An error occurred fetching the project authors.
- 08 May, 2019 1 commit
-
-
Łukasz Nowak authored
Each time new slave appears the kedifa-updater has to be run immediately, in order for certificates to be properly setup. Otherwise caddy can be left in non-runnable state until next kedifa-updater would run again.
-
- 06 May, 2019 2 commits
-
-
Łukasz Nowak authored
caddy-frontend master partition does not implement any promise in etc/promise, all is migrated to etc/plugin
-
Łukasz Nowak authored
caddy-frontend-is-running-actual-software-release promise is not needed anymore, as hash-files are used.
-
- 23 Apr, 2019 3 commits
-
-
Łukasz Nowak authored
By default whole slave makes websocket connection to the backend. With websocket-path, only the path has websocket style connections, the rest is standard HTTP.
-
Łukasz Nowak authored
There is no need anymore to have two processes for normal and nginx slaves, as nginx ones are served by caddy anyway. Also inform the requester that type:eventsource is not implemented.
-
Łukasz Nowak authored
Differences between tls and non-tls are minimal, so simplify the generation as much as possible with simple tls switch. It seems more readable than creating Jinja2 macros, which would be used only twice.
-
- 18 Apr, 2019 2 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Since Caddy v0.11.4 it is possible to disable log rotation, thus disable it and rely purely on SlapOS defined log rotation. See https://github.com/mholt/caddy/releases/tag/v0.11.4
-
- 17 Apr, 2019 1 commit
-
-
Jérome Perrin authored
When there are no shared instances, the file was empty, but caddy refuses to start when using an import statement on an empty file, with this error: ``` Error during parsing: Could not read tokens while importing .../etc/log-access.conf: EOF ``` /reviewed-on !545
-
- 16 Apr, 2019 1 commit
-
-
Łukasz Nowak authored
This also means that caddy source is fetched directly from upstream, as all required fixes has been incorporated into the upstream. Since https://github.com/mholt/caddy/releases/tag/v0.11.4 TLS-SNI challenge is replaced by ACME TLS-ALPN challenge, so switch has changed. Drop direct usage of gowork for now, in order to have caddy built using go module, support for gowork with go modules might come later. /reviewed-on !544
-
- 15 Apr, 2019 1 commit
-
-
Łukasz Nowak authored
This reverts commit 7993ff81. Custom configuration checks are hard to be trusted, as they can impact too many aspects of running frontend. Frontend administrator knows the risks of custom configuration, and shall take proper care. /reviewed-on nexedi/slapos!543
-
- 12 Apr, 2019 6 commits
-
-
Łukasz Nowak authored
Instead of complex architecture in the profiles, reuse kedifa-updater capability to do backward compatibility certificate management thanks to its fall-back mechanism. kedifa-updater uses state file to know, if it ever succeed to download certificate from KeDiFa, and so it really makes it that pushing at least once certificate to KeDiFa, even if it is sometimes unresponsive, will switch to it. Fallback certificate is used, thus each slave listens immediately on HTTP and HTTPS. Thanks to this, asynchronous updates do not need to communicate with slapos node instance, and slapos node instance does not care about the certificates anymore.
-
Łukasz Nowak authored
Instead of fetching certificates on each slapos node instance use new kedifa-updater, which is a tool to asynchronously fetch certificates and has a hook to reload the server in case if new certificate is available. custom_ssl_directory is NOT BBB
-
Łukasz Nowak authored
This mostly useful during tests to have stable results, especially when some slaves are rejected. This change is expected to be no-op during normal run. Note: The slave rejection system does not guarantee any ordering, as the sort order can change, because of parameters can reorder slaves. Thus, even if slave A was requested before slave B, and they conflict each other, slave A can be rejected instead of "expected" slave B.
-
Łukasz Nowak authored
This is consistent across usage in caddy-frontend and allow better reusage.
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Section was not renamed in buildout.hash.cfg
-
- 26 Mar, 2019 1 commit
-
-
Thomas Gambier authored
-
- 22 Mar, 2019 1 commit
-
-
Jérome Perrin authored
in apache frontend, we have been using: ``` LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined ``` The %l is (from mod_log_config docs): Remote logname (from identd, if supplied). This will return a dash unless mod_ident is present and IdentityCheck is set On. In the case of apache frontend, it was always a - . This is missing in caddy frontend and our existing log processing tools (apachedex) cannot be used on frontend logs since we switched to Caddy. /reviewed-on !530
-
- 21 Mar, 2019 1 commit
-
-
Łukasz Nowak authored
Adapted configuration and instantiation to ATS 7. Deployment: * traffic_line has been replaced with traffic_ctl * access log, of squid style, is ascii instead of binary, to do so logging.config is generated * ip_allow.config is configured to allow access from any host * RFC 5861 (stale content on error or revalidate) is implemented with core instead with deprecated plugin * trafficserver-autoconf-port renamed to trafficserver-synthetic-port * proxy.config.system.mmap_max removed, as it is not used by the system anymore Tests: * As Via header is not returned to the client, it is dropped from the tests, instead its existence in the backend is checked. * Promise plugin trafficserver-cache-availability.py is re enabled, as it is expected to work immediately.
-
- 13 Mar, 2019 6 commits
-
-
Łukasz Nowak authored
It is better to have automation similar to previous implementation by default.
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered by option automatic-internal-kedifa-caucase-csr. It signs all CSR which match csr_id and certificate from the nodes which needs them.
-
Łukasz Nowak authored
csr_id is exposed over HTTPS with short living self signed certificate, which is transmitted via SlapOS Master. Thanks to this, it is possible to match csr_id with certificate of given partition and take decision if it shall be signed or not. This is "quite secure" apporach, a bit better than blidny trusting what CSR to sign in KeDiFa. The bootstrap information, which is short living (certificates are valid for 5 days), resides in SlapOS Master. The csr_id is not directly known to SlapOS Master, and shall be consumed as fast as possible by frontend cluster operator in order to sign CSR appearing in KeDiFa caucase. The known possible attack vector requires that attacker knows caucased HTTP listening port and can hijack HTTPS traffic to the csr_id-url to get the human approve his own csr_id. The second is hoped to be overcomed by publishing certificate of this endpoint via SlapOS Master. Unfortunately caucase-updater prefix is directly used to find real CSR, as the one generated is just a template for rerequest, thus csr_id would be different from really used by caucase-updater.
-
Łukasz Nowak authored
Use KeDiFa to store keys, and transmit the url to the requester for master and slave partitions. Download keys on the slave partitions level. Use caucase to fetch main caucase CA. kedifa-caucase-url is published in order to have access to it. Note: caucase is prepended with kedifa, as this is that one. Use kedifa-csr tool to generate CSR and use caucase-updater macro. Switch to KeDiFa with SSL Auth and updated goodies. KeDiFa endpoint URLs are randomised. Only one (first) user certificate is going to be automatically accepted. This one shall be operated by the cluster owner, the requester of frontend master partition. Then he will be able to sign certificates for other users and also for services - so each node in the cluster. Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line is used for one command generation of extensions in the certificate. Note: We could upgrade to openssl 1.1.1 in order to have it really simplified (see https://security.stackexchange.com/a/183973 ) Improve CSR readability by creating cluster-identification, which is master partition title, and use it as Organization of the CSR. Reserve slots for data exchange in KeDiFa.
-
- 08 Mar, 2019 1 commit
-
-
Łukasz Nowak authored
Unfortunately slave_title was put by mistake, it supposed to be slave_reference.
-
- 07 Mar, 2019 3 commits
-
-
Łukasz Nowak authored
Use safe JSON serialisation/deserialisation, as otherwise unusual slave_references can lead to issues and also character case is not kept. Also care about case of log access user, which was undetected since slave_reference in tests were always lowercase.
-
Łukasz Nowak authored
This reverts commit 1f91f19d. Unfortunately due to way how profiles are mangled by jinja2, in some cases the strings are becoming lowercased, so it just does not work. It was not caught by tests, as no test has uppercase slave.
-
Łukasz Nowak authored
slave_title is dangerous, as it can contain any characters; it supposed to be slave_reference.
-
- 01 Mar, 2019 1 commit
-
-
Łukasz Nowak authored
As some of the nodes can lag behind, the system can be in state, that those nodes will send inactive (also destroyed) slave publish information. Before publishing it to master, check if each of slaves is really present on master. Tasks: - [x] prove it really works on simulated environment - [x] check impact on massive simulated environment - [x] cover with a test (optionally) - [ ] check test results with this change /reviewed-on !519
-
- 28 Feb, 2019 1 commit
-
-
Alain Takoudjou authored
-
- 10 Feb, 2019 2 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
- 08 Feb, 2019 1 commit
-
-
Łukasz Nowak authored
try_duration and try_interval are Caddy proxy's switches which allow to deal with non working backend (https://caddyserver.com/docs/proxy) The non working backend is the one, to which connection is lost or was not possible to make, without sending any data. The default try_duration=5s and try_interval=250ms are chosen, so that in normal network conditions (with all possible problems in the network, like lost packets) the browser will have to wait up to 5 seconds to be informed that backend is inaccessible or for the request to start being processed, but only a bit more than 250ms if Caddy would have to reestablish connection to faulty backend. In order to check it out it is advisable to setup a system, with real backend, like apache one, and configure iptables to randomly reject packets to it: iptables -A INPUT -m statistic --mode random -p tcp --dport <backend_port> \ --probability 0.05 -j REJECT --reject-with tcp-reset Using ab or any other tool will results with lot of 502 EOF in the Caddy error log and also reported by ab. With this configuration there are no more errors visible to the client, which come from the problems on the network between Caddy and the backend.
-
- 17 Jan, 2019 1 commit
-
-
Łukasz Nowak authored
One of solutions for random 502 errors from caddy is to fully disable HTTP2 protocol ( https://github.com/mholt/caddy/issues/1080 ) We run Caddy with HTTP2 enabled by default, as we can enable/disable it per each slave, but in some environments it might be just better to fully avoid HTTP2 codepaths in Caddy. /reviewed-on nexedi/slapos!495
-
- 16 Jan, 2019 1 commit
-
-
Łukasz Nowak authored
Because of misleading tests (Accept-Encoding with gzip was always set by requests, fixed in "caddy-frontend/test: Workaround requests issue with Accept-Encoding") the original commit "Fix/caddy frontend prefer gzip type zope" did not really fixed the issue for type:zope backend.
-
- 10 Jan, 2019 1 commit
-
-
Thomas Gambier authored
-
- 04 Jan, 2019 1 commit
-
-
Łukasz Nowak authored
/reviewed-on !489
-
- 02 Jan, 2019 1 commit
-
-
Łukasz Nowak authored
Just asserting Location header is not enough, as http status code value is important for the implementation, so assert for its value. Also fix https-only redirect status code value, which supposed to be FOUND, not default MOVED_PERMANENTLY. /reviewed-on nexedi/slapos!485
-