Feature/caddy frontend auth to backend (!771) · Merge Requests · nexedi / slapos · GitLab

Skip to content

Projects
Groups
Snippets
Help

Loading...
Sign in / Register

Project overview
Repository
Labels
Merge Requests 105
- Merge Requests 105
CI / CD
Analytics
Snippets
- Snippets
Members
- Members

Collapse sidebar

Activity
Graph
Jobs
Commits

nexedi
slapos
Merge Requests
!771

Merged

Opened May 29, 2020 by Łukasz Nowak @luke30 of 30 tasks completed30/30 tasks

Report abuse

Feature/caddy frontend auth to backend

Overview 38
Commits 11
Pipelines 45
Changes 71

Prerequisites:

check that url and https-url with a path (like https://example.com/some/path) are supported correctly (it seems missing in the tests) ▶ covered by test_https_url
depends on !783 (merged)

Tasks:

check behaviour of backend while SSL client cert is offered !771 (comment 112004)
review maxconn and input from !771 (comment 111938)
improve naming of timeout-backend-connect and timeout-backend-connect-retries !771 (comment 111939)
consider moving the whole parsing and preparation logic to templates/apache-custom-slave-list.cfg.in, so that configuration generation of Caddy, Apache Traffic Server, Haproxy and others will simplify ▶ current improvements are good enough
- or maybe even to instance-apache-replicate.cfg.in, where the rejection of bad parameters happens
put haproxy before the backend, stabilise test, do cleanups if needed
- ssl_proxy_verify
- backend_url in templates/default-virtualhost.conf.in can be ignored, as it's always present (in sense, that haproxy gives it), it shall be correctly done in the templates/backend-haproxy.cfg.in
- generally support correctly url and https-url
- graceful script in etc/run (be smart about signals supported by haproxy)
- configuration validation
- logs --> ❗ blocker haproxy does not write log to files (only stdout/stderr), but their logs are critical, considering using rsyslogd in the partition
  - logrotate
- setup good limits (maxconn, timeout *), drop/hide not needed configuration
  - redo proxy_try_duration and proxy_try_interval --> possibly not needed anymore
  - support request_timeout, which in reality is proxy connection timeout, but then proxy_try_duration/interval helps
- stabilise tests, good result is here
enable sending certificates to the backend
- configure it on haproxy level
- check that it works against real backend
- setup additional tasks (like signing certificates by CSR_ID)
- add tests
logrotate for backend haproxy log
prove that listed below are correctly configurable on master and per slave:
- timeout-backend-connect
- timeout-backend-connect-retries
- request-timeout
validate again that it works correctly against real backend (eg. recent ERP5), if needed extend test suite (note: for ERP5 the minimal request parameters are {"balancer": {"ssl": {"frontend-caucase-url-list": ["<value-of-backend-client-cacucase-url>"]}}}
~~❗ tentative: create stack/rsyslogd instead of generating the file directly in software/caddy-frontend~~

Notes:

X-Forwarded-For shall be reduced to one element only, as possibly backend-haproxy is more configurable
the authentication is simple http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-crt

Future improvements:

haproxy with active check to the backend, thus serving fast 5xx replies on malfuctioning/dead backend, so resulting with fast cached responses

Prerequisites:

- [X] check that `url` and `https-url` with a path (like https://example.com/some/path) are supported correctly (it seems missing in the tests) :arrow_forward: covered by `test_https_url`
 - [x] depends on https://lab.nexedi.com/nexedi/slapos/merge_requests/783

Tasks:

- [x] check behaviour of backend while SSL client cert is offered https://lab.nexedi.com/nexedi/slapos/merge_requests/771#note_112004
 - [x] review `maxconn` and input from https://lab.nexedi.com/nexedi/slapos/merge_requests/771#note_111938
 - [x] improve naming of `timeout-backend-connect` and `timeout-backend-connect-retries` https://lab.nexedi.com/nexedi/slapos/merge_requests/771#note_111939
 - [X] consider moving the whole parsing and preparation logic to `templates/apache-custom-slave-list.cfg.in`, so that configuration generation of Caddy, Apache Traffic Server, Haproxy and others will simplify :arrow_forward: current improvements are good enough
   - or maybe even to `instance-apache-replicate.cfg.in`, where the rejection of bad parameters happens
 - [x] put haproxy before the backend, stabilise test, do cleanups if needed
   - [x] `ssl_proxy_verify`
   - [x] backend_url in `templates/default-virtualhost.conf.in` can be ignored, as it's always present (in sense, that haproxy gives it), it shall be correctly done in the `templates/backend-haproxy.cfg.in`
   - [x] generally support correctly `url` and `https-url`
   - [x] graceful script in `etc/run` (be smart about signals supported by haproxy)
   - [x] configuration validation
   - [x] logs --> :exclamation:  **blocker** haproxy does not write log to files (only stdout/stderr), but their logs are critical, considering using rsyslogd in the partition
     - [x] logrotate
   - [x] setup good limits (maxconn, timeout *), drop/hide not needed configuration
     - [x] redo `proxy_try_duration` and `proxy_try_interval` --> possibly not needed anymore
     - [x] support `request_timeout`, which in reality is proxy connection timeout, but then `proxy_try_duration/interval` helps
   - [x] stabilise tests, good result is [here](https://nexedijs.erp5.net/#/test_result_module/20200703-3205A051)
 - [x] enable sending certificates to the backend
   - [x] configure it on haproxy level
   - [x] check that it works against real backend
   - [x] setup additional tasks (like signing certificates by CSR_ID)
   - [x] add tests
 - [x] logrotate for backend haproxy log
 - [x] prove that listed below are correctly configurable on master and per slave:
   - [x] `timeout-backend-connect`
   - [x] `timeout-backend-connect-retries`
   - [x] `request-timeout`
 - [x] validate again that it works correctly against real backend (eg. recent ERP5), if needed extend test suite (note: for ERP5 the minimal request parameters are `{"balancer": {"ssl": {"frontend-caucase-url-list": ["<value-of-backend-client-cacucase-url>"]}}}`
 - [x] ~~:exclamation: tentative: create `stack/rsyslogd` instead of generating the file directly in `software/caddy-frontend`~~

Notes:

- `X-Forwarded-For` shall be reduced to one element only, as possibly backend-haproxy is more configurable
 - the authentication is simple http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-crt

Future improvements:

- haproxy with active check to the backend, thus serving fast 5xx replies on malfuctioning/dead backend, so resulting with fast cached responses

Edited Jul 15, 2020 by Łukasz Nowak

Assignee

Assign to

None

Milestone

None

Assign milestone

Time tracking

0

Labels

None

Assign labels

View project labels

Reference: nexedi/slapos!771

Revert this merge request

This will create a new commit in order to revert the existing changes.

Revert in branch

Switch branch

A new branch will be created in your fork and a new merge request will be started.

Cherry-pick this merge request

Pick into branch

Switch branch

A new branch will be created in your fork and a new merge request will be started.

GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7