- 26 Mar, 2019 13 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Thomas Gambier authored
-
Guillaume Hervier authored
- Use `xz-utils` component for log file compression - Fix some stacks and software releases to use the logrotate stack instead of re-creating it: - `software/caddy-frontend` - `stack/resilient` /reviewed-on nexedi/slapos!508
-
Killian Lufau authored
-
Thomas Gambier authored
-
Guillaume Hervier authored
-
Guillaume Hervier authored
-
Guillaume Hervier authored
-
Guillaume Hervier authored
-
Thomas Gambier authored
Use xz instead of gzip. Also put the cron script in etc/service instead of etc/run (to have the "cron-on-watch" process)
-
Killian Lufau authored
Building Bison 3.3.2 now requires automake.
-
- 25 Mar, 2019 8 commits
-
-
Killian Lufau authored
-
Killian Lufau authored
OpenVPN fails to build on Debian testing because net-tools is no longer provided by default. /reviewed-on !534
-
Killian Lufau authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 22 Mar, 2019 1 commit
-
-
Jérome Perrin authored
in apache frontend, we have been using: ``` LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined ``` The %l is (from mod_log_config docs): Remote logname (from identd, if supplied). This will return a dash unless mod_ident is present and IdentityCheck is set On. In the case of apache frontend, it was always a - . This is missing in caddy frontend and our existing log processing tools (apachedex) cannot be used on frontend logs since we switched to Caddy. /reviewed-on !530
-
- 21 Mar, 2019 6 commits
-
-
Łukasz Nowak authored
dict in headers is smallcase, so it was never working in reality.
-
Łukasz Nowak authored
Added assertion which proves that the ATS is serving stale content in case if the backend does not work, according to RFC5861. It is beleived that stale-while-revalidate will work the same way, but it is much harder to test, thus it is not done directly.
-
Łukasz Nowak authored
Adapted configuration and instantiation to ATS 7. Deployment: * traffic_line has been replaced with traffic_ctl * access log, of squid style, is ascii instead of binary, to do so logging.config is generated * ip_allow.config is configured to allow access from any host * RFC 5861 (stale content on error or revalidate) is implemented with core instead with deprecated plugin * trafficserver-autoconf-port renamed to trafficserver-synthetic-port * proxy.config.system.mmap_max removed, as it is not used by the system anymore Tests: * As Via header is not returned to the client, it is dropped from the tests, instead its existence in the backend is checked. * Promise plugin trafficserver-cache-availability.py is re enabled, as it is expected to work immediately.
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
- 18 Mar, 2019 2 commits
-
-
Thomas Gambier authored
as suggested by Jerome on b26ae6b3
-
Łukasz Nowak authored
-
- 15 Mar, 2019 1 commit
-
-
Thomas Gambier authored
old URL doesn't exist anymore
-
- 14 Mar, 2019 3 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Do not change any defaults regarding 1.9, 1.10 and 1.11.
-
Łukasz Nowak authored
Usually the slapos.core on nodes is installed with slapos.libnetworkcache, so do the same for testing environment, so shacache can be used during installation.
-
- 13 Mar, 2019 6 commits
-
-
Łukasz Nowak authored
It is better to have automation similar to previous implementation by default.
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered by option automatic-internal-kedifa-caucase-csr. It signs all CSR which match csr_id and certificate from the nodes which needs them.
-
Łukasz Nowak authored
csr_id is exposed over HTTPS with short living self signed certificate, which is transmitted via SlapOS Master. Thanks to this, it is possible to match csr_id with certificate of given partition and take decision if it shall be signed or not. This is "quite secure" apporach, a bit better than blidny trusting what CSR to sign in KeDiFa. The bootstrap information, which is short living (certificates are valid for 5 days), resides in SlapOS Master. The csr_id is not directly known to SlapOS Master, and shall be consumed as fast as possible by frontend cluster operator in order to sign CSR appearing in KeDiFa caucase. The known possible attack vector requires that attacker knows caucased HTTP listening port and can hijack HTTPS traffic to the csr_id-url to get the human approve his own csr_id. The second is hoped to be overcomed by publishing certificate of this endpoint via SlapOS Master. Unfortunately caucase-updater prefix is directly used to find real CSR, as the one generated is just a template for rerequest, thus csr_id would be different from really used by caucase-updater.
-