Feature/caddy frontend path normalization

/reviewed-on nexedi/slapos!487

Feature/caddy frontend path normalization
/reviewed-on nexedi/slapos!487
c8ef7db5 · Łukasz Nowak · Łukasz Nowak · dddb4d20 · c8ef7db5 · c8ef7db5
Commit c8ef7db5 authored Dec 27, 2018 by Łukasz Nowak Committed by Łukasz Nowak Dec 30, 2018
3 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -58,7 +58,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b

 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = e21bf673c35f049e7457ec78de9a1964
+md5sum = 55d0ca695318d7d6111742f4b37fe1b8

 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in

--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
@@ -42,12 +42,25 @@
  log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}

-{%- if prefer_gzip and not (slave_type == 'zope' and backend_url) %}
+{%- if not (slave_type == 'zope' and backend_url) %}
+{%    if prefer_gzip %}
  rewrite {
+    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
-    to /prefer-gzip{uri}
+    to /prefer-gzip{1}
+  }
+  rewrite {
+    regexp (.*)
+    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
+    to {1}
+  }
+{%    else %}
+  rewrite {
+    regexp (.*)
+    to {1}
  }
-{%- endif %} {#- if prefer_gzip and not (slave_type == 'zope' and backend_url) #}
+{%    endif %}
+{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #}

 {%- if slave_type ==  'zope' and backend_url %}
  # Zope configuration
@@ -105,7 +118,7 @@
 {%- elif slave_type ==  'redirect' and backend_url %} {#- if slave_type ==  'zope' and backend_url #}
  # Redirect configuration
  redir 302 {
-    /  {{ backend_url }}{uri}
+    /  {{ backend_url }}{rewrite_uri}
  } {# redir #}
 {%- else %} {#- if slave_type ==  'zope' and backend_url #}
  # Default configuration
@@ -163,20 +176,33 @@
  log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}

-{%- if prefer_gzip and not (slave_type == 'zope' and backend_url) %}
+{%- if not (slave_type == 'zope' and backend_url) %}
+{%-   if prefer_gzip  %}
  rewrite {
+    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
-    to /prefer-gzip{uri}
+    to /prefer-gzip{1}
+  }
+  rewrite {
+    regexp (.*)
+    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
+    to {1}
+  }
+{%    else %}
+  rewrite {
+    regexp (.*)
+    to {1}
  }
-{%- endif %} {#- if prefer_gzip and not (slave_type == 'zope' and backend_url) #}
+{%    endif %}
+{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #}

 {%- if https_only %}
  # Enforced redirection to SSL-enabled host
-  redir / https://{host}{uri}
+  redir / https://{host}{rewrite_uri}
 {%- elif slave_type ==  'redirect' and slave_parameter.get('url', '') %} {#- if https_only #}
  # Redirect configuration
  redir 302 {
-    /  {{ slave_parameter.get('url', '') }}{uri}
+    /  {{ slave_parameter.get('url', '') }}{rewrite_uri}
  } {# redir #}
 {%- elif slave_type ==  'zope' and backend_url %} {#- if https_only #}
  # Zope configuration

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -1161,13 +1161,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    try:
      j = result.json()
@@ -1186,8 +1187,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqualResultJson(result_http, 'Path', '/test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')
+    self.assertEqualResultJson(result_http, 'Path', '/test-path/deeper')

    try:
      j = result_http.json()
@@ -1252,7 +1254,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
@@ -1262,7 +1265,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      result,
      'Path',
      '/VirtualHostBase/https//'
-      'typezopepath.example.com:443/path/VirtualHostRoot/test-path'
+      'typezopepath.example.com:443/path/VirtualHostRoot/test-path/deeper'
    )

  def test_type_zope_default_path(self):
@@ -1309,25 +1312,28 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    result = self.fakeHTTPSResult(
-      'alias1.example.com', parameter_dict['public-ipv4'], 'test-path')
+      'alias1.example.com', parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    result = self.fakeHTTPSResult(
-      'alias2.example.com', parameter_dict['public-ipv4'], 'test-path')
+      'alias2.example.com', parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
@@ -1525,19 +1531,21 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
-      'https://httpsonly.example.com/test-path',
+      'https://httpsonly.example.com/test-path/deeper',
      result_http.headers['Location']
    )

@@ -1631,7 +1639,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
@@ -1647,17 +1656,18 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      result,
      'Path',
      '/VirtualHostBase/https//typezope.example.com:443/'
-      '/VirtualHostRoot/test-path'
+      '/VirtualHostRoot/test-path/deeper'
    )

    result = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqualResultJson(
      result,
      'Path',
      '/VirtualHostBase/http//typezope.example.com:80/'
-      '/VirtualHostRoot/test-path'
+      '/VirtualHostRoot/test-path/deeper'
    )

  def test_type_zope_prefer_gzip_encoding_to_backend(self):
@@ -1678,7 +1688,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
@@ -1695,22 +1706,24 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'Path',
      '/VirtualHostBase/https//'
      'typezopeprefergzipencodingtobackend.example.com:443/'
-      '/VirtualHostRoot/test-path'
+      '/VirtualHostRoot/test-path/deeper'
    )

    result = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqualResultJson(
      result,
      'Path',
      '/VirtualHostBase/http//'
      'typezopeprefergzipencodingtobackend.example.com:80/'
-      '/VirtualHostRoot/test-path'
+      '/VirtualHostRoot/test-path/deeper'
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper',
      headers={'Accept-Encoding': 'gzip, deflate'})

    self.assertEqual(
@@ -1728,13 +1741,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'Path',
      '/VirtualHostBase/https//'
      'typezopeprefergzipencodingtobackend.example.com:443/'
-      '/VirtualHostRoot/test-path'
+      '/VirtualHostRoot/test-path/deeper'
    )
    self.assertEqual(
      'gzip', result.json()['Incoming Headers']['accept-encoding'])

    result = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper',
      headers={'Accept-Encoding': 'gzip, deflate'})

    self.assertEqualResultJson(
@@ -1742,7 +1756,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'Path',
      '/VirtualHostBase/http//'
      'typezopeprefergzipencodingtobackend.example.com:80/'
-      '/VirtualHostRoot/test-path'
+      '/VirtualHostRoot/test-path/deeper'
    )
    self.assertEqual(
      'gzip', result.json()['Incoming Headers']['accept-encoding'])
@@ -1821,7 +1835,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path',
      NGINX_HTTPS_PORT)

    self.assertEqual(
@@ -1830,6 +1845,17 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {

    self.assertEqualResultJson(result, 'Path', '/test-path')

+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test/terminals/websocket/test',
+      NGINX_HTTPS_PORT)
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqualResultJson(result, 'Path', '/terminals/websocket')
+
  @skip('Feature postponed')
  def test_type_websocket(self):
    # Pure websocket configurable frontend
@@ -1903,14 +1929,15 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

    self.assertEqual(
-      '%s/test-path' % (self.backend_url,),
+      '%s/test-path/deeper' % (self.backend_url,),
      result.headers['Location']
    )

@@ -2066,7 +2093,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
@@ -2078,7 +2106,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deeper')

    self.assertEqual(
      httplib.BAD_GATEWAY,
@@ -2105,13 +2134,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    headers = result.headers.copy()

@@ -2472,13 +2502,14 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    headers = result.headers.copy()

@@ -2760,40 +2791,44 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper',
      headers={'Accept-Encoding': 'gzip, deflate'})

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    self.assertEqual(
      'gzip', result.json()['Incoming Headers']['accept-encoding'])

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper',
      headers={'Accept-Encoding': 'deflate'})

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    self.assertEqual(
      'deflate', result.json()['Incoming Headers']['accept-encoding'])

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

-    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')

  def test_disabled_cookie_list(self):
    parameter_dict = self.parseSlaveParameterDict('disabled-cookie-list')
@@ -3018,17 +3053,19 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )

    result = self.fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')

    self.assertEqual(
      self.certificate_pem,
      der2pem(result.peercert))

-    self.assertEqualResultJson(result, 'Path', '/https/test-path')
+    self.assertEqualResultJson(result, 'Path', '/https/test-path/deeper')

    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqualResultJson(result_http, 'Path', '/http/test-path')
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')
+    self.assertEqualResultJson(result_http, 'Path', '/http/test-path/deeper')


 class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):