-
Jérome Perrin authored
Two main differences of haproxy are file format for certificates and logs. HAProxy also uses certificates in PEM format, but it expect its own server certificate and the key to be in the same file (although recent version seems to accept separate files, we don't use this now) and the CRL and CA certificates also all together in the same file. We change to use the same file for certificate and key and for CA and CRL, in the updater script we we build PEM files by containing all CA certificates and all CRL together. Also, since haproxy needs to be reloaded when certificate change, we run it in master-worker mode, with a pid file so that we can signal it to reload. For the logs, since haproxy does not log to file, we introduce a rsyslogd to log to a file. The log format is same as with httpd, except that timing are not in microseconds but in milliseconds - this did not seem to be configurable. This is a problem for apachedex reports on log, for that we plan to use an updated version of apachedex with support for `%{ms}T` for durations. HAProxy is configured with same timeouts, except: - "connect" timeout has been increased a bit (from 5 to 10s), because the comment "The connection should be immediate on LAN" was no longer true, now that haproxy is accessed from frontend. - the server entries for testrunner are a very long timeout (8h) because some ERP5 functional tests exceeed the 305s timeout. The SSL configuration is with current "modern" config from https://ssl-config.mozilla.org/ Tests have been modified a bit, because haproxy uses HTTP/2.0 and not 1.1 like httpd was doing several haproxy features (keep alive and gzip compression) are only available when backend uses HTTP/1.1, so we adjusted tests to use a 1.1 backend. There was also differences with logs, because of the time being in milliseconds. TestPublishedURLIsReachableMixin._checkERP5IsReachable was also updated, it was working by chance because when accessed behind httpd->haproxy->zope, zope was producing a redirect URL that was the URL of haproxy, which could be resolved by chance. This test was updated to access zope with a path that contains VirtualHostMonster magic, as the shared frontend ( with "zope" software type) is supposed to set. This should hopefuly solve the "502 Proxy Error" that we are observing with httpd.
944f60b3