- 14 Jun, 2019 1 commit
Łukasz Nowak authored
In "caddy-frontend: Implement KeDiFa SSL information" the certificates were dropped from the schema, but still internally supported. This led to missing UI fields for still supported parameters. Reintroduced them with OBSOLETE mark.
/reviewed-on nexedi/slapos!574
-
- 28 May, 2019 1 commit
Łukasz Nowak authored
Some arguments need a Caddy process restart, so implement it with hash-files and also inform the master partition requester about parameters which will result in a process restart.
-
- 23 Apr, 2019 1 commit
Łukasz Nowak authored
There is no need anymore to have two processes for normal and nginx slaves, as nginx ones are served by caddy anyway. Also inform the requester that type:eventsource is not implemented.
-
- 13 Mar, 2019 3 commits
Łukasz Nowak authored
It is better to have automation similar to the previous implementation by default.
-
Łukasz Nowak authored
AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered by option automatic-internal-kedifa-caucase-csr. It signs all CSRs which match csr_id and certificate from the nodes which need them.
-
Łukasz Nowak authored
Use KeDiFa to store keys, and transmit the url to the requester for master and slave partitions. Download keys on the slave partitions level.
Use caucase to fetch main caucase CA. kedifa-caucase-url is published in order to have access to it. Note: caucase is prepended with kedifa, as this is that one.
Use kedifa-csr tool to generate CSR and use caucase-updater macro.
Switch to KeDiFa with SSL Auth and updated goodies.
KeDiFa endpoint URLs are randomised.
Only one (first) user certificate is going to be automatically accepted. This one shall be operated by the cluster owner, the requester of frontend master partition. Then he will be able to sign certificates for other users and also for services - so each node in the cluster.
Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line is used for one command generation of extensions in the certificate. Note: We could upgrade to openssl 1.1.1 in order to have it really simplified (see https://security.stackexchange.com/a/183973 ).
Improve CSR readability by creating cluster-identification, which is master partition title, and use it as Organization of the CSR.
Reserve slots for data exchange in KeDiFa.
-
- 08 Feb, 2019 1 commit
Łukasz Nowak authored
try_duration and try_interval are Caddy proxy's switches which allow dealing with a non-working backend (https://caddyserver.com/docs/proxy).
The non-working backend is the one to which the connection is lost or was not possible to make, without sending any data.
The default try_duration=5s and try_interval=250ms are chosen so that in normal network conditions (with all possible problems in the network, like lost packets) the browser will have to wait up to 5 seconds to be informed that the backend is inaccessible or for the request to start being processed, but only a bit more than 250ms if Caddy would have to reestablish the connection to a faulty backend.
In order to check it out it is advisable to set up a system with a real backend, like an apache one, and configure iptables to randomly reject packets to it:

    iptables -A INPUT -m statistic --mode random -p tcp --dport <backend_port> \
      --probability 0.05 -j REJECT --reject-with tcp-reset

Using ab or any other tool will result in a lot of 502 EOF in the Caddy error log, also reported by ab.
With this configuration there are no more errors visible to the client which come from the problems on the network between Caddy and the backend.
-
- 17 Jan, 2019 1 commit
Łukasz Nowak authored
One of the solutions for random 502 errors from caddy is to fully disable the HTTP2 protocol ( https://github.com/mholt/caddy/issues/1080 ).
We run Caddy with HTTP2 enabled by default, as we can enable/disable it per each slave, but in some environments it might be just better to fully avoid HTTP2 codepaths in Caddy.
/reviewed-on nexedi/slapos!495
-
- 20 Nov, 2018 1 commit
Łukasz Nowak authored
-
- 03 Sep, 2018 1 commit
Jérome Perrin authored
-
- 06 Aug, 2018 1 commit
Łukasz Nowak authored
/reviewed-on nexedi/slapos!368
-
- 28 Jun, 2018 1 commit
Łukasz Nowak authored
-