OpenVPN fails to build on Debian testing because
net-tools is no longer provided by default.

/reviewed-on !534

in apache frontend, we have been using:

```
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
```

The %l is (from mod_log_config docs): Remote logname (from identd, if
supplied). This will return a dash unless mod_ident is present and
IdentityCheck is set On.

In the case of apache frontend, it was always a - . This is missing in
caddy frontend and our existing log processing tools (apachedex) cannot
be used on frontend logs since we switched to Caddy.

/reviewed-on !530

dict in headers is smallcase, so it was never working in reality.

Added assertion which proves that the ATS is serving stale content in case if
the backend does not work, according to RFC5861.

It is beleived that stale-while-revalidate will work the same way, but it is
much harder to test, thus it is not done directly.

Adapted configuration and instantiation to ATS 7.

Deployment:
 * traffic_line has been replaced with traffic_ctl
 * access log, of squid style, is ascii instead of binary, to do so
   logging.config is generated
 * ip_allow.config is configured to allow access from any host
 * RFC 5861 (stale content on error or revalidate) is implemented with core
   instead with deprecated plugin
 * trafficserver-autoconf-port renamed to trafficserver-synthetic-port
 * proxy.config.system.mmap_max removed, as it is not used by the system anymore

Tests:
 * As Via header is not returned to the client, it is dropped from the
   tests, instead its existence in the backend is checked.
 * Promise plugin trafficserver-cache-availability.py is re enabled, as
   it is expected to work immediately.

as suggested by Jerome on b26ae6b3

old URL doesn't exist anymore

Do not change any defaults regarding 1.9, 1.10 and 1.11.

Usually the slapos.core on nodes is installed with slapos.libnetworkcache,
so do the same for testing environment, so shacache can be used during
installation.

It is better to have automation similar to previous implementation by
default.

AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered
by option automatic-internal-kedifa-caucase-csr.

It signs all CSR which match csr_id and certificate from the nodes which needs them.

csr_id is exposed over HTTPS with short living self signed certificate,
which is transmitted via SlapOS Master. Thanks to this, it is possible to
match csr_id with certificate of given partition and take decision if it shall
be signed or not.

This is "quite secure" apporach, a bit better than blidny trusting what CSR
to sign in KeDiFa. The bootstrap information, which is short living
(certificates are valid for 5 days), resides in SlapOS Master. The csr_id
is not directly known to SlapOS Master, and shall be consumed as fast as
possible by frontend cluster operator in order to sign CSR appearing in
KeDiFa caucase. The known possible attack vector requires that attacker knows
caucased HTTP listening port and can hijack HTTPS traffic to the csr_id-url
to get the human approve his own csr_id. The second is hoped to be overcomed
by publishing certificate of this endpoint via SlapOS Master.

Unfortunately caucase-updater prefix is directly used to find real CSR, as the
one generated is just a template for rerequest, thus csr_id would be different
from really used by caucase-updater.

Use KeDiFa to store keys, and transmit the url to the requester for master
and slave partitions.

Download keys on the slave partitions level.

Use caucase to fetch main caucase CA.

kedifa-caucase-url is published in order to have access to it.

Note: caucase is prepended with kedifa, as this is that one.

Use kedifa-csr tool to generate CSR and use caucase-updater macro.

Switch to KeDiFa with SSL Auth and updated goodies.

KeDiFa endpoint URLs are randomised.

Only one (first) user certificate is going to be automatically accepted. This
one shall be operated by the cluster owner, the requester of frontend master
partition.

Then he will be able to sign certificates for other users and also for
services - so each node in the cluster.

Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line
is used for one command generation of extensions in the certificate.
Note: We could upgrade to openssl 1.1.1 in order to have it really
simplified (see https://security.stackexchange.com/a/183973 )

Improve CSR readability by creating cluster-identification, which is master
partition title, and use it as Organization of the CSR.

Reserve slots for data exchange in KeDiFa.

Improvements:

 * support CSR as a file
   Allow to pass template_csr as a file, as it is useful for some cases.

 * use dumps where needed, as it is available

 * fix rerequest internal call

The certificates generated by caucase are not supported by Caddy (see https://www.erp5.com/project_section/vifib/forum/Problem-with-caddy-frontend-and-caucase-0.95-issued-certificate-UNinzubDv0)

/cc @rafael @alain.takoudjou

/reviewed-on !531

  As the instance is already allocated, we add a dummy template to keep data there until user do something.

  And to prevent to buildout keep failing.

/cc @rafael @jm @alain.takoudjou 

Here we go

/reviewed-on !529

  This helps on updating the 1.0 branch (release candidate) with the result of the latest tests.

share parts with instance-runner.cfg

/cc @rafael @Nicolas @alain.takoudjou 

/reviewed-on !527

As the test runs in erp5.util.testnode, which has some ports reserved,
and they collide with default ports of caddy-frontend services, select
ports for those services, and leave out default for monitor, as test expects.

use address 1 instead of address 0 and display a /etc/network/interfaces syntax.

Also display the info for resilient KVM.

Note that formatting is not perfect due to softwaretype recipe (which doesn't preserve spaces).

/cc @jm @rafael @alain.takoudjou

/reviewed-on nexedi/slapos!521