Update Release Candidate

.gitignore

@@ -15,3 +15,4 @@ slapos.cookbook.egg-info
 *.egg/
 TEST_KNOWN_HOSTS
 node_modules
+update-release.sh

component/caddy/buildout.cfg

 [buildout]
 extends =
   ../../component/golang/buildout.cfg
-  gowork.cfg
 
 parts =
-  gowork
   caddy
 
 [gowork]
+# Caddy 1.x+ uses go modules, for which gowork does not work yet
 golang  = ${golang1.12:location}
 install =
-  github.com/mholt/caddy
+
+[gowork.goinstall]
+command = :
+depends =
+  ${caddy:recipe}
 
 [caddy]
-recipe  = slapos.recipe.cmmi
-path    = ${go_github.com_mholt_caddy:location}
-go      = ${gowork:golang}/bin/go
-configure-command = :
-make-targets =
-make-binary = cd ${:path}/caddy  && ${:go} install -v
-environment =
-  PATH=${pkgconfig:location}/bin:${gowork:golang}/bin:${buildout:bin-directory}:%(PATH)s
-  GOPATH=${gowork:directory}
+# revision and repository can be used to control which caddy version is used
+revision = db2741c6e0a1c06340391c5b9fa282b876a33361
+repository = github.com/mholt/caddy/caddy
+
+recipe  = plone.recipe.command
+update-command = ${:command}
+stop-on-error = True
+# GO111MODULE=on enables go modules support
+# the chmod is needed as modules are fetched with u-w
+command =
+  . ${gowork:env.sh} &&
+  cd ${gowork:directory} &&
+  export GO111MODULE=on &&
+  go get ${:repository}@${:revision} &&
+  chmod -R u+w .
 output = ${gowork:bin}/caddy
+location = ${:output}

component/caddy/gowork.cfg

-# Code generated by gowork-snapshot; DO NOT EDIT.
-
-# list of go git repositories to fetch
-[gowork.goinstall]
-depends_gitfetch  =
-    ${go_github.com_mholt_caddy:recipe}
-
-
-[go_github.com_mholt_caddy]
-<= go-git-package
-go.importpath = github.com/mholt/caddy
-repository    = https://lab.nexedi.com/nexedi/caddy.git
-revision      = nxd-v0.11.1-5-gdd393ce3a67e6a773be87185528a00f2e0a9eb26

component/lz4/buildout.cfg

+[buildout]
+
+parts =
+  lz4
+
+[lz4]
+recipe = slapos.recipe.cmmi
+url = https://github.com/lz4/lz4/archive/v1.8.3.tar.gz
+md5sum = d5ce78f7b1b76002bbfffa6f78a5fc4e
+configure-command = true

component/mariadb/buildout.cfg

@@ -9,11 +9,13 @@ extends =
   ../jemalloc/buildout.cfg
   ../libaio/buildout.cfg
   ../libxml2/buildout.cfg
+  ../lz4/buildout.cfg
   ../ncurses/buildout.cfg
   ../openssl/buildout.cfg
   ../patch/buildout.cfg
   ../pkgconfig/buildout.cfg
   ../readline/buildout.cfg
+  ../snappy/buildout.cfg
   ../xz-utils/buildout.cfg
   ../zlib/buildout.cfg
   ../unixodbc/buildout.cfg
@@ -26,8 +28,8 @@ parts =
 [mariadb]
 recipe = slapos.recipe.cmmi
 url = https://downloads.mariadb.org/f/mariadb-${:version}/source/mariadb-${:version}.tar.gz/from/http%3A//fr.mirror.babylon.network/mariadb/?serve
-version = 10.2.22
-md5sum = f390235995b72b4c50948a43eb7e41fe
+version = 10.2.23
+md5sum = 941c9ac6ee7709fd88a4098ecfc0a4b0
 patch-options = -p0
 patches =
   ${:_profile_base_location_}/mariadb_10.2.16_create_system_tables__no_test.patch#3fd5f9febabdb42d4b6653969a0194f9
@@ -48,10 +50,12 @@ configure-options =
   -DWITH_EMBEDDED_SERVER=0
   -DWITH_JEMALLOC=yes
   -DWITH_INNODB_BZIP2=ON
-  -DWITH_INNODB_LZ4=OFF
+  -DWITH_INNODB_LZ4=ON
   -DWITH_INNODB_LZMA=ON
-  -DWITH_INNODB_LZO=OFF
-  -DWITH_INNODB_SNAPPY=OFF
+  -DWITH_INNODB_SNAPPY=ON
+  -DWITH_ROCKSDB_LZ4=ON
+  -DWITH_ROCKSDB_snappy=ON
+  -DWITH_ROCKSDB_ZSTD=ON
   -DWITH_SAFEMALLOC=OFF
   -DPLUGIN_DAEMON_EXAMPLE=NO
   -DPLUGIN_EXAMPLE=NO
@@ -63,13 +67,13 @@ configure-options =
   -DCMAKE_LIBRARY_PATH=${unixodbc:location}/lib
   -DCMAKE_C_COMPILER=${gcc:location}/bin/gcc
   -DCMAKE_CXX_COMPILER=${gcc:location}/bin/g++
-CMAKE_CFLAGS = -I${bzip2:location}/include -I${jemalloc:location}/include -I${libaio:location}/include -I${libxml2:location}/include -I${ncurses:location}/include -I${openssl:location}/include -I${readline5:location}/include -I${xz-utils:location}/include -I${zlib:location}/include -I${unixodbc:location}/include -I${zstd:location}/include
-CMAKE_LIBRARY_PATH = ${bzip2:location}/lib:${jemalloc:location}/lib:${libaio:location}/lib:${libxml2:location}/lib:${ncurses:location}/lib:${openssl:location}/lib:${readline5:location}/lib:${xz-utils:location}/lib:${zlib:location}/lib:${unixodbc:location}/lib:${zstd:location}/lib:${gcc:location}/lib:${gcc:location}/lib64
+CMAKE_CFLAGS = -I${bzip2:location}/include -I${jemalloc:location}/include -I${libaio:location}/include -I${libxml2:location}/include -I${ncurses:location}/include -I${openssl:location}/include -I${readline5:location}/include -I${xz-utils:location}/include -I${zlib:location}/include -I${unixodbc:location}/include -I${lz4:location}/include -I${snappy:location}/include -I${zstd:location}/include
+CMAKE_LIBRARY_PATH = ${bzip2:location}/lib:${jemalloc:location}/lib:${libaio:location}/lib:${libxml2:location}/lib:${ncurses:location}/lib:${openssl:location}/lib:${readline5:location}/lib:${xz-utils:location}/lib:${zlib:location}/lib:${unixodbc:location}/lib:${lz4:location}/lib:${snappy:location}/lib:${zstd:location}/lib:${gcc:location}/lib:${gcc:location}/lib64
 environment =
   CMAKE_PROGRAM_PATH=${cmake:location}/bin
-  CMAKE_INCLUDE_PATH=${bzip2:location}/include:${libaio:location}/include:${libaio:location}/include:${libxml2:location}/include:${ncurses:location}/include:${openssl:location}/include:${readline5:location}/include:${xz-utils:location}/include:${zlib:location}/include:${unixodbc:location}/include:${zstd:location}/include
+  CMAKE_INCLUDE_PATH=${bzip2:location}/include:${libaio:location}/include:${libaio:location}/include:${libxml2:location}/include:${ncurses:location}/include:${openssl:location}/include:${readline5:location}/include:${xz-utils:location}/include:${zlib:location}/include:${unixodbc:location}/include:${lz4:location}/include:${snappy:location}/include:${zstd:location}/include
   CMAKE_LIBRARY_PATH=${:CMAKE_LIBRARY_PATH}
-  LDFLAGS=-L${bzip2:location}/lib -L${jemalloc:location}/lib -L${libaio:location}/lib -L${xz-utils:location}/lib -L${zlib:location}/lib -L${unixodbc:location}/lib
+  LDFLAGS=-L${bzip2:location}/lib -L${jemalloc:location}/lib -L${libaio:location}/lib -L${xz-utils:location}/lib -L${zlib:location}/lib -L${unixodbc:location}/lib -L${lz4:location}/lib -L${snappy:location}/lib -L${zstd:location}/lib
   PATH=${patch:location}/bin:%(PATH)s
 post-install =
   mkdir -p ${:location}/include/wsrep &&

component/snappy/buildout.cfg

+[buildout]
+extends =
+  ../cmake/buildout.cfg
+parts =
+  snappy
+
+[snappy]
+recipe = slapos.recipe.cmmi
+url = https://github.com/google/snappy/archive/1.1.7.tar.gz
+md5sum = ee9086291c9ae8deb4dac5e0b85bf54a
+location = ${buildout:parts-directory}/${:_buildout_section_name_}
+configure-command = ${cmake:location}/bin/cmake
+configure-options =
+  -DCMAKE_INSTALL_PREFIX=${:location}
+  -DBUILD_SHARED_LIBS=ON
+environment =
+  CMAKE_PROGRAM_PATH=${cmake:location}/bin

software/caddy-frontend/README.caddy_frontend.rst

@@ -90,6 +90,8 @@ About SSL and SlapOS Master Zero Knowledge
 
 SSL keys and certificates are directly send to the frontend cluster in order to follow zero knowledge principle of SlapOS Master.
 
+*Note*: Until master partition or slave specific certificate is uploaded each slave is served with fallback certificate.  This fallback certificate is self signed, does not match served hostname and results with lack of response on HTTPs.
+
 Master partition
 ----------------
 
@@ -218,14 +220,10 @@ caddy_custom_https
 ~~~~~~~~~~~~~~~~~~
 Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the https port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above.
 
-*Note*: The system will reject slaves which does not pass validation of caddy configuration, despite them being in ``-frontend-authorized-slave-string``, as otherwise this will lead to the whole frontend to fail.
-
 caddy_custom_http
 ~~~~~~~~~~~~~~~~~
 Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the http port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above
 
-*Note*: The system will reject slaves which does not pass validation of caddy configuration, despite them being in ``-frontend-authorized-slave-string``, as otherwise this will lead to the whole frontend to fail.
-
 url
 ~~~
 Necessary to activate cache. ``url`` of backend to use.
@@ -343,7 +341,7 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be::
         "caddy_custom_https":'
   https://www.example.com:%(https_port)s, https://example.com:%(https_port)s {
     bind %(local_ipv4)s
-    tls %%(certificate)s %%(certificate)s
+    tls %(certificate)s %(certificate)s
 
     log / %(access_log)s {combined}
     errors %(error_log)s

software/caddy-frontend/TODO.rst

 Generally things to be done with ``caddy-frontend``:
 
- * tests: add assertion with results of promises in etc/promise for each partition
  * README: cleanup the documentation, explain various specifics
  * check the whole frontend slave snippet with ``caddy -validate`` during buildout run, and reject if does not pass validation
  * (new) ``type:websocket`` slave

software/caddy-frontend/buildout.hash.cfg

@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 111ff0794c90657b658e3d50525e7fed
+md5sum = fd2ff61d9270109115ced8f56fb0be17
 
 [template-common]
 filename = instance-common.cfg.in
@@ -22,15 +22,15 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
 
 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = abbbc8f24cdef389b9b2859b0ef8dd0e
+md5sum = ab5312fb5454d5358b22b000cf6ed124
 
 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 81ad603fe0a1e29948bd81b457e8d7a4
+md5sum = 37edefdb9963daa67b01e5d55d97c17d
 
 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = dfbe4378610aa42f2cbc2a55d386324e
+md5sum = f9efdfe7a7e3a78f0b15f414b5469316
 
 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -42,23 +42,19 @@ md5sum = 38e9994be01ea1b8a379f8ff7aa05438
 
 [template-caddy-frontend-configuration]
 filename = templates/Caddyfile.in
-md5sum = df8c08c9aecb48fdbcdfca40f9cf74a4
+md5sum = dfec964a9f194293567b09d0f10e4b3d
 
 [caddy-backend-url-validator]
 filename = templates/caddy-backend-url-validator.in
 md5sum = 0979a03476e86bf038516c9565dadc17
 
-[caddy-custom-http-validator]
-filename = templates/caddy-custom-http-validator.in
-md5sum = a264208e960cdcd25ef27ed8cf730240
-
 [template-not-found-html]
 filename = templates/notfound.html
 md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
 
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = 4308b63820d3682511ce54040d1ae60e
+md5sum = b882c408202cd2dd13f619210321a528
 
 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
@@ -66,7 +62,7 @@ md5sum = 907372828d1ceb05c41240078196f439
 
 [template-log-access]
 filename = templates/template-log-access.conf.in
-md5sum = 704f37bfdd52fe628ae81d41abba8d7a
+md5sum = f8068179333ce19e95df561c70073857
 
 [template-empty]
 filename = templates/empty.in
@@ -90,7 +86,7 @@ md5sum = cd6bb9bd0734f17469b0ca88f8b1a531
 
 [template-nginx-configuration]
 filename = templates/nginx.cfg.in
-md5sum = 30f30ef3539fe6b7ab99162ae8e71a87
+md5sum = d4c6c585c8a7da12c16b4b8e5a1cd90a
 
 [template-nginx-eventsource-slave-virtualhost]
 filename = templates/nginx-eventsource-slave.conf.in
@@ -98,11 +94,11 @@ md5sum = 217a6c801b8330b0b825f7b8b4c77184
 
 [template-nginx-notebook-slave-virtualhost]
 filename = templates/nginx-notebook-slave.conf.in
-md5sum = ac17212a53be2c08ab84682ec665148d
+md5sum = 982489258b9c2cafc9b52a94e7a8660f
 
-[template-apache-lazy-script-call]
+[template-caddy-lazy-script-call]
 filename = templates/apache-lazy-script-call.sh.in
-md5sum = ebe5d3d19923eb812a40019cb11276d8
+md5sum = b9f73f6323f9fceea054c46c854d2862
 
 [template-graceful-script]
 filename = templates/graceful-script.sh.in
@@ -122,4 +118,4 @@ md5sum = 38792c2dceae38ab411592ec36fff6a8
 
 [template-kedifa]
 filename = instance-kedifa.cfg.in
-md5sum = 5597b2184b445af69ad6d517d0729ad6
+md5sum = cc6f32656e76f4b79b5e47567b930f74

software/caddy-frontend/common.cfg

@@ -35,7 +35,7 @@ parts +=
 recipe = slapos.recipe.build:gitclone
 repository = https://lab.nexedi.com/nexedi/kedifa.git
 git-executable = ${git:location}/bin/git
-revision = 67bd60ea1bfb4fc6aafdfe4fa204f725731f20cf
+revision = 73a14b0e88afe7512f2fefe6ee9e0000fa523d5d
 
 [kedifa-develop]
 recipe = zc.recipe.egg:develop
@@ -111,7 +111,7 @@ openssl_cnf = ${openssl:location}/etc/ssl/openssl.cnf
 trafficserver = ${trafficserver7:location}
 sha256sum = ${coreutils:location}/bin/sha256sum
 kedifa = ${:bin_directory}/kedifa
-kedifa-getter = ${:bin_directory}/kedifa-getter
+kedifa-updater = ${:bin_directory}/kedifa-updater
 kedifa-csr = ${:bin_directory}/kedifa-csr
 
 monitor_template = ${monitor-template:output}
@@ -152,7 +152,6 @@ context =
   key template_kedifa template-kedifa:target
   key template_replicate_publish_slave_information template-replicate-publish-slave-information:target
   key caddy_backend_url_validator caddy-backend-url-validator:output
-  key caddy_custom_http_validator caddy-custom-http-validator:output
 
   section template_frontend_parameter_dict template-frontend-parameter-section
   key caucase_jinja2_library caucase-jinja2-library:target
@@ -169,13 +168,6 @@ filename = caddy-backend-url-validator.in
 output = ${buildout:directory}/caddy-backend-url-validator
 mode = 0750
 
-[caddy-custom-http-validator]
-recipe = slapos.recipe.template
-url = ${:_profile_base_location_}/templates/${:filename}
-filename = caddy-custom-http-validator.in
-output = ${buildout:directory}/caddy-custom-http-validator
-mode = 0750
-
 [template-caddy-replicate]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in

software/caddy-frontend/instance-apache-frontend.cfg.in

@@ -100,7 +100,6 @@ single-custom-personal = ${dynamic-custom-personal-template-slave-list:rendered}
 template-log-access = {{ parameter_dict['template_log_access'] }}
 log-access-configuration = ${directory:etc}/log-access.conf
 ip-access-certificate = ${self-signed-ip-access:certificate}
-ip-access-key = ${self-signed-ip-access:key}
 caddy-directory = {{ parameter_dict['caddy_location'] }}
 caddy-ipv6 = {{ instance_parameter['ipv6-random'] }}
 caddy-https-port = ${configuration:port}
@@ -111,17 +110,16 @@ recipe = plone.recipe.command
 update-command = ${:command}
 ipv6 = ${slap-network-information:global-ipv6}
 ipv4 = {{instance_parameter['ipv4-random']}}
-key = ${caddy-directory:master-autocert-dir}/ip-access-${:ipv6}-${:ipv4}.key
 certificate = ${caddy-directory:master-autocert-dir}/ip-access-${:ipv6}-${:ipv4}.crt
 stop-on-error = True
 command =
-  [ -f ${:key} ] && [ -f ${:certificate} ] && exit 0
-  rm -f ${:key} ${:certificate}
+  [ -f ${:certificate} ] && exit 0
+  rm -f ${:certificate}
   /bin/bash -c ' \
   {{ parameter_dict['openssl'] }} req \
      -new -newkey rsa:2048 -sha256 \
      -nodes -x509 -days 36500 \
-     -keyout ${:key} \
+     -keyout ${:certificate} \
      -subj "/CN=Self Signed IP Access" \
      -reqexts SAN \
      -extensions SAN \
@@ -129,6 +127,25 @@ command =
          <(printf "\n[SAN]\nsubjectAltName=IP:${:ipv6},IP:${:ipv4}")) \
      -out ${:certificate}'
 
+[self-signed-fallback-access]
+# Self Signed certificate for HTTPS access to the frontend with fallback certificate
+recipe = plone.recipe.command
+update-command = ${:command}
+ipv6 = ${slap-network-information:global-ipv6}
+ipv4 = {{instance_parameter['ipv4-random']}}
+certificate = ${caddy-directory:master-autocert-dir}/fallback-access.crt
+stop-on-error = True
+command =
+  [ -f ${:certificate} ] && exit 0
+  rm -f ${:certificate}
+  /bin/bash -c ' \
+  {{ parameter_dict['openssl'] }} req \
+     -new -newkey rsa:2048 -sha256 \
+     -nodes -x509 -days 36500 \
+     -keyout ${:certificate} \
+     -subj "/CN=Fallback certificate/OU={{ instance_parameter['configuration.frontend-name'] }}" \
+     -out ${:certificate}'
+
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}
@@ -138,7 +155,6 @@ slapparameter_dict = {{ dumps(instance_parameter['configuration']) }}
 slap_software_type = {{ dumps(instance_parameter['slap-software-type']) }}
 context =
     import json_module json
-    import os_module os
     raw common_profile {{ parameter_dict['common_profile'] }}
     raw logrotate_base_instance {{ parameter_dict['logrotate_base_instance'] }}
     key slap_software_type :slap_software_type
@@ -212,7 +228,9 @@ bin_directory = {{ parameter_dict['bin_directory'] }}
 caddy_executable = {{ parameter_dict['caddy'] }}
 caucase_url = {{ slapparameter_dict['kedifa-caucase-url'] }}
 sixtunnel_executable = {{ parameter_dict['sixtunnel'] }}/bin/6tunnel
-kedifa-getter = {{ parameter_dict['kedifa-getter'] }}
+kedifa-updater = {{ parameter_dict['kedifa-updater'] }}
+kedifa-updater-mapping-file = ${directory:etc}/kedifa_updater_mapping.txt
+kedifa-updater-state-file = ${directory:srv}/kedifa_updater_state.json
 kedifa-csr = {{ parameter_dict['kedifa-csr'] }}
 service_directory = ${directory:service}
 extra-context =
@@ -222,7 +240,9 @@ extra-context =
     key nginx_configuration_directory caddy-directory:nginx-slave-configuration
     key caddy_cached_configuration_directory caddy-directory:slave-with-cache-configuration
     key slave_with_cache_configuration_directory caddy-directory:slave-with-cache-configuration
-    key kedifa_getter :kedifa-getter
+    key kedifa_updater :kedifa-updater
+    key kedifa_updater_mapping_file :kedifa-updater-mapping-file
+    key kedifa_updater_state_file :kedifa-updater-state-file
     key kedifa_csr :kedifa-csr
     key caddy_executable :caddy_executable
     key caucase_url :caucase_url
@@ -259,6 +279,8 @@ extra-context =
     key template_notebook_slave_configuration software-release-path:template-nginx-notebook-slave-virtualhost
     key software_type :software_type
     key frontend_lazy_graceful_reload frontend-caddy-lazy-graceful:rendered
+    key frontend_graceful_reload caddy-configuration:frontend-graceful-command
+    key nginx_graceful_reload nginx-configuration:nginx-graceful-command
     section frontend_configuration frontend-configuration
     section caddy_configuration caddy-configuration
     section nginx_configuration nginx-configuration
@@ -277,10 +299,10 @@ extra-context =
     key service_directory directory:service
     key run_directory directory:etc-run
     key not_found_file caddy-configuration:not-found-file
-# BBB: SlapOS Master non-zero knowledge BEGIN
     key custom_ssl_directory caddy-directory:custom-ssl-directory
+# BBB: SlapOS Master non-zero knowledge BEGIN
+    key bbb_ssl_directory directory:bbb-ssl-dir
     key apache_certificate apache-certificate:rendered
-    key apache_key apache-key:rendered
 # BBB: SlapOS Master non-zero knowledge END
 
 [dynamic-virtualhost-template-slave]
@@ -323,7 +345,6 @@ extra-context =
     key password monitor-htpasswd:passwd
 # BBB: SlapOS Master non-zero knowledge BEGIN
     key apache_certificate apache-certificate:rendered
-    key apache_key apache-key:rendered
 # BBB: SlapOS Master non-zero knowledge END
 
 [caddy-wrapper]
@@ -332,7 +353,8 @@ environment =
   CADDYPATH=${directory:frontend_cluster}
 command-line = {{ parameter_dict['caddy'] }}
   -conf ${dynamic-caddy-frontend-template:rendered}
-  -log stdout
+  -log ${caddy-configuration:error-log}
+  -log-roll-mb 0
 {% if instance_parameter['configuration.global-disable-http2'].lower() in TRUE_VALUES %}
   -http2=false
 {% else %}
@@ -343,7 +365,7 @@ command-line = {{ parameter_dict['caddy'] }}
 {% endif %}
   -grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s
   -disable-http-challenge
-  -disable-tls-sni-challenge
+  -disable-tls-alpn-challenge
 wrapper-path = ${directory:bin}/caddy-wrapper
 
 [caddy-frontend]
@@ -369,9 +391,7 @@ slave-log = ${directory:log}/httpd
 nginx-slave-configuration = ${directory:etc}/nginx-slave-conf.d/
 autocert = ${directory:srv}/autocert
 master-autocert-dir = ${:autocert}/master-autocert
-# BBB: SlapOS Master non-zero knowledge BEGIN
 custom-ssl-directory = ${:slave-configuration}/ssl
-# BBB: SlapOS Master non-zero knowledge END
 
 [caddy-configuration]
 frontend-configuration = ${directory:etc}/Caddyfile
@@ -393,21 +413,23 @@ command-line = ${frontend-caddy-validate:rendered}
 wrapper-path = ${directory:bin}/caddy-configtest
 
 # BBB: SlapOS Master non-zero knowledge BEGIN
-[apache-key]
-< = jinja2-template-base
-template = {{ parameter_dict['template_empty'] }}
-rendered = ${directory:bbb-ssl-dir}/frontend.key
-content = ${configuration:apache-key}
-extra-context =
-    key content :content
+[get-self-signed-fallback-access]
+recipe = collective.recipe.shelloutput
+commands =
+  certificate = cat ${self-signed-fallback-access:certificate}
 
 [apache-certificate]
-< = jinja2-template-base
-template = {{ parameter_dict['template_empty'] }}
+recipe = slapos.recipe.template:jinja2
+template = inline:
+{% raw %}
+  {{ certificate or fallback_certificate }}
+  {{ key or '' }}
+{% endraw %}
+context =
+  key certificate configuration:apache-certificate
+  key key configuration:apache-key
+  key fallback_certificate get-self-signed-fallback-access:certificate
 rendered = ${directory:bbb-ssl-dir}/frontend.crt
-content = ${configuration:apache-certificate}
-extra-context =
-    key content :content
 # BBB: SlapOS Master non-zero knowledge END
 
 [logrotate-entry-caddy]
@@ -415,6 +437,11 @@ extra-context =
 name = caddy
 log = ${caddy-configuration:error-log} ${caddy-configuration:access-log}
 rotate-num = 30
+# Note: Slaves do not define their own reload, as this would be repeated,
+#       because sharedscripts work per entry, and each slave needs its own
+#       olddir
+#       Here we trust that there will be something to be rotated with error
+#       or access log, and that this will trigger postrotate script.
 post = ${frontend-caddy-lazy-graceful:rendered} &
 
 [logrotate-entry-nginx]
@@ -557,7 +584,7 @@ template = {{ parameter_dict['template_graceful_script'] }}
 rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
 mode = 0700
 
-path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*/*.pem ${caddy-directory:custom-ssl-directory}/*.key ${caddy-directory:custom-ssl-directory}/*.crt ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.key ${directory:bbb-ssl-dir}/*.crt
+path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*.pem ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.crt
 sha256sum = {{ parameter_dict['sha256sum'] }}
 signature_file = ${directory:run}/caddy_graceful_signature
 extra-context =
@@ -571,7 +598,7 @@ extra-context =
 template = {{ parameter_dict['template_graceful_script'] }}
 rendered = ${directory:etc-run}/frontend-nginx-safe-graceful
 mode = 0700
-path_list = ${dynamic-nginx-frontend-template:rendered} ${caddy-directory:nginx-slave-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*/*.pem ${caddy-directory:custom-ssl-directory}/*.key ${caddy-directory:custom-ssl-directory}/*.crt ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.key ${directory:bbb-ssl-dir}/*.crt
+path_list = ${dynamic-nginx-frontend-template:rendered} ${caddy-directory:nginx-slave-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*.pem ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.crt
 sha256sum = {{ parameter_dict['sha256sum'] }}
 signature_file = ${directory:run}/nginx_graceful_signature
 extra-context =
@@ -741,7 +768,8 @@ environment =
   CADDYPATH=${directory:nginx_cluster}
 command-line = {{ parameter_dict['caddy'] }}
   -conf ${dynamic-nginx-frontend-template:rendered}
-  -log stdout
+  -log ${nginx-configuration:error_log}
+  -log-roll-mb 0
 {% if instance_parameter['configuration.global-disable-http2'].lower() in TRUE_VALUES %}
   -http2=false
 {% else %}
@@ -749,7 +777,7 @@ command-line = {{ parameter_dict['caddy'] }}
 {% endif %}
   -grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s
   -disable-http-challenge
-  -disable-tls-sni-challenge
+  -disable-tls-alpn-challenge
 wrapper-path = ${directory:bin}/nginx-wrapper
 
 [nginx-frontend]
@@ -774,7 +802,6 @@ extra-context =
   key master_certificate caddy-configuration:master-certificate
 # BBB: SlapOS Master non-zero knowledge BEGIN
   key apache_certificate apache-certificate:rendered
-  key apache_key apache-key:rendered
 # BBB: SlapOS Master non-zero knowledge END
 
 [nginx-configuration]

software/caddy-frontend/instance-apache-replicate.cfg.in

@@ -75,7 +75,7 @@ context =
 {% set warning_slave_dict = {} %}
 {% set used_host_list = [] %}
 {% set unauthorized_message = 'slave not authorized' %}
-{% for slave in slave_instance_list %}
+{% for slave in sorted(slave_instance_list) %}
 {%   set slave_error_list = [] %}
 {%   set slave_warning_list = [] %}
 {%   set slave_server_alias_unclashed = [] %}
@@ -114,8 +114,6 @@ context =
 {%         if not unauthorized_message in slave_error_list %}
 {%           do slave_error_list.append(unauthorized_message) %}
 {%         endif %}
-{%       elif subprocess_module.call([caddy_custom_http_validator, '' ~ slave[key]]) == 1 %}
-{%         do slave_error_list.append('slave %s configuration invalid' % (key,)) %}
 {%       endif %}
 {%     endif %}
 {%   endfor %} {# for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] #}

software/caddy-frontend/instance-kedifa.cfg.in

@@ -159,7 +159,7 @@ command-line = {{ parameter_dict['caddy'] }}
   -log ${expose-csr_id-configuration:error-log}
   -http2=true
   -disable-http-challenge
-  -disable-tls-sni-challenge
+  -disable-tls-alpn-challenge
   -root ${directory:csr_id}
 
 wrapper-path = ${directory:service}/expose-csr_id

software/caddy-frontend/instance-slave-caddy-input-schema.json

@@ -139,13 +139,6 @@
       "title": "Verify Backend Certificates",
       "type": "string"
     },
-    "ssl_ca_crt": {
-      "default": "",
-      "description": "Content of the CA certificate file",
-      "textarea": true,
-      "title": "SSL Certificate Authority's Certificate",
-      "type": "string"
-    },
     "ssl_proxy_ca_crt": {
       "default": "",
       "description": "Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",

software/caddy-frontend/instance-slave-caddy-simplified-input-schema.json

@@ -97,27 +97,6 @@
       "title": "Prefer gzip Encoding for Backend",
       "type": "string"
     },
-    "ssl_ca_crt": {
-      "default": "",
-      "description": "Content of the CA certificate file",
-      "textarea": true,
-      "title": "SSL Certificate Authority's Certificate",
-      "type": "string"
-    },
-    "ssl_crt": {
-      "default": "",
-      "description": "Content of the SSL Certificate file",
-      "textarea": true,
-      "title": "SSL Certificate",
-      "type": "string"
-    },
-    "ssl_key": {
-      "default": "",
-      "description": "Content of the SSL Key file",
-      "textarea": true,
-      "title": "SSL Key",
-      "type": "string"
-    }
   },
   "title": "Input Parameters",
   "type": "object"

software/caddy-frontend/instance.cfg.in

@@ -59,7 +59,6 @@ extra-context =
     import validators validators
     key cluster_identification instance-parameter:root-instance-title
     raw caddy_backend_url_validator {{ caddy_backend_url_validator }}
-    raw caddy_custom_http_validator {{ caddy_custom_http_validator }}
     raw template_publish_slave_information {{ template_replicate_publish_slave_information }}
 # Must match the key id in [switch-softwaretype] which uses this section.
     raw software_type RootSoftwareInstance-default-custom-personal-replicate

software/caddy-frontend/software.cfg

@@ -2,6 +2,8 @@
 extends = common.cfg
 
 [versions]
+# Modern KeDiFa requires zc.lockfile
+zc.lockfile = 1.4
 # Versions pinned for kedifa need urllib3 >= 1.18
 urllib3 = 1.24
 requests = 2.20.0

software/caddy-frontend/templates/Caddyfile.in

@@ -4,45 +4,38 @@ import {{frontend_configuration.get('log-access-configuration')}}
 import {{ slave_configuration_directory }}/*.conf
 import {{ slave_with_cache_configuration_directory }}/*.conf
 
-{%- set ssl = {} -%}
-{%- if os_module.path.exists(master_certificate) -%}
-{%-   do ssl.__setitem__('certificate', master_certificate) -%}
-{%-   do ssl.__setitem__('key', master_certificate) -%}
-{#- BBB: SlapOS Master non-zero knowledge BEGIN -#}
-{%- elif os_module.path.getsize(apache_certificate) > 0 and os_module.path.getsize(apache_key) > 0 -%}
-{%-   do ssl.__setitem__('certificate', apache_certificate) -%}
-{%-   do ssl.__setitem__('key', apache_key) -%}
-{%- endif -%}
-{#- BBB: SlapOS Master non-zero knowledge END #}
-# Catch-all and 404 for not configured instances
-{% if 'key' in ssl %}
 :{{ https_port }} {
-  tls {{ ssl['certificate'] }} {{ ssl['key'] }}
+  tls {{ master_certificate }} {{ master_certificate }}
   bind {{ local_ipv4 }}
   # Compress the output
   gzip
   status 404 /
-  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
+  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
   errors {{ error_log }} {
+    rotate_size 0
     * {{ not_found_file }}
   }
 }
-{% endif %}
 
 :{{ http_port }} {
   bind {{ local_ipv4 }}
   # Compress the output
   gzip
   status 404 /
-  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
+  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
   errors {{ error_log }} {
+    rotate_size 0
     * {{ not_found_file }}
   }
 }
 
 # Access to server-status Caddy-style
 https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
-  tls {{ frontend_configuration['ip-access-certificate'] }} {{ frontend_configuration['ip-access-key'] }}
+  tls {{ frontend_configuration['ip-access-certificate'] }} {{ frontend_configuration['ip-access-certificate'] }}
   # Compress the output
   gzip
   bind {{ local_ipv4 }}
@@ -52,8 +45,11 @@ https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv
   }
   expvar
   pprof
-  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
+  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
   errors {{ error_log }} {
+    rotate_size 0
     * {{ not_found_file }}
   }
 }

software/caddy-frontend/templates/apache-custom-slave-list.cfg.in

 {% if software_type == slap_software_type %}
 
+{% set kedifa_updater_mapping = [] %}
 {% set cached_server_dict = {} %}
 {% set part_list = [] %}
 {% set cache_port = caddy_configuration.get('cache-port') %}
@@ -20,7 +21,6 @@ recipe = slapos.recipe.template:jinja2
 extensions = jinja2.ext.do
 extra-context =
 context =
-    import os_module os
     raw common_profile {{ common_profile }}
     ${:extra-context}
 
@@ -32,12 +32,7 @@ notifempty = true
 create = true
 
 {% if master_key_download_url %}
-{%   do part_list.append('master-key-download') %}
-[master-key-download]
-recipe = plone.recipe.command
-destination = {{ master_certificate }}
-command = {{ kedifa_getter }} --out ${:destination} --server-ca-certificate {{ kedifa_caucase_ca_certificate }} --identity {{ kedifa_login_certificate }} {{ master_key_download_url }}
-update-command = ${:command}
+{%   do kedifa_updater_mapping.append((master_key_download_url, master_certificate, apache_certificate)) %}
 {% endif %}
 
 {% if slave_kedifa_information %}
@@ -174,34 +169,11 @@ bytes = 8
 
 {# ################################################## #}
 {# Set Slave Certificates if needed                   #}
-{%   set cert_dirname = slave_reference.replace('-','.') %}
-{%   set autocert_dir = '/'.join([autocert, cert_dirname]) %}
-[{{ slave_reference }}-path]
-recipe = slapos.cookbook:mkdirectory
-cert = {{ autocert_dir }}
 {# Set certificate key for custom configuration       #}
-{% set certificate = '%s/certificate.pem' % (autocert_dir, ) %}
+{% set cert_name = slave_reference.replace('-','.') + '.pem' %}
+{% set certificate = '%s/%s' % (autocert, cert_name) %}
 {% do slave_parameter_dict.__setitem__('certificate', certificate )%}
 
-[{{ slave_reference }}-key-download]
-recipe = plone.recipe.command
-destination = {{ '${' + slave_reference + '-path:cert}/downloaded.pem' }}
-used = {{ '${' + slave_reference + '-path:cert}/certificate.pem' }}
-source-master = ${master-key-download:destination}
-command =
-  {{ kedifa_getter }} --out ${:destination} --server-ca-certificate {{ kedifa_caucase_ca_certificate }} --identity {{ kedifa_login_certificate }} {{ key_download_url }}
-  if [ -f ${:destination} ] ; then
-    # if the slave specific certificate is available, use it
-    ln -sf ${:destination} ${:used}
-  elif [ -f ${:source-master} ] ; then
-    # if the master provided certificate is available, use it
-    ln -sf ${:source-master} ${:used}
-  else
-    rm -f ${:used}
-  fi
-update-command = ${:command}
-
-# BBB: SlapOS Master non-zero knowledge BEGIN
 {# Set ssl certificates for each slave #}
 {%   for cert_name in ('ssl_csr', 'ssl_proxy_ca_crt')%}
 {%     if cert_name in slave_instance %}
@@ -217,6 +189,7 @@ template = {{ empty_template }}
 rendered = {{ cert_file }}
 extra-context =
     key content {{ cert_title + '-config:value' }}
+# BBB: SlapOS Master non-zero knowledge BEGIN
 # Store certificate in config
 [{{ cert_title + '-config' }}]
 value = {{ dumps(slave_instance.get(cert_name)) }}
@@ -224,42 +197,29 @@ value = {{ dumps(slave_instance.get(cert_name)) }}
 {%   endfor %}
 
 {#-   Set Up Certs #}
-{%   do slave_instance.__setitem__('apache_certificate', apache_certificate) %}
-{%   do slave_instance.__setitem__('apache_key', apache_key) %}
 {%   if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance %}
 {%     set cert_title = '%s-crt' % (slave_reference) %}
-{%     set key_title = '%s-key' % (slave_reference) %}
-{%     set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %}
-{%     set key_file = '/'.join([custom_ssl_directory, key_title.replace('-','.')]) %}
+{%     set cert_file = '/'.join([bbb_ssl_directory, cert_title.replace('-','.')]) %}
+{%     do kedifa_updater_mapping.append((key_download_url, certificate, cert_file)) %}
 {%     do part_list.append(cert_title) %}
-{%     do part_list.append(key_title) %}
 {%     do slave_parameter_dict.__setitem__("ssl_crt", cert_file) %}
-{%     do slave_parameter_dict.__setitem__("ssl_key", key_file) %}
-{%     do slave_instance.__setitem__('path_to_ssl_crt', cert_file) %}
-{%     do slave_instance.__setitem__('path_to_ssl_key', key_file) %}
-
-[{{key_title}}]
-< = jinja2-template-base
-template = {{ empty_template }}
-rendered = {{ key_file }}
-key-content = {{ dumps(slave_instance.get('ssl_key')) }}
-extra-context =
-    key content :key-content
 
 [{{cert_title}}]
 < = jinja2-template-base
 template = {{ empty_template }}
 rendered = {{ cert_file }}
-cert-content = {{ dumps(slave_instance.get('ssl_crt') + '\n' + slave_instance.get('ssl_ca_crt', '')) }}
+cert-content = {{ dumps(slave_instance.get('ssl_crt') + '\n' + slave_instance.get('ssl_ca_crt', '') + '\n' + slave_instance.get('ssl_key')) }}
 extra-context =
     key content :cert-content
+{%   else %}
+{%     do kedifa_updater_mapping.append((key_download_url, certificate, master_certificate)) %}
 {%   endif %}
 # BBB: SlapOS Master non-zero knowledge END
 
 {# ########################################## #}
 {# Set Slave Configuration                    #}
 [{{ slave_configuration_section_name }}]
-certificate = {{ '${' + slave_reference + '-key-download:used}' }}
+certificate = {{ certificate }}
 https_port = {{ dumps('' ~ https_port) }}
 http_port = {{ dumps('' ~ http_port) }}
 local_ipv4 = {{ dumps('' ~ local_ipv4) }}
@@ -466,7 +426,6 @@ global_ipv6 = {{ dumps(global_ipv6) }}
 https_port = {{ dumps(https_port) }}
 http_port = {{ dumps(http_port) }}
 ip_access_certificate = {{ frontend_configuration.get('ip-access-certificate') }}
-ip_access_key = {{ frontend_configuration.get('ip-access-key') }}
 access_log = {{ dumps(access_log) }}
 error_log = {{ dumps(error_log) }}
 not_found_file = {{ dumps(not_found_file) }}
@@ -493,12 +452,44 @@ monitor-base-url = {{ monitor_base_url }}
 csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/csr_id.txt
 csr_id-certificate = ${get-csr_id-certificate:certificate}
 
+[kedifa-updater]
+recipe = slapos.cookbook:wrapper
+command-line = {{ kedifa_updater }}
+  --server-ca-certificate {{ kedifa_caucase_ca_certificate }}
+  --identity {{ kedifa_login_certificate }}
+  --master-certificate {{ master_certificate }}
+  --on-update "{{ frontend_graceful_reload }} ; {{ nginx_graceful_reload }}"
+  ${kedifa-updater-mapping:file}
+  {{ kedifa_updater_state_file }}
+
+wrapper-path = {{ service_directory }}/kedifa-updater
+hash-files = ${buildout:directory}/software_release/buildout.cfg
+
+[kedifa-updater-mapping]
+recipe = slapos.recipe.template:jinja2
+file = {{ kedifa_updater_mapping_file }}
+template = inline:
+{% for mapping in kedifa_updater_mapping %}
+  {{ mapping[0] }} {{ mapping[1] }} {{ mapping[2] }}
+{% endfor %}
+
+rendered = ${:file}
+
+[caddy-log-access-header]
+# Caddy refuse to start if an `import`ed file is empty, so we prepend a header
+# so that the file is never empty.
+< = jinja2-template-base
+template = inline: # This file contain directives to serve directories with log files
+rendered = {{frontend_configuration.get('log-access-configuration')}}
+
 [buildout]
 extends =
   {{ common_profile }}
   {{ logrotate_base_instance }} 
 
 parts +=
+    kedifa-updater
+    caddy-log-access-header
 {% for part in part_list %}
 {{ '    %s' % part }}
 {% endfor %}
@@ -570,7 +561,7 @@ command-line = {{ caddy_executable }}
   -log ${expose-csr_id-configuration:error-log}
   -http2=true
   -disable-http-challenge
-  -disable-tls-sni-challenge
+  -disable-tls-alpn-challenge
   -root {{ directory_csr_id }}
 
 wrapper-path = {{ service_directory }}/expose-csr_id

software/caddy-frontend/templates/apache-lazy-script-call.sh.in

@@ -9,6 +9,7 @@ if [ ! -f $PIDFILE ]; then
   echo $PID > $PIDFILE
   sleep {{ wait_time }}
   {{ lazy_command }}
+  rm -f $PIDFILE
 else
   ps --pid `cat $PIDFILE` &>/dev/null
   if [ $? -eq 0 ]; then
@@ -17,6 +18,7 @@ else
     echo $PID > $PIDFILE
     sleep {{ wait_time }}
     {{ lazy_command }}
+    rm -f $PIDFILE
   fi
 fi
 

software/caddy-frontend/templates/caddy-custom-http-validator.in

-#!${dash:location}/bin/dash
-config="$1"
-
-echo -e $config | ${caddy:output} -conf stdin -validate > /dev/null 2>&1

software/caddy-frontend/templates/default-virtualhost.conf.in

@@ -26,25 +26,11 @@
 {%- set default_path = slave_parameter.get('default-path', '').strip('/') | urlencode %}
 
 # SSL enabled hosts
-{% set ssl = {} %}
-{% if os_module.path.exists(slave_parameter['certificate']) %}
-{%   do ssl.__setitem__('certificate', slave_parameter['certificate']) %}
-{%   do ssl.__setitem__('key', slave_parameter['certificate']) %}
-{#- BBB: SlapOS Master non-zero knowledge BEGIN -#}
-{% elif 'path_to_ssl_crt' in slave_parameter and 'path_to_ssl_key' in slave_parameter %}
-{%   do ssl.__setitem__('certificate', slave_parameter['path_to_ssl_crt']) %}
-{%   do ssl.__setitem__('key', slave_parameter['path_to_ssl_key']) %}
-{% elif os_module.path.getsize(slave_parameter['apache_certificate']) > 0 and os_module.path.getsize(slave_parameter['apache_key']) > 0 %}
-{%   do ssl.__setitem__('certificate', slave_parameter['apache_certificate']) %}
-{%   do ssl.__setitem__('key', slave_parameter['apache_key']) %}
-{% endif %}
-{#- BBB: SlapOS Master non-zero knowledge END -#}
-{% if 'key' in ssl %}
 {{ https_host_list|join(', ') }} {
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-  tls {{ ssl['certificate'] }} {{ ssl['key'] }} {
+  tls {{ slave_parameter['certificate'] }} {{ slave_parameter['certificate'] }} {
 {%- if enable_h2 %}
     # Allow HTTP2
     alpn h2 http/1.1
@@ -53,8 +39,13 @@
     alpn http/1.1
 {%- endif %} {#- if enable_h2 #}
   } {# tls #}
-  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
-  errors {{ slave_parameter.get('error_log') }}
+  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
+
+  errors {{ slave_parameter.get('error_log') }} {
+    rotate_size 0
+  }
 
 {%- if not (slave_type == 'zope' and backend_url) %}
 {%    if prefer_gzip %}
@@ -189,7 +180,6 @@
 {%-   endif %} {#-   if backend_url #}
 {%- endif %} {#- if slave_type ==  'zope' and backend_url #}
 }  {# https_host_list|join(', ') #}
-{% endif %}
 
 # SSL-disabled hosts
 {{ http_host_list|join(', ') }} {
@@ -197,8 +187,12 @@
   # Compress the output
   gzip
 
-  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
-  errors {{ slave_parameter.get('error_log') }}
+  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+}
+  errors {{ slave_parameter.get('error_log') }} {
+    rotate_size 0
+}
 
 {%- if not (slave_type == 'zope' and backend_url) %}
 {%-   if prefer_gzip  %}

software/caddy-frontend/templates/nginx-notebook-slave.conf.in

@@ -5,28 +5,18 @@
 {%-   set https_upstream = https_url.split("/")[2] %}
 
 # SSL-enabled
-{% set ssl = {} %}
-{% if os_module.path.exists(slave_parameter['certificate']) %}
-{%   do ssl.__setitem__('certificate', slave_parameter['certificate']) %}
-{%   do ssl.__setitem__('key', slave_parameter['certificate']) %}
-{#- BBB: SlapOS Master non-zero knowledge BEGIN -#}
-{% elif 'path_to_ssl_crt' in slave_parameter and 'path_to_ssl_key' in slave_parameter %}
-{%   do ssl.__setitem__('certificate', slave_parameter['path_to_ssl_crt']) %}
-{%   do ssl.__setitem__('key', slave_parameter['path_to_ssl_key']) %}
-{% elif os_module.path.getsize(slave_parameter['apache_certificate']) > 0 and os_module.path.getsize(slave_parameter['apache_key']) > 0 %}
-{%   do ssl.__setitem__('certificate', slave_parameter['apache_certificate']) %}
-{%   do ssl.__setitem__('key', slave_parameter['apache_key']) %}
-{% endif %}
-{#- BBB: SlapOS Master non-zero knowledge END -#}
-{% if 'key' in ssl %}
 https://{{ slave_parameter.get('custom_domain') }}:{{ slave_parameter['nginx_https_port'] }} {
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
-  errors {{ slave_parameter.get('error_log') }}
+  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
+  errors {{ slave_parameter.get('error_log') }} {
+    rotate_size 0
+  }
 
-  tls {{ ssl['certificate'] }} {{ ssl['key'] }} {
+  tls {{ slave_parameter['certificate'] }} {{ slave_parameter['certificate'] }} {
     alpn http/1.1
   }
 
@@ -50,15 +40,18 @@ https://{{ slave_parameter.get('custom_domain') }}:{{ slave_parameter['nginx_htt
     insecure_skip_verify
   }
 }
-{% endif %}
 
 # SSL-disabled
 http://{{ slave_parameter.get('custom_domain') }}:{{ slave_parameter['nginx_http_port'] }} {
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
-  errors {{ slave_parameter.get('error_log') }}
+  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
+  errors {{ slave_parameter.get('error_log') }} {
+    rotate_size 0
+  }
 
   proxy / {{ upstream }} {
     try_duration {{ slave_parameter['proxy_try_duration'] }}s

software/caddy-frontend/templates/nginx.cfg.in

@@ -58,38 +58,31 @@
 import {{ slave_configuration_directory }}/*.conf
 
 # Catch-all and 404 for not configured instances
-{%- set ssl = {} -%}
-{%- if os_module.path.exists(master_certificate) -%}
-{%-   do ssl.__setitem__('certificate', master_certificate) -%}
-{%-   do ssl.__setitem__('key', master_certificate) -%}
-{#- BBB: SlapOS Master non-zero knowledge BEGIN -#}
-{%- elif os_module.path.getsize(apache_certificate) > 0 and os_module.path.getsize(apache_key) > 0 -%}
-{%-   do ssl.__setitem__('certificate', apache_certificate) -%}
-{%-   do ssl.__setitem__('key', apache_key) -%}
-{%- endif -%}
-{#- BBB: SlapOS Master non-zero knowledge END -#}
-# Catch-all and 404 for not configured instances
-{% if 'key' in ssl %}
 :{{ port }} {
-  tls {{ ssl['certificate'] }} {{ ssl['key'] }}
+  tls {{ master_certificate }} {{ master_certificate }}
   bind {{ local_ip }}
   # Serve an error 204 (No Content) for favicon.ico
   status 204 /favicon.ico
   status 404 /
-  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
+  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
   errors {{ error_log }} {
+    rotate_size 0
     * {{ not_found_file }}
   }
 }
-{% endif %}
 
 :{{ plain_port }} {
   bind {{ local_ip }}
   # Serve an error 204 (No Content) for favicon.ico
   status 204 /favicon.ico
   status 404 /
-  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
+  log / {{ access_log }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
   errors {{ error_log }} {
+    rotate_size 0
     * {{ not_found_file }}
   }
 }

software/caddy-frontend/templates/template-log-access.conf.in

@@ -4,13 +4,16 @@ https://[{{ parameter_dict['global_ipv6'] }}]:{{ parameter_dict['https_port'] }}
   bind {{ parameter_dict['local_ipv4'] }}
   root {{ directory }}/
   browse
-  tls {{ parameter_dict['ip_access_certificate'] }} {{ parameter_dict['ip_access_key'] }}
+  tls {{ parameter_dict['ip_access_certificate'] }} {{ parameter_dict['ip_access_certificate'] }}
   basicauth "{{ slave }}" {{ slave_password[slave] | trim }} {
     "Log Access {{ slave }}"
     /
   }
-  log / {{ parameter_dict['access_log'] }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
+  log / {{ parameter_dict['access_log'] }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
+    rotate_size 0
+  }
   errors {{ parameter_dict['error_log'] }} {
+    rotate_size 0
     * {{ parameter_dict['not_found_file'] }}
   }
 }

software/caddy-frontend/test/test.py

@@ -359,6 +359,8 @@ class TestDataMixin(object):
     ignored_plugin_list = [
       '__init__.py',  # that's not a plugin
       'monitor-http-frontend.py',  # can't check w/o functioning frontend
+      # ATS cache fillup can't be really controlled during test run
+      'trafficserver-cache-availability.py',
     ]
     runpromise_bin = os.path.join(
       self.software_path, 'bin', 'monitor.runpromise')
@@ -690,6 +692,31 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
       verify=cls.ca_certificate_file)
     assert upload.status_code == httplib.CREATED
 
+  @classmethod
+  def runKedifaUpdater(cls):
+    kedifa_updater = None
+    for kedifa_updater in sorted(glob.glob(
+        os.path.join(
+          cls.instance_path, '*', 'etc', 'service', 'kedifa-updater*'))):
+      # fetch first kedifa-updater, as by default most of the tests are using
+      # only one running partition; in case if test does not need
+      # kedifa-updater this method can be overridden
+      break
+    if kedifa_updater is not None:
+      # try few times kedifa_updater
+      for i in range(10):
+        return_code, output = subprocess_status_output(
+          [kedifa_updater, '--once'])
+        if return_code == 0:
+          break
+        # wait for the other updater to work
+        time.sleep(2)
+      # assert that in the worst case last run was correct
+      assert return_code == 0, output
+      # give caddy a moment to refresh its config, as sending signal does not
+      # block until caddy is refreshed
+      time.sleep(2)
+
   @classmethod
   def untilSlavePartitionReady(cls):
     for slave_reference, partition_parameter_kw in cls\
@@ -724,6 +751,11 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
     # run partition for slaves to be setup
     cls.runComputerPartitionUntil(
       cls.untilSlavePartitionReady)
+    cls.runKedifaUpdater()
+    # run once more slapos node instance, as kedifa-updater sets up
+    # certificates needed for caddy-frontend, and on this moment it can be
+    # not started yet
+    cls.runComputerPartition(max_quantity=1)
     for slave_reference, partition_parameter_kw in cls\
             .getSlaveParameterDictDict().items():
       slave_instance = request(
@@ -1205,25 +1237,6 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
 
     partition_path = self.getMasterPartitionPath()
 
-    self.assertEqual(
-      set([
-        'promise-monitor-httpd-is-process-older-than-dependency-set',
-      ]),
-      set(os.listdir(os.path.join(partition_path, 'etc', 'promise'))))
-
-    self.assertEqual(
-      set([
-        'monitor-bootstrap-status.py',
-        'check-free-disk-space.py',
-        'monitor-http-frontend.py',
-        'monitor-httpd-listening-on-tcp.py',
-        'buildout-T-0-status.py',
-        '__init__.py',
-      ]),
-      set([
-        q for q in os.listdir(os.path.join(partition_path, 'etc', 'plugin'))
-        if not q.endswith('.pyc')]))
-
     # check that monitor cors domains are correctly setup by file presence, as
     # we trust monitor stack being tested in proper place and it is too hard
     # to have working monitor with local proxy
@@ -1616,9 +1629,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       data=data,
       verify=self.ca_certificate_file)
     self.assertEqual(httplib.CREATED, upload.status_code)
-
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
@@ -1631,7 +1642,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
 
     certificate_file_list = glob.glob(os.path.join(
       self.instance_path, '*', 'srv', 'autocert',
-      '_custom_domain_ssl_crt_ssl_key_ssl_ca_crt', 'certificate.pem'))
+      '_custom_domain_ssl_crt_ssl_key_ssl_ca_crt.pem'))
     self.assertEqual(1, len(certificate_file_list))
     certificate_file = certificate_file_list[0]
     with open(certificate_file) as out:
@@ -1700,9 +1711,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       verify=self.ca_certificate_file)
 
     self.assertEqual(httplib.CREATED, upload.status_code)
-
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     with self.assertRaises(requests.exceptions.SSLError):
       self.fakeHTTPSResult(
@@ -1710,7 +1719,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
 
     certificate_file_list = glob.glob(os.path.join(
       self.instance_path, '*', 'srv', 'autocert',
-      '_ssl_ca_crt_garbage', 'certificate.pem'))
+      '_ssl_ca_crt_garbage.pem'))
     self.assertEqual(1, len(certificate_file_list))
     certificate_file = certificate_file_list[0]
     with open(certificate_file) as out:
@@ -1746,9 +1755,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       verify=self.ca_certificate_file)
 
     self.assertEqual(httplib.CREATED, upload.status_code)
-
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
@@ -1761,7 +1768,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
 
     certificate_file_list = glob.glob(os.path.join(
       self.instance_path, '*', 'srv', 'autocert',
-      '_ssl_ca_crt_does_not_match', 'certificate.pem'))
+      '_ssl_ca_crt_does_not_match.pem'))
     self.assertEqual(1, len(certificate_file_list))
     certificate_file = certificate_file_list[0]
     with open(certificate_file) as out:
@@ -1863,9 +1870,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       data=data,
       verify=self.ca_certificate_file)
     self.assertEqual(httplib.CREATED, upload.status_code)
-
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
@@ -3593,6 +3598,10 @@ class TestDefaultMonitorHttpdPort(SlaveHttpFrontendTestCase, TestDataMixin):
       'caucase_port': CAUCASE_PORT,
     }
 
+  @classmethod
+  def runKedifaUpdater(cls):
+    return
+
   @classmethod
   def getSlaveParameterDictDict(cls):
     return {
@@ -3633,8 +3642,6 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': SLAPOS_TEST_IPV4,
       'enable-quic': 'true',
-      '-frontend-authorized-slave-string':
-      '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
       'nginx_port': NGINX_HTTPS_PORT,
@@ -3654,20 +3661,6 @@ class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
       },
     }
 
-  def getMasterPartitionPath(self):
-    # partition w/o etc/trafficserver, but with buildout.cfg
-    return [
-      q for q in glob.glob(os.path.join(self.instance_path, '*',))
-      if not os.path.exists(
-        os.path.join(q, 'etc', 'trafficserver')) and os.path.exists(
-          os.path.join(q, 'buildout.cfg'))][0]
-
-  def getSlavePartitionPath(self):
-    # partition w/ etc/trafficserver
-    return [
-      q for q in glob.glob(os.path.join(self.instance_path, '*',))
-      if os.path.exists(os.path.join(q, 'etc', 'trafficserver'))][0]
-
   # It is known problem that QUIC does not work after sending reload signal,
   # SIGUSR1, see https://github.com/mholt/caddy/issues/2394
   @expectedFailure
@@ -3746,7 +3739,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': SLAPOS_TEST_IPV4,
-      '-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
       'nginx_port': NGINX_HTTPS_PORT,
@@ -3761,16 +3753,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
   @classmethod
   def getSlaveParameterDictDict(cls):
     return {
-      'caddy_custom_http_s-reject': {
-        'caddy_custom_https': """DestroyCaddyHttps
-For sure
-This shall not be valid
-https://www.google.com {}""",
-        'caddy_custom_http': """DestroyCaddyHttp
-For sure
-This shall not be valid
-https://www.google.com {}""",
-      },
       're6st-optimal-test-nocomma': {
         're6st-optimal-test': 'nocomma',
       },
@@ -3822,12 +3804,9 @@ https://www.google.com {}""",
       'kedifa-caucase-url': 'http://[%s]:%s' % (
          SLAPOS_TEST_IPV6, CAUCASE_PORT),
       'accepted-slave-amount': '8',
-      'rejected-slave-amount': '3',
-      'slave-amount': '11',
+      'rejected-slave-amount': '2',
+      'slave-amount': '10',
       'rejected-slave-dict': {
-        '_caddy_custom_http_s-reject': [
-          'slave caddy_custom_http configuration invalid',
-          'slave caddy_custom_https configuration invalid'],
         '_custom_domain-unsafe': [
           "custom_domain '${section:option} afterspace\\nafternewline' invalid"
         ],
@@ -4147,18 +4126,6 @@ https://www.google.com {}""",
       }
     )
 
-  def test_caddy_custom_http_s_reject(self):
-    parameter_dict = self.parseSlaveParameterDict('caddy_custom_http_s-reject')
-    self.assertEqual(
-      {
-        'request-error-list': [
-          "slave caddy_custom_http configuration invalid",
-          "slave caddy_custom_https configuration invalid"
-        ]
-      },
-      parameter_dict
-    )
-
 
 class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
   @classmethod
@@ -4167,7 +4134,6 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
       'domain': 'example.com',
       'nginx-domain': 'nginx.example.com',
       'public-ipv4': SLAPOS_TEST_IPV4,
-      '-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
       'port': HTTPS_PORT,
       'plain_http_port': HTTP_PORT,
       'nginx_port': NGINX_HTTPS_PORT,
@@ -4211,7 +4177,7 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
       'rejected-slave-amount': '3',
       'slave-amount': '4',
       'rejected-slave-dict': {
-        '_site_1': ["custom_domain 'duplicate.example.com' clashes"],
+        '_site_2': ["custom_domain 'duplicate.example.com' clashes"],
         '_site_3': ["server-alias 'duplicate.example.com' clashes"],
         '_site_4': ["custom_domain 'duplicate.example.com' clashes"]
       }
@@ -4224,15 +4190,6 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
 
   def test_site_1(self):
     parameter_dict = self.parseSlaveParameterDict('site_1')
-    self.assertEqual(
-      {
-        'request-error-list': ["custom_domain 'duplicate.example.com' clashes"]
-      },
-      parameter_dict
-    )
-
-  def test_site_2(self):
-    parameter_dict = self.parseSlaveParameterDict('site_2')
     self.assertLogAccessUrlWithPop(parameter_dict)
     self.assertKedifaKeysWithPop(parameter_dict)
     self.assertEqual(
@@ -4247,6 +4204,15 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
       parameter_dict
     )
 
+  def test_site_2(self):
+    parameter_dict = self.parseSlaveParameterDict('site_2')
+    self.assertEqual(
+      {
+        'request-error-list': ["custom_domain 'duplicate.example.com' clashes"]
+      },
+      parameter_dict
+    )
+
   def test_site_3(self):
     parameter_dict = self.parseSlaveParameterDict('site_3')
     self.assertEqual(
@@ -4487,9 +4453,7 @@ class TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster(
       master_parameter_dict['master-key-upload-url'] + auth.text,
       data=key_pem + certificate_pem,
       verify=self.ca_certificate_file)
-
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
@@ -4780,9 +4744,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
       data=data,
       verify=self.ca_certificate_file)
     self.assertEqual(httplib.CREATED, upload.status_code)
-
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
@@ -4874,8 +4836,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
       verify=self.ca_certificate_file)
     self.assertEqual(httplib.CREATED, upload.status_code)
 
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
@@ -4959,8 +4920,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
       verify=self.ca_certificate_file)
     self.assertEqual(httplib.CREATED, upload.status_code)
 
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
@@ -5053,8 +5013,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
       verify=self.ca_certificate_file)
     self.assertEqual(httplib.CREATED, upload.status_code)
 
-    # after partitions being processed the key will be used for this slave
-    self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
@@ -5143,23 +5102,15 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
     certificate_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', 'caddy-slave-conf.d', 'ssl',
+      self.instance_path, '*', 'srv', 'bbb-ssl',
       '_custom_domain_ssl_crt_ssl_key_ssl_ca_crt.crt'))
     self.assertEqual(1, len(certificate_file_list))
     certificate_file = certificate_file_list[0]
     with open(certificate_file) as out:
+      expected = self.customdomain_ca_certificate_pem + '\n' + \
+        self.ca.certificate_pem + '\n' + self.customdomain_ca_key_pem
       self.assertEqual(
-        self.customdomain_ca_certificate_pem + '\n' + self.ca.certificate_pem,
-        out.read()
-      )
-    key_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', 'caddy-slave-conf.d', 'ssl',
-      '_custom_domain_ssl_crt_ssl_key_ssl_ca_crt.key'))
-    self.assertEqual(1, len(key_file_list))
-    key_file = key_file_list[0]
-    with open(key_file) as out:
-      self.assertEqual(
-        self.customdomain_ca_key_pem,
+        expected,
         out.read()
       )
 
@@ -5186,6 +5137,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
     )
 
     self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
@@ -5196,23 +5148,15 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
     self.assertEqualResultJson(result, 'Path', '/test-path')
 
     certificate_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', 'caddy-slave-conf.d', 'ssl',
+      self.instance_path, '*', 'srv', 'bbb-ssl',
       '_custom_domain_ssl_crt_ssl_key_ssl_ca_crt.crt'))
     self.assertEqual(1, len(certificate_file_list))
     certificate_file = certificate_file_list[0]
     with open(certificate_file) as out:
+      expected = customdomain_ca_certificate_pem + '\n' + ca.certificate_pem \
+        + '\n' + customdomain_ca_key_pem
       self.assertEqual(
-        customdomain_ca_certificate_pem + '\n' + ca.certificate_pem,
-        out.read()
-      )
-    key_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', 'caddy-slave-conf.d', 'ssl',
-      '_custom_domain_ssl_crt_ssl_key_ssl_ca_crt.key'))
-    self.assertEqual(1, len(key_file_list))
-    key_file = key_file_list[0]
-    with open(key_file) as out:
-      self.assertEqual(
-        customdomain_ca_key_pem,
+        expected,
         out.read()
       )
 
@@ -5271,23 +5215,15 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
       der2pem(result.peercert))
 
     certificate_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', 'caddy-slave-conf.d', 'ssl',
+      self.instance_path, '*', 'srv', 'bbb-ssl',
       '_ssl_ca_crt_does_not_match.crt'))
     self.assertEqual(1, len(certificate_file_list))
     certificate_file = certificate_file_list[0]
     with open(certificate_file) as out:
+      expected = self.certificate_pem + '\n' + self.ca.certificate_pem + \
+        '\n' + self.key_pem
       self.assertEqual(
-        self.certificate_pem + '\n' + self.ca.certificate_pem,
-        out.read()
-      )
-    key_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', 'caddy-slave-conf.d', 'ssl',
-      '_ssl_ca_crt_does_not_match.key'))
-    self.assertEqual(1, len(key_file_list))
-    key_file = key_file_list[0]
-    with open(key_file) as out:
-      self.assertEqual(
-        self.key_pem,
+        expected,
         out.read()
       )
 
@@ -5417,6 +5353,7 @@ class TestSlaveSlapOSMasterCertificateCompatibilityUpdate(
 
     })
     self.runComputerPartition(max_quantity=1)
+    self.runKedifaUpdater()
 
     result = self.fakeHTTPSResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')

software/caddy-frontend/test/test_data/test.TestDefaultMonitorHttpdPort.test_promise_run_plugin-CADDY.txt

@@ -12,14 +12,13 @@ T-2/etc/plugin/caddy_ssl_cached.py: OK
 T-2/etc/plugin/check-_test-error-log-last-day.py: OK
 T-2/etc/plugin/check-_test-error-log-last-hour.py: OK
 T-2/etc/plugin/check-free-disk-space.py: OK
-T-2/etc/plugin/frontend-caddy-configuration-promise.py: OK
+T-2/etc/plugin/frontend-caddy-configuration-promise.py: ERROR
 T-2/etc/plugin/monitor-bootstrap-status.py: OK
 T-2/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
-T-2/etc/plugin/nginx-configuration-promise.py: OK
+T-2/etc/plugin/nginx-configuration-promise.py: ERROR
 T-2/etc/plugin/nginx_frontend_ipv4_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestDefaultMonitorHttpdPort.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful STOPPED
 T-2:frontend_caddy-{hash}-on-watch STOPPED
 T-2:frontend_nginx-{hash}-on-watch STOPPED
 T-2:kedifa-login-certificate-caucase-updater-on-watch STOPPED
+T-2:kedifa-updater-{hash}-on-watch STOPPED
 T-2:monitor-httpd-{hash}-on-watch STOPPED
 T-2:monitor-httpd-graceful STOPPED
 T-2:trafficserver-{hash}-on-watch STOPPED

software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_log-CADDY.txt

@@ -4,8 +4,8 @@ T-1/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
-T-2/var/log/httpd/_site_2_access_log
-T-2/var/log/httpd/_site_2_error_log
+T-2/var/log/httpd/_site_1_access_log
+T-2/var/log/httpd/_site_1_error_log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/nginx-access.log
 T-2/var/log/nginx-error.log

software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_promise_run_plugin-CADDY.txt

@@ -9,8 +9,8 @@ T-2/etc/plugin/caddy_frontend_ipv4_https.py: OK
 T-2/etc/plugin/caddy_frontend_ipv6_http.py: OK
 T-2/etc/plugin/caddy_frontend_ipv6_https.py: OK
 T-2/etc/plugin/caddy_ssl_cached.py: ERROR
-T-2/etc/plugin/check-_site_2-error-log-last-day.py: OK
-T-2/etc/plugin/check-_site_2-error-log-last-hour.py: OK
+T-2/etc/plugin/check-_site_1-error-log-last-day.py: OK
+T-2/etc/plugin/check-_site_1-error-log-last-hour.py: OK
 T-2/etc/plugin/check-free-disk-space.py: OK
 T-2/etc/plugin/frontend-caddy-configuration-promise.py: OK
 T-2/etc/plugin/monitor-bootstrap-status.py: OK
@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_promise_run_plugin-CADDY.txt

@@ -25,5 +25,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_promise_run_plugin-CADDY.txt

@@ -25,5 +25,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_promise_run_plugin-CADDY.txt

@@ -25,5 +25,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_promise_run_plugin-CADDY.txt

@@ -25,5 +25,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_promise_run_plugin-CADDY.txt

@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_log-CADDY.txt

 T-0/var/log/monitor-httpd-error.log
 T-0/var/log/slapgrid-T-0-error.log
 T-1/var/log/expose-csr_id.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/nginx-access.log
 T-2/var/log/nginx-error.log

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_run-CADDY.txt

@@ -4,6 +4,7 @@ T-1/var/run/kedifa.pid
 T-2/var/run/caddy_graceful_signature
 T-2/var/run/caddy_validate_signature
 T-2/var/run/caddy_validate_signature.status
+T-2/var/run/httpd.pid
 T-2/var/run/monitor/monitor-bootstrap.pid
 T-2/var/run/nginx.pid
 T-2/var/run/nginx_graceful_signature

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_promise_run_plugin-CADDY.txt

@@ -4,20 +4,19 @@ T-0/etc/plugin/monitor-bootstrap-status.py: OK
 T-0/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
 T-2/etc/plugin/buildout-T-2-status.py: OK
 T-2/etc/plugin/caddy_cached.py: ERROR
-T-2/etc/plugin/caddy_frontend_ipv4_http.py: ERROR
-T-2/etc/plugin/caddy_frontend_ipv4_https.py: ERROR
+T-2/etc/plugin/caddy_frontend_ipv4_http.py: OK
+T-2/etc/plugin/caddy_frontend_ipv4_https.py: OK
 T-2/etc/plugin/caddy_frontend_ipv6_http.py: OK
 T-2/etc/plugin/caddy_frontend_ipv6_https.py: OK
 T-2/etc/plugin/caddy_ssl_cached.py: ERROR
 T-2/etc/plugin/check-free-disk-space.py: OK
-T-2/etc/plugin/frontend-caddy-configuration-promise.py: ERROR
+T-2/etc/plugin/frontend-caddy-configuration-promise.py: OK
 T-2/etc/plugin/monitor-bootstrap-status.py: OK
 T-2/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
 T-2/etc/plugin/nginx-configuration-promise.py: OK
 T-2/etc/plugin/nginx_frontend_ipv4_http.py: OK
-T-2/etc/plugin/nginx_frontend_ipv4_https.py: ERROR
+T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_supervisor_state-CADDY.txt

@@ -20,9 +20,10 @@ T-2:crond-{hash}-on-watch RUNNING
 T-2:expose-csr_id-{hash}-on-watch RUNNING
 T-2:frontend-caddy-safe-graceful EXITED
 T-2:frontend-nginx-safe-graceful EXITED
-T-2:frontend_caddy-{hash}-on-watch EXITED
+T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch EXITED
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_log-CADDY.txt

 T-0/var/log/monitor-httpd-error.log
 T-0/var/log/slapgrid-T-0-error.log
 T-1/var/log/expose-csr_id.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/nginx-access.log
 T-2/var/log/nginx-error.log

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_run-CADDY.txt

@@ -4,6 +4,7 @@ T-1/var/run/kedifa.pid
 T-2/var/run/caddy_graceful_signature
 T-2/var/run/caddy_validate_signature
 T-2/var/run/caddy_validate_signature.status
+T-2/var/run/httpd.pid
 T-2/var/run/monitor/monitor-bootstrap.pid
 T-2/var/run/nginx.pid
 T-2/var/run/nginx_graceful_signature

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_promise_run_plugin-CADDY.txt

@@ -4,20 +4,19 @@ T-0/etc/plugin/monitor-bootstrap-status.py: OK
 T-0/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
 T-2/etc/plugin/buildout-T-2-status.py: OK
 T-2/etc/plugin/caddy_cached.py: ERROR
-T-2/etc/plugin/caddy_frontend_ipv4_http.py: ERROR
-T-2/etc/plugin/caddy_frontend_ipv4_https.py: ERROR
+T-2/etc/plugin/caddy_frontend_ipv4_http.py: OK
+T-2/etc/plugin/caddy_frontend_ipv4_https.py: OK
 T-2/etc/plugin/caddy_frontend_ipv6_http.py: OK
 T-2/etc/plugin/caddy_frontend_ipv6_https.py: OK
 T-2/etc/plugin/caddy_ssl_cached.py: ERROR
 T-2/etc/plugin/check-free-disk-space.py: OK
-T-2/etc/plugin/frontend-caddy-configuration-promise.py: ERROR
+T-2/etc/plugin/frontend-caddy-configuration-promise.py: OK
 T-2/etc/plugin/monitor-bootstrap-status.py: OK
 T-2/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
 T-2/etc/plugin/nginx-configuration-promise.py: OK
 T-2/etc/plugin/nginx_frontend_ipv4_http.py: OK
-T-2/etc/plugin/nginx_frontend_ipv4_https.py: ERROR
+T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_supervisor_state-CADDY.txt

@@ -20,9 +20,10 @@ T-2:crond-{hash}-on-watch RUNNING
 T-2:expose-csr_id-{hash}-on-watch RUNNING
 T-2:frontend-caddy-safe-graceful EXITED
 T-2:frontend-nginx-safe-graceful EXITED
-T-2:frontend_caddy-{hash}-on-watch EXITED
+T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch EXITED
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_promise_run_plugin-CADDY.txt

@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_promise_run_plugin-CADDY.txt

@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_promise_run_plugin-CADDY.txt

@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: ERROR
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_promise_run_plugin-CADDY.txt

@@ -21,7 +21,6 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
 T-3/etc/plugin/buildout-T-3-status.py: OK
 T-3/etc/plugin/caddy_cached.py: OK
@@ -33,14 +32,13 @@ T-3/etc/plugin/caddy_ssl_cached.py: OK
 T-3/etc/plugin/check-_replicate-error-log-last-day.py: OK
 T-3/etc/plugin/check-_replicate-error-log-last-hour.py: OK
 T-3/etc/plugin/check-free-disk-space.py: OK
-T-3/etc/plugin/frontend-caddy-configuration-promise.py: OK
+T-3/etc/plugin/frontend-caddy-configuration-promise.py: ERROR
 T-3/etc/plugin/monitor-bootstrap-status.py: OK
 T-3/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
-T-3/etc/plugin/nginx-configuration-promise.py: OK
+T-3/etc/plugin/nginx-configuration-promise.py: ERROR
 T-3/etc/plugin/nginx_frontend_ipv4_http.py: OK
 T-3/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-3/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-3/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-3/etc/plugin/re6st-connectivity.py: OK
-T-3/etc/plugin/trafficserver-cache-availability.py: ERROR
 T-3/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING
@@ -42,6 +43,7 @@ T-3:frontend-nginx-safe-graceful STOPPED
 T-3:frontend_caddy-{hash}-on-watch STOPPED
 T-3:frontend_nginx-{hash}-on-watch STOPPED
 T-3:kedifa-login-certificate-caucase-updater-on-watch STOPPED
+T-3:kedifa-updater-{hash}-on-watch STOPPED
 T-3:monitor-httpd-{hash}-on-watch STOPPED
 T-3:monitor-httpd-graceful STOPPED
 T-3:trafficserver-{hash}-on-watch STOPPED

software/caddy-frontend/test/test_data/test.TestSlave.test_promise_run_plugin-CADDY.txt

@@ -112,5 +112,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestSlave.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_promise_run_plugin-CADDY.txt

@@ -38,5 +38,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_promise_run_plugin-CADDY.txt

@@ -112,5 +112,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_promise_run_plugin-CADDY.txt

@@ -43,5 +43,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_promise_run_plugin-CADDY.txt

@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_promise_run_plugin-CADDY.txt

@@ -21,5 +21,4 @@ T-2/etc/plugin/nginx_frontend_ipv4_https.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_http.py: OK
 T-2/etc/plugin/nginx_frontend_ipv6_https.py: OK
 T-2/etc/plugin/re6st-connectivity.py: OK
-T-2/etc/plugin/trafficserver-cache-availability.py: OK
 T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_supervisor_state-CADDY.txt

@@ -23,6 +23,7 @@ T-2:frontend-nginx-safe-graceful EXITED
 T-2:frontend_caddy-{hash}-on-watch RUNNING
 T-2:frontend_nginx-{hash}-on-watch RUNNING
 T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash}-on-watch RUNNING
 T-2:monitor-httpd-{hash}-on-watch RUNNING
 T-2:monitor-httpd-graceful EXITED
 T-2:trafficserver-{hash}-on-watch RUNNING

software/seleniumserver/buildout.hash.cfg

@@ -19,4 +19,4 @@ md5sum = c4ac5de141ae6a64848309af03e51d88
 
 [template-selenium]
 filename = instance-selenium.cfg.in
-md5sum = fe248a36cd1908fb04b2cbb334c878ff
+md5sum = 4179c998a71bd87b0f0bd624d545071b

software/seleniumserver/instance-selenium.cfg.in

@@ -114,10 +114,8 @@ bytes = 12
 [selenium-server-frontend-config]
 recipe = slapos.recipe.template:jinja2
 rendered = $${directory:etc}/$${:_buildout_section_name_}
-# Catch-all simple frontend, as it can serve on different interface then accessed one, by
-# using "*" as hostname
 template = inline:
-  https://*:$${:port} {
+  https://[$${:ip}]:$${:port} {
     bind $${:ip}
     tls self_signed # TODO
     proxy / $${selenium-server-hub-instance:base-url} {