caddy-frontend: Implement access to log files

c1485d65 · Łukasz Nowak · 0b53209e · c1485d65 · c1485d65 · c1485d65
Commit c1485d65 authored May 23, 2018 by Łukasz Nowak
5 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = f686f765e55d1dce2e55a400f0714b3e

 [template-apache-frontend]
 filename = instance-apache-frontend.cfg
-md5sum = df34d8398a5f19ac7a828e1c85c22867
+md5sum = 6416ce7ffa3e856f8ba06722ab9232fe

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -27,7 +27,7 @@ md5sum = 9e76028df7e93d3e32982884d5dc0913

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 0643a19572f65e496e1656df0971d8bd
+md5sum = 8333871e68e76c7792b4624a2a90b707

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -43,7 +43,7 @@ md5sum = d1a7a759aa2801c96ecf4445a33203f2

 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 0643a19572f65e496e1656df0971d8bd
+md5sum = 8333871e68e76c7792b4624a2a90b707

 [template-not-found-html]
 filename = templates/notfound.html
@@ -63,7 +63,7 @@ md5sum = b66ebb546e1762419a22ac853437a9c2

 [template-log-access]
 filename = templates/template-log-access.conf.in
-md5sum = 50541094dd3ee6c240a9c7a0590fcff8
+md5sum = cd3043964ae7fd8489e545ba0d4fc603

 [template-empty]
 filename = templates/empty.in
@@ -99,4 +99,4 @@ md5sum = ebe5d3d19923eb812a40019cb11276d8

 [template-caddy-graceful-script]
 filename = templates/caddy-graceful-script.sh.in
-md5sum = 0b96d401252e3c38a552c51569457929
+md5sum = add097b3cb757675787a87c8ae7fb0cc
--- a/software/caddy-frontend/instance-apache-frontend.cfg
+++ b/software/caddy-frontend/instance-apache-frontend.cfg
@@ -132,9 +132,6 @@ log-access-configuration = $${directory:etc}/apache-log-access.conf
 caddy-directory = ${caddy:location}
 caddy-ipv6 = $${instance-parameter:ipv6-random}
 caddy-https-port = $${instance-parameter:configuration.port}
-# XXX: Maybe it is not the best way to redirect -- anyway instantiation
-#      will fail ASA Apache will be removed
-htpasswd = ${buildout:bin-directory}/htpasswd

 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2

--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -57,10 +57,9 @@ crl = {{ custom_ssl_directory }}/crl/
 {%   set slave_logrotate_section = slave_reference + "-logs" -%}
 {%   set slave_password_section = slave_reference + "-password" -%}
 {%   set slave_ln_section = slave_reference + "-ln" -%}
-{%   set slave_htaccess_section = slave_reference + '-htaccess' %}

 {#   extend parts #}
-{%   do part_list.extend([slave_htaccess_section, slave_ln_section]) -%}
+{%   do part_list.extend([slave_ln_section]) -%}
 {%   do part_list.extend([slave_logrotate_section, slave_section_title]) -%}

 {%   set slave_log_folder = logrotate_dict.get('backup') + '/' + slave_reference + "-logs" -%}
@@ -108,9 +107,12 @@ crl = {{ custom_ssl_directory }}/crl/
 {%     do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
 {%   endif -%}

-[slave-log-directories]
+[slave-log-directory-dict]
 {{slave_reference}} = {{ slave_log_folder }}

+[slave-password]
+{{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}
+
 {# Set slave logrotate entry #}
 [{{slave_logrotate_section}}]
 <= logrotate
@@ -131,13 +133,6 @@ recipe = slapos.cookbook:generate.password
 storage-path = {{apache_configuration_directory}}/.{{slave_reference}}.passwd
 bytes = 8

-{# Set up htaccess file for slave #}
-[{{slave_htaccess_section}}]
-recipe = plone.recipe.command
-stop-on-error = true
-htaccess-path = {{apache_configuration_directory}}/.{{slave_reference}}.htaccess
-command = {{frontend_configuration.get('htpasswd')}} -cb ${:htaccess-path} {{ slave_reference }} {{ '${' + slave_password_section + ':passwd}' }}
-
 {# ################################################## #}
 {# Set Slave Certificates if needed                   #}

@@ -329,6 +324,7 @@ extra-context =
 {% endfor %}

 [slave-log-directories]
+<= slave-log-directory-dict
 recipe = slapos.cookbook:mkdirectory

 {# Define log access #}
@@ -337,9 +333,17 @@ recipe = slapos.cookbook:mkdirectory
 template = {{frontend_configuration.get('template-log-access')}}
 rendered = {{frontend_configuration.get('log-access-configuration')}}
 extra-context =
-    section slave_log_directory slave-log-directories
+    section slave_log_directory slave-log-directory-dict
+    section slave_password slave-password
    raw apache_log_directory {{apache_log_directory}}
    raw apache_configuration_directory {{apache_configuration_directory}}
+    raw local_ipv4 {{ local_ipv4 }}
+    raw local_ipv6 {{ local_ipv6 }}
+    raw https_port {{ https_port }}
+    raw http_port {{ http_port }}
+    raw global_ipv6 {{ global_ipv6 }}
+    raw login_certificate {{ login_certificate }}
+    raw login_key {{ login_key }}

 {# Publish information for the instance #}
 [publish-apache-information]

--- a/software/caddy-frontend/templates/caddy-graceful-script.sh.in
+++ b/software/caddy-frontend/templates/caddy-graceful-script.sh.in
@@ -8,7 +8,7 @@ CADDY_SIGNATURE_FILE=$RUN_DIR/caddy_configuration.signature
 NCADDY_SIGNATURE_FILE=$RUN_DIR/ncaddy_configuration.signature

 touch $CADDY_SIGNATURE_FILE
-sha256sum $BIN_DIR/caddy-wrapper $ETC_DIR/Caddyfile $ETC_DIR/caddy-*.d/*.conf $ETC_DIR/caddy-*.d/ssl/*.*key $ETC_DIR/caddy-*.d/ssl/*.*crt* | sort -k 66 > $NCADDY_SIGNATURE_FILE
+sha256sum $BIN_DIR/caddy-wrapper $ETC_DIR/Caddyfile $ETC_DIR/*-log-access.conf $ETC_DIR/caddy-*.d/*.conf $ETC_DIR/caddy-*.d/ssl/*.*key $ETC_DIR/caddy-*.d/ssl/*.*crt* | sort -k 66 > $NCADDY_SIGNATURE_FILE

 # If no diff, no restart for now
 if diff "$CADDY_SIGNATURE_FILE" "$NCADDY_SIGNATURE_FILE"; then

--- a/software/caddy-frontend/templates/template-log-access.conf.in
+++ b/software/caddy-frontend/templates/template-log-access.conf.in
 {% for slave, directory in slave_log_directory.iteritems() %}
-# TODO-Caddy Alias /{{slave}}/ {{directory}}/
-# TODO-Caddy <Directory {{directory}}>
-# TODO-Caddy   Order Deny,Allow
-# TODO-Caddy   Deny from env=AUTHREQUIRED
-# TODO-Caddy   <Files ".??*">
-# TODO-Caddy     Order Allow,Deny
-# TODO-Caddy     Deny from all
-# TODO-Caddy   </Files>
-# TODO-Caddy   AuthType Basic
-# TODO-Caddy   AuthName "Log Access {{slave}}"
-# TODO-Caddy   AuthUserFile "{{ apache_configuration_directory + '/.' + slave.upper() + '.htaccess'}}"
-# TODO-Caddy   Require user {{slave.upper()}}
-# TODO-Caddy   Options Indexes FollowSymLinks
-# TODO-Caddy   Satisfy all
-# TODO-Caddy </Directory>
-
+https://[{{ global_ipv6 }}]:{{ https_port }}/{{ slave }}, https://{{ local_ipv4 }}:{{ https_port }}/{{ slave }} {
+  bind {{ local_ipv4 }}
+  #bind {{ global_ipv6 }}
+  root {{directory}}/
+  browse
+  tls {{ login_certificate }} {{ login_key }}
+  basicauth "{{ slave.upper() }}" {{ slave_password[slave] }} {
+    "Log Access {{ slave }}"
+    /
+  }
+}
 {% endfor %}