Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Ivan Tyagov
slapos
Commits
631aab21
Commit
631aab21
authored
Jun 15, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
fixup! stack/erp5: support frontend-caucase-url-list option.
parent
b1904514
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
36 additions
and
18 deletions
+36
-18
software/erp5/test/test/test_balancer.py
software/erp5/test/test/test_balancer.py
+29
-11
stack/erp5/buildout.hash.cfg
stack/erp5/buildout.hash.cfg
+2
-2
stack/erp5/instance-balancer.cfg.in
stack/erp5/instance-balancer.cfg.in
+5
-4
stack/erp5/instance-erp5.cfg.in
stack/erp5/instance-erp5.cfg.in
+0
-1
No files found.
software/erp5/test/test/test_balancer.py
View file @
631aab21
...
...
@@ -4,6 +4,7 @@ from slapos.testing.utils import findFreeTCPPort
from
BaseHTTPServer
import
HTTPServer
from
BaseHTTPServer
import
BaseHTTPRequestHandler
import
OpenSSL.SSL
from
cryptography.hazmat.backends
import
default_backend
from
cryptography.hazmat.primitives
import
serialization
,
hashes
from
cryptography.hazmat.primitives.asymmetric
import
rsa
...
...
@@ -237,10 +238,19 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
'apachedex-configuration'
:
''
,
'apachedex-promise-threshold'
:
100
,
'haproxy-server-check-path'
:
'/'
,
'zope-family-dict'
:
{
'default'
:
[
'dummy_http_server'
]},
'zope-family-dict'
:
{
'default'
:
[
'dummy_http_server'
],
'default-auth'
:
[
'dummy_http_server'
],
},
'dummy_http_server'
:
[[
cls
.
http_server_netloc
,
1
,
False
]],
'backend-path-dict'
:
{
'default'
:
'/'
},
'ssl-authentication-dict'
:
{
'default'
:
False
},
'backend-path-dict'
:
{
'default'
:
'/'
,
'default-auth'
:
'/'
,
},
'ssl-authentication-dict'
:
{
'default'
:
False
,
'default-auth'
:
True
,
},
'ssl'
:
{
'caucase-url'
:
cls
.
backend_caucased_url
,
'frontend-caucase-url-list'
:
[
cls
.
frontend_caucased_url
],
...
...
@@ -264,14 +274,15 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
super
(
TestFrontendXForwardedFor
,
cls
).
_cleanup
(
snapshot_name
)
def
test_x_forwarded_for_added_when_verified_connection
(
self
):
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default'
]
result
=
requests
.
get
(
balancer_url
,
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
cert
=
self
.
client_certificate
,
verify
=
False
,
).
json
()
self
.
assertEqual
(
result
[
'Incoming Headers'
].
get
(
'x-forwarded-for'
).
split
(
', '
)[
0
],
'1.2.3.4'
)
for
backend
in
(
'default'
,
'default-auth'
):
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
backend
]
result
=
requests
.
get
(
balancer_url
,
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
cert
=
self
.
client_certificate
,
verify
=
False
,
).
json
()
self
.
assertEqual
(
result
[
'Incoming Headers'
].
get
(
'x-forwarded-for'
).
split
(
', '
)[
0
],
'1.2.3.4'
)
def
test_x_forwarded_for_stripped_when_not_verified_connection
(
self
):
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default'
]
...
...
@@ -281,3 +292,10 @@ class TestFrontendXForwardedFor(ERP5InstanceTestCase):
verify
=
False
,
).
json
()
self
.
assertNotEqual
(
result
[
'Incoming Headers'
].
get
(
'x-forwarded-for'
).
split
(
', '
)[
0
],
'1.2.3.4'
)
balancer_url
=
json
.
loads
(
self
.
computer_partition
.
getConnectionParameterDict
()[
'_'
])[
'default-auth'
]
with
self
.
assertRaises
(
OpenSSL
.
SSL
.
Error
):
requests
.
get
(
balancer_url
,
headers
=
{
'X-Forwarded-For'
:
'1.2.3.4'
},
verify
=
False
,
)
stack/erp5/buildout.hash.cfg
View file @
631aab21
...
...
@@ -78,7 +78,7 @@ md5sum = d41d8cd98f00b204e9800998ecf8427e
[template-erp5]
filename = instance-erp5.cfg.in
md5sum =
038c367b7c4249d854bb0535891f29b3
md5sum =
82dc695e212be124d60ceb1143e56b0d
[template-zeo]
filename = instance-zeo.cfg.in
...
...
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
[template-balancer]
filename = instance-balancer.cfg.in
md5sum =
e2d2a94caed4d8a45912cd37a96a08f6
md5sum =
0097e49b5bd7ad4978c722c1cdd27d6c
[template-haproxy-cfg]
filename = haproxy.cfg.in
...
...
stack/erp5/instance-balancer.cfg.in
View file @
631aab21
...
...
@@ -2,6 +2,7 @@
{% set part_list = [] -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
{#
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
per partition. No more (undefined result), no less (IndexError).
...
...
@@ -39,7 +40,7 @@ mode = 644
{% do section('caucase-updater-promise') -%}
{% set frontend_caucase_url_hash_list = [] -%}
{% for frontend_caucase_url in
ssl_parameter_dict['frontend-caucase-url-list']
-%}
{% for frontend_caucase_url in
frontend_caucase_url_list
-%}
{% set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
{% do frontend_caucase_url_hash_list.append(hash) -%}
{% set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
...
...
@@ -181,7 +182,7 @@ key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem
{% if
ssl_parameter_dict['frontend-caucase-url-list']
-%}
{% if
frontend_caucase_url_list
-%}
depends = ${caucase-updater-housekeeper-run:recipe}
ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
...
...
@@ -231,7 +232,7 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if
ssl_parameter_dict['frontend-caucase-url-list']
-%}
{% if
frontend_caucase_url_list
-%}
# Client x509 auth
ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl-dir = ${apache-conf-ssl:crl-dir}
...
...
@@ -288,7 +289,7 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
[directory]
recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache
{% if
ssl_parameter_dict['frontend-caucase-url-list']
-%}
{% if
frontend_caucase_url_list
-%}
apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl
{% endif -%}
...
...
stack/erp5/instance-erp5.cfg.in
View file @
631aab21
...
...
@@ -98,7 +98,6 @@ backup-caucased = ${:srv}/backup/caucased
{% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
{% set balancer_dict = slapparameter_dict.get('balancer', {}) -%}
{% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
{% do balancer_dict['ssl'].setdefault('frontend-caucase-url-list', []) -%}
{{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
{{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment