to allow parameterization of caddy
   over the network
 * access to log files over http is provided
   * username on log access is consistent, it is not uppercased like it was
     originally on apache-frontend
 * list of TODOs in TODO.rst
parent 97ef6396
Generally things to be done with ``caddy-frontend``:
* ``apache-ca-certificate`` shall be merged with ``apache-certificate``
* (new) ``type:websocket`` slave
* ``type:eventsource`` https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_58483
* ``ssl_ca_crt``
* ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy)
* ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)
* ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store`
* ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
* cover test suite like resilient tests for KVM and prove it works the same way as Caddy
* simplify Jijna2 syntax and drop whitespace control, as it is not needed
* make beautiful (eg. with whitespaces and nice comments) generated files (mostly Jinja2)
* have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones (like ``apache_custom_http`` --> ``caddy_custom_http``)
...@@ -4,7 +4,6 @@ ...@@ -4,7 +4,6 @@
# - "^[" section beginings, copied verbatim # - "^[" section beginings, copied verbatim
# - lines containing an "=" sign which must fit in the following categorie. # - lines containing an "=" sign which must fit in the following categorie.
# - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file # - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
# But avoid directories, they are not portable.
# Copied verbatim. # Copied verbatim.
# - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported # - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
# by the re-generation script. # by the re-generation script.
...@@ -19,7 +18,7 @@ md5sum = f686f765e55d1dce2e55a400f0714b3e ...@@ -19,7 +18,7 @@ md5sum = f686f765e55d1dce2e55a400f0714b3e
[template-apache-frontend] [template-apache-frontend]
filename = instance-apache-frontend.cfg filename = instance-apache-frontend.cfg
md5sum = b6a2c860ea1cd4bc9d185c7108c52d0a md5sum = 7414a34216db1cce54b38b59fc762141
[template-apache-replicate] [template-apache-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
...@@ -27,43 +26,39 @@ md5sum = 9e76028df7e93d3e32982884d5dc0913 ...@@ -27,43 +26,39 @@ md5sum = 9e76028df7e93d3e32982884d5dc0913
[template-slave-list] [template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
md5sum = 24e514ad6f15859229db46f24a8cd280 md5sum = 74bfedd670b05eb653804075fa7e0d86
[template-slave-configuration] [template-slave-configuration]
filename = templates/custom-virtualhost.conf.in filename = templates/custom-virtualhost.conf.in
md5sum = d103143e5d50682bd5ad43117d82e2fa md5sum = 74275ad73b03114c69f80c8f8ae73374
[template-replicate-publish-slave-information] [template-replicate-publish-slave-information]
filename = templates/replicate-publish-slave-information.cfg.in filename = templates/replicate-publish-slave-information.cfg.in
md5sum = 665e83d660c9b779249b2179d7ce4b4e md5sum = 665e83d660c9b779249b2179d7ce4b4e
[template-apache-frontend-configuration] [template-caddy-frontend-configuration]
filename = templates/apache.conf.in filename = templates/Caddyfile.in
md5sum = a56045e7b53ff00ab34d2a8f911fc1a1 md5sum = a8765b3c3af9f4f4f6437028aa42c58f
[template-custom-slave-list] [template-custom-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
md5sum = 24e514ad6f15859229db46f24a8cd280 md5sum = 74bfedd670b05eb653804075fa7e0d86
[template-not-found-html] [template-not-found-html]
filename = templates/notfound.html filename = templates/notfound.html
md5sum = f20d6c3d2d94fb685f8d26dfca1e822b md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-virtualhost]
filename = templates/000.conf.in
md5sum = d98a01182f38868612948c87d5231428
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in filename = templates/default-virtualhost.conf.in
md5sum = 7f38084af107034bedefba971abe165c md5sum = cab1b54a568fb24ed0f409b0f3e5fad2
[template-cached-slave-virtualhost] [template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in filename = templates/cached-virtualhost.conf.in
md5sum = 1a1a53d9ac4a1591c017d86850a94796 md5sum = 42a574141f2d8e27669e3848d2e600a1
[template-log-access] [template-log-access]
filename = templates/template-log-access.conf.in filename = templates/template-log-access.conf.in
md5sum = f85005b430978f3bd24ee7ce11b0e304 md5sum = 82bd8044f51d5b28f8e43b14704c282e
[template-empty] [template-empty]
filename = templates/empty.in filename = templates/empty.in
...@@ -73,6 +68,10 @@ md5sum = c2314c3a9c3412a38d14b312d3df83c1 ...@@ -73,6 +68,10 @@ md5sum = c2314c3a9c3412a38d14b312d3df83c1
filename = templates/wrapper.in filename = templates/wrapper.in
md5sum = 8cde04bfd0c0e9bd56744b988275cfd8 md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
[template-caddy-wrapper]
filename = templates/caddy-wrapper.in
md5sum = c5816275757124613920078b6bec1caf
[template-trafficserver-records-config] [template-trafficserver-records-config]
filename = templates/trafficserver/records.config.jinja2 filename = templates/trafficserver/records.config.jinja2
md5sum = 84baef0a49c9a65e8f2d2ffdb8c1d39c md5sum = 84baef0a49c9a65e8f2d2ffdb8c1d39c
...@@ -83,20 +82,20 @@ md5sum = 117238225b3fc3c5b5be381815f44c67 ...@@ -83,20 +82,20 @@ md5sum = 117238225b3fc3c5b5be381815f44c67
[template-nginx-configuration] [template-nginx-configuration]
filename = templates/nginx.cfg.in filename = templates/nginx.cfg.in
md5sum = 18633ce55e53340efa1ba7693aac4152 md5sum = cdc550b5067f76f1cab24f94178710a4
[template-nginx-eventsource-slave-virtualhost] [template-nginx-eventsource-slave-virtualhost]
filename = templates/nginx-eventsource-slave.conf.in filename = templates/nginx-eventsource-slave.conf.in
md5sum = a5186f666acb2f040ede04c91e60408f md5sum = 7fb09bb130dc463a6736c1f319e798d6
[template-nginx-notebook-slave-virtualhost] [template-nginx-notebook-slave-virtualhost]
filename = templates/nginx-notebook-slave.conf.in filename = templates/nginx-notebook-slave.conf.in
md5sum = 82d74a7f2aceb2b4a7acc6259291b7f2 md5sum = afa11dda952b2317227e5c72508aeda2
[template-apache-lazy-script-call] [template-apache-lazy-script-call]
filename = templates/apache-lazy-script-call.sh.in filename = templates/apache-lazy-script-call.sh.in
md5sum = ebe5d3d19923eb812a40019cb11276d8 md5sum = ebe5d3d19923eb812a40019cb11276d8
[template-apache-graceful-script] [template-caddy-graceful-script]
filename = templates/apache-graceful-script.sh.in filename = templates/caddy-graceful-script.sh.in
md5sum = 41299cc64200e7b8217fb9dec20bb8b9 md5sum = 455f8765a3afd39fb78562fb9e326c42
...@@ -10,7 +10,6 @@ extends = ...@@ -10,7 +10,6 @@ extends =
../../component/rdiff-backup/buildout.cfg ../../component/rdiff-backup/buildout.cfg
../../component/trafficserver/buildout.cfg ../../component/trafficserver/buildout.cfg
../../component/nginx/buildout.cfg
../../stack/nodejs.cfg ../../stack/nodejs.cfg
# Monitoring stack (keep on bottom) # Monitoring stack (keep on bottom)
../../stack/monitor/buildout.cfg ../../stack/monitor/buildout.cfg
...@@ -20,12 +19,10 @@ parts += ...@@ -20,12 +19,10 @@ parts +=
template-apache-frontend template-apache-frontend
template-apache-replicate template-apache-replicate
apache apache
apache-antiloris
dcron dcron
logrotate logrotate
rdiff-backup rdiff-backup
nginx-push-stream-output
npm-modules npm-modules
proxy-by-url proxy-by-url
http-proxy http-proxy
...@@ -70,9 +67,9 @@ filename = custom-virtualhost.conf.in ...@@ -70,9 +67,9 @@ filename = custom-virtualhost.conf.in
<=download-template <=download-template
filename = replicate-publish-slave-information.cfg.in filename = replicate-publish-slave-information.cfg.in
[template-apache-frontend-configuration] [template-caddy-frontend-configuration]
<=download-template <=download-template
filename = apache.conf.in filename = Caddyfile.in
[template-custom-slave-list] [template-custom-slave-list]
<=download-template <=download-template
...@@ -82,10 +79,6 @@ filename = apache-default-slave-list.cfg.in ...@@ -82,10 +79,6 @@ filename = apache-default-slave-list.cfg.in
<=download-template <=download-template
filename = notfound.html filename = notfound.html
[template-default-virtualhost]
<=download-template
filename = 000.conf.in
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
<=download-template <=download-template
filename = default-virtualhost.conf.in filename = default-virtualhost.conf.in
...@@ -102,6 +95,12 @@ filename = template-log-access.conf.in ...@@ -102,6 +95,12 @@ filename = template-log-access.conf.in
<=download-template <=download-template
filename = empty.in filename = empty.in
[template-caddy-wrapper]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/templates/caddy-wrapper.in
output = ${buildout:directory}/template-caddy-wrapper.cfg
mode = 0644
[template-wrapper] [template-wrapper]
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/templates/wrapper.in url = ${:_profile_base_location_}/templates/wrapper.in
...@@ -137,9 +136,9 @@ mode = 0644 ...@@ -137,9 +136,9 @@ mode = 0644
<=download-template <=download-template
filename = apache-lazy-script-call.sh.in filename = apache-lazy-script-call.sh.in
[template-apache-graceful-script] [template-caddy-graceful-script]
<=download-template <=download-template
filename = apache-graceful-script.sh.in filename = caddy-graceful-script.sh.in
[template-nginx-eventsource-slave-virtualhost] [template-nginx-eventsource-slave-virtualhost]
<=download-template <=download-template
<VirtualHost *:{{ https_port }}>
ServerName www.example.org
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
ErrorDocument 404 /notfound.html
</VirtualHost>
<VirtualHost *:{{ http_port }}>
ServerName www.example.org
ErrorDocument 404 /notfound.html
</VirtualHost>
\ No newline at end of file
# Automatically generated
# As backend is trusting REMOTE_USER header unset it always
# TODO-Caddy RequestHeader unset REMOTE_USER
# TODO-Caddy <Directory {{ document_root }}>
# TODO-Caddy Require all granted
# TODO-Caddy Options -Indexes
# TODO-Caddy ErrorDocument 404 /notfound.html
# TODO-Caddy RewriteEngine on
# TODO-Caddy RewriteRule ^/?$ notfound.html [R=404,L]
# TODO-Caddy </Directory>
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
# TODO-Caddy BrowserMatch "Mozilla/2" nokeepalive
# TODO-Caddy BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
# TODO-Caddy downgrade-1.0 force-response-1.0
# TODO-Caddy BrowserMatch "RealPlayer 4\.0" force-response-1.0
# TODO-Caddy BrowserMatch "Java/1\.0" force-response-1.0
# TODO-Caddy BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
# TODO-Caddy BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
# TODO-Caddy BrowserMatch "MS FrontPage" redirect-carefully
# TODO-Caddy BrowserMatch "^WebDrive" redirect-carefully
# TODO-Caddy BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# TODO-Caddy BrowserMatch "^gnome-vfs" redirect-carefully
# TODO-Caddy BrowserMatch "^XML Spy" redirect-carefully
# TODO-Caddy BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
# Deflate
# TODO-Caddy AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
# TODO-Caddy BrowserMatch ^Mozilla/4 gzip-only-text/html
# TODO-Caddy BrowserMatch ^Mozilla/4\.0[678] no-gzip
# TODO-Caddy BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# SSL Configuration
# TODO-Caddy {% if slapparameter_dict.get('apache-ca-certificate') %}
# TODO-Caddy SSLCACertificateFile {{ login_ca_crt }}
# TODO-Caddy {% endif %}
# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
# TODO-Caddy SSLHonorCipherOrder on
# TODO-Caddy <FilesMatch "\.(cgi|shtml|phtml|php)$">
# TODO-Caddy SSLOptions +StdEnvVars
# TODO-Caddy </FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
# TODO-Caddy SSLProxyCheckPeerCN off
# TODO-Caddy SSLProxyCheckPeerExpire off
import {{frontend_configuration.get('log-access-configuration')}}
import {{ slave_configuration_directory }}/*.conf
import {{ slave_with_cache_configuration_directory }}/*.conf
https://[{{ global_ipv6 }}]:{{ https_port }}/, https://{{ local_ipv4 }}:{{ https_port }}/ {
tls {{ login_certificate }} {{ login_key }}
bind {{ local_ipv4 }}
status 404 /
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
tls {{ login_certificate }} {{ login_key }}
bind {{ local_ipv4 }}
basicauth "{{ username }}" {{ password }} {
"Server Status"
/
}
expvar
pprof
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
http://[{{ global_ipv6 }}]:{{ http_port }}/, http://{{ local_ipv4 }}:{{ http_port }}/ {
bind {{ local_ipv4 }}
status 404 /
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
# TODO-Caddy ErrorDocument 404 /notfound.html
# TODO-Caddy RewriteRule (.*) /notfound.html [R=404,L]
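Review bot: The REMOTE_USER stripping announced by the comment `As backend is trusting REMOTE_USER header unset it always` is no longer in effect, because the directive right under it is now a `# TODO-Caddy` comment, so a client-supplied REMOTE_USER header reaches the backends unless the per-slave proxy configuration (rendered from templates outside this file) removes it. Caddy 0.x's proxy directive accepts `header_upstream -REMOTE_USER` inside its block; that line belongs in every proxy block generated for a slave, and the comment here should point there instead of keeping the Apache syntax as a TODO. In the `/server-status` site, the basicauth block lists `"Server Status"` as a bare line; in Caddy 0.x a bare line inside that block is read as a protected resource path, so the realm needs to be written `realm "Server Status"`, and quoting the password as `"{{ password }}"` keeps the directive intact for any character the Caddyfile tokenizer treats specially.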
...@@ -9,7 +9,7 @@ ...@@ -9,7 +9,7 @@
{% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) -%} {% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) -%}
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{% set NGINX_TYPE_LIST = ['eventsource', 'notebook'] -%} {% set NGINX_TYPE_LIST = ['eventsource', 'notebook'] -%}
{% set generic_instance_parameter_dict = {'cache_access': cache_access,} -%} {% set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port} %}
{% set slave_log_dict = {} -%} {% set slave_log_dict = {} -%}
{% if extra_slave_instance_list -%} {% if extra_slave_instance_list -%}
{% set slave_instance_information_list = [] -%} {% set slave_instance_information_list = [] -%}
...@@ -47,7 +47,6 @@ crl = {{ custom_ssl_directory }}/crl/ ...@@ -47,7 +47,6 @@ crl = {{ custom_ssl_directory }}/crl/
{# Loop throught slave list to set up slaves #} {# Loop throught slave list to set up slaves #}
{% for slave_instance in slave_instance_list -%} {% for slave_instance in slave_instance_list -%}
{# # Do all set and do upper, so it makes easy to read the file later #}
{% set slave_reference = slave_instance.get('slave_reference') -%} {% set slave_reference = slave_instance.get('slave_reference') -%}
{% set slave_type = slave_instance.get('type', '') -%} {% set slave_type = slave_instance.get('type', '') -%}
{% set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%} {% set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%}
...@@ -57,10 +56,9 @@ crl = {{ custom_ssl_directory }}/crl/ ...@@ -57,10 +56,9 @@ crl = {{ custom_ssl_directory }}/crl/
{% set slave_logrotate_section = slave_reference + "-logs" -%} {% set slave_logrotate_section = slave_reference + "-logs" -%}
{% set slave_password_section = slave_reference + "-password" -%} {% set slave_password_section = slave_reference + "-password" -%}
{% set slave_ln_section = slave_reference + "-ln" -%} {% set slave_ln_section = slave_reference + "-ln" -%}
{% set slave_htaccess_section = slave_reference + '-htaccess' %}
{# extend parts #} {# extend parts #}
{% do part_list.extend([slave_htaccess_section, slave_ln_section]) -%} {% do part_list.extend([slave_ln_section]) -%}
{% do part_list.extend([slave_logrotate_section, slave_section_title]) -%} {% do part_list.extend([slave_logrotate_section, slave_section_title]) -%}
{% set slave_log_folder = logrotate_dict.get('backup') + '/' + slave_reference + "-logs" -%} {% set slave_log_folder = logrotate_dict.get('backup') + '/' + slave_reference + "-logs" -%}
...@@ -74,7 +72,7 @@ crl = {{ custom_ssl_directory }}/crl/ ...@@ -74,7 +72,7 @@ crl = {{ custom_ssl_directory }}/crl/
{# Add slave log directory to the slave log access dict #} {# Add slave log directory to the slave log access dict #}
{% do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %} {% do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %}
{% set slave_log_access_url = 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('apache-ipv6') + ']:' + frontend_configuration.get('apache-https-port') + '/' + slave_reference.lower() + '/' %} {% set slave_log_access_url = 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('caddy-ipv6') + ']:' + frontend_configuration.get('caddy-https-port') + '/' + slave_reference.lower() + '/' %}
{% do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %} {% do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
{% do slave_publish_dict.__setitem__('slave-reference', slave_reference) %} {% do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
{% do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %} {% do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %}
...@@ -101,16 +99,19 @@ crl = {{ custom_ssl_directory }}/crl/ ...@@ -101,16 +99,19 @@ crl = {{ custom_ssl_directory }}/crl/
{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%} {% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
{% endif -%} {% endif -%}
{% if not slave_instance.has_key('apache_custom_http') %} {% if not slave_instance.has_key('apache_custom_http') and not slave_instance.has_key('apache_custom_https') %}
{% do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%} {% do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%} {% do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) -%} {% do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%} {% do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
{% endif -%} {% endif -%}
[slave-log-directories] [slave-log-directory-dict]
{{slave_reference}} = {{ slave_log_folder }} {{slave_reference}} = {{ slave_log_folder }}
[slave-password]
{{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}
{# Set slave logrotate entry #} {# Set slave logrotate entry #}
[{{slave_logrotate_section}}] [{{slave_logrotate_section}}]
<= logrotate <= logrotate
...@@ -131,13 +132,6 @@ recipe = slapos.cookbook:generate.password ...@@ -131,13 +132,6 @@ recipe = slapos.cookbook:generate.password
storage-path = {{apache_configuration_directory}}/.{{slave_reference}}.passwd storage-path = {{apache_configuration_directory}}/.{{slave_reference}}.passwd
bytes = 8 bytes = 8
{# Set up htaccess file for slave #}
[{{slave_htaccess_section}}]
recipe = plone.recipe.command
stop-on-error = true
htaccess-path = {{apache_configuration_directory}}/.{{slave_reference}}.htaccess
command = {{frontend_configuration.get('apache-directory')}}/bin/htpasswd -cb ${:htaccess-path} {{ slave_reference }} {{ '${' + slave_password_section + ':passwd}' }}
{# ################################################## #} {# ################################################## #}
{# Set Slave Certificates if needed #} {# Set Slave Certificates if needed #}
...@@ -162,6 +156,13 @@ value = {{ dumps(slave_instance.get(cert_name)) }} ...@@ -162,6 +156,13 @@ value = {{ dumps(slave_instance.get(cert_name)) }}
{% endif -%} {% endif -%}
{% endfor -%} {% endfor -%}
{#- Set Up Certs #}
{%- do slave_instance.__setitem__('login_certificate', login_certificate) %}
{%- do slave_instance.__setitem__('login_key', login_key) %}
{%- do slave_instance.__setitem__('login_ca_crt', login_ca_crt) %}
{%- do slave_instance.__setitem__('enable_http2_by_default', enable_http2_by_default) %}
{%- do slave_parameter_dict.__setitem__('ssl_crt', login_certificate) %}
{%- do slave_parameter_dict.__setitem__('ssl_key', login_key) %}
{% if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance -%} {% if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance -%}
{% set cert_title = '%s-crt' % (slave_reference) -%} {% set cert_title = '%s-crt' % (slave_reference) -%}
{% set key_title = '%s-key' % (slave_reference) -%} {% set key_title = '%s-key' % (slave_reference) -%}
...@@ -320,6 +321,7 @@ extra-context = ...@@ -320,6 +321,7 @@ extra-context =
{% endfor %} {% endfor %}
[slave-log-directories] [slave-log-directories]
<= slave-log-directory-dict
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
{# Define log access #} {# Define log access #}
...@@ -328,9 +330,19 @@ recipe = slapos.cookbook:mkdirectory ...@@ -328,9 +330,19 @@ recipe = slapos.cookbook:mkdirectory
template = {{frontend_configuration.get('template-log-access')}} template = {{frontend_configuration.get('template-log-access')}}
rendered = {{frontend_configuration.get('log-access-configuration')}} rendered = {{frontend_configuration.get('log-access-configuration')}}
extra-context = extra-context =
section slave_log_directory slave-log-directories section slave_log_directory slave-log-directory-dict
section slave_password slave-password
raw apache_log_directory {{apache_log_directory}} raw apache_log_directory {{apache_log_directory}}
raw apache_configuration_directory {{apache_configuration_directory}} raw apache_configuration_directory {{apache_configuration_directory}}
raw local_ipv4 {{ local_ipv4 }}
raw local_ipv6 {{ local_ipv6 }}
raw https_port {{ https_port }}
raw http_port {{ http_port }}
raw global_ipv6 {{ global_ipv6 }}
raw login_certificate {{ login_certificate }}
raw login_key {{ login_key }}
raw access_log {{ access_log }}
raw error_log {{ error_log }}
{# Publish information for the instance #} {# Publish information for the instance #}
[publish-apache-information] [publish-apache-information]
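Review bot: The new `[slave-password]` section (`{{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}`) together with the new context line `section slave_password slave-password` hands every slave's plaintext password to the log-access template, whereas the dropped htaccess step kept only an htpasswd hash on disk; presumably this is because Caddy's basicauth takes the clear password. The file written by `rendered = {{frontend_configuration.get('log-access-configuration')}}` therefore holds all slave credentials in clear and is then pulled into the main Caddyfile by its import line, so the rendering section should set a restrictive `mode` (the recipe's mode is not visible in this hunk) and a comment above `[slave-password]` should state that the section exposes clear-text credentials to the renderer. The `[slave-log-directories]` section now inherits `<= slave-log-directory-dict` while keeping `recipe = slapos.cookbook:mkdirectory`; a one-line comment saying that the inherited options are the directories to create would help the next reader.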
#!/bin/sh
RUN_DIR={{ directory_run }}
ETC_DIR={{ directory_etc }}
APACHE_SIGNATURE_FILE=$RUN_DIR/apache_configuration.signature
NAPACHE_SIGNATURE_FILE=$RUN_DIR/napache_configuration.signature
touch $APACHE_SIGNATURE_FILE
sha256sum $ETC_DIR/apache*.conf $ETC_DIR/apache-*.d/*.conf $ETC_DIR/apache-*.d/ssl/*.*key $ETC_DIR/apache-*.d/ssl/*.*crt* | sort -k 66 > $NAPACHE_SIGNATURE_FILE
# If no diff, no restart for now
if diff "$APACHE_SIGNATURE_FILE" "$NAPACHE_SIGNATURE_FILE"; then
echo "Nothing Changed, so nothing to reload"
exit 0
fi
echo "Reloading apache.."
{{ apache_graceful_reload_command }}
mv "$NAPACHE_SIGNATURE_FILE" "$APACHE_SIGNATURE_FILE"
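Review bot: If this section is the renamed `caddy-graceful-script.sh.in` (buildout.hash.cfg renames the template and changes its md5sum in this commit, so the text shown is presumably the new side), the signature is still computed only over `$ETC_DIR/apache*.conf`, `$ETC_DIR/apache-*.d/*.conf` and the `apache-*.d/ssl` key and certificate globs, so a change to the Caddy configuration or its certificates would leave the signature unchanged and `{{ apache_graceful_reload_command }}` would never run. The globs and the `Reloading apache..` message need to follow whatever paths the Caddyfile and the slave configuration are now written to, which is not visible here. The `touch $APACHE_SIGNATURE_FILE` and `> $NAPACHE_SIGNATURE_FILE` lines would also benefit from the same double quoting the `diff` and `mv` lines already use.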
# Apache configuration file for Zope
# Automatically generated
# Basic server configuration
PidFile "{{ pid_file }}"
ServerName {{ domain }}
DocumentRoot {{ document_root }}
ServerRoot {{ instance_home }}
{{ "Listen %s:%s" % (ipv4_addr, cached_port) }}
{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port) }}
{% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%}
{% for port in (http_port, https_port) -%}
{{ "Listen %s:%s" % (ip, port) }}
{% endfor -%}
{% endfor -%}
ServerAdmin {{ server_admin }}
TypesConfig {{ httpd_home }}/conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# As backend is trusting REMOTE_USER header unset it always
RequestHeader unset REMOTE_USER
ServerTokens Prod
# Disable TRACE Method
TraceEnable off
# Log configuration
ErrorLog "{{ error_log }}"
LogLevel notice
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common
# CustomLog "{{ access_log }}" common
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ access_log }}" combined
<Directory {{ protected_path }}>
Order Deny,Allow
Allow from {{ access_control_string }}
</Directory>
<Directory {{ document_root }}>
Require all granted
Options -Indexes
ErrorDocument 404 /notfound.html
RewriteEngine on
RewriteRule ^/?$ notfound.html [R=404,L]
</Directory>
# List of modules
LoadModule unixd_module {{ httpd_home }}/modules/mod_unixd.so
LoadModule access_compat_module {{ httpd_home }}/modules/mod_access_compat.so
LoadModule authz_core_module {{ httpd_home }}/modules/mod_authz_core.so
LoadModule authz_host_module {{ httpd_home }}/modules/mod_authz_host.so
LoadModule authn_core_module {{ httpd_home }}/modules/mod_authn_core.so
LoadModule log_config_module {{ httpd_home }}/modules/mod_log_config.so
LoadModule deflate_module {{ httpd_home }}/modules/mod_deflate.so
LoadModule setenvif_module {{ httpd_home }}/modules/mod_setenvif.so
LoadModule version_module {{ httpd_home }}/modules/mod_version.so
LoadModule proxy_module {{ httpd_home }}/modules/mod_proxy.so
LoadModule proxy_http_module {{ httpd_home }}/modules/mod_proxy_http.so
LoadModule ssl_module {{ httpd_home }}/modules/mod_ssl.so
LoadModule mime_module {{ httpd_home }}/modules/mod_mime.so
LoadModule dav_module {{ httpd_home }}/modules/mod_dav.so
LoadModule dav_fs_module {{ httpd_home }}/modules/mod_dav_fs.so
LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so
LoadModule rewrite_module {{ httpd_home }}/modules/mod_rewrite.so
LoadModule headers_module {{ httpd_home }}/modules/mod_headers.so
LoadModule cache_module {{ httpd_home }}/modules/mod_cache.so
LoadModule cache_socache_module {{ httpd_home }}/modules/mod_cache_socache.so
LoadModule socache_shmcb_module {{ httpd_home }}/modules/mod_socache_shmcb.so
LoadModule antiloris_module {{ httpd_home }}/modules/mod_antiloris.so
LoadModule alias_module {{ httpd_home }}/modules/mod_alias.so
LoadModule autoindex_module {{ httpd_home }}/modules/mod_autoindex.so
LoadModule auth_basic_module {{ httpd_home }}/modules/mod_auth_basic.so
LoadModule authz_user_module {{ httpd_home }}/modules/mod_authz_user.so
LoadModule authn_file_module {{ httpd_home }}/modules/mod_authn_file.so
LoadModule filter_module {{ httpd_home }}/modules/mod_filter.so
LoadModule http2_module {{ httpd_home }}/modules/mod_http2.so
LoadModule info_module {{ httpd_home }}/modules/mod_info.so
LoadModule status_module {{ httpd_home }}/modules/mod_status.so
LoadModule reqtimeout_module {{ httpd_home }}/modules/mod_reqtimeout.so
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
{% if slapparameter_dict.get('enable-http2-by-default', 'true') == 'true' %}
Protocols h2 http/1.1
{% endif %}
# Increase IPReadLimit to 10
<IfModule antiloris_module>
# IPReadLimit - Maximum simultaneous connections in READ state per IP address
IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }}
</IfModule>
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from All
AuthType basic
AuthName "Apache Server Status"
AuthBasicProvider file
AuthUserFile {{ instance_home }}/etc/monitor-htpasswd
Require valid-user
</Location>
ServerLimit {{ slapparameter_dict.get('mpm-server-limit', '16') }}
MaxClients {{ slapparameter_dict.get('mpm-max-clients', '400') }}
StartServers {{ slapparameter_dict.get('mpm-start-servers', '3') }}
ThreadsPerChild {{ slapparameter_dict.get('mpm-thread-per-child', '25') }}
#MaxRequestsPerChild 0 // Default value is 0
GracefulShutdownTimeout {{ slapparameter_dict.get('mpm-graceful-shutdown-timeout', '5') }}
# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# SSL Configuration
SSLCertificateFile {{ login_certificate }}
SSLCertificateKeyFile {{ login_key }}
{% if slapparameter_dict.get('apache-ca-certificate') %}
SSLCACertificateFile {{ login_ca_crt }}
{% endif %}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
include {{frontend_configuration.get('log-access-configuration')}}
includeoptional {{ slave_configuration_directory }}/*.conf
includeoptional {{ slave_with_cache_configuration_directory }}/*.conf
ErrorDocument 404 /notfound.html
RewriteRule (.*) /notfound.html [R=404,L]
...@@ -2,50 +2,50 @@ ...@@ -2,50 +2,50 @@
{% set server_alias_list = slave_parameter.get('server-alias', '').split() %} {% set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} {% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
# Only accept generic (i.e not Zope) backends on http # TODO-Caddy # Only accept generic (i.e not Zope) backends on http
<VirtualHost *:{{ cached_port }}> # TODO-Caddy <VirtualHost *:{{ cached_port }}>
ServerName {{ slave_parameter.get('custom_domain') }} # TODO-Caddy ServerName {{ slave_parameter.get('custom_domain') }}
{%- for server_alias in server_alias_list %} # TODO-Caddy {%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }} # TODO-Caddy ServerAlias {{ server_alias }}
{% endfor %} # TODO-Caddy {% endfor %}
SSLProxyEngine on # TODO-Caddy SSLProxyEngine on
{% if ssl_proxy_verify -%} # TODO-Caddy {% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%} # TODO-Caddy {% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }} # TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %} # TODO-Caddy {% endif %}
SSLProxyVerify require # TODO-Caddy SSLProxyVerify require
#SSLProxyCheckPeerCN on # TODO-Caddy #SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on # TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %} # TODO-Caddy {% endif %}
# Rewrite part # TODO-Caddy # Rewrite part
ProxyPreserveHost On # TODO-Caddy ProxyPreserveHost On
ProxyTimeout 600 # TODO-Caddy ProxyTimeout 600
RewriteEngine On # TODO-Caddy RewriteEngine On
# TODO-Caddy
RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P] # TODO-Caddy RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
</VirtualHost> # TODO-Caddy </VirtualHost>
<VirtualHost *:{{ ssl_cached_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
{%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }}
{% endfor %}
SSLProxyEngine on
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
</VirtualHost>
# TODO-Caddy <VirtualHost *:{{ ssl_cached_port }}>
# TODO-Caddy ServerName {{ slave_parameter.get('custom_domain') }}
# TODO-Caddy {%- for server_alias in server_alias_list %}
# TODO-Caddy ServerAlias {{ server_alias }}
# TODO-Caddy {% endfor %}
# TODO-Caddy SSLProxyEngine on
# TODO-Caddy
# TODO-Caddy {% if ssl_proxy_verify -%}
# TODO-Caddy {% if 'ssl_proxy_ca_crt' in slave_parameter -%}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# TODO-Caddy {% endif %}
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
# TODO-Caddy {% endif %}
# TODO-Caddy # Rewrite part
# TODO-Caddy ProxyPreserveHost On
# TODO-Caddy ProxyTimeout 600
# TODO-Caddy RewriteEngine On
# TODO-Caddy
# TODO-Caddy RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
# TODO-Caddy </VirtualHost>
# TODO-Caddy
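Review bot: `ssl_proxy_verify` on the second line of the hunk is still computed on the new side, but every line that used it is now a `# TODO-Caddy` comment, so the rendered file is Jinja noise plus comments and a slave that asks for `ssl-proxy-verify` through the cache path silently gets no Caddy configuration at all. Either drop the unused `set` until the cache vhost is ported, or put a one-line comment at the top, `# Cache vhost not yet ported to Caddy; see TODO.rst`, so the empty output reads as intentional rather than as a rendering bug. The template continues above the hunk, so I cannot see whether anything else still consumes the variable.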
#!/bin/sh
RUN_DIR={{ directory_run }}
ETC_DIR={{ directory_etc }}
BIN_DIR={{ directory_bin }}
CADDY_SIGNATURE_FILE=$RUN_DIR/caddy_configuration.signature
NCADDY_SIGNATURE_FILE=$RUN_DIR/ncaddy_configuration.signature
touch $CADDY_SIGNATURE_FILE
sha256sum $ETC_DIR/Caddyfile $ETC_DIR/log-access.conf $ETC_DIR/caddy-*.d/*.conf $ETC_DIR/caddy-*.d/ssl/*.*key $ETC_DIR/caddy-*.d/ssl/*.*crt* | sort -k 66 > $NCADDY_SIGNATURE_FILE
# If no diff, no restart for now
if diff "$CADDY_SIGNATURE_FILE" "$NCADDY_SIGNATURE_FILE"; then
echo "Nothing Changed, so nothing to reload"
exit 0
fi
echo "Reloading caddy.."
{{ caddy_graceful_reload_command }}
mv "$NCADDY_SIGNATURE_FILE" "$CADDY_SIGNATURE_FILE"
#!${dash-output:dash}
exec {{ caddy }} \
-conf {{ conf }} \
-log {{ log }} \
-http2=true \
-grace {{ grace }}s \
-disable-http-challenge \
-disable-tls-sni-challenge \
"$@"
<VirtualHost *:{{ https_port }}>
{{ slave_parameter.get('apache_custom_https', '') }} {{ slave_parameter.get('apache_custom_https', '') }}
</VirtualHost> {{ slave_parameter.get('apache_custom_http', '') }}
\ No newline at end of file
<VirtualHost *:{{ http_port }}>
{{ slave_parameter.get('apache_custom_https', '') }}
</VirtualHost>
...@@ -11,105 +11,105 @@ ...@@ -11,105 +11,105 @@
('ssl_certificate_key', 'path_to_ssl_key')] -%} ('ssl_certificate_key', 'path_to_ssl_key')] -%}
upstream {{ slave_parameter.get('slave_reference') }} { # TODO-Caddy upstream {{ slave_parameter.get('slave_reference') }} {
server {{ upstream }}; # TODO-Caddy server {{ upstream }};
} # TODO-Caddy
upstream https_{{ slave_parameter.get('slave_reference') }} { # TODO-Caddy pstream https_{{ slave_parameter.get('slave_reference') }} {
server {{ https_upstream }}; # TODO-Caddy server {{ https_upstream }};
} # TODO-Caddy
server { # TODO-Caddy server {
listen [{{ global_ipv6 }}]:{{ nginx_http_port }}; # TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
listen {{ local_ipv4 }}:{{ nginx_http_port }}; # TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_http_port }};
# TODO-Caddy
server_name {{ slave_parameter.get('custom_domain') }}; # TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
error_log {{ slave_parameter.get('error_log') }} error; # TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom; # TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
location /pub { # TODO-Caddy location /pub {
push_stream_publisher; # TODO-Caddy push_stream_publisher;
push_stream_channels_path $arg_id; # TODO-Caddy push_stream_channels_path $arg_id;
# store messages in memory # TODO-Caddy # store messages in memory
push_stream_store_messages off; # TODO-Caddy push_stream_store_messages off;
# TODO-Caddy
# Message size limit # TODO-Caddy # Message size limit
# client_max_body_size MUST be equal to client_body_buffer_size or # TODO-Caddy # client_max_body_size MUST be equal to client_body_buffer_size or
# you will be sorry. # TODO-Caddy # you will be sorry.
client_max_body_size 16k; # TODO-Caddy client_max_body_size 16k;
client_body_buffer_size 16k; # TODO-Caddy client_body_buffer_size 16k;
# TODO-Caddy
} # TODO-Caddy }
# TODO-Caddy
location ~ /sub/(.*) { # TODO-Caddy location ~ /sub/(.*) {
# activate subscriber mode for this location # TODO-Caddy # activate subscriber mode for this location
add_header "Access-Control-Allow-Origin" "*"; # TODO-Caddy add_header "Access-Control-Allow-Origin" "*";
add_header 'Access-Control-Allow-Credentials' 'false'; # TODO-Caddy add_header 'Access-Control-Allow-Credentials' 'false';
add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS'; # TODO-Caddy add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since'; # TODO-Caddy add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
# TODO-Caddy
push_stream_subscriber eventsource; # TODO-Caddy push_stream_subscriber eventsource;
# positional channel path # TODO-Caddy # positional channel path
push_stream_channels_path $1; # TODO-Caddy push_stream_channels_path $1;
# TODO-Caddy
# content-type # TODO-Caddy # content-type
default_type "text/event-stream; charset=utf-8"; # TODO-Caddy default_type "text/event-stream; charset=utf-8";
} # TODO-Caddy }
# TODO-Caddy
} # TODO-Caddy
server { # TODO-Caddy server {
listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl; # TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl; # TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
# TODO-Caddy
server_name {{ slave_parameter.get('custom_domain') }}; # TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
error_log {{ slave_parameter.get('error_log') }} error; # TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom; # TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
ssl on; # TODO-Caddy ssl on;
# TODO-Caddy
ssl_session_timeout 5m; # TODO-Caddy ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TODO-Caddy ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5'; # TODO-Caddy ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on; # TODO-Caddy ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; # TODO-Caddy ssl_session_cache shared:SSL:10m;
{% for key, value in ssl_configuration_list -%} {% for key, value in ssl_configuration_list -%}
{% if value in slave_parameter -%} {% if value in slave_parameter -%}
{{ ' %s' % key }} {{ slave_parameter.get(value) }}; # TODO-Caddy {{ ' %s' % key }} {{ slave_parameter.get(value) }};
{% endif -%} {% endif -%}
{% endfor %} {% endfor %}
location /pub { # TODO-Caddy location /pub {
push_stream_publisher; # TODO-Caddy push_stream_publisher;
push_stream_channels_path $arg_id; # TODO-Caddy push_stream_channels_path $arg_id;
# store messages in memory # TODO-Caddy # store messages in memory
push_stream_store_messages off; # TODO-Caddy push_stream_store_messages off;
# TODO-Caddy
# Message size limit # TODO-Caddy # Message size limit
# client_max_body_size MUST be equal to client_body_buffer_size or # TODO-Caddy # client_max_body_size MUST be equal to client_body_buffer_size or
# you will be sorry. # TODO-Caddy # you will be sorry.
client_max_body_size 16k; # TODO-Caddy client_max_body_size 16k;
client_body_buffer_size 16k; # TODO-Caddy client_body_buffer_size 16k;
# TODO-Caddy
} # TODO-Caddy }
# TODO-Caddy
location ~ /sub/(.*) { # TODO-Caddy location ~ /sub/(.*) {
# activate subscriber mode for this location # TODO-Caddy # activate subscriber mode for this location
add_header "Access-Control-Allow-Origin" "*"; # TODO-Caddy add_header "Access-Control-Allow-Origin" "*";
add_header 'Access-Control-Allow-Credentials' 'false'; # TODO-Caddy add_header 'Access-Control-Allow-Credentials' 'false';
add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS'; # TODO-Caddy add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since'; # TODO-Caddy add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
# TODO-Caddy
push_stream_subscriber eventsource; # TODO-Caddy push_stream_subscriber eventsource;
# positional channel path # TODO-Caddy # positional channel path
push_stream_channels_path $1; # TODO-Caddy push_stream_channels_path $1;
# TODO-Caddy
# content-type # TODO-Caddy # content-type
default_type "text/event-stream; charset=utf-8"; # TODO-Caddy default_type "text/event-stream; charset=utf-8";
} # TODO-Caddy }
} # TODO-Caddy}
{% endif -%} {% endif -%}
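Review bot: The commented-out copy has transcription errors that will bite whoever uncomments it: the second upstream line reads `# TODO-Caddy pstream https_...` (the leading `u` of `upstream` is lost), and the closing `}` of both `upstream` blocks was dropped, the lines now being `# TODO-Caddy` alone, whereas the notebook template hunk that follows kept `# TODO-Caddy }`. The stash also still carries `ssl_protocols TLSv1 TLSv1.1 TLSv1.2`, in this hunk and in the notebook hunk; when the eventsource and websocket slaves are ported to Caddy (TODO.rst lists both), that line should not be carried over. I cannot tell from here whether the stash is meant to be restored or only kept as a reference; a one-line comment at the top saying which would help.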
...@@ -11,96 +11,96 @@ ...@@ -11,96 +11,96 @@
('ssl_certificate_key', 'path_to_ssl_key')] -%} ('ssl_certificate_key', 'path_to_ssl_key')] -%}
upstream {{ slave_parameter.get('slave_reference') }} { # TODO-Caddy upstream {{ slave_parameter.get('slave_reference') }} {
server {{ upstream }}; # TODO-Caddy server {{ upstream }};
} # TODO-Caddy }
upstream https_{{ slave_parameter.get('slave_reference') }} { # TODO-Caddy upstream https_{{ slave_parameter.get('slave_reference') }} {
server {{ https_upstream }}; # TODO-Caddy server {{ https_upstream }};
} # TODO-Caddy }
server { # TODO-Caddy server {
listen [{{ global_ipv6 }}]:{{ nginx_http_port }}; # TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
listen {{ local_ipv4 }}:{{ nginx_http_port }}; # TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_http_port }};
# TODO-Caddy
server_name {{ slave_parameter.get('custom_domain') }}; # TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
error_log {{ slave_parameter.get('error_log') }} error; # TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom; # TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
location / { # TODO-Caddy location / {
proxy_pass {{ proxy_pass }}; # TODO-Caddy proxy_pass {{ proxy_pass }};
proxy_set_header Host $host; # TODO-Caddy proxy_set_header Host $host;
} # TODO-Caddy }
# TODO-Caddy
location ~ /api/kernels/ { # TODO-Caddy location ~ /api/kernels/ {
proxy_pass {{ proxy_pass }}; # TODO-Caddy proxy_pass {{ proxy_pass }};
proxy_set_header Host $host; # TODO-Caddy proxy_set_header Host $host;
# websocket support # TODO-Caddy # websocket support
proxy_http_version 1.1; # TODO-Caddy proxy_http_version 1.1;
proxy_set_header Upgrade "websocket"; # TODO-Caddy proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade"; # TODO-Caddy proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400; # TODO-Caddy proxy_read_timeout 86400;
} # TODO-Caddy }
# TODO-Caddy
location ~ /terminals/ { # TODO-Caddy location ~ /terminals/ {
proxy_pass {{ proxy_pass }}; # TODO-Caddy proxy_pass {{ proxy_pass }};
proxy_set_header Host $host; # TODO-Caddy proxy_set_header Host $host;
# websocket support # TODO-Caddy # websocket support
proxy_http_version 1.1; # TODO-Caddy proxy_http_version 1.1;
proxy_set_header Upgrade "websocket"; # TODO-Caddy proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade"; # TODO-Caddy proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400; # TODO-Caddy proxy_read_timeout 86400;
} # TODO-Caddy }
} # TODO-Caddy }
server { # TODO-Caddy server {
listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl; # TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl; # TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
# TODO-Caddy
server_name {{ slave_parameter.get('custom_domain') }}; # TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
error_log {{ slave_parameter.get('error_log') }} error; # TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom; # TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
ssl on; # TODO-Caddy ssl on;
# TODO-Caddy
ssl_session_timeout 5m; # TODO-Caddy ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TODO-Caddy ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5'; # TODO-Caddy ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on; # TODO-Caddy ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; # TODO-Caddy ssl_session_cache shared:SSL:10m;
{% for key, value in ssl_configuration_list -%} {% for key, value in ssl_configuration_list -%}
{% if value in slave_parameter -%} {% if value in slave_parameter -%}
{{ ' %s' % key }} {{ slave_parameter.get(value) }}; # TODO-Caddy {{ ' %s' % key }} {{ slave_parameter.get(value) }};
{% endif -%} {% endif -%}
{% endfor %} {% endfor %}
location / { # TODO-Caddy location / {
proxy_pass {{ https_proxy_pass }}; # TODO-Caddy proxy_pass {{ https_proxy_pass }};
proxy_set_header Host $host; # TODO-Caddy proxy_set_header Host $host;
} # TODO-Caddy }
# TODO-Caddy
location ~ /api/kernels/ { # TODO-Caddy location ~ /api/kernels/ {
proxy_pass {{ https_proxy_pass }}; # TODO-Caddy proxy_pass {{ https_proxy_pass }};
proxy_set_header Host $host; # TODO-Caddy proxy_set_header Host $host;
# websocket support # TODO-Caddy # websocket support
proxy_http_version 1.1; # TODO-Caddy proxy_http_version 1.1;
proxy_set_header Upgrade "websocket"; # TODO-Caddy proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade"; # TODO-Caddy proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400; # TODO-Caddy proxy_read_timeout 86400;
} # TODO-Caddy }
# TODO-Caddy
location ~ /terminals/ { # TODO-Caddy location ~ /terminals/ {
proxy_pass {{ https_proxy_pass }}; # TODO-Caddy proxy_pass {{ https_proxy_pass }};
proxy_set_header Host $host; # TODO-Caddy proxy_set_header Host $host;
# websocket support # TODO-Caddy # websocket support
proxy_http_version 1.1; # TODO-Caddy proxy_http_version 1.1;
proxy_set_header Upgrade "websocket"; # TODO-Caddy proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade"; # TODO-Caddy proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400; # TODO-Caddy proxy_read_timeout 86400;
} # TODO-Caddy }
} # TODO-Caddy }
{% endif -%} {% endif -%}
daemon off; # run in the foreground so supervisord can look after it # Dummy site for starting Caddy correctly
https://www.example.org:$${nginx-configuration:port} {
worker_processes $${nginx-configuration:worker_processes}; tls $${nginx-configuration:ssl_certificate} $${nginx-configuration:ssl_key}
pid $${nginx-configuration:pid-file}; bind $${nginx-configuration:local_ip}
# TODO-Caddy bind {{ ipv6_addr }}
# Serve an error 204 (No Content) for favicon.ico
status 204 /favicon.ico
status 404 /
}
events { http://www.example.org:$${nginx-configuration:plain_port} {
worker_connections $${nginx-configuration:worker_connections}; bind $${nginx-configuration:local_ip}
# multi_accept on; # TODO-Caddy bind {{ ipv6_addr }}
# Serve an error 204 (No Content) for favicon.ico
status 204 /favicon.ico
status 404 /
} }
# TODO-Caddy worker_processes $${nginx-configuration:worker_processes};
error_log $${nginx-configuration:error_log}; # TODO-Caddy events {
# TODO-Caddy worker_connections $${nginx-configuration:worker_connections};
# TODO-Caddy # multi_accept on;
# TODO-Caddy }
http { # TODO-Caddy http {
## ##
# Basic Settings # Basic Settings
## ##
sendfile on; # TODO-Caddy sendfile on;
tcp_nopush on; # TODO-Caddy tcp_nopush on;
tcp_nodelay on; # TODO-Caddy tcp_nodelay on;
keepalive_timeout 65; # TODO-Caddy keepalive_timeout 65;
types_hash_max_size 2048; # TODO-Caddy types_hash_max_size 2048;
server_tokens off; # TODO-Caddy server_tokens off;
error_log $${nginx-configuration:error_log}; # TODO-Caddy log_format custom '$remote_addr - $remote_user $time_local $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
log_format custom '$remote_addr - $remote_user $time_local $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time'; # TODO-Caddy access_log $${nginx-configuration:access_log} custom;
access_log $${nginx-configuration:access_log} custom;
# server_names_hash_bucket_size 64; # server_names_hash_bucket_size 64;
# server_name_in_redirect off; # server_name_in_redirect off;
default_type application/octet-stream; # TODO-Caddy default_type application/octet-stream;
ssl_certificate $${ca-frontend:cert-file}; # TODO-Caddy ssl_certificate $${ca-frontend:cert-file};
ssl_certificate_key $${ca-frontend:key-file}; # TODO-Caddy ssl_certificate_key $${ca-frontend:key-file};
## ##
# Gzip Settings # Gzip Settings
## ##
gzip on; # TODO-Caddy gzip on;
gzip_disable "msie6"; # TODO-Caddy gzip_disable "msie6";
gzip_vary on; # TODO-Caddy gzip_vary on;
gzip_proxied any; # TODO-Caddy gzip_proxied any;
gzip_comp_level 6; # TODO-Caddy gzip_comp_level 6;
gzip_buffers 16 8k; # TODO-Caddy gzip_buffers 16 8k;
gzip_http_version 1.1; # TODO-Caddy gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; # TODO-Caddy gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
## ##
# Push stream Settings # Push stream Settings
## ##
push_stream_shared_memory_size 32m; # TODO-Caddy push_stream_shared_memory_size 32m;
fastcgi_temp_path $${directory:varnginx} 1 2;
uwsgi_temp_path $${directory:varnginx} 1 2;
scgi_temp_path $${directory:varnginx} 1 2;
client_body_temp_path $${directory:varnginx} 1 2;
proxy_temp_path $${directory:varnginx} 1 2;
include $${nginx-configuration:slave-configuration-directory}/*.conf;
server {
listen [$${nginx-configuration:ip}]:$${nginx-configuration:plain_port};
listen $${nginx-configuration:local_ip}:$${nginx-configuration:plain_port};
# TODO-Caddy fastcgi_temp_path $${directory:varnginx} 1 2;
# TODO-Caddy uwsgi_temp_path $${directory:varnginx} 1 2;
# TODO-Caddy scgi_temp_path $${directory:varnginx} 1 2;
## Serve an error 204 (No Content) for favicon.ico # TODO-Caddy client_body_temp_path $${directory:varnginx} 1 2;
location = /favicon.ico { # TODO-Caddy proxy_temp_path $${directory:varnginx} 1 2;
return 204; # TODO-Caddy }
}
location / { import $${nginx-configuration:slave-configuration-directory}/*.conf
root $${apache-directory:document-root};
index notfound.html;
}
}
server {
listen [$${nginx-configuration:ip}]:$${nginx-configuration:port} ssl;
listen $${nginx-configuration:local_ip}:$${nginx-configuration:port} ssl;
ssl on;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
## Serve an error 204 (No Content) for favicon.ico
location = /favicon.ico {
return 204;
}
location / {
root $${apache-directory:document-root};
index notfound.html;
}
}
}
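Review bot: The dummy sites' `tls $${nginx-configuration:ssl_certificate} $${nginx-configuration:ssl_key}` line drops the explicit policy the nginx `server` blocks carried (`ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`) and relies on Caddy's built-in defaults; that is a defensible choice, but it should be stated, e.g. `# TLS protocol and cipher policy is Caddy's default; nginx pinned TLSv1-1.2 and an explicit cipher list`, so nobody re-adds TLS 1.0/1.1 for parity later. The `bind {{ ipv6_addr }}` lines are commented out with TODO-Caddy, so both default vhosts listen on `local_ip` only, whereas the nginx servers listened on both addresses; if slave sites bind the IPv6 address, requests for unknown hosts arriving there will not reach this catch-all, which may or may not be intended. The `import .../*.conf` glob may be a parse error on a Caddy release that rejects globs matching no files; worth confirming the first start with no slaves deployed. Section names such as `nginx-configuration` now describe Caddy settings and will confuse readers of the buildout profile.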
{% for slave, directory in slave_log_directory.iteritems() %} {% for slave, directory in slave_log_directory.iteritems() %}
Alias /{{slave}}/ {{directory}}/ https://[{{ global_ipv6 }}]:{{ https_port }}/{{ slave }}, https://{{ local_ipv4 }}:{{ https_port }}/{{ slave }} {
<Directory {{directory}}> bind {{ local_ipv4 }}
Order Deny,Allow #bind {{ global_ipv6 }}
Deny from env=AUTHREQUIRED root {{directory}}/
<Files ".??*"> browse
Order Allow,Deny tls {{ login_certificate }} {{ login_key }}
Deny from all basicauth "{{ slave }}" {{ slave_password[slave] }} {
</Files> "Log Access {{ slave }}"
AuthType Basic /
AuthName "Log Access {{slave}}" }
AuthUserFile "{{ apache_configuration_directory + '/.' + slave.upper() + '.htaccess'}}" # TODO-Caddy LogLevel notice
Require user {{slave.upper()}} # TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
Options Indexes FollowSymLinks log / {{ access_log }} {combined}
Satisfy all errors {{ error_log }}
</Directory> }
{% endfor %} {% endfor %}
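Review bot: Inside the `basicauth` block the line `"Log Access {{ slave }}"` is not prefixed with `realm`; as I read Caddy's basicauth block syntax, a bare token there is taken as a protected path rather than a realm name, so the realm stays at its default and a nonsense path gets registered; it should be `realm "Log Access {{ slave }}"`. The Apache side explicitly denied dotfiles (`<Files ".??*">` with `Deny from all`), while the new site serves `root {{directory}}/` with `browse` and no equivalent restriction; confirm that Caddy's file server hides dotfiles, otherwise the listing exposes any `.`-prefixed file in the log directory. The password is now a literal in the generated Caddyfile instead of an htaccess file, so the generated file's permissions become the only thing protecting it; a comment at the top of the template noting that would be useful for whoever sets the file mode.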