Commit fc23be53 authored by Łukasz Nowak's avatar Łukasz Nowak

caddy-frontend: Move out logic from configuration file generation

As decision making quite often requires access to more than one slave entry,
it's better to keep the logic above configuration generation. Also
configuration generation is already complex, and it's better to have it
simplified, especially in case of switching the component.

Use already prepared values from apache-custom-slave-list.cfg.in in
default-virtualhost.conf.in to simplify even more.

Pass variables to the other profiles without casting them to string, so that
they work out of the box.
parent 6909dcef
...@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68 ...@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
[profile-caddy-frontend] [profile-caddy-frontend]
filename = instance-apache-frontend.cfg.in filename = instance-apache-frontend.cfg.in
md5sum = e8db3179e3278c6390a786cdcc947173 md5sum = a6a626fd1579fd1d4b80ea67433ca16a
[profile-caddy-replicate] [profile-caddy-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
...@@ -30,7 +30,7 @@ md5sum = 2329022227099971a57f710832509153 ...@@ -30,7 +30,7 @@ md5sum = 2329022227099971a57f710832509153
[profile-slave-list] [profile-slave-list]
_update_hash_filename_ = templates/apache-custom-slave-list.cfg.in _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
md5sum = 2cbcdff6fe75ec469ab7d6accd72f83c md5sum = eadc3ee8927461fe9475e8b01667bbfe
[profile-replicate-publish-slave-information] [profile-replicate-publish-slave-information]
_update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in _update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
...@@ -46,11 +46,11 @@ md5sum = 88af61e7abbf30dc99a1a2526161128d ...@@ -46,11 +46,11 @@ md5sum = 88af61e7abbf30dc99a1a2526161128d
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
_update_hash_filename_ = templates/default-virtualhost.conf.in _update_hash_filename_ = templates/default-virtualhost.conf.in
md5sum = bd9e269130bac989faa639e0903814e2 md5sum = 1eb9f415229aa74de83f6d8660cac5a8
[template-backend-haproxy-configuration] [template-backend-haproxy-configuration]
_update_hash_filename_ = templates/backend-haproxy.cfg.in _update_hash_filename_ = templates/backend-haproxy.cfg.in
md5sum = 5c807d34198f334b143cfa9263f6bc4e md5sum = 0923a9227c131d2f1e11d7ddd5b15673
[template-empty] [template-empty]
_update_hash_filename_ = templates/empty.in _update_hash_filename_ = templates/empty.in
......
...@@ -287,6 +287,7 @@ extra-context = ...@@ -287,6 +287,7 @@ extra-context =
key backend_client_caucase_url :backend-client-caucase-url key backend_client_caucase_url :backend-client-caucase-url
import urlparse_module urlparse import urlparse_module urlparse
import furl_module furl import furl_module furl
import urllib_module urllib
key master_key_download_url :master_key_download_url key master_key_download_url :master_key_download_url
key autocert caddy-directory:autocert key autocert caddy-directory:autocert
key caddy_log_directory caddy-directory:slave-log key caddy_log_directory caddy-directory:slave-log
......
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
{%- set kedifa_updater_mapping = [] %} {%- set kedifa_updater_mapping = [] %}
{%- set cached_server_dict = {} %} {%- set cached_server_dict = {} %}
{%- set backend_slave_list = [] %} {%- set backend_slave_list = [] %}
{%- set frontend_slave_list = [] %}
{%- set part_list = [] %} {%- set part_list = [] %}
{%- set cache_port = caddy_configuration.get('cache-port') %} {%- set cache_port = caddy_configuration.get('cache-port') %}
{%- set cache_access = "http://%s:%s" % (instance_parameter_dict['ipv4-random'], cache_port) %} {%- set cache_access = "http://%s:%s" % (instance_parameter_dict['ipv4-random'], cache_port) %}
...@@ -39,16 +40,39 @@ context = ...@@ -39,16 +40,39 @@ context =
[slave-password] [slave-password]
[slave-htpasswd] [slave-htpasswd]
{#- Loop thought slave list to set up slaves #} {#- Prepare configuration parameters #}
{%- set DEFAULT_PORT = {'http': 80, 'https': 443, '': None} %} {%- set DEFAULT_PORT = {'http': 80, 'https': 443, '': None} %}
{%- for key in ['enable-http2-by-default', 'global-disable-http2'] %}
{%- do configuration.__setitem__(key, ('' ~ configuration[key]).lower() in TRUE_VALUES) %}
{%- endfor %}
{#- Loop thought slave list to set up slaves #}
{%- for slave_instance in slave_instance_list %} {%- for slave_instance in slave_instance_list %}
{#- prepare backend parameters #} {#- Prepare slave parameters: #}
{#- * convert strings to booleans (as slapproxy and SlapOS Master differ a bit) #}
{#- * create real lists from string lists #}
{#- * setup defaults to simplify other profiles #}
{#- * stabilise values for backend #}
{%- for key, prefix in [('url', 'http_backend'), ('https-url', 'https_backend')] %} {%- for key, prefix in [('url', 'http_backend'), ('https-url', 'https_backend')] %}
{%- set parsed = urlparse_module.urlparse(slave_instance.get(key, '').strip()) %} {%- set parsed = urlparse_module.urlparse(slave_instance.get(key, '').strip()) %}
{%- set info_dict = {'scheme': parsed.scheme, 'hostname': parsed.hostname, 'port': parsed.port or DEFAULT_PORT[parsed.scheme], 'path': parsed.path, 'fragment': parsed.fragment} %} {%- set info_dict = {'scheme': parsed.scheme, 'hostname': parsed.hostname, 'port': parsed.port or DEFAULT_PORT[parsed.scheme], 'path': parsed.path, 'fragment': parsed.fragment} %}
{%- do slave_instance.__setitem__(prefix, info_dict) %} {%- do slave_instance.__setitem__(prefix, info_dict) %}
{%- endfor %} {%- endfor %}
{%- do slave_instance.__setitem__('ssl_proxy_verify', ('' ~ slave_instance.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES) %} {%- do slave_instance.__setitem__('ssl_proxy_verify', ('' ~ slave_instance.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES) %}
{%- do slave_instance.__setitem__('enable-http2', ('' ~ slave_instance.get('enable-http2', configuration['enable-http2-by-default'])).lower() in TRUE_VALUES) %}
{%- for key in ['https-only', 'websocket-transparent'] %}
{%- do slave_instance.__setitem__(key, ('' ~ slave_instance.get(key, 'true')).lower() in TRUE_VALUES) %}
{%- endfor %}
{%- for key in ['enable_cache', 'disable-no-cache-request', 'disable-via-header', 'prefer-gzip-encoding-to-backend'] %}
{%- do slave_instance.__setitem__(key, ('' ~ slave_instance.get(key, 'false')).lower() in TRUE_VALUES) %}
{%- endfor %}
{%- for key in ['disabled-cookie-list'] %}
{%- do slave_instance.__setitem__(key, slave_instance.get(key, '').split()) %}
{%- endfor %}
{%- for key, default in [('virtualhostroot-http-port', '80'), ('virtualhostroot-https-port', '443')] %}
{%- do slave_instance.__setitem__(key, int(slave_instance.get(key, default))) %}
{%- endfor %}
{%- do slave_instance.__setitem__('default-path', slave_instance.get('default-path', '').strip('/') | urlencode) %}
{%- do slave_instance.__setitem__('path', slave_instance.get('path', '').strip('/')) %}
{#- Manage ciphers #} {#- Manage ciphers #}
{%- set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %} {%- set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %}
{%- if slave_ciphers %} {%- if slave_ciphers %}
...@@ -56,10 +80,10 @@ context = ...@@ -56,10 +80,10 @@ context =
{%- else %} {%- else %}
{%- set slave_cipher_list = configuration['ciphers'].strip() %} {%- set slave_cipher_list = configuration['ciphers'].strip() %}
{%- endif %} {%- endif %}
{%- do slave_instance.__setitem__('cipher_list', slave_cipher_list) %} {%- do slave_instance.__setitem__('ciphers', slave_cipher_list) %}
{#- Manage common instance parameters #} {#- Manage common instance parameters #}
{%- set slave_type = slave_instance.get('type', '') %} {%- set slave_type = slave_instance.get('type', '') %}
{%- set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_type != 'redirect') %} {%- set enable_cache = (slave_instance['enable_cache'] and slave_type != 'redirect') %}
{%- set slave_reference = slave_instance.get('slave_reference') %} {%- set slave_reference = slave_instance.get('slave_reference') %}
{%- set slave_kedifa = slave_kedifa_information.get(slave_reference) %} {%- set slave_kedifa = slave_kedifa_information.get(slave_reference) %}
{#- Setup backend URLs for front facing Caddy #} {#- Setup backend URLs for front facing Caddy #}
...@@ -103,9 +127,6 @@ context = ...@@ -103,9 +127,6 @@ context =
{%- do part_list.extend([slave_ln_section]) %} {%- do part_list.extend([slave_ln_section]) %}
{%- do part_list.extend([slave_section_title]) %} {%- do part_list.extend([slave_section_title]) %}
{%- set slave_log_folder = '${logrotate-directory:logrotate-backup}/' + slave_reference + "-logs" %} {%- set slave_log_folder = '${logrotate-directory:logrotate-backup}/' + slave_reference + "-logs" %}
{#- Pass HTTP2 switch #}
{%- do slave_instance.__setitem__('enable_http2_by_default', configuration['enable-http2-by-default']) %}
{%- do slave_instance.__setitem__('global_disable_http2', configuration['global-disable-http2']) %}
{#- Pass backend timeout values #} {#- Pass backend timeout values #}
{%- for key in ['backend-connect-timeout', 'backend-connect-retries', 'request-timeout', 'authenticate-to-backend'] %} {%- for key in ['backend-connect-timeout', 'backend-connect-retries', 'request-timeout', 'authenticate-to-backend'] %}
{%- if slave_instance.get(key, '') == '' %} {%- if slave_instance.get(key, '') == '' %}
...@@ -168,6 +189,28 @@ context = ...@@ -168,6 +189,28 @@ context =
{%- do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %} {%- do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
{%- do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %} {%- do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
{%- do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %} {%- do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}
{%- set host_list = slave_instance.get('server-alias', '').split() %}
{%- if slave_instance.get('custom_domain') not in host_list %}
{%- do host_list.append(slave_instance.get('custom_domain')) %}
{%- endif %}
{%- do slave_instance.__setitem__('host_list', host_list) %}
{%- do slave_instance.__setitem__('type', slave_instance.get('type', '')) %}
{%- set websocket_path_list = [] %}
{%- for websocket_path in slave_instance.get('websocket-path-list', '').split() %}
{%- set websocket_path = websocket_path.strip('/') %}
{#- Unquote the path, so %20 and similar can be represented correctly #}
{%- set websocket_path = urllib_module.unquote(websocket_path.strip()) %}
{%- if websocket_path %}
{%- do websocket_path_list.append(websocket_path) %}
{%- endif %}
{%- endfor %}
{%- do slave_instance.__setitem__('websocket-path-list', websocket_path_list) %}
{%- do slave_instance.__setitem__('enable_h2', not configuration['global-disable-http2'] and slave_instance['enable-http2']) %}
{%- if slave_instance['type'] in ['notebook', 'websocket'] %}
{# websocket style needs http 1.1 max #}
{%- do slave_instance.__setitem__('enable_h2', False) %}
{%- endif %}
{%- do slave_instance.__setitem__('default-path', slave_instance.get('default-path', '').strip('/') | urlencode) %}
[slave-log-directory-dict] [slave-log-directory-dict]
{{slave_reference}} = {{ slave_log_folder }} {{slave_reference}} = {{ slave_log_folder }}
...@@ -224,12 +267,13 @@ command = {{ software_parameter_dict['htpasswd'] }} -cb ${:file} {{ slave_refere ...@@ -224,12 +267,13 @@ command = {{ software_parameter_dict['htpasswd'] }} -cb ${:file} {{ slave_refere
{%- do slave_parameter_dict.__setitem__('certificate', certificate )%} {%- do slave_parameter_dict.__setitem__('certificate', certificate )%}
{#- Set ssl certificates for each slave #} {#- Set ssl certificates for each slave #}
{%- for cert_name in ('ssl_csr', 'ssl_proxy_ca_crt')%} {%- for cert_name in ('ssl_csr', 'ssl_proxy_ca_crt')%}
{%- set cert_file_key = 'path_to_' + cert_name %}
{%- if cert_name in slave_instance %} {%- if cert_name in slave_instance %}
{%- set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) %} {%- set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) %}
{%- set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %} {%- set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %}
{%- do part_list.append(cert_title) %} {%- do part_list.append(cert_title) %}
{%- do slave_parameter_dict.__setitem__(cert_name, cert_file) %} {%- do slave_parameter_dict.__setitem__(cert_name, cert_file) %}
{%- do slave_instance.__setitem__('path_to_' + cert_name, cert_file) %} {%- do slave_instance.__setitem__(cert_file_key, cert_file) %}
{#- Store certificates on fs #} {#- Store certificates on fs #}
[{{ cert_title }}] [{{ cert_title }}]
< = jinja2-template-base < = jinja2-template-base
...@@ -241,7 +285,9 @@ extra-context = ...@@ -241,7 +285,9 @@ extra-context =
{#- Store certificate in config #} {#- Store certificate in config #}
[{{ cert_title + '-config' }}] [{{ cert_title + '-config' }}]
value = {{ dumps(slave_instance.get(cert_name)) }} value = {{ dumps(slave_instance.get(cert_name)) }}
{%- endif %} {%- else %}
{%- do slave_instance.__setitem__(cert_file_key, None) %}
{%- endif %} {#- if cert_name in slave_instance #}
{%- endfor %} {%- endfor %}
{#- Set Up Certs #} {#- Set Up Certs #}
{%- if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance %} {%- if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance %}
...@@ -273,7 +319,7 @@ http_port = {{ dumps('' ~ configuration['plain_http_port']) }} ...@@ -273,7 +319,7 @@ http_port = {{ dumps('' ~ configuration['plain_http_port']) }}
local_ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }} local_ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }}
{%- for key, value in slave_instance.iteritems() %} {%- for key, value in slave_instance.iteritems() %}
{%- if value is not none %} {%- if value is not none %}
{{ key }} = {{ dumps('' ~ value) }} {{ key }} = {{ dumps(value) }}
{%- endif %} {%- endif %}
{%- endfor %} {%- endfor %}
...@@ -284,7 +330,6 @@ rendered = {{ caddy_configuration_directory }}/${:filename} ...@@ -284,7 +330,6 @@ rendered = {{ caddy_configuration_directory }}/${:filename}
template = {{ template_default_slave_configuration }} template = {{ template_default_slave_configuration }}
extra-context = extra-context =
section slave_parameter {{ slave_configuration_section_name }} section slave_parameter {{ slave_configuration_section_name }}
import urllib_module urllib
filename = {{ '%s.conf' % slave_reference }} filename = {{ '%s.conf' % slave_reference }}
{{ '\n' }} {{ '\n' }}
...@@ -329,6 +374,7 @@ recipe = slapos.cookbook:publish ...@@ -329,6 +374,7 @@ recipe = slapos.cookbook:publish
{%- else %} {%- else %}
{%- do slave_instance_information_list.append(slave_publish_dict) %} {%- do slave_instance_information_list.append(slave_publish_dict) %}
{%- endif %} {%- endif %}
{%- do frontend_slave_list.append(slave_instance) %}
{%- if slave_type != 'redirect' %} {%- if slave_type != 'redirect' %}
{%- do backend_slave_list.append(slave_instance) %} {%- do backend_slave_list.append(slave_instance) %}
{%- endif %} {%- endif %}
......
...@@ -18,12 +18,8 @@ defaults ...@@ -18,12 +18,8 @@ defaults
{%- macro frontend_entry(slave_instance, scheme, wildcard) %} {%- macro frontend_entry(slave_instance, scheme, wildcard) %}
{#- wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #} {#- wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
{%- if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] %} {%- if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] %}
{%- set host_list = (slave_instance.get('server-alias') or '').split() %}
{%- if slave_instance.get('custom_domain') not in host_list %}
{%- do host_list.append(slave_instance.get('custom_domain')) %}
{%- endif %}
{%- set matched = {'count': 0} %} {%- set matched = {'count': 0} %}
{%- for host in host_list %} {%- for host in slave_instance['host_list'] %}
{#- Match up to the end or optional port (starting with ':') #} {#- Match up to the end or optional port (starting with ':') #}
{#- Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #} {#- Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
{%- if wildcard and host.startswith('*.') %} {%- if wildcard and host.startswith('*.') %}
...@@ -80,10 +76,9 @@ frontend https-backend ...@@ -80,10 +76,9 @@ frontend https-backend
{%- do ssl_list.append('crt %s' % (configuration['certificate'],)) %} {%- do ssl_list.append('crt %s' % (configuration['certificate'],)) %}
{%- endif %} {%- endif %}
{%- do ssl_list.append('ssl verify') %} {%- do ssl_list.append('ssl verify') %}
{%- set path_to_ssl_proxy_ca_crt = slave_instance.get('path_to_ssl_proxy_ca_crt') %}
{%- if slave_instance['ssl_proxy_verify'] %} {%- if slave_instance['ssl_proxy_verify'] %}
{%- if path_to_ssl_proxy_ca_crt %} {%- if slave_instance['path_to_ssl_proxy_ca_crt'] %}
{%- do ssl_list.append('required ca-file %s' % (path_to_ssl_proxy_ca_crt,)) %} {%- do ssl_list.append('required ca-file %s' % (slave_instance['path_to_ssl_proxy_ca_crt'],)) %}
{%- else %} {%- else %}
{#- Backend SSL shall be verified, but not CA provided, disallow connection #} {#- Backend SSL shall be verified, but not CA provided, disallow connection #}
{#- Simply dropping hostname from the dict will result with ignoring it... #} {#- Simply dropping hostname from the dict will result with ignoring it... #}
......
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
{%- set enable_cache = slave_parameter.get('enable_cache', '').lower() in TRUE_VALUES %}
{%- set disable_no_cache_header = slave_parameter.get('disable-no-cache-request', '').lower() in TRUE_VALUES %}
{%- set disable_via_header = slave_parameter.get('disable-via-header', '').lower() in TRUE_VALUES %}
{%- set prefer_gzip = slave_parameter.get('prefer-gzip-encoding-to-backend', '').lower() in TRUE_VALUES %}
{%- set proxy_append_list = [('', 'Default proxy configuration')] %} {%- set proxy_append_list = [('', 'Default proxy configuration')] %}
{%- if prefer_gzip %} {%- if slave_parameter['prefer-gzip-encoding-to-backend'] %}
{%- do proxy_append_list.append(('prefer-gzip', 'Proxy which always overrides Accept-Encoding to gzip if such is found')) %} {%- do proxy_append_list.append(('prefer-gzip', 'Proxy which always overrides Accept-Encoding to gzip if such is found')) %}
{%- endif %} {#- if prefer_gzip #} {%- endif %} {#- if slave_parameter['prefer-gzip-encoding-to-backend'] #}
{%- set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{%- set enable_h2 = slave_parameter['global_disable_http2'].lower() not in TRUE_VALUES and slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default']).lower() in TRUE_VALUES %}
{%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %}
{%- set https_only = slave_parameter.get('https-only', 'true').lower() in TRUE_VALUES %}
{%- set slave_type = slave_parameter.get('type', '') %}
{%- set host_list = server_alias_list %}
{%- set cipher_list = slave_parameter.get('cipher_list', '').strip() %}
{%- if slave_parameter.get('custom_domain') not in host_list %}
{%- do host_list.append(slave_parameter.get('custom_domain')) %}
{%- endif %}
{%- set http_host_list = [] %} {%- set http_host_list = [] %}
{%- set https_host_list = [] %} {%- set https_host_list = [] %}
{%- for host in host_list %} {%- for host in slave_parameter['host_list'] %}
{%- do http_host_list.append('http://%s:%s' % (host, slave_parameter['http_port'] )) %} {%- do http_host_list.append('http://%s:%s' % (host, slave_parameter['http_port'] )) %}
{%- do https_host_list.append('https://%s:%s' % (host, slave_parameter['https_port'] )) %} {%- do https_host_list.append('https://%s:%s' % (host, slave_parameter['https_port'] )) %}
{%- endfor %} {#- for host in host_list #} {%- endfor %} {#- for host in slave_parameter['host_list'] #}
{%- set default_path = slave_parameter.get('default-path', '').strip('/') | urlencode %}
{%- set websocket_path_list = [] %}
{%- for websocket_path in slave_parameter.get('websocket-path-list', '').split() %}
{%- set websocket_path = websocket_path.strip('/') %}
{#- Unquote the path, so %20 and similar can be represented correctly #}
{%- set websocket_path = urllib_module.unquote(websocket_path.strip()) %}
{%- if websocket_path %}
{%- do websocket_path_list.append(websocket_path) %}
{%- endif %}
{%- endfor %}
{%- set websocket_transparent = slave_parameter.get('websocket-transparent', 'true').lower() in TRUE_VALUES %}
{%- if slave_type in ['notebook', 'websocket'] %}
{# websocket style needs http 1.1 max #}
{%- set enable_h2 = False %}
{%- endif %}
{%- macro proxy_header() %} {%- macro proxy_header() %}
timeout {{ slave_parameter['request-timeout'] }}s timeout {{ slave_parameter['request-timeout'] }}s
...@@ -50,7 +20,7 @@ ...@@ -50,7 +20,7 @@
{%- for tls in [True, False] %} {%- for tls in [True, False] %}
{%- if tls %} {%- if tls %}
{%- set backend_url = slave_parameter.get('backend-https-url', slave_parameter.get('backend-http-url')) %} {%- set backend_url = slave_parameter.get('backend-https-url', slave_parameter['backend-http-url']) %}
# SSL enabled hosts # SSL enabled hosts
{{ https_host_list|join(', ') }} { {{ https_host_list|join(', ') }} {
{%- else %} {%- else %}
...@@ -61,28 +31,28 @@ ...@@ -61,28 +31,28 @@
bind {{ slave_parameter['local_ipv4'] }} bind {{ slave_parameter['local_ipv4'] }}
{%- if tls %} {%- if tls %}
tls {{ slave_parameter['certificate'] }} {{ slave_parameter['certificate'] }} { tls {{ slave_parameter['certificate'] }} {{ slave_parameter['certificate'] }} {
{%- if cipher_list %} {%- if slave_parameter['ciphers'] %}
ciphers {{ cipher_list }} ciphers {{ slave_parameter['ciphers'] }}
{%- endif %} {%- endif %}
{%- if enable_h2 %} {%- if slave_parameter['enable_h2'] %}
# Allow HTTP2 # Allow http2
alpn h2 http/1.1 alpn h2 http/1.1
{%- else %} {#- if enable_h2 #} {%- else %} {#- if slave_parameter['enable_h2'] #}
# Disallow HTTP2 # Disallow HTTP2
alpn http/1.1 alpn http/1.1
{%- endif %} {#- if enable_h2 #} {%- endif %} {#- if slave_parameter['enable_h2'] #}
} {# tls #} } {# tls #}
{%- endif %} {#- if tls #} {%- endif %} {#- if tls #}
log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" { log / {{ slave_parameter['access_log'] }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
rotate_size 0 rotate_size 0
} }
errors {{ slave_parameter.get('error_log') }} { errors {{ slave_parameter['error_log'] }} {
rotate_size 0 rotate_size 0
} }
{%- if not (slave_type == 'zope' and backend_url) %} {%- if not (slave_parameter['type'] == 'zope' and backend_url) %}
{% if prefer_gzip and not (not tls and https_only) %} {% if slave_parameter['prefer-gzip-encoding-to-backend'] and not (not tls and slave_parameter['https-only']) %}
rewrite { rewrite {
regexp (.*) regexp (.*)
if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
...@@ -93,20 +63,20 @@ ...@@ -93,20 +63,20 @@
if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
to {1} to {1}
} }
{% elif slave_type not in ['notebook', 'websocket'] %} {% elif slave_parameter['type'] not in ['notebook', 'websocket'] %}
rewrite { rewrite {
regexp (.*) regexp (.*)
to {1} to {1}
} }
{% endif %} {# elif slave_type != 'notebook' #} {% endif %} {# elif slave_parameter['type'] != 'notebook' #}
{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #} {%- endif %} {#- if not (slave_parameter['type'] == 'zope' and backend_url) #}
{%- if not tls and https_only %} {%- if not tls and slave_parameter['https-only'] %}
# Enforced redirection to SSL-enabled host # Enforced redirection to SSL-enabled host
redir 302 { redir 302 {
/ https://{host}{rewrite_uri} / https://{host}{rewrite_uri}
} }
{%- elif slave_type == 'zope' and backend_url %} {%- elif slave_parameter['type'] == 'zope' and backend_url %}
# Zope configuration # Zope configuration
{%- for (proxy_name, proxy_comment) in proxy_append_list %} {%- for (proxy_name, proxy_comment) in proxy_append_list %}
# {{ proxy_comment }} # {{ proxy_comment }}
...@@ -116,65 +86,65 @@ ...@@ -116,65 +86,65 @@
without /prefer-gzip without /prefer-gzip
header_upstream Accept-Encoding gzip header_upstream Accept-Encoding gzip
{%- endif %} {#- if proxy_name == 'prefer-gzip' #} {%- endif %} {#- if proxy_name == 'prefer-gzip' #}
{%- for disabled_cookie in disabled_cookie_list %} {%- for disabled_cookie in slave_parameter['disabled-cookie-list'] %}
# Remove cookie {{ disabled_cookie }} from client Cookies # Remove cookie {{ disabled_cookie }} from client Cookies
header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- endfor %} {#- for disabled_cookie in slave_parameter['disabled-cookie-list'] #}
{%- if disable_via_header %} {%- if slave_parameter['disable-via-header'] %}
header_downstream -Via header_downstream -Via
{%- endif %} {#- if disable_via_header #} {%- endif %} {#- if slave_parameter['disable-via-header'] #}
{%- if disable_no_cache_header %} {%- if slave_parameter['disable-no-cache-request'] %}
header_upstream -Cache-Control header_upstream -Cache-Control
header_upstream -Pragma header_upstream -Pragma
{%- endif %} {#- if disable_no_cache_header #} {%- endif %} {#- if slave_parameter['disable-no-cache-request'] #}
transparent transparent
} {# proxy #} } {# proxy #}
{%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #}
{%- if default_path %} {%- if slave_parameter['default-path'] %}
redir 301 { redir 301 {
if {path} is / if {path} is /
/ {scheme}://{host}/{{ default_path }} / {scheme}://{host}/{{ slave_parameter['default-path'] }}
} {# redir #} } {# redir #}
{%- endif %} {#- if default_path #} {%- endif %} {#- if slave_parameter['default-path'] #}
{%- if prefer_gzip and not (not tls and https_only) %} {%- if slave_parameter['prefer-gzip-encoding-to-backend'] and not (not tls and slave_parameter['https-only']) %}
rewrite { rewrite {
regexp (.*) regexp (.*)
if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
{%- if tls %} {%- if tls %}
to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter['virtualhostroot-https-port'] }}%2F{{ slave_parameter['path'] }}%2FVirtualHostRoot/{1}
{%- else %} {%- else %}
to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter['virtualhostroot-http-port'] }}%2F{{ slave_parameter['path'] }}%2FVirtualHostRoot/{1}
{%- endif %} {%- endif %}
} }
rewrite { rewrite {
regexp (.*) regexp (.*)
if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
{%- if tls %} {%- if tls %}
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter['virtualhostroot-https-port'] }}%2F{{ slave_parameter['path'] }}%2FVirtualHostRoot/{1}
{%- else %} {%- else %}
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter['virtualhostroot-http-port'] }}%2F{{ slave_parameter['path'] }}%2FVirtualHostRoot/{1}
{%- endif %} {%- endif %}
} }
{%- else %} {%- else %}
rewrite { rewrite {
regexp (.*) regexp (.*)
{%- if tls %} {%- if tls %}
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter['virtualhostroot-https-port'] }}%2F{{ slave_parameter['path'] }}%2FVirtualHostRoot/{1}
{%- else %} {%- else %}
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter['virtualhostroot-http-port'] }}%2F{{ slave_parameter['path'] }}%2FVirtualHostRoot/{1}
{%- endif %} {%- endif %}
} {# rewrite #} } {# rewrite #}
{%- endif %} {#- if prefer_gzip #} {%- endif %} {#- if slave_parameter['prefer-gzip-encoding-to-backend'] #}
{%- elif slave_type == 'redirect' %} {%- elif slave_parameter['type'] == 'redirect' %}
{%- if backend_url %} {%- if backend_url %}
# Redirect configuration # Redirect configuration
redir 302 { redir 302 {
/ {{ backend_url }}{rewrite_uri} / {{ backend_url }}{rewrite_uri}
} }
{%- endif %} {%- endif %}
{%- elif slave_type == 'notebook' %} {%- elif slave_parameter['type'] == 'notebook' %}
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
{{ proxy_header() }} {{ proxy_header() }}
transparent transparent
...@@ -189,21 +159,21 @@ ...@@ -189,21 +159,21 @@
websocket websocket
without /proxy/ without /proxy/
} }
{%- elif slave_type == 'websocket' %} {%- elif slave_parameter['type'] == 'websocket' %}
{%- if websocket_path_list %} {%- if slave_parameter['websocket-path-list'] %}
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
{{ proxy_header() }} {{ proxy_header() }}
{%- if websocket_transparent %} {%- if slave_parameter['websocket-transparent'] %}
transparent transparent
{%- else %} {%- else %}
header_upstream Host {host} header_upstream Host {host}
{%- endif %} {%- endif %}
} }
{%- for websocket_path in websocket_path_list %} {%- for websocket_path in slave_parameter['websocket-path-list'] %}
proxy "/{{ websocket_path }}" {{ backend_url }} { proxy "/{{ websocket_path }}" {{ backend_url }} {
{{ proxy_header() }} {{ proxy_header() }}
websocket websocket
{%- if websocket_transparent %} {%- if slave_parameter['websocket-transparent'] %}
transparent transparent
{%- else %} {%- else %}
header_upstream Host {host} header_upstream Host {host}
...@@ -214,21 +184,21 @@ ...@@ -214,21 +184,21 @@
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
{{ proxy_header() }} {{ proxy_header() }}
websocket websocket
{%- if websocket_transparent %} {%- if slave_parameter['websocket-transparent'] %}
transparent transparent
{%- else %} {%- else %}
header_upstream Host {host} header_upstream Host {host}
{%- endif %} {%- endif %}
} }
{%- endif %} {%- endif %}
{%- else %} {#- if slave_type == 'zope' and backend_url #} {%- else %} {#- if slave_parameter['type'] == 'zope' and backend_url #}
# Default configuration # Default configuration
{%- if default_path %} {%- if slave_parameter['default-path'] %}
redir 301 { redir 301 {
if {path} is / if {path} is /
/ {scheme}://{host}/{{ default_path }} / {scheme}://{host}/{{ slave_parameter['default-path'] }}
} {# redir #} } {# redir #}
{%- endif %} {#- if default_path #} {%- endif %} {#- if slave_parameter['default-path'] #}
{%- if backend_url %} {%- if backend_url %}
{%- for (proxy_name, proxy_comment) in proxy_append_list %} {%- for (proxy_name, proxy_comment) in proxy_append_list %}
...@@ -239,23 +209,23 @@ ...@@ -239,23 +209,23 @@
without /prefer-gzip without /prefer-gzip
header_upstream Accept-Encoding gzip header_upstream Accept-Encoding gzip
{%- endif %} {#- if proxy_name == 'prefer-gzip' #} {%- endif %} {#- if proxy_name == 'prefer-gzip' #}
{%- for disabled_cookie in disabled_cookie_list %} {%- for disabled_cookie in slave_parameter['disabled-cookie-list'] %}
# Remove cookie {{ disabled_cookie }} from client Cookies # Remove cookie {{ disabled_cookie }} from client Cookies
header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- endfor %} {#- for disabled_cookie in slave_parameter['disabled-cookie-list'] #}
{%- if disable_via_header %} {%- if slave_parameter['disable-via-header'] %}
header_downstream -Via header_downstream -Via
{%- endif %} {#- if disable_via_header #} {%- endif %} {#- if slave_parameter['disable-via-header'] #}
{%- if disable_no_cache_header %} {%- if slave_parameter['disable-no-cache-request'] %}
header_upstream -Cache-Control header_upstream -Cache-Control
header_upstream -Pragma header_upstream -Pragma
{%- endif %} {#- if disable_no_cache_header #} {%- endif %} {#- if slave_parameter['disable-no-cache-request'] #}
transparent transparent
} {# proxy #} } {# proxy #}
{%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #}
{%- endif %} {#- if backend_url #} {%- endif %} {#- if backend_url #}
{%- endif %} {#- if slave_type == 'zope' and backend_url #} {%- endif %} {#- if slave_parameter['type'] == 'zope' and backend_url #}
} {# https_host_list|join(', ') #} } {# https_host_list|join(', ') #}
{%- endfor %} {#- for tls in [True, False] #} {%- endfor %} {#- for tls in [True, False] #}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment