{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %} {%- set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES %} {%- set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES %} {%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES %} {%- set proxy_append_list = [('', 'Default proxy configuration')] %} {%- if prefer_gzip %} {%- do proxy_append_list.append(('prefer-gzip', 'Proxy which always overrides Accept-Encoding to gzip if such is found')) %} {%- endif %} {#- if prefer_gzip #} {%- set server_alias_list = slave_parameter.get('server-alias', '').split() %} {%- set enable_h2 = ('' ~ slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default'])).lower() in TRUE_VALUES %} {%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES %} {%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %} {%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES %} {%- set slave_type = slave_parameter.get('type', '') %} {%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list %} {%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')) %} {%- set http_host_list = [] %} {%- set https_host_list = [] %} {%- for host in host_list %} {%- do http_host_list.append('http://%s:%s' % (host, slave_parameter['http_port'] )) %} {%- do https_host_list.append('https://%s:%s' % (host, slave_parameter['https_port'] )) %} {%- endfor %} {#- for host in host_list #} # SSL enabled hosts {{ https_host_list|join(', ') }} { bind {{ slave_parameter['local_ipv4'] }} # Compress the output gzip {%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %} status 501 / {%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #} tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} { {%- if slave_parameter.get('path_to_ssl_ca_crt') %} # Configuration of accepted clients clients {{ slave_parameter.get('path_to_ssl_ca_crt') }} {%- endif %} {#- if slave_parameter.get('path_to_ssl_ca_crt') #} {%- if enable_h2 %} # Allow HTTP2 alpn h2 http/1.1 {%- else %} {#- if enable_h2 #} # Disallow HTTP2 alpn http/1.1 {%- endif %} {#- if enable_h2 #} } {# tls #} log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" errors {{ slave_parameter.get('error_log') }} {%- if prefer_gzip %} rewrite { if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" to /prefer-gzip{uri} } {%- endif %} {#- if prefer_gzip #} {%- if slave_type == 'zope' and backend_url %} # Zope configuration {%- for (proxy_name, proxy_comment) in proxy_append_list %} # {{ proxy_comment }} proxy /{{ proxy_name }} {{ backend_url }} { {%- if proxy_name == 'prefer-gzip' %} without /prefer-gzip header_upstream Accept-Encoding gzip {%- endif %} {#- if proxy_name == 'prefer-gzip' #} # As backend is trusting REMOTE_USER header unset it always header_upstream -REMOTE_USER {%- for disabled_cookie in disabled_cookie_list %} # Remove cookie {{ disabled_cookie }} from client Cookies header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" {%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- if disable_via_header %} header_downstream -Via {%- endif %} {#- if disable_via_header #} {%- if disable_no_cache_header %} header_upstream -Cache-Control header_upstream -Pragma {%- endif %} {#- if disable_no_cache_header #} transparent timeout 600s {%- if ssl_proxy_verify %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} {%- else %} {#- if ssl_proxy_verify #} insecure_skip_verify {%- endif %} {#- if ssl_proxy_verify #} } {# proxy #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- if 'default-path' in slave_parameter %} redir 301 { if {path} is / / {scheme}://{host}/{{ slave_parameter.get('default-path') }} } {# redir #} {%- endif %} {#- if 'default-path' in slave_parameter #} rewrite { regexp (.*) to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1} } {# rewrite #} {%- elif slave_type == 'redirect' and backend_url %} {#- if slave_type == 'zope' and backend_url #} # Redirect configuration redir 302 { / {{ backend_url }}{uri} } {# redir #} {%- else %} {#- if slave_type == 'zope' and backend_url #} # Default configuration {%- if 'default-path' in slave_parameter %} redir 301 { if {path} is / / {scheme}://{host}/{{ slave_parameter.get('default-path') }} } {# redir #} {%- endif %} {#- if 'default-path' in slave_parameter #} {%- if backend_url %} {%- for (proxy_name, proxy_comment) in proxy_append_list %} # {{ proxy_comment }} proxy /{{ proxy_name }} {{ backend_url }} { {%- if proxy_name == 'prefer-gzip' %} without /prefer-gzip header_upstream Accept-Encoding gzip {%- endif %} {#- if proxy_name == 'prefer-gzip' #} # As backend is trusting REMOTE_USER header unset it always header_upstream -REMOTE_USER {%- for disabled_cookie in disabled_cookie_list %} # Remove cookie {{ disabled_cookie }} from client Cookies header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" {%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- if disable_via_header %} header_downstream -Via {%- endif %} {#- if disable_via_header #} {%- if disable_no_cache_header %} header_upstream -Cache-Control header_upstream -Pragma {%- endif %} {#- if disable_no_cache_header #} transparent timeout 600s {%- if ssl_proxy_verify %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} {%- else %} {#- if ssl_proxy_verify #} insecure_skip_verify {%- endif %} {#- if ssl_proxy_verify #} } {# proxy #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- endif %} {#- if backend_url #} {%- endif %} {#- if slave_type == 'zope' and backend_url #} } {# https_host_list|join(', ') #} # SSL-disabled hosts {{ http_host_list|join(', ') }} { bind {{ slave_parameter['local_ipv4'] }} # Compress the output gzip {%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %} status 501 / {%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #} log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" errors {{ slave_parameter.get('error_log') }} {%- if prefer_gzip %} rewrite { if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" to /prefer-gzip{uri} } {%- endif %} {#- if prefer_gzip #} {%- if https_only %} # Enforced redirection to SSL-enabled host redir / https://{host}{uri} {%- elif slave_type == 'redirect' and slave_parameter.get('url', '') %} {#- if https_only #} # Redirect configuration redir 302 { / {{ slave_parameter.get('url', '') }}{uri} } {# redir #} {%- elif slave_type == 'zope' and backend_url %} {#- if https_only #} # Zope configuration {%- for (proxy_name, proxy_comment) in proxy_append_list %} # {{ proxy_comment }} proxy /{{ proxy_name }} {{ backend_url }} { {%- if proxy_name == 'prefer-gzip' %} without /prefer-gzip header_upstream Accept-Encoding gzip {%- endif %} {#- if proxy_name == 'prefer-gzip' #} # As backend is trusting REMOTE_USER header unset it always header_upstream -REMOTE_USER {%- for disabled_cookie in disabled_cookie_list %} # Remove cookie {{ disabled_cookie }} from client Cookies header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" {%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- if disable_via_header %} header_downstream -Via {%- endif %} {#- if disable_via_header #} {%- if disable_no_cache_header %} header_upstream -Cache-Control header_upstream -Pragma {%- endif %} {#- if disable_no_cache_header #} transparent timeout 600s {%- if ssl_proxy_verify %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} {%- else %} {#- if ssl_proxy_verify #} insecure_skip_verify {%- endif %} {#- if ssl_proxy_verify #} } {# proxy #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- if 'default-path' in slave_parameter %} redir 301 { if {path} is / / {scheme}://{host}/{{ slave_parameter.get('default-path') }} } {# redir #} {%- endif %} {#- if 'default-path' in slave_parameter #} rewrite { regexp (.*) to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1} } {# rewrite #} {%- else %} {#- if https_only #} # Default configuration {%- if 'default-path' in slave_parameter %} redir 301 { if {path} is / / {scheme}://{host}/{{ slave_parameter.get('default-path') }} } {# redir #} {%- endif %} {#- if 'default-path' in slave_parameter #} {%- if slave_parameter.get('url', '') %} {%- for (proxy_name, proxy_comment) in proxy_append_list %} # {{ proxy_comment }} proxy /{{ proxy_name }} {{ slave_parameter.get('url', '') }} { {%- if proxy_name == 'prefer-gzip' %} without /prefer-gzip header_upstream Accept-Encoding gzip {%- endif %} {#- if proxy_name == 'prefer-gzip' #} # As backend is trusting REMOTE_USER header unset it always header_upstream -REMOTE_USER {%- for disabled_cookie in disabled_cookie_list %} # Remove cookie {{ disabled_cookie }} from client Cookies header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" {%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- if disable_via_header %} header_downstream -Via {%- endif %} {#- if disable_via_header #} {%- if disable_no_cache_header %} header_upstream -Cache-Control header_upstream -Pragma {%- endif %} {#- if disable_no_cache_header #} transparent timeout 600s {%- if ssl_proxy_verify %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %} {%- endif %} {#- if 'ssl_proxy_ca_crt' in slave_parameter #} {%- else %} {#- if ssl_proxy_verify #} insecure_skip_verify {%- endif %} {#- if ssl_proxy_verify #} } {# proxy #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- endif %} {#- if slave_parameter.get('url', '') #} {%- endif %} {#- if https_only #} } {# http_host_list|join(', ') #}