diff --git a/software/apache-frontend/common.cfg b/software/apache-frontend/common.cfg index 53b2972b6baa8a0a937cdde88fc1898afebd6638..57e9478956cf19d1aa9f604cc8c36cd48bc191d6 100644 --- a/software/apache-frontend/common.cfg +++ b/software/apache-frontend/common.cfg @@ -65,7 +65,7 @@ mode = 0644 [template-apache-frontend] recipe = slapos.recipe.template url = ${:_profile_base_location_}/instance-apache-frontend.cfg -md5sum = cd5a385c44d56b4d13392eba4e938969 +md5sum = f65456f704a32c43822b1efefc7ae4b7 output = ${buildout:directory}/template-apache-frontend.cfg mode = 0644 @@ -78,7 +78,7 @@ mode = 0644 [template-slave-list] recipe = slapos.recipe.build:download url = ${:_profile_base_location_}/templates/apache-custom-slave-list.cfg.in -md5sum = 1fe76dde85c488e94baf8510775ebcaf +md5sum = 588cbae0ac6fdb65ae97d1c90c8d53cf mode = 640 [template-slave-configuration] @@ -102,7 +102,7 @@ mode = 640 [template-apache-cached-configuration] recipe = slapos.recipe.build:download url = ${:_profile_base_location_}/templates/apache_cached.conf.in -md5sum = 116271eafe80309a99203fd8a11a4558 +md5sum = a1c744e48b465a63c2d6f0f384466013 mode = 640 [template-rewrite-cached] @@ -133,7 +133,13 @@ mode = 640 [template-default-slave-virtualhost] recipe = slapos.recipe.build:download url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in -md5sum = 5dbfd59f9316b8a629f9f098a1cc1c72 +md5sum = aed0077ee82aaa7fbd2b7e84ce5fbd69 +mode = 640 + +[template-cached-slave-virtualhost] +recipe = slapos.recipe.build:download +url = ${:_profile_base_location_}/templates/cached-virtualhost.conf.in +md5sum = b1fd5f2b94f026ccca5ff47167015f23 mode = 640 [template-log-access] diff --git a/software/apache-frontend/instance-apache-frontend.cfg b/software/apache-frontend/instance-apache-frontend.cfg index 5d4353e284f1aabff03d22726617f5b91ec0c991..bf8b4d29cbbbcc5a400fc8f75e4316ce42480e62 100644 --- a/software/apache-frontend/instance-apache-frontend.cfg 
+++ b/software/apache-frontend/instance-apache-frontend.cfg @@ -159,6 +159,8 @@ filename = custom-personal-instance-slave-list.cfg extensions = jinja2.ext.do extra-context = key apache_configuration_directory apache-directory:slave-configuration + key apache_cached_configuration_directory apache-directory:slave-with-cache-configuration + key cached_port apache-configuration:cache-through-port key http_port instance-parameter:configuration.plain_http_port key https_port instance-parameter:configuration.port key public_ipv4 instance-parameter:configuration.public-ipv4 @@ -172,7 +174,7 @@ extra-context = raw empty_template ${template-empty:target} raw template_custom_slave_configuration ${template-slave-configuration:target} raw template_default_slave_configuration ${template-default-slave-virtualhost:target} - raw template_rewrite_cached ${template-rewrite-cached:target} + raw template_cached_slave_configuration ${template-cached-slave-virtualhost:target} raw software_type single-custom-personal section logrotate_dict logrotate section frontend_configuration frontend-configuration @@ -297,6 +299,7 @@ extra-context = key access_log apache-configuration:cache-access-log key error_log apache-configuration:cache-error-log key pid_file apache-configuration:cache-pid-file + key slave_with_cache_configuration_directory apache-directory:slave-with-cache-configuration key apachecachedmap_path apache-configuration:cached-rewrite-file [apache-cached] @@ -317,6 +320,7 @@ link-binary = recipe = slapos.cookbook:mkdirectory document-root = $${directory:srv}/htdocs slave-configuration = $${directory:etc}/apache-slave-conf.d/ +slave-with-cache-configuration = $${directory:etc}/apache-slave-with-cache-conf.d/ cache = $${directory:var}/cache mod-ssl = $${:cache}/httpd_mod_ssl vh-ssl = $${:slave-configuration}/ssl 
diff --git a/software/apache-frontend/instance-slave-apache-input-schema.json b/software/apache-frontend/instance-slave-apache-input-schema.json index ba8ea04a8a78eaf0ef036e3f3d261a5ea0c98732..c4592575960ad6d28391ea6520e37d3240bb3a96 100644 --- a/software/apache-frontend/instance-slave-apache-input-schema.json +++ b/software/apache-frontend/instance-slave-apache-input-schema.json @@ -72,6 +72,21 @@ "enum": ["false", "true"] }, + "ssl-proxy-verify": { + "title": "Verify Backend Certificates", + "description": "If set to true, Backend Certificates are checked", + "type": "string", + "default": "false", + "enum": ["false", "true"] + }, + + "ssl_proxy_ca_crt": { + "title": "SSL Backend Authority's Certificate", + "description": "SSL Certificate Authority of the backen (to be used with ssl-proxy-verify)", + "type": "string", + "default": "" + }, + "enable_cache": { "title": "Enable Cache", "description": "If set to true, the cache is used", @@ -88,6 +103,14 @@ "enum": ["false", "true"] }, + "disable-via-header": { + "title": "Disable 'Via' headers from cache", + "description": "If set to true, via headers will be disabled", + "type": "string", + "default": "false", + "enum": ["false", "true"] + }, + "prefer-gzip-encoding-to-backend": { "title": "Prefer gzip Encoding for Backend", "description": "If set to true, if a request is made with accept encoding 'gzip', only that one will be transferred to the backend", diff --git a/software/apache-frontend/templates/apache-custom-slave-list.cfg.in b/software/apache-frontend/templates/apache-custom-slave-list.cfg.in index 2d953fc63ed273deab1a9b940ccf407158fcb10c..eff0df4425c5bd10677615787b339db015dfee54 100644 --- a/software/apache-frontend/templates/apache-custom-slave-list.cfg.in +++ b/software/apache-frontend/templates/apache-custom-slave-list.cfg.in 
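Review bot: The `ssl_proxy_ca_crt` description has a typo ("backen") and does not tell the operator that it is the only trust anchor the per-slave verify block installs, so with `ssl-proxy-verify` set to `true` and this parameter omitted the backend connection presumably fails verification unless the frontend's global proxy CA configuration already trusts it; reword it as `"description": "PEM certificate of the CA that signed the backend certificate; required when ssl-proxy-verify is true"`. The `ssl-proxy-verify` description should also state what the default buys, e.g. `"If set to true, the backend certificate is checked against ssl_proxy_ca_crt; the default false leaves the backend TLS connection unauthenticated"`, so leaving the option out is a conscious choice. The two new keys also mix naming styles (`ssl-proxy-verify` with hyphens, `ssl_proxy_ca_crt` with underscores); the underscore spelling is the one the template's certificate loop keys on, so at least reference it exactly in the verify description.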
@@ -12,7 +12,6 @@ {% endif -%} [jinja2-template-base] recipe = slapos.recipe.template:jinja2 -rendered = {{ apache_configuration_directory }}/${:filename} extra-context = context = key eggs_directory buildout:eggs-directory @@ -31,6 +30,7 @@ context = {% set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%} {% set slave_parameter_dict = generic_instance_parameter_dict.copy() -%} {% set slave_publish_dict = {} -%} +{% set slave_configuration_section_name = 'slave-instance-%s-configuration' % slave_reference %} {% do part_list.append(slave_section_title) -%} ############################ @@ -98,7 +98,7 @@ command = {{frontend_configuration.get('apache-directory')}}/bin/htpasswd -cb ${ #### Set Slave Certificates if needed # Set ssl certificates for each slave -{% for cert_name in ('ssl_key', 'ssl_crt', 'ssl_ca_crt', 'ssl_csr')-%} +{% for cert_name in ('ssl_key', 'ssl_crt', 'ssl_ca_crt', 'ssl_csr', 'ssl_proxy_ca_crt')-%} {% if cert_name in slave_instance -%} {% set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) -%} {% set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) -%} 
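Review bot: Dropping `rendered` from `[jinja2-template-base]` makes every part that extends it responsible for its own output path, and only the default slave virtualhost and the new cached virtualhost are visibly given one in this diff; the part that renders `template_custom_slave_configuration` is outside the hunk, so confirm it carries its own `rendered = …` line or buildout will fail for custom slaves. A comment on the base section would make the contract explicit: `# No 'rendered' here: each derived part sets its own output path (plain vs cached configuration directory)`. Adding `ssl_proxy_ca_crt` to the certificate loop means whatever key that loop stores the on-disk path under must match the `path_to_ssl_proxy_ca_crt` name the virtualhost templates read; the loop body continues outside the hunk, so that agreement cannot be checked here.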
@@ -136,20 +136,24 @@ extra-context = raw http_port {{ http_port }} {{ '\n' }} +# The slave use cache +{% if 'enable_cache' in slave_instance and 'url' in slave_instance and 'domain' in slave_instance -%} +{% do slave_instance.__setitem__('custom_domain', slapparameter_dict.get('domain')) -%} +{% do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%} +{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%} +{% endif -%} # Set apache configuration value for slave -[{{ ('slave-instance-%s-configuration' % slave_reference) }}] -{% set apache_custom_http = ((slave_instance.get('apache_custom_http', '')) % slave_parameter_dict) -%} -{% set apache_custom_https = ((slave_instance.get('apache_custom_https', '')) % slave_parameter_dict) -%} +[{{ slave_configuration_section_name }}] +{% set apache_custom_http = ((slave_instance.pop('apache_custom_http', '')) % slave_parameter_dict) -%} +{% set apache_custom_https = ((slave_instance.pop('apache_custom_https', '')) % slave_parameter_dict) -%} apache_custom_http = {{ dumps(apache_custom_http) }} apache_custom_https = {{ dumps(apache_custom_https) }} +{% for key, value in slave_instance.iteritems() -%} +{{ key }} = {{ dumps(value) }} +{% endfor %} {{ '\n' }} -# The slave use cache -{% if 'enable_cache' in slave_instance and 'url' in slave_instance and 'domain' in slave_instance -%} -{% do cached_server_dict.__setitem__(slave_instance.get('domain'), slave_instance.get('url')) -%} -{% endif -%} - # Publish information {% do slave_publish_dict.update(**{'slave-reference':slave_instance.get('slave_reference'), 'public-ipv4':public_ipv4, 'log-access': slave_log_access_url}) %} 
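Review bot: In the block that registers a custom-configuration slave for the cache, `custom_domain` is taken from `slapparameter_dict.get('domain')` — the frontend instance's own parameters — while the guard just above tests `'domain' in slave_instance`; every custom slave therefore gets the same `ServerName` in its cached virtualhost (the master's `domain`, or the literal `None`), and name-based dispatch on the cache port will send all of them to whichever backend file is included first. The line should read `{% do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) -%}`. Separately, this flow now writes every remaining slave parameter into the configuration section through `{{ key }} = {{ dumps(value) }}`; if the certificate loop above does not pop `ssl_key`, the private key ends up in the rendered buildout file, whose mode is not visible here — worth confirming it is not world-readable.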
@@ -163,15 +167,16 @@ apache_custom_https = {{ dumps(apache_custom_https) }} # The slave use cache # Next line is forbidden and people who copy it will be hanged short -{% set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_instance.get('type', '') != 'redirect') -%} +{% set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_instance.get('type', '') != 'redirect') -%} {% if enable_cache -%} -{% do cached_server_dict.__setitem__(slave_instance.get('custom_domain'), slave_instance.get('url')) -%} +{% do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%} {% do slave_instance.__setitem__('url', cache_access) -%} +{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%} {% endif -%} {% do part_list.append(slave_section_title) -%} -[{{ ('slave-instance-%s-configuration' % slave_reference) }}] +[{{ slave_configuration_section_name }}] {% for key, value in slave_instance.iteritems() -%} {{ key }} = {{ dumps(value) }} {% endfor %} @@ -181,10 +186,10 @@ apache_custom_https = {{ dumps(apache_custom_https) }} < = jinja2-template-base template = {{ template_default_slave_configuration }} filename = {{ '%s.conf' % slave_reference }} - +rendered = {{ apache_configuration_directory }}/${:filename} extensions = jinja2.ext.do extra-context = - section slave_parameter {{ 'slave-instance-%s-configuration' % slave_reference }} + section slave_parameter {{ slave_configuration_section_name }} raw https_port {{ https_port }} raw http_port {{ http_port }} {{ '\n' }} 
@@ -193,6 +198,25 @@ extra-context = {% endif -%} +############################ +### Prepare virtualhost for slaves using cache + +{% for slave_reference, slave_configuration_section_name in cached_server_dict.iteritems() %} +{% set cached_slave_configuration_section_title = '%s-cached-virtualhost' % slave_reference %} +{% do part_list.append(cached_slave_configuration_section_title) -%} +[{{ cached_slave_configuration_section_title }}] +< = jinja2-template-base +template = {{ template_cached_slave_configuration }} +filename = {{ '%s.conf' % slave_reference }} +rendered = {{ apache_cached_configuration_directory }}/${:filename} +extensions = jinja2.ext.do +extra-context = + section slave_parameter {{ slave_configuration_section_name }} + raw cached_port {{ cached_port }} +{{ '\n' }} +{% endfor %} + + ############################ #### Publish Slave Information @@ -239,18 +263,6 @@ slave-instance-information-list = {{ json_module.dumps(slave_instance_informatio {% endif -%} monitor_url = {{ monitor_url }} -{% do part_list.append('cached-rewrite-rules') -%} -[cached-rewrite-rules] -< = jinja2-template-base -template = {{ template_rewrite_cached }} -rendered = {{ rewrite_cached_configuration }} -extra-context = - import json_module json - key server_dict rewrite-rules:rules - -[rewrite-rules] -rules = {{ dumps(cached_server_dict) }} - [buildout] parts += {% for part in part_list -%} diff --git a/software/apache-frontend/templates/apache_cached.conf.in b/software/apache-frontend/templates/apache_cached.conf.in index 823af972532540852df2db143ef8d44ec9bb5487..ad04f2346c568cea42e981d64a7d829a489b4081 100644 --- a/software/apache-frontend/templates/apache_cached.conf.in +++ b/software/apache-frontend/templates/apache_cached.conf.in 
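Review bot: The `cached-rewrite-rules` part and its `rewrite-rules` section are deleted here, so the rewrite map file is no longer generated, yet the `apache-cached` context in instance-apache-frontend.cfg still passes `key apachecachedmap_path apache-configuration:cached-rewrite-file` and common.cfg still downloads `[template-rewrite-cached]`; both are dead now and should be removed in the same commit so nobody assumes the map still exists. In the new loop, `filename = {{ '%s.conf' % slave_reference }}` lands in `apache_cached_configuration_directory`, which apache_cached.conf.in pulls in with a `*.conf` include; since the order of that include also decides which vhost Apache treats as the default for unmatched Host values, a comment such as `# Included by apache_cached.conf.in in glob order; the first file becomes the default vhost on the cache port` would save the next reader a surprise.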
@@ -116,18 +116,10 @@ SSLHonorCipherOrder on SSLProxyCheckPeerCN off SSLProxyCheckPeerExpire off -# Only accept generic (i.e not Zope) backends on http -<VirtualHost *:{{ cached_port }}> - SSLProxyEngine on - # Rewrite part - ProxyPreserveHost On - ProxyTimeout 600 - RewriteEngine On - - RewriteMap apachemapcached txt:{{ apachecachedmap_path }} - RewriteCond ${apachemapcached:%{SERVER_NAME}} >"" - RewriteRule ^/(.*)$ ${apachemapcached:%{SERVER_NAME}}/$1 [L,P] - - # If nothing exist : put a nice error - ErrorDocument 404 /notfound.html -</VirtualHost> +NameVirtualHost *:{{ cached_port }} + +include {{ slave_with_cache_configuration_directory }}/*.conf + +ErrorDocument 404 /notfound.html +RewriteRule (.*) /notfound.html [R=404,L] + diff --git a/software/apache-frontend/templates/cached-virtualhost.conf.in b/software/apache-frontend/templates/cached-virtualhost.conf.in new file mode 100644 index 0000000000000000000000000000000000000000..e6fdb7e6f174feaf387a39d9ded1ae856f6610d1 --- /dev/null +++ b/software/apache-frontend/templates/cached-virtualhost.conf.in @@ -0,0 +1,23 @@ +{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} +# Only accept generic (i.e not Zope) backends on http +<VirtualHost *:{{ cached_port }}> + ServerName {{ slave_parameter.get('custom_domain') }} + SSLProxyEngine on + +{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} +{% if ssl_proxy_verify -%} +{% if 'ssl_proxy_ca_crt' in slave_parameter -%} + SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }} +{% endif %} + SSLProxyVerify require + #SSLProxyCheckPeerCN on + SSLProxyCheckPeerExpire on +{% endif %} + # Rewrite part + ProxyPreserveHost On + ProxyTimeout 600 + RewriteEngine On + + RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P] + +</VirtualHost> 
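Review bot: Replacing the single catch-all `<VirtualHost *:{{ cached_port }}>` with `NameVirtualHost` plus an `include` of per-slave files loses the unknown-Host fallback: with name-based vhosts Apache serves a request whose Host matches nothing from the first vhost loaded, so a request for an unregistered name on the cache port is now proxied to the first included slave's backend instead of getting the 404 that the old `RewriteCond ${apachemapcached:%{SERVER_NAME}} >""` guaranteed. The added `ErrorDocument`/`RewriteRule` at server scope do not close this — the rule sits outside every vhost and there is no `RewriteEngine On` at server scope, so it never runs. Declare an explicit default vhost ahead of the include so the glob order cannot pick a slave as the default.
```apache
NameVirtualHost *:{{ cached_port }}

# Default vhost: listed first so that unknown Host names get a 404 instead of the first slave's backend
<VirtualHost *:{{ cached_port }}>
  ServerName default.cache.invalid
  ErrorDocument 404 /notfound.html
  RewriteEngine On
  RewriteRule .* - [R=404,L]
</VirtualHost>

include {{ slave_with_cache_configuration_directory }}/*.conf
```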
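Review bot: The verify block in the new cached-virtualhost.conf.in enables `SSLProxyVerify require` but leaves `#SSLProxyCheckPeerCN on` commented out, and apache_cached.conf.in (the previous hunk) keeps `SSLProxyCheckPeerCN off` at global scope, so with `ssl-proxy-verify` on the frontend accepts any certificate chained to the supplied CA regardless of which host it was issued for — which is exactly the case a hostname check exists to close when the path to the backend is not trusted. Enable it inside the verify block, `SSLProxyCheckPeerCN on`, and add `SSLProxyCheckPeerName on` if the bundled httpd is 2.4.5 or newer, since CN matching alone ignores subjectAltName. Also `ServerName {{ slave_parameter.get('custom_domain') }}` renders the literal `None` when the key is missing, silently producing a vhost that matches no real name; give the lookup a default and skip the vhost (or fail the render) when it is empty.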
diff --git a/software/apache-frontend/templates/default-virtualhost.conf.in b/software/apache-frontend/templates/default-virtualhost.conf.in index 74a6dedbcb5aa8a3b4c00bcc81092b6dd56775b8..54dbe2d73610a440c14e24c9128d7d1a8c21318e 100644 --- a/software/apache-frontend/templates/default-virtualhost.conf.in +++ b/software/apache-frontend/templates/default-virtualhost.conf.in @@ -1,5 +1,6 @@ {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} {% set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%} +{% set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%} {%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%} <VirtualHost *:{{ https_port }}> @@ -15,6 +16,15 @@ SSLEngine on SSLProxyEngine on +{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} +{% if ssl_proxy_verify -%} +{% if 'ssl_proxy_ca_crt' in slave_parameter -%} + SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }} +{% endif %} + SSLProxyVerify require + #SSLProxyCheckPeerCN on + SSLProxyCheckPeerExpire on +{% endif %} SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on @@ -40,6 +50,9 @@ # Rewrite part ProxyPreserveHost On ProxyTimeout 600 +{% if disable_via_header %} + Header unset Via +{% endif -%} RewriteEngine On {% if disable_no_cache_header %} 
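Review bot: The guard in the new verify block tests `'ssl_proxy_ca_crt' in slave_parameter` but the directive reads `slave_parameter.get('path_to_ssl_proxy_ca_crt', '')`; if the certificate loop in apache-custom-slave-list.cfg.in stores the path under a different key (its body is outside this diff) the render produces `SSLProxyCACertificateFile ` with no argument, a configuration error that stops httpd for every slave on the frontend, not just the one that asked for verification. Test the key you actually read: `{% if slave_parameter.get('path_to_ssl_proxy_ca_crt') -%}`. When verification is requested and no CA path is available at all, `SSLProxyVerify require` is still emitted and the backend handshake presumably fails on every request; refusing that parameter combination at render time would be clearer than silently breaking the slave.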
@@ -88,9 +101,21 @@ {% endif %} SSLProxyEngine on +{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} +{% if ssl_proxy_verify -%} +{% if 'ssl_proxy_ca_crt' in slave_parameter -%} + SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }} +{% endif %} + SSLProxyVerify require + #SSLProxyCheckPeerCN on + SSLProxyCheckPeerExpire on +{% endif %} # Rewrite part ProxyPreserveHost On ProxyTimeout 600 +{% if disable_via_header %} + Header unset Via +{% endif -%} RewriteEngine On # One Slave two logs
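Review bot: This is the third verbatim copy of the nine-line `ssl_proxy_verify` block in this diff (https vhost, the http vhost here, and cached-virtualhost.conf.in), each re-evaluating `{% set ssl_proxy_verify = … %}` inside the vhost while the sibling flags (`disable_no_cache_header`, `disable_via_header`, `prefer_gzip`) are computed once at the top of the file. Compute the flag alongside them and move the directives into a macro so a future fix — enabling peer-name checking, for instance — lands in one place; the vhost this hunk edits opens before the hunk, so the macro definition belongs at the top of the file with the other `{% set %}` lines.
```jinja2
{% macro ssl_proxy_verify_block(slave_parameter, true_values) -%}
{% if ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in true_values -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
  SSLProxyVerify require
  #SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
{% endif -%}
{%- endmacro %}
{# … unchanged: vhost up to SSLProxyEngine … #}
  SSLProxyEngine on
{{ ssl_proxy_verify_block(slave_parameter, TRUE_VALUES) }}
```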