Commit 0b606475 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Stabilise cached access

Reading templates/cached-virtualhost.conf.in gives the impression that an
SSL-enabled host is exposed, but this is not true -- it connects to the
SSL backend while listening on non-SSL.

In order to stabilise this, add assertions to test_enable_cache
which access the cached ports directly and show their functionality, thus
resolving the added TODO.
parent a097f33f
Generally things to be done with ``caddy-frontend``:
* **CRITICAL** fix templates/cached-virtualhost.conf.in SSL-enabled hosts with proper test
* ``apache-ca-certificate`` shall be merged with ``apache-certificate``
* (new) ``type:websocket`` slave
* ``type:eventsource`` https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_58483
......
......@@ -54,7 +54,7 @@ md5sum = 9568465d1c1423343f7b043c8345f917
[template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in
md5sum = eafc7e73d7fe47ba9930343bcb876d63
md5sum = 811b4fca0668b84655372687f234ee81
[template-log-access]
filename = templates/template-log-access.conf.in
......
......@@ -2,15 +2,15 @@
{% set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list -%}
{%- set http_host_list = [] %}
{%- set https_host_list = [] %}
{%- set http_backend_host_list = [] %}
{%- set https_backend_host_list = [] %}
{%- for host in host_list %}
{%- do http_host_list.append('http://%s:%s' % (host, cached_port)) %}
{%- do https_host_list.append('http://%s:%s' % (host, ssl_cached_port)) %}
{%- do http_backend_host_list.append('http://%s:%s' % (host, cached_port)) %}
{%- do https_backend_host_list.append('http://%s:%s' % (host, ssl_cached_port)) %}
{%- endfor %}
# Only accept generic (i.e not Zope) backends on http
{{ http_host_list|join(', ') }} {
{{ http_backend_host_list|join(', ') }} {
bind {{ local_ipv4 }}
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
......@@ -33,12 +33,11 @@
}
}
{{ https_host_list|join(', ') }} {
{{ https_backend_host_list|join(', ') }} {
bind {{ local_ipv4 }}
{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 /
{%- endif %}
## tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }}
proxy / {{ slave_parameter.get('https_backend_url', '') }} {
# As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER
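Review bot: Both site blocks still listen on plain `http://` (`'http://%s:%s'` with `cached_port` and `ssl_cached_port`), and with the commented-out `## tls` line apparently dropped in the second hunk, nothing in the template says this is intentional. The rename to `*_backend_host_list` helps, but I would add a comment above each block, e.g. `# Plain-HTTP listener bound to local_ipv4; only the upstream (https_backend_url) uses TLS`, and reword `# Only accept generic (i.e not Zope) backends on http` in the first hunk to match. Because these listeners are unencrypted and the backend trusts `REMOTE_USER`, the comment should also state that the ports are meant to be reachable only from the frontend; whether that holds depends on what `local_ipv4` resolves to, which is not visible here. Both site blocks continue outside the hunks.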
......
......@@ -1727,6 +1727,42 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
'Set-Cookie': 'secured=value;secure, nonsecured=value'}
)
result_direct = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
port=26011)
self.assertEqualResultJson(result_direct, 'Path', '/test-path')
try:
j = result_direct.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result_direct.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual(
result_direct.headers['Set-Cookie'],
'secured=value;secure, nonsecured=value'
)
result_direct_https_backend = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
port=26012)
self.assertEqualResultJson(
result_direct_https_backend, 'Path', '/test-path')
try:
j = result_direct_https_backend.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (
result_direct_https_backend.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual(
result_direct_https_backend.headers['Set-Cookie'],
'secured=value;secure, nonsecured=value'
)
def test_enable_cache_disable_no_cache_request(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'enable_cache-disable-no-cache-request']
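Review bot: The two new `assertFalse('remote_user' in j['Incoming Headers'].keys())` checks can pass vacuously: nothing in the hunk shows that the request carries a `REMOTE_USER` header, and the lookup is for the exact lower-case key, so a backend echoing `Remote_user` or `REMOTE_USER` would also satisfy it. If `fakeHTTPResult` does not already send that header (its body is outside this hunk), the test should send one and compare case-insensitively, e.g. `self.assertNotIn('remote_user', [k.lower() for k in j['Incoming Headers']])`. The `try`/`except Exception` wrapper that re-raises `ValueError` is duplicated for both ports and hides the original decode error; a small helper taking the port would remove the repetition. The literals `26011` and `26012` must stay in sync with `cached_port` and `ssl_cached_port`, so a named constant or a short comment tying them together would help. `test_enable_cache` starts above the hunk.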
......