Trustable X-Forwarded-For in ERP5 SR

See merge request !769

Trustable X-Forwarded-For in ERP5 SR
See merge request !769
d1dfde38 · Kazuhiko Shiozaki · d9ca2e38 · 468d8148 · d1dfde38 · d1dfde38
Commit d1dfde38 authored Jun 16, 2020 by Kazuhiko Shiozaki
13 changed files
--- a/component/apache/apache-backend.conf.in
+++ b/component/apache/apache-backend.conf.in
@@ -23,14 +23,14 @@
 #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
 #       "ssl-session-cache": "<folder_path>",
 #
- #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  The path given to "SSLCACertificatePath" (can be empty)
 #       #  If this value is not empty, it enables client certificate check.
 #       #  (Enabling "SSLVerifyClient require")
- #       "ca-cert": "<file_path>",
+ #       "ca-cert-dir": "<directory_path>",
 #
- #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
 #       #  empty)
- #       "crl": "<file_path>",
+ #       "crl-dir": "<directory_path>",
 #
 #       #  The path given to "ErrorLog"
 #       "error-log": "<file_path>",
@@ -69,7 +69,7 @@
 #  From to `backend-list`:
 #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
 #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
- #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
 #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
 #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
 #  accepting requests from any client.
@@ -83,6 +83,8 @@
 #  For more details, refer to
 #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
 -#}
+{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
+{% set crl_dir = parameter_dict.get('crl-dir') -%}
 LoadModule unixd_module modules/mod_unixd.so
 LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule authz_core_module modules/mod_authz_core.so
@@ -133,15 +135,17 @@ SSLProxyEngine On

 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
-{% if parameter_dict['ca-cert'] -%}
+# Drop incoming X-Forwarded-For without valid client authentication
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
+{% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-{%   if parameter_dict['crl'] -%}
+SSLCACertificatePath {{ ca_cert_dir }}
+{%   if crl_dir -%}
 SSLCARevocationCheck chain
-SSLCARevocationFile {{ parameter_dict['crl'] }}
-{%-   endif %}
-{%- endif %}
+SSLCARevocationPath {{ crl_dir }}
+{%   endif -%}
+{% endif -%}

 ErrorLog "{{ parameter_dict['error-log'] }}"
 # Default apache log format with request time in microsecond at the end
@@ -161,11 +165,9 @@ Listen {{ ip }}:{{ port }}
 {%   endfor -%}
 <VirtualHost *:{{ port }}>
  SSLEngine on
-{% if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+{%   if enable_authentication -%}
+{%     do assert(ca_cert_dir) -%}
  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}

  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

@@ -183,11 +185,9 @@ Listen {{ ip }}:{{ port }}
 <VirtualHost {{ ip }}:{{ port }}>
  SSLEngine on
  Timeout 3600
-{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+{%   if enable_authentication -%}
+{%     do assert(ca_cert_dir) -%}
  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}

  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined


--- a/component/apache/buildout.hash.cfg
+++ b/component/apache/buildout.hash.cfg
@@ -14,5 +14,5 @@
 # not need these here).
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = bb8c175a93336f0e1838fd47225426f9
+md5sum = 5c6d6aacc092b23a02e1c6f4d51e8127

--- a/software/erp5/instance-erp5-input-schema.json
+++ b/software/erp5/instance-erp5-input-schema.json
@@ -84,7 +84,8 @@
        "software-url": {
          "description": "Front-end's software type. If this parameter is empty, no front-end instance is requested. Else, sla-dict must specify 'frontend' which is a special value matching all frontends (e.g. {\"instance_guid=bar\": [\"frontend\"]}).",
          "default": "",
-          "type": "string"
+          "type": "string",
+          "format": "uri"
        },
        "domain": {
          "description": "The domain name to request front-end to respond as.",
@@ -225,7 +226,8 @@
    "cloudooo-url": {
      "description": "Format conversion service URL",
      "pattern": "^https?://",
-      "type": "string"
+      "type": "string",
+      "format": "uri"
    },
    "cloudooo-retry-count": {
      "description": "Define retry count for cloudooo in network error case in test",
@@ -453,10 +455,21 @@
        "ssl": {
          "description": "HTTPS certificate generation parameters",
          "properties": {
+            "frontend-caucase-url-list": {
+              "title": "Frontend Caucase URL List",
+              "description": "List of URLs of caucase service of frontend groups to authenticate access from them.",
+              "type": "array",
+              "items": {
+                "type": "string",
+                "format": "uri"
+              },
+              "uniqueItems": true
+            },
            "caucase-url": {
              "title": "Caucase URL",
              "description": "URL of caucase service to use. If not set, global setting will be used.",
-              "type": "string"
+              "type": "string",
+              "format": "uri"
            },
            "csr": {
              "title": "csr",

--- a/software/erp5/test/test/test_balancer.py
+++ b/software/erp5/test/test/test_balancer.py
+from . import ERP5InstanceTestCase
+from . import setUpModule
+from slapos.testing.utils import findFreeTCPPort
+
+from BaseHTTPServer import HTTPServer
+from BaseHTTPServer import BaseHTTPRequestHandler
+import OpenSSL.SSL
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+import hashlib
+import json
+import multiprocessing
+import os
+import requests
+import shutil
+import subprocess
+import tempfile
+import time
+
+setUpModule  # pyflakes
+
+class TestHandler(BaseHTTPRequestHandler):
+  def do_GET(self):
+    self.send_response(200)
+    self.send_header("Content-Type", "application/json")
+    response = {
+      'Path': self.path,
+      'Incoming Headers': self.headers.dict
+    }
+    response = json.dumps(response, indent=2)
+    self.end_headers()
+    self.wfile.write(response)
+
+class TestFrontendXForwardedFor(ERP5InstanceTestCase):
+  http_server_process = None
+  frontend_caucase_dir = None
+  frontend_caucased_process = None
+  backend_caucase_dir = None
+  backend_caucased_process = None
+
+  @classmethod
+  def getInstanceSoftwareType(cls):
+    return 'balancer'
+
+  @classmethod
+  def setUpClass(cls):
+    # start a dummy web server echoing headers.
+    http_server_port = findFreeTCPPort(cls._ipv4_address)
+    server = HTTPServer(
+      (cls._ipv4_address, http_server_port),
+      TestHandler)
+    cls.http_server_process = multiprocessing.Process(
+      target=server.serve_forever, name='HTTPServer')
+    cls.http_server_process.start()
+    cls.http_server_netloc = '%s:%s' % (cls._ipv4_address, http_server_port)
+
+    # start a caucased and generate a valid client certificate.
+    cls.computer_partition_root_path = os.path.abspath(os.curdir)
+    cls.frontend_caucase_dir = tempfile.mkdtemp()
+    frontend_caucased_dir = os.path.join(cls.frontend_caucase_dir, 'caucased')
+    os.mkdir(frontend_caucased_dir)
+    frontend_user_dir = os.path.join(cls.frontend_caucase_dir, 'user')
+    os.mkdir(frontend_user_dir)
+    frontend_service_dir = os.path.join(cls.frontend_caucase_dir, 'service')
+    os.mkdir(frontend_service_dir)
+    frontend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address))
+    cls.frontend_caucased_url = 'http://' + frontend_caucased_netloc
+
+    cls.user_certificate = frontend_user_key = os.path.join(frontend_user_dir, 'client.key.pem')
+    frontend_user_csr = os.path.join(frontend_user_dir, 'client.csr.pem')
+
+    key = rsa.generate_private_key(
+      public_exponent=65537,
+      key_size=2048,
+      backend=default_backend()
+    )
+    with open(frontend_user_key, 'wb') as f:
+      f.write(key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+      ))
+
+    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, u'user'),
+    ])).sign(key, hashes.SHA256(), default_backend())
+    with open(frontend_user_csr, 'wb') as f:
+      f.write(csr.public_bytes(serialization.Encoding.PEM))
+
+    cls.software_release_root_path = os.path.join(
+       cls.slap._software_root,
+       hashlib.md5(cls.getSoftwareURL()).hexdigest(),
+    )
+    caucased_path = os.path.join(cls.software_release_root_path, 'bin', 'caucased')
+    caucase_path = os.path.join(cls.software_release_root_path, 'bin', 'caucase')
+    cls.frontend_caucased_process = subprocess.Popen(
+      [
+        caucased_path,
+        '--db', os.path.join(frontend_caucased_dir, 'caucase.sqlite'),
+        '--server-key', os.path.join(frontend_caucased_dir, 'server.key.pem'),
+        '--netloc', frontend_caucased_netloc,
+        '--service-auto-approve-count', '1',
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    for _ in range(10):
+      try:
+        if requests.get(cls.frontend_caucased_url).status_code == 200:
+          break
+      except Exception:
+        pass
+      time.sleep(1)
+    else:
+      raise RuntimeError, 'caucased failed to start.'
+
+    cau_args = [
+      caucase_path,
+      '--ca-url', cls.frontend_caucased_url,
+      '--ca-crt', os.path.join(frontend_user_dir, 'service-ca-crt.pem'),
+      '--crl', os.path.join(frontend_user_dir, 'service.crl'),
+      '--user-ca-crt', os.path.join(frontend_user_dir, 'user-ca-crt.pem'),
+      '--user-crl', os.path.join(frontend_user_dir, 'user.crl'),
+    ]
+
+    cas_args = [
+      caucase_path,
+      '--ca-url', cls.frontend_caucased_url,
+      '--ca-crt', os.path.join(frontend_service_dir, 'service-ca-crt.pem'),
+      '--crl', os.path.join(frontend_service_dir, 'service.crl'),
+      '--user-ca-crt', os.path.join(frontend_service_dir, 'user-ca-crt.pem'),
+      '--user-crl', os.path.join(frontend_service_dir, 'user.crl'),
+    ]
+
+    caucase_process = subprocess.Popen(
+      cau_args + [
+        '--mode', 'user',
+        '--send-csr', frontend_user_csr,
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    result = caucase_process.communicate()
+    print result
+    csr_id = result[0].split()[0]
+
+    subprocess.check_call(
+      cau_args + [
+        '--mode', 'user',
+        '--get-crt', csr_id, frontend_user_key,
+      ],
+    )
+
+    cls.client_certificate = frontend_service_key = os.path.join(frontend_service_dir, 'crt.pem')
+    frontend_service_csr = os.path.join(frontend_service_dir, 'csr.pem')
+
+    key = rsa.generate_private_key(
+      public_exponent=65537,
+      key_size=2048,
+      backend=default_backend()
+    )
+    with open(frontend_service_key, 'wb') as f:
+      f.write(key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+      ))
+
+    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, u'service'),
+    ])).sign(key, hashes.SHA256(), default_backend())
+    with open(frontend_service_csr, 'wb') as f:
+      f.write(csr.public_bytes(serialization.Encoding.PEM))
+
+    caucase_process = subprocess.Popen(
+      cas_args + [
+        '--send-csr', frontend_service_csr,
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    result = caucase_process.communicate()
+    csr_id = result[0].split()[0]
+
+    for _ in range(10):
+      if not subprocess.call(
+        cas_args + [
+          '--get-crt', csr_id, frontend_service_key,
+        ],
+      ) == 0:
+        break
+      else:
+        time.sleep(1)
+    else:
+      raise RuntimeError, 'getting service certificate failed.'
+
+    # start a caucased and server certificate.
+    cls.backend_caucase_dir = tempfile.mkdtemp()
+    backend_caucased_dir = os.path.join(cls.backend_caucase_dir, 'caucased')
+    os.mkdir(backend_caucased_dir)
+    backend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address))
+    cls.backend_caucased_url = 'http://' + backend_caucased_netloc
+    cls.backend_caucased_process = subprocess.Popen(
+      [
+        caucased_path,
+        '--db', os.path.join(backend_caucased_dir, 'caucase.sqlite'),
+        '--server-key', os.path.join(backend_caucased_dir, 'server.key.pem'),
+        '--netloc', backend_caucased_netloc,
+        '--service-auto-approve-count', '1',
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    for _ in range(10):
+      try:
+        if requests.get(cls.backend_caucased_url).status_code == 200:
+          break
+      except Exception:
+        pass
+      time.sleep(1)
+    else:
+      raise RuntimeError, 'caucased failed to start.'
+
+    super(TestFrontendXForwardedFor, cls).setUpClass()
+
+  @classmethod
+  def getInstanceParameterDict(cls):
+    return {
+      '_': json.dumps({
+        'tcpv4-port': 3306,
+        'computer-memory-percent-threshold': 100,
+        # XXX what is this ? should probably not be needed here
+        'name': cls.__name__,
+        'monitor-passwd': 'secret',
+        'apachedex-configuration': '',
+        'apachedex-promise-threshold': 100,
+        'haproxy-server-check-path': '/',
+        'zope-family-dict': {
+          'default': ['dummy_http_server'],
+          'default-auth': ['dummy_http_server'],
+        },
+        'dummy_http_server': [[cls.http_server_netloc, 1, False]],
+        'backend-path-dict': {
+          'default': '/',
+          'default-auth': '/',
+        },
+        'ssl-authentication-dict': {
+          'default': False,
+          'default-auth': True,
+        },
+        'ssl': {
+          'caucase-url': cls.backend_caucased_url,
+          'frontend-caucase-url-list': [cls.frontend_caucased_url],
+        },
+      })
+    }
+
+  @classmethod
+  def _cleanup(cls, snapshot_name):
+    if cls.http_server_process:
+      cls.http_server_process.terminate()
+    if cls.frontend_caucased_process:
+      cls.frontend_caucased_process.terminate()
+    if cls.frontend_caucase_dir:
+      shutil.rmtree(cls.frontend_caucase_dir)
+    if cls.backend_caucased_process:
+      cls.backend_caucased_process.terminate()
+    if cls.backend_caucase_dir:
+      shutil.rmtree(cls.backend_caucase_dir)
+
+    super(TestFrontendXForwardedFor, cls)._cleanup(snapshot_name)
+
+  def test_x_forwarded_for_added_when_verified_connection(self):
+    for backend in ('default', 'default-auth'):
+      balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])[backend]
+      result = requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        cert=self.client_certificate,
+        verify=False,
+      ).json()
+      self.assertEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
+
+  def test_x_forwarded_for_stripped_when_not_verified_connection(self):
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
+    result = requests.get(
+      balancer_url,
+      headers={'X-Forwarded-For': '1.2.3.4'},
+      verify=False,
+    ).json()
+    self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
+    with self.assertRaises(OpenSSL.SSL.Error):
+      requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        verify=False,
+      )
--- a/software/slapos-master/apache-backend.conf.in
+++ b/software/slapos-master/apache-backend.conf.in
@@ -23,14 +23,14 @@
 #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
 #       "ssl-session-cache": "<folder_path>",
 #
- #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  The path given to "SSLCACertificatePath" (can be empty)
 #       #  If this value is not empty, it enables client certificate check.
 #       #  (Enabling "SSLVerifyClient require")
- #       "ca-cert": "<file_path>",
+ #       "ca-cert-dir": "<directory_path>",
 #
- #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
 #       #  empty)
- #       "crl": "<file_path>",
+ #       "crl-dir": "<directory_path>",
 #
 #       #  The path given to "ErrorLog"
 #       "error-log": "<file_path>",
@@ -69,7 +69,7 @@
 #  From to `backend-list`:
 #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
 #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
- #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
 #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
 #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
 #  accepting requests from any client.
@@ -83,6 +83,8 @@
 #  For more details, refer to
 #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
 -#}
+{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
+{% set crl_dir = parameter_dict.get('crl-dir') -%}
 LoadModule unixd_module modules/mod_unixd.so
 LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule authz_core_module modules/mod_authz_core.so
@@ -103,7 +105,7 @@ LoadModule headers_module modules/mod_headers.so
 LoadModule deflate_module modules/mod_deflate.so
 LoadModule filter_module modules/mod_filter.so

-AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
+AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm

 PidFile "{{ parameter_dict['pid-file'] }}"
 ServerAdmin admin@
@@ -133,17 +135,16 @@ SSLProxyEngine On

 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
-{% if parameter_dict['ca-cert'] -%}
+{% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-{%   if not parameter_dict['shared-ca-cert'] %}
-{%     if parameter_dict['crl'] -%}
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
+SSLCACertificatePath {{ ca_cert_dir }}
+{%   if crl_dir -%}
 SSLCARevocationCheck chain
-SSLCARevocationFile {{ parameter_dict['crl'] }}
-{%-     endif %}
-{%-   endif %}
-{%- endif %}
+SSLCARevocationPath {{ crl_dir }}
+{%   endif -%}
+{% endif -%}

 ErrorLog "{{ parameter_dict['error-log'] }}"
 # Default apache log format with request time in microsecond at the end
@@ -163,12 +164,8 @@ Listen {{ ip }}:{{ port }}
 {%   endfor -%}
 <VirtualHost *:{{ port }}>
  SSLEngine on
-{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%}
+{% if enable_authentication and ca_cert_dir -%}
  SSLVerifyClient require
-  # Custom block we use for now different parameters.
-  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
-  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}

  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

@@ -186,11 +183,8 @@ Listen {{ ip }}:{{ port }}
 <VirtualHost {{ ip }}:{{ port }}>
  SSLEngine on
  Timeout 3600
-{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+{%   if enable_authentication and ca_cert_dir -%}
  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}

  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

@@ -204,4 +198,4 @@ Listen {{ ip }}:{{ port }}
  RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P]
 {%   endfor -%}
 </VirtualHost>
-{% endfor -%}
+{% endfor -%}
\ No newline at end of file
--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -18,8 +18,8 @@ md5sum = 2ef0ddc206c6b0982a37cfc21f23e423

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = ef86e09e44ac67a9b15939df0ab4a466
+md5sum = d10a5ddfffa67b8ca01b3e38315bae2f

 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 48f086ce1acffca7bab942b43d856fb7
+md5sum = a169c1d6b0f2636f21f180e8a0b52137
--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -2,6 +2,7 @@
 {% set part_list = [] -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
+{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend_caucase_url_list', []) -%}
 {% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
@@ -28,8 +29,8 @@ mode = 644
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
     crt_path='${apache-conf-ssl:caucase-cert}',
-     ca_path='${apache-conf-ssl:ca-cert}',
-     crl_path='${apache-conf-ssl:crl}',
+     ca_path='${directory:srv}/caucase-updater/ca.crt',
+     crl_path='${directory:srv}/caucase-updater/crl.pem',
     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
@@ -37,6 +38,69 @@ mode = 644
     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
 )}}
 {% do section('caucase-updater') -%}
+{% do section('caucase-updater-promise') -%}
+
+{% set frontend_caucase_url_hash_list = [] -%}
+{% for frontend_caucase_url in frontend_caucase_url_list -%}
+{%   set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
+{%   do frontend_caucase_url_hash_list.append(hash) -%}
+{%   set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
+{{   caucase.updater(
+       prefix='caucase-updater-%s' % hash,
+       buildout_bin_directory=parameter_dict['bin-directory'],
+       updater_path='${directory:services-on-watch}/caucase-updater-%s' % hash,
+       url=frontend_caucase_url,
+       data_dir=data_dir,
+       ca_path='%s/ca.crt' % data_dir,
+       crl_path='%s/crl.pem' % data_dir,
+       on_renew='${caucase-updater-housekeeper:output}; ${apache-graceful:output}',
+       max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
+       openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+     )}}
+{%   do section('caucase-updater-%s' % hash) -%}
+{% endfor -%}
+
+{% if frontend_caucase_url_hash_list -%}
+[caucase-updater-housekeeper]
+recipe = collective.recipe.template
+output = ${directory:bin}/caucase-updater-housekeeper
+mode = 700
+input =
+  inline:
+  #!${buildout:executable}
+  import glob
+  import os
+  import subprocess
+  hash_list = {{ repr(frontend_caucase_url_hash_list) }}
+  crt_list = ['%s.crt' % e for e in hash_list]
+  crl_list = ['%s.crl' % e for e in hash_list]
+{% if shared_ca_path -%}
+  crt_list.append('{{ shared_ca_path }}/cacert.pem')
+  crl_list.append('{{ shared_ca_path }}/crl')
+{% endif -%}
+  for path in glob.glob('${apache-conf-ssl:ca-cert-dir}/*.crt'):
+    if os.path.basename(path) not in crt_list:
+      os.unlink(path)
+  for path in glob.glob('${apache-conf-ssl:crl-dir}/*.crl'):
+    if os.path.basename(path) not in crl_list:
+      os.unlink(path)
+  for hash in hash_list:
+    crt = '${directory:srv}/client-cert-ca/%s/ca.crt' % hash
+    crt_link = '${apache-conf-ssl:ca-cert-dir}/%s.crt' % hash
+    crl = '${directory:srv}/client-cert-ca/%s/crl.pem' % hash
+    crl_link = '${apache-conf-ssl:crl-dir}/%s.crl' % hash
+    if os.path.isfile(crt) and not os.path.islink(crt_link):
+      os.symlink(crt, crt_link)
+    if os.path.isfile(crl) and not os.path.islink(crl_link):
+      os.symlink(crl, crl_link)
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:ca-cert-dir}'])
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:crl-dir}'])
+
+[caucase-updater-housekeeper-run]
+recipe = plone.recipe.command
+command = ${caucase-updater-housekeeper:output}
+update-command = ${:command}
+{% endif -%}

 {% set haproxy_dict = {} -%}
 {% set apache_dict = {} -%}
@@ -123,8 +187,27 @@ key = ${directory:apache-conf}/apache.pem
 # XXX caucase certificate is not supported by caddy for now
 caucase-cert = ${directory:apache-conf}/apache-caucase.crt
 caucase-key = ${directory:apache-conf}/apache-caucase.pem
-ca-cert =  ${directory:apache-conf}/ca.crt
-crl = ${directory:apache-conf}/crl.pem
+{% if frontend_caucase_url_list -%}
+depends = ${caucase-updater-housekeeper-run:recipe}
+ca-cert-dir = ${directory:apache-ca-cert-dir}
+crl-dir = ${directory:apache-crl-dir}
+{%- endif %}
+
+[simplefile]
+< = jinja2-template-base
+template = inline:{{ '{{ content }}' }}
+
+{% macro simplefile(section_name, file_path, content, mode='') -%}
+{%   set content_section_name = section_name ~ '-content' -%}
+[{{  content_section_name }}]
+content = {{ dumps(content) }}
+
+[{{  section(section_name) }}]
+< = simplefile
+rendered = {{ file_path }}
+context = key content {{content_section_name}}:content
+mode = {{ mode }}
+{%- endmacro %}

 [apache-ssl]
 {% if ssl_parameter_dict.get('key') -%}
@@ -154,13 +237,10 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
+{% if frontend_caucase_url_list -%}
 # Client x509 auth
-ca-cert = ${apache-conf-ssl:ca-cert}
-crl = ${apache-conf-ssl:crl}
-
-{% if shared_ca_path -%}
-shared-ca-cert = {{ shared_ca_path }}/cacert.pem
-shared-crl = {{ shared_ca_path }}/crl 
+ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
+crl-dir = ${apache-conf-ssl:crl-dir}
 {%- endif %}

 [apache-conf]
@@ -186,8 +266,8 @@ input = inline:
  kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"

 [{{ section('apache-promise') }}]
-# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
 <= monitor-promise-base
+# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
 module = check_port_listening
 name = apache.py
 config-hostname = {{ ipv4 }}
@@ -228,6 +308,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
 [directory]
 recipe = slapos.cookbook:mkdirectory
 apache-conf = ${:etc}/apache
+{% if frontend_caucase_url_list -%}
+apache-ca-cert-dir = ${:apache-conf}/ssl.crt
+apache-crl-dir = ${:apache-conf}/ssl.crl
+{% endif -%}
 bin = ${buildout:directory}/bin
 etc = ${buildout:directory}/etc
 services = ${:etc}/run

--- a/stack/caucase/README.rst
+++ b/stack/caucase/README.rst
@@ -72,7 +72,7 @@ Client
  
  This script allows you to re-issue a CSR using a locally-generated private key.

-.. topic:: ``updater(prefix, buildout_bin_directory, updater_path, url, data_dir, crt_path, ca_path, crl_path, key_path=None, on_renew=None, max_sleep=None, mode='service', template_csr_pem=None, openssl=None)``
+.. topic:: ``updater(prefix, buildout_bin_directory, updater_path, url, data_dir, ca_path, crl_path, crt_path=None, key_path=None, on_renew=None, max_sleep=None, mode='service', template_csr_pem=None, openssl=None)``

  - ``<prefix>``: Creates ``<updater>`` executable file to start ``caucase-updater``, and ``<data_dir>`` directory for its data storage needs.
  

--- a/stack/caucase/buildout.hash.cfg
+++ b/stack/caucase/buildout.hash.cfg
@@ -15,4 +15,4 @@

 [caucase-jinja2-library]
 filename = caucase.jinja2.library
-md5sum = 9a7247cdb2ee1d66c074b0660c54713f
+md5sum = 2e7e61bb0cf41c28d6d811a0283cf03e
--- a/stack/caucase/caucase.jinja2.library
+++ b/stack/caucase/caucase.jinja2.library
@@ -43,9 +43,9 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
  updater_path,
  url,
  data_dir,
-  crt_path,
  ca_path,
  crl_path,
+  crt_path=None,
  key_path=None,
  on_renew=None,
  max_sleep=None,
@@ -59,24 +59,25 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
 recipe = slapos.cookbook:mkdirectory
 data-dir = {{ data_dir }}

-{% if template_csr_pem or template_csr -%}
+{% if crt_path %}
+{%   if template_csr_pem or template_csr -%}
 [{{ prefix }}-provided-csr-content]
-{%   if template_csr_pem %}
+{%     if template_csr_pem %}
 content = {{ dumps(template_csr_pem) }}
-{%   elif template_csr %}
+{%     elif template_csr %}
 content = {{ template_csr }}
-{%   endif %}
+{%     endif %}
 [{{ prefix }}-provided-csr]
 recipe = slapos.recipe.template:jinja2
 mode = 644
-{%   if template_csr_pem %}
+{%     if template_csr_pem %}
 template = inline:{{ '{{ content }}' }}
 rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
 context = key content {{ prefix }}-provided-csr-content:content
-{%   elif template_csr %}
+{%     elif template_csr %}
 template = {{ '${' + prefix }}-provided-csr-content:content}
 rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
-{%   endif %}
+{%     endif %}
 {{   rerequest(
       prefix=prefix ~ '-csr',
       buildout_bin_directory=buildout_bin_directory,
@@ -84,12 +85,13 @@ rendered = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
       csr='${:csr}',
       key=key_path,
 )}}
-{%- else -%}
+{%-   else -%}
 [{{ prefix }}-csr]
 recipe = plone.recipe.command
 command = '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
-{%- endif %}
+{%-   endif %}
 csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
+{%- endif %}

 [{{ prefix }}]
 recipe = slapos.cookbook:wrapper
@@ -98,8 +100,8 @@ command-line = '{{ buildout_bin_directory }}/caucase-updater'
  --ca-url '{{ url }}'
  --cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
  --mode '{{ mode }}'
-  --csr '${ {{- prefix }}-csr:csr}'
-  --crt '{{ crt_path }}'
+  {% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
+  --crt '{{ crt_path }}' {%- endif %}
  --ca '{{ ca_path }}'
  --crl '{{ crl_path }}'
  {% if key_path %}--key '{{ key_path }}' {%- endif %}

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -70,7 +70,7 @@ md5sum = cc19560b9400cecbd23064d55c501eec

 [template]
 filename = instance.cfg.in
-md5sum = f0f3b18f9963b137e366752886591fc3
+md5sum = 328ea2bb5f2bff18f8be8c541c01f260

 [monitor-template-dummy]
 filename = dummy.cfg
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 6851e0c28a025bd26a4d3450204ae335
+md5sum = 0097e49b5bd7ad4978c722c1cdd27d6c

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -2,6 +2,7 @@
 {% set part_list = [] -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
+{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
 per partition. No more (undefined result), no less (IndexError).
@@ -27,8 +28,8 @@ mode = 644
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
     crt_path='${apache-conf-ssl:caucase-cert}',
-     ca_path='${apache-conf-ssl:ca-cert}',
-     crl_path='${apache-conf-ssl:crl}',
+     ca_path='${directory:srv}/caucase-updater/ca.crt',
+     crl_path='${directory:srv}/caucase-updater/crl.pem',
     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
@@ -38,6 +39,64 @@ mode = 644
 {% do section('caucase-updater') -%}
 {% do section('caucase-updater-promise') -%}

+{% set frontend_caucase_url_hash_list = [] -%}
+{% for frontend_caucase_url in frontend_caucase_url_list -%}
+{%   set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
+{%   do frontend_caucase_url_hash_list.append(hash) -%}
+{%   set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
+{{   caucase.updater(
+       prefix='caucase-updater-%s' % hash,
+       buildout_bin_directory=parameter_dict['bin-directory'],
+       updater_path='${directory:services-on-watch}/caucase-updater-%s' % hash,
+       url=frontend_caucase_url,
+       data_dir=data_dir,
+       ca_path='%s/ca.crt' % data_dir,
+       crl_path='%s/crl.pem' % data_dir,
+       on_renew='${caucase-updater-housekeeper:output}; ${apache-graceful:output}',
+       max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
+       openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+     )}}
+{%   do section('caucase-updater-%s' % hash) -%}
+{% endfor -%}
+
+{% if frontend_caucase_url_hash_list -%}
+[caucase-updater-housekeeper]
+recipe = collective.recipe.template
+output = ${directory:bin}/caucase-updater-housekeeper
+mode = 700
+input =
+  inline:
+  #!${buildout:executable}
+  import glob
+  import os
+  import subprocess
+  hash_list = {{ repr(frontend_caucase_url_hash_list) }}
+  crt_list = ['%s.crt' % e for e in hash_list]
+  crl_list = ['%s.crl' % e for e in hash_list]
+  for path in glob.glob('${apache-conf-ssl:ca-cert-dir}/*.crt'):
+    if os.path.basename(path) not in crt_list:
+      os.unlink(path)
+  for path in glob.glob('${apache-conf-ssl:crl-dir}/*.crl'):
+    if os.path.basename(path) not in crl_list:
+      os.unlink(path)
+  for hash in hash_list:
+    crt = '${directory:srv}/client-cert-ca/%s/ca.crt' % hash
+    crt_link = '${apache-conf-ssl:ca-cert-dir}/%s.crt' % hash
+    crl = '${directory:srv}/client-cert-ca/%s/crl.pem' % hash
+    crl_link = '${apache-conf-ssl:crl-dir}/%s.crl' % hash
+    if os.path.isfile(crt) and not os.path.islink(crt_link):
+      os.symlink(crt, crt_link)
+    if os.path.isfile(crl) and not os.path.islink(crl_link):
+      os.symlink(crl, crl_link)
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:ca-cert-dir}'])
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:crl-dir}'])
+
+[caucase-updater-housekeeper-run]
+recipe = plone.recipe.command
+command = ${caucase-updater-housekeeper:output}
+update-command = ${:command}
+{% endif -%}
+
 {% set haproxy_dict = {} -%}
 {% set apache_dict = {} -%}
 {% set zope_virtualhost_monster_backend_dict = {} %}
@@ -123,8 +182,27 @@ key = ${directory:apache-conf}/apache.pem
 # XXX caucase certificate is not supported by caddy for now
 caucase-cert = ${directory:apache-conf}/apache-caucase.crt
 caucase-key = ${directory:apache-conf}/apache-caucase.pem
-ca-cert =  ${directory:apache-conf}/ca.crt
-crl = ${directory:apache-conf}/crl.pem
+{% if frontend_caucase_url_list -%}
+depends = ${caucase-updater-housekeeper-run:recipe}
+ca-cert-dir = ${directory:apache-ca-cert-dir}
+crl-dir = ${directory:apache-crl-dir}
+{%- endif %}
+
+[simplefile]
+< = jinja2-template-base
+template = inline:{{ '{{ content }}' }}
+
+{% macro simplefile(section_name, file_path, content, mode='') -%}
+{%   set content_section_name = section_name ~ '-content' -%}
+[{{  content_section_name }}]
+content = {{ dumps(content) }}
+
+[{{  section(section_name) }}]
+< = simplefile
+rendered = {{ file_path }}
+context = key content {{content_section_name}}:content
+mode = {{ mode }}
+{%- endmacro %}

 [apache-ssl]
 {% if ssl_parameter_dict.get('key') -%}
@@ -154,9 +232,11 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
+{% if frontend_caucase_url_list -%}
 # Client x509 auth
-ca-cert = ${apache-conf-ssl:ca-cert}
-crl = ${apache-conf-ssl:crl}
+ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
+crl-dir = ${apache-conf-ssl:crl-dir}
+{%- endif %}

 [apache-conf]
 < = jinja2-template-base
@@ -209,6 +289,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
 [directory]
 recipe = slapos.cookbook:mkdirectory
 apache-conf = ${:etc}/apache
+{% if frontend_caucase_url_list -%}
+apache-ca-cert-dir = ${:apache-conf}/ssl.crt
+apache-crl-dir = ${:apache-conf}/ssl.crl
+{% endif -%}
 bin = ${buildout:directory}/bin
 etc = ${buildout:directory}/etc
 services = ${:etc}/run

--- a/stack/erp5/instance.cfg.in
+++ b/stack/erp5/instance.cfg.in
@@ -72,6 +72,7 @@ filename = instance-balancer.cfg
 extra-context =
    section parameter_dict dynamic-template-balancer-parameters
    import itertools itertools
+    import hashlib hashlib
 import-list =
    file caucase context:caucase-jinja2-library