caddy-frontend: Implement backend with own CA verification

f7a525ea · Łukasz Nowak · Łukasz Nowak · 8a999d74 · f7a525ea · f7a525ea
Commit f7a525ea authored Dec 06, 2018 by Łukasz Nowak Committed by Łukasz Nowak Dec 06, 2018
9 changed files
--- a/software/caddy-frontend/TODO.rst
+++ b/software/caddy-frontend/TODO.rst
@@ -13,7 +13,6 @@ Generally things to be done with ``caddy-frontend``:
 * ``type:eventsource``:

   * **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
- * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug `#1550 <https://github.com/mholt/caddy/issues/1550>`_, proposed solution `just adding your CA to the system's trust store`
 * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
 * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
 * have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones:

--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b

 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = 395ea5b3389e26a57dad0f91cd458630
+md5sum = f9d0e64b4aae205c7bb941f5c1c27876

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -62,11 +62,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b

 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = 73bc8abae6aadc3ce55662c3d821b363
+md5sum = b7879a40ed7f8a49b764c82e7283811f

 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
-md5sum = 7cbcadc295860821ac9d3aaa3cca72c5
+md5sum = c64f8ac7ec439460877ce5a5c5ccf1f7

 [template-log-access]
 filename = templates/template-log-access.conf.in

--- a/software/caddy-frontend/instance-apache-frontend.cfg.in
+++ b/software/caddy-frontend/instance-apache-frontend.cfg.in
@@ -537,7 +537,7 @@ mode = 700
 template = {{ parameter_dict['template_graceful_script'] }}
 rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
 mode = 0700
-path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt
+path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt ${caddy-directory:vh-ssl}/*.proxy_ca_crt
 sha256sum = {{ parameter_dict['sha256sum'] }}
 signature_file = ${directory:run}/caddy_graceful_signature
 extra-context =

--- a/software/caddy-frontend/instance-slave-caddy-input-schema.json
+++ b/software/caddy-frontend/instance-slave-caddy-input-schema.json
@@ -131,12 +131,12 @@
    },
    "ssl-proxy-verify": {
      "default": "false",
-      "description": "[NOT Implemented] If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
+      "description": "If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
      "enum": [
        "false",
        "true"
      ],
-      "title": "[NOT Implemented] Verify Backend Certificates",
+      "title": "Verify Backend Certificates",
      "type": "string"
    },
    "ssl_ca_crt": {
@@ -162,8 +162,8 @@
    },
    "ssl_proxy_ca_crt": {
      "default": "",
-      "description": "[NOT Implemented] Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
-      "title": "[NOT Implemented] SSL Backend Authority's Certificate",
+      "description": "Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
+      "title": "SSL Backend Authority's Certificate",
      "type": "string"
    },
    "type": {

--- a/software/caddy-frontend/templates/cached-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/cached-virtualhost.conf.in
@@ -19,9 +19,6 @@
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %}
 # Rewrite part
  proxy / {{ slave_parameter.get('backend_url', '') }} {
    # As backend is trusting REMOTE_USER header unset it always
@@ -30,7 +27,8 @@
    transparent
    timeout 600s
 {%- if ssl_proxy_verify %}
-{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+{%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
 {%-   endif %}
 {%- else %}
    insecure_skip_verify
@@ -43,16 +41,14 @@
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %}
  proxy / {{ slave_parameter.get('https_backend_url', '') }} {
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
    transparent
    timeout 600s
 {%- if ssl_proxy_verify %}
-{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+{%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
 {%-   endif %}
 {%- else %}
    insecure_skip_verify

--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
@@ -30,9 +30,6 @@
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
  tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
 {%- if enable_h2 %}
    # Allow HTTP2
@@ -79,8 +76,9 @@
    transparent
    timeout 600s
 {%-   if ssl_proxy_verify %}
-{%-     if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-     endif %} {#-     if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-   else %} {#-   if ssl_proxy_verify #}
    insecure_skip_verify
 {%-   endif %} {#-   if ssl_proxy_verify #}
@@ -136,8 +134,9 @@
    transparent
    timeout 600s
 {%-     if ssl_proxy_verify %}
-{%-       if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-       endif %} {#-       if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-     else %} {#-     if ssl_proxy_verify #}
    insecure_skip_verify
 {%-     endif %} {#-     if ssl_proxy_verify #}
@@ -152,9 +151,6 @@
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}

  log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}
@@ -201,8 +197,9 @@
    transparent
    timeout 600s
 {%-   if ssl_proxy_verify %}
-{%-     if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-     endif %} {#-     if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-   else %} {#-   if ssl_proxy_verify #}
    insecure_skip_verify
 {%-   endif %} {#-   if ssl_proxy_verify #}
@@ -252,8 +249,9 @@
    transparent
    timeout 600s
 {%-     if ssl_proxy_verify %}
-{%-       if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-       endif %} {#-       if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-     else %} {#-     if ssl_proxy_verify #}
    insecure_skip_verify
 {%-     endif %} {#-     if ssl_proxy_verify #}

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
@@ -27,6 +27,8 @@ TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_access_log
 TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_error_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_enable_cache_access_log
@@ -51,6 +53,8 @@ TestSlave-1/var/log/httpd/_server-alias_custom_domain-duplicated_error_log
 TestSlave-1/var/log/httpd/_server-alias_error_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
@@ -67,6 +71,8 @@ TestSlave-1/var/log/httpd/_type-zope-path_access_log
 TestSlave-1/var/log/httpd/_type-zope-path_error_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log

--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
@@ -28,6 +28,8 @@ TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_monitor-ipv4-test-error-log-last-day
@@ -53,6 +55,8 @@ TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-las
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_garbage-error-log-last-day
@@ -73,6 +77,8 @@ TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-err
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-https-port-error-log-last-day