rapid-cdn: Handle correctly wildcard domains

While generating haproxy configuration (including it's CRT list) the specific order of entries is used, so that wildcard domains end up last. Thanks to this they work as a catch-all and allow specific domain to take precedence. Care is taken to support *.example.example.com and *.example.com situation - so tree like possibility of wildcards. Anonymous in-place ACL are used per each domain, instead of per-shared instance grouping in order to avoid situation like *.example.com and example.com having single ACL, thus resulting with catch-all kicking in too fast. For the precision in the haproxy configuration and simplifcation of the regular expressions the -m reg is used, so that host_only can be applied, which also lowercases the hostname. Notes: * test00cluster_request_instance_parameter_dict changed due to sorting slaves in test's requestSlaves * the test infrastructure has been improved to assure repetition of the situation * tests in TestSlaveHostHaproxyClash are asserting that correct domain AND that specific certificate have been used while serving given frontend configuration

rapid-cdn: Handle correctly wildcard domains
While generating haproxy configuration (including it's CRT list) the specific order of entries is used, so that wildcard domains end up last. Thanks to this they work as a catch-all and allow specific domain to take precedence. Care is taken to support *.example.example.com and *.example.com situation - so tree like possibility of wildcards. Anonymous in-place ACL are used per each domain, instead of per-shared instance grouping in order to avoid situation like *.example.com and example.com having single ACL, thus resulting with catch-all kicking in too fast. For the precision in the haproxy configuration and simplifcation of the regular expressions the -m reg is used, so that host_only can be applied, which also lowercases the hostname. Notes: * test00cluster_request_instance_parameter_dict changed due to sorting slaves in test's requestSlaves * the test infrastructure has been improved to assure repetition of the situation * tests in TestSlaveHostHaproxyClash are asserting that correct domain AND that specific certificate have been used while serving given frontend configuration
a039c8cf · Łukasz Nowak · cfd38dbe · a039c8cf · a039c8cf · a039c8cf
Commit a039c8cf authored Sep 28, 2023 by Łukasz Nowak
13 changed files
--- a/software/rapid-cdn/buildout.hash.cfg
+++ b/software/rapid-cdn/buildout.hash.cfg
@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08

 [profile-slave-list]
 filename = instance-slave-list.cfg.in
-md5sum = 8289620cb32dbdfcca6ba112c7ec7b2b
+md5sum = b75e42233c1b7bdd5f21971ed8907efc

 [profile-master-publish-slave-information]
 filename = instance-master-publish-slave-information.cfg.in
@@ -38,11 +38,11 @@ md5sum = cba4d995962f7fbeae3f61c9372c4181

 [template-frontend-haproxy-configuration]
 _update_hash_filename_ = templates/frontend-haproxy.cfg.in
-md5sum = eef9712c6fe4d62b570b9059157c67ea
+md5sum = fc68a825c656bde0ae69a936936b0478

 [template-frontend-haproxy-crt-list]
 _update_hash_filename_ = templates/frontend-haproxy-crt-list.in
-md5sum = 238760d48d2875f087ad2d784e2a8fcd
+md5sum = 2f3f75773eb879b97d1ff5e04486591c

 [template-not-found-html]
 _update_hash_filename_ = templates/notfound.html
@@ -50,7 +50,7 @@ md5sum = d56e2cfab274cbbbe5b387f2f6e417df

 [template-backend-haproxy-configuration]
 _update_hash_filename_ = templates/backend-haproxy.cfg.in
-md5sum = b4b55d931249f11e4e1256afeb74b503
+md5sum = 6457064905f818f21e3733eb4278a580

 [template-empty]
 _update_hash_filename_ = templates/empty.in

--- a/software/rapid-cdn/instance-slave-list.cfg.in
+++ b/software/rapid-cdn/instance-slave-list.cfg.in
 {%- set kedifa_updater_mapping = [] %}
 {%- set cached_server_dict = {} %}
-{%- set backend_slave_list = [] %}
-{%- set frontend_slave_list = [] %}
+{%- set backend_slave_dict = {} %}
+{%- set frontend_slave_dict = {} %}
 {%- set part_list = [] %}
 {%- set cache_port = frontend_haproxy_configuration.get('cache-port') %}
 {%- set cache_access = "http://%s:%s/HTTP" % (instance_parameter_dict['ipv4-random'], cache_port) %}
@@ -228,7 +228,8 @@ context =
 {%-   do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
 {%-   do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
 {%-   do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}
-{%-   set host_list = slave_instance.get('server-alias', '').split() %}
+{%-   do slave_instance.__setitem__('server-alias', slave_instance.get('server-alias', '').split()) %}
+{%-   set host_list = slave_instance['server-alias'] %}
 {%-   if slave_instance.get('custom_domain') not in host_list %}
 {%-     do host_list.append(slave_instance.get('custom_domain')) %}
 {%-   endif %}
@@ -385,9 +386,9 @@ local_ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }}
 {#-   ###############################  #}
 {#-   Prepare Slave Information        #}
 {%-   do slave_instance_information_list.append(slave_publish_dict) %}
-{%-   do frontend_slave_list.append(slave_instance) %}
+{%-   do frontend_slave_dict.__setitem__(slave_instance['slave_reference'], slave_instance) %}
 {%-   if slave_type != 'redirect' %}
-{%-     do backend_slave_list.append(slave_instance) %}
+{%-     do backend_slave_dict.__setitem__(slave_instance['slave_reference'], slave_instance) %}
 {%-   endif %}
 {%- endfor %} {# Slave iteration ends for slave_instance in slave_instance_list #}

@@ -477,14 +478,30 @@ output = ${:file}

 ##<Frontend haproxy>
 [frontend-haproxy-slave-list]
-list = {{ dumps(sorted(frontend_slave_list, key=operator_module.itemgetter('slave_reference'))) }}
+dict = {{ dumps(frontend_slave_dict) }}
+{%- set slave_instance_hostname_frontend_order = [] %}
+{%- for slave_instance in frontend_slave_dict.values() %}
+{%-   for hostname in slave_instance['host_list'] %}
+{%-     if '*' in hostname %}
+{%-       set order_value = hostname.count('.') %}
+{%-     else %}
+{%-       set order_value = 1000 %}
+{%-     endif %}
+{%-     do slave_instance_hostname_frontend_order.append({
+  'index': order_value,
+  'hostname': hostname,
+  'slave_reference': slave_instance['slave_reference']}) %}
+{%-   endfor  %}
+{%- endfor %}
+order = {{ dumps(slave_instance_hostname_frontend_order) }}

 [frontend-haproxy-crt-list]
 <= jinja2-template-base
 template = {{ template_frontend_haproxy_crt_list }}
 rendered = ${frontend-haproxy-config:crt-list}
 extra-context =
-  key frontend_slave_list frontend-haproxy-slave-list:list
+  key frontend_slave_dict frontend-haproxy-slave-list:dict
+  key frontend_slave_order frontend-haproxy-slave-list:order
  section configuration frontend-haproxy-config

 [frontend-haproxy-configuration]
@@ -492,7 +509,8 @@ extra-context =
 template = {{ template_frontend_haproxy_configuration }}
 rendered = ${frontend-haproxy-config:file}
 extra-context =
-  key frontend_slave_list frontend-haproxy-slave-list:list
+  key frontend_slave_dict frontend-haproxy-slave-list:dict
+  key frontend_slave_order frontend-haproxy-slave-list:order
  key crt_list frontend-haproxy-crt-list:rendered
  section configuration frontend-haproxy-config

@@ -512,9 +530,25 @@ autocert-directory = {{ frontend_directory['autocert'] }}
 < = jinja2-template-base
 url = {{ template_backend_haproxy_configuration }}
 output = ${backend-haproxy-config:file}
-backend_slave_list = {{ dumps(sorted(backend_slave_list, key=operator_module.itemgetter('slave_reference'))) }}
+backend_slave_dict = {{ dumps(backend_slave_dict) }}
+{%- set slave_instance_hostname_backend_order = [] %}
+{%- for slave_instance in backend_slave_dict.values() %}
+{%-   for hostname in slave_instance['host_list'] %}
+{%-     if '*' in hostname %}
+{%-       set order_value = hostname.count('.') %}
+{%-     else %}
+{%-       set order_value = 1000 %}
+{%-     endif %}
+{%-     do slave_instance_hostname_backend_order.append({
+  'index': order_value,
+  'hostname': hostname,
+  'slave_reference': slave_instance['slave_reference']}) %}
+{%-   endfor  %}
+{%- endfor %}
+order = {{ dumps(slave_instance_hostname_backend_order) }}
 extra-context =
-  key backend_slave_list :backend_slave_list
+  key backend_slave_dict :backend_slave_dict
+  key backend_slave_order :order
  section configuration backend-haproxy-config

 [backend-haproxy-config]

--- a/software/rapid-cdn/templates/backend-haproxy.cfg.in
+++ b/software/rapid-cdn/templates/backend-haproxy.cfg.in
@@ -17,30 +17,20 @@ defaults
  default-server init-addr last,libc,none

 {%- set SCHEME_PREFIX_MAPPING = { 'http': 'http_backend', 'https': 'https_backend'} %}
-{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
-{#-   wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
+{%- macro frontend_entry(slave_reference, hostname, slave_instance, scheme) %}
 {%-   if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] %}
-{%-     set matched = {'count': 0} %}
-{%-     for host in slave_instance['host_list'] %}
-{#-       Match up to the end or optional port (starting with ':') #}
-{#-       Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
-{%-       if wildcard and host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-# match wildcard {{ host }}
-  acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
-{%-       elif not wildcard and not host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-  acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i ^{{ host }}($|:.*)
-{%-       endif %}
-{%-     endfor %}
-{%-     if matched['count'] > 0 %}
-{%-       if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
-  acl is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }} nbsrv({{ slave_instance['slave_reference'] }}-{{ scheme }}) eq 0
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} ! is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }}-failover if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
-{%-       else %}
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }}
-{%-       endif %}
+{%-     if hostname.startswith('*') %}
+{%-       set matcher = '' ~ hostname[2:] ~ '$' %}
+{%-     else %}
+{%-       set matcher = '^' ~ hostname ~ '$' %}
+{%-     endif %}
+{%-     set acl = '{ req.hdr(host),host_only -m reg ' ~ matcher ~ ' }' %}
+{%-     if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
+  acl is_failover_{{ slave_reference }}_{{ scheme }} nbsrv({{ slave_reference }}-{{ scheme }}) eq 0
+  use_backend {{ slave_reference }}-{{ scheme }} if {{ acl }} ! is_failover_{{ slave_reference }}_{{ scheme }}
+  use_backend {{ slave_reference }}-{{ scheme }}-failover if {{ acl }} is_failover_{{ slave_reference }}_{{ scheme }}
+{%-     else %}
+  use_backend {{ slave_reference }}-{{ scheme }} if {{ acl }}
 {%-     endif %}
 {%-   endif %}
 {%- endmacro %}
@@ -62,11 +52,8 @@ frontend http-backend
  http-response add-header Via "%HV rapid-cdn-backend-{{ configuration['node-id'] }}-{{ configuration['version-hash']}}"
  # setup Date
  http-response set-header Date %[date(),http_date] if ! { res.hdr(Date) -m found }
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', False) }}
-{%- endfor %}
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', True) }}
+{%- for entry in backend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], backend_slave_dict[entry['slave_reference']], 'http') -}}
 {%- endfor %}

 frontend https-backend
@@ -75,14 +62,12 @@ frontend https-backend
  http-response add-header Via "%HV rapid-cdn-backend-{{ configuration['node-id'] }}-{{ configuration['version-hash']}}"
  # setup Date
  http-response set-header Date %[date(),http_date] if ! { res.hdr(Date) -m found }
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', False) }}
+{%- for entry in backend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], backend_slave_dict[entry['slave_reference']], 'https') -}}
 {%- endfor %}
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', True) }}
-{% endfor %}

-{%- for slave_instance in backend_slave_list %}
+{%- for slave_reference in sorted(backend_slave_dict) %}
+{%-   set slave_instance = backend_slave_dict[slave_reference] %}
 {%-   for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
 {%-     set info_dict = slave_instance[prefix] %}
 {%-     if info_dict['hostname'] and info_dict['port'] %}

--- a/software/rapid-cdn/templates/frontend-haproxy-crt-list.in
+++ b/software/rapid-cdn/templates/frontend-haproxy-crt-list.in
-{%- for slave in frontend_slave_list %}
+{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{%-   set slave = frontend_slave_dict[entry['slave_reference']] %}
 {%-   set entry_list = [] %}
 {%-   set sslbindconf = [] %}
 {#-   <crtfile> #}
@@ -9,7 +10,7 @@
 {%-   do sslbindconf.append(slave['alpn']) %}
 {%-   do entry_list.append('[' + ' '.join(sslbindconf) + ']') %}
 {#-   <snifilter> #}
-{%-   do entry_list.extend(slave['host_list']) %}
+{%-   do entry_list.append(entry['hostname']) %}
 {{-    ' '.join(entry_list) }}
 {% endfor -%}
 # Fallback to default certificate

--- a/software/rapid-cdn/templates/frontend-haproxy.cfg.in
+++ b/software/rapid-cdn/templates/frontend-haproxy.cfg.in
@@ -23,30 +23,14 @@ defaults
  default-server init-addr last,libc,none

 {%- set SCHEME_PREFIX_MAPPING = { 'http': 'backend-http-info', 'https': 'backend-https-info'} %}
-{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
-{#-   wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
-{#-   if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] #}
-{%-     set host_list = (slave_instance.get('server-alias') or  '').split() %}
-{%-     if slave_instance.get('custom_domain') not in host_list %}
-{%-       do host_list.append(slave_instance.get('custom_domain')) %}
-{%-     endif %}
-{%-     set matched = {'count': 0} %}
-{%-     for host in host_list %}
-{#-       Match up to the end or optional port (starting with ':') #}
-{#-       Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
-{%-       if wildcard and host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-# match wildcard {{ host }}
-  acl is_{{ slave_instance['slave_reference'] }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
-{%-       elif not wildcard and not host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-  acl is_{{ slave_instance['slave_reference'] }} hdr_reg(host) -i ^{{ host }}($|:.*)
-{%-       endif %}
-{%-     endfor %}
-{%-     if matched['count'] > 0 %}
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}
-{%-     endif %}
-{#-   endif #}
+
+{%- macro frontend_entry(slave_reference, hostname, scheme) %}
+{%-   if hostname.startswith('*') %}
+{%-     set matcher = hostname[2:] %}
+{%-   else %}
+{%-     set matcher = '^' ~ hostname %}
+{%-   endif %}
+  use_backend {{ slave_reference }}-{{ scheme }} if { req.hdr(host),host_only -m reg {{ matcher }}$ }
 {%- endmacro %}

 {%- macro frontend_common() %}
@@ -68,11 +52,8 @@ frontend http-frontend
  bind {{ configuration['local-ipv4'] }}:{{ configuration['http-port'] }}
  bind {{ configuration['global-ipv6'] }}:{{ configuration['http-port'] }}
 {{ frontend_common() }}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', False) }}
-{%- endfor %}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', True) }}
+{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], 'http') -}}
 {%- endfor %}
  default_backend BACKEND_NOT_FOUND

@@ -84,16 +65,14 @@ frontend https-frontend
  bind quic6@{{ configuration['global-ipv6'] }}:{{ configuration['https-port'] }} ssl crt-list {{ crt_list }} alpn h3
 {%- endif %}
 {{ frontend_common() }}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', False) }}
-{%- endfor %}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', True) }}
+{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], 'https') -}}
 {%- endfor %}
  default_backend BACKEND_NOT_FOUND

 # Backends
-{%- for slave_instance in frontend_slave_list %}
+{%- for slave_reference in sorted(frontend_slave_dict) %}
+{%-   set slave_instance = frontend_slave_dict[slave_reference] %}
 {%-   for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
 {%-     set info_dict = slave_instance.get(prefix, slave_instance.get('backend-http-info')) %}
 backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
@@ -189,7 +168,7 @@ backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
 {%-       endif %} {# if 'hostname' in info_dict and 'port' in info_dict #}
 {%-     endif %} {# if scheme == 'http' and slave_instance['https-only'] #}
 {%-   endfor %} {# for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() #}
-{%- endfor %} {# for slave_instance in frontend_slave_list #}
+{%- endfor %} {# for slave_reference in sorted(frontend_slave_dict) #}

 backend BACKEND_NOT_FOUND
  {#- a bit hacky but working way to provide default CDN's 404 #}

--- a/software/rapid-cdn/test/test.py
+++ b/software/rapid-cdn/test/test.py
@@ -1292,7 +1292,9 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):

  @classmethod
  def requestSlaves(cls):
-    for slave_reference, partition_parameter_kw in list(
+    # Note: List is sorted here, so that tests which want slaves
+    #       ordered by their slave_reference are stable
+    for slave_reference, partition_parameter_kw in sorted(
      cls.getSlaveParameterDictDict().items()):
      software_url = cls.getSoftwareURL()
      software_type = cls.getInstanceSoftwareType()
@@ -6577,49 +6579,83 @@ class TestSlaveHostHaproxyClash(SlaveHttpFrontendTestCase, TestDataMixin):

  @classmethod
  def getSlaveParameterDictDict(cls):
-    # Note: The slaves are specifically constructed to have an order which
-    #       is triggering the problem. Slave list is sorted in many places,
-    #       and such slave configuration will result with them begin seen
-    #       by backend haproxy configuration in exactly the way seen below
-    #       Ordering it here will not help at all.
+    # Note: Slave list is ordered by it's reference, so that requestSlaves
+    #       will result in an order, which will hit the bugs covered here:
+    #        * the most wildcard domain is requested first
+    #        * then the more specific wildcard comes
+    #        * in the end specific slaves are there
    return {
-      'wildcard': {
-        'url': cls.backend_url + 'wildcard',
+      '01wildcard': {
+        'url': cls.backend_url + '01wildcard',
+        'custom_domain': '*.example.com',
+        'server-alias': 'example.com',
+      },
+      '02wildcard': {
+        'url': cls.backend_url + '02wildcard',
        'custom_domain': '*.alias1.example.com',
+        'server-alias': 'alias1.example.com',
+      },
+      '03zspecific': {
+        'url': cls.backend_url + '03zspecific',
+        'custom_domain': 'zspecific.example.com',
      },
-      'zspecific': {
-        'url': cls.backend_url + 'zspecific',
+      '04zspecific': {
+        'url': cls.backend_url + '04zspecific',
        'custom_domain': 'zspecific.alias1.example.com',
      },
    }

  def test(self):
+    _, wildcard_key, _, wildcard_crt = createSelfSignedCertificate([
+      '*.example.com'])
+    _, wildcard_alias1_key, _, wildcard_alias1_crt = \
+        createSelfSignedCertificate([
+          '*.alias1.example.com'])
+    _, zspecific_key, _, zspecific_crt = createSelfSignedCertificate([
+      'zspecific.example.com'])
+    _, zspecific_alias1_key, _, zspecific_alias1_crt = \
+        createSelfSignedCertificate([
+          'zspecific.alias1.example.com'])
+
+    def uploadCertificate(key, certificate):
+      auth = mimikra.get(
+        self.current_generate_auth,
+        verify=self.kedifa_caucase_ca_certificate_file)
+      self.assertEqual(http.client.CREATED, auth.status_code)
+      data = certificate + key
+      upload = mimikra.put(
+        self.current_upload_url + auth.text,
+        data=data,
+        verify=self.kedifa_caucase_ca_certificate_file)
+      self.assertEqual(http.client.CREATED, upload.status_code)
+
    self.assertSlaveBase(
-      'wildcard', hostname='*.alias1')
+      '01wildcard', hostname='*')
+    uploadCertificate(wildcard_key, wildcard_crt)
    self.assertSlaveBase(
-      'zspecific', hostname='zspecific.alias1')
-
-    result_wildcard = fakeHTTPSResult(
-      'other.alias1.example.com',
-      'test-path',
-      headers={
-        'Timeout': '10',  # more than default backend-connect-timeout == 5
-        'Accept-Encoding': 'gzip',
-      }
-    )
-    self.assertEqual(self.certificate_pem, result_wildcard.certificate)
-    self.assertEqualResultJson(result_wildcard, 'Path', '/wildcard/test-path')
+      '02wildcard', hostname='*.alias1')
+    uploadCertificate(wildcard_alias1_key, wildcard_alias1_crt)
+    self.assertSlaveBase(
+      '03zspecific', hostname='zspecific')
+    uploadCertificate(zspecific_key, zspecific_crt)
+    self.assertSlaveBase(
+      '04zspecific', hostname='zspecific.alias1')
+    uploadCertificate(zspecific_alias1_key, zspecific_alias1_crt)
+    self.runKedifaUpdater()

-    result_specific = fakeHTTPSResult(
-      'zspecific.alias1.example.com',
-      'test-path',
-      headers={
-        'Timeout': '10',  # more than default backend-connect-timeout == 5
-        'Accept-Encoding': 'gzip',
-      }
-    )
-    self.assertEqual(self.certificate_pem, result_specific.certificate)
-    self.assertEqualResultJson(result_specific, 'Path', '/zspecific/test-path')
+    def assertResult(hostname, path, certificate):
+      result_wildcard = fakeHTTPSResult(
+        hostname,
+        'test-path',
+      )
+      self.assertEqual(certificate, result_wildcard.certificate)
+      self.assertEqualResultJson(
+        result_wildcard, 'Path', '/%s/test-path' % (path,))
+    assertResult('www.example.com', '01wildcard', wildcard_crt)
+    assertResult('www.alias1.example.com', '02wildcard', wildcard_alias1_crt)
+    assertResult('zspecific.example.com', '03zspecific', zspecific_crt)
+    assertResult(
+      'zspecific.alias1.example.com', '04zspecific', zspecific_alias1_crt)


 class TestPassedRequestParameter(HttpFrontendTestCase):

--- a/software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00cluster_request_instance_parameter_dict.txt
+++ b/software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00cluster_request_instance_parameter_dict.txt
--- a/software/rapid-cdn/test/test_data/test.TestSlave.test00cluster_request_instance_parameter_dict.txt
+++ b/software/rapid-cdn/test/test_data/test.TestSlave.test00cluster_request_instance_parameter_dict.txt
--- a/software/rapid-cdn/test/test_data/test.TestSlaveHealthCheck.test00cluster_request_instance_parameter_dict.txt
+++ b/software/rapid-cdn/test/test_data/test.TestSlaveHealthCheck.test00cluster_request_instance_parameter_dict.txt
@@ -14,19 +14,6 @@
    "slap_software_release_url": "@@00getSoftwareURL@@",
    "slap_software_type": "RootSoftwareInstance",
    "slave_instance_list": [
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-disabled",
-        "slave_title": "_health-check-disabled",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "health-check": true,
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-default",
-        "slave_title": "_health-check-default",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
      {
        "health-check": true,
        "health-check-http-method": "CONNECT",
@@ -49,6 +36,19 @@
        "slave_title": "_health-check-custom",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },
+      {
+        "health-check": true,
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_health-check-default",
+        "slave_title": "_health-check-default",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_health-check-disabled",
+        "slave_title": "_health-check-disabled",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
      {
        "enable_cache": true,
        "health-check": true,
@@ -66,32 +66,32 @@
      },
      {
        "health-check": true,
-        "health-check-failover-https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-https-url?a=b&c=",
-        "health-check-failover-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-url?a=b&c=",
-        "health-check-failover-url-netloc-list": "@@_ipv4_address@@:@@_server_netloc_a_http_port@@ @@_ipv4_address@@:@@_server_netloc_b_http_port@@",
-        "health-check-http-path": "/health-check-failover-url",
+        "health-check-authenticate-to-failover-backend": true,
+        "health-check-failover-https-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-https-url?a=b&c=",
+        "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-url?a=b&c=",
+        "health-check-http-path": "/health-check-failover-url-auth-to-backend",
        "health-check-interval": 1,
        "health-check-timeout": 1,
        "https-only": false,
        "https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/https-url",
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-netloc-list",
-        "slave_title": "_health-check-failover-url-netloc-list",
+        "slave_reference": "_health-check-failover-url-auth-to-backend",
+        "slave_title": "_health-check-failover-url-auth-to-backend",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/url"
      },
      {
        "health-check": true,
-        "health-check-authenticate-to-failover-backend": true,
-        "health-check-failover-https-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-https-url?a=b&c=",
-        "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-url?a=b&c=",
-        "health-check-http-path": "/health-check-failover-url-auth-to-backend",
+        "health-check-failover-https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-https-url?a=b&c=",
+        "health-check-failover-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-url?a=b&c=",
+        "health-check-failover-url-netloc-list": "@@_ipv4_address@@:@@_server_netloc_a_http_port@@ @@_ipv4_address@@:@@_server_netloc_b_http_port@@",
+        "health-check-http-path": "/health-check-failover-url",
        "health-check-interval": 1,
        "health-check-timeout": 1,
        "https-only": false,
        "https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/https-url",
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-auth-to-backend",
-        "slave_title": "_health-check-failover-url-auth-to-backend",
+        "slave_reference": "_health-check-failover-url-netloc-list",
+        "slave_title": "_health-check-failover-url-netloc-list",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/url"
      },
      {
@@ -109,27 +109,27 @@
      },
      {
        "health-check": true,
-        "health-check-failover-ssl-proxy-ca-crt": "@@another_server_ca.certificate_pem@@",
        "health-check-failover-ssl-proxy-verify": true,
        "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_port@@/",
-        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-unverified",
+        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-missing",
        "health-check-interval": 1,
        "health-check-timeout": 1,
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-unverified",
-        "slave_title": "_health-check-failover-url-ssl-proxy-verify-unverified",
+        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-missing",
+        "slave_title": "_health-check-failover-url-ssl-proxy-verify-missing",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },
      {
        "health-check": true,
+        "health-check-failover-ssl-proxy-ca-crt": "@@another_server_ca.certificate_pem@@",
        "health-check-failover-ssl-proxy-verify": true,
        "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_port@@/",
-        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-missing",
+        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-unverified",
        "health-check-interval": 1,
        "health-check-timeout": 1,
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-missing",
-        "slave_title": "_health-check-failover-url-ssl-proxy-verify-missing",
+        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-unverified",
+        "slave_title": "_health-check-failover-url-ssl-proxy-verify-unverified",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      }
    ],

--- a/software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00cluster_request_instance_parameter_dict.txt
+++ b/software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00cluster_request_instance_parameter_dict.txt
@@ -14,19 +14,35 @@
    "slap_software_release_url": "@@00getSoftwareURL@@",
    "slap_software_type": "RootSoftwareInstance",
    "slave_instance_list": [
+      {
+        "custom_domain": "*.example.com",
+        "server-alias": "example.com",
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_01wildcard",
+        "slave_title": "_01wildcard",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard"
+      },
      {
        "custom_domain": "*.alias1.example.com",
+        "server-alias": "alias1.example.com",
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_02wildcard",
+        "slave_title": "_02wildcard",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard"
+      },
+      {
+        "custom_domain": "zspecific.example.com",
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_wildcard",
-        "slave_title": "_wildcard",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/wildcard"
+        "slave_reference": "_03zspecific",
+        "slave_title": "_03zspecific",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific"
      },
      {
        "custom_domain": "zspecific.alias1.example.com",
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_zspecific",
-        "slave_title": "_zspecific",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/zspecific"
+        "slave_reference": "_04zspecific",
+        "slave_title": "_04zspecific",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific"
      }
    ],
    "timestamp": "@@TIMESTAMP@@"
@@ -41,15 +57,27 @@
      "monitor-password": "@@monitor-password@@",
      "monitor-username": "admin",
      "slave-list": [
+        {
+          "custom_domain": "*.example.com",
+          "server-alias": "example.com",
+          "slave_reference": "_01wildcard",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard"
+        },
        {
          "custom_domain": "*.alias1.example.com",
-          "slave_reference": "_wildcard",
-          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/wildcard"
+          "server-alias": "alias1.example.com",
+          "slave_reference": "_02wildcard",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard"
+        },
+        {
+          "custom_domain": "zspecific.example.com",
+          "slave_reference": "_03zspecific",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific"
        },
        {
          "custom_domain": "zspecific.alias1.example.com",
-          "slave_reference": "_zspecific",
-          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/zspecific"
+          "slave_reference": "_04zspecific",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific"
        }
      ]
    },
@@ -69,7 +97,7 @@
      "cluster-identification": "testing partition 0",
      "domain": "example.com",
      "enable-http3": "false",
-      "extra_slave_instance_list": "[{\"custom_domain\": \"*.alias1.example.com\", \"slave_reference\": \"_wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/wildcard\"}, {\"custom_domain\": \"zspecific.alias1.example.com\", \"slave_reference\": \"_zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/zspecific\"}]",
+      "extra_slave_instance_list": "[{\"custom_domain\": \"*.example.com\", \"server-alias\": \"example.com\", \"slave_reference\": \"_01wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard\"}, {\"custom_domain\": \"*.alias1.example.com\", \"server-alias\": \"alias1.example.com\", \"slave_reference\": \"_02wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard\"}, {\"custom_domain\": \"zspecific.example.com\", \"slave_reference\": \"_03zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific\"}, {\"custom_domain\": \"zspecific.alias1.example.com\", \"slave_reference\": \"_04zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific\"}]",
      "frontend-name": "caddy-frontend-1",
      "http3-port": "443",
      "kedifa-caucase-url": "http://[@@_ipv6_address@@]:15090",
@@ -81,7 +109,7 @@
      "plain_http_port": "11080",
      "port": "11443",
      "request-timeout": "12",
-      "slave-kedifa-information": "{\"_wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@/@@wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@?auth=\"}, \"_zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@/@@wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@?auth=\"}}"
+      "slave-kedifa-information": "{\"_01wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@?auth=\"}, \"_02wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@?auth=\"}, \"_03zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@?auth=\"}, \"_04zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@?auth=\"}}"
    },
    "full_address_list": [],
    "instance_title": "caddy-frontend-1",

--- a/software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00file_list_log.txt
+++ b/software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00file_list_log.txt
@@ -8,12 +8,18 @@ T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
 T-2/var/log/expose-csr.log
 T-2/var/log/frontend-haproxy.log
-T-2/var/log/httpd/_wildcard_access_log
-T-2/var/log/httpd/_wildcard_backend_log
-T-2/var/log/httpd/_wildcard_frontend_log
-T-2/var/log/httpd/_zspecific_access_log
-T-2/var/log/httpd/_zspecific_backend_log
-T-2/var/log/httpd/_zspecific_frontend_log
+T-2/var/log/httpd/_01wildcard_access_log
+T-2/var/log/httpd/_01wildcard_backend_log
+T-2/var/log/httpd/_01wildcard_frontend_log
+T-2/var/log/httpd/_02wildcard_access_log
+T-2/var/log/httpd/_02wildcard_backend_log
+T-2/var/log/httpd/_02wildcard_frontend_log
+T-2/var/log/httpd/_03zspecific_access_log
+T-2/var/log/httpd/_03zspecific_backend_log
+T-2/var/log/httpd/_03zspecific_frontend_log
+T-2/var/log/httpd/_04zspecific_access_log
+T-2/var/log/httpd/_04zspecific_backend_log
+T-2/var/log/httpd/_04zspecific_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

--- a/software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00cluster_request_instance_parameter_dict.txt
+++ b/software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00cluster_request_instance_parameter_dict.txt
--- a/software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test00cluster_request_instance_parameter_dict.txt
+++ b/software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test00cluster_request_instance_parameter_dict.txt
@@ -15,35 +15,6 @@
    "slap_software_release_url": "@@00getSoftwareURL@@",
    "slap_software_type": "RootSoftwareInstance",
    "slave_instance_list": [
-      {
-        "enable_cache": true,
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_master",
-        "slave_title": "_ssl_from_master",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_master_kedifa_overrides",
-        "slave_title": "_ssl_from_master_kedifa_overrides",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_slave",
-        "slave_title": "_ssl_from_slave",
-        "ssl_crt": "@@ssl_from_slave_certificate_pem@@",
-        "ssl_key": "@@ssl_from_slave_key_pem@@",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_slave_kedifa_overrides",
-        "slave_title": "_ssl_from_slave_kedifa_overrides",
-        "ssl_crt": "@@ssl_from_slave_kedifa_overrides_certificate_pem@@",
-        "ssl_key": "@@ssl_from_slave_kedifa_overrides_key_pem@@",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
      {
        "custom_domain": "customdomainsslcrtsslkey.example.com",
        "slap_software_type": "RootSoftwareInstance",
@@ -63,6 +34,15 @@
        "ssl_key": "@@customdomain_ca_key_pem@@",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_ca_crt_does_not_match",
+        "slave_title": "_ssl_ca_crt_does_not_match",
+        "ssl_ca_crt": "@@ca.certificate_pem@@",
+        "ssl_crt": "@@certificate_pem@@",
+        "ssl_key": "@@key_pem@@",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
      {
        "slap_software_type": "RootSoftwareInstance",
        "slave_reference": "_ssl_ca_crt_garbage",
@@ -73,12 +53,32 @@
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },
      {
+        "enable_cache": true,
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_ca_crt_does_not_match",
-        "slave_title": "_ssl_ca_crt_does_not_match",
-        "ssl_ca_crt": "@@ca.certificate_pem@@",
-        "ssl_crt": "@@certificate_pem@@",
-        "ssl_key": "@@key_pem@@",
+        "slave_reference": "_ssl_from_master",
+        "slave_title": "_ssl_from_master",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_from_master_kedifa_overrides",
+        "slave_title": "_ssl_from_master_kedifa_overrides",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_from_slave",
+        "slave_title": "_ssl_from_slave",
+        "ssl_crt": "@@ssl_from_slave_certificate_pem@@",
+        "ssl_key": "@@ssl_from_slave_key_pem@@",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_from_slave_kedifa_overrides",
+        "slave_title": "_ssl_from_slave_kedifa_overrides",
+        "ssl_crt": "@@ssl_from_slave_kedifa_overrides_certificate_pem@@",
+        "ssl_key": "@@ssl_from_slave_kedifa_overrides_key_pem@@",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },
      {
@@ -90,17 +90,17 @@
      },
      {
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_type-notebook-ssl_from_slave",
-        "slave_title": "_type-notebook-ssl_from_slave",
-        "ssl_crt": "@@type_notebook_ssl_from_slave_certificate_pem@@",
-        "ssl_key": "@@type_notebook_ssl_from_slave_key_pem@@",
+        "slave_reference": "_type-notebook-ssl_from_master_kedifa_overrides",
+        "slave_title": "_type-notebook-ssl_from_master_kedifa_overrides",
        "type": "notebook",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },
      {
        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_type-notebook-ssl_from_master_kedifa_overrides",
-        "slave_title": "_type-notebook-ssl_from_master_kedifa_overrides",
+        "slave_reference": "_type-notebook-ssl_from_slave",
+        "slave_title": "_type-notebook-ssl_from_slave",
+        "ssl_crt": "@@type_notebook_ssl_from_slave_certificate_pem@@",
+        "ssl_key": "@@type_notebook_ssl_from_slave_key_pem@@",
        "type": "notebook",
        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
      },