Commit 4ba968e4 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Working implementation

Features:

 * shared place for Caddy configuration
 * gather a lot of parameters for caddy executable, as dislike Apache
   Caddy is configured from command line
 * dummy vhost for example.org
 * challanges (ACME SSL) are disabled
 * bind to interfaces are done per site
 * cache access is dummy, but working
 * /server-status redone in Caddy style
 * antiloris dropped, as this is apache specific
 * apache_custom_http and apache_custom_https
 * dropped not needed leftover access-control-string and protected-path
 * nginx replacement added
 * bin/caddy-wrapper is provided in order to allow parameterization of caddy
   over the network
 * access to log files over http is provided
   * username on log access is consistent, it is not uppercased like it was
     originally on apache-frontend
 * list of TODOs in TODO.rst
parent 97ef6396
Generally things to be done with ``caddy-frontend``:
* ``apache-ca-certificate`` shall be merged with ``apache-certificate``
* (new) ``type:websocket`` slave
* ``type:eventsource`` https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_58483
* ``ssl_ca_crt``
* ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy)
* ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)
* ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store`
* ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
* cover test suite like resilient tests for KVM and prove it works the same way as Caddy
* simplify Jijna2 syntax and drop whitespace control, as it is not needed
* make beautiful (eg. with whitespaces and nice comments) generated files (mostly Jinja2)
* have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones (like ``apache_custom_http`` --> ``caddy_custom_http``)
......@@ -4,7 +4,6 @@
# - "^[" section beginings, copied verbatim
# - lines containing an "=" sign which must fit in the following categorie.
# - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
# But avoid directories, they are not portable.
# Copied verbatim.
# - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
# by the re-generation script.
......@@ -19,7 +18,7 @@ md5sum = f686f765e55d1dce2e55a400f0714b3e
[template-apache-frontend]
filename = instance-apache-frontend.cfg
md5sum = b6a2c860ea1cd4bc9d185c7108c52d0a
md5sum = 7414a34216db1cce54b38b59fc762141
[template-apache-replicate]
filename = instance-apache-replicate.cfg.in
......@@ -27,43 +26,39 @@ md5sum = 9e76028df7e93d3e32982884d5dc0913
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
md5sum = 24e514ad6f15859229db46f24a8cd280
md5sum = 74bfedd670b05eb653804075fa7e0d86
[template-slave-configuration]
filename = templates/custom-virtualhost.conf.in
md5sum = d103143e5d50682bd5ad43117d82e2fa
md5sum = 74275ad73b03114c69f80c8f8ae73374
[template-replicate-publish-slave-information]
filename = templates/replicate-publish-slave-information.cfg.in
md5sum = 665e83d660c9b779249b2179d7ce4b4e
[template-apache-frontend-configuration]
filename = templates/apache.conf.in
md5sum = a56045e7b53ff00ab34d2a8f911fc1a1
[template-caddy-frontend-configuration]
filename = templates/Caddyfile.in
md5sum = a8765b3c3af9f4f4f6437028aa42c58f
[template-custom-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
md5sum = 24e514ad6f15859229db46f24a8cd280
md5sum = 74bfedd670b05eb653804075fa7e0d86
[template-not-found-html]
filename = templates/notfound.html
md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-virtualhost]
filename = templates/000.conf.in
md5sum = d98a01182f38868612948c87d5231428
[template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in
md5sum = 7f38084af107034bedefba971abe165c
md5sum = cab1b54a568fb24ed0f409b0f3e5fad2
[template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in
md5sum = 1a1a53d9ac4a1591c017d86850a94796
md5sum = 42a574141f2d8e27669e3848d2e600a1
[template-log-access]
filename = templates/template-log-access.conf.in
md5sum = f85005b430978f3bd24ee7ce11b0e304
md5sum = 82bd8044f51d5b28f8e43b14704c282e
[template-empty]
filename = templates/empty.in
......@@ -73,6 +68,10 @@ md5sum = c2314c3a9c3412a38d14b312d3df83c1
filename = templates/wrapper.in
md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
[template-caddy-wrapper]
filename = templates/caddy-wrapper.in
md5sum = c5816275757124613920078b6bec1caf
[template-trafficserver-records-config]
filename = templates/trafficserver/records.config.jinja2
md5sum = 84baef0a49c9a65e8f2d2ffdb8c1d39c
......@@ -83,20 +82,20 @@ md5sum = 117238225b3fc3c5b5be381815f44c67
[template-nginx-configuration]
filename = templates/nginx.cfg.in
md5sum = 18633ce55e53340efa1ba7693aac4152
md5sum = cdc550b5067f76f1cab24f94178710a4
[template-nginx-eventsource-slave-virtualhost]
filename = templates/nginx-eventsource-slave.conf.in
md5sum = a5186f666acb2f040ede04c91e60408f
md5sum = 7fb09bb130dc463a6736c1f319e798d6
[template-nginx-notebook-slave-virtualhost]
filename = templates/nginx-notebook-slave.conf.in
md5sum = 82d74a7f2aceb2b4a7acc6259291b7f2
md5sum = afa11dda952b2317227e5c72508aeda2
[template-apache-lazy-script-call]
filename = templates/apache-lazy-script-call.sh.in
md5sum = ebe5d3d19923eb812a40019cb11276d8
[template-apache-graceful-script]
filename = templates/apache-graceful-script.sh.in
md5sum = 41299cc64200e7b8217fb9dec20bb8b9
[template-caddy-graceful-script]
filename = templates/caddy-graceful-script.sh.in
md5sum = 455f8765a3afd39fb78562fb9e326c42
......@@ -10,7 +10,6 @@ extends =
../../component/rdiff-backup/buildout.cfg
../../component/trafficserver/buildout.cfg
../../component/nginx/buildout.cfg
../../stack/nodejs.cfg
# Monitoring stack (keep on bottom)
../../stack/monitor/buildout.cfg
......@@ -20,12 +19,10 @@ parts +=
template-apache-frontend
template-apache-replicate
apache
apache-antiloris
dcron
logrotate
rdiff-backup
nginx-push-stream-output
npm-modules
proxy-by-url
http-proxy
......@@ -70,9 +67,9 @@ filename = custom-virtualhost.conf.in
<=download-template
filename = replicate-publish-slave-information.cfg.in
[template-apache-frontend-configuration]
[template-caddy-frontend-configuration]
<=download-template
filename = apache.conf.in
filename = Caddyfile.in
[template-custom-slave-list]
<=download-template
......@@ -82,10 +79,6 @@ filename = apache-default-slave-list.cfg.in
<=download-template
filename = notfound.html
[template-default-virtualhost]
<=download-template
filename = 000.conf.in
[template-default-slave-virtualhost]
<=download-template
filename = default-virtualhost.conf.in
......@@ -102,6 +95,12 @@ filename = template-log-access.conf.in
<=download-template
filename = empty.in
[template-caddy-wrapper]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/templates/caddy-wrapper.in
output = ${buildout:directory}/template-caddy-wrapper.cfg
mode = 0644
[template-wrapper]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/templates/wrapper.in
......@@ -137,9 +136,9 @@ mode = 0644
<=download-template
filename = apache-lazy-script-call.sh.in
[template-apache-graceful-script]
[template-caddy-graceful-script]
<=download-template
filename = apache-graceful-script.sh.in
filename = caddy-graceful-script.sh.in
[template-nginx-eventsource-slave-virtualhost]
<=download-template
......
......@@ -11,9 +11,8 @@ parts =
logrotate-entry-nginx
apache-frontend
switch-apache-softwaretype
frontend-apache-graceful
frontend-caddy-graceful
frontend-nginx-graceful
dynamic-template-default-vh
not-found-html
promise-frontend-apache-configuration
promise-apache-frontend-v4-https
......@@ -123,13 +122,15 @@ configuration.ram-cache-size = 1G
configuration.trafficserver-autoconf-port = 8083
configuration.trafficserver-mgmt-port = 8084
configuration.re6st-verification-url = http://[2001:67c:1254:4::1]/index.html
configuration.enable-http2-by-default = true
configuration.mpm-graceful-shutdown-timeout = 5
[frontend-configuration]
template-log-access = ${template-log-access:target}
log-access-configuration = $${directory:etc}/apache-log-access.conf
apache-directory = ${apache:location}
apache-ipv6 = $${instance-parameter:ipv6-random}
apache-https-port = $${instance-parameter:configuration.port}
caddy-directory = ${caddy:location}
caddy-ipv6 = $${instance-parameter:ipv6-random}
caddy-https-port = $${instance-parameter:configuration.port}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
......@@ -144,23 +145,14 @@ context =
section directory directory
$${:extra-context}
[dynamic-template-default-vh]
< = jinja2-template-base
template = ${template-default-virtualhost:target}
rendered = $${apache-directory:slave-configuration}/000.conf
extensions = jinja2.ext.do
extra-context =
key http_port instance-parameter:configuration.plain_http_port
key https_port instance-parameter:configuration.port
[software-release-path]
template-empty = ${template-empty:target}
template-slave-configuration = ${template-slave-configuration:target}
template-default-slave-virtualhost = ${template-default-slave-virtualhost:target}
template-cached-slave-virtualhost = ${template-cached-slave-virtualhost:target}
caddy-location = ${caddy:location}
template-nginx-eventsource-slave-virtualhost = ${template-nginx-eventsource-slave-virtualhost:target}
template-nginx-notebook-slave-virtualhost = ${template-nginx-notebook-slave-virtualhost:target}
apache-location = ${apache:location}
[dynamic-custom-personal-template-slave-list]
< = jinja2-template-base
......@@ -168,10 +160,10 @@ template = ${template-slave-list:target}
filename = custom-personal-instance-slave-list.cfg
extensions = jinja2.ext.do
extra-context =
key apache_configuration_directory apache-directory:slave-configuration
key nginx_configuration_directory apache-directory:nginx-slave-configuration
key apache_cached_configuration_directory apache-directory:slave-with-cache-configuration
key slave_with_cache_configuration_directory apache-directory:slave-with-cache-configuration
key apache_configuration_directory caddy-directory:slave-configuration
key nginx_configuration_directory caddy-directory:nginx-slave-configuration
key apache_cached_configuration_directory caddy-directory:slave-with-cache-configuration
key slave_with_cache_configuration_directory caddy-directory:slave-with-cache-configuration
key http_port instance-parameter:configuration.plain_http_port
key https_port instance-parameter:configuration.port
key nginx_http_port instance-parameter:configuration.plain_nginx_port
......@@ -179,9 +171,10 @@ extra-context =
key public_ipv4 instance-parameter:configuration.public-ipv4
key slave_instance_list instance-parameter:slave-instance-list
key extra_slave_instance_list instance-parameter:configuration.extra_slave_instance_list
key custom_ssl_directory apache-directory:vh-ssl
key apache_log_directory apache-directory:slave-log
key custom_ssl_directory caddy-directory:vh-ssl
key apache_log_directory caddy-directory:slave-log
key local_ipv4 instance-parameter:ipv4-random
key local_ipv6 instance-parameter:ipv6-random
key global_ipv6 slap-network-information:global-ipv6
key varnginx directory:varnginx
key empty_template software-release-path:template-empty
......@@ -191,7 +184,7 @@ extra-context =
key template_eventsource_slave_configuration software-release-path:template-nginx-eventsource-slave-virtualhost
key template_notebook_slave_configuration software-release-path:template-nginx-notebook-slave-virtualhost
raw software_type single-custom-personal
key frontend_lazy_graceful_reload frontend-apache-lazy-graceful:rendered
key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered
section logrotate_dict logrotate
section frontend_configuration frontend-configuration
section apache_configuration apache-configuration
......@@ -200,6 +193,12 @@ extra-context =
key promise_directory monitor-directory:promises
key report_directory monitor-directory:reports
raw bin_directory ${buildout:bin-directory}
key login_certificate ca-frontend:cert-file
key login_key ca-frontend:key-file
key login_ca_crt ca-custom-frontend:rendered
key enable_http2_by_default instance-parameter:configuration.enable-http2-by-default
key access_log apache-configuration:access-log
key error_log apache-configuration:error-log
[dynamic-virtualhost-template-slave]
<= jinja2-template-base
......@@ -215,54 +214,63 @@ extra-context =
# Deploy Apache Frontend (new way, no recipe, jinja power)
[dynamic-apache-frontend-template]
< = jinja2-template-base
template = ${template-apache-frontend-configuration:target}
template = ${template-caddy-frontend-configuration:target}
rendered = $${apache-configuration:frontend-configuration}
extra-context =
key httpd_home software-release-path:apache-location
key httpd_mod_ssl_cache_directory apache-directory:mod-ssl
key domain instance-parameter:configuration.domain
key document_root apache-directory:document-root
key httpd_home software-release-path:caddy-location
key httpd_mod_ssl_cache_directory caddy-directory:mod-ssl
key document_root caddy-directory:document-root
key instance_home buildout:directory
key ipv4_addr instance-parameter:ipv4-random
key ipv6_addr instance-parameter:ipv6-random
key http_port instance-parameter:configuration.plain_http_port
key https_port instance-parameter:configuration.port
key server_admin instance-parameter:configuration.server-admin
key protected_path apache-configuration:protected-path
key access_control_string apache-configuration:access-control-string
key login_certificate ca-frontend:cert-file
key login_key ca-frontend:key-file
key login_ca_crt ca-custom-frontend:rendered
key ca_dir certificate-authority:ca-dir
key ca_crl certificate-authority:ca-crl
key access_log apache-configuration:access-log
key error_log apache-configuration:error-log
key pid_file apache-configuration:pid-file
key slave_configuration_directory apache-directory:slave-configuration
key slave_configuration_directory caddy-directory:slave-configuration
key cached_port apache-configuration:cache-through-port
key ssl_cached_port apache-configuration:ssl-cache-through-port
key slave_with_cache_configuration_directory apache-directory:slave-with-cache-configuration
key slave_with_cache_configuration_directory caddy-directory:slave-with-cache-configuration
section frontend_configuration frontend-configuration
key http_port instance-parameter:configuration.plain_http_port
key https_port instance-parameter:configuration.port
key local_ipv4 instance-parameter:ipv4-random
key global_ipv6 slap-network-information:global-ipv6
key error_log apache-configuration:error-log
key username slap-parameter:monitor-username
key password slap-parameter:monitor-password
[caddy-wrapper]
< = jinja2-template-base
template = ${template-caddy-wrapper:output}
rendered = $${directory:bin}/caddy-wrapper
mode = 0700
extra-context =
raw caddy ${caddy:output}
key conf dynamic-apache-frontend-template:rendered
key log apache-configuration:error-log
key grace instance-parameter:configuration.mpm-graceful-shutdown-timeout
[apache-frontend]
recipe = slapos.cookbook:wrapper
command-line = ${apache:location}/bin/httpd -f $${dynamic-apache-frontend-template:rendered} -DFOREGROUND
wrapper-path = $${directory:service}/frontend_apache
command-line = $${caddy-wrapper:rendered} -pidfile $${caddy-configuration:pid-file}
wrapper-path = $${directory:service}/frontend_caddy
wait-for-files =
$${ca-frontend:cert-file}
$${ca-frontend:key-file}
[not-found-html]
recipe = slapos.cookbook:symbolic.link
target-directory = $${apache-directory:document-root}
target-directory = $${caddy-directory:document-root}
link-binary =
${template-not-found-html:target}
[apache-directory]
[caddy-directory]
recipe = slapos.cookbook:mkdirectory
document-root = $${directory:srv}/htdocs
slave-configuration = $${directory:etc}/apache-slave-conf.d/
slave-with-cache-configuration = $${directory:etc}/apache-slave-with-cache-conf.d/
slave-configuration = $${directory:etc}/caddy-slave-conf.d/
slave-with-cache-configuration = $${directory:etc}/caddy-slave-with-cache-conf.d/
cache = $${directory:var}/cache
mod-ssl = $${:cache}/httpd_mod_ssl
vh-ssl = $${:slave-configuration}/ssl
......@@ -270,13 +278,11 @@ slave-log = $${directory:log}/httpd
nginx-slave-configuration = $${directory:etc}/nginx-slave-conf.d/
[apache-configuration]
frontend-configuration = $${directory:etc}/apache_frontend.conf
frontend-configuration = $${directory:etc}/Caddyfile
access-log = $${directory:log}/frontend-apache-access.log
error-log = $${directory:log}/frontend-apache-error.log
pid-file = $${directory:run}/httpd.pid
protected-path = /
access-control-string = none
frontend-configuration-verification = ${apache:location}/bin/httpd -Sf $${:frontend-configuration} > /dev/null
frontend-configuration-verification = $${caddy-wrapper:rendered} -validate > /dev/null
frontend-graceful-command = $${:frontend-configuration-verification}; if [ $? -eq 0 ]; then kill -USR1 $(cat $${:pid-file}); fi
# Comunication with ats
......@@ -287,8 +293,8 @@ ssl-cache-through-port = 26012
# Create wrapper for "apachectl conftest" in bin
[configtest]
recipe = slapos.cookbook:wrapper
command-line = ${apache:location}/bin/httpd -f $${directory:etc}/apache_frontend.conf -t
wrapper-path = $${directory:bin}/apache-configtest
command-line = $${caddy-wrapper:rendered} -validate
wrapper-path = $${directory:bin}/caddy-configtest
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
......@@ -314,8 +320,8 @@ crl = $${directory:ca-dir}/crl/
recipe = slapos.cookbook:certificate_authority.request
key-file = $${cadirectory:certs}/apache_frontend.key
cert-file = $${cadirectory:certs}/apache_frontend.crt
executable = $${directory:service}/frontend_apache
wrapper = $${directory:service}/frontend_apache
executable = $${directory:service}/frontend_caddy
wrapper = $${directory:service}/frontend_caddy
key-content = $${instance-parameter:configuration.apache-key}
cert-content = $${instance-parameter:configuration.apache-certificate}
# Put domain name
......@@ -370,7 +376,7 @@ name = apache
log = $${apache-configuration:error-log} $${apache-configuration:access-log}
frequency = daily
rotatep-num = 30
post = $${frontend-apache-lazy-graceful:rendered} &
post = $${frontend-caddy-lazy-graceful:rendered} &
sharedscripts = true
notifempty = true
create = true
......@@ -497,28 +503,29 @@ mode = 700
### End of ATS sections
### Apaches Graceful and promises
[frontend-apache-graceful-bin]
[frontend-caddy-graceful-bin]
< = jinja2-template-base
template = ${template-wrapper:output}
rendered = $${directory:bin}/frontend-apache-safe-graceful
rendered = $${directory:bin}/frontend-caddy-safe-graceful
mode = 0700
extra-context =
key content apache-configuration:frontend-graceful-command
[frontend-apache-graceful]
[frontend-caddy-graceful]
< = jinja2-template-base
template = ${template-apache-graceful-script:target}
rendered = $${directory:etc-run}/frontend-apache-safe-graceful
template = ${template-caddy-graceful-script:target}
rendered = $${directory:etc-run}/frontend-caddy-safe-graceful
mode = 0700
extra-context =
key directory_run directory:run
key directory_etc directory:etc
key apache_graceful_reload_command apache-configuration:frontend-graceful-command
key directory_bin directory:bin
key caddy_graceful_reload_command apache-configuration:frontend-graceful-command
[frontend-apache-lazy-graceful]
[frontend-caddy-lazy-graceful]
< = jinja2-template-base
template = ${template-apache-lazy-script-call:target}
rendered = $${directory:bin}/frontend-apache-lazy-graceful
rendered = $${directory:bin}/frontend-caddy-lazy-graceful
mode = 0700
pid-file = $${directory:run}/lazy-graceful.pid
extra-context =
......@@ -674,9 +681,20 @@ curl_path = ${curl:location}/bin/curl
#######################
# Nginx
#
[nginx-wrapper]
< = jinja2-template-base
template = ${template-caddy-wrapper:output}
rendered = $${directory:bin}/nginx-wrapper
mode = 0700
extra-context =
raw caddy ${caddy:output}
key conf nginx-configuration:output
key log nginx-configuration:error_log
key grace instance-parameter:configuration.mpm-graceful-shutdown-timeout
[nginx-frontend]
recipe = slapos.cookbook:wrapper
command-line = ${nginx-push-stream:location}/sbin/nginx -c $${nginx-configuration:output}
command-line = $${nginx-wrapper:rendered} -pidfile $${nginx-configuration:pid-file}
wrapper-path = $${directory:service}/frontend_nginx
[nginx-configuration]
......@@ -692,10 +710,12 @@ port = $${instance-parameter:configuration.nginx_port}
plain_port = $${instance-parameter:configuration.plain_nginx_port}
worker_processes = 4
worker_connections = 1024
slave-configuration-directory = $${apache-directory:nginx-slave-configuration}
slave-configuration-directory = $${caddy-directory:nginx-slave-configuration}
pid-file = $${directory:run}/nginx.pid
nginx-graceful-command = $${:nginx-configuration-verification}; if [ $? -eq 0 ]; then kill -HUP $(cat $${:pid-file}); fi
nginx-configuration-verification = ${nginx-push-stream:location}/sbin/nginx -t -c $${nginx-configuration:output}
nginx-configuration-verification = $${nginx-wrapper:rendered} -validate
ssl_certificate = $${ca-frontend:cert-file}
ssl_key = $${ca-frontend:key-file}
[frontend-nginx-graceful]
< = jinja2-template-base
......
<VirtualHost *:{{ https_port }}>
ServerName www.example.org
SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
ErrorDocument 404 /notfound.html
</VirtualHost>
<VirtualHost *:{{ http_port }}>
ServerName www.example.org
ErrorDocument 404 /notfound.html
</VirtualHost>
\ No newline at end of file
# Automatically generated
# As backend is trusting REMOTE_USER header unset it always
# TODO-Caddy RequestHeader unset REMOTE_USER
# TODO-Caddy <Directory {{ document_root }}>
# TODO-Caddy Require all granted
# TODO-Caddy Options -Indexes
# TODO-Caddy ErrorDocument 404 /notfound.html
# TODO-Caddy RewriteEngine on
# TODO-Caddy RewriteRule ^/?$ notfound.html [R=404,L]
# TODO-Caddy </Directory>
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
# TODO-Caddy BrowserMatch "Mozilla/2" nokeepalive
# TODO-Caddy BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
# TODO-Caddy downgrade-1.0 force-response-1.0
# TODO-Caddy BrowserMatch "RealPlayer 4\.0" force-response-1.0
# TODO-Caddy BrowserMatch "Java/1\.0" force-response-1.0
# TODO-Caddy BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
# TODO-Caddy BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
# TODO-Caddy BrowserMatch "MS FrontPage" redirect-carefully
# TODO-Caddy BrowserMatch "^WebDrive" redirect-carefully
# TODO-Caddy BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# TODO-Caddy BrowserMatch "^gnome-vfs" redirect-carefully
# TODO-Caddy BrowserMatch "^XML Spy" redirect-carefully
# TODO-Caddy BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
# Deflate
# TODO-Caddy AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
# TODO-Caddy BrowserMatch ^Mozilla/4 gzip-only-text/html
# TODO-Caddy BrowserMatch ^Mozilla/4\.0[678] no-gzip
# TODO-Caddy BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# SSL Configuration
# TODO-Caddy {% if slapparameter_dict.get('apache-ca-certificate') %}
# TODO-Caddy SSLCACertificateFile {{ login_ca_crt }}
# TODO-Caddy {% endif %}
# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
# TODO-Caddy SSLHonorCipherOrder on
# TODO-Caddy <FilesMatch "\.(cgi|shtml|phtml|php)$">
# TODO-Caddy SSLOptions +StdEnvVars
# TODO-Caddy </FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
# TODO-Caddy SSLProxyCheckPeerCN off
# TODO-Caddy SSLProxyCheckPeerExpire off
import {{frontend_configuration.get('log-access-configuration')}}
import {{ slave_configuration_directory }}/*.conf
import {{ slave_with_cache_configuration_directory }}/*.conf
https://[{{ global_ipv6 }}]:{{ https_port }}/, https://{{ local_ipv4 }}:{{ https_port }}/ {
tls {{ login_certificate }} {{ login_key }}
bind {{ local_ipv4 }}
status 404 /
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
tls {{ login_certificate }} {{ login_key }}
bind {{ local_ipv4 }}
basicauth "{{ username }}" {{ password }} {
"Server Status"
/
}
expvar
pprof
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
http://[{{ global_ipv6 }}]:{{ http_port }}/, http://{{ local_ipv4 }}:{{ http_port }}/ {
bind {{ local_ipv4 }}
status 404 /
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
# TODO-Caddy ErrorDocument 404 /notfound.html
# TODO-Caddy RewriteRule (.*) /notfound.html [R=404,L]
......@@ -9,7 +9,7 @@
{% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) -%}
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{% set NGINX_TYPE_LIST = ['eventsource', 'notebook'] -%}
{% set generic_instance_parameter_dict = {'cache_access': cache_access,} -%}
{% set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port} %}
{% set slave_log_dict = {} -%}
{% if extra_slave_instance_list -%}
{% set slave_instance_information_list = [] -%}
......@@ -47,7 +47,6 @@ crl = {{ custom_ssl_directory }}/crl/
{# Loop throught slave list to set up slaves #}
{% for slave_instance in slave_instance_list -%}
{# # Do all set and do upper, so it makes easy to read the file later #}
{% set slave_reference = slave_instance.get('slave_reference') -%}
{% set slave_type = slave_instance.get('type', '') -%}
{% set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%}
......@@ -57,10 +56,9 @@ crl = {{ custom_ssl_directory }}/crl/
{% set slave_logrotate_section = slave_reference + "-logs" -%}
{% set slave_password_section = slave_reference + "-password" -%}
{% set slave_ln_section = slave_reference + "-ln" -%}
{% set slave_htaccess_section = slave_reference + '-htaccess' %}
{# extend parts #}
{% do part_list.extend([slave_htaccess_section, slave_ln_section]) -%}
{% do part_list.extend([slave_ln_section]) -%}
{% do part_list.extend([slave_logrotate_section, slave_section_title]) -%}
{% set slave_log_folder = logrotate_dict.get('backup') + '/' + slave_reference + "-logs" -%}
......@@ -74,7 +72,7 @@ crl = {{ custom_ssl_directory }}/crl/
{# Add slave log directory to the slave log access dict #}
{% do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %}
{% set slave_log_access_url = 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('apache-ipv6') + ']:' + frontend_configuration.get('apache-https-port') + '/' + slave_reference.lower() + '/' %}
{% set slave_log_access_url = 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('caddy-ipv6') + ']:' + frontend_configuration.get('caddy-https-port') + '/' + slave_reference.lower() + '/' %}
{% do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
{% do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
{% do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %}
......@@ -101,16 +99,19 @@ crl = {{ custom_ssl_directory }}/crl/
{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
{% endif -%}
{% if not slave_instance.has_key('apache_custom_http') %}
{% if not slave_instance.has_key('apache_custom_http') and not slave_instance.has_key('apache_custom_https') %}
{% do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) -%}
{% do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
{% endif -%}
[slave-log-directories]
[slave-log-directory-dict]
{{slave_reference}} = {{ slave_log_folder }}
[slave-password]
{{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}
{# Set slave logrotate entry #}
[{{slave_logrotate_section}}]
<= logrotate
......@@ -131,13 +132,6 @@ recipe = slapos.cookbook:generate.password
storage-path = {{apache_configuration_directory}}/.{{slave_reference}}.passwd
bytes = 8
{# Set up htaccess file for slave #}
[{{slave_htaccess_section}}]
recipe = plone.recipe.command
stop-on-error = true
htaccess-path = {{apache_configuration_directory}}/.{{slave_reference}}.htaccess
command = {{frontend_configuration.get('apache-directory')}}/bin/htpasswd -cb ${:htaccess-path} {{ slave_reference }} {{ '${' + slave_password_section + ':passwd}' }}
{# ################################################## #}
{# Set Slave Certificates if needed #}
......@@ -162,6 +156,13 @@ value = {{ dumps(slave_instance.get(cert_name)) }}
{% endif -%}
{% endfor -%}
{#- Set Up Certs #}
{%- do slave_instance.__setitem__('login_certificate', login_certificate) %}
{%- do slave_instance.__setitem__('login_key', login_key) %}
{%- do slave_instance.__setitem__('login_ca_crt', login_ca_crt) %}
{%- do slave_instance.__setitem__('enable_http2_by_default', enable_http2_by_default) %}
{%- do slave_parameter_dict.__setitem__('ssl_crt', login_certificate) %}
{%- do slave_parameter_dict.__setitem__('ssl_key', login_key) %}
{% if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance -%}
{% set cert_title = '%s-crt' % (slave_reference) -%}
{% set key_title = '%s-key' % (slave_reference) -%}
......@@ -320,6 +321,7 @@ extra-context =
{% endfor %}
[slave-log-directories]
<= slave-log-directory-dict
recipe = slapos.cookbook:mkdirectory
{# Define log access #}
......@@ -328,9 +330,19 @@ recipe = slapos.cookbook:mkdirectory
template = {{frontend_configuration.get('template-log-access')}}
rendered = {{frontend_configuration.get('log-access-configuration')}}
extra-context =
section slave_log_directory slave-log-directories
section slave_log_directory slave-log-directory-dict
section slave_password slave-password
raw apache_log_directory {{apache_log_directory}}
raw apache_configuration_directory {{apache_configuration_directory}}
raw local_ipv4 {{ local_ipv4 }}
raw local_ipv6 {{ local_ipv6 }}
raw https_port {{ https_port }}
raw http_port {{ http_port }}
raw global_ipv6 {{ global_ipv6 }}
raw login_certificate {{ login_certificate }}
raw login_key {{ login_key }}
raw access_log {{ access_log }}
raw error_log {{ error_log }}
{# Publish information for the instance #}
[publish-apache-information]
......
#!/bin/sh
RUN_DIR={{ directory_run }}
ETC_DIR={{ directory_etc }}
APACHE_SIGNATURE_FILE=$RUN_DIR/apache_configuration.signature
NAPACHE_SIGNATURE_FILE=$RUN_DIR/napache_configuration.signature
touch $APACHE_SIGNATURE_FILE
sha256sum $ETC_DIR/apache*.conf $ETC_DIR/apache-*.d/*.conf $ETC_DIR/apache-*.d/ssl/*.*key $ETC_DIR/apache-*.d/ssl/*.*crt* | sort -k 66 > $NAPACHE_SIGNATURE_FILE
# If no diff, no restart for now
if diff "$APACHE_SIGNATURE_FILE" "$NAPACHE_SIGNATURE_FILE"; then
echo "Nothing Changed, so nothing to reload"
exit 0
fi
echo "Reloading apache.."
{{ apache_graceful_reload_command }}
mv "$NAPACHE_SIGNATURE_FILE" "$APACHE_SIGNATURE_FILE"
# Apache configuration file for Zope
# Automatically generated
# Basic server configuration
PidFile "{{ pid_file }}"
ServerName {{ domain }}
DocumentRoot {{ document_root }}
ServerRoot {{ instance_home }}
{{ "Listen %s:%s" % (ipv4_addr, cached_port) }}
{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port) }}
{% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%}
{% for port in (http_port, https_port) -%}
{{ "Listen %s:%s" % (ip, port) }}
{% endfor -%}
{% endfor -%}
ServerAdmin {{ server_admin }}
TypesConfig {{ httpd_home }}/conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# As backend is trusting REMOTE_USER header unset it always
RequestHeader unset REMOTE_USER
ServerTokens Prod
# Disable TRACE Method
TraceEnable off
# Log configuration
ErrorLog "{{ error_log }}"
LogLevel notice
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common
# CustomLog "{{ access_log }}" common
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ access_log }}" combined
<Directory {{ protected_path }}>
Order Deny,Allow
Allow from {{ access_control_string }}
</Directory>
<Directory {{ document_root }}>
Require all granted
Options -Indexes
ErrorDocument 404 /notfound.html
RewriteEngine on
RewriteRule ^/?$ notfound.html [R=404,L]
</Directory>
# List of modules
LoadModule unixd_module {{ httpd_home }}/modules/mod_unixd.so
LoadModule access_compat_module {{ httpd_home }}/modules/mod_access_compat.so
LoadModule authz_core_module {{ httpd_home }}/modules/mod_authz_core.so
LoadModule authz_host_module {{ httpd_home }}/modules/mod_authz_host.so
LoadModule authn_core_module {{ httpd_home }}/modules/mod_authn_core.so
LoadModule log_config_module {{ httpd_home }}/modules/mod_log_config.so
LoadModule deflate_module {{ httpd_home }}/modules/mod_deflate.so
LoadModule setenvif_module {{ httpd_home }}/modules/mod_setenvif.so
LoadModule version_module {{ httpd_home }}/modules/mod_version.so
LoadModule proxy_module {{ httpd_home }}/modules/mod_proxy.so
LoadModule proxy_http_module {{ httpd_home }}/modules/mod_proxy_http.so
LoadModule ssl_module {{ httpd_home }}/modules/mod_ssl.so
LoadModule mime_module {{ httpd_home }}/modules/mod_mime.so
LoadModule dav_module {{ httpd_home }}/modules/mod_dav.so
LoadModule dav_fs_module {{ httpd_home }}/modules/mod_dav_fs.so
LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so
LoadModule rewrite_module {{ httpd_home }}/modules/mod_rewrite.so
LoadModule headers_module {{ httpd_home }}/modules/mod_headers.so
LoadModule cache_module {{ httpd_home }}/modules/mod_cache.so
LoadModule cache_socache_module {{ httpd_home }}/modules/mod_cache_socache.so
LoadModule socache_shmcb_module {{ httpd_home }}/modules/mod_socache_shmcb.so
LoadModule antiloris_module {{ httpd_home }}/modules/mod_antiloris.so
LoadModule alias_module {{ httpd_home }}/modules/mod_alias.so
LoadModule autoindex_module {{ httpd_home }}/modules/mod_autoindex.so
LoadModule auth_basic_module {{ httpd_home }}/modules/mod_auth_basic.so
LoadModule authz_user_module {{ httpd_home }}/modules/mod_authz_user.so
LoadModule authn_file_module {{ httpd_home }}/modules/mod_authn_file.so
LoadModule filter_module {{ httpd_home }}/modules/mod_filter.so
LoadModule http2_module {{ httpd_home }}/modules/mod_http2.so
LoadModule info_module {{ httpd_home }}/modules/mod_info.so
LoadModule status_module {{ httpd_home }}/modules/mod_status.so
LoadModule reqtimeout_module {{ httpd_home }}/modules/mod_reqtimeout.so
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
{% if slapparameter_dict.get('enable-http2-by-default', 'true') == 'true' %}
Protocols h2 http/1.1
{% endif %}
# Increase IPReadLimit to 10
<IfModule antiloris_module>
# IPReadLimit - Maximum simultaneous connections in READ state per IP address
IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }}
</IfModule>
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from All
AuthType basic
AuthName "Apache Server Status"
AuthBasicProvider file
AuthUserFile {{ instance_home }}/etc/monitor-htpasswd
Require valid-user
</Location>
ServerLimit {{ slapparameter_dict.get('mpm-server-limit', '16') }}
MaxClients {{ slapparameter_dict.get('mpm-max-clients', '400') }}
StartServers {{ slapparameter_dict.get('mpm-start-servers', '3') }}
ThreadsPerChild {{ slapparameter_dict.get('mpm-thread-per-child', '25') }}
#MaxRequestsPerChild 0 // Default value is 0
GracefulShutdownTimeout {{ slapparameter_dict.get('mpm-graceful-shutdown-timeout', '5') }}
# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# SSL Configuration
SSLCertificateFile {{ login_certificate }}
SSLCertificateKeyFile {{ login_key }}
{% if slapparameter_dict.get('apache-ca-certificate') %}
SSLCACertificateFile {{ login_ca_crt }}
{% endif %}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
include {{frontend_configuration.get('log-access-configuration')}}
includeoptional {{ slave_configuration_directory }}/*.conf
includeoptional {{ slave_with_cache_configuration_directory }}/*.conf
ErrorDocument 404 /notfound.html
RewriteRule (.*) /notfound.html [R=404,L]
......@@ -2,50 +2,50 @@
{% set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
# Only accept generic (i.e not Zope) backends on http
<VirtualHost *:{{ cached_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
{%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }}
{% endfor %}
SSLProxyEngine on
# TODO-Caddy # Only accept generic (i.e not Zope) backends on http
# TODO-Caddy <VirtualHost *:{{ cached_port }}>
# TODO-Caddy ServerName {{ slave_parameter.get('custom_domain') }}
# TODO-Caddy {%- for server_alias in server_alias_list %}
# TODO-Caddy ServerAlias {{ server_alias }}
# TODO-Caddy {% endfor %}
# TODO-Caddy SSLProxyEngine on
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
</VirtualHost>
<VirtualHost *:{{ ssl_cached_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
{%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }}
{% endfor %}
SSLProxyEngine on
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
</VirtualHost>
# TODO-Caddy {% if ssl_proxy_verify -%}
# TODO-Caddy {% if 'ssl_proxy_ca_crt' in slave_parameter -%}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# TODO-Caddy {% endif %}
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
# TODO-Caddy {% endif %}
# TODO-Caddy # Rewrite part
# TODO-Caddy ProxyPreserveHost On
# TODO-Caddy ProxyTimeout 600
# TODO-Caddy RewriteEngine On
# TODO-Caddy
# TODO-Caddy RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
# TODO-Caddy </VirtualHost>
# TODO-Caddy <VirtualHost *:{{ ssl_cached_port }}>
# TODO-Caddy ServerName {{ slave_parameter.get('custom_domain') }}
# TODO-Caddy {%- for server_alias in server_alias_list %}
# TODO-Caddy ServerAlias {{ server_alias }}
# TODO-Caddy {% endfor %}
# TODO-Caddy SSLProxyEngine on
# TODO-Caddy
# TODO-Caddy {% if ssl_proxy_verify -%}
# TODO-Caddy {% if 'ssl_proxy_ca_crt' in slave_parameter -%}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# TODO-Caddy {% endif %}
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
# TODO-Caddy {% endif %}
# TODO-Caddy # Rewrite part
# TODO-Caddy ProxyPreserveHost On
# TODO-Caddy ProxyTimeout 600
# TODO-Caddy RewriteEngine On
# TODO-Caddy
# TODO-Caddy RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
# TODO-Caddy </VirtualHost>
# TODO-Caddy
#!/bin/sh
RUN_DIR={{ directory_run }}
ETC_DIR={{ directory_etc }}
BIN_DIR={{ directory_bin }}
CADDY_SIGNATURE_FILE=$RUN_DIR/caddy_configuration.signature
NCADDY_SIGNATURE_FILE=$RUN_DIR/ncaddy_configuration.signature
touch $CADDY_SIGNATURE_FILE
sha256sum $ETC_DIR/Caddyfile $ETC_DIR/log-access.conf $ETC_DIR/caddy-*.d/*.conf $ETC_DIR/caddy-*.d/ssl/*.*key $ETC_DIR/caddy-*.d/ssl/*.*crt* | sort -k 66 > $NCADDY_SIGNATURE_FILE
# If no diff, no restart for now
if diff "$CADDY_SIGNATURE_FILE" "$NCADDY_SIGNATURE_FILE"; then
echo "Nothing Changed, so nothing to reload"
exit 0
fi
echo "Reloading caddy.."
{{ caddy_graceful_reload_command }}
mv "$NCADDY_SIGNATURE_FILE" "$CADDY_SIGNATURE_FILE"
#!${dash-output:dash}
exec {{ caddy }} \
-conf {{ conf }} \
-log {{ log }} \
-http2=true \
-grace {{ grace }}s \
-disable-http-challenge \
-disable-tls-sni-challenge \
"$@"
<VirtualHost *:{{ https_port }}>
{{ slave_parameter.get('apache_custom_https', '') }}
</VirtualHost>
<VirtualHost *:{{ http_port }}>
{{ slave_parameter.get('apache_custom_https', '') }}
</VirtualHost>
{{ slave_parameter.get('apache_custom_http', '') }}
\ No newline at end of file
......@@ -3,171 +3,177 @@
{%- set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%}
{%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%}
{%- set server_alias_list = slave_parameter.get('server-alias', '').split() -%}
{%- set enable_h2 = ('' ~ slave_parameter.get('enable-http2', 'true')).lower() in TRUE_VALUES -%}
{%- set enable_h2 = ('' ~ slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default'])).lower() in TRUE_VALUES -%}
{%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() -%}
{%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
{%- set slave_type = slave_parameter.get('type', '') -%}
{%- set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
('SSLCertificateKeyFile', 'path_to_ssl_key'),
('SSLCACertificateFile', 'path_to_ssl_ca_crt'),
('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%}
{%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list -%}
{%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')) %}
{%- set http_host_list = [] %}
{%- set https_host_list = [] %}
{%- for host in host_list %}
{%- do http_host_list.append('http://%s:%s' % (host, http_port)) %}
{%- do https_host_list.append('https://%s:%s' % (host, https_port)) %}
{%- endfor %}
{{ https_host_list|join(', ') }} {
bind {{ local_ipv4 }}
# TODO-Caddy bind {{ local_ipv6 }}
tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{%- if slave_parameter.get('path_to_ssl_ca_crt') %}
clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
{%- endif %}
}
# TODO-Caddy # One Slave two logs
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ slave_parameter.get('access_log') }} {combined}
errors {{ slave_parameter.get('error_log') }}
<VirtualHost *:{{ https_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
ServerAlias {{ slave_parameter.get('custom_domain') }}
{%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }}
{% endfor %}
SSLEngine on
SSLProxyEngine on
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %}
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
# TODO-Caddy SSLHonorCipherOrder on
{% if enable_h2 %}
Protocols h2 http/1.1
{% endif -%}
{% for key, value in ssl_configuration_list -%}
{% if value in slave_parameter -%}
{{ ' %s' % key }} {{ slave_parameter.get(value) }}
# TODO-Caddy Protocols h2 http/1.1
{% endif -%}
{% endfor -%}
# One Slave two logs
ErrorLog "{{ slave_parameter.get('error_log') }}"
LogLevel notice
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ slave_parameter.get('access_log') }}" combined
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
# TODO-Caddy # Rewrite part
# TODO-Caddy ProxyPreserveHost On
# TODO-Caddy ProxyTimeout 600
# TODO-Caddy RewriteEngine On
{% if disable_via_header %}
Header unset Via
# TODO-Caddy Header unset Via
{% endif -%}
{% if disable_no_cache_header %}
RequestHeader unset Cache-Control
RequestHeader unset Pragma
# TODO-Caddy RequestHeader unset Cache-Control
# TODO-Caddy RequestHeader unset Pragma
{% endif -%}
{%- for disabled_cookie in disabled_cookie_list %}
{{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
# TODO-Caddy {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
{% endfor -%}
{%- if prefer_gzip %}
RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
# TODO-Caddy RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}
{% if slave_type == 'zope' -%}
{% if 'default-path' in slave_parameter %}
RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
# TODO-Caddy RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
{% endif -%}
# First, we check if we have a zope backend server
# If so, let's use Virtual Host Monster rewrite
# We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/VirtualHostBase/https//%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
# TODO-Caddy RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/VirtualHostBase/https//%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% elif slave_type == 'redirect' -%}
RewriteRule (.*) {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L]
# TODO-Caddy RewriteRule (.*) {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L]
{% else -%}
{% if 'default-path' in slave_parameter %}
RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
redir 301 {
if {path} is /
/ {scheme}://{host}/{{ slave_parameter.get('default-path') }}
}
{% endif -%}
RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/$1 [L,P]
{%- if backend_url %}
proxy / {{ backend_url }} {
transparent
{%- if not ssl_proxy_verify %}
insecure_skip_verify
{%- endif %}
}
{%- endif %}
{% endif -%}
</VirtualHost>
}
<VirtualHost *:{{ http_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
ServerAlias {{ slave_parameter.get('custom_domain') }}
{{ http_host_list|join(', ') }} {
bind {{ local_ipv4 }}
# TODO-Caddy bind {{ local_ipv6 }}
{%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }}
{% endfor %}
log / {{ slave_parameter.get('access_log') }} {combined}
errors {{ slave_parameter.get('error_log') }}
SSLProxyEngine on
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
# TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
# TODO-Caddy SSLProxyVerify require
# TODO-Caddy #SSLProxyCheckPeerCN on
# TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
# TODO-Caddy # Rewrite part
# TODO-Caddy ProxyPreserveHost On
# TODO-Caddy ProxyTimeout 600
{% if disable_via_header %}
Header unset Via
# TODO-Caddy Header unset Via
{% endif -%}
RewriteEngine On
# TODO-Caddy RewriteEngine On
# One Slave two logs
ErrorLog "{{ slave_parameter.get('error_log') }}"
LogLevel notice
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ slave_parameter.get('access_log') }}" combined
# TODO-Caddy # One Slave two logs
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
# Remove "Secure" from cookies, as backend may be https
Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
# TODO-Caddy # Remove "Secure" from cookies, as backend may be https
# TODO-Caddy Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
{% if enable_h2 %}
Protocols h2 http/1.1
# TODO-Caddy Protocols h2 http/1.1
{% endif -%}
{% if disable_no_cache_header %}
RequestHeader unset Cache-Control
RequestHeader unset Pragma
# TODO-Caddy RequestHeader unset Cache-Control
# TODO-Caddy RequestHeader unset Pragma
{% endif -%}
{%- for disabled_cookie in disabled_cookie_list %}
{{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
# TODO-Caddy {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
{% endfor -%}
{%- if prefer_gzip %}
RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
# TODO-Caddy RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}
# Next line is forbidden and people who copy it will be hanged short
{% if https_only -%}
# Not using HTTPS? Ask that guy over there.
# Dummy redirection to https. Note: will work only if https listens
# on standard port (443).
RewriteCond %{SERVER_PORT} !^{{ https_port }}$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [NC,R,L]
{%- if https_only %}
redir / https://{host}{uri}
{% elif slave_type == 'redirect' -%}
RewriteRule (.*) {{slave_parameter.get('url', '')}}$1 [R,L]
# TODO-Caddy RewriteRule (.*) {{slave_parameter.get('url', '')}}$1 [R,L]
{% elif slave_type == 'zope' -%}
{% if 'default-path' in slave_parameter %}
RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
# TODO-Caddy RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
{% endif -%}
# First, we check if we have a zope backend server
# If so, let's use Virtual Host Daemon rewrite
# We suppose that Apache listens to 80 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http/%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
# TODO-Caddy RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http/%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% else -%}
{% if 'default-path' in slave_parameter %}
RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
redir 301 {
if {path} is /
/ {scheme}://{host}/{{ slave_parameter.get('default-path') }}
}
{% endif -%}
RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
{%- if slave_parameter.get('url', '') %}
proxy / {{ slave_parameter.get('url', '') }} {
transparent
{%- if not ssl_proxy_verify %}
insecure_skip_verify
{%- endif %}
}
{% endif -%}
{% endif -%}
# If nothing exist : put a nice error
# ErrorDocument 404 /notfound.html
# Dadiboom
</VirtualHost>
}
......@@ -11,105 +11,105 @@
('ssl_certificate_key', 'path_to_ssl_key')] -%}
upstream {{ slave_parameter.get('slave_reference') }} {
server {{ upstream }};
}
upstream https_{{ slave_parameter.get('slave_reference') }} {
server {{ https_upstream }};
}
server {
listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
listen {{ local_ipv4 }}:{{ nginx_http_port }};
server_name {{ slave_parameter.get('custom_domain') }};
error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom;
location /pub {
push_stream_publisher;
push_stream_channels_path $arg_id;
# store messages in memory
push_stream_store_messages off;
# Message size limit
# client_max_body_size MUST be equal to client_body_buffer_size or
# you will be sorry.
client_max_body_size 16k;
client_body_buffer_size 16k;
}
location ~ /sub/(.*) {
# activate subscriber mode for this location
add_header "Access-Control-Allow-Origin" "*";
add_header 'Access-Control-Allow-Credentials' 'false';
add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
push_stream_subscriber eventsource;
# positional channel path
push_stream_channels_path $1;
# content-type
default_type "text/event-stream; charset=utf-8";
}
}
server {
listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
server_name {{ slave_parameter.get('custom_domain') }};
error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom;
ssl on;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# TODO-Caddy upstream {{ slave_parameter.get('slave_reference') }} {
# TODO-Caddy server {{ upstream }};
# TODO-Caddy
# TODO-Caddy pstream https_{{ slave_parameter.get('slave_reference') }} {
# TODO-Caddy server {{ https_upstream }};
# TODO-Caddy
# TODO-Caddy server {
# TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
# TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_http_port }};
# TODO-Caddy
# TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
# TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
# TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
# TODO-Caddy location /pub {
# TODO-Caddy push_stream_publisher;
# TODO-Caddy push_stream_channels_path $arg_id;
# TODO-Caddy # store messages in memory
# TODO-Caddy push_stream_store_messages off;
# TODO-Caddy
# TODO-Caddy # Message size limit
# TODO-Caddy # client_max_body_size MUST be equal to client_body_buffer_size or
# TODO-Caddy # you will be sorry.
# TODO-Caddy client_max_body_size 16k;
# TODO-Caddy client_body_buffer_size 16k;
# TODO-Caddy
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy location ~ /sub/(.*) {
# TODO-Caddy # activate subscriber mode for this location
# TODO-Caddy add_header "Access-Control-Allow-Origin" "*";
# TODO-Caddy add_header 'Access-Control-Allow-Credentials' 'false';
# TODO-Caddy add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
# TODO-Caddy add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
# TODO-Caddy
# TODO-Caddy push_stream_subscriber eventsource;
# TODO-Caddy # positional channel path
# TODO-Caddy push_stream_channels_path $1;
# TODO-Caddy
# TODO-Caddy # content-type
# TODO-Caddy default_type "text/event-stream; charset=utf-8";
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy
# TODO-Caddy server {
# TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
# TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
# TODO-Caddy
# TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
# TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
# TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
# TODO-Caddy ssl on;
# TODO-Caddy
# TODO-Caddy ssl_session_timeout 5m;
# TODO-Caddy ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# TODO-Caddy ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
# TODO-Caddy ssl_prefer_server_ciphers on;
# TODO-Caddy ssl_session_cache shared:SSL:10m;
{% for key, value in ssl_configuration_list -%}
{% if value in slave_parameter -%}
{{ ' %s' % key }} {{ slave_parameter.get(value) }};
# TODO-Caddy {{ ' %s' % key }} {{ slave_parameter.get(value) }};
{% endif -%}
{% endfor %}
location /pub {
push_stream_publisher;
push_stream_channels_path $arg_id;
# store messages in memory
push_stream_store_messages off;
# Message size limit
# client_max_body_size MUST be equal to client_body_buffer_size or
# you will be sorry.
client_max_body_size 16k;
client_body_buffer_size 16k;
}
location ~ /sub/(.*) {
# activate subscriber mode for this location
add_header "Access-Control-Allow-Origin" "*";
add_header 'Access-Control-Allow-Credentials' 'false';
add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
push_stream_subscriber eventsource;
# positional channel path
push_stream_channels_path $1;
# content-type
default_type "text/event-stream; charset=utf-8";
}
}
# TODO-Caddy location /pub {
# TODO-Caddy push_stream_publisher;
# TODO-Caddy push_stream_channels_path $arg_id;
# TODO-Caddy # store messages in memory
# TODO-Caddy push_stream_store_messages off;
# TODO-Caddy
# TODO-Caddy # Message size limit
# TODO-Caddy # client_max_body_size MUST be equal to client_body_buffer_size or
# TODO-Caddy # you will be sorry.
# TODO-Caddy client_max_body_size 16k;
# TODO-Caddy client_body_buffer_size 16k;
# TODO-Caddy
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy location ~ /sub/(.*) {
# TODO-Caddy # activate subscriber mode for this location
# TODO-Caddy add_header "Access-Control-Allow-Origin" "*";
# TODO-Caddy add_header 'Access-Control-Allow-Credentials' 'false';
# TODO-Caddy add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
# TODO-Caddy add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
# TODO-Caddy
# TODO-Caddy push_stream_subscriber eventsource;
# TODO-Caddy # positional channel path
# TODO-Caddy push_stream_channels_path $1;
# TODO-Caddy
# TODO-Caddy # content-type
# TODO-Caddy default_type "text/event-stream; charset=utf-8";
# TODO-Caddy }
# TODO-Caddy}
{% endif -%}
......@@ -11,96 +11,96 @@
('ssl_certificate_key', 'path_to_ssl_key')] -%}
upstream {{ slave_parameter.get('slave_reference') }} {
server {{ upstream }};
}
upstream https_{{ slave_parameter.get('slave_reference') }} {
server {{ https_upstream }};
}
server {
listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
listen {{ local_ipv4 }}:{{ nginx_http_port }};
server_name {{ slave_parameter.get('custom_domain') }};
error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom;
location / {
proxy_pass {{ proxy_pass }};
proxy_set_header Host $host;
}
location ~ /api/kernels/ {
proxy_pass {{ proxy_pass }};
proxy_set_header Host $host;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location ~ /terminals/ {
proxy_pass {{ proxy_pass }};
proxy_set_header Host $host;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
}
server {
listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
server_name {{ slave_parameter.get('custom_domain') }};
error_log {{ slave_parameter.get('error_log') }} error;
access_log {{ slave_parameter.get('access_log') }} custom;
ssl on;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# TODO-Caddy upstream {{ slave_parameter.get('slave_reference') }} {
# TODO-Caddy server {{ upstream }};
# TODO-Caddy }
# TODO-Caddy upstream https_{{ slave_parameter.get('slave_reference') }} {
# TODO-Caddy server {{ https_upstream }};
# TODO-Caddy }
# TODO-Caddy server {
# TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
# TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_http_port }};
# TODO-Caddy
# TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
# TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
# TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
# TODO-Caddy location / {
# TODO-Caddy proxy_pass {{ proxy_pass }};
# TODO-Caddy proxy_set_header Host $host;
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy location ~ /api/kernels/ {
# TODO-Caddy proxy_pass {{ proxy_pass }};
# TODO-Caddy proxy_set_header Host $host;
# TODO-Caddy # websocket support
# TODO-Caddy proxy_http_version 1.1;
# TODO-Caddy proxy_set_header Upgrade "websocket";
# TODO-Caddy proxy_set_header Connection "Upgrade";
# TODO-Caddy proxy_read_timeout 86400;
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy location ~ /terminals/ {
# TODO-Caddy proxy_pass {{ proxy_pass }};
# TODO-Caddy proxy_set_header Host $host;
# TODO-Caddy # websocket support
# TODO-Caddy proxy_http_version 1.1;
# TODO-Caddy proxy_set_header Upgrade "websocket";
# TODO-Caddy proxy_set_header Connection "Upgrade";
# TODO-Caddy proxy_read_timeout 86400;
# TODO-Caddy }
# TODO-Caddy }
# TODO-Caddy server {
# TODO-Caddy listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
# TODO-Caddy listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
# TODO-Caddy
# TODO-Caddy server_name {{ slave_parameter.get('custom_domain') }};
# TODO-Caddy
# TODO-Caddy error_log {{ slave_parameter.get('error_log') }} error;
# TODO-Caddy access_log {{ slave_parameter.get('access_log') }} custom;
# TODO-Caddy
# TODO-Caddy ssl on;
# TODO-Caddy
# TODO-Caddy ssl_session_timeout 5m;
# TODO-Caddy ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# TODO-Caddy ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
# TODO-Caddy ssl_prefer_server_ciphers on;
# TODO-Caddy ssl_session_cache shared:SSL:10m;
{% for key, value in ssl_configuration_list -%}
{% if value in slave_parameter -%}
{{ ' %s' % key }} {{ slave_parameter.get(value) }};
# TODO-Caddy {{ ' %s' % key }} {{ slave_parameter.get(value) }};
{% endif -%}
{% endfor %}
location / {
proxy_pass {{ https_proxy_pass }};
proxy_set_header Host $host;
}
location ~ /api/kernels/ {
proxy_pass {{ https_proxy_pass }};
proxy_set_header Host $host;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location ~ /terminals/ {
proxy_pass {{ https_proxy_pass }};
proxy_set_header Host $host;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
}
# TODO-Caddy location / {
# TODO-Caddy proxy_pass {{ https_proxy_pass }};
# TODO-Caddy proxy_set_header Host $host;
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy location ~ /api/kernels/ {
# TODO-Caddy proxy_pass {{ https_proxy_pass }};
# TODO-Caddy proxy_set_header Host $host;
# TODO-Caddy # websocket support
# TODO-Caddy proxy_http_version 1.1;
# TODO-Caddy proxy_set_header Upgrade "websocket";
# TODO-Caddy proxy_set_header Connection "Upgrade";
# TODO-Caddy proxy_read_timeout 86400;
# TODO-Caddy }
# TODO-Caddy
# TODO-Caddy location ~ /terminals/ {
# TODO-Caddy proxy_pass {{ https_proxy_pass }};
# TODO-Caddy proxy_set_header Host $host;
# TODO-Caddy # websocket support
# TODO-Caddy proxy_http_version 1.1;
# TODO-Caddy proxy_set_header Upgrade "websocket";
# TODO-Caddy proxy_set_header Connection "Upgrade";
# TODO-Caddy proxy_read_timeout 86400;
# TODO-Caddy }
# TODO-Caddy }
{% endif -%}
daemon off; # run in the foreground so supervisord can look after it
worker_processes $${nginx-configuration:worker_processes};
pid $${nginx-configuration:pid-file};
# Dummy site for starting Caddy correctly
https://www.example.org:$${nginx-configuration:port} {
tls $${nginx-configuration:ssl_certificate} $${nginx-configuration:ssl_key}
bind $${nginx-configuration:local_ip}
# TODO-Caddy bind {{ ipv6_addr }}
# Serve an error 204 (No Content) for favicon.ico
status 204 /favicon.ico
status 404 /
}
events {
worker_connections $${nginx-configuration:worker_connections};
# multi_accept on;
http://www.example.org:$${nginx-configuration:plain_port} {
bind $${nginx-configuration:local_ip}
# TODO-Caddy bind {{ ipv6_addr }}
# Serve an error 204 (No Content) for favicon.ico
status 204 /favicon.ico
status 404 /
}
# TODO-Caddy worker_processes $${nginx-configuration:worker_processes};
error_log $${nginx-configuration:error_log};
# TODO-Caddy events {
# TODO-Caddy worker_connections $${nginx-configuration:worker_connections};
# TODO-Caddy # multi_accept on;
# TODO-Caddy }
http {
# TODO-Caddy http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# TODO-Caddy sendfile on;
# TODO-Caddy tcp_nopush on;
# TODO-Caddy tcp_nodelay on;
# TODO-Caddy keepalive_timeout 65;
# TODO-Caddy types_hash_max_size 2048;
# TODO-Caddy server_tokens off;
error_log $${nginx-configuration:error_log};
log_format custom '$remote_addr - $remote_user $time_local $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
access_log $${nginx-configuration:access_log} custom;
# TODO-Caddy log_format custom '$remote_addr - $remote_user $time_local $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
# TODO-Caddy access_log $${nginx-configuration:access_log} custom;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
default_type application/octet-stream;
# TODO-Caddy default_type application/octet-stream;
ssl_certificate $${ca-frontend:cert-file};
ssl_certificate_key $${ca-frontend:key-file};
# TODO-Caddy ssl_certificate $${ca-frontend:cert-file};
# TODO-Caddy ssl_certificate_key $${ca-frontend:key-file};
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# TODO-Caddy gzip on;
# TODO-Caddy gzip_disable "msie6";
# TODO-Caddy gzip_vary on;
# TODO-Caddy gzip_proxied any;
# TODO-Caddy gzip_comp_level 6;
# TODO-Caddy gzip_buffers 16 8k;
# TODO-Caddy gzip_http_version 1.1;
# TODO-Caddy gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Push stream Settings
##
push_stream_shared_memory_size 32m;
fastcgi_temp_path $${directory:varnginx} 1 2;
uwsgi_temp_path $${directory:varnginx} 1 2;
scgi_temp_path $${directory:varnginx} 1 2;
client_body_temp_path $${directory:varnginx} 1 2;
proxy_temp_path $${directory:varnginx} 1 2;
include $${nginx-configuration:slave-configuration-directory}/*.conf;
server {
listen [$${nginx-configuration:ip}]:$${nginx-configuration:plain_port};
listen $${nginx-configuration:local_ip}:$${nginx-configuration:plain_port};
# TODO-Caddy push_stream_shared_memory_size 32m;
# TODO-Caddy fastcgi_temp_path $${directory:varnginx} 1 2;
# TODO-Caddy uwsgi_temp_path $${directory:varnginx} 1 2;
# TODO-Caddy scgi_temp_path $${directory:varnginx} 1 2;
## Serve an error 204 (No Content) for favicon.ico
location = /favicon.ico {
return 204;
}
# TODO-Caddy client_body_temp_path $${directory:varnginx} 1 2;
# TODO-Caddy proxy_temp_path $${directory:varnginx} 1 2;
# TODO-Caddy }
location / {
root $${apache-directory:document-root};
index notfound.html;
}
}
server {
listen [$${nginx-configuration:ip}]:$${nginx-configuration:port} ssl;
listen $${nginx-configuration:local_ip}:$${nginx-configuration:port} ssl;
ssl on;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
## Serve an error 204 (No Content) for favicon.ico
location = /favicon.ico {
return 204;
}
location / {
root $${apache-directory:document-root};
index notfound.html;
}
}
}
import $${nginx-configuration:slave-configuration-directory}/*.conf
{% for slave, directory in slave_log_directory.iteritems() %}
Alias /{{slave}}/ {{directory}}/
<Directory {{directory}}>
Order Deny,Allow
Deny from env=AUTHREQUIRED
<Files ".??*">
Order Allow,Deny
Deny from all
</Files>
AuthType Basic
AuthName "Log Access {{slave}}"
AuthUserFile "{{ apache_configuration_directory + '/.' + slave.upper() + '.htaccess'}}"
Require user {{slave.upper()}}
Options Indexes FollowSymLinks
Satisfy all
</Directory>
https://[{{ global_ipv6 }}]:{{ https_port }}/{{ slave }}, https://{{ local_ipv4 }}:{{ https_port }}/{{ slave }} {
bind {{ local_ipv4 }}
#bind {{ global_ipv6 }}
root {{directory}}/
browse
tls {{ login_certificate }} {{ login_key }}
basicauth "{{ slave }}" {{ slave_password[slave] }} {
"Log Access {{ slave }}"
/
}
# TODO-Caddy LogLevel notice
# TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
log / {{ access_log }} {combined}
errors {{ error_log }}
}
{% endfor %}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment