An error occurred fetching the project authors.
  1. 08 May, 2019 1 commit
  2. 06 May, 2019 2 commits
  3. 23 Apr, 2019 3 commits
  4. 18 Apr, 2019 2 commits
  5. 17 Apr, 2019 1 commit
  6. 16 Apr, 2019 1 commit
  7. 15 Apr, 2019 1 commit
  8. 12 Apr, 2019 6 commits
    • Łukasz Nowak's avatar
      caddy-frontend: Re-do zero-SSL BBB · 1d271f4d
      Łukasz Nowak authored
      Instead of complex architecture in the profiles, reuse kedifa-updater
      capability to do backward compatibility certificate management thanks to its
      fall-back mechanism.
      
      kedifa-updater uses state file to know, if it ever succeed to download
      certificate from KeDiFa, and so it really makes it that pushing at least once
      certificate to KeDiFa, even if it is sometimes unresponsive, will switch to
      it.
      
      Fallback certificate is used, thus each slave listens immediately on HTTP and
      HTTPS. Thanks to this, asynchronous updates do not need to communicate with
      slapos node instance, and slapos node instance does not care about the
      certificates anymore.
      1d271f4d
    • Łukasz Nowak's avatar
      caddy-frontend: Pick up kedifa with async updater · 25902c06
      Łukasz Nowak authored
      Instead of fetching certificates on each slapos node instance use new
      kedifa-updater, which is a tool to asynchronously fetch certificates and
      has a hook to reload the server in case if new certificate is available.
      
      custom_ssl_directory is NOT BBB
      25902c06
    • Łukasz Nowak's avatar
      caddy-frontend: Sort slave list during processing · eb33377c
      Łukasz Nowak authored
      This mostly useful during tests to have stable results, especially when
      some slaves are rejected.
      
      This change is expected to be no-op during normal run.
      
      Note: The slave rejection system does not guarantee any ordering, as the sort
            order can change, because of parameters can reorder slaves. Thus, even
            if slave A was requested before slave B, and they conflict each other,
            slave A can be rejected instead of "expected" slave B.
      eb33377c
    • Łukasz Nowak's avatar
      caddy-frontend: Keep certificate and key in one file · 6f3eafe0
      Łukasz Nowak authored
      This is consistent across usage in caddy-frontend and allow better reusage.
      6f3eafe0
    • Łukasz Nowak's avatar
      341df23f
    • Łukasz Nowak's avatar
      fix "caddy-frontend: Drop not needed apache references" · f27a120e
      Łukasz Nowak authored
      Section was not renamed in buildout.hash.cfg
      f27a120e
  9. 26 Mar, 2019 1 commit
  10. 22 Mar, 2019 1 commit
    • Jérome Perrin's avatar
      caddy: use same log format as apache · 5c23e132
      Jérome Perrin authored
      in apache frontend, we have been using:
      
      ```
      LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
      ```
      
      The %l is (from mod_log_config docs): Remote logname (from identd, if
      supplied). This will return a dash unless mod_ident is present and
      IdentityCheck is set On.
      
      In the case of apache frontend, it was always a - . This is missing in
      caddy frontend and our existing log processing tools (apachedex) cannot
      be used on frontend logs since we switched to Caddy.
      
      /reviewed-on !530
      5c23e132
  11. 21 Mar, 2019 1 commit
    • Łukasz Nowak's avatar
      caddy-frontend: Adapt to ATS 7 · 7017a46e
      Łukasz Nowak authored
      Adapted configuration and instantiation to ATS 7.
      
      Deployment:
       * traffic_line has been replaced with traffic_ctl
       * access log, of squid style, is ascii instead of binary, to do so
         logging.config is generated
       * ip_allow.config is configured to allow access from any host
       * RFC 5861 (stale content on error or revalidate) is implemented with core
         instead with deprecated plugin
       * trafficserver-autoconf-port renamed to trafficserver-synthetic-port
       * proxy.config.system.mmap_max removed, as it is not used by the system anymore
      
      Tests:
       * As Via header is not returned to the client, it is dropped from the
         tests, instead its existence in the backend is checked.
       * Promise plugin trafficserver-cache-availability.py is re enabled, as
         it is expected to work immediately.
      7017a46e
  12. 13 Mar, 2019 6 commits
    • Łukasz Nowak's avatar
      caddy-frontend: Switch AIKC to default true · a198be7f
      Łukasz Nowak authored
      It is better to have automation similar to previous implementation by
      default.
      a198be7f
    • Łukasz Nowak's avatar
    • Łukasz Nowak's avatar
    • Łukasz Nowak's avatar
      caddy-frontend: Implement AIKC · 28a1283d
      Łukasz Nowak authored
      AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered
      by option automatic-internal-kedifa-caucase-csr.
      
      It signs all CSR which match csr_id and certificate from the nodes which needs them.
      28a1283d
    • Łukasz Nowak's avatar
      caddy-frontend: Expose csr_id over HTTPS · 7c5c99b1
      Łukasz Nowak authored
      csr_id is exposed over HTTPS with short living self signed certificate,
      which is transmitted via SlapOS Master. Thanks to this, it is possible to
      match csr_id with certificate of given partition and take decision if it shall
      be signed or not.
      
      This is "quite secure" apporach, a bit better than blidny trusting what CSR
      to sign in KeDiFa. The bootstrap information, which is short living
      (certificates are valid for 5 days), resides in SlapOS Master. The csr_id
      is not directly known to SlapOS Master, and shall be consumed as fast as
      possible by frontend cluster operator in order to sign CSR appearing in
      KeDiFa caucase. The known possible attack vector requires that attacker knows
      caucased HTTP listening port and can hijack HTTPS traffic to the csr_id-url
      to get the human approve his own csr_id. The second is hoped to be overcomed
      by publishing certificate of this endpoint via SlapOS Master.
      
      Unfortunately caucase-updater prefix is directly used to find real CSR, as the
      one generated is just a template for rerequest, thus csr_id would be different
      from really used by caucase-updater.
      7c5c99b1
    • Łukasz Nowak's avatar
      caddy-frontend: Implement KeDiFa SSL information · bc2b1742
      Łukasz Nowak authored
      Use KeDiFa to store keys, and transmit the url to the requester for master
      and slave partitions.
      
      Download keys on the slave partitions level.
      
      Use caucase to fetch main caucase CA.
      
      kedifa-caucase-url is published in order to have access to it.
      
      Note: caucase is prepended with kedifa, as this is that one.
      
      Use kedifa-csr tool to generate CSR and use caucase-updater macro.
      
      Switch to KeDiFa with SSL Auth and updated goodies.
      
      KeDiFa endpoint URLs are randomised.
      
      Only one (first) user certificate is going to be automatically accepted. This
      one shall be operated by the cluster owner, the requester of frontend master
      partition.
      
      Then he will be able to sign certificates for other users and also for
      services - so each node in the cluster.
      
      Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
      is used for one command generation of extensions in the certificate.
      Note: We could upgrade to openssl 1.1.1 in order to have it really
      simplified (see https://security.stackexchange.com/a/183973 )
      
      Improve CSR readability by creating cluster-identification, which is master
      partition title, and use it as Organization of the CSR.
      
      Reserve slots for data exchange in KeDiFa.
      bc2b1742
  13. 08 Mar, 2019 1 commit
  14. 07 Mar, 2019 3 commits
  15. 01 Mar, 2019 1 commit
    • Łukasz Nowak's avatar
      caddy-frontend: Publish only active slaves from main partition · 9714a74c
      Łukasz Nowak authored
      As some of the nodes can lag behind, the system can be in state, that those
      nodes will send inactive (also destroyed) slave publish information. Before
      publishing it to master, check if each of slaves is really present on master.
      
      Tasks:
      
       - [x] prove it really works on simulated environment
       - [x] check impact on massive simulated environment
       - [x] cover with a test (optionally)
       - [ ] check test results with this change
      
      /reviewed-on !519
      9714a74c
  16. 28 Feb, 2019 1 commit
  17. 10 Feb, 2019 2 commits
  18. 08 Feb, 2019 1 commit
    • Łukasz Nowak's avatar
      caddy-frontend: Fix random 502 EOFs by adding try_duration · 4f168972
      Łukasz Nowak authored
      try_duration and try_interval are Caddy proxy's switches which allow to deal
      with non working backend (https://caddyserver.com/docs/proxy)
      
      The non working backend is the one, to which connection is lost or was not
      possible to make, without sending any data.
      
      The default try_duration=5s and try_interval=250ms are chosen, so that in
      normal network conditions (with all possible problems in the network, like
      lost packets) the browser will have to wait up to 5 seconds to be informed
      that backend is inaccessible or for the request to start being processed,
      but only a bit more than 250ms if Caddy would have to reestablish connection
      to faulty backend.
      
      In order to check it out it is advisable to setup a system, with real backend,
      like apache one, and configure iptables to randomly reject packets to it:
      
        iptables -A INPUT -m statistic --mode random -p tcp --dport <backend_port> \
        --probability 0.05 -j REJECT --reject-with tcp-reset
      
      Using ab or any other tool will results with lot of 502 EOF in the Caddy error
      log and also reported by ab. With this configuration there are no more
      errors visible to the client, which come from the problems on the network
      between Caddy and the backend.
      4f168972
  19. 17 Jan, 2019 1 commit
  20. 16 Jan, 2019 1 commit
    • Łukasz Nowak's avatar
      caddy-frontend: Correctly fix prefer-gzip-encoding-to-backend · c1595bae
      Łukasz Nowak authored
      Because of misleading tests (Accept-Encoding with gzip was always set by
      requests, fixed in "caddy-frontend/test: Workaround requests issue with
      Accept-Encoding") the original commit "Fix/caddy frontend prefer gzip type
      zope" did not really fixed the issue for type:zope backend.
      c1595bae
  21. 10 Jan, 2019 1 commit
  22. 04 Jan, 2019 1 commit
  23. 02 Jan, 2019 1 commit