apache-frontend: Introduce new architecture for apache frontend

34945832 · Cédric Le Ninivin · 6bc5832d · 34945832 · 34945832 · 34945832
Commit 34945832 authored May 07, 2013 by Cédric Le Ninivin
4 changed files
--- a/slapos/recipe/apache_frontend/__init__.py
+++ b/slapos/recipe/apache_frontend/__init__.py
--- a/slapos/recipe/apache_frontend/template/apache.conf.in
+++ b/slapos/recipe/apache_frontend/template/apache.conf.in
@@ -87,8 +87,6 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javasc
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-# Make sure proxies don't deliver the wrong content
-Header append Vary User-Agent

 # SSL Configuration
 %(ssl_snippet)s
@@ -146,9 +144,6 @@ Header append Vary User-Agent
  ProxyTimeout 600
  RewriteEngine On

-  # Remove "Secure" from cookies, as backend may be https
-  Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
-
  # Include configuration file not operated by slapos. This file won't be erased
  # or changed when slapgrid is ran. It can be freely customized by node admin.
  # Include %(custom_apache_virtualhost_conf)s

--- a/slapos/recipe/apache_frontend/template/apache_cached.conf.in
+++ b/slapos/recipe/apache_frontend/template/apache_cached.conf.in
+# Apache configuration file for Zope
+# Automatically generated
+
+# Basic server configuration
+PidFile "%(pid_cache_file)s"
+ServerName %(server_name)s
+DocumentRoot %(document_root)s
+ServerRoot %(instance_home)s
+
+%(listen_cache)s
+
+ServerAdmin %(server_admin)s
+DefaultType text/plain
+TypesConfig %(httpd_home)s/conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+# As backend is trusting REMOTE_USER header unset it always
+RequestHeader unset REMOTE_USER
+
+ServerTokens Prod
+
+# Log configuration
+ErrorLog "%(error_cache_log)s"
+LogLevel warn
+# LogFormat "%%h %%{REMOTE_USER}i %%{Host}i %%l %%u %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\"" combined
+# LogFormat "%%h %%{REMOTE_USER}i %%{Host}i %%l %%u %%t \"%%r\" %%>s %%b" common
+# CustomLog "%(access_log)s" common
+LogFormat "%%h %%l %%{REMOTE_USER}i %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\" %%D" combined
+CustomLog "%(access_cache_log)s" combined
+
+%(path_enable)s
+
+# List of modules
+#LoadModule unixd_module modules/mod_unixd.so
+#LoadModule access_compat_module modules/mod_access_compat.so
+#LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module  %(httpd_home)s/modules/mod_authz_host.so
+LoadModule log_config_module  %(httpd_home)s/modules/mod_log_config.so
+LoadModule deflate_module     %(httpd_home)s/modules/mod_deflate.so
+LoadModule setenvif_module    %(httpd_home)s/modules/mod_setenvif.so
+LoadModule version_module     %(httpd_home)s/modules/mod_version.so
+LoadModule proxy_module       %(httpd_home)s/modules/mod_proxy.so
+LoadModule proxy_http_module  %(httpd_home)s/modules/mod_proxy_http.so
+LoadModule ssl_module         %(httpd_home)s/modules/mod_ssl.so
+LoadModule mime_module        %(httpd_home)s/modules/mod_mime.so
+LoadModule dav_module         %(httpd_home)s/modules/mod_dav.so
+LoadModule dav_fs_module      %(httpd_home)s/modules/mod_dav_fs.so
+LoadModule negotiation_module %(httpd_home)s/modules/mod_negotiation.so
+LoadModule rewrite_module     %(httpd_home)s/modules/mod_rewrite.so
+LoadModule headers_module     %(httpd_home)s/modules/mod_headers.so
+LoadModule cache_module       %(httpd_home)s/modules/mod_cache.so
+LoadModule mem_cache_module   %(httpd_home)s/modules/mod_mem_cache.so
+LoadModule antiloris_module   %(httpd_home)s/modules/mod_antiloris.so
+
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
+                        downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash.  This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "MS FrontPage" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+BrowserMatch "^gnome-vfs" redirect-carefully
+BrowserMatch "^XML Spy" redirect-carefully
+BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+
+# Cache directives
+CacheEnable mem /
+CacheDefaultExpire 3600
+MCacheSize 8192
+MCacheMaxObjectCount 1000
+MCacheMaxObjectSize 8192
+MCacheRemovalAlgorithm LRU
+
+# Deflate
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
+BrowserMatch ^Mozilla/4 gzip-only-text/html
+BrowserMatch ^Mozilla/4\.0[678] no-gzip
+BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+# SSL Configuration
+%(ssl_snippet)s
+
+# Only accept generic (i.e not Zope) backends on http
+<VirtualHost *:%(cached_port)s>
+  SSLProxyEngine on
+  # Rewrite part
+  ProxyVia On
+  ProxyPreserveHost On
+  ProxyTimeout 600
+  RewriteEngine On
+
+
+  # Include configuration file not operated by slapos. This file won't be erased
+  # or changed when slapgrid is ran. It can be freely customized by node admin.
+  # Include %(custom_apache_virtualhost_conf)s
+
+  RewriteMap apachemapcached txt:%(apachecachedmap_path)s
+  RewriteCond ${apachemapcached:%%{SERVER_NAME}} >""
+  RewriteRule ^/(.*)$ ${apachemapcached:%%{SERVER_NAME}}/$1 [L,P]
+
+  # If nothing exist : put a nice error
+  ErrorDocument 404 /notfound.html
+</VirtualHost>
--- a/software/apache-frontend/instance.cfg
+++ b/software/apache-frontend/instance.cfg
@@ -37,7 +37,7 @@ cronstamps = $${:etc}/cronstamps
 ca-dir = $${:srv}/ssl

 squid-cache = $${:srv}/squid_cache
-stunnel-conf = $${:etc}/stunnel
+

 [instance-parameter]
 # Fetches parameters defined in SlapOS Master for this instance.
@@ -79,6 +79,9 @@ ca_crl = $${certificate-authority:ca-crl}
 access-log = $${directory:log}/frontend-apache-access.log
 error-log = $${directory:log}/frontend-apache-error.log
 pid-file = $${directory:run}/httpd.pid
+cache-access-log = $${directory:log}/frontend-apache-access-cached.log
+cache-error-log = $${directory:log}/frontend-apache-error-cached.log
+cache-pid-file = $${directory:run}/httpd-cached.pid


 # Create wrapper for "apachectl conftest" in bin
@@ -106,40 +109,15 @@ certs = $${directory:ca-dir}/certs/
 newcerts = $${directory:ca-dir}/newcerts/
 crl = $${directory:ca-dir}/crl/

-[ca-frontend]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-key-file = $${cadirectory:certs}/apache_frontend.key
-cert-file = $${cadirectory:certs}/apache_frontend.crt
-executable = $${directory:service}/apache_frontend
-wrapper = $${directory:service}/apache_frontend
-# Put domain name
-name = $${instance-parameter:configuration.domain}
-
-[ca-stunnel]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-key-file = $${directory:stunnel-conf}/stunnel.key
-cert-file = $${directory:stunnel-conf}/stunnel.crt
-executable = $${stunnel:wrapper}
-wrapper = $${basedirectory:services}/stunnel
-
-[stunnel]
-recipe = slapos.cookbook:stunnel
-stunnel-binary = ${stunnel:location}/bin/stunnel
-wrapper = $${directory:bin}/stunnel
-log-file = $${directory:log}/stunnel.log
-config-file = $${directory:etc}/stunnel.conf
-key-file = $${ca-stunnel:key-file}
-cert-file = $${ca-stunnel:cert-file}
-pid-file = $${directory:run}/stunnel.pid
-local-port = $${squid-hardcoded:backend-port}
-local-host = $${squid-hardcoded:backend-ip}
-remote-host = $${squid-hardcoded:remote-host}
-remote-port = $${squid-hardcoded:remote-port}
-client = false
-post-rotate-script = $${directory:bin}/stunnel_post_rotate
-
+#[ca-frontend]
+#<= certificate-authority
+#recipe = slapos.cookbook:certificate_authority.request
+#key-file = $${cadirectory:certs}/apache_frontend.key
+#cert-file = $${cadirectory:certs}/apache_frontend.crt
+#executable = $${directory:service}/apache_frontend
+#wrapper = $${directory:service}/apache_frontend
+## Put domain name
+#name = $${instance-parameter:configuration.domain}

 [cron]
 recipe = slapos.cookbook:cron
@@ -182,7 +160,7 @@ recipe = slapos.cookbook:logrotate.d
 name = apache
 log = $${apache:error-log} $${apache:access-log}
 frequency = daily
-rotate-num = 30
+rotatep-num = 30
 post = ${buildout:bin-directory}/killpidfromfile $${apache:pid-file} SIGUSR1
 sharedscripts = true
 notifempty = true
@@ -199,7 +177,7 @@ ip = $${squid-hardcoded:ip}
 port = $${squid-hardcoded:port}
 backend-ip = $${squid-hardcoded:backend-ip}
 backend-port = $${squid-hardcoded:backend-port}
-domain = $${squid-hardcoded:domain}
+public-ipv4 = $${instance-parameter:configuration.public-ipv4}
 access-log-path = $${directory:log}/squid-access.log
 cache-log-path = $${directory:log}/squid-cache.log
 pid-filename-path = $${directory:run}/squid.pid