{#
  Virtual-host template for one slave. It renders two Caddy site blocks from
  `slave_parameter`: first the HTTPS hosts, then the plain-HTTP hosts.

  Lines starting with "# TODO-Caddy" are rendered as Caddyfile comments only.
  They look like Apache directives kept as porting notes (TODO confirm) and
  have no effect on the generated server.

  NOTE(review): every value read from slave_parameter (host names, backend
  URLs, default-path, path, ports, log and certificate paths) is written into
  the Caddyfile unquoted and unvalidated by this template. Whitespace,
  newlines or braces inside a value would change the structure of the
  generated configuration, so these parameters have to be validated before
  they reach this template - confirm where that is done.
#}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{#
  Boolean options: the value is coerced to a string, lower-cased and matched
  against TRUE_VALUES; anything else, including a missing key, is false.
  disable_no_cache_header, disable_via_header, prefer_gzip, enable_h2 and
  disabled_cookie_list are referenced only inside TODO-Caddy comment lines
  below, so setting them does not change request handling in this version.
#}
{%- set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%}
{%- set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%}
{%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%}
{%- set server_alias_list = slave_parameter.get('server-alias', '').split() -%}
{# enable-http2 falls back to the enable_http2_by_default entry when unset. #}
{%- set enable_h2 = ('' ~ slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default'])).lower() in TRUE_VALUES -%}
{# ssl_proxy_verify is the only flag that changes a live directive: it decides
   whether insecure_skip_verify is written into the generic proxy blocks. #}
{%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() -%}
{%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
{%- set slave_type = slave_parameter.get('type', '') -%}
{# server-alias entries are whitespace-split, custom_domain is used as given.
   NOTE(review): custom_domain has no default, so a missing key would put a
   None value into the site address - presumably the caller always sets it;
   verify. #}
{%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list -%}
{# https-url takes precedence over url when both are present. #}
{%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')) %}
{%- set http_host_list = [] %}
{%- set https_host_list = [] %}
{# Build the site addresses: one http:// and one https:// entry per host, on
   the http_port / https_port supplied by the rendering context. #}
{%- for host in host_list %}
{%- do http_host_list.append('http://%s:%s' % (host, http_port)) %}
{%- do https_host_list.append('https://%s:%s' % (host, https_port)) %}
{%- endfor %}
{# ---- HTTPS site block ---- #}
{{ https_host_list|join(', ') }} {
  bind {{ local_ipv4 }}
  # TODO-Caddy bind {{ local_ipv6 }}
{# TLS material: path_to_ssl_crt / path_to_ssl_key when set, otherwise the
   login_certificate / login_key pair.
   NOTE(review): `clients` inside a Caddy tls block configures
   client-certificate authentication against the listed CA file. Confirm that
   this is what path_to_ssl_ca_crt is meant for, and not an intermediate
   chain for the server certificate. #}
  tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{%- if slave_parameter.get('path_to_ssl_ca_crt') %}
    clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
{%- endif %}
  }
  # TODO-Caddy # One Slave two logs
  # TODO-Caddy LogLevel notice
  # TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  log / {{ slave_parameter.get('access_log') }} {combined}
  errors {{ slave_parameter.get('error_log') }}
{# Backend verification: everything inside this conditional is a comment in
   the rendered file, so a custom backend CA is not applied. The guard tests
   the key ssl_proxy_ca_crt while the rendered value comes from
   path_to_ssl_proxy_ca_crt. #}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
  # TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
  # TODO-Caddy SSLProxyVerify require
  # TODO-Caddy #SSLProxyCheckPeerCN on
  # TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %}
{# No protocols or ciphers are set in the tls block above, so the server's
   built-in TLS defaults apply.
   NOTE(review): the Apache cipher list kept below still allows 3DES suites;
   do not carry it over as-is if this setting is ever ported. #}
  # TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
  # TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
  # TODO-Caddy SSLHonorCipherOrder on
{% if enable_h2 %}
  # TODO-Caddy Protocols h2 http/1.1
{% endif -%}
  # TODO-Caddy # Rewrite part
  # TODO-Caddy ProxyTimeout 600
{% if disable_via_header %}
  # TODO-Caddy Header unset Via
{% endif -%}
{% if disable_no_cache_header %}
  # TODO-Caddy RequestHeader unset Cache-Control
  # TODO-Caddy RequestHeader unset Pragma
{% endif -%}
{%- for disabled_cookie in disabled_cookie_list %}
  # TODO-Caddy {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
{% endfor -%}
{%- if prefer_gzip %}
  # TODO-Caddy RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}
{# Routing by slave type:
     zope     - proxy to backend_url, optional redirect of / to default-path,
                then rewrite every path into the
                /VirtualHostBase/.../VirtualHostRoot/ form.
     redirect - not ported: only a comment is rendered, so the site block
                issues no redirect for this type.
     other    - optional default-path redirect, then proxy to backend_url
                when one is set.
   NOTE(review): the zope proxy block never adds insecure_skip_verify, unlike
   the generic branch, so ssl-proxy-verify makes no difference for zope
   slaves - confirm that this is intended. #}
{% if slave_type == 'zope' and backend_url %}
  proxy / {{ backend_url }} {
    transparent
  }
{% if 'default-path' in slave_parameter %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
  }
{% endif -%}
  rewrite {
    regexp (.*)
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
  }
{% elif slave_type == 'redirect' -%}
  # TODO-Caddy RewriteRule (.*) {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L]
{% else -%}
{% if 'default-path' in slave_parameter %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
  }
{% endif -%}
{# insecure_skip_verify is written unless ssl-proxy-verify is truthy, i.e. by
   default. With it, TLS to an https backend is encrypted but the backend
   certificate is not checked; enable ssl-proxy-verify when the backend is
   reached over a network that is not trusted. #}
{%- if backend_url %}
  proxy / {{ backend_url }} {
    transparent
{%- if not ssl_proxy_verify %}
    insecure_skip_verify
{%- endif %}
  }
{%- endif %}
{% endif -%}
}

{# ---- Plain-HTTP site block ----
   Same logging and TODO notes as above, without a tls directive. #}
{{ http_host_list|join(', ') }} {
  bind {{ local_ipv4 }}
  # TODO-Caddy bind {{ local_ipv6 }}
  log / {{ slave_parameter.get('access_log') }} {combined}
  errors {{ slave_parameter.get('error_log') }}
{# As in the HTTPS block, these backend-verification lines are comments only. #}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
  # TODO-Caddy SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
  # TODO-Caddy SSLProxyVerify require
  # TODO-Caddy #SSLProxyCheckPeerCN on
  # TODO-Caddy SSLProxyCheckPeerExpire on
{% endif %}
  # TODO-Caddy # Rewrite part
  # TODO-Caddy ProxyTimeout 600
{% if disable_via_header %}
  # TODO-Caddy Header unset Via
{% endif -%}
  # TODO-Caddy # One Slave two logs
  # TODO-Caddy LogLevel notice
  # TODO-Caddy LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
{# NOTE(review): stripping the Secure attribute from cookies is a TODO comment
   only; nothing in this block rewrites Set-Cookie. #}
  # TODO-Caddy # Remove "Secure" from cookies, as backend may be https
  # TODO-Caddy Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
{% if enable_h2 %}
  # TODO-Caddy Protocols h2 http/1.1
{% endif -%}
{% if disable_no_cache_header %}
  # TODO-Caddy RequestHeader unset Cache-Control
  # TODO-Caddy RequestHeader unset Pragma
{% endif -%}
{%- for disabled_cookie in disabled_cookie_list %}
  # TODO-Caddy {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }}
{% endfor -%}
{%- if prefer_gzip %}
  # TODO-Caddy RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}
{# Routing on the HTTP side. https-only is tested first and wins over the
   slave type: every request is redirected to the https URL of the same host
   and URI. The redirect type is again a comment only. The zope branch uses
   backend_url (https-url preferred) and never adds insecure_skip_verify,
   while the generic branch proxies to `url` and ignores https-url.
   NOTE(review): confirm that this difference between the branches is
   intended. #}
{%- if https_only %}
  redir / https://{host}{uri}
{% elif slave_type == 'redirect' -%}
  # TODO-Caddy RewriteRule (.*) {{slave_parameter.get('url', '')}}$1 [R,L]
{% elif slave_type == 'zope' and backend_url %}
  proxy / {{ backend_url }} {
    transparent
  }
{% if 'default-path' in slave_parameter %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
  }
{% endif -%}
  rewrite {
    regexp (.*)
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
  }
{% else -%}
{% if 'default-path' in slave_parameter %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
  }
{% endif -%}
{# Same default as the HTTPS block: the certificate of an https backend is
   not checked unless ssl-proxy-verify is truthy. #}
{%- if slave_parameter.get('url', '') %}
  proxy / {{ slave_parameter.get('url', '') }} {
    transparent
{%- if not ssl_proxy_verify %}
    insecure_skip_verify
{%- endif %}
  }
{% endif -%}
{% endif -%}
  # If nothing exist : put a nice error
  # ErrorDocument 404 /notfound.html
  # Dadiboom
}