caddy-frontend: Minimal working implementation

4b145c0c · Łukasz Nowak · 20336f9f · 4b145c0c · 4b145c0c · 4b145c0c
Commit 4b145c0c authored May 11, 2018 by Łukasz Nowak
4 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = f686f765e55d1dce2e55a400f0714b3e

 [template-apache-frontend]
 filename = instance-apache-frontend.cfg
-md5sum = 2b0c456ac9b9ed2de4257dcc48311c4c
+md5sum = ee634be491fff95a0d50eddb8c0629bd

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -27,7 +27,7 @@ md5sum = 9e76028df7e93d3e32982884d5dc0913

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 0dc922c2cafe99b16c9debe0fd5461a7
+md5sum = 7c904edd37754ac89b436c3632aca0bc

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -43,7 +43,7 @@ md5sum = d1a7a759aa2801c96ecf4445a33203f2

 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 0dc922c2cafe99b16c9debe0fd5461a7
+md5sum = 7c904edd37754ac89b436c3632aca0bc

 [template-not-found-html]
 filename = templates/notfound.html
@@ -55,7 +55,7 @@ md5sum = 4dbb8560e4de1af2a0706b020e713fe7

 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = b302fc0a44ffac068902b1fb37c96bd7
+md5sum = 41f2c8bc8972f777becbf1cb588276ac

 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in

--- a/software/caddy-frontend/instance-apache-frontend.cfg
+++ b/software/caddy-frontend/instance-apache-frontend.cfg
@@ -171,6 +171,7 @@ extra-context =
    key custom_ssl_directory caddy-directory:vh-ssl
    key apache_log_directory caddy-directory:slave-log
    key local_ipv4 instance-parameter:ipv4-random
+    key local_ipv6 instance-parameter:ipv6-random
    key global_ipv6 slap-network-information:global-ipv6
    key empty_template software-release-path:template-empty
    key template_custom_slave_configuration software-release-path:template-slave-configuration
@@ -185,6 +186,9 @@ extra-context =
    key promise_directory monitor-directory:promises
    key report_directory monitor-directory:reports
    raw bin_directory ${buildout:bin-directory}
+    key login_certificate ca-frontend:cert-file
+    key login_key ca-frontend:key-file
+    key login_ca_crt ca-custom-frontend:rendered

 [dynamic-virtualhost-template-slave]
 <= jinja2-template-base

--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -158,6 +158,10 @@ value = {{ dumps(slave_instance.get(cert_name)) }}
 {%     endif -%}
 {%   endfor -%}

+{#-   Set Up Certs #}
+{%-   do slave_instance.__setitem__('login_certificate', login_certificate) %}
+{%-   do slave_instance.__setitem__('login_key', login_key) %}
+{%-   do slave_instance.__setitem__('login_ca_crt', login_ca_crt) %}
 {%   if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance -%}
 {%     set cert_title = '%s-crt' % (slave_reference) -%}
 {%     set key_title = '%s-key' % (slave_reference) -%}
@@ -218,6 +222,7 @@ extra-context =
    raw http_port {{ http_port }}
    raw global_ipv6 {{ global_ipv6 }}
    raw local_ipv4 {{ local_ipv4 }}
+    raw local_ipv6 {{ local_ipv6 }}
    section slave_parameter {{ slave_configuration_section_name }}
 {{ '\n' }}


--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
@@ -8,21 +8,27 @@
 {%- set disabled_cookie_list =  slave_parameter.get('disabled-cookie-list', '').split() -%}
 {%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
 {%- set slave_type = slave_parameter.get('type', '') -%}
-{%- set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
-                                 ('SSLCertificateKeyFile', 'path_to_ssl_key'),
-                                 ('SSLCACertificateFile', 'path_to_ssl_ca_crt'),
-                                 ('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%}
-
-# TODO-Caddy <VirtualHost *:{{ https_port }}>
-# TODO-Caddy   ServerName {{ slave_parameter.get('custom_domain') }}
-# TODO-Caddy   ServerAlias {{ slave_parameter.get('custom_domain') }}
-
-{%- for server_alias in server_alias_list %}
-# TODO-Caddy   ServerAlias {{ server_alias }}
-{% endfor %}
+{%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list -%}
+{%- set http_host_list = [] %}
+{%- set https_host_list = [] %}
+{%- for host in host_list %}
+{%-   do http_host_list.append('http://%s:%s' % (host, http_port)) %}
+{%-   do https_host_list.append('https://%s:%s' % (host, https_port)) %}
+{%- endfor %}
+{{ https_host_list|join(', ') }} {
+  bind {{ local_ipv4 }}
+# TODO-Caddy  bind {{ local_ipv6 }}
+  tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
+{%- if slave_parameter.get('path_to_ssl_ca_crt') %}
+    clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
+{%- endif %}
+  }
+# TODO-Caddy   # One Slave two logs
+# TODO-Caddy   LogLevel notice
+# TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+  log / {{ slave_parameter.get('access_log') }} {combined}
+  errors {{ slave_parameter.get('error_log') }}

-# TODO-Caddy   SSLEngine on
-# TODO-Caddy   SSLProxyEngine on
 {% if ssl_proxy_verify -%}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
 # TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
@@ -39,18 +45,6 @@
 # TODO-Caddy   Protocols h2 http/1.1
 {% endif -%}

-{% for key, value in ssl_configuration_list -%}
-{%   if value in slave_parameter -%}
-# TODO-Caddy {{ '  %s' % key }} {{ slave_parameter.get(value) }}
-{% endif -%}
-{% endfor -%}
-
-# TODO-Caddy   # One Slave two logs
-# TODO-Caddy   ErrorLog "{{ slave_parameter.get('error_log') }}"
-# TODO-Caddy   LogLevel notice
-# TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
-# TODO-Caddy   CustomLog "{{ slave_parameter.get('access_log') }}" combined
-
 # TODO-Caddy   # Rewrite part
 # TODO-Caddy   ProxyPreserveHost On
 # TODO-Caddy   ProxyTimeout 600
@@ -85,21 +79,27 @@
 # TODO-Caddy   RewriteRule  (.*)  {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L]
 {% else -%}
  {% if 'default-path' in slave_parameter %}
-# TODO-Caddy   RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
+  redir 301 {
+    if {path} is /
+    / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
+  }
  {% endif -%}
-# TODO-Caddy   RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/$1 [L,P]
+  proxy / {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }} {
+    transparent
+{%- if not ssl_proxy_verify %}
+    insecure_skip_verify
+{%-   endif %}
+  }
 {% endif -%}
-# TODO-Caddy </VirtualHost>
+}

-# TODO-Caddy <VirtualHost *:{{ http_port }}>
-# TODO-Caddy   ServerName {{ slave_parameter.get('custom_domain') }}
-# TODO-Caddy   ServerAlias {{ slave_parameter.get('custom_domain') }}
+{{ http_host_list|join(', ') }} {
+  bind {{ local_ipv4 }}
+# TODO-Caddy  bind {{ local_ipv6 }}

-{%-  for server_alias in server_alias_list %}
-# TODO-Caddy   ServerAlias {{ server_alias }}
-{% endfor %}
+  log / {{ slave_parameter.get('access_log') }} {combined}
+  errors {{ slave_parameter.get('error_log') }}

-# TODO-Caddy   SSLProxyEngine on
 {% if ssl_proxy_verify -%}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
 # TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
@@ -118,10 +118,8 @@
 # TODO-Caddy   RewriteEngine On

 # TODO-Caddy   # One Slave two logs
-# TODO-Caddy   ErrorLog "{{ slave_parameter.get('error_log') }}"
 # TODO-Caddy   LogLevel notice
 # TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
-# TODO-Caddy   CustomLog "{{ slave_parameter.get('access_log') }}" combined

 # TODO-Caddy   # Remove "Secure" from cookies, as backend may be https
 # TODO-Caddy   Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
@@ -143,13 +141,8 @@
 # TODO-Caddy   RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
 {% endif %}

-# Next line is forbidden and people who copy it will be hanged short
-{% if https_only -%}
-  # Not using HTTPS? Ask that guy over there.
-  # Dummy redirection to https. Note: will work only if https listens
-  # on standard port (443).
-# TODO-Caddy   RewriteCond     %{SERVER_PORT}  !^{{ https_port }}$
-# TODO-Caddy   RewriteRule     ^/(.*)          https://%{SERVER_NAME}/$1 [NC,R,L]
+{%- if https_only %}
+  redir / https://{host}{uri}
 {% elif slave_type ==  'redirect' -%}
 # TODO-Caddy   RewriteRule     (.*)  {{slave_parameter.get('url', '')}}$1 [R,L]
 {% elif slave_type ==  'zope' -%}
@@ -162,12 +155,19 @@
 # TODO-Caddy   RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http/%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
 {% else -%}
  {% if 'default-path' in slave_parameter %}
-# TODO-Caddy   RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
+  redir 301 {
+    if {path} is /
+    / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
+  }
  {% endif -%}
-# TODO-Caddy   RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
+  proxy / {{ slave_parameter.get('url', '') }} {
+    transparent
+{%- if not ssl_proxy_verify %}
+    insecure_skip_verify
+{%-   endif %}
+  }
 {% endif -%}
  # If nothing exist : put a nice error
 #  ErrorDocument 404 /notfound.html
 # Dadiboom
-
-# TODO-Caddy </VirtualHost>
+}