Commit a039c8cf authored by Łukasz Nowak's avatar Łukasz Nowak

rapid-cdn: Handle correctly wildcard domains

While generating haproxy configuration (including it's CRT list) the specific
order of entries is used, so that wildcard domains end up last. Thanks to this
they work as a catch-all and allow specific domain to take precedence. Care
is taken to support *.example.example.com and *.example.com situation - so
tree like possibility of wildcards.

Anonymous in-place ACL are used per each domain, instead of per-shared
instance grouping in order to avoid situation like *.example.com and
example.com having single ACL, thus resulting with catch-all kicking in too
fast.

For the precision in the haproxy configuration and simplifcation of the regular
expressions the -m reg is used, so that host_only can be applied, which also
lowercases the hostname.

Notes:
 * test00cluster_request_instance_parameter_dict changed due to sorting slaves
   in test's requestSlaves
 * the test infrastructure has been improved to assure repetition of the
   situation
 * tests in TestSlaveHostHaproxyClash are asserting that correct domain AND
   that specific certificate have been used while serving given frontend
   configuration
parent cfd38dbe
Pipeline #30253 passed with stage
in 0 seconds
......@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08
[profile-slave-list]
filename = instance-slave-list.cfg.in
md5sum = 8289620cb32dbdfcca6ba112c7ec7b2b
md5sum = b75e42233c1b7bdd5f21971ed8907efc
[profile-master-publish-slave-information]
filename = instance-master-publish-slave-information.cfg.in
......@@ -38,11 +38,11 @@ md5sum = cba4d995962f7fbeae3f61c9372c4181
[template-frontend-haproxy-configuration]
_update_hash_filename_ = templates/frontend-haproxy.cfg.in
md5sum = eef9712c6fe4d62b570b9059157c67ea
md5sum = fc68a825c656bde0ae69a936936b0478
[template-frontend-haproxy-crt-list]
_update_hash_filename_ = templates/frontend-haproxy-crt-list.in
md5sum = 238760d48d2875f087ad2d784e2a8fcd
md5sum = 2f3f75773eb879b97d1ff5e04486591c
[template-not-found-html]
_update_hash_filename_ = templates/notfound.html
......@@ -50,7 +50,7 @@ md5sum = d56e2cfab274cbbbe5b387f2f6e417df
[template-backend-haproxy-configuration]
_update_hash_filename_ = templates/backend-haproxy.cfg.in
md5sum = b4b55d931249f11e4e1256afeb74b503
md5sum = 6457064905f818f21e3733eb4278a580
[template-empty]
_update_hash_filename_ = templates/empty.in
......
{%- set kedifa_updater_mapping = [] %}
{%- set cached_server_dict = {} %}
{%- set backend_slave_list = [] %}
{%- set frontend_slave_list = [] %}
{%- set backend_slave_dict = {} %}
{%- set frontend_slave_dict = {} %}
{%- set part_list = [] %}
{%- set cache_port = frontend_haproxy_configuration.get('cache-port') %}
{%- set cache_access = "http://%s:%s/HTTP" % (instance_parameter_dict['ipv4-random'], cache_port) %}
......@@ -228,7 +228,8 @@ context =
{%- do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
{%- do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
{%- do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}
{%- set host_list = slave_instance.get('server-alias', '').split() %}
{%- do slave_instance.__setitem__('server-alias', slave_instance.get('server-alias', '').split()) %}
{%- set host_list = slave_instance['server-alias'] %}
{%- if slave_instance.get('custom_domain') not in host_list %}
{%- do host_list.append(slave_instance.get('custom_domain')) %}
{%- endif %}
......@@ -385,9 +386,9 @@ local_ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }}
{#- ############################### #}
{#- Prepare Slave Information #}
{%- do slave_instance_information_list.append(slave_publish_dict) %}
{%- do frontend_slave_list.append(slave_instance) %}
{%- do frontend_slave_dict.__setitem__(slave_instance['slave_reference'], slave_instance) %}
{%- if slave_type != 'redirect' %}
{%- do backend_slave_list.append(slave_instance) %}
{%- do backend_slave_dict.__setitem__(slave_instance['slave_reference'], slave_instance) %}
{%- endif %}
{%- endfor %} {# Slave iteration ends for slave_instance in slave_instance_list #}
......@@ -477,14 +478,30 @@ output = ${:file}
##<Frontend haproxy>
[frontend-haproxy-slave-list]
list = {{ dumps(sorted(frontend_slave_list, key=operator_module.itemgetter('slave_reference'))) }}
dict = {{ dumps(frontend_slave_dict) }}
{%- set slave_instance_hostname_frontend_order = [] %}
{%- for slave_instance in frontend_slave_dict.values() %}
{%- for hostname in slave_instance['host_list'] %}
{%- if '*' in hostname %}
{%- set order_value = hostname.count('.') %}
{%- else %}
{%- set order_value = 1000 %}
{%- endif %}
{%- do slave_instance_hostname_frontend_order.append({
'index': order_value,
'hostname': hostname,
'slave_reference': slave_instance['slave_reference']}) %}
{%- endfor %}
{%- endfor %}
order = {{ dumps(slave_instance_hostname_frontend_order) }}
[frontend-haproxy-crt-list]
<= jinja2-template-base
template = {{ template_frontend_haproxy_crt_list }}
rendered = ${frontend-haproxy-config:crt-list}
extra-context =
key frontend_slave_list frontend-haproxy-slave-list:list
key frontend_slave_dict frontend-haproxy-slave-list:dict
key frontend_slave_order frontend-haproxy-slave-list:order
section configuration frontend-haproxy-config
[frontend-haproxy-configuration]
......@@ -492,7 +509,8 @@ extra-context =
template = {{ template_frontend_haproxy_configuration }}
rendered = ${frontend-haproxy-config:file}
extra-context =
key frontend_slave_list frontend-haproxy-slave-list:list
key frontend_slave_dict frontend-haproxy-slave-list:dict
key frontend_slave_order frontend-haproxy-slave-list:order
key crt_list frontend-haproxy-crt-list:rendered
section configuration frontend-haproxy-config
......@@ -512,9 +530,25 @@ autocert-directory = {{ frontend_directory['autocert'] }}
< = jinja2-template-base
url = {{ template_backend_haproxy_configuration }}
output = ${backend-haproxy-config:file}
backend_slave_list = {{ dumps(sorted(backend_slave_list, key=operator_module.itemgetter('slave_reference'))) }}
backend_slave_dict = {{ dumps(backend_slave_dict) }}
{%- set slave_instance_hostname_backend_order = [] %}
{%- for slave_instance in backend_slave_dict.values() %}
{%- for hostname in slave_instance['host_list'] %}
{%- if '*' in hostname %}
{%- set order_value = hostname.count('.') %}
{%- else %}
{%- set order_value = 1000 %}
{%- endif %}
{%- do slave_instance_hostname_backend_order.append({
'index': order_value,
'hostname': hostname,
'slave_reference': slave_instance['slave_reference']}) %}
{%- endfor %}
{%- endfor %}
order = {{ dumps(slave_instance_hostname_backend_order) }}
extra-context =
key backend_slave_list :backend_slave_list
key backend_slave_dict :backend_slave_dict
key backend_slave_order :order
section configuration backend-haproxy-config
[backend-haproxy-config]
......
......@@ -17,30 +17,20 @@ defaults
default-server init-addr last,libc,none
{%- set SCHEME_PREFIX_MAPPING = { 'http': 'http_backend', 'https': 'https_backend'} %}
{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
{#- wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
{%- macro frontend_entry(slave_reference, hostname, slave_instance, scheme) %}
{%- if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] %}
{%- set matched = {'count': 0} %}
{%- for host in slave_instance['host_list'] %}
{#- Match up to the end or optional port (starting with ':') #}
{#- Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
{%- if wildcard and host.startswith('*.') %}
{%- do matched.__setitem__('count', matched['count'] + 1) %}
# match wildcard {{ host }}
acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
{%- elif not wildcard and not host.startswith('*.') %}
{%- do matched.__setitem__('count', matched['count'] + 1) %}
acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i ^{{ host }}($|:.*)
{%- endif %}
{%- endfor %}
{%- if matched['count'] > 0 %}
{%- if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
acl is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }} nbsrv({{ slave_instance['slave_reference'] }}-{{ scheme }}) eq 0
use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} ! is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }}-failover if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
{%- else %}
use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }}
{%- endif %}
{%- if hostname.startswith('*') %}
{%- set matcher = '' ~ hostname[2:] ~ '$' %}
{%- else %}
{%- set matcher = '^' ~ hostname ~ '$' %}
{%- endif %}
{%- set acl = '{ req.hdr(host),host_only -m reg ' ~ matcher ~ ' }' %}
{%- if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
acl is_failover_{{ slave_reference }}_{{ scheme }} nbsrv({{ slave_reference }}-{{ scheme }}) eq 0
use_backend {{ slave_reference }}-{{ scheme }} if {{ acl }} ! is_failover_{{ slave_reference }}_{{ scheme }}
use_backend {{ slave_reference }}-{{ scheme }}-failover if {{ acl }} is_failover_{{ slave_reference }}_{{ scheme }}
{%- else %}
use_backend {{ slave_reference }}-{{ scheme }} if {{ acl }}
{%- endif %}
{%- endif %}
{%- endmacro %}
......@@ -62,11 +52,8 @@ frontend http-backend
http-response add-header Via "%HV rapid-cdn-backend-{{ configuration['node-id'] }}-{{ configuration['version-hash']}}"
# setup Date
http-response set-header Date %[date(),http_date] if ! { res.hdr(Date) -m found }
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'http', False) }}
{%- endfor %}
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'http', True) }}
{%- for entry in backend_slave_order | sort(attribute="index,hostname", reverse=True) %}
{{- frontend_entry(entry['slave_reference'], entry['hostname'], backend_slave_dict[entry['slave_reference']], 'http') -}}
{%- endfor %}
frontend https-backend
......@@ -75,14 +62,12 @@ frontend https-backend
http-response add-header Via "%HV rapid-cdn-backend-{{ configuration['node-id'] }}-{{ configuration['version-hash']}}"
# setup Date
http-response set-header Date %[date(),http_date] if ! { res.hdr(Date) -m found }
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'https', False) }}
{%- for entry in backend_slave_order | sort(attribute="index,hostname", reverse=True) %}
{{- frontend_entry(entry['slave_reference'], entry['hostname'], backend_slave_dict[entry['slave_reference']], 'https') -}}
{%- endfor %}
{%- for slave_instance in backend_slave_list -%}
{{ frontend_entry(slave_instance, 'https', True) }}
{% endfor %}
{%- for slave_instance in backend_slave_list %}
{%- for slave_reference in sorted(backend_slave_dict) %}
{%- set slave_instance = backend_slave_dict[slave_reference] %}
{%- for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
{%- set info_dict = slave_instance[prefix] %}
{%- if info_dict['hostname'] and info_dict['port'] %}
......
{%- for slave in frontend_slave_list %}
{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
{%- set slave = frontend_slave_dict[entry['slave_reference']] %}
{%- set entry_list = [] %}
{%- set sslbindconf = [] %}
{#- <crtfile> #}
......@@ -9,7 +10,7 @@
{%- do sslbindconf.append(slave['alpn']) %}
{%- do entry_list.append('[' + ' '.join(sslbindconf) + ']') %}
{#- <snifilter> #}
{%- do entry_list.extend(slave['host_list']) %}
{%- do entry_list.append(entry['hostname']) %}
{{- ' '.join(entry_list) }}
{% endfor -%}
# Fallback to default certificate
......
......@@ -23,30 +23,14 @@ defaults
default-server init-addr last,libc,none
{%- set SCHEME_PREFIX_MAPPING = { 'http': 'backend-http-info', 'https': 'backend-https-info'} %}
{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
{#- wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
{#- if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] #}
{%- set host_list = (slave_instance.get('server-alias') or '').split() %}
{%- if slave_instance.get('custom_domain') not in host_list %}
{%- do host_list.append(slave_instance.get('custom_domain')) %}
{%- endif %}
{%- set matched = {'count': 0} %}
{%- for host in host_list %}
{#- Match up to the end or optional port (starting with ':') #}
{#- Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
{%- if wildcard and host.startswith('*.') %}
{%- do matched.__setitem__('count', matched['count'] + 1) %}
# match wildcard {{ host }}
acl is_{{ slave_instance['slave_reference'] }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
{%- elif not wildcard and not host.startswith('*.') %}
{%- do matched.__setitem__('count', matched['count'] + 1) %}
acl is_{{ slave_instance['slave_reference'] }} hdr_reg(host) -i ^{{ host }}($|:.*)
{%- endif %}
{%- endfor %}
{%- if matched['count'] > 0 %}
use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}
{%- endif %}
{#- endif #}
{%- macro frontend_entry(slave_reference, hostname, scheme) %}
{%- if hostname.startswith('*') %}
{%- set matcher = hostname[2:] %}
{%- else %}
{%- set matcher = '^' ~ hostname %}
{%- endif %}
use_backend {{ slave_reference }}-{{ scheme }} if { req.hdr(host),host_only -m reg {{ matcher }}$ }
{%- endmacro %}
{%- macro frontend_common() %}
......@@ -68,11 +52,8 @@ frontend http-frontend
bind {{ configuration['local-ipv4'] }}:{{ configuration['http-port'] }}
bind {{ configuration['global-ipv6'] }}:{{ configuration['http-port'] }}
{{ frontend_common() }}
{%- for slave_instance in frontend_slave_list -%}
{{ frontend_entry(slave_instance, 'http', False) }}
{%- endfor %}
{%- for slave_instance in frontend_slave_list -%}
{{ frontend_entry(slave_instance, 'http', True) }}
{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
{{- frontend_entry(entry['slave_reference'], entry['hostname'], 'http') -}}
{%- endfor %}
default_backend BACKEND_NOT_FOUND
......@@ -84,16 +65,14 @@ frontend https-frontend
bind quic6@{{ configuration['global-ipv6'] }}:{{ configuration['https-port'] }} ssl crt-list {{ crt_list }} alpn h3
{%- endif %}
{{ frontend_common() }}
{%- for slave_instance in frontend_slave_list -%}
{{ frontend_entry(slave_instance, 'https', False) }}
{%- endfor %}
{%- for slave_instance in frontend_slave_list -%}
{{ frontend_entry(slave_instance, 'https', True) }}
{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
{{- frontend_entry(entry['slave_reference'], entry['hostname'], 'https') -}}
{%- endfor %}
default_backend BACKEND_NOT_FOUND
# Backends
{%- for slave_instance in frontend_slave_list %}
{%- for slave_reference in sorted(frontend_slave_dict) %}
{%- set slave_instance = frontend_slave_dict[slave_reference] %}
{%- for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
{%- set info_dict = slave_instance.get(prefix, slave_instance.get('backend-http-info')) %}
backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
......@@ -189,7 +168,7 @@ backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
{%- endif %} {# if 'hostname' in info_dict and 'port' in info_dict #}
{%- endif %} {# if scheme == 'http' and slave_instance['https-only'] #}
{%- endfor %} {# for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() #}
{%- endfor %} {# for slave_instance in frontend_slave_list #}
{%- endfor %} {# for slave_reference in sorted(frontend_slave_dict) #}
backend BACKEND_NOT_FOUND
{#- a bit hacky but working way to provide default CDN's 404 #}
......
......@@ -1292,7 +1292,9 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
@classmethod
def requestSlaves(cls):
for slave_reference, partition_parameter_kw in list(
# Note: List is sorted here, so that tests which want slaves
# ordered by their slave_reference are stable
for slave_reference, partition_parameter_kw in sorted(
cls.getSlaveParameterDictDict().items()):
software_url = cls.getSoftwareURL()
software_type = cls.getInstanceSoftwareType()
......@@ -6577,49 +6579,83 @@ class TestSlaveHostHaproxyClash(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod
def getSlaveParameterDictDict(cls):
# Note: The slaves are specifically constructed to have an order which
# is triggering the problem. Slave list is sorted in many places,
# and such slave configuration will result with them begin seen
# by backend haproxy configuration in exactly the way seen below
# Ordering it here will not help at all.
# Note: Slave list is ordered by it's reference, so that requestSlaves
# will result in an order, which will hit the bugs covered here:
# * the most wildcard domain is requested first
# * then the more specific wildcard comes
# * in the end specific slaves are there
return {
'wildcard': {
'url': cls.backend_url + 'wildcard',
'01wildcard': {
'url': cls.backend_url + '01wildcard',
'custom_domain': '*.example.com',
'server-alias': 'example.com',
},
'02wildcard': {
'url': cls.backend_url + '02wildcard',
'custom_domain': '*.alias1.example.com',
'server-alias': 'alias1.example.com',
},
'03zspecific': {
'url': cls.backend_url + '03zspecific',
'custom_domain': 'zspecific.example.com',
},
'zspecific': {
'url': cls.backend_url + 'zspecific',
'04zspecific': {
'url': cls.backend_url + '04zspecific',
'custom_domain': 'zspecific.alias1.example.com',
},
}
def test(self):
_, wildcard_key, _, wildcard_crt = createSelfSignedCertificate([
'*.example.com'])
_, wildcard_alias1_key, _, wildcard_alias1_crt = \
createSelfSignedCertificate([
'*.alias1.example.com'])
_, zspecific_key, _, zspecific_crt = createSelfSignedCertificate([
'zspecific.example.com'])
_, zspecific_alias1_key, _, zspecific_alias1_crt = \
createSelfSignedCertificate([
'zspecific.alias1.example.com'])
def uploadCertificate(key, certificate):
auth = mimikra.get(
self.current_generate_auth,
verify=self.kedifa_caucase_ca_certificate_file)
self.assertEqual(http.client.CREATED, auth.status_code)
data = certificate + key
upload = mimikra.put(
self.current_upload_url + auth.text,
data=data,
verify=self.kedifa_caucase_ca_certificate_file)
self.assertEqual(http.client.CREATED, upload.status_code)
self.assertSlaveBase(
'wildcard', hostname='*.alias1')
'01wildcard', hostname='*')
uploadCertificate(wildcard_key, wildcard_crt)
self.assertSlaveBase(
'zspecific', hostname='zspecific.alias1')
result_wildcard = fakeHTTPSResult(
'other.alias1.example.com',
'test-path',
headers={
'Timeout': '10', # more than default backend-connect-timeout == 5
'Accept-Encoding': 'gzip',
}
)
self.assertEqual(self.certificate_pem, result_wildcard.certificate)
self.assertEqualResultJson(result_wildcard, 'Path', '/wildcard/test-path')
'02wildcard', hostname='*.alias1')
uploadCertificate(wildcard_alias1_key, wildcard_alias1_crt)
self.assertSlaveBase(
'03zspecific', hostname='zspecific')
uploadCertificate(zspecific_key, zspecific_crt)
self.assertSlaveBase(
'04zspecific', hostname='zspecific.alias1')
uploadCertificate(zspecific_alias1_key, zspecific_alias1_crt)
self.runKedifaUpdater()
result_specific = fakeHTTPSResult(
'zspecific.alias1.example.com',
'test-path',
headers={
'Timeout': '10', # more than default backend-connect-timeout == 5
'Accept-Encoding': 'gzip',
}
)
self.assertEqual(self.certificate_pem, result_specific.certificate)
self.assertEqualResultJson(result_specific, 'Path', '/zspecific/test-path')
def assertResult(hostname, path, certificate):
result_wildcard = fakeHTTPSResult(
hostname,
'test-path',
)
self.assertEqual(certificate, result_wildcard.certificate)
self.assertEqualResultJson(
result_wildcard, 'Path', '/%s/test-path' % (path,))
assertResult('www.example.com', '01wildcard', wildcard_crt)
assertResult('www.alias1.example.com', '02wildcard', wildcard_alias1_crt)
assertResult('zspecific.example.com', '03zspecific', zspecific_crt)
assertResult(
'zspecific.alias1.example.com', '04zspecific', zspecific_alias1_crt)
class TestPassedRequestParameter(HttpFrontendTestCase):
......
......@@ -14,19 +14,6 @@
"slap_software_release_url": "@@00getSoftwareURL@@",
"slap_software_type": "RootSoftwareInstance",
"slave_instance_list": [
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-disabled",
"slave_title": "_health-check-disabled",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"health-check": true,
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-default",
"slave_title": "_health-check-default",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"health-check": true,
"health-check-http-method": "CONNECT",
......@@ -49,6 +36,19 @@
"slave_title": "_health-check-custom",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"health-check": true,
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-default",
"slave_title": "_health-check-default",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-disabled",
"slave_title": "_health-check-disabled",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"enable_cache": true,
"health-check": true,
......@@ -66,32 +66,32 @@
},
{
"health-check": true,
"health-check-failover-https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-https-url?a=b&c=",
"health-check-failover-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-url?a=b&c=",
"health-check-failover-url-netloc-list": "@@_ipv4_address@@:@@_server_netloc_a_http_port@@ @@_ipv4_address@@:@@_server_netloc_b_http_port@@",
"health-check-http-path": "/health-check-failover-url",
"health-check-authenticate-to-failover-backend": true,
"health-check-failover-https-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-https-url?a=b&c=",
"health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-url?a=b&c=",
"health-check-http-path": "/health-check-failover-url-auth-to-backend",
"health-check-interval": 1,
"health-check-timeout": 1,
"https-only": false,
"https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/https-url",
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-failover-url-netloc-list",
"slave_title": "_health-check-failover-url-netloc-list",
"slave_reference": "_health-check-failover-url-auth-to-backend",
"slave_title": "_health-check-failover-url-auth-to-backend",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/url"
},
{
"health-check": true,
"health-check-authenticate-to-failover-backend": true,
"health-check-failover-https-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-https-url?a=b&c=",
"health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-url?a=b&c=",
"health-check-http-path": "/health-check-failover-url-auth-to-backend",
"health-check-failover-https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-https-url?a=b&c=",
"health-check-failover-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-url?a=b&c=",
"health-check-failover-url-netloc-list": "@@_ipv4_address@@:@@_server_netloc_a_http_port@@ @@_ipv4_address@@:@@_server_netloc_b_http_port@@",
"health-check-http-path": "/health-check-failover-url",
"health-check-interval": 1,
"health-check-timeout": 1,
"https-only": false,
"https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/https-url",
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-failover-url-auth-to-backend",
"slave_title": "_health-check-failover-url-auth-to-backend",
"slave_reference": "_health-check-failover-url-netloc-list",
"slave_title": "_health-check-failover-url-netloc-list",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/url"
},
{
......@@ -109,27 +109,27 @@
},
{
"health-check": true,
"health-check-failover-ssl-proxy-ca-crt": "@@another_server_ca.certificate_pem@@",
"health-check-failover-ssl-proxy-verify": true,
"health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_port@@/",
"health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-unverified",
"health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-missing",
"health-check-interval": 1,
"health-check-timeout": 1,
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-failover-url-ssl-proxy-verify-unverified",
"slave_title": "_health-check-failover-url-ssl-proxy-verify-unverified",
"slave_reference": "_health-check-failover-url-ssl-proxy-verify-missing",
"slave_title": "_health-check-failover-url-ssl-proxy-verify-missing",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"health-check": true,
"health-check-failover-ssl-proxy-ca-crt": "@@another_server_ca.certificate_pem@@",
"health-check-failover-ssl-proxy-verify": true,
"health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_port@@/",
"health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-missing",
"health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-unverified",
"health-check-interval": 1,
"health-check-timeout": 1,
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_health-check-failover-url-ssl-proxy-verify-missing",
"slave_title": "_health-check-failover-url-ssl-proxy-verify-missing",
"slave_reference": "_health-check-failover-url-ssl-proxy-verify-unverified",
"slave_title": "_health-check-failover-url-ssl-proxy-verify-unverified",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
}
],
......
......@@ -14,19 +14,35 @@
"slap_software_release_url": "@@00getSoftwareURL@@",
"slap_software_type": "RootSoftwareInstance",
"slave_instance_list": [
{
"custom_domain": "*.example.com",
"server-alias": "example.com",
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_01wildcard",
"slave_title": "_01wildcard",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard"
},
{
"custom_domain": "*.alias1.example.com",
"server-alias": "alias1.example.com",
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_02wildcard",
"slave_title": "_02wildcard",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard"
},
{
"custom_domain": "zspecific.example.com",
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_wildcard",
"slave_title": "_wildcard",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/wildcard"
"slave_reference": "_03zspecific",
"slave_title": "_03zspecific",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific"
},
{
"custom_domain": "zspecific.alias1.example.com",
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_zspecific",
"slave_title": "_zspecific",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/zspecific"
"slave_reference": "_04zspecific",
"slave_title": "_04zspecific",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific"
}
],
"timestamp": "@@TIMESTAMP@@"
......@@ -41,15 +57,27 @@
"monitor-password": "@@monitor-password@@",
"monitor-username": "admin",
"slave-list": [
{
"custom_domain": "*.example.com",
"server-alias": "example.com",
"slave_reference": "_01wildcard",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard"
},
{
"custom_domain": "*.alias1.example.com",
"slave_reference": "_wildcard",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/wildcard"
"server-alias": "alias1.example.com",
"slave_reference": "_02wildcard",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard"
},
{
"custom_domain": "zspecific.example.com",
"slave_reference": "_03zspecific",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific"
},
{
"custom_domain": "zspecific.alias1.example.com",
"slave_reference": "_zspecific",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/zspecific"
"slave_reference": "_04zspecific",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific"
}
]
},
......@@ -69,7 +97,7 @@
"cluster-identification": "testing partition 0",
"domain": "example.com",
"enable-http3": "false",
"extra_slave_instance_list": "[{\"custom_domain\": \"*.alias1.example.com\", \"slave_reference\": \"_wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/wildcard\"}, {\"custom_domain\": \"zspecific.alias1.example.com\", \"slave_reference\": \"_zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/zspecific\"}]",
"extra_slave_instance_list": "[{\"custom_domain\": \"*.example.com\", \"server-alias\": \"example.com\", \"slave_reference\": \"_01wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard\"}, {\"custom_domain\": \"*.alias1.example.com\", \"server-alias\": \"alias1.example.com\", \"slave_reference\": \"_02wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard\"}, {\"custom_domain\": \"zspecific.example.com\", \"slave_reference\": \"_03zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific\"}, {\"custom_domain\": \"zspecific.alias1.example.com\", \"slave_reference\": \"_04zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific\"}]",
"frontend-name": "caddy-frontend-1",
"http3-port": "443",
"kedifa-caucase-url": "http://[@@_ipv6_address@@]:15090",
......@@ -81,7 +109,7 @@
"plain_http_port": "11080",
"port": "11443",
"request-timeout": "12",
"slave-kedifa-information": "{\"_wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@/@@wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@?auth=\"}, \"_zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@/@@wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@?auth=\"}}"
"slave-kedifa-information": "{\"_01wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@?auth=\"}, \"_02wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@?auth=\"}, \"_03zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@?auth=\"}, \"_04zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@?auth=\"}}"
},
"full_address_list": [],
"instance_title": "caddy-frontend-1",
......
......@@ -8,12 +8,18 @@ T-1/var/log/monitor-httpd-error.log
T-2/var/log/backend-haproxy.log
T-2/var/log/expose-csr.log
T-2/var/log/frontend-haproxy.log
T-2/var/log/httpd/_wildcard_access_log
T-2/var/log/httpd/_wildcard_backend_log
T-2/var/log/httpd/_wildcard_frontend_log
T-2/var/log/httpd/_zspecific_access_log
T-2/var/log/httpd/_zspecific_backend_log
T-2/var/log/httpd/_zspecific_frontend_log
T-2/var/log/httpd/_01wildcard_access_log
T-2/var/log/httpd/_01wildcard_backend_log
T-2/var/log/httpd/_01wildcard_frontend_log
T-2/var/log/httpd/_02wildcard_access_log
T-2/var/log/httpd/_02wildcard_backend_log
T-2/var/log/httpd/_02wildcard_frontend_log
T-2/var/log/httpd/_03zspecific_access_log
T-2/var/log/httpd/_03zspecific_backend_log
T-2/var/log/httpd/_03zspecific_frontend_log
T-2/var/log/httpd/_04zspecific_access_log
T-2/var/log/httpd/_04zspecific_backend_log
T-2/var/log/httpd/_04zspecific_frontend_log
T-2/var/log/monitor-httpd-access.log
T-2/var/log/monitor-httpd-error.log
T-2/var/log/slave-introspection-access.log
......
......@@ -15,35 +15,6 @@
"slap_software_release_url": "@@00getSoftwareURL@@",
"slap_software_type": "RootSoftwareInstance",
"slave_instance_list": [
{
"enable_cache": true,
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_master",
"slave_title": "_ssl_from_master",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_master_kedifa_overrides",
"slave_title": "_ssl_from_master_kedifa_overrides",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_slave",
"slave_title": "_ssl_from_slave",
"ssl_crt": "@@ssl_from_slave_certificate_pem@@",
"ssl_key": "@@ssl_from_slave_key_pem@@",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_slave_kedifa_overrides",
"slave_title": "_ssl_from_slave_kedifa_overrides",
"ssl_crt": "@@ssl_from_slave_kedifa_overrides_certificate_pem@@",
"ssl_key": "@@ssl_from_slave_kedifa_overrides_key_pem@@",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"custom_domain": "customdomainsslcrtsslkey.example.com",
"slap_software_type": "RootSoftwareInstance",
......@@ -63,6 +34,15 @@
"ssl_key": "@@customdomain_ca_key_pem@@",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_ca_crt_does_not_match",
"slave_title": "_ssl_ca_crt_does_not_match",
"ssl_ca_crt": "@@ca.certificate_pem@@",
"ssl_crt": "@@certificate_pem@@",
"ssl_key": "@@key_pem@@",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_ca_crt_garbage",
......@@ -73,12 +53,32 @@
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"enable_cache": true,
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_ca_crt_does_not_match",
"slave_title": "_ssl_ca_crt_does_not_match",
"ssl_ca_crt": "@@ca.certificate_pem@@",
"ssl_crt": "@@certificate_pem@@",
"ssl_key": "@@key_pem@@",
"slave_reference": "_ssl_from_master",
"slave_title": "_ssl_from_master",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_master_kedifa_overrides",
"slave_title": "_ssl_from_master_kedifa_overrides",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_slave",
"slave_title": "_ssl_from_slave",
"ssl_crt": "@@ssl_from_slave_certificate_pem@@",
"ssl_key": "@@ssl_from_slave_key_pem@@",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_ssl_from_slave_kedifa_overrides",
"slave_title": "_ssl_from_slave_kedifa_overrides",
"ssl_crt": "@@ssl_from_slave_kedifa_overrides_certificate_pem@@",
"ssl_key": "@@ssl_from_slave_kedifa_overrides_key_pem@@",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
......@@ -90,17 +90,17 @@
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_type-notebook-ssl_from_slave",
"slave_title": "_type-notebook-ssl_from_slave",
"ssl_crt": "@@type_notebook_ssl_from_slave_certificate_pem@@",
"ssl_key": "@@type_notebook_ssl_from_slave_key_pem@@",
"slave_reference": "_type-notebook-ssl_from_master_kedifa_overrides",
"slave_title": "_type-notebook-ssl_from_master_kedifa_overrides",
"type": "notebook",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
{
"slap_software_type": "RootSoftwareInstance",
"slave_reference": "_type-notebook-ssl_from_master_kedifa_overrides",
"slave_title": "_type-notebook-ssl_from_master_kedifa_overrides",
"slave_reference": "_type-notebook-ssl_from_slave",
"slave_title": "_type-notebook-ssl_from_slave",
"ssl_crt": "@@type_notebook_ssl_from_slave_certificate_pem@@",
"ssl_key": "@@type_notebook_ssl_from_slave_key_pem@@",
"type": "notebook",
"url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
},
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment