Commit d413298d authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Rafael Monnerat

caddy-frontend: Improve generated files

Features:

 * amend configuration with comments
 * drop obsolete comments from Apache copy
 * remove not needed whitespaces
 * use indentation for conditionals in Jinja2
parent c2220e22
...@@ -15,7 +15,6 @@ Generally things to be done with ``caddy-frontend``: ...@@ -15,7 +15,6 @@ Generally things to be done with ``caddy-frontend``:
* ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store` * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store`
* ``check-error-on-caddy-log`` like ``check-error-on-apache-log`` * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
* cover test suite like resilient tests for KVM and prove it works the same way as Caddy * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
* make beautiful (eg. with whitespaces and nice comments) generated files (mostly Jinja2)
* have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones (like ``apache_custom_http`` --> ``caddy_custom_http``) * have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones (like ``apache_custom_http`` --> ``caddy_custom_http``)
* change ``switch-softwaretype`` to way how ``software/erp5`` does, which will help with dropping jinja2 template for ``caddy-wrapper``, which is workaround for current situation https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_62678 * change ``switch-softwaretype`` to way how ``software/erp5`` does, which will help with dropping jinja2 template for ``caddy-wrapper``, which is workaround for current situation https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_62678
* use `slapos!326 <https://lab.nexedi.com/nexedi/slapos/merge_requests/326>`_ instead of self-developed graceful restart scripts * use `slapos!326 <https://lab.nexedi.com/nexedi/slapos/merge_requests/326>`_ instead of self-developed graceful restart scripts
......
...@@ -38,7 +38,7 @@ md5sum = 8d318af17da5631d4242c0d6d1531066 ...@@ -38,7 +38,7 @@ md5sum = 8d318af17da5631d4242c0d6d1531066
[template-caddy-frontend-configuration] [template-caddy-frontend-configuration]
filename = templates/Caddyfile.in filename = templates/Caddyfile.in
md5sum = 924d3bb528f590916552534934c604a2 md5sum = 9404959e500a868aab1a217503117047
[template-custom-slave-list] [template-custom-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
...@@ -50,11 +50,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b ...@@ -50,11 +50,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost] [template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in filename = templates/default-virtualhost.conf.in
md5sum = b524304177e7854232aa43bed98ddbfd md5sum = fa7dc8481f0c3066045c1dd5a8a3191a
[template-cached-slave-virtualhost] [template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in filename = templates/cached-virtualhost.conf.in
md5sum = 5aab4c15189a39837f56d4f442b233c6 md5sum = bfcc2bcfe9151b9d3f25c4616e2c4f4f
[template-log-access] [template-log-access]
filename = templates/template-log-access.conf.in filename = templates/template-log-access.conf.in
...@@ -82,7 +82,7 @@ md5sum = 117238225b3fc3c5b5be381815f44c67 ...@@ -82,7 +82,7 @@ md5sum = 117238225b3fc3c5b5be381815f44c67
[template-nginx-configuration] [template-nginx-configuration]
filename = templates/nginx.cfg.in filename = templates/nginx.cfg.in
md5sum = b1d6bac767db77ad1662edd06aabdf49 md5sum = fadb2fcaf0f2b4fe735617fac222f7ed
[template-nginx-eventsource-slave-virtualhost] [template-nginx-eventsource-slave-virtualhost]
filename = templates/nginx-eventsource-slave.conf.in filename = templates/nginx-eventsource-slave.conf.in
...@@ -90,7 +90,7 @@ md5sum = 69d65e461cd7cd5ef5b1ccd0098b50c8 ...@@ -90,7 +90,7 @@ md5sum = 69d65e461cd7cd5ef5b1ccd0098b50c8
[template-nginx-notebook-slave-virtualhost] [template-nginx-notebook-slave-virtualhost]
filename = templates/nginx-notebook-slave.conf.in filename = templates/nginx-notebook-slave.conf.in
md5sum = 753e87647d1ed4655432393bba062d3f md5sum = b97ec5b84d5e0d3a76871c15b5bcce2e
[template-apache-lazy-script-call] [template-apache-lazy-script-call]
filename = templates/apache-lazy-script-call.sh.in filename = templates/apache-lazy-script-call.sh.in
......
# Automatically generated # Main caddy configuration file
import {{frontend_configuration.get('log-access-configuration')}} import {{frontend_configuration.get('log-access-configuration')}}
import {{ slave_configuration_directory }}/*.conf import {{ slave_configuration_directory }}/*.conf
import {{ slave_with_cache_configuration_directory }}/*.conf import {{ slave_with_cache_configuration_directory }}/*.conf
# Catch-all and 404 for not configured instances
:{{ https_port }} { :{{ https_port }} {
tls {{ login_certificate }} {{ login_key }} tls {{ login_certificate }} {{ login_key }}
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
...@@ -14,6 +15,16 @@ import {{ slave_with_cache_configuration_directory }}/*.conf ...@@ -14,6 +15,16 @@ import {{ slave_with_cache_configuration_directory }}/*.conf
} }
} }
:{{ http_port }} {
bind {{ local_ipv4 }}
status 404 /
log / {{ access_log }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ error_log }} {
* {{ not_found_file }}
}
}
# Access to server-status Caddy-style
https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status { https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
tls {{ login_certificate }} {{ login_key }} tls {{ login_certificate }} {{ login_key }}
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
...@@ -28,12 +39,3 @@ https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv ...@@ -28,12 +39,3 @@ https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv
* {{ not_found_file }} * {{ not_found_file }}
} }
} }
:{{ http_port }} {
bind {{ local_ipv4 }}
status 404 /
log / {{ access_log }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ error_log }} {
* {{ not_found_file }}
}
}
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] %} {%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
{% set server_alias_list = slave_parameter.get('server-alias', '').split() %} {%- set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES %} {%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES %}
{% set host_list = [slave_parameter.get('custom_domain')] + server_alias_list %} {%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list %}
{% set http_backend_host_list = [] %} {%- set http_backend_host_list = [] %}
{% set https_backend_host_list = [] %} {%- set https_backend_host_list = [] %}
{% for host in host_list %} {%- for host in host_list %}
{% do http_backend_host_list.append('http://%s:%s' % (host, cached_port)) %} {%- do http_backend_host_list.append('http://%s:%s' % (host, cached_port)) %}
{% do https_backend_host_list.append('http://%s:%s' % (host, ssl_cached_port)) %} {%- do https_backend_host_list.append('http://%s:%s' % (host, ssl_cached_port)) %}
{% endfor %} {%- endfor %}
# Only accept generic (i.e not Zope) backends on http # SSL-disabled backends
{{ http_backend_host_list|join(', ') }} { {{ http_backend_host_list|join(', ') }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
{% if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %} {%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 / status 501 /
{% endif %} {%- endif %}
# Rewrite part # Rewrite part
proxy / {{ slave_parameter.get('backend_url', '') }} { proxy / {{ slave_parameter.get('backend_url', '') }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
...@@ -22,30 +22,31 @@ ...@@ -22,30 +22,31 @@
transparent transparent
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %}
{% endif %} {%- endif %}
{% else %} {%- else %}
insecure_skip_verify insecure_skip_verify
{% endif %} {%- endif %}
} }
} }
# SSL-enabled backends
{{ https_backend_host_list|join(', ') }} { {{ https_backend_host_list|join(', ') }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
{% if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %} {%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 / status 501 /
{% endif %} {%- endif %}
proxy / {{ slave_parameter.get('https_backend_url', '') }} { proxy / {{ slave_parameter.get('https_backend_url', '') }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER header_upstream -REMOTE_USER
transparent transparent
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %}
{% endif %} {%- endif %}
{% else %} {%- else %}
insecure_skip_verify insecure_skip_verify
{% endif %} {%- endif %}
} }
} }
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] %} {%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
{% set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES %} {%- set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES %}
{% set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES %} {%- set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES %}
{% set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES %} {%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES %}
{% set server_alias_list = slave_parameter.get('server-alias', '').split() %} {%- set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{% set enable_h2 = ('' ~ slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default'])).lower() in TRUE_VALUES %} {%- set enable_h2 = ('' ~ slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default'])).lower() in TRUE_VALUES %}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES %} {%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES %}
{% set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %} {%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %}
{% set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES %} {%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES %}
{% set slave_type = slave_parameter.get('type', '') %} {%- set slave_type = slave_parameter.get('type', '') %}
{% set host_list = [slave_parameter.get('custom_domain')] + server_alias_list %} {%- set host_list = [slave_parameter.get('custom_domain')] + server_alias_list %}
{% set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')) %} {%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')) %}
{% set http_host_list = [] %} {%- set http_host_list = [] %}
{% set https_host_list = [] %} {%- set https_host_list = [] %}
{% for host in host_list %} {%- for host in host_list %}
{% do http_host_list.append('http://%s:%s' % (host, http_port)) %} {%- do http_host_list.append('http://%s:%s' % (host, http_port)) %}
{% do https_host_list.append('https://%s:%s' % (host, https_port)) %} {%- do https_host_list.append('https://%s:%s' % (host, https_port)) %}
{% endfor %} {%- endfor %}
# SSL enabled hosts
{{ https_host_list|join(', ') }} { {{ https_host_list|join(', ') }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
{% if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %} {%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 / status 501 /
{% endif %} {%- endif %}
tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} { tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{% if slave_parameter.get('path_to_ssl_ca_crt') %} {%- if slave_parameter.get('path_to_ssl_ca_crt') %}
# Configuration of accepted clients
clients {{ slave_parameter.get('path_to_ssl_ca_crt') }} clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
{% endif %} {%- endif %}
{% if enable_h2 %} {%- if enable_h2 %}
# Allow HTTP2
alpn h2 http/1.1 alpn h2 http/1.1
{% else %} {%- else %}
# Disallow HTTP2
alpn http/1.1 alpn http/1.1
{% endif %} {%- endif %}
} }
log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
{% for disabled_cookie in disabled_cookie_list %} {%- for disabled_cookie in disabled_cookie_list %}
{% endfor %} {%- endfor %}
{% if prefer_gzip %} {%- if prefer_gzip %}
{% endif %} {%- endif %}
{% if slave_type == 'zope' and backend_url %} {%- if slave_type == 'zope' and backend_url %}
# Zope configuration
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER header_upstream -REMOTE_USER
{% if disable_via_header %} {%- if disable_via_header %}
header_downstream -Via header_downstream -Via
{% endif %} {%- endif %}
{% if disable_no_cache_header %} {%- if disable_no_cache_header %}
header_upstream -Cache-Control header_upstream -Cache-Control
header_upstream -Pragma header_upstream -Pragma
{% endif %} {%- endif %}
transparent transparent
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %}
{% endif %} {%- endif %}
{% else %} {%- else %}
insecure_skip_verify insecure_skip_verify
{% endif %} {%- endif %}
} }
{% if 'default-path' in slave_parameter %} {%- if 'default-path' in slave_parameter %}
redir 301 { redir 301 {
if {path} is / if {path} is /
/ {scheme}://{host}/{{ slave_parameter.get('default-path') }} / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
} }
{% endif %} {%- endif %}
rewrite { rewrite {
regexp (.*) regexp (.*)
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
} }
{% elif slave_type == 'redirect' and backend_url %} {%- elif slave_type == 'redirect' and backend_url %}
# Redirect configuration
redir 302 { redir 302 {
/ {{ backend_url }}{uri} / {{ backend_url }}{uri}
} }
{% else %} {%- else %}
{% if 'default-path' in slave_parameter %} # Default configuration
{%- if 'default-path' in slave_parameter %}
redir 301 { redir 301 {
if {path} is / if {path} is /
/ {scheme}://{host}/{{ slave_parameter.get('default-path') }} / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
} }
{% endif %} {%- endif %}
{% if backend_url %} {%- if backend_url %}
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER header_upstream -REMOTE_USER
{% if disable_via_header %} {%- if disable_via_header %}
header_downstream -Via header_downstream -Via
{% endif %} {%- endif %}
{% if disable_no_cache_header %} {%- if disable_no_cache_header %}
header_upstream -Cache-Control header_upstream -Cache-Control
header_upstream -Pragma header_upstream -Pragma
{% endif %} {%- endif %}
transparent transparent
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %}
{% endif %} {%- endif %}
{% else %} {%- else %}
insecure_skip_verify insecure_skip_verify
{% endif %} {%- endif %}
} }
{% endif %} {%- endif %}
{% endif %} {%- endif %}
} }
# SSL-disabled hosts
{{ http_host_list|join(', ') }} { {{ http_host_list|join(', ') }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
{% if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %} {%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
status 501 / status 501 /
{% endif %} {%- endif %}
log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
{% for disabled_cookie in disabled_cookie_list %} {%- for disabled_cookie in disabled_cookie_list %}
{% endfor %} {%- endfor %}
{% if prefer_gzip %} {%- if prefer_gzip %}
{% endif %} {%- endif %}
{% if https_only %} {%- if https_only %}
# Enforced redirection to SSL-enabled host
redir / https://{host}{uri} redir / https://{host}{uri}
{% elif slave_type == 'redirect' and slave_parameter.get('url', '') %} {%- elif slave_type == 'redirect' and slave_parameter.get('url', '') %}
# Redirect configuration
redir 302 { redir 302 {
/ {{ slave_parameter.get('url', '') }}{uri} / {{ slave_parameter.get('url', '') }}{uri}
} }
{% elif slave_type == 'zope' and backend_url %} {%- elif slave_type == 'zope' and backend_url %}
# Zope configuration
proxy / {{ backend_url }} { proxy / {{ backend_url }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER header_upstream -REMOTE_USER
{% if disable_via_header %} {%- if disable_via_header %}
header_downstream -Via header_downstream -Via
{% endif %} {%- endif %}
{% if disable_no_cache_header %} {%- if disable_no_cache_header %}
header_upstream -Cache-Control header_upstream -Cache-Control
header_upstream -Pragma header_upstream -Pragma
{% endif %} {%- endif %}
transparent transparent
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %}
{% endif %} {%- endif %}
{% else %} {%- else %}
insecure_skip_verify insecure_skip_verify
{% endif %} {%- endif %}
} }
{% if 'default-path' in slave_parameter %} {%- if 'default-path' in slave_parameter %}
redir 301 { redir 301 {
if {path} is / if {path} is /
/ {scheme}://{host}/{{ slave_parameter.get('default-path') }} / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
} }
{% endif %} {%- endif %}
rewrite { rewrite {
regexp (.*) regexp (.*)
to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}%2F{{ slave_parameter.get('path', '') }}%2FVirtualHostRoot/{1}
} }
{% else %} {%- else %}
{% if 'default-path' in slave_parameter %} # Default configuration
{%- if 'default-path' in slave_parameter %}
redir 301 { redir 301 {
if {path} is / if {path} is /
/ {scheme}://{host}/{{ slave_parameter.get('default-path') }} / {scheme}://{host}/{{ slave_parameter.get('default-path') }}
} }
{% endif %} {%- endif %}
{% if slave_parameter.get('url', '') %} {%- if slave_parameter.get('url', '') %}
proxy / {{ slave_parameter.get('url', '') }} { proxy / {{ slave_parameter.get('url', '') }} {
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting REMOTE_USER header unset it always
header_upstream -REMOTE_USER header_upstream -REMOTE_USER
{% if disable_via_header %} {%- if disable_via_header %}
header_downstream -Via header_downstream -Via
{% endif %} {%- endif %}
{% if disable_no_cache_header %} {%- if disable_no_cache_header %}
header_upstream -Cache-Control header_upstream -Cache-Control
header_upstream -Pragma header_upstream -Pragma
{% endif %} {%- endif %}
transparent transparent
timeout 600s timeout 600s
{% if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
{% if 'ssl_proxy_ca_crt' in slave_parameter %} {%- if 'ssl_proxy_ca_crt' in slave_parameter %}
{% endif %} {%- endif %}
{% else %} {%- else %}
insecure_skip_verify insecure_skip_verify
{% endif %} {%- endif %}
} }
{% endif %} {%- endif %}
{% endif %} {%- endif %}
# If nothing exist : put a nice error
# ErrorDocument 404 /notfound.html
# Dadiboom
} }
{% set url = slave_parameter.get('url') %} {%- set url = slave_parameter.get('url') %}
{% set https_url = slave_parameter.get('https-url', url) %} {%- set https_url = slave_parameter.get('https-url', url) %}
{% if url.startswith("http://") or url.startswith("https://") %} {%- if url.startswith("http://") or url.startswith("https://") %}
{% set upstream = url.split("/")[2] %} {%- set upstream = url.split("/")[2] %}
{% set https_upstream = https_url.split("/")[2] %} {%- set https_upstream = https_url.split("/")[2] %}
# SSL-enabled
https://{{ slave_parameter.get('custom_domain') }}:{{ nginx_https_port }} { https://{{ slave_parameter.get('custom_domain') }}:{{ nginx_https_port }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
errors {{ slave_parameter.get('error_log') }} errors {{ slave_parameter.get('error_log') }}
tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} { tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{% if slave_parameter.get('path_to_ssl_ca_crt') %} {%- if slave_parameter.get('path_to_ssl_ca_crt') %}
clients {{ slave_parameter.get('path_to_ssl_ca_crt') }} clients {{ slave_parameter.get('path_to_ssl_ca_crt') }}
{% endif %} {%- endif %}
alpn http/1.1 alpn http/1.1
} }
...@@ -33,6 +34,7 @@ https://{{ slave_parameter.get('custom_domain') }}:{{ nginx_https_port }} { ...@@ -33,6 +34,7 @@ https://{{ slave_parameter.get('custom_domain') }}:{{ nginx_https_port }} {
} }
} }
# SSL-disabled
http://{{ slave_parameter.get('custom_domain') }}:{{ nginx_http_port }} { http://{{ slave_parameter.get('custom_domain') }}:{{ nginx_http_port }} {
bind {{ local_ipv4 }} bind {{ local_ipv4 }}
log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
...@@ -54,4 +56,4 @@ http://{{ slave_parameter.get('custom_domain') }}:{{ nginx_http_port }} { ...@@ -54,4 +56,4 @@ http://{{ slave_parameter.get('custom_domain') }}:{{ nginx_http_port }} {
insecure_skip_verify insecure_skip_verify
} }
} }
{% endif %} {%- endif %}
...@@ -57,6 +57,7 @@ ...@@ -57,6 +57,7 @@
import {{ slave_configuration_directory }}/*.conf import {{ slave_configuration_directory }}/*.conf
# Catch-all and 404 for not configured instances
:{{ port }} { :{{ port }} {
tls {{ ssl_certificate }} {{ ssl_key }} tls {{ ssl_certificate }} {{ ssl_key }}
bind {{ local_ip }} bind {{ local_ip }}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment