Commit edf2c72a authored by Łukasz Nowak's avatar Łukasz Nowak

Revert "caddy-frontend: Enable (experimental) QUIC

This reverts commit 8e24f3ab.

QUIC has issues with client certificate authentication, detected by chance.
parent 1b0b6b93
...@@ -61,6 +61,7 @@ Generally things to be done with ``caddy-frontend``: ...@@ -61,6 +61,7 @@ Generally things to be done with ``caddy-frontend``:
* reduce the time of configuration validation (in ``instance-apache-frontend.cfg`` sections ``[configtest]``, ``[caddy-configuration]``, ``[nginx-configuration]``), as it is not scalable on frontend with 2000+ slaves (takes few minutes instead of few, < 5, seconds), issue posted `upstream <https://github.com/mholt/caddy/issues/2220>`_ * reduce the time of configuration validation (in ``instance-apache-frontend.cfg`` sections ``[configtest]``, ``[caddy-configuration]``, ``[nginx-configuration]``), as it is not scalable on frontend with 2000+ slaves (takes few minutes instead of few, < 5, seconds), issue posted `upstream <https://github.com/mholt/caddy/issues/2220>`_
* drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_ * drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_
* use caddy-frontend in `standalone style playbooks <https://lab.nexedi.com/nexedi/slapos.package/tree/master/playbook/roles/standalone-shared>`_ * use caddy-frontend in `standalone style playbooks <https://lab.nexedi.com/nexedi/slapos.package/tree/master/playbook/roles/standalone-shared>`_
* ensure `QUIC <https://en.wikipedia.org/wiki/QUIC>`_ is used by caddy
Things which can't be implemented: Things which can't be implemented:
......
...@@ -70,7 +70,7 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8 ...@@ -70,7 +70,7 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
[template-caddy-wrapper] [template-caddy-wrapper]
filename = templates/caddy-wrapper.in filename = templates/caddy-wrapper.in
md5sum = 60780c1d3b6898eaec94fd0a0049da55 md5sum = c5816275757124613920078b6bec1caf
[template-trafficserver-records-config] [template-trafficserver-records-config]
filename = templates/trafficserver/records.config.jinja2 filename = templates/trafficserver/records.config.jinja2
......
...@@ -5,7 +5,6 @@ exec {{ caddy }} \ ...@@ -5,7 +5,6 @@ exec {{ caddy }} \
-log {{ log }} \ -log {{ log }} \
-http2=true \ -http2=true \
-grace {{ grace }}s \ -grace {{ grace }}s \
-quic \
-disable-http-challenge \ -disable-http-challenge \
-disable-tls-sni-challenge \ -disable-tls-sni-challenge \
"$@" "$@"
...@@ -67,31 +67,8 @@ else: ...@@ -67,31 +67,8 @@ else:
# response_code difference # response_code difference
if IS_CADDY: if IS_CADDY:
no_backend_response_code = 404 no_backend_response_code = 404
COMMON_HEADERS = {
'Content-type': 'application/json',
'Alt-Svc': 'quic=":11443"; ma=2592000; v="39"',
'Set-Cookie': 'secured=value;secure, nonsecured=value'}
COMMON_HEADERS_VARY_GZIP = COMMON_HEADERS.copy()
COMMON_HEADERS_VARY_GZIP.update({
'Content-Encoding': 'gzip',
'Vary': 'Accept-Encoding'})
COMMON_HEADERS_VARY_GZIP_AGE = COMMON_HEADERS_VARY_GZIP.copy()
COMMON_HEADERS_VARY_GZIP_AGE.update({
'Age': '0'
})
else: else:
no_backend_response_code = 502 no_backend_response_code = 502
COMMON_HEADERS = {
'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value'}
COMMON_HEADERS_VARY_GZIP = COMMON_HEADERS.copy()
COMMON_HEADERS_VARY_GZIP.update({
'Content-Encoding': 'gzip',
'Vary': 'Accept-Encoding'})
COMMON_HEADERS_VARY_GZIP_AGE = COMMON_HEADERS_VARY_GZIP.copy()
COMMON_HEADERS_VARY_GZIP_AGE.update({
'Age': '0'
})
caddy_custom_https = '''# caddy_custom_https_filled_in_accepted caddy_custom_https = '''# caddy_custom_https_filled_in_accepted
https://caddycustomhttpsaccepted.example.com:%%(https_port)s { https://caddycustomhttpsaccepted.example.com:%%(https_port)s {
...@@ -876,44 +853,6 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -876,44 +853,6 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
'secured=value;secure, nonsecured=value' 'secured=value;secure, nonsecured=value'
) )
@skipIf(not IS_CADDY, 'Caddy only')
def test_url_quic(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'url'].copy()
self.assertLogAccessUrlWithPop(parameter_dict, 'url')
self.assertEqual(
parameter_dict,
{
'domain': 'url.example.com',
'replication_number': '1',
'url': 'http://url.example.com',
'site_url': 'http://url.example.com',
'secure_access': 'https://url.example.com',
'public-ipv4': utils.LOCAL_IPV4,
}
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
utils.der2pem(result.peercert),
open('wildcard.example.com.crt').read())
self.assertEqualResultJson(result, 'Path', '/test-path')
try:
j = result.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual(
result.headers['Alt-Svc'], 'quic=":11443"; ma=2592000; v="39"'
)
# TODO: As soon as curl will have QUIC support it will be used to check
# how well QUIC works https://github.com/curl/curl/wiki/QUIC
@skipIf(IS_CADDY, 'Feature postponed') @skipIf(IS_CADDY, 'Feature postponed')
def test_url_ipv6_access(self): def test_url_ipv6_access(self):
parameter_dict = self.slave_connection_parameter_dict_dict[ parameter_dict = self.slave_connection_parameter_dict_dict[
...@@ -1525,7 +1464,8 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -1525,7 +1464,8 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS {'Age': '0', 'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value'}
) )
result_http = self.fakeHTTPResult( result_http = self.fakeHTTPResult(
...@@ -1547,7 +1487,8 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -1547,7 +1487,8 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS {'Age': '0', 'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value'}
) )
def test_enable_cache_ssl_proxy_verify_unverified(self): def test_enable_cache_ssl_proxy_verify_unverified(self):
...@@ -1844,7 +1785,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -1844,7 +1785,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS_VARY_GZIP_AGE {'Age': '0', 'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'}
) )
result_direct = self.fakeHTTPResult( result_direct = self.fakeHTTPResult(
...@@ -1935,7 +1878,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -1935,7 +1878,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS_VARY_GZIP_AGE {'Age': '0', 'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'}
) )
try: try:
...@@ -1984,7 +1929,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -1984,7 +1929,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS_VARY_GZIP_AGE {'Age': '0', 'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'}
) )
def test_enable_http2_false(self): def test_enable_http2_false(self):
...@@ -2026,7 +1973,12 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -2026,7 +1973,12 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS_VARY_GZIP {
'Vary': 'Accept-Encoding',
'Content-Type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Content-Encoding': 'gzip',
}
) )
self.assertFalse( self.assertFalse(
...@@ -2071,7 +2023,12 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -2071,7 +2023,12 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS_VARY_GZIP {
'Vary': 'Accept-Encoding',
'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Content-Encoding': 'gzip',
}
) )
self.assertTrue( self.assertTrue(
...@@ -2201,7 +2158,10 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -2201,7 +2158,10 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS {
'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value'
}
) )
result_http = self.fakeHTTPResult( result_http = self.fakeHTTPResult(
...@@ -2274,7 +2234,10 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -2274,7 +2234,10 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
self.assertEqual( self.assertEqual(
headers, headers,
COMMON_HEADERS {
'Content-type': 'application/json',
'Set-Cookie': 'secured=value;secure, nonsecured=value'
}
) )
result_http = self.fakeHTTPResult( result_http = self.fakeHTTPResult(
......
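Review bot: The commit message says the QUIC problem with client certificate authentication was detected by chance, and the new side of this test file adds nothing that would catch it the next time QUIC is enabled. The removed `test_url_quic` only checked the `Alt-Svc` value and that `remote_user` was absent from the incoming headers. A test that makes a request with a client certificate and asserts the authentication outcome at the frontend would be worth adding before QUIC returns; whether one already exists elsewhere in the file is not visible from these hunks. Separately, the revert swaps the shared `COMMON_HEADERS*` constants for nine hand-copied dict literals, and the one in the hunk at new line 1973 spells the key `'Content-Type'` while the others use `'Content-type'`. Keeping the constants and dropping only the `'Alt-Svc'` entry would avoid that drift. The enclosing test methods start and end outside the hunks.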