Commit 23428ecc authored by Cédric Le Ninivin's avatar Cédric Le Ninivin

apache-frontend: New Release, Merge from master into 1.0

- Update security settings
- httpd after cache now uses virtualhost (all configuration in RAM now)
- Add option to strip via headers from cache
- Add option to verify backend Certificates
- Add option to provide Backend CA Certificate
parents 9b18d75f 82406584
...@@ -10,9 +10,10 @@ parts = ...@@ -10,9 +10,10 @@ parts =
[glib] [glib]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/glib-2.42.1.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/glib-2.44.1.tar.xz
md5sum = 89c4119e50e767d3532158605ee9121a md5sum = 83efba4722a9674b97437d1d99af79db
configure-options = configure-options =
--with-python=${python2.7:location}/bin/python2.7
--disable-static --disable-static
--disable-selinux --disable-selinux
--disable-fam --disable-fam
......
...@@ -11,8 +11,8 @@ parts = ...@@ -11,8 +11,8 @@ parts =
[glibmm] [glibmm]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/glibmm-2.42.0.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/glibmm-2.44.0.tar.xz
md5sum = 7c52cc42085d30ac3b73d74c3f2eb22e md5sum = 32ee4150b436d097fe2506d0b0b13a75
pkg_config_depends = ${glib:location}/lib/pkgconfig:${libsigc:location}/lib/pkgconfig pkg_config_depends = ${glib:location}/lib/pkgconfig:${libsigc:location}/lib/pkgconfig
configure-options = configure-options =
--disable-documentation --disable-documentation
......
...@@ -80,8 +80,8 @@ environment = ...@@ -80,8 +80,8 @@ environment =
[gdk-pixbuf] [gdk-pixbuf]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/gdk-pixbuf-2.31.1.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/gdk-pixbuf-2.31.4.tar.xz
md5sum = 74cde211f5b7ac1015d1a7c9feee037c md5sum = b4ce8f0d7548cb8cbdcb833e1c4d095e
pkg_config_depends = ${glib:location}/lib/pkgconfig:${libX11:location}/lib/pkgconfig:${libX11:pkg_config_depends} pkg_config_depends = ${glib:location}/lib/pkgconfig:${libX11:location}/lib/pkgconfig:${libX11:pkg_config_depends}
configure-options = configure-options =
--disable-static --disable-static
...@@ -97,8 +97,11 @@ environment = ...@@ -97,8 +97,11 @@ environment =
[atk] [atk]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/atk-2.14.0.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/atk-2.16.0.tar.xz
md5sum = ecb7ca8469a5650581b1227d78051b8b md5sum = c7c5002bd6e58b4723a165f1bf312116
configure-options =
--with-python=${python2.7:location}/bin/python2.7
--disable-gtk-doc-html
environment = environment =
PATH=${glib:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s PATH=${glib:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s
PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig
...@@ -107,8 +110,8 @@ environment = ...@@ -107,8 +110,8 @@ environment =
[gtk-2] [gtk-2]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/gtk+-2.24.25.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/gtk+-2.24.28.tar.xz
md5sum = 612350704dd3aacb95355a4981930c6f md5sum = bfacf87b2ea67e4e5c7866a9003e6526
pkg_config_depends = ${pango:location}/lib/pkgconfig:${pango:pkg_config_depends}:${atk:location}/lib/pkgconfig:${gdk-pixbuf:location}/lib/pkgconfig pkg_config_depends = ${pango:location}/lib/pkgconfig:${pango:pkg_config_depends}:${atk:location}/lib/pkgconfig:${gdk-pixbuf:location}/lib/pkgconfig
configure-options = configure-options =
--disable-static --disable-static
......
...@@ -28,8 +28,8 @@ environment = ...@@ -28,8 +28,8 @@ environment =
[pangomm] [pangomm]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.12/3.12.2/sources/pangomm-2.34.0.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/pangomm-2.36.0.tar.xz
md5sum = 2c702caede167323c9ed9eed2b933098 md5sum = 62910723211d86ab825b666b479871c9
pkg_config_depends = ${pango:location}/lib/pkgconfig:${pango:pkg_config_depends}:${glibmm:location}/lib/pkgconfig:${glibmm:pkg_config_depends}:${cairomm:location}/lib/pkgconfig pkg_config_depends = ${pango:location}/lib/pkgconfig:${pango:pkg_config_depends}:${glibmm:location}/lib/pkgconfig:${glibmm:pkg_config_depends}:${cairomm:location}/lib/pkgconfig
configure-options = configure-options =
--disable-static --disable-static
......
...@@ -21,8 +21,8 @@ environment = ...@@ -21,8 +21,8 @@ environment =
[librsvg] [librsvg]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/librsvg-2.40.5.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/librsvg-2.40.9.tar.xz
md5sum = c2b044fccf415902a052d0e978e0ea60 md5sum = 31df15e3beaa8fbbf538ca3c52b400d2
pkg_config_depends = ${pango:location}/lib/pkgconfig:${pango:pkg_config_depends}:${zlib:location}/lib/pkgconfig:${gdk-pixbuf:location}/lib/pkgconfig:${libcroco:location}/lib/pkgconfig pkg_config_depends = ${pango:location}/lib/pkgconfig:${pango:pkg_config_depends}:${zlib:location}/lib/pkgconfig:${gdk-pixbuf:location}/lib/pkgconfig:${libcroco:location}/lib/pkgconfig
configure-options = configure-options =
--disable-static --disable-static
......
...@@ -9,8 +9,8 @@ parts = ...@@ -9,8 +9,8 @@ parts =
[libsigc] [libsigc]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
url = http://ftp.gnome.org/pub/gnome/core/3.14/3.14.2/sources/libsigc++-2.4.0.tar.xz url = http://ftp.gnome.org/pub/gnome/core/3.16/3.16.2/sources/libsigc++-2.4.1.tar.xz
md5sum = c6cd2259f5ef973e4c8178d0abbdbfa7 md5sum = 55945ba6e1652f89999e910f6b52047c
configure-options = configure-options =
--disable-documentation --disable-documentation
environment = environment =
......
...@@ -20,9 +20,9 @@ parts = ...@@ -20,9 +20,9 @@ parts =
[mariadb] [mariadb]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
version = 10.0.19 version = 10.0.20
url = https://downloads.mariadb.org/f/mariadb-${:version}/source/mariadb-${:version}.tar.gz/from/http:/ftp.osuosl.org/pub/mariadb url = https://downloads.mariadb.org/f/mariadb-${:version}/source/mariadb-${:version}.tar.gz/from/http:/ftp.osuosl.org/pub/mariadb
md5sum = aeaf101c688515dc8f73a5250e6c1df9 md5sum = 59d6c00827ad56f2ac76340fece32fc0
patch-options = -p0 patch-options = -p0
patches = patches =
${:_profile_base_location_}/mariadb_10.0.8_create_system_tables__no_test.patch#a176d491cf45fccd53ee397c70393bc4 ${:_profile_base_location_}/mariadb_10.0.8_create_system_tables__no_test.patch#a176d491cf45fccd53ee397c70393bc4
......
...@@ -65,7 +65,7 @@ mode = 0644 ...@@ -65,7 +65,7 @@ mode = 0644
[template-apache-frontend] [template-apache-frontend]
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-apache-frontend.cfg url = ${:_profile_base_location_}/instance-apache-frontend.cfg
md5sum = cd5a385c44d56b4d13392eba4e938969 md5sum = f65456f704a32c43822b1efefc7ae4b7
output = ${buildout:directory}/template-apache-frontend.cfg output = ${buildout:directory}/template-apache-frontend.cfg
mode = 0644 mode = 0644
...@@ -78,7 +78,7 @@ mode = 0644 ...@@ -78,7 +78,7 @@ mode = 0644
[template-slave-list] [template-slave-list]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/apache-custom-slave-list.cfg.in url = ${:_profile_base_location_}/templates/apache-custom-slave-list.cfg.in
md5sum = 1fe76dde85c488e94baf8510775ebcaf md5sum = 588cbae0ac6fdb65ae97d1c90c8d53cf
mode = 640 mode = 640
[template-slave-configuration] [template-slave-configuration]
...@@ -102,7 +102,7 @@ mode = 640 ...@@ -102,7 +102,7 @@ mode = 640
[template-apache-cached-configuration] [template-apache-cached-configuration]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/apache_cached.conf.in url = ${:_profile_base_location_}/templates/apache_cached.conf.in
md5sum = 0c4393db80670daf18b432b7f07383e9 md5sum = a1c744e48b465a63c2d6f0f384466013
mode = 640 mode = 640
[template-rewrite-cached] [template-rewrite-cached]
...@@ -127,13 +127,19 @@ mode = 640 ...@@ -127,13 +127,19 @@ mode = 640
[template-default-virtualhost] [template-default-virtualhost]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/000.conf.in url = ${:_profile_base_location_}/templates/000.conf.in
md5sum = ed1b680e31e30596bf051682ec0270b4 md5sum = d98a01182f38868612948c87d5231428
mode = 640 mode = 640
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in
md5sum = 5463dd67f1b1bea0bee57a421e371dd0 md5sum = aed0077ee82aaa7fbd2b7e84ce5fbd69
mode = 640
[template-cached-slave-virtualhost]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/cached-virtualhost.conf.in
md5sum = b1fd5f2b94f026ccca5ff47167015f23
mode = 640 mode = 640
[template-log-access] [template-log-access]
......
...@@ -159,6 +159,8 @@ filename = custom-personal-instance-slave-list.cfg ...@@ -159,6 +159,8 @@ filename = custom-personal-instance-slave-list.cfg
extensions = jinja2.ext.do extensions = jinja2.ext.do
extra-context = extra-context =
key apache_configuration_directory apache-directory:slave-configuration key apache_configuration_directory apache-directory:slave-configuration
key apache_cached_configuration_directory apache-directory:slave-with-cache-configuration
key cached_port apache-configuration:cache-through-port
key http_port instance-parameter:configuration.plain_http_port key http_port instance-parameter:configuration.plain_http_port
key https_port instance-parameter:configuration.port key https_port instance-parameter:configuration.port
key public_ipv4 instance-parameter:configuration.public-ipv4 key public_ipv4 instance-parameter:configuration.public-ipv4
...@@ -172,7 +174,7 @@ extra-context = ...@@ -172,7 +174,7 @@ extra-context =
raw empty_template ${template-empty:target} raw empty_template ${template-empty:target}
raw template_custom_slave_configuration ${template-slave-configuration:target} raw template_custom_slave_configuration ${template-slave-configuration:target}
raw template_default_slave_configuration ${template-default-slave-virtualhost:target} raw template_default_slave_configuration ${template-default-slave-virtualhost:target}
raw template_rewrite_cached ${template-rewrite-cached:target} raw template_cached_slave_configuration ${template-cached-slave-virtualhost:target}
raw software_type single-custom-personal raw software_type single-custom-personal
section logrotate_dict logrotate section logrotate_dict logrotate
section frontend_configuration frontend-configuration section frontend_configuration frontend-configuration
...@@ -297,6 +299,7 @@ extra-context = ...@@ -297,6 +299,7 @@ extra-context =
key access_log apache-configuration:cache-access-log key access_log apache-configuration:cache-access-log
key error_log apache-configuration:cache-error-log key error_log apache-configuration:cache-error-log
key pid_file apache-configuration:cache-pid-file key pid_file apache-configuration:cache-pid-file
key slave_with_cache_configuration_directory apache-directory:slave-with-cache-configuration
key apachecachedmap_path apache-configuration:cached-rewrite-file key apachecachedmap_path apache-configuration:cached-rewrite-file
[apache-cached] [apache-cached]
...@@ -317,6 +320,7 @@ link-binary = ...@@ -317,6 +320,7 @@ link-binary =
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
document-root = $${directory:srv}/htdocs document-root = $${directory:srv}/htdocs
slave-configuration = $${directory:etc}/apache-slave-conf.d/ slave-configuration = $${directory:etc}/apache-slave-conf.d/
slave-with-cache-configuration = $${directory:etc}/apache-slave-with-cache-conf.d/
cache = $${directory:var}/cache cache = $${directory:var}/cache
mod-ssl = $${:cache}/httpd_mod_ssl mod-ssl = $${:cache}/httpd_mod_ssl
vh-ssl = $${:slave-configuration}/ssl vh-ssl = $${:slave-configuration}/ssl
......
...@@ -72,6 +72,21 @@ ...@@ -72,6 +72,21 @@
"enum": ["false", "true"] "enum": ["false", "true"]
}, },
"ssl-proxy-verify": {
"title": "Verify Backend Certificates",
"description": "If set to true, Backend Certificates are checked",
"type": "string",
"default": "false",
"enum": ["false", "true"]
},
"ssl_proxy_ca_crt": {
"title": "SSL Backend Authority's Certificate",
"description": "SSL Certificate Authority of the backen (to be used with ssl-proxy-verify)",
"type": "string",
"default": ""
},
"enable_cache": { "enable_cache": {
"title": "Enable Cache", "title": "Enable Cache",
"description": "If set to true, the cache is used", "description": "If set to true, the cache is used",
...@@ -88,6 +103,14 @@ ...@@ -88,6 +103,14 @@
"enum": ["false", "true"] "enum": ["false", "true"]
}, },
"disable-via-header": {
"title": "Disable 'Via' headers from cache",
"description": "If set to true, via headers will be disabled",
"type": "string",
"default": "false",
"enum": ["false", "true"]
},
"prefer-gzip-encoding-to-backend": { "prefer-gzip-encoding-to-backend": {
"title": "Prefer gzip Encoding for Backend", "title": "Prefer gzip Encoding for Backend",
"description": "If set to true, if a request is made with accept encoding 'gzip', only that one will be transferred to the backend", "description": "If set to true, if a request is made with accept encoding 'gzip', only that one will be transferred to the backend",
......
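Review bot: `ssl-proxy-verify` defaults to `"false"`, so backend certificates stay unchecked unless a slave opts in, and neither new description says so or states what form `ssl_proxy_ca_crt` must take. The slave-list template in this commit adds `ssl_proxy_ca_crt` to the certificate values it writes out to files, which suggests the value is PEM content rather than a path. The description could read `"PEM-encoded CA certificate used to verify the backend (only used when ssl-proxy-verify is true)"`, which also fixes the "backen" typo.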
...@@ -2,16 +2,15 @@ ...@@ -2,16 +2,15 @@
ServerName www.example.org ServerName www.example.org
SSLEngine on SSLEngine on
SSLProxyEngine on SSLProxyEngine on
SSLProtocol ALL -SSLv2 -SSLv3 SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# Rewrite part # Rewrite part
ProxyVia On
ProxyPreserveHost On ProxyPreserveHost On
ProxyTimeout 600 ProxyTimeout 600
RewriteEngine On RewriteEngine On
ErrorDocument 404 /notfound.html ErrorDocument 404 /notfound.html
</VirtualHost> </VirtualHost>
......
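Review bot: The new `SSLCipherSuite` string still lists 3DES suites explicitly (`ECDH+3DES:DH+3DES:RSA+3DES`) and ends in a bare `HIGH`, so the effective set depends on what the linked OpenSSL build classes as HIGH. `SSLProtocol all -SSLv2 -SSLv3` likewise leaves every TLS version the build supports enabled. If the 3DES and RSA key-exchange entries are kept for old clients, a comment above the line should say so, e.g. `# 3DES/RSA kept for legacy clients; revisit when they are gone`. The same two lines are pasted into apache_cached.conf.in and default-virtualhost.conf.in; passing the protocol and cipher strings in once through the template context would stop the three copies drifting apart.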
...@@ -12,7 +12,6 @@ ...@@ -12,7 +12,6 @@
{% endif -%} {% endif -%}
[jinja2-template-base] [jinja2-template-base]
recipe = slapos.recipe.template:jinja2 recipe = slapos.recipe.template:jinja2
rendered = {{ apache_configuration_directory }}/${:filename}
extra-context = extra-context =
context = context =
key eggs_directory buildout:eggs-directory key eggs_directory buildout:eggs-directory
...@@ -31,6 +30,7 @@ context = ...@@ -31,6 +30,7 @@ context =
{% set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%} {% set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%}
{% set slave_parameter_dict = generic_instance_parameter_dict.copy() -%} {% set slave_parameter_dict = generic_instance_parameter_dict.copy() -%}
{% set slave_publish_dict = {} -%} {% set slave_publish_dict = {} -%}
{% set slave_configuration_section_name = 'slave-instance-%s-configuration' % slave_reference %}
{% do part_list.append(slave_section_title) -%} {% do part_list.append(slave_section_title) -%}
############################ ############################
...@@ -98,7 +98,7 @@ command = {{frontend_configuration.get('apache-directory')}}/bin/htpasswd -cb ${ ...@@ -98,7 +98,7 @@ command = {{frontend_configuration.get('apache-directory')}}/bin/htpasswd -cb ${
#### Set Slave Certificates if needed #### Set Slave Certificates if needed
# Set ssl certificates for each slave # Set ssl certificates for each slave
{% for cert_name in ('ssl_key', 'ssl_crt', 'ssl_ca_crt', 'ssl_csr')-%} {% for cert_name in ('ssl_key', 'ssl_crt', 'ssl_ca_crt', 'ssl_csr', 'ssl_proxy_ca_crt')-%}
{% if cert_name in slave_instance -%} {% if cert_name in slave_instance -%}
{% set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) -%} {% set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) -%}
{% set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) -%} {% set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) -%}
...@@ -136,20 +136,24 @@ extra-context = ...@@ -136,20 +136,24 @@ extra-context =
raw http_port {{ http_port }} raw http_port {{ http_port }}
{{ '\n' }} {{ '\n' }}
# The slave use cache
{% if 'enable_cache' in slave_instance and 'url' in slave_instance and 'domain' in slave_instance -%}
{% do slave_instance.__setitem__('custom_domain', slapparameter_dict.get('domain')) -%}
{% do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%}
{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
{% endif -%}
# Set apache configuration value for slave # Set apache configuration value for slave
[{{ ('slave-instance-%s-configuration' % slave_reference) }}] [{{ slave_configuration_section_name }}]
{% set apache_custom_http = ((slave_instance.get('apache_custom_http', '')) % slave_parameter_dict) -%} {% set apache_custom_http = ((slave_instance.pop('apache_custom_http', '')) % slave_parameter_dict) -%}
{% set apache_custom_https = ((slave_instance.get('apache_custom_https', '')) % slave_parameter_dict) -%} {% set apache_custom_https = ((slave_instance.pop('apache_custom_https', '')) % slave_parameter_dict) -%}
apache_custom_http = {{ dumps(apache_custom_http) }} apache_custom_http = {{ dumps(apache_custom_http) }}
apache_custom_https = {{ dumps(apache_custom_https) }} apache_custom_https = {{ dumps(apache_custom_https) }}
{% for key, value in slave_instance.iteritems() -%}
{{ key }} = {{ dumps(value) }}
{% endfor %}
{{ '\n' }} {{ '\n' }}
# The slave use cache
{% if 'enable_cache' in slave_instance and 'url' in slave_instance and 'domain' in slave_instance -%}
{% do cached_server_dict.__setitem__(slave_instance.get('domain'), slave_instance.get('url')) -%}
{% endif -%}
# Publish information # Publish information
{% do slave_publish_dict.update(**{'slave-reference':slave_instance.get('slave_reference'), 'public-ipv4':public_ipv4, 'log-access': slave_log_access_url}) %} {% do slave_publish_dict.update(**{'slave-reference':slave_instance.get('slave_reference'), 'public-ipv4':public_ipv4, 'log-access': slave_log_access_url}) %}
...@@ -163,15 +167,16 @@ apache_custom_https = {{ dumps(apache_custom_https) }} ...@@ -163,15 +167,16 @@ apache_custom_https = {{ dumps(apache_custom_https) }}
# The slave use cache # The slave use cache
# Next line is forbidden and people who copy it will be hanged short # Next line is forbidden and people who copy it will be hanged short
{% set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_instance.get('type', '') != 'redirect') -%} {% set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_instance.get('type', '') != 'redirect') -%}
{% if enable_cache -%} {% if enable_cache -%}
{% do cached_server_dict.__setitem__(slave_instance.get('custom_domain'), slave_instance.get('url')) -%} {% do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%}
{% do slave_instance.__setitem__('url', cache_access) -%} {% do slave_instance.__setitem__('url', cache_access) -%}
{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
{% endif -%} {% endif -%}
{% do part_list.append(slave_section_title) -%} {% do part_list.append(slave_section_title) -%}
[{{ ('slave-instance-%s-configuration' % slave_reference) }}] [{{ slave_configuration_section_name }}]
{% for key, value in slave_instance.iteritems() -%} {% for key, value in slave_instance.iteritems() -%}
{{ key }} = {{ dumps(value) }} {{ key }} = {{ dumps(value) }}
{% endfor %} {% endfor %}
...@@ -181,10 +186,10 @@ apache_custom_https = {{ dumps(apache_custom_https) }} ...@@ -181,10 +186,10 @@ apache_custom_https = {{ dumps(apache_custom_https) }}
< = jinja2-template-base < = jinja2-template-base
template = {{ template_default_slave_configuration }} template = {{ template_default_slave_configuration }}
filename = {{ '%s.conf' % slave_reference }} filename = {{ '%s.conf' % slave_reference }}
rendered = {{ apache_configuration_directory }}/${:filename}
extensions = jinja2.ext.do extensions = jinja2.ext.do
extra-context = extra-context =
section slave_parameter {{ 'slave-instance-%s-configuration' % slave_reference }} section slave_parameter {{ slave_configuration_section_name }}
raw https_port {{ https_port }} raw https_port {{ https_port }}
raw http_port {{ http_port }} raw http_port {{ http_port }}
{{ '\n' }} {{ '\n' }}
...@@ -193,6 +198,25 @@ extra-context = ...@@ -193,6 +198,25 @@ extra-context =
{% endif -%} {% endif -%}
############################
### Prepare virtualhost for slaves using cache
{% for slave_reference, slave_configuration_section_name in cached_server_dict.iteritems() %}
{% set cached_slave_configuration_section_title = '%s-cached-virtualhost' % slave_reference %}
{% do part_list.append(cached_slave_configuration_section_title) -%}
[{{ cached_slave_configuration_section_title }}]
< = jinja2-template-base
template = {{ template_cached_slave_configuration }}
filename = {{ '%s.conf' % slave_reference }}
rendered = {{ apache_cached_configuration_directory }}/${:filename}
extensions = jinja2.ext.do
extra-context =
section slave_parameter {{ slave_configuration_section_name }}
raw cached_port {{ cached_port }}
{{ '\n' }}
{% endfor %}
############################ ############################
#### Publish Slave Information #### Publish Slave Information
...@@ -239,18 +263,6 @@ slave-instance-information-list = {{ json_module.dumps(slave_instance_informatio ...@@ -239,18 +263,6 @@ slave-instance-information-list = {{ json_module.dumps(slave_instance_informatio
{% endif -%} {% endif -%}
monitor_url = {{ monitor_url }} monitor_url = {{ monitor_url }}
{% do part_list.append('cached-rewrite-rules') -%}
[cached-rewrite-rules]
< = jinja2-template-base
template = {{ template_rewrite_cached }}
rendered = {{ rewrite_cached_configuration }}
extra-context =
import json_module json
key server_dict rewrite-rules:rules
[rewrite-rules]
rules = {{ dumps(cached_server_dict) }}
[buildout] [buildout]
parts += parts +=
{% for part in part_list -%} {% for part in part_list -%}
......
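Review bot: In the custom-slave branch `custom_domain` is set from `slapparameter_dict.get('domain')`, although the guard on the line above tests `'domain' in slave_instance` and the removed code keyed the cache map on `slave_instance.get('domain')`. This looks like it should be `{% do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) -%}`. If `slapparameter_dict` holds the frontend's own parameters (not visible in this hunk), every cached custom slave would render the same `ServerName` in cached-virtualhost.conf.in. Name-based matching would then send all of them to whichever vhost is loaded first, which is another tenant's backend.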
...@@ -105,9 +105,10 @@ SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000) ...@@ -105,9 +105,10 @@ SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
SSLSessionCacheTimeout 300 SSLSessionCacheTimeout 300
SSLRandomSeed startup /dev/urandom 256 SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin SSLRandomSeed connect builtin
SSLProtocol -ALL +SSLv3 +TLSv1 SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLCipherSuite RC4-SHA:HIGH:!ADH SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</FilesMatch> </FilesMatch>
...@@ -115,19 +116,10 @@ SSLCipherSuite RC4-SHA:HIGH:!ADH ...@@ -115,19 +116,10 @@ SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLProxyCheckPeerCN off SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off SSLProxyCheckPeerExpire off
# Only accept generic (i.e not Zope) backends on http NameVirtualHost *:{{ cached_port }}
<VirtualHost *:{{ cached_port }}>
SSLProxyEngine on include {{ slave_with_cache_configuration_directory }}/*.conf
# Rewrite part
ProxyVia On ErrorDocument 404 /notfound.html
ProxyPreserveHost On RewriteRule (.*) /notfound.html [R=404,L]
ProxyTimeout 600
RewriteEngine On
RewriteMap apachemapcached txt:{{ apachecachedmap_path }}
RewriteCond ${apachemapcached:%{SERVER_NAME}} >""
RewriteRule ^/(.*)$ ${apachemapcached:%{SERVER_NAME}}/$1 [L,P]
# If nothing exist : put a nice error
ErrorDocument 404 /notfound.html
</VirtualHost>
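Review bot: The 404 fallback added at server level (`ErrorDocument 404 /notfound.html` and `RewriteRule (.*) /notfound.html [R=404,L]`) is unlikely to be reached for requests on `cached_port` once at least one slave file is included. With name-based virtual hosts on `*:{{ cached_port }}`, a request whose Host matches no `ServerName` is served by the first vhost in load order, and server-level rewrite rules are not inherited by vhosts by default. An unknown Host would therefore be proxied to the backend of the first included slave instead of getting the 404. No `RewriteEngine On` is visible next to the new rule either; the rest of the file is outside the hunk. Declaring an explicit default vhost before the include makes the fallback effective.

```apache
NameVirtualHost *:{{ cached_port }}
# Declared before the include so it is the default for this port:
# a Host that matches no slave ends here, not in the first slave vhost.
<VirtualHost *:{{ cached_port }}>
  ErrorDocument 404 /notfound.html
  RewriteEngine On
  RewriteRule (.*) /notfound.html [R=404,L]
</VirtualHost>
include {{ slave_with_cache_configuration_directory }}/*.conf
```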
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
# Only accept generic (i.e not Zope) backends on http
<VirtualHost *:{{ cached_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
SSLProxyEngine on
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
</VirtualHost>
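Review bot: The `ssl_proxy_verify` block enables `SSLProxyVerify require` but does not itself turn on backend name matching: `#SSLProxyCheckPeerCN on` is left commented out, and apache_cached.conf.in, which includes this file, shows `SSLProxyCheckPeerCN off` at server level. Unless the httpd default (`SSLProxyCheckPeerName`, 2.4.5 and later) applies and is not disabled elsewhere, a certificate issued by the configured CA for any name would be accepted for this backend. I would set `SSLProxyCheckPeerName on` (or `SSLProxyCheckPeerCN on` on older httpd) inside the `if`. The CA guard also tests `'ssl_proxy_ca_crt' in slave_parameter` while rendering `path_to_ssl_proxy_ca_crt` with an empty default, so the directive can come out with no argument; guard on the key that is rendered, e.g. `{% if slave_parameter.get('path_to_ssl_proxy_ca_crt') -%}`. The same block appears twice in default-virtualhost.conf.in.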
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{% set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%} {% set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%}
{% set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%}
{%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%} {%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%}
<VirtualHost *:{{ https_port }}> <VirtualHost *:{{ https_port }}>
...@@ -15,9 +16,18 @@ ...@@ -15,9 +16,18 @@
SSLEngine on SSLEngine on
SSLProxyEngine on SSLProxyEngine on
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
SSLProtocol all -SSLv2 -SSLv3 SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
{% set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'), {% set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
('SSLCertificateKeyFile', 'path_to_ssl_key'), ('SSLCertificateKeyFile', 'path_to_ssl_key'),
...@@ -38,9 +48,11 @@ ...@@ -38,9 +48,11 @@
CustomLog "{{ slave_parameter.get('access_log') }}" combined CustomLog "{{ slave_parameter.get('access_log') }}" combined
# Rewrite part # Rewrite part
ProxyVia On
ProxyPreserveHost On ProxyPreserveHost On
ProxyTimeout 600 ProxyTimeout 600
{% if disable_via_header %}
Header unset Via
{% endif -%}
RewriteEngine On RewriteEngine On
{% if disable_no_cache_header %} {% if disable_no_cache_header %}
...@@ -89,10 +101,21 @@ ...@@ -89,10 +101,21 @@
{% endif %} {% endif %}
SSLProxyEngine on SSLProxyEngine on
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part # Rewrite part
ProxyVia On
ProxyPreserveHost On ProxyPreserveHost On
ProxyTimeout 600 ProxyTimeout 600
{% if disable_via_header %}
Header unset Via
{% endif -%}
RewriteEngine On RewriteEngine On
# One Slave two logs # One Slave two logs
......
...@@ -53,13 +53,13 @@ output = ${buildout:directory}/instance.cfg ...@@ -53,13 +53,13 @@ output = ${buildout:directory}/instance.cfg
PyRSS2Gen = 1.1 PyRSS2Gen = 1.1
Pygments = 2.0.2 Pygments = 2.0.2
cns.recipe.symlink = 0.2.3 cns.recipe.symlink = 0.2.3
ipython = 3.1.0 ipython = 3.2.0
matplotlib = 1.4.3 matplotlib = 1.4.3
mistune = 0.5.1 mistune = 0.6
nose = 1.3.7 nose = 1.3.7
pandas = 0.16.1 pandas = 0.16.2
plone.recipe.command = 1.1 plone.recipe.command = 1.1
pyzmq = 14.6.0 pyzmq = 14.7.0
scikit-learn = 0.16.1 scikit-learn = 0.16.1
scipy = 0.15.1 scipy = 0.15.1
simpy = 3.0.7 simpy = 3.0.7
......
...@@ -64,5 +64,5 @@ pandas = 0.16.1 ...@@ -64,5 +64,5 @@ pandas = 0.16.1
msgpack-python = 0.4.6 msgpack-python = 0.4.6
numpy = 1.9.2 numpy = 1.9.2
wendelin.core = 0.3 wendelin.core = 0.3
ipython = 3.1.0 ipython = 3.2.0
matplotlib = 1.4.3 matplotlib = 1.4.3
...@@ -522,7 +522,7 @@ setup = ${erp5:location} ...@@ -522,7 +522,7 @@ setup = ${erp5:location}
[cloudooo-repository] [cloudooo-repository]
branch = branch =
revision = 8db3977b312e3cf8dbb64660c6f4f9e639b749c9 revision = 3241978a6ec832f6aa71d1df1a62e22a8feae2f1
[slapos.cookbook-repository] [slapos.cookbook-repository]
branch = erp5 branch = erp5
...@@ -619,16 +619,16 @@ httplib2 = 0.9.1 ...@@ -619,16 +619,16 @@ httplib2 = 0.9.1
huBarcode = 1.0.0 huBarcode = 1.0.0
interval = 1.0.0 interval = 1.0.0
ipdb = 0.8.1 ipdb = 0.8.1
ipython = 3.1.0 ipython = 3.2.0
logilab-common = 0.63.2 logilab-common = 0.63.2
numpy = 1.9.2 numpy = 1.9.2
plone.recipe.command = 1.1 plone.recipe.command = 1.1
ply = 3.6 ply = 3.6
polib = 1.0.6 polib = 1.0.6
pprofile = 1.7.3 pprofile = 1.7.3
pycountry = 1.10 pycountry = 1.12
pycrypto = 2.6.1 pycrypto = 2.6.1
pyflakes = 0.9.1 pyflakes = 0.9.2
pylint = 1.4.3 pylint = 1.4.3
python-ldap = 2.4.19 python-ldap = 2.4.19
python-magic = 0.4.6 python-magic = 0.4.6
......
...@@ -123,9 +123,9 @@ lxml = 3.4.4 ...@@ -123,9 +123,9 @@ lxml = 3.4.4
meld3 = 1.0.2 meld3 = 1.0.2
mr.developer = 1.33 mr.developer = 1.33
netaddr = 0.7.14 netaddr = 0.7.14
pbr = 1.1.1 pbr = 1.2.0
prettytable = 0.7.2 prettytable = 0.7.2
psutil = 2.2.1 psutil = 3.0.1
pyOpenSSL = 0.15.1 pyOpenSSL = 0.15.1
pyparsing = 2.0.3 pyparsing = 2.0.3
pytz = 2015.4 pytz = 2015.4
...@@ -186,7 +186,7 @@ netifaces = 0.10.4 ...@@ -186,7 +186,7 @@ netifaces = 0.10.4
# Required by: # Required by:
# cryptography==0.9.1 # cryptography==0.9.1
pyasn1 = 0.1.7 pyasn1 = 0.1.8
# Required by: # Required by:
# cffi==1.1.2 # cffi==1.1.2
......