Revert "caddy-frontend: Enable (experimental) QUIC

This reverts commit 8e24f3ab.

QUIC has issues with client certificate authentication, detected by chance.

software/caddy-frontend/TODO.rst

@@ -61,6 +61,7 @@ Generally things to be done with ``caddy-frontend``:
  * reduce the time of configuration validation (in ``instance-apache-frontend.cfg`` sections ``[configtest]``, ``[caddy-configuration]``, ``[nginx-configuration]``), as it is not scalable on frontend with 2000+ slaves (takes few minutes instead of few, < 5, seconds), issue posted `upstream <https://github.com/mholt/caddy/issues/2220>`_
  * drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_
  * use caddy-frontend in `standalone style playbooks <https://lab.nexedi.com/nexedi/slapos.package/tree/master/playbook/roles/standalone-shared>`_
+ * ensure `QUIC <https://en.wikipedia.org/wiki/QUIC>`_ is used by caddy
 
 Things which can't be implemented:
 

software/caddy-frontend/buildout.hash.cfg

@@ -70,7 +70,7 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
 
 [template-caddy-wrapper]
 filename = templates/caddy-wrapper.in
-md5sum = 60780c1d3b6898eaec94fd0a0049da55
+md5sum = c5816275757124613920078b6bec1caf
 
 [template-trafficserver-records-config]
 filename = templates/trafficserver/records.config.jinja2

software/caddy-frontend/templates/caddy-wrapper.in

@@ -5,7 +5,6 @@ exec {{ caddy }} \
   -log {{ log }} \
   -http2=true \
   -grace {{ grace }}s \
-  -quic \
   -disable-http-challenge \
   -disable-tls-sni-challenge \
   "$@"

software/caddy-frontend/test/test.py

@@ -67,31 +67,8 @@ else:
 # response_code difference
 if IS_CADDY:
   no_backend_response_code = 404
-  COMMON_HEADERS = {
-    'Content-type': 'application/json',
-    'Alt-Svc': 'quic=":11443"; ma=2592000; v="39"',
-    'Set-Cookie': 'secured=value;secure, nonsecured=value'}
-  COMMON_HEADERS_VARY_GZIP = COMMON_HEADERS.copy()
-  COMMON_HEADERS_VARY_GZIP.update({
-    'Content-Encoding': 'gzip',
-    'Vary': 'Accept-Encoding'})
-  COMMON_HEADERS_VARY_GZIP_AGE = COMMON_HEADERS_VARY_GZIP.copy()
-  COMMON_HEADERS_VARY_GZIP_AGE.update({
-    'Age': '0'
-  })
 else:
   no_backend_response_code = 502
-  COMMON_HEADERS = {
-    'Content-type': 'application/json',
-    'Set-Cookie': 'secured=value;secure, nonsecured=value'}
-  COMMON_HEADERS_VARY_GZIP = COMMON_HEADERS.copy()
-  COMMON_HEADERS_VARY_GZIP.update({
-    'Content-Encoding': 'gzip',
-    'Vary': 'Accept-Encoding'})
-  COMMON_HEADERS_VARY_GZIP_AGE = COMMON_HEADERS_VARY_GZIP.copy()
-  COMMON_HEADERS_VARY_GZIP_AGE.update({
-    'Age': '0'
-  })
 
 caddy_custom_https = '''# caddy_custom_https_filled_in_accepted
 https://caddycustomhttpsaccepted.example.com:%%(https_port)s {
@@ -876,44 +853,6 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
       'secured=value;secure, nonsecured=value'
     )
 
-  @skipIf(not IS_CADDY, 'Caddy only')
-  def test_url_quic(self):
-    parameter_dict = self.slave_connection_parameter_dict_dict[
-      'url'].copy()
-    self.assertLogAccessUrlWithPop(parameter_dict, 'url')
-    self.assertEqual(
-      parameter_dict,
-      {
-        'domain': 'url.example.com',
-        'replication_number': '1',
-        'url': 'http://url.example.com',
-        'site_url': 'http://url.example.com',
-        'secure_access': 'https://url.example.com',
-        'public-ipv4': utils.LOCAL_IPV4,
-      }
-    )
-
-    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-
-    self.assertEqual(
-      utils.der2pem(result.peercert),
-      open('wildcard.example.com.crt').read())
-
-    self.assertEqualResultJson(result, 'Path', '/test-path')
-
-    try:
-      j = result.json()
-    except Exception:
-      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
-
-    self.assertEqual(
-      result.headers['Alt-Svc'], 'quic=":11443"; ma=2592000; v="39"'
-    )
-    # TODO: As soon as curl will have QUIC support it will be used to check
-    #       how well QUIC works https://github.com/curl/curl/wiki/QUIC
-
   @skipIf(IS_CADDY, 'Feature postponed')
   def test_url_ipv6_access(self):
     parameter_dict = self.slave_connection_parameter_dict_dict[
@@ -1525,7 +1464,8 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
       self.assertEqual(
         headers,
-        COMMON_HEADERS
+        {'Age': '0', 'Content-type': 'application/json',
+         'Set-Cookie': 'secured=value;secure, nonsecured=value'}
       )
 
       result_http = self.fakeHTTPResult(
@@ -1547,7 +1487,8 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
       self.assertEqual(
         headers,
-        COMMON_HEADERS
+        {'Age': '0', 'Content-type': 'application/json',
+         'Set-Cookie': 'secured=value;secure, nonsecured=value'}
       )
 
   def test_enable_cache_ssl_proxy_verify_unverified(self):
@@ -1844,7 +1785,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS_VARY_GZIP_AGE
+      {'Age': '0', 'Content-type': 'application/json',
+       'Set-Cookie': 'secured=value;secure, nonsecured=value',
+       'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'}
     )
 
     result_direct = self.fakeHTTPResult(
@@ -1935,7 +1878,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS_VARY_GZIP_AGE
+      {'Age': '0', 'Content-type': 'application/json',
+       'Set-Cookie': 'secured=value;secure, nonsecured=value',
+       'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'}
     )
 
     try:
@@ -1984,7 +1929,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS_VARY_GZIP_AGE
+      {'Age': '0', 'Content-type': 'application/json',
+       'Set-Cookie': 'secured=value;secure, nonsecured=value',
+       'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'}
     )
 
   def test_enable_http2_false(self):
@@ -2026,7 +1973,12 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS_VARY_GZIP
+      {
+        'Vary': 'Accept-Encoding',
+        'Content-Type': 'application/json',
+        'Set-Cookie': 'secured=value;secure, nonsecured=value',
+        'Content-Encoding': 'gzip',
+      }
     )
 
     self.assertFalse(
@@ -2071,7 +2023,12 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS_VARY_GZIP
+      {
+        'Vary': 'Accept-Encoding',
+        'Content-type': 'application/json',
+        'Set-Cookie': 'secured=value;secure, nonsecured=value',
+        'Content-Encoding': 'gzip',
+      }
     )
 
     self.assertTrue(
@@ -2201,7 +2158,10 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS
+      {
+        'Content-type': 'application/json',
+        'Set-Cookie': 'secured=value;secure, nonsecured=value'
+      }
     )
 
     result_http = self.fakeHTTPResult(
@@ -2274,7 +2234,10 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     self.assertEqual(
       headers,
-      COMMON_HEADERS
+      {
+        'Content-type': 'application/json',
+        'Set-Cookie': 'secured=value;secure, nonsecured=value'
+      }
     )
 
     result_http = self.fakeHTTPResult(