An error occurred fetching the project authors.
- 31 May, 2019 1 commit
-
-
Łukasz Nowak authored
Order of files does not matter for the assertion.
-
- 30 May, 2019 4 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
It's interesting what appears in cron entries, as they are important for proper partition usage.
-
Łukasz Nowak authored
Always work from the slave_dir path for extensibility and allow no ignore paths if caller does not need to ignore anything.
-
Łukasz Nowak authored
Ignore path's shall be relative to checked directory.
-
- 28 May, 2019 4 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Some arguments needs Caddy process restart, so implement it with hash-files and also inform the master partition requester about parameters which will result with process restart.
-
Łukasz Nowak authored
Kedifa partition was missing monitoring at all, so add it and monitor kedifa and exposer ip and port. Partition running caddy was missing monitoring for exposer, so add it.
-
- 15 May, 2019 1 commit
-
-
Łukasz Nowak authored
Buildout's kedifa updater just prepares, and so real one has to be run.
-
- 08 May, 2019 2 commits
-
-
Łukasz Nowak authored
It is needed by users to check certificate of KeDiFa while uploading certificates.
-
Łukasz Nowak authored
Each time new slave appears the kedifa-updater has to be run immediately, in order for certificates to be properly setup. Otherwise caddy can be left in non-runnable state until next kedifa-updater would run again.
-
- 26 Apr, 2019 2 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Since caddy 1.0.0 it is less fragile for PEMs with some garbage, and can serve sites in such cases. It revealed, that test was wrongly written, as now the certificate can be a bit messy, and will be lodaded, but then won't be used, as it does not match the site.
-
- 23 Apr, 2019 2 commits
-
-
Łukasz Nowak authored
By default whole slave makes websocket connection to the backend. With websocket-path, only the path has websocket style connections, the rest is standard HTTP.
-
Łukasz Nowak authored
There is no need anymore to have two processes for normal and nginx slaves, as nginx ones are served by caddy anyway. Also inform the requester that type:eventsource is not implemented.
-
- 19 Apr, 2019 1 commit
-
-
Łukasz Nowak authored
-
- 16 Apr, 2019 1 commit
-
-
Łukasz Nowak authored
Instance to check custom configuration protection was removed, so follow this in master partition assertion.
-
- 15 Apr, 2019 1 commit
-
-
Łukasz Nowak authored
This reverts commit 7993ff81. Custom configuration checks are hard to be trusted, as they can impact too many aspects of running frontend. Frontend administrator knows the risks of custom configuration, and shall take proper care. /reviewed-on nexedi/slapos!543
-
- 12 Apr, 2019 6 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
ATS cache fillup is uncontrollable during test run.
-
Łukasz Nowak authored
Instead of complex architecture in the profiles, reuse kedifa-updater capability to do backward compatibility certificate management thanks to its fall-back mechanism. kedifa-updater uses state file to know, if it ever succeed to download certificate from KeDiFa, and so it really makes it that pushing at least once certificate to KeDiFa, even if it is sometimes unresponsive, will switch to it. Fallback certificate is used, thus each slave listens immediately on HTTP and HTTPS. Thanks to this, asynchronous updates do not need to communicate with slapos node instance, and slapos node instance does not care about the certificates anymore.
-
Łukasz Nowak authored
Instead of fetching certificates on each slapos node instance use new kedifa-updater, which is a tool to asynchronously fetch certificates and has a hook to reload the server in case if new certificate is available. custom_ssl_directory is NOT BBB
-
Łukasz Nowak authored
This mostly useful during tests to have stable results, especially when some slaves are rejected. This change is expected to be no-op during normal run. Note: The slave rejection system does not guarantee any ordering, as the sort order can change, because of parameters can reorder slaves. Thus, even if slave A was requested before slave B, and they conflict each other, slave A can be rejected instead of "expected" slave B.
-
Łukasz Nowak authored
-
- 05 Apr, 2019 3 commits
-
-
Łukasz Nowak authored
--force with --check-anomaly makes monitor.runpromise execute the promise unconditionally, even for testless ones.
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
- 26 Mar, 2019 3 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
Łukasz Nowak authored
-
- 22 Mar, 2019 1 commit
-
-
Jérome Perrin authored
in apache frontend, we have been using: ``` LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined ``` The %l is (from mod_log_config docs): Remote logname (from identd, if supplied). This will return a dash unless mod_ident is present and IdentityCheck is set On. In the case of apache frontend, it was always a - . This is missing in caddy frontend and our existing log processing tools (apachedex) cannot be used on frontend logs since we switched to Caddy. /reviewed-on nexedi/slapos!530
-
- 21 Mar, 2019 3 commits
-
-
Łukasz Nowak authored
dict in headers is smallcase, so it was never working in reality.
-
Łukasz Nowak authored
Added assertion which proves that the ATS is serving stale content in case if the backend does not work, according to RFC5861. It is beleived that stale-while-revalidate will work the same way, but it is much harder to test, thus it is not done directly.
-
Łukasz Nowak authored
Adapted configuration and instantiation to ATS 7. Deployment: * traffic_line has been replaced with traffic_ctl * access log, of squid style, is ascii instead of binary, to do so logging.config is generated * ip_allow.config is configured to allow access from any host * RFC 5861 (stale content on error or revalidate) is implemented with core instead with deprecated plugin * trafficserver-autoconf-port renamed to trafficserver-synthetic-port * proxy.config.system.mmap_max removed, as it is not used by the system anymore Tests: * As Via header is not returned to the client, it is dropped from the tests, instead its existence in the backend is checked. * Promise plugin trafficserver-cache-availability.py is re enabled, as it is expected to work immediately.
-
- 13 Mar, 2019 3 commits
-
-
Łukasz Nowak authored
It is better to have automation similar to previous implementation by default.
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Use KeDiFa to store keys, and transmit the url to the requester for master and slave partitions. Download keys on the slave partitions level. Use caucase to fetch main caucase CA. kedifa-caucase-url is published in order to have access to it. Note: caucase is prepended with kedifa, as this is that one. Use kedifa-csr tool to generate CSR and use caucase-updater macro. Switch to KeDiFa with SSL Auth and updated goodies. KeDiFa endpoint URLs are randomised. Only one (first) user certificate is going to be automatically accepted. This one shall be operated by the cluster owner, the requester of frontend master partition. Then he will be able to sign certificates for other users and also for services - so each node in the cluster. Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line is used for one command generation of extensions in the certificate. Note: We could upgrade to openssl 1.1.1 in order to have it really simplified (see https://security.stackexchange.com/a/183973 ) Improve CSR readability by creating cluster-identification, which is master partition title, and use it as Organization of the CSR. Reserve slots for data exchange in KeDiFa.
-
- 11 Mar, 2019 1 commit
-
-
Łukasz Nowak authored
As the test runs in erp5.util.testnode, which has some ports reserved, and they collide with default ports of caddy-frontend services, select ports for those services, and leave out default for monitor, as test expects.
-
- 07 Mar, 2019 1 commit
-
-
Łukasz Nowak authored
Use safe JSON serialisation/deserialisation, as otherwise unusual slave_references can lead to issues and also character case is not kept. Also care about case of log access user, which was undetected since slave_reference in tests were always lowercase.
-