  1. 20 Feb, 2020 1 commit
  2. 30 Aug, 2019 1 commit
  3. 18 Jul, 2019 1 commit
  4. 15 Apr, 2019 1 commit
  5. 21 Mar, 2019 1 commit
    • caddy-frontend: Adapt to ATS 7 · 7017a46e
      Łukasz Nowak authored
      Adapted configuration and instantiation to ATS 7.
      
      Deployment:
       * traffic_line has been replaced with traffic_ctl
       * access log, of squid style, is ascii instead of binary, to do so
         logging.config is generated
       * ip_allow.config is configured to allow access from any host
       * RFC 5861 (stale content on error or revalidate) is implemented with core
         instead of with the deprecated plugin
       * trafficserver-autoconf-port renamed to trafficserver-synthetic-port
       * proxy.config.system.mmap_max removed, as it is not used by the system anymore
      
      Tests:
       * As Via header is not returned to the client, it is dropped from the
         tests, instead its existence in the backend is checked.
       * Promise plugin trafficserver-cache-availability.py is re-enabled, as
         it is expected to work immediately.
  6. 13 Mar, 2019 3 commits
    • caddy-frontend: Implement AIKC · 28a1283d
      Łukasz Nowak authored
      AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered
      by option automatic-internal-kedifa-caucase-csr.
      
      It signs all CSRs which match csr_id and certificate from the nodes which need them.
    • caddy-frontend: Implement KeDiFa SSL information · bc2b1742
      Łukasz Nowak authored
      Use KeDiFa to store keys, and transmit the url to the requester for master
      and slave partitions.
      
      Download keys on the slave partitions level.
      
      Use caucase to fetch main caucase CA.
      
      kedifa-caucase-url is published in order to have access to it.
      
      Note: caucase is prepended with kedifa, as this is that one.
      
      Use kedifa-csr tool to generate CSR and use caucase-updater macro.
      
      Switch to KeDiFa with SSL Auth and updated goodies.
      
      KeDiFa endpoint URLs are randomised.
      
      Only one (first) user certificate is going to be automatically accepted. This
      one shall be operated by the cluster owner, the requester of frontend master
      partition.
      
      Then he will be able to sign certificates for other users and also for
      services - so each node in the cluster.
      
      Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
      is used for one command generation of extensions in the certificate.
      Note: We could upgrade to openssl 1.1.1 in order to have it really
      simplified (see https://security.stackexchange.com/a/183973 )
      
      Improve CSR readability by creating cluster-identification, which is master
      partition title, and use it as Organization of the CSR.
      
      Reserve slots for data exchange in KeDiFa.
  7. 08 Feb, 2019 1 commit
    • caddy-frontend: Fix random 502 EOFs by adding try_duration · 4f168972
      Łukasz Nowak authored
      try_duration and try_interval are Caddy proxy's switches which allow dealing
      with a non-working backend (https://caddyserver.com/docs/proxy)
      
      The non-working backend is the one to which connection is lost or was not
      possible to make, without sending any data.
      
      The default try_duration=5s and try_interval=250ms are chosen, so that in
      normal network conditions (with all possible problems in the network, like
      lost packets) the browser will have to wait up to 5 seconds to be informed
      that backend is inaccessible or for the request to start being processed,
      but only a bit more than 250ms if Caddy would have to reestablish connection
      to faulty backend.
      
      In order to check it out it is advisable to set up a system, with a real backend,
      like apache one, and configure iptables to randomly reject packets to it:
      
        iptables -A INPUT -m statistic --mode random -p tcp --dport <backend_port> \
        --probability 0.05 -j REJECT --reject-with tcp-reset
      
      Using ab or any other tool will result in a lot of 502 EOF in the Caddy error
      log and also reported by ab. With this configuration there are no more
      errors visible to the client, which come from the problems on the network
      between Caddy and the backend.
  8. 17 Jan, 2019 1 commit
  9. 14 Nov, 2018 1 commit
  10. 12 Sep, 2018 1 commit
  11. 06 Sep, 2018 4 commits
  12. 06 Aug, 2018 1 commit
  13. 31 Jul, 2018 2 commits
    • caddy-frontend: Drop server-admin · 263413af
      Łukasz Nowak authored
      This option is not advertised and it is not needed at all in Caddy
      configuration.
    • caddy-frontend: Modernize profiles · 9d866327
      Łukasz Nowak authored
      Features:
      
       * jinja2 is used to generate instance templates
       * downloads are done the same way for all resources
       * create with shared content for all instance profiles
       * fill in instance-common with shared sections
       * render templates late in order to ease its extension and development
       * drop not needed duplicated section
       * drop slap-parameter in frontend and replicate template
       * simplify monitor configuration
       * move instance-parameter to instance file
         Thanks to this only one and topmost profile is responsible for parsing and
         passing through the information which comes from the network