GitLab

Initial cleanup phase: all components used in the HTTP pass thru traffic shall be interconnected with the highest possible HTTP protocol:

• frontend haproxy
• ATS
• backend haproxy

The shall use SSL with locally generated certificates from local partition.

Tasks:

• make local caucase on each frontend node
• replace existing self-signed certificates with caucase ones
• switch internal connections of fronted haproxy, backend haproxy and ATS to SSLs coming from one CA with validation
• local caucased recreation on service change
  • the lock count is not typed it, in depends on the registered services
  • caucased directory is a hash of services using it, changes each time service change
  • service change is:
    • addition
    • removal
    • name change

Feature phase: like incoming connections, outgoing connections from backend haproxy shall use the best possible protocol, which can be downgraded per slave with parameters:

• make connection between frontend, ATS and backend haproxy on SSL, only one link
  • make https-url really working
    • if url is present too then if present use it for requests incoming with X-Forwarded-Proto: https
    • otherwise use just like url, but emit warning
    • if https-only is true emit warning
    • do NOT make it passing differently via cluster
    • pass through the URL via ATS
• use ATS correctly
  • really pass a KEY as real URL coming from the client without any manipulation, as currently it’s very messy!
• use the highest possible protocol between frontend haproxy, backend haproxy and ATS
  • assure that it does not impact websocket on HTTP/1.1
  • assure enable-http2=false is honored
  • assure enable-http3=false is honored
  • check behavior of client using low protocol version
  • websocket-h2
    • new parameter, by default true
  • enable-backend-http2
    • new parameter, by default true

Note: haproxy does not support HTTP/3 to the backends.