Commit 4756684b authored by Cédric Le Ninivin's avatar Cédric Le Ninivin

Introduce new architecture for apache frontend

parent e7628a27
...@@ -87,8 +87,6 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javasc ...@@ -87,8 +87,6 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javasc
BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent
# SSL Configuration # SSL Configuration
%(ssl_snippet)s %(ssl_snippet)s
...@@ -146,9 +144,6 @@ Header append Vary User-Agent ...@@ -146,9 +144,6 @@ Header append Vary User-Agent
ProxyTimeout 600 ProxyTimeout 600
RewriteEngine On RewriteEngine On
# Remove "Secure" from cookies, as backend may be https
Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
# Include configuration file not operated by slapos. This file won't be erased # Include configuration file not operated by slapos. This file won't be erased
# or changed when slapgrid is ran. It can be freely customized by node admin. # or changed when slapgrid is ran. It can be freely customized by node admin.
# Include %(custom_apache_virtualhost_conf)s # Include %(custom_apache_virtualhost_conf)s
# Apache configuration file for Zope
# Automatically generated
# Basic server configuration
PidFile "%(pid_cache_file)s"
ServerName %(server_name)s
DocumentRoot %(document_root)s
ServerRoot %(instance_home)s
ServerAdmin %(server_admin)s
DefaultType text/plain
TypesConfig %(httpd_home)s/conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# As backend is trusting REMOTE_USER header unset it always
RequestHeader unset REMOTE_USER
ServerTokens Prod
# Log configuration
ErrorLog "%(error_cache_log)s"
LogLevel warn
# LogFormat "%%h %%{REMOTE_USER}i %%{Host}i %%l %%u %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\"" combined
# LogFormat "%%h %%{REMOTE_USER}i %%{Host}i %%l %%u %%t \"%%r\" %%>s %%b" common
# CustomLog "%(access_log)s" common
LogFormat "%%h %%l %%{REMOTE_USER}i %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\" %%D" combined
CustomLog "%(access_cache_log)s" combined
# List of modules
#LoadModule unixd_module modules/
#LoadModule access_compat_module modules/
#LoadModule authz_core_module modules/
LoadModule authz_host_module %(httpd_home)s/modules/
LoadModule log_config_module %(httpd_home)s/modules/
LoadModule deflate_module %(httpd_home)s/modules/
LoadModule setenvif_module %(httpd_home)s/modules/
LoadModule version_module %(httpd_home)s/modules/
LoadModule proxy_module %(httpd_home)s/modules/
LoadModule proxy_http_module %(httpd_home)s/modules/
LoadModule ssl_module %(httpd_home)s/modules/
LoadModule mime_module %(httpd_home)s/modules/
LoadModule dav_module %(httpd_home)s/modules/
LoadModule dav_fs_module %(httpd_home)s/modules/
LoadModule negotiation_module %(httpd_home)s/modules/
LoadModule rewrite_module %(httpd_home)s/modules/
LoadModule headers_module %(httpd_home)s/modules/
LoadModule cache_module %(httpd_home)s/modules/
LoadModule mem_cache_module %(httpd_home)s/modules/
LoadModule antiloris_module %(httpd_home)s/modules/
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
# Cache directives
CacheEnable mem /
CacheDefaultExpire 3600
MCacheSize 8192
MCacheMaxObjectCount 1000
MCacheMaxObjectSize 8192
MCacheRemovalAlgorithm LRU
# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# SSL Configuration
# Only accept generic (i.e not Zope) backends on http
<VirtualHost *:%(plain_cached_port)s>
SSLProxyEngine on
# Rewrite part
ProxyVia On
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
# Include configuration file not operated by slapos. This file won't be erased
# or changed when slapgrid is ran. It can be freely customized by node admin.
# Include %(custom_apache_virtualhost_conf)s
RewriteMap apachemapcached txt:%(apachecachedmap_path)s
RewriteCond ${apachemapcached:%%{SERVER_NAME}} >""
RewriteRule ^/(.*)$ ${apachemapcached:%%{SERVER_NAME}}/$1 [L,P]
# If nothing exist : put a nice error
ErrorDocument 404 /notfound.html
## Include configuration file not operated by slapos. This file won't be erased
## or changed when slapgrid is ran. It can be freely customized by node admin.
#Include %(custom_apache_cached_conf)s
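Review bot: `SSLProxyEngine on` in the new cached virtual host has no `SSLProxyVerify` or `SSLProxyCACertificateFile` beside it in the visible template, and mod_ssl's default for `SSLProxyVerify` is `none`, so a `[P]` rewrite to an https target from the `apachemapcached` map would accept whatever certificate the backend presents. The comment above the virtual host says only http backends are accepted; if that holds, drop `SSLProxyEngine on`, otherwise add `SSLProxyVerify require` and `SSLProxyCACertificateFile <path to backend CA bundle>` next to it. Separately, `CacheEnable mem /` caches every mapped host from the root with no `CacheDisable` exclusions and no `CacheIgnoreHeaders Set-Cookie`, so confirm that backends mark per-user responses as non-cacheable before a shared frontend serves them from memory.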
...@@ -37,7 +37,7 @@ cronstamps = $${:etc}/cronstamps ...@@ -37,7 +37,7 @@ cronstamps = $${:etc}/cronstamps
ca-dir = $${:srv}/ssl ca-dir = $${:srv}/ssl
squid-cache = $${:srv}/squid_cache squid-cache = $${:srv}/squid_cache
stunnel-conf = $${:etc}/stunnel
[instance-parameter] [instance-parameter]
# Fetches parameters defined in SlapOS Master for this instance. # Fetches parameters defined in SlapOS Master for this instance.
...@@ -79,6 +79,9 @@ ca_crl = $${certificate-authority:ca-crl} ...@@ -79,6 +79,9 @@ ca_crl = $${certificate-authority:ca-crl}
access-log = $${directory:log}/frontend-apache-access.log access-log = $${directory:log}/frontend-apache-access.log
error-log = $${directory:log}/frontend-apache-error.log error-log = $${directory:log}/frontend-apache-error.log
pid-file = $${directory:run}/ pid-file = $${directory:run}/
cache-access-log = $${directory:log}/frontend-apache-access-cached.log
cache-error-log = $${directory:log}/frontend-apache-error-cached.log
cache-pid-file = $${directory:run}/
# Create wrapper for "apachectl conftest" in bin # Create wrapper for "apachectl conftest" in bin
...@@ -106,40 +109,15 @@ certs = $${directory:ca-dir}/certs/ ...@@ -106,40 +109,15 @@ certs = $${directory:ca-dir}/certs/
newcerts = $${directory:ca-dir}/newcerts/ newcerts = $${directory:ca-dir}/newcerts/
crl = $${directory:ca-dir}/crl/ crl = $${directory:ca-dir}/crl/
[ca-frontend] #[ca-frontend]
<= certificate-authority #<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request #recipe = slapos.cookbook:certificate_authority.request
key-file = $${cadirectory:certs}/apache_frontend.key #key-file = $${cadirectory:certs}/apache_frontend.key
cert-file = $${cadirectory:certs}/apache_frontend.crt #cert-file = $${cadirectory:certs}/apache_frontend.crt
executable = $${directory:service}/apache_frontend #executable = $${directory:service}/apache_frontend
wrapper = $${directory:service}/apache_frontend #wrapper = $${directory:service}/apache_frontend
# Put domain name ## Put domain name
name = $${instance-parameter:configuration.domain} #name = $${instance-parameter:configuration.domain}
<= certificate-authority
recipe = slapos.cookbook:certificate_authority.request
key-file = $${directory:stunnel-conf}/stunnel.key
cert-file = $${directory:stunnel-conf}/stunnel.crt
executable = $${stunnel:wrapper}
wrapper = $${basedirectory:services}/stunnel
recipe = slapos.cookbook:stunnel
stunnel-binary = ${stunnel:location}/bin/stunnel
wrapper = $${directory:bin}/stunnel
log-file = $${directory:log}/stunnel.log
config-file = $${directory:etc}/stunnel.conf
key-file = $${ca-stunnel:key-file}
cert-file = $${ca-stunnel:cert-file}
pid-file = $${directory:run}/
local-port = $${squid-hardcoded:backend-port}
local-host = $${squid-hardcoded:backend-ip}
remote-host = $${squid-hardcoded:remote-host}
remote-port = $${squid-hardcoded:remote-port}
client = false
post-rotate-script = $${directory:bin}/stunnel_post_rotate
[cron] [cron]
recipe = slapos.cookbook:cron recipe = slapos.cookbook:cron
...@@ -182,7 +160,7 @@ recipe = slapos.cookbook:logrotate.d ...@@ -182,7 +160,7 @@ recipe = slapos.cookbook:logrotate.d
name = apache name = apache
log = $${apache:error-log} $${apache:access-log} log = $${apache:error-log} $${apache:access-log}
frequency = daily frequency = daily
rotate-num = 30 rotatep-num = 30
post = ${buildout:bin-directory}/killpidfromfile $${apache:pid-file} SIGUSR1 post = ${buildout:bin-directory}/killpidfromfile $${apache:pid-file} SIGUSR1
sharedscripts = true sharedscripts = true
notifempty = true notifempty = true
...@@ -199,7 +177,7 @@ ip = $${squid-hardcoded:ip} ...@@ -199,7 +177,7 @@ ip = $${squid-hardcoded:ip}
port = $${squid-hardcoded:port} port = $${squid-hardcoded:port}
backend-ip = $${squid-hardcoded:backend-ip} backend-ip = $${squid-hardcoded:backend-ip}
backend-port = $${squid-hardcoded:backend-port} backend-port = $${squid-hardcoded:backend-port}
domain = $${squid-hardcoded:domain} public-ipv4 = $${instance-parameter:configuration.public-ipv4}
access-log-path = $${directory:log}/squid-access.log access-log-path = $${directory:log}/squid-access.log
cache-log-path = $${directory:log}/squid-cache.log cache-log-path = $${directory:log}/squid-cache.log
pid-filename-path = $${directory:run}/ pid-filename-path = $${directory:run}/
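Review bot: In the logrotate part for `apache`, the new side appears to read `rotatep-num = 30` where the old side had `rotate-num = 30`. This looks like a typo; if the recipe ignores unknown options, the 30-rotation retention silently stops applying to the frontend logs, so restore `rotate-num = 30`. The same part still lists only `log = $${apache:error-log} $${apache:access-log}`, so the `cache-access-log` and `cache-error-log` files added earlier in this file (assuming they sit in the part referenced as `apache`) are never rotated and the cached instance is never signalled through `cache-pid-file`. Consider `log = $${apache:error-log} $${apache:access-log} $${apache:cache-error-log} $${apache:cache-access-log}` and a second `killpidfromfile` call for `$${apache:cache-pid-file}` in `post`.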