Update Release Candidate

d294ba6b · Thomas Gambier · 804396fa · c965227f · d294ba6b · d294ba6b
Commit d294ba6b authored Jul 08, 2020 by Thomas Gambier 🚴🏼
246 changed files
--- a/component/apache/apache-backend.conf.in
+++ b/component/apache/apache-backend.conf.in
@@ -23,14 +23,14 @@
 #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
 #       "ssl-session-cache": "<folder_path>",
 #
- #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  The path given to "SSLCACertificatePath" (can be empty)
 #       #  If this value is not empty, it enables client certificate check.
 #       #  (Enabling "SSLVerifyClient require")
- #       "ca-cert": "<file_path>",
+ #       "ca-cert-dir": "<directory_path>",
 #
- #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
 #       #  empty)
- #       "crl": "<file_path>",
+ #       "crl-dir": "<directory_path>",
 #
 #       #  The path given to "ErrorLog"
 #       "error-log": "<file_path>",
@@ -69,7 +69,7 @@
 #  From to `backend-list`:
 #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
 #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
- #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
 #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
 #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
 #  accepting requests from any client.
@@ -83,6 +83,8 @@
 #  For more details, refer to
 #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
 -#}
+{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
+{% set crl_dir = parameter_dict.get('crl-dir') -%}
 LoadModule unixd_module modules/mod_unixd.so
 LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule authz_core_module modules/mod_authz_core.so
@@ -133,15 +135,17 @@ SSLProxyEngine On
 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
-{% if parameter_dict['ca-cert'] -%}
+# Drop incoming X-Forwarded-For without valid client authentication
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
+{% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+SSLCACertificatePath {{ ca_cert_dir }}
-{%   if parameter_dict['crl'] -%}
+{%   if crl_dir -%}
 SSLCARevocationCheck chain
-SSLCARevocationFile {{ parameter_dict['crl'] }}
+SSLCARevocationPath {{ crl_dir }}
-{%-   endif %}
+{%   endif -%}
-{%- endif %}
+{% endif -%}
 ErrorLog "{{ parameter_dict['error-log'] }}"
 # Default apache log format with request time in microsecond at the end
@@ -161,11 +165,9 @@ Listen {{ ip }}:{{ port }}
 {%   endfor -%}
 <VirtualHost *:{{ port }}>
  SSLEngine on
-{% if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+{%   if enable_authentication -%}
+{{     assert(ca_cert_dir) -}}
  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
@@ -183,11 +185,9 @@ Listen {{ ip }}:{{ port }}
 <VirtualHost {{ ip }}:{{ port }}>
  SSLEngine on
  Timeout 3600
-{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+{%   if enable_authentication -%}
+{{     assert(ca_cert_dir) -}}
  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

--- a/component/apache/buildout.hash.cfg
+++ b/component/apache/buildout.hash.cfg
@@ -14,5 +14,5 @@
 # not need these here).
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = bb8c175a93336f0e1838fd47225426f9
+md5sum = ace264843228af84d025797f520ce70f
--- a/component/haproxy/buildout.cfg
+++ b/component/haproxy/buildout.cfg
@@ -13,14 +13,15 @@ parts = haproxy
 [haproxy]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://www.haproxy.org/download/1.8/src/haproxy-1.8.25.tar.gz
+url = http://www.haproxy.org/download/2.0/src/haproxy-2.0.15.tar.gz
-md5sum = ef2164ca3b1ea9011aa271a8cbe030a4
+md5sum = 59f892991476f08e2d16ac460c502f61
 configure-command = true
-# If the system is running on Linux 2.6, we use "linux26" as the TARGET,
+# for Linux kernel 2.6.28 and above, we use "linux-glibc" as the TARGET,
 # otherwise use "generic".
 # For ARCH value, x86_64 and i[3456]86 are supported.
 make-options =
-  TARGET="$(uname -sr 2>/dev/null|grep -Eq '^Linux (2\.6\.2[89]|2\.6\.[3-9]|[3-9])' && echo linux2628 || echo generic)"
+  TARGET="$(uname -sr 2>/dev/null|grep -Eq '^Linux (2\.6\.2[89]|2\.6\.[3-9]|[3-9])' && echo linux-glibc || echo generic)"
+  CPU=native
  ARCH="$(uname -m 2>/dev/null|grep -E '^(x86_64|i[3456]86)$')"
  PREFIX=@@LOCATION@@
  USE_DL=1

--- a/component/libestr/buildout.cfg
+++ b/component/libestr/buildout.cfg
@@ -4,5 +4,6 @@ parts =
 [libestr]
 recipe = slapos.recipe.cmmi
-url = http://libestr.adiscon.com/files/download/libestr-0.1.10.tar.gz
+url = http://libestr.adiscon.com/files/download/libestr-0.1.11.tar.gz
-md5sum = f4c9165a23587e77f7efe65d676d5e8e
+md5sum = 1f25a2332750d4bfacfb314235fedff0
+shared = true
--- a/component/libfastjson/buildout.cfg
+++ b/component/libfastjson/buildout.cfg
+[buildout]
+extends =
+  ../autoconf/buildout.cfg
+  ../automake/buildout.cfg
+  ../pkgconfig/buildout.cfg
+  ../m4/buildout.cfg
+parts =
+  libfastjson
+[libfastjson]
+recipe = slapos.recipe.cmmi
+url = https://github.com/rsyslog/libfastjson/archive/v0.99.8.tar.gz
+md5sum = 730713ad1d851def7ac8898f751bbfdd
+shared = true
+pre-configure =
+  autoreconf -fvi -I ${libtool:location}/share/aclocal -I ${pkgconfig:location}/share/aclocal -I ${automake:location}/share/aclocal
+environment =
+  PATH=${autoconf:location}/bin:${automake:location}/bin:${libtool:location}/bin:%(PATH)s
+  M4=${m4:location}/bin/m4
--- a/component/mariadb/mdev20693-mixin.cfg
+++ b/component/mariadb/mdev20693-mixin.cfg
+# To be extended after mariadb's buildout.cfg
+[mariadb]
+patches +=
+  ${:_profile_base_location_}/mdev20693.patch#34ca907d6b36ba81d75bed118243f637
--- a/component/mariadb/mdev20693.patch
+++ b/component/mariadb/mdev20693.patch
+From: Sergei Petrunia <psergey@askmonty.org>
+Date: Tue, 1 Oct 2019 15:29:38 -0700
+Subject: [PATCH] #1052: ha_rocksdb::records_in_range() vastly overestimates
+ #rows (#1053)
+Summary:
+In ha_rocksdb::records_in_range, Do not adjust the key value. See
+issue comments for justification.
+The optimizer_loose_index_scans test was hitting this. The testcase
+there has a key(b,d) and queries with WHERE b=... and d>=98 (the latter
+condition not matching any rows in the table).
+Pull Request resolved: https://github.com/facebook/mysql-5.6/pull/1053
+Upstream commit 2b1e7918066a967b3a48fe486e5687d786aee052.
+diff -ur a/storage/rocksdb/ha_rocksdb.cc b/storage/rocksdb/ha_rocksdb.cc
+--- a/storage/rocksdb/ha_rocksdb.cc	2020-05-09 21:28:02.000000000 +0200
+++ b/storage/rocksdb/ha_rocksdb.cc	2020-06-24 21:14:13.090911121 +0200
+@@ -11941,11 +11941,6 @@
+         max_key->flag == HA_READ_AFTER_KEY) {
+       kd.successor(m_sk_packed_tuple_old, size2);
+     }
+-    // pad the upper key with FFFFs to make sure it is more than the lower
+-    if (size1 > size2) {
+-      memset(m_sk_packed_tuple_old + size2, 0xff, size1 - size2);
+-      size2 = size1;
+-    }
+   } else {
+     kd.get_supremum_key(m_sk_packed_tuple_old, &size2);
+   }
+@@ -11953,8 +11948,11 @@
+   const rocksdb::Slice slice1((const char *)m_sk_packed_tuple, size1);
+   const rocksdb::Slice slice2((const char *)m_sk_packed_tuple_old, size2);
+-  // slice1 >= slice2 means no row will match
+  // It's possible to get slice1 == slice2 for a non-inclusive range with the
+  // right bound being successor() of the left one, e.g. "t.key>10 AND t.key<11"
+   if (slice1.compare(slice2) >= 0) {
+    // It's not possible to get slice2 > slice1
+    DBUG_ASSERT(slice1.compare(slice2) == 0);
+     DBUG_RETURN(HA_EXIT_SUCCESS);
+   }
+diff -ur a/storage/rocksdb/mysql-test/rocksdb/r/optimizer_loose_index_scans.result b/storage/rocksdb/mysql-test/rocksdb/r/optimizer_loose_index_scans.result
+--- a/storage/rocksdb/mysql-test/rocksdb/r/optimizer_loose_index_scans.result	2020-05-09 21:28:02.000000000 +0200
+++ b/storage/rocksdb/mysql-test/rocksdb/r/optimizer_loose_index_scans.result	2020-06-24 21:14:13.082911030 +0200
+@@ -126,9 +126,9 @@
+ set optimizer_switch = 'skip_scan=off';
+ explain select a, b, c, d from t where a in (1, 5) and b in (1, 2) and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+-1	SIMPLE	t	range	PRIMARY,b	PRIMARY	8	NULL	#	Using where; Using index
+1	SIMPLE	t	range	PRIMARY,b	b	12	NULL	#	Using where; Using index
+ rows_read
+-200
+0
+ set optimizer_switch = 'skip_scan=on,skip_scan_cost_based=off';
+ explain select a, b, c, d from t where a in (1, 5) and b in (1, 2) and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+@@ -140,9 +140,9 @@
+ set optimizer_switch = 'skip_scan=off';
+ explain select a, b, c, d from t where a in (1, 2, 3, 4, 5) and b in (1, 2, 3) and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+-1	SIMPLE	t	range	PRIMARY,b	PRIMARY	8	NULL	#	Using where; Using index
+1	SIMPLE	t	range	PRIMARY,b	b	12	NULL	#	Using where; Using index
+ rows_read
+-750
+0
+ set optimizer_switch = 'skip_scan=on,skip_scan_cost_based=off';
+ explain select a, b, c, d from t where a in (1, 2, 3, 4, 5) and b in (1, 2, 3) and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+@@ -154,9 +154,9 @@
+ set optimizer_switch = 'skip_scan=off';
+ explain select a, b, c, d from t where a = 5 and b = 2 and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+-1	SIMPLE	t	ref	PRIMARY,b	PRIMARY	8	const,const	#	Using where; Using index
+1	SIMPLE	t	range	PRIMARY,b	b	12	NULL	#	Using where; Using index
+ rows_read
+-50
+0
+ set optimizer_switch = 'skip_scan=on,skip_scan_cost_based=off';
+ explain select a, b, c, d from t where a = 5 and b = 2 and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+@@ -271,7 +271,7 @@
+ 1
+ explain select a, b, c, d from t where (a < 1 or a = 4 or a = 5) and b in (1, 2, 3) and d >= 98;
+ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+-1	SIMPLE	t	range	PRIMARY,b	PRIMARY	8	NULL	#	Using where; Using index
+1	SIMPLE	t	range	PRIMARY,b	b	8	NULL	#	Using where; Using index
+ select count(*) from information_schema.optimizer_trace where trace like '%prefix_not_const_equality%';
+ count(*)
+ 1
+diff -ur a/storage/rocksdb/mysql-test/rocksdb/r/rocksdb_range2.result b/storage/rocksdb/mysql-test/rocksdb/r/rocksdb_range2.result
+--- a/storage/rocksdb/mysql-test/rocksdb/r/rocksdb_range2.result	2020-05-09 21:28:02.000000000 +0200
+++ b/storage/rocksdb/mysql-test/rocksdb/r/rocksdb_range2.result	2020-06-24 21:14:13.082911030 +0200
+@@ -27,3 +27,42 @@
+ date
+ 2018-10-05
+ drop table t1;
+#
+# Issue #1052: ha_rocksdb::records_in_range() vastly overestimates the number of rows in certain ranges
+#
+CREATE TABLE t1 (
+part_id smallint(5) unsigned NOT NULL,
+oid bigint(20) unsigned NOT NULL,
+tid bigint(20) unsigned NOT NULL,
+filler char(32),
+KEY tid (part_id,tid,oid)
+) ENGINE=ROCKSDB;
+create table t2(a int primary key);
+insert into t2 values (0),(1),(2),(3),(4),(5),(6),(7),(8),(9);
+create table t3(a int primary key);
+insert into t3 select A.a + B.a* 10 + C.a * 100 from t2 A, t2 B, t2 C;
+set rocksdb_max_row_locks=1000000;
+insert into t1
+select 
+0, 
+A.a + 1000*B.a,
+A.a + 1000*B.a,
+'filler-data'
+from t2 A, t3 B;
+insert into t1
+select 
+1,
+A.a + 1000*B.a,
+A.a + 1000*B.a,
+'filler-data'
+from t2 A, t3 B;
+set global rocksdb_force_flush_memtable_now=1;
+explain select * from t1 where part_id=0 and tid>100000000;
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+1	SIMPLE	t1	range	tid	tid	10	NULL	#	Using index condition
+# We can't check "rows" in EXPLAIN output directly as that value tends
+# to change a bit. Instead, check that the value is sufficiently low
+select @a < 10 as "MUST BE 1";
+MUST BE 1
+1
+drop table t2,t3,t1;
+diff -ur a/storage/rocksdb/mysql-test/rocksdb/t/rocksdb_range2.test b/storage/rocksdb/mysql-test/rocksdb/t/rocksdb_range2.test
+--- a/storage/rocksdb/mysql-test/rocksdb/t/rocksdb_range2.test	2020-05-09 21:28:02.000000000 +0200
+++ b/storage/rocksdb/mysql-test/rocksdb/t/rocksdb_range2.test	2020-06-24 21:14:13.082911030 +0200
+@@ -31,3 +31,63 @@
+ select * from t1 where date < '2018-10-09' order by date desc limit 1;
+ drop table t1;
+
+--echo #
+--echo # Issue #1052: ha_rocksdb::records_in_range() vastly overestimates the number of rows in certain ranges
+--echo #
+
+CREATE TABLE t1 (
+  part_id smallint(5) unsigned NOT NULL,
+  oid bigint(20) unsigned NOT NULL,
+  tid bigint(20) unsigned NOT NULL,
+  filler char(32),
+  KEY tid (part_id,tid,oid)
+) ENGINE=ROCKSDB;
+
+create table t2(a int primary key);
+insert into t2 values (0),(1),(2),(3),(4),(5),(6),(7),(8),(9);
+
+create table t3(a int primary key);
+insert into t3 select A.a + B.a* 10 + C.a * 100 from t2 A, t2 B, t2 C;
+
+set rocksdb_max_row_locks=1000000;
+insert into t1
+select 
+  0, 
+  A.a + 1000*B.a,
+  A.a + 1000*B.a,
+  'filler-data'
+from t2 A, t3 B;
+
+insert into t1
+select 
+  1,
+  A.a + 1000*B.a,
+  A.a + 1000*B.a,
+  'filler-data'
+from t2 A, t3 B;
+set global rocksdb_force_flush_memtable_now=1;
+
+--replace_column 9 #
+explain select * from t1 where part_id=0 and tid>100000000;
+
+--echo # We can't check "rows" in EXPLAIN output directly as that value tends
+--echo # to change a bit. Instead, check that the value is sufficiently low
+
+let $explain=`explain select * from t1 where part_id=0 and tid>100000000`;
+--disable_query_log
+eval set @a= '$explain';
+set @a=(select substr(@a, 1+locate('\t', @a))); # id
+set @a=(select substr(@a, 1+locate('\t', @a))); # select_type
+set @a=(select substr(@a, 1+locate('\t', @a))); # table
+set @a=(select substr(@a, 1+locate('\t', @a))); # type
+set @a=(select substr(@a, 1+locate('\t', @a))); # possible_keys
+set @a=(select substr(@a, 1+locate('\t', @a))); # key
+set @a=(select substr(@a, 1+locate('\t', @a))); # key_len
+set @a=(select substr(@a, 1+locate('\t', @a))); # ref
+# ok now at rows
+set @a=(select substr(@a, 1, locate('\t', @a)-1)); # rows
+--enable_query_log
+
+select @a < 10 as "MUST BE 1";
+drop table t2,t3,t1;
--- a/component/powerdns/buildout.cfg
+++ b/component/powerdns/buildout.cfg
@@ -2,33 +2,42 @@
 extends =
  ../autoconf/buildout.cfg
  ../automake/buildout.cfg
-  ../bison/buildout.cfg
-  ../flex/buildout.cfg
-  ../git/buildout.cfg
  ../boost-lib/buildout.cfg
  ../libtool/buildout.cfg
  ../make/buildout.cfg
-  ../mariadb/buildout.cfg
+  ../openssl/buildout.cfg
  ../pkgconfig/buildout.cfg
-  ../ragel/buildout.cfg
  ../zlib/buildout.cfg
+# For geoip backend
+# https://doc.powerdns.com/authoritative/backends/geoip.html
+  ../geoip2/buildout.cfg
+  ../yaml-cpp/buildout.cfg
 parts =
  powerdns
 [powerdns]
 recipe = slapos.recipe.cmmi
-url = http://downloads.powerdns.com/releases/pdns-3.3.1.tar.gz
+url = http://downloads.powerdns.com/releases/pdns-4.2.1.tar.bz2
-md5sum = 074e2ff211fd12ecad25b5c1cc190dd4
+md5sum = b5f3998a3bc438b905c72c0473408839
 configure-options =
  --prefix=${buildout:parts-directory}/${:_buildout_section_name_}
  --with-boost=${boost-lib:location}
-  --with-modules="geo"
+  --with-libcrypto=${openssl:location}
+  --with-modules="geoip"
  --with-dynmodules=""
  --without-lua
+  --disable-lua-records
+pkg_config_depends = ${yaml-cpp:location}/lib/pkgconfig
 environment =
-  PATH=${make:location}/bin:${libtool:location}/bin:${pkgconfig:location}/bin:${bison:location}/bin:${flex:location}/bin:${git:location}/bin:${ragel:location}/bin:%(PATH)s
+  PATH=${autoconf:location}/bin:${automake:location}/bin:${libmaxminddb:location}/bin:${libtool:location}/bin:${make:location}/bin:${pkgconfig:location}/bin:%(PATH)s
-  LDFLAGS=-L${boost-lib:location}/lib -Wl,-rpath=${boost-lib:location}/lib -L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib -lz
+  LDFLAGS=-L${boost-lib:location}/lib -Wl,-rpath=${boost-lib:location}/lib -L${libmaxminddb:location}/lib -Wl,-rpath=${libmaxminddb:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib -L${yaml-cpp:location}/lib -Wl,-rpath=${yaml-cpp:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
-  CPPFLAGS=-I${boost-lib:location}/include
+  CPPFLAGS=-I${boost-lib:location}/include -I${libmaxminddb:location}/include -I${yaml-cpp:location}/include
+  PKG_CONFIG_PATH=${:pkg_config_depends}
+# XXX: Override the default value "-Llib -lyaml-cpp"; "-Llib" is a problem
+  YAML_LIBS = -lyaml-cpp
+make-options =
+  LIBTOOL=libtool
 make-target =
  install
--- a/component/pypy/buildout.cfg
+++ b/component/pypy/buildout.cfg
+[buildout]
+extends =
+  ../bzip2/buildout.cfg
+  ../gdbm/buildout.cfg
+  ../libexpat/buildout.cfg
+  ../libffi/buildout.cfg
+  ../ncurses/buildout.cfg
+  ../openssl/buildout.cfg
+  ../pkgconfig/buildout.cfg
+  ../sqlite3/buildout.cfg
+  ../zlib/buildout.cfg
+[pycparser-shared]
+# XXX:
+recipe = slapos.recipe.cmmi
+shared = true
+url = https://github.com/eliben/pycparser/archive/release_v2.20.tar.gz
+md5sum = a5d9ea5350a8edb8239af73913ea2858
+configure-command = :
+make-binary =
+make-targets = python setup.py install --install-lib @@LOCATION@@
+[pypy2]
+recipe = slapos.recipe.cmmi
+shared = true
+url = https://bitbucket.org/pypy/pypy/downloads/pypy2.7-v7.3.1-src.tar.bz2
+md5sum = 7608bd58940ffc5403632c2c786d83bb
+configure-command =
+  sed -i '/"_tkinter":/s/^/#/' lib_pypy/tools/build_cffi_imports.py
+  cat <<EOF > Makefile
+  PREFIX = @@LOCATION@@
+  export PYPY_USESSION_BASENAME=slapos
+  export TMPDIR=\$(realpath ..)
+  all: pypy/goal/pypy-c lib_pypy/tools/build_cffi_imports.py
+  	\$^
+  c_src_dir:
+  	cd pypy/goal && PYTHONPATH=${pycparser-shared:location} $${PYTHON:-python2}  ../../rpython/bin/rpython --batch --source --opt=jit --shared targetpypystandalone
+  	ln -s ../usession-\$\$PYPY_USESSION_BASENAME-\$\$USER/testing_1 \$@
+  pypy/goal/pypy-c: c_src_dir
+  	\$(MAKE) -C \$<
+  	mv \$</libpypy-c.so \$</pypy-c pypy/goal
+  	touch \$@
+  install:
+  	mkdir -p \$(PREFIX)/bin \$(PREFIX)/include
+  	find lib_pypy lib-python/2.7 -type d '(' '(' -name __pycache__ -o -name _tkinter -o -name test -o -name tests ')' -prune -o -print ')' \
+  	|while read d; do mkdir -p \$(PREFIX)/\$\$d && find \$\$d -maxdepth 1 -type f ! -name '*.o' ! -name '*.c' |xargs -r cp -t \$(PREFIX)/\$\$d; done
+  	d=lib-python/2.7/test && mkdir -p \$(PREFIX)/\$\$d && for x in __init__ pystone regrtest test_support; do echo \$\$d/\$\$x.py; done |xargs -r cp -t \$(PREFIX)/\$\$d
+  	cd lib-python && cp conftest.py stdlib-version.* \$(PREFIX)/lib-python
+  	cp -r include/pypy_*.h include/PyPy.h pypy/module/cpyext/include/* pypy/module/cpyext/parse/* \$(PREFIX)/include
+  	cd pypy/goal && cp libpypy-c.so \$(PREFIX)/bin && cp pypy-c \$(PREFIX)/bin/pypy
+environment =
+  C_INCLUDE_PATH=${bzip2:location}/include:${gdbm:location}/include:${libexpat:location}/include:${ncurses:location}/include:${ncurses:location}/include/ncursesw:${openssl:location}/include:${sqlite3:location}/include:${zlib:location}/include
+  LDFLAGS=-L${bzip2:location}/lib -L${gdbm:location}/lib -L${libexpat:location}/lib -L${libffi:location}/lib -L${ncurses:location}/lib -L${openssl:location}/lib -L${sqlite3:location}/lib -L${zlib:location}/lib -Wl,-rpath=${bzip2:location}/lib -Wl,-rpath=${gdbm:location}/lib -Wl,-rpath=${libexpat:location}/lib -Wl,-rpath=${libffi:location}/lib -Wl,-rpath=${ncurses:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${zlib:location}/lib
+  PATH=${pkgconfig:location}/bin:%(PATH)s
+  PKG_CONFIG_PATH=${libffi:location}/lib/pkgconfig
--- a/component/rsyslogd/buildout.cfg
+++ b/component/rsyslogd/buildout.cfg
@@ -2,21 +2,25 @@
 parts =
  rsyslogd
 extends =
+  ../curl/buildout.cfg
  ../libestr/buildout.cfg
-  ../json-c/buildout.cfg
+  ../libfastjson/buildout.cfg
  ../libuuid/buildout.cfg
  ../zlib/buildout.cfg
 [rsyslogd]
 recipe = slapos.recipe.cmmi
-url = http://www.rsyslog.com/files/download/rsyslog/rsyslog-8.12.0.tar.gz
+url = https://www.rsyslog.com/files/download/rsyslog/rsyslog-8.2004.0.tar.gz
-md5sum = c31c2d545c8a3b8695bdf076851d1517
+md5sum = 375a60ab0f461367f84f07a5dbda6de2
+shared = true
 configure-options =
  --disable-klog
  --disable-libgcrypt
  --disable-liblogging-stdlog
+  --disable-libsystemd
 environment =
-  PKG_CONFIG_PATH=${libestr:location}/lib/pkgconfig:${json-c:location}/lib/pkgconfig:${libuuid:location}/lib/pkgconfig
+  PATH=${pkgconfig:location}/bin:%(PATH)s
-  CPPFLAGS=-I${libestr:location}/include -I${json-c:location}/include -I${libuuid:location}/include -I${zlib:location}/include
+  PKG_CONFIG_PATH=${libestr:location}/lib/pkgconfig:${curl:location}/lib/pkgconfig:${libfastjson:location}/lib/pkgconfig:${libuuid:location}/lib/pkgconfig
-  LDFLAGS=-Wl,-rpath=${libestr:location}/lib -Wl,-rpath=${json-c:location}/lib -Wl,-rpath=${libuuid:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
+  CPPFLAGS=-I${libestr:location}/include -I${curl:location}/include -I${libfastjson:location}/include -I${libuuid:location}/include -I${zlib:location}/include
+  LDFLAGS=-Wl,-rpath=${libestr:location}/lib -Wl,-rpath=${curl:location}/lib -Wl,-rpath=${libfastjson:location}/lib -Wl,-rpath=${libuuid:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
  ZLIB_CFLAGS=-I${zlib:location}/include
--- a/component/slapos/obs.cfg
+++ b/component/slapos/obs.cfg
@@ -86,8 +86,12 @@ environment +=
 pre-configure =
  sed -i 's#/opt/slapos/parts/dbus/lib/libdbus-1.la#${dbus:location}/lib/libdbus-1.la#' ${dbus-glib:location}/lib/libdbus-glib-1.la
 environment +=
+  PATH=${pkgconfig:location}/bin:${python:location}/bin:%(PATH)s
  LD_LIBRARY_PATH=${dbus:location}/lib
  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${dbus:location}/lib -Wl,-rpath=${dbus:location}/lib
+  PYTHON=${python:location}/bin/python${python:version}
+  PYTHON_INCLUDES=-I${python:location}/include/python${python:version}
+  PYTHON_LIBS=-L${python:location}/lib -lpython${python:version} -lpthread -ldl -lutil -lm
 post-install =
  sed -i 's#${dbus:location}/lib/libdbus-1.la#/opt/slapos/parts/dbus/lib/libdbus-1.la#' ${dbus-glib:location}/lib/libdbus-glib-1.la
@@ -110,7 +114,7 @@ make-options =
 [gobject-introspection]
 pre-configure =
-  ln -s ${python2.7:location}/bin/python2.7 ${python2.7:location}/bin/python2.
+  ln -s ${python:location}/bin/python${python:version} ${python:location}/bin/python2.
  sed -i 's#!/opt/slapos/parts/python2.7/bin/python2.7#!${python2.7:location}/bin/python2.7#' ${python2.7:location}/bin/python-config
  libtoolize -c -f
  aclocal -I${pkgconfig:location}/share/aclocal -I${gettext:location}/share/aclocal -I${libtool:location}/share/aclocal -I${glib:location}/share/aclocal
@@ -120,24 +124,24 @@ configure-options +=
 environment +=
  PATH=${autoconf:location}/bin:${automake:location}/bin:${pkgconfig:location}/bin:${libtool:location}/bin:${intltool:location}/bin:${gettext:location}/bin:${glib:location}/bin:${flex:location}/bin:${bison-go:location}/bin:%(PATH)s
  GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0
-  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include -I${python2.7:location}/include/python2.7
+  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include -I${python:location}/include/python${python:version}
-  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${python2.7:location}/lib
+  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${python:location}/lib
  ACLOCAL_PATH=${pkgconfig:location}/share/aclocal:${gettext:location}/share/aclocal:${libtool:location}/share/aclocal:${glib:location}/share/aclocal:${intltool:location}/share/aclocal
  M4=${m4:location}/bin/m4
  PERL5LIB=${perl:location}/lib/5.28.1/
 post-install = 
-  sed -i 's#!${python2.7:location}/bin/python2.7#!/opt/slapos/parts/python2.7/bin/python2.7#' ${python2.7:location}/bin/python-config
+  sed -i 's#!${python:location}/bin/python${python:version}#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#' ${python:location}/bin/python-config
  rm -rf ${bison-go:location}
 [pygobject3]
 pre-configure +=
-  sed -i 's#!/opt/slapos/parts/python2.7/bin/python2.7#!${python2.7:location}/bin/python2.7#' ${python2.7:location}/bin/python-config
+  sed -i 's#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#!${python:location}/bin/python${python:version}#' ${python:location}/bin/python-config
 environment +=
-  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include -I${gettext:location}/include -I${libffi:location}/include -I${python2.7:location}/include/python2.7
+  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include -I${gettext:location}/include -I${libffi:location}/include -I${python:location}/include/python${python:version}
-  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${python2.7:location}/lib
+  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${python:location}/lib
 post-install =
-  sed -i 's#!${python2.7:location}/bin/python2.7#!/opt/slapos/parts/python2.7/bin/python2.7#' ${python2.7:location}/bin/python-config
+  sed -i 's#!${python:location}/bin/python${python:version}#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#' ${python:location}/bin/python-config
 [ncurses]
 configure-options =

--- a/component/sysbench/buildout.cfg
+++ b/component/sysbench/buildout.cfg
@@ -16,7 +16,6 @@ shared = true
 url = https://github.com/akopytov/sysbench/archive/1.0.19.tar.gz
 md5sum = 2912bfe7238cac7351459019a84e2557
 pre-configure =
-  aclocal -I${pkgconfig:location}/share/aclocal -I${libtool:location}/share/aclocal -I${gettext:location}/share/aclocal
  ./autogen.sh
 configure-options =
  --disable-static

--- a/component/yaml-cpp/buildout.cfg
+++ b/component/yaml-cpp/buildout.cfg
+[buildout]
+extends =
+  ../cmake/buildout.cfg
+parts =
+  yaml-cpp
+[yaml-cpp]
+recipe = slapos.recipe.cmmi
+shared = true
+url = https://github.com/jbeder/yaml-cpp/archive/yaml-cpp-0.6.3.tar.gz
+md5sum = b45bf1089a382e81f6b661062c10d0c2
+location = @@LOCATION@@
+configure-command =
+  mkdir build && cd build && \
+  ${cmake:location}/bin/cmake \
+    -DYAML_BUILD_SHARED_LIBS=ON \
+    -DCMAKE_INSTALL_PREFIX=${:location} \
+    ..
+make-options = -C build
--- a/slapos/recipe/haproxy/template/haproxy.cfg.in
+++ b/slapos/recipe/haproxy/template/haproxy.cfg.in
@@ -3,10 +3,7 @@ global
  stats socket %(socket_path)s level admin
 defaults
-  log global
  mode  http
-  option  httplog
-  option  dontlognull
  retries 1
  option redispatch
  maxconn 2000
@@ -23,11 +20,11 @@ defaults
  timeout connect 5s
  # As requested in haproxy doc, make this "at least equal to timeout server".
  timeout client 305s
-  # Use "option forceclose" to not preserve client & server persistent connections
+  # Use "option httpclose" to not preserve client & server persistent connections
  # while handling every incoming request individually, dispatching them one after
  # another to servers, in HTTP close mode. This is really needed when haproxy
  # is configured with maxconn to 1, without this options browser are unable
  # to render a page
-  option forceclose
+  option httpclose
 %(server_text)s
--- a/software/caddy-frontend/README.caddy_frontend.rst
+++ b/software/caddy-frontend/README.caddy_frontend.rst
@@ -237,14 +237,6 @@ Will append the specified path to the "VirtualHostRoot" of the zope's VirtualHos
 "path" is an optional parameter, ignored if not specified.
 Example of value: "/erp5/web_site_module/hosting/"
-caddy_custom_https
-~~~~~~~~~~~~~~~~~~
-Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the https port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above.
-caddy_custom_http
-~~~~~~~~~~~~~~~~~
-Raw Caddy configuration in python template format (i.e. write "%%" for one "%") for the slave listening to the http port. Its content will be templatified in order to access functionalities such as cache access, ssl certificates... The list is available above
 url
 ~~~
 Necessary to activate cache. ``url`` of backend to use.
@@ -359,33 +351,6 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be::
    partition_parameter_kw={
        "url":"https://[1:2:3:4:5:6:7:8]:1234",
-        "caddy_custom_https":'
-  https://www.example.com:%(https_port)s, https://example.com:%(https_port)s {
-    bind %(local_ipv4)s
-    tls %(certificate)s %(certificate)s
-    log / %(access_log)s {combined}
-    errors %(error_log)s
-    proxy / https://[1:2:3:4:5:6:7:8]:1234 {
-      transparent
-      timeout 600s
-      insecure_skip_verify
-    }
-  }
-        "caddy_custom_http":'
-  http://www.example.com:%(http_port)s, http://example.com:%(http_port)s {
-    bind %(local_ipv4)s
-    log / %(access_log)s {combined}
-    errors %(error_log)s
-    proxy / https://[1:2:3:4:5:6:7:8]:1234/ {
-      transparent
-      timeout 600s
-      insecure_skip_verify
-    }
-  }
 Simple Cache Example - XXX - to be written
 ------------------------------------------
@@ -402,40 +367,6 @@ Request slave frontend instance so that https://[1:2:3:4:5:6:7:8]:1234 will be::
 	"domain": "www.example.org",
 	"enable_cache": "True",
-        "caddy_custom_https":'
-  ServerName www.example.org
-  ServerAlias www.example.org
-  ServerAlias example.org
-  ServerAdmin geronimo@example.org
-  SSLEngine on
-  SSLProxyEngine on
-  # Rewrite part
-  ProxyVia On
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-  RewriteRule ^/(.*) %(cache_access)s/$1 [L,P]',
-        "caddy_custom_http":'
-  ServerName www.example.org
-  ServerAlias www.example.org
-  ServerAlias example.org
-  ServerAdmin geronimo@example.org
-  SSLProxyEngine on
-  # Rewrite part
-  ProxyVia On
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-  # Not using HTTPS? Ask that guy over there.
-  # Dummy redirection to https. Note: will work only if https listens
-  # on standard port (443).
-  RewriteRule ^/(.*) %(cache_access)s/$1 [L,P],
-    }
-  )
 Advanced example - XXX - to be written
 --------------------------------------
@@ -457,56 +388,6 @@ the proxy::
        "path":"/erp5",
        "domain":"example.org",
-  	"caddy_custom_https":'
-  ServerName www.example.org
-  ServerAlias www.example.org
-  ServerAdmin example.org
-  SSLEngine on
-  SSLProxyEngine on
-  SSLProtocol all -SSLv2 -SSLv3
-  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-  SSLHonorCipherOrder on
-  # Use personal ssl certificates
-  SSLCertificateFile %(ssl_crt)s
-  SSLCertificateKeyFile %(ssl_key)s
-  SSLCACertificateFile %(ssl_ca_crt)s
-  SSLCertificateChainFile %(ssl_ca_crt)s
-  # Configure personal logs
-  ErrorLog "%(error_log)s"
-  LogLevel info
-  LogFormat "%%h %%l %%{REMOTE_USER}i %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\" %%D" combined
-  CustomLog "%(access_log)s" combined
-  # Rewrite part
-  ProxyVia On
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-  # Redirect / to /index.html
-  RewriteRule ^/$ /index.html [R=302,L]
-  # Use cache
-  RewriteRule ^/(.*) %(cache_access)s/VirtualHostBase/https/www.example.org:443/erp5/VirtualHostRoot/$1 [L,P]',
-    "caddy_custom_http":'
-  ServerName www.example.org
-  ServerAlias www.example.org
-  ServerAlias example.org
-  ServerAdmin geronimo@example.org
-  SSLProxyEngine on
-  # Rewrite part
-  ProxyVia On
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-  # Configure personal logs
-  ErrorLog "%(error_log)s"
-  LogLevel info
-  LogFormat "%%h %%l %%{REMOTE_USER}i %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\" %%D" combined
-  CustomLog "%(access_log)s" combined
-  # Not using HTTPS? Ask that guy over there.
-  # Dummy redirection to https. Note: will work only if https listens
-  # on standard port (443).
-  RewriteRule ^/(.*)$ https://%%{SERVER_NAME}%%{REQUEST_URI}',
    "ssl_key":"-----BEGIN RSA PRIVATE KEY-----
  XXXXXXX..........XXXXXXXXXXXXXXX
  -----END RSA PRIVATE KEY-----",
@@ -522,20 +403,6 @@ the proxy::
    }
  )
-QUIC Protocol
-=============
-Note: QUIC support in Caddy is really experimental. It can result with silently having problems with QUIC connections or hanging Caddy process. So in case of QUIC error ``QUIC_NETWORK_IDLE_TIMEOUT`` or ``QUIC_PEER_GOING_AWAY`` it is required to restart caddy process.
-Note: Chrome will refuse to connect to QUIC on different port then HTTPS has been served. As Caddy binds to high ports, if QUIC is wanted, the browser need to connect to high port too.
-Experimental QUIC available in Caddy is not configurable. If caddy is configured to bind to HTTPS port ``${port}``, QUIC is going to be advertised on this port only. It is not possible to configure another public port in case of port rewriting.
-So it is required to ``DNAT`` from ``${public IP}`` of the computer to the computer partition running caddy ``${local IP}`` with configured port::
-  iptables -A DNAT -d ${public IP}/32 -p udp -m udp --dport ${port} -j DNAT --to-destination ${local IP}:${port}
 Promises
 ========
@@ -621,3 +488,8 @@ Each `caddy-frontend-N` partition downloads certificates from the kedifa server.
 Caucase (exposed by ``kedifa-caucase-url`` in master partition parameters) is used to handle certificates for authentication to kedifa server.
 If ``automatic-internal-kedifa-caucase-csr`` is enabled (by default it is) there are scripts running on master partition to simulate human to sign certificates for each caddy-frontend-N node.
+Support for X-Real-Ip and X-Forwarded-For
+-----------------------------------------
+X-Forwarded-For and X-Real-Ip are transmitted to the backend, but only for IPv4 access to the frontend. In case of IPv6 access, the provided IP will be wrong, because of using 6tunnel.
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 816bc8179cf4195a35e07f22c36679fa
+md5sum = 20f7a925e686949092823595c79a0523
 [template-common]
 filename = instance-common.cfg.in
@@ -22,26 +22,22 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = 60aefa15002b04665a95a6c197eac5ab
+md5sum = 0851faa528eb4f21330a6f23f77dea7f
 [template-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 087bd9404cd120bd7602a9fbfcddc064
+md5sum = a544bf7586f5945bbf108abe9818c7dd
 [template-slave-list]
-filename = templates/apache-custom-slave-list.cfg.in
+_update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
-md5sum = d96fea7dd4d7f0a157c86d25a263d8e1
+md5sum = 9da1616d203e4909af37e658aa923d95
-[template-slave-configuration]
-filename = templates/custom-virtualhost.conf.in
-md5sum = 54ae95597a126ae552c3a913ddf29e5e
 [template-replicate-publish-slave-information]
-filename = templates/replicate-publish-slave-information.cfg.in
+_update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
 md5sum = 7e3ee70c447f8203273d78f66ab519c3
 [template-caddy-frontend-configuration]
-filename = templates/Caddyfile.in
+_update_hash_filename_ = templates/Caddyfile.in
 md5sum = f0faf6d2e6c187df7e25bf717676f9df
 [caddy-backend-url-validator]
@@ -49,63 +45,63 @@ filename = templates/caddy-backend-url-validator.in
 md5sum = 0979a03476e86bf038516c9565dadc17
 [template-not-found-html]
-filename = templates/notfound.html
+_update_hash_filename_ = templates/notfound.html
 md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
 [template-default-slave-virtualhost]
-filename = templates/default-virtualhost.conf.in
+_update_hash_filename_ = templates/default-virtualhost.conf.in
-md5sum = 7e26935bb6daf00d8fc01d97eebc7abd
+md5sum = a72e9056eeda3c7c794f6f6560056380
 [template-cached-slave-virtualhost]
-filename = templates/cached-virtualhost.conf.in
+_update_hash_filename_ = templates/cached-virtualhost.conf.in
-md5sum = a73839d777fbd548286bbeccf47be335
+md5sum = e839ca3cb308f7fcdfa06c2f1b95e93f
 [template-log-access]
-filename = templates/template-log-access.conf.in
+_update_hash_filename_ = templates/template-log-access.conf.in
 md5sum = f8068179333ce19e95df561c70073857
 [template-empty]
-filename = templates/empty.in
+_update_hash_filename_ = templates/empty.in
 md5sum = c2314c3a9c3412a38d14b312d3df83c1
 [template-wrapper]
-filename = templates/wrapper.in
+_update_hash_filename_ = templates/wrapper.in
 md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
 [template-trafficserver-records-config]
-filename = templates/trafficserver/records.config.jinja2
+_update_hash_filename_ = templates/trafficserver/records.config.jinja2
-md5sum = 3a4e378932ffc7768426bb7a897e2c45
+md5sum = f3f31188de56bb35383335b3219537f4
 [template-trafficserver-storage-config]
-filename = templates/trafficserver/storage.config.jinja2
+_update_hash_filename_ = templates/trafficserver/storage.config.jinja2
 md5sum = baf7b89cc9ab5506100b0c900808c1ea
 [template-trafficserver-logging-config]
-filename = templates/trafficserver/logging.config.jinja2
+_update_hash_filename_ = templates/trafficserver/logging.config.jinja2
 md5sum = 6aed31174dc262ced02f31624321df41
 [template-nginx-eventsource-slave-virtualhost]
-filename = templates/nginx-eventsource-slave.conf.in
+_update_hash_filename_ = templates/nginx-eventsource-slave.conf.in
 md5sum = 217a6c801b8330b0b825f7b8b4c77184
 [template-caddy-lazy-script-call]
-filename = templates/apache-lazy-script-call.sh.in
+_update_hash_filename_ = templates/apache-lazy-script-call.sh.in
 md5sum = b9f73f6323f9fceea054c46c854d2862
 [template-graceful-script]
-filename = templates/graceful-script.sh.in
+_update_hash_filename_ = templates/graceful-script.sh.in
 md5sum = 061cc244558fd3af2b6bacf17cae5555
 [template-validate-script]
-filename = templates/validate-script.sh.in
+_update_hash_filename_ = templates/validate-script.sh.in
 md5sum = f26e11574f266c7437c9c89e3c93825a
 [template-configuration-state-script]
-filename = templates/configuration-state-script.sh.in
+_update_hash_filename_ = templates/configuration-state-script.sh.in
 md5sum = 4d2537d2698d32a7e909989f8778d144
 [template-rotate-script]
-filename = templates/rotate-script.sh.in
+_update_hash_filename_ = templates/rotate-script.sh.in
 md5sum = 8c150e1e6c993708d31936742f3a7302
 [caddyprofiledeps-setup]

--- a/software/caddy-frontend/common.cfg
+++ b/software/caddy-frontend/common.cfg
@@ -119,15 +119,10 @@ template_default_slave_virtualhost = ${template-default-slave-virtualhost:target
 template_empty = ${template-empty:target}
 template_log_access = ${template-log-access:target}
 template_not_found_html = ${template-not-found-html:target}
-template_slave_configuration = ${template-slave-configuration:target}
 template_slave_list = ${template-slave-list:target}
-template_trafficserver_records_config = ${template-trafficserver-records-config:location}
+template_trafficserver_records_config = ${template-trafficserver-records-config:target}
-template_trafficserver_records_config_filename = ${template-trafficserver-records-config:filename}
+template_trafficserver_storage_config = ${template-trafficserver-storage-config:target}
-template_trafficserver_records_config_location = ${template-trafficserver-records-config:location}
+template_trafficserver_logging_config = ${template-trafficserver-logging-config:target}
-template_trafficserver_storage_config_filename = ${template-trafficserver-storage-config:filename}
-template_trafficserver_storage_config_location = ${template-trafficserver-storage-config:location}
-template_trafficserver_logging_config_filename = ${template-trafficserver-logging-config:filename}
-template_trafficserver_logging_config_location = ${template-trafficserver-logging-config:location}
 template_wrapper = ${template-wrapper:output}
 [template]
@@ -155,8 +150,7 @@ mode = 0644
 [caddy-backend-url-validator]
 recipe = slapos.recipe.template
-url = ${:_profile_base_location_}/templates/${:filename}
+url = ${:_profile_base_location_}/${:filename}
-filename = caddy-backend-url-validator.in
 output = ${buildout:directory}/caddy-backend-url-validator
 mode = 0750
@@ -172,44 +166,32 @@ mode = 0644
 [download-template]
 recipe = slapos.recipe.build:download
-url = ${:_profile_base_location_}/templates/${:filename}
+url = ${:_profile_base_location_}/${:_update_hash_filename_}
 mode = 640
 [template-slave-list]
 <=download-template
-filename = apache-custom-slave-list.cfg.in
-[template-slave-configuration]
-<=download-template
-filename = custom-virtualhost.conf.in
 [template-replicate-publish-slave-information]
 <=download-template
-filename = replicate-publish-slave-information.cfg.in
 [template-caddy-frontend-configuration]
 <=download-template
-filename = Caddyfile.in
 [template-not-found-html]
 <=download-template
-filename = notfound.html
 [template-default-slave-virtualhost]
 <=download-template
-filename = default-virtualhost.conf.in
 [template-cached-slave-virtualhost]
 <=download-template
-filename = cached-virtualhost.conf.in
 [template-log-access]
 <=download-template
-filename = template-log-access.conf.in
 [template-empty]
 <=download-template
-filename = empty.in
 [template-wrapper]
 recipe = slapos.recipe.template
@@ -219,35 +201,24 @@ mode = 0644
 [template-trafficserver-records-config]
 <=download-template
-url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
-filename = records.config.jinja2
 [template-trafficserver-storage-config]
 <=download-template
-url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
-filename = storage.config.jinja2
 [template-trafficserver-logging-config]
 <=download-template
-url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
-filename = logging.config.jinja2
 [template-rotate-script]
 <=download-template
-filename = rotate-script.sh.in
 [template-caddy-lazy-script-call]
 <=download-template
-filename = apache-lazy-script-call.sh.in
 [template-graceful-script]
 <=download-template
-filename = graceful-script.sh.in
 [template-validate-script]
 <=download-template
-filename = validate-script.sh.in
 [template-configuration-state-script]
 <=download-template
-filename = configuration-state-script.sh.in
--- a/software/caddy-frontend/instance-apache-frontend.cfg.in
+++ b/software/caddy-frontend/instance-apache-frontend.cfg.in
@@ -15,7 +15,6 @@ parts =
  caucase-updater
  caucase-updater-promise
  frontend-caddy-graceful
-  not-found-html
  port-redirection
  promise-frontend-caddy-configuration
  promise-caddy-frontend-v4-https
@@ -147,7 +146,6 @@ context =
 [software-release-path]
 template-empty = {{ parameter_dict['template_empty'] }}
-template-slave-configuration = {{ parameter_dict['template_slave_configuration'] }}
 template-default-slave-virtualhost = {{ parameter_dict['template_default_slave_virtualhost'] }}
 template-cached-slave-virtualhost = {{ parameter_dict['template_cached_slave_virtualhost'] }}
 caddy-location = {{ parameter_dict['caddy_location'] }}
@@ -249,7 +247,6 @@ extra-context =
    key local_ipv6 :local_ipv6
    key global_ipv6 slap-network-information:global-ipv6
    key empty_template software-release-path:template-empty
-    key template_custom_slave_configuration software-release-path:template-slave-configuration
    key template_default_slave_configuration software-release-path:template-default-slave-virtualhost
    key template_cached_slave_configuration software-release-path:template-cached-slave-virtualhost
    key software_type :software_type
@@ -278,19 +275,6 @@ extra-context =
    key apache_certificate apache-certificate:rendered
 # BBB: SlapOS Master non-zero knowledge END
-[dynamic-virtualhost-template-slave]
-<= jinja2-template-base
-template = {{ parameter_dict['template_slave_configuration'] }}
-rendered = ${directory:template}/slave-virtualhost.conf.in
-# BBB: apache_custom_https and apache_custom_http
-extra-context =
-    key https_port configuration:port
-    key http_port configuration:plain_http_port
-    key apache_custom_https configuration:apache_custom_https
-    key apache_custom_http configuration:apache_custom_http
-    key caddy_custom_https configuration:caddy_custom_https
-    key caddy_custom_http configuration:caddy_custom_http
 # Deploy Caddy Frontend with Jinja power
 [dynamic-caddy-frontend-template]
 < = jinja2-template-base
@@ -334,9 +318,6 @@ template = inline:
  -http2=false \
 {% else %}
  -http2=true \
-{% endif %}
-{% if instance_parameter['configuration.enable-quic'].lower() in TRUE_VALUES %}
-  -quic \
 {% endif %}
  -grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s \
  -disable-http-challenge \
@@ -353,10 +334,10 @@ hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 hash-files = ${caddy-wrapper:rendered}
 [not-found-html]
-recipe = slapos.cookbook:symbolic.link
+recipe = plone.recipe.command
-target-directory = ${caddy-directory:document-root}
+update-command = ${:command}
-link-binary =
+filename = notfound.html
-	    {{ parameter_dict['template_not_found_html'] }}
+command = ln -sf  {{ parameter_dict['template_not_found_html'] }} ${caddy-directory:document-root}/${:filename}
 [caddy-directory]
 recipe = slapos.cookbook:mkdirectory
@@ -377,7 +358,7 @@ access-log = ${directory:log}/frontend-access.log
 error-log = ${directory:log}/frontend-error.log
 pid-file = ${directory:run}/httpd.pid
 frontend-graceful-command = ${frontend-caddy-validate:rendered} && kill -USR1 $(cat ${:pid-file})
-not-found-file = ${caddy-directory:document-root}/notfound.html
+not-found-file = ${caddy-directory:document-root}/${not-found-html:filename}
 master-certificate = ${caddy-directory:master-autocert-dir}/master.pem
 # Communication with ATS
 cache-port = ${trafficserver-variable:input-port}
@@ -478,19 +459,19 @@ context =
 [trafficserver-records-config]
 < = trafficserver-jinja2-template-base
-template = {{ parameter_dict['template_trafficserver_records_config_location'] }}/{{ parameter_dict['template_trafficserver_records_config_filename'] }}
+template = {{ parameter_dict['template_trafficserver_records_config'] }}
 filename = records.config
 extra-context =
    import os_module os
 [trafficserver-storage-config]
 < = trafficserver-jinja2-template-base
-template = {{ parameter_dict['template_trafficserver_storage_config_location'] }}/{{ parameter_dict['template_trafficserver_storage_config_filename'] }}
+template = {{ parameter_dict['template_trafficserver_storage_config'] }}
 filename = storage.config
 [trafficserver-logging-config]
 < = trafficserver-jinja2-template-base
-template = {{ parameter_dict['template_trafficserver_logging_config_location'] }}/{{ parameter_dict['template_trafficserver_logging_config_filename'] }}
+template = {{ parameter_dict['template_trafficserver_logging_config'] }}
 filename = logging.config
 [trafficserver-remap-config]

--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -78,13 +78,12 @@ context =
                                  }) %}
 {% endfor %}
-{% set authorized_slave_string_list = slapparameter_dict.pop('-frontend-authorized-slave-string', '').split() %}
+{% set authorized_slave_string_list = [] %}
 {% set authorized_slave_list = [] %}
 {% set rejected_slave_dict = {} %}
 {% set rejected_slave_title_dict = {} %}
 {% set warning_slave_dict = {} %}
 {% set used_host_list = [] %}
-{% set unauthorized_message = 'slave not authorized' %}
 {% for slave in sorted(slave_instance_list) %}
 {%   set slave_error_list = [] %}
 {%   set slave_warning_list = [] %}
@@ -104,7 +103,6 @@ context =
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-{#   BBB: apache_custom_https AND apache_custom_http #}
 {%   set custom_domain = slave.get('custom_domain') %}
 {%   if custom_domain and custom_domain in used_host_list %}
 {%      do slave_error_list.append('custom_domain %r clashes' % (custom_domain,)) %}
@@ -133,15 +131,6 @@ context =
 {%     endfor %}
 {%     do slave.__setitem__('server-alias', ' '.join(slave_server_alias_unclashed)) %}
 {%   endif %}
-{%   for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] %}
-{%     if slave.get(key) %}
-{%       if not slave.get('slave_reference') in authorized_slave_string_list %}
-{%         if not unauthorized_message in slave_error_list %}
-{%           do slave_error_list.append(unauthorized_message) %}
-{%         endif %}
-{%       endif %}
-{%     endif %}
-{%   endfor %} {# for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] #}
 {%   if slave.get('url') %}
 {%     if subprocess_module.call([caddy_backend_url_validator, '' ~ slave['url']]) == 1 %}
 {%       do slave_error_list.append('slave url %r invalid' % (slave['url'],)) %}

--- a/software/caddy-frontend/instance-caddy-input-schema.json
+++ b/software/caddy-frontend/instance-caddy-input-schema.json
 {
  "$schema": "http://json-schema.org/draft-04/schema",
  "properties": {
-    "-frontend-authorized-slave-string": {
-      "description": "List of SOFTINST-XXX of Slaves, separated by space which is allowed to use custom configuration.",
-      "title": "Authorized Slave String",
-      "type": "string"
-    },
    "-frontend-quantity": {
      "description": "Quantity of Frontends Replicate.",
      "title": "Frontend Replication Quantity",
@@ -71,16 +66,6 @@
      "title": "Test Verification URL",
      "type": "string"
    },
-    "enable-quic": {
-      "default": "false",
-      "description": "Enables QUIC - Quick UDP Internet Connections. Note that this is experimental feature, thus can result in undefined behaviour. Warning: Changing the parameter will result in restarting Caddy process.",
-      "enum": [
-        "true",
-        "false"
-      ],
-      "title": "Enable QUIC",
-      "type": "string"
-    },
    "proxy-try-duration": {
      "default": 5,
      "description": "A time during which Caddy will try to establish connection with a backend. Setting it to 0 will result with immediate return of 502 EOF error to the browser, even if it would be possible to (re)connect to the backend during few moments. More info in https://caddyserver.com/docs/proxy try_durtion.",

--- a/software/caddy-frontend/instance-slave-caddy-input-schema.json
+++ b/software/caddy-frontend/instance-slave-caddy-input-schema.json
@@ -53,20 +53,6 @@
      "title": "HTTPS Only",
      "type": "string"
    },
-    "caddy_custom_http": {
-      "default": "",
-      "description": "Raw http configuration in python template format. Your site will be rejected if you use it without notification and approval of frontend administrators",
-      "textarea": true,
-      "title": "HTTP configuration",
-      "type": "string"
-    },
-    "caddy_custom_https": {
-      "default": "",
-      "description": "Raw https configuration in python template format. Your site will be rejected if you use it without notification and approval of frontend administrators",
-      "textarea": true,
-      "title": "HTTPS configuration",
-      "type": "string"
-    },
    "default-path": {
      "default": "",
      "description": "Provide default path to redirect user to when user access / (the site root)",
@@ -153,12 +139,6 @@
      "title": "Prefer gzip Encoding for Backend",
      "type": "string"
    },
-    "re6st-optimal-test": {
-      "default": "",
-      "description": "IPv6 and IPv6 Address for the frontend test if re6st is on the optimal status (use ipv6,ipv4)",
-      "title": "IPv6 and IPv4 Address to test Re6st",
-      "type": "string"
-    },
    "server-alias": {
      "default": "",
      "description": "Server Alias List separated by space",

--- a/software/caddy-frontend/instance.cfg.in
+++ b/software/caddy-frontend/instance.cfg.in
@@ -103,11 +103,6 @@ configuration.nginx_port = 9443
 configuration.kedifa_port = 7879
 # Warning: Caucase takes also cacuase_port+1
 configuration.caucase_port = 8890
-# BBB: apache_custom_https and apache_custom_http
-configuration.apache_custom_https = ""
-configuration.apache_custom_http = ""
-configuration.caddy_custom_https = ""
-configuration.caddy_custom_http = ""
 configuration.apache-key =
 configuration.apache-certificate =
 configuration.open-port = 80 443
@@ -120,7 +115,6 @@ configuration.enable-http2-by-default = true
 configuration.global-disable-http2 = false
 configuration.ciphers =
 configuration.request-timeout = 600
-configuration.enable-quic = false
 configuration.mpm-graceful-shutdown-timeout = 5
 configuration.frontend-name =
 configuration.proxy-try-duration = 5

--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
-{% if software_type == slap_software_type %}
+{%- if software_type == slap_software_type %}
+{%- set kedifa_updater_mapping = [] %}
-{% set kedifa_updater_mapping = [] %}
+{%- set cached_server_dict = {} %}
-{% set cached_server_dict = {} %}
+{%- set part_list = [] %}
-{% set part_list = [] %}
+{%- set cache_port = caddy_configuration.get('cache-port') %}
-{% set cache_port = caddy_configuration.get('cache-port') %}
+{%- set cached_port = caddy_configuration.get('cache-through-port') %}
-{% set cached_port = caddy_configuration.get('cache-through-port') %}
+{%- set ssl_cached_port = caddy_configuration.get('ssl-cache-through-port') %}
-{% set ssl_cached_port = caddy_configuration.get('ssl-cache-through-port') %}
+{%- set cache_access = "http://%s:%s" % (local_ipv4, cache_port) %}
-{% set cache_access = "http://%s:%s" % (local_ipv4, cache_port) %}
+{%- set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) %}
-{% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) %}
+{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
-{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
+{%- set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port} %}
-{% set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port} %}
+{%- set slave_log_dict = {} %}
-{% set slave_log_dict = {} %}
+{%- if extra_slave_instance_list %}
-{% if extra_slave_instance_list %}
+{%-   set slave_instance_information_list = [] %}
-{%   set slave_instance_information_list = [] %}
+{%-   set slave_instance_list = slave_instance_list + json_module.loads(extra_slave_instance_list) %}
-{%   set slave_instance_list = slave_instance_list + json_module.loads(extra_slave_instance_list) %}
+{%- endif %}
-{% endif %}
+{%- if master_key_download_url %}
+{%-   do kedifa_updater_mapping.append((master_key_download_url, master_certificate, apache_certificate)) %}
+{%- else %}
+{%-   do kedifa_updater_mapping.append(('notreadyyet', master_certificate, apache_certificate)) %}
+{%- endif %}
+{%- if slave_kedifa_information %}
+{%-   set slave_kedifa_information = json_module.loads(slave_kedifa_information) %}
+{%- else %}
+{%-   set slave_kedifa_information = {} %}
+{%- endif -%}
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 extensions = jinja2.ext.do
@@ -30,18 +39,6 @@ sharedscripts = true
 notifempty = true
 create = true
-{% if master_key_download_url %}
-{%   do kedifa_updater_mapping.append((master_key_download_url, master_certificate, apache_certificate)) %}
-{% else %}
-{%   do kedifa_updater_mapping.append(('notreadyyet', master_certificate, apache_certificate)) %}
-{% endif %}
-{% if slave_kedifa_information %}
-{%   set slave_kedifa_information = json_module.loads(slave_kedifa_information) %}
-{% else %}
-{%   set slave_kedifa_information = {} %}
-{% endif %}
 # empty sections if no slaves are available
 [slave-log-directory-dict]
 [slave-password]
@@ -49,172 +46,160 @@ create = true
 # empty section if no cached slaves are available
 [slave-log-cache-direct-directory-dict]
-{# Loop thought slave list to set up slaves #}
+{#- Loop thought slave list to set up slaves #}
-{% for slave_instance in slave_instance_list %}
+{%- for slave_instance in slave_instance_list %}
-{#   Manage ciphers #}
+{#-   Manage ciphers #}
-{%   set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %}
+{%-   set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %}
-{%   if slave_ciphers %}
+{%-   if slave_ciphers %}
-{%     set slave_cipher_list = ' '.join(slave_ciphers) %}
+{%-     set slave_cipher_list = ' '.join(slave_ciphers) %}
-{%   else %}
+{%-   else %}
-{%     set slave_cipher_list = ciphers.strip() %}
+{%-     set slave_cipher_list = ciphers.strip() %}
-{%   endif %}
+{%-   endif %}
-{%   do slave_instance.__setitem__('cipher_list', slave_cipher_list) %}
+{%-   do slave_instance.__setitem__('cipher_list', slave_cipher_list) %}
-{%   set slave_type = slave_instance.get('type', '') %}
+{%-   set slave_type = slave_instance.get('type', '') %}
-{%   set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_type != 'redirect') %}
+{%-   set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_type != 'redirect') %}
-{%   set slave_reference = slave_instance.get('slave_reference') %}
+{%-   set slave_reference = slave_instance.get('slave_reference') %}
-{%   set slave_kedifa = slave_kedifa_information.get(slave_reference) %}
+{%-   set slave_kedifa = slave_kedifa_information.get(slave_reference) %}
-{%   if slave_kedifa %}
+{%-   if slave_kedifa %}
-{%     set key_download_url = slave_kedifa.get('key-download-url') %}
+{%-     set key_download_url = slave_kedifa.get('key-download-url') %}
-{%   else %}
+{%-   else %}
-{%     set key_download_url = 'notreadyyet' %}
+{%-     set key_download_url = 'notreadyyet' %}
-{%   endif %}
+{%-   endif %}
-{%   set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference %}
+{%-   set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference %}
-{%   set slave_parameter_dict = generic_instance_parameter_dict.copy() %}
+{%-   set slave_parameter_dict = generic_instance_parameter_dict.copy() %}
-{%   set slave_publish_dict = {} %}
+{%-   set slave_publish_dict = {} %}
-{%   set slave_configuration_section_name = 'slave-instance-%s-configuration' % slave_reference %}
+{%-   set slave_configuration_section_name = 'slave-instance-%s-configuration' % slave_reference %}
-{%   set slave_logrotate_section = slave_reference + "-logs" %}
+{%-   set slave_logrotate_section = slave_reference + "-logs" %}
-{%   set slave_logrotate_cache_direct_section = slave_reference + "-cache-direct-logs" %}
+{%-   set slave_logrotate_cache_direct_section = slave_reference + "-cache-direct-logs" %}
-{%   set slave_password_section = slave_reference + "-password" %}
+{%-   set slave_password_section = slave_reference + "-password" %}
-{%   set slave_ln_section = slave_reference + "-ln" %}
+{%-   set slave_ln_section = slave_reference + "-ln" %}
+{#-   extend parts #}
-{#   extend parts #}
+{%-   do part_list.extend([slave_ln_section]) %}
-{%   do part_list.extend([slave_ln_section]) %}
+{%-   do part_list.extend([slave_logrotate_section, slave_section_title]) %}
-{%   do part_list.extend([slave_logrotate_section, slave_section_title]) %}
+{%-   set slave_log_folder = '${logrotate-directory:logrotate-backup}/' + slave_reference + "-logs" %}
+{%-   if enable_cache %}
-{%   set slave_log_folder = '${logrotate-directory:logrotate-backup}/' + slave_reference + "-logs" %}
+{%-     set slave_log_cache_direct_folder = '${logrotate-directory:logrotate-backup}/' + slave_logrotate_cache_direct_section %}
-{%   if enable_cache %}
+{%-     do part_list.extend([slave_logrotate_cache_direct_section]) %}
-{%     set slave_log_cache_direct_folder = '${logrotate-directory:logrotate-backup}/' + slave_logrotate_cache_direct_section %}
+{%-   endif %}
-{%     do part_list.extend([slave_logrotate_cache_direct_section]) %}
+{#-   Pass HTTP2 switch #}
-{%   endif %}
+{%-   do slave_instance.__setitem__('enable_http2_by_default', enable_http2_by_default) %}
+{%-   do slave_instance.__setitem__('global_disable_http2', global_disable_http2) %}
-{#   Pass HTTP2 switch #}
+{#-   Pass proxy_try_duration and proxy_try_interval #}
-{%   do slave_instance.__setitem__('enable_http2_by_default', enable_http2_by_default) %}
+{%-   do slave_instance.__setitem__('proxy_try_duration', proxy_try_duration) %}
-{%   do slave_instance.__setitem__('global_disable_http2', global_disable_http2) %}
+{%-   do slave_instance.__setitem__('proxy_try_interval', proxy_try_interval) %}
+{#-   Set Up log files #}
-{#   Pass proxy_try_duration and proxy_try_interval #}
+{%-   do slave_parameter_dict.__setitem__('access_log', '/'.join([caddy_log_directory, '%s_access_log' % slave_reference])) %}
-{%   do slave_instance.__setitem__('proxy_try_duration', proxy_try_duration) %}
+{%-   do slave_parameter_dict.__setitem__('error_log', '/'.join([caddy_log_directory, '%s_error_log' % slave_reference])) %}
-{%   do slave_instance.__setitem__('proxy_try_interval', proxy_try_interval) %}
+{%-   do slave_instance.__setitem__('access_log', slave_parameter_dict.get('access_log')) %}
+{%-   do slave_instance.__setitem__('error_log', slave_parameter_dict.get('error_log')) %}
-{#   Set Up log files #}
+{%-   if enable_cache %}
-{%   do slave_parameter_dict.__setitem__('access_log', '/'.join([caddy_log_directory, '%s_access_log' % slave_reference])) %}
+{%-     do slave_parameter_dict.__setitem__('access_log_cache_direct', '/'.join([caddy_log_cache_direct_directory, '%s_access_log' % slave_reference])) %}
-{%   do slave_parameter_dict.__setitem__('error_log', '/'.join([caddy_log_directory, '%s_error_log' % slave_reference])) %}
+{%-     do slave_parameter_dict.__setitem__('error_log_cache_direct', '/'.join([caddy_log_cache_direct_directory, '%s_error_log' % slave_reference])) %}
-{%   do slave_instance.__setitem__('access_log', slave_parameter_dict.get('access_log')) %}
+{%-     do slave_instance.__setitem__('access_log_cache_direct', slave_parameter_dict.get('access_log_cache_direct')) %}
-{%   do slave_instance.__setitem__('error_log', slave_parameter_dict.get('error_log')) %}
+{%-     do slave_instance.__setitem__('error_log_cache_direct', slave_parameter_dict.get('error_log_cache_direct')) %}
-{%   if enable_cache %}
+{%-   endif %}
-{%     do slave_parameter_dict.__setitem__('access_log_cache_direct', '/'.join([caddy_log_cache_direct_directory, '%s_access_log' % slave_reference])) %}
+{#-   Add slave log directory to the slave log access dict #}
-{%     do slave_parameter_dict.__setitem__('error_log_cache_direct', '/'.join([caddy_log_cache_direct_directory, '%s_error_log' % slave_reference])) %}
+{%-   do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %}
-{%     do slave_instance.__setitem__('access_log_cache_direct', slave_parameter_dict.get('access_log_cache_direct')) %}
+{%-   set slave_log_access_url = 'https://' + slave_reference.lower() + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('caddy-ipv6') + ']:' + frontend_configuration.get('caddy-https-port') + '/' + slave_reference.lower() + '/' %}
-{%     do slave_instance.__setitem__('error_log_cache_direct', slave_parameter_dict.get('error_log_cache_direct')) %}
+{%-   do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
-{%   endif %}
+{%-   do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
+{%-   do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %}
-{#   Add slave log directory to the slave log access dict #}
+{#-   Set slave domain if none was defined #}
-{%   do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %}
+{%-   if slave_instance.get('custom_domain', None) == None %}
+{%-     set domain_prefix = slave_instance.get('slave_reference').replace("-", "").replace("_", "").lower() %}
-{%   set slave_log_access_url = 'https://' + slave_reference.lower() + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('caddy-ipv6') + ']:' + frontend_configuration.get('caddy-https-port') + '/' + slave_reference.lower() + '/' %}
+{%-     do slave_instance.__setitem__('custom_domain', "%s.%s" % (domain_prefix, slapparameter_dict.get('domain'))) %}
-{%   do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
+{%-   endif %}
-{%   do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
+{%-   if enable_cache and 'url' in slave_instance %}
-{%   do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %}
+{%-     if 'domain' in slave_instance %}
+{%-       if not slave_instance.get('custom_domain') %}
-{# Set slave domain if none was defined #}
+{%-         do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) %}
-{%   if slave_instance.get('custom_domain', None) == None %}
+{%-       endif %}
-{%     set domain_prefix = slave_instance.get('slave_reference').replace("-", "").replace("_", "").lower() %}
+{%-     endif %}
-{%     do slave_instance.__setitem__('custom_domain', "%s.%s" % (domain_prefix, slapparameter_dict.get('domain'))) %}
+{%-     do slave_instance.__setitem__('backend_url', slave_instance.get('url')) %}
-{%   endif %}
+{%-     do slave_instance.__setitem__('https_backend_url', slave_instance.get('https-url', slave_instance.get('url'))) %}
+{%-     do slave_instance.__setitem__('url', cache_access) %}
-{%   if enable_cache and 'url' in slave_instance %}
+{%-     do slave_instance.__setitem__('https-url', ssl_cache_access) %}
-{%     if 'domain' in slave_instance %}
+{%-     do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) %}
-{%       if not slave_instance.get('custom_domain') %}
+{%-   endif %}
-{%         do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) %}
+{%-   do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) %}
-{%       endif %}
+{%-   do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
-{%     endif %}
+{%-   do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
-{%     do slave_instance.__setitem__('backend_url', slave_instance.get('url')) %}
+{%-   do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}
-{%     do slave_instance.__setitem__('https_backend_url', slave_instance.get('https-url', slave_instance.get('url'))) %}
-{%     do slave_instance.__setitem__('url', cache_access) %}
-{%     do slave_instance.__setitem__('https-url', ssl_cache_access) %}
-{%     do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) %}
-{%   endif %}
-{# BBB: apache_custom_https and apache_custom_http #}
-{%   if not slave_instance.has_key('caddy_custom_http') and not slave_instance.has_key('caddy_custom_https') and not slave_instance.has_key('apache_custom_http') and not slave_instance.has_key('apache_custom_https') %}
-{%     do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) %}
-{%     do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
-{%     do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
-{%     do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}
-{%   endif %}
 [slave-log-directory-dict]
 {{slave_reference}} = {{ slave_log_folder }}
-{%   if enable_cache %}
+{%-   if enable_cache %}
 [slave-log-cache-direct-directory-dict]
 {{slave_reference}}_cache_direct = {{ slave_log_cache_direct_folder }}
-{%   endif %}
+{%-   endif %}
 [slave-password]
 {{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}
-{# Set slave logrotate entry #}
+{#-   Set slave logrotate entry #}
 [{{slave_logrotate_section}}]
 <= logrotate-entry-base
 name = ${:_buildout_section_name_}
 log = {{slave_parameter_dict.get('access_log')}} {{slave_parameter_dict.get('error_log')}}
 backup = {{ slave_log_folder }}
-{%    if enable_cache %}
+{%-   if enable_cache %}
 [{{slave_logrotate_cache_direct_section}}]
 <= logrotate-entry-base
 name = ${:_buildout_section_name_}
 log = {{slave_parameter_dict.get('access_log_cache_direct')}} {{slave_parameter_dict.get('error_log_cache_direct')}}
 backup = {{ slave_log_cache_direct_folder }}
-{%    endif %}
+{%-   endif %}
+{#-   integrate current logs inside #}
-{# integrate current logs inside #}
 [{{slave_ln_section}}]
 recipe = plone.recipe.command
 stop-on-error = false
 command = ln -s {{slave_parameter_dict.get('error_log')}} {{ slave_log_folder }}/error.log && ln -s {{slave_parameter_dict.get('access_log')}} {{ slave_log_folder }}/access.log
-{# Set password for slave #}
+{#-   Set password for slave #}
 [{{slave_password_section}}]
 recipe = slapos.cookbook:generate.password
 storage-path = {{caddy_configuration_directory}}/.{{slave_reference}}.passwd
 bytes = 8
-{# ################################################## #}
+{#-   ################################################## #}
-{# Set Slave Certificates if needed                   #}
+{#-   Set Slave Certificates if needed                   #}
-{# Set certificate key for custom configuration       #}
+{#-   Set certificate key for custom configuration       #}
-{% set cert_name = slave_reference.replace('-','.') + '.pem' %}
+{%-   set cert_name = slave_reference.replace('-','.') + '.pem' %}
-{% set certificate = '%s/%s' % (autocert, cert_name) %}
+{%-   set certificate = '%s/%s' % (autocert, cert_name) %}
-{% do slave_parameter_dict.__setitem__('certificate', certificate )%}
+{%-   do slave_parameter_dict.__setitem__('certificate', certificate )%}
+{#-   Set ssl certificates for each slave #}
-{# Set ssl certificates for each slave #}
+{%-     for cert_name in ('ssl_csr', 'ssl_proxy_ca_crt')%}
-{%   for cert_name in ('ssl_csr', 'ssl_proxy_ca_crt')%}
+{%-       if cert_name in slave_instance %}
-{%     if cert_name in slave_instance %}
+{%-         set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) %}
-{%       set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) %}
+{%-         set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %}
-{%       set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) %}
+{%-         do part_list.append(cert_title) %}
-{%       do part_list.append(cert_title) %}
+{%-         do slave_parameter_dict.__setitem__(cert_name, cert_file) %}
-{%       do slave_parameter_dict.__setitem__(cert_name, cert_file) %}
+{%-         do slave_instance.__setitem__('path_to_' + cert_name, cert_file) %}
-{%       do slave_instance.__setitem__('path_to_' + cert_name, cert_file) %}
+{#-         Store certificates on fs #}
-{# Store certificates on fs #}
 [{{ cert_title }}]
 < = jinja2-template-base
 template = {{ empty_template }}
 rendered = {{ cert_file }}
 extra-context =
    key content {{ cert_title + '-config:value' }}
-# BBB: SlapOS Master non-zero knowledge BEGIN
+{#-         BBB: SlapOS Master non-zero knowledge BEGIN #}
-# Store certificate in config
+{#-         Store certificate in config #}
 [{{ cert_title + '-config' }}]
 value = {{ dumps(slave_instance.get(cert_name)) }}
-{%     endif %}
+{%-       endif %}
-{%   endfor %}
+{%-     endfor %}
 {#-   Set Up Certs #}
-{%   if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance %}
+{%-   if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance %}
-{%     set cert_title = '%s-crt' % (slave_reference) %}
+{%-     set cert_title = '%s-crt' % (slave_reference) %}
-{%     set cert_file = '/'.join([bbb_ssl_directory, cert_title.replace('-','.')]) %}
+{%-     set cert_file = '/'.join([bbb_ssl_directory, cert_title.replace('-','.')]) %}
-{%     do kedifa_updater_mapping.append((key_download_url, certificate, cert_file)) %}
+{%-     do kedifa_updater_mapping.append((key_download_url, certificate, cert_file)) %}
-{%     do part_list.append(cert_title) %}
+{%-     do part_list.append(cert_title) %}
-{%     do slave_parameter_dict.__setitem__("ssl_crt", cert_file) %}
+{%-     do slave_parameter_dict.__setitem__("ssl_crt", cert_file) %}
 [{{cert_title}}]
 < = jinja2-template-base
@@ -223,13 +208,14 @@ rendered = {{ cert_file }}
 cert-content = {{ dumps(slave_instance.get('ssl_crt') + '\n' + slave_instance.get('ssl_ca_crt', '') + '\n' + slave_instance.get('ssl_key')) }}
 extra-context =
    key content :cert-content
-{%   else %}
+{%-   else %}
-{%     do kedifa_updater_mapping.append((key_download_url, certificate, master_certificate)) %}
+{%-     do kedifa_updater_mapping.append((key_download_url, certificate, master_certificate)) %}
-{%   endif %}
+{%-   endif %}
-# BBB: SlapOS Master non-zero knowledge END
+{#-   BBB: SlapOS Master non-zero knowledge END #}
+{#-   ########################################## #}
+{#-   Set Slave Configuration                    #}
-{# ########################################## #}
-{# Set Slave Configuration                    #}
 [{{ slave_configuration_section_name }}]
 certificate = {{ certificate }}
 https_port = {{ dumps('' ~ https_port) }}
@@ -238,51 +224,29 @@ local_ipv4 = {{ dumps('' ~ local_ipv4) }}
 cached_port = {{ dumps('' ~ cached_port) }}
 ssl_cached_port = {{ ('' ~ ssl_cached_port) }}
 request_timeout = {{ ('' ~ request_timeout) }}
-{# BBB: apache_custom_https and apache_custom_http #}
+{%-   for key, value in slave_instance.iteritems() %}
-{%     set caddy_custom_http_template = slave_instance.pop('caddy_custom_http', slave_instance.pop('apache_custom_http', '')) %}
+{%-     if value is not none %}
-{%     set caddy_custom_https_template = slave_instance.pop('caddy_custom_https', slave_instance.pop('apache_custom_https', '')) %}
-{%     if caddy_custom_http_template is not none %}
-{%       set caddy_custom_http = ('' ~ caddy_custom_http_template) % slave_parameter_dict %}
-caddy_custom_http = {{ dumps(caddy_custom_http) }}
-{%     else %}
-{%       set caddy_custom_http = None %}
-{%     endif %}
-{%     if caddy_custom_https_template is not none %}
-{%       set caddy_custom_https = ('' ~ caddy_custom_https_template) % slave_parameter_dict %}
-caddy_custom_https = {{ dumps(caddy_custom_https) }}
-{%     else %}
-{%       set caddy_custom_https = None %}
-{%     endif %}
-{{ '\n' }}
-{%     for key, value in slave_instance.iteritems() %}
-{%       if value is not none %}
 {{ key }} = {{ dumps('' ~ value) }}
-{%       endif %}
+{%-     endif %}
-{%     endfor %}
+{%-   endfor %}
 [{{ slave_section_title }}]
 < = jinja2-template-base
 rendered = {{ caddy_configuration_directory }}/${:filename}
-{%   if caddy_custom_http or caddy_custom_https %}
-template = {{ template_custom_slave_configuration }}
-extra-context =
-    section slave_parameter {{ slave_configuration_section_name }}
-{%   else %}
 template = {{ template_default_slave_configuration }}
 extra-context =
    section slave_parameter {{ slave_configuration_section_name }}
    import urllib_module urllib
-{%   endif %}
 filename = {{ '%s.conf' % slave_reference }}
 {{ '\n' }}
-{%   set monitor_ipv6_test = slave_instance.get('monitor-ipv6-test', '') %}
+{%-   set monitor_ipv6_test = slave_instance.get('monitor-ipv6-test', '') %}
-{%   if monitor_ipv6_test %}
+{%-   if monitor_ipv6_test %}
-{%     set monitor_ipv6_section_title = 'check-%s-ipv6-packet-list-test' % slave_instance.get('slave_reference') %}
+{%-     set monitor_ipv6_section_title = 'check-%s-ipv6-packet-list-test' % slave_instance.get('slave_reference') %}
-{%     do part_list.append(monitor_ipv6_section_title) %}
+{%-     do part_list.append(monitor_ipv6_section_title) %}
 [{{ monitor_ipv6_section_title }}]
 <= monitor-promise-base
 module = check_icmp_packet_lost
@@ -290,12 +254,11 @@ name = {{ monitor_ipv6_section_title }}.py
 config-address = {{ dumps(monitor_ipv6_test) }}
 # promise frequency in minutes (2 times/day)
 config-frequency = 720
-{%   endif %}
+{%-   endif %}
+{%-   set monitor_ipv4_test = slave_instance.get('monitor-ipv4-test', '') %}
-{%   set monitor_ipv4_test = slave_instance.get('monitor-ipv4-test', '') %}
+{%-   if monitor_ipv4_test %}
-{%   if monitor_ipv4_test %}
+{%-     set monitor_ipv4_section_title = 'check-%s-ipv4-packet-list-test' % slave_instance.get('slave_reference') %}
-{%     set monitor_ipv4_section_title = 'check-%s-ipv4-packet-list-test' % slave_instance.get('slave_reference') %}
+{%-     do part_list.append(monitor_ipv4_section_title) %}
-{%     do part_list.append(monitor_ipv4_section_title) %}
 [{{ monitor_ipv4_section_title }}]
 <= monitor-promise-base
 module = check_icmp_packet_lost
@@ -304,66 +267,41 @@ config-address = {{ dumps(monitor_ipv4_test) }}
 config-ipv4 = true
 # promise frequency in minutes (2 times/day)
 config-frequency = 720
-{%   endif %}
+{%-   endif %}
-{%   set re6st_optimal_test = '' ~ slave_instance.get('re6st-optimal-test', '') %}
-{%   set re6st_ipv6 = None %}
-{%   set re6st_ipv4 = None %}
-{%   if ',' in re6st_optimal_test %}
-{%     set re6st_ipv6, re6st_ipv4 = re6st_optimal_test.split(",") %}
-{%   endif %}
-{%   if re6st_ipv6 and re6st_ipv4 %}
-{%     set re6st_optimal_test_section_title = 'check-%s-re6st-optimal-test' % slave_instance.get('slave_reference') %}
-{%     do part_list.append(re6st_optimal_test_section_title) %}
-[{{ re6st_optimal_test_section_title }}]
-<= monitor-promise-base
-module = check_re6st_optimal_status
-name = {{ re6st_optimal_test_section_title }}.py
-config-ipv4 = {{ dumps(re6st_ipv4) }}
-config-ipv6 = {{ dumps(re6st_ipv6) }}
-# promise frequency in minutes (2 times/day)
-config-frequency = 720
-{%   endif %}
-{# ###############################  #}
+{#-   ###############################  #}
-{# Publish Slave Information        #}
+{#-   Publish Slave Information        #}
-{%   if not extra_slave_instance_list %}
+{%-   if not extra_slave_instance_list %}
-{%     set publish_section_title = 'publish-%s-connection-information' % slave_instance.get('slave_reference') %}
+{%-     set publish_section_title = 'publish-%s-connection-information' % slave_instance.get('slave_reference') %}
-{%     do part_list.append(publish_section_title) %}
+{%-     do part_list.append(publish_section_title) %}
 [{{ publish_section_title }}]
 recipe = slapos.cookbook:publish
-{%     for key, value in slave_publish_dict.iteritems() %}
+{%-     for key, value in slave_publish_dict.iteritems() %}
 {{ key }} = {{ value }}
-{%     endfor %}
+{%-     endfor %}
-{%   else %}
+{%-   else %}
-{%     do slave_instance_information_list.append(slave_publish_dict) %}
+{%-     do slave_instance_information_list.append(slave_publish_dict) %}
-{%   endif %}
+{%-   endif %}
+{%- endfor %} {# Slave iteration ends for slave_instance in slave_instance_list #}
-{# End of the main for loop#}
-{% endfor %}
 [slave-log-directories]
 <= slave-log-directory-dict
 recipe = slapos.cookbook:mkdirectory
-{% do part_list.append('slave-log-directories') %}
+{%- do part_list.append('slave-log-directories') %}
 [slave-log-cache-direct-directories]
 <= slave-log-cache-direct-directory-dict
 recipe = slapos.cookbook:mkdirectory
-{% do part_list.append('slave-log-cache-direct-directories') %}
+{%- do part_list.append('slave-log-cache-direct-directories') %}
+{%- do part_list.append('caddy-log-access') %}
-{% do part_list.append('caddy-log-access') %}
+{#- ############################################## #}
+{#- ## Prepare virtualhost for slaves using cache  #}
-###############################################
+{%- for slave_reference, slave_configuration_section_name in cached_server_dict.iteritems() %}
-### Prepare virtualhost for slaves using cache
+{%-   set cached_slave_configuration_section_title = '%s-cached-virtualhost' % slave_reference %}
+{%-   do part_list.append(cached_slave_configuration_section_title) %}
-{% for slave_reference, slave_configuration_section_name in cached_server_dict.iteritems() %}
-{%   set cached_slave_configuration_section_title = '%s-cached-virtualhost' % slave_reference %}
-{%   do part_list.append(cached_slave_configuration_section_title) %}
 [{{ cached_slave_configuration_section_title }}]
 < = jinja2-template-base
 template = {{ template_cached_slave_configuration }}
@@ -373,8 +311,7 @@ extensions = jinja2.ext.do
 extra-context =
    section slave_parameter {{ slave_configuration_section_name }}
 {{ '\n' }}
-{% endfor %}
+{%- endfor %}
 {#- Define IPv6 to IPV4 tunneling #}
 [tunnel-6to4-base]
 recipe = slapos.cookbook:wrapper
@@ -404,7 +341,8 @@ ipv6-port = {{ cached_port }}
 ipv4-port = {{ ssl_cached_port }}
 ipv6-port = {{ ssl_cached_port }}
-{# Define log access #}
+{#- Define log access #}
 [caddy-log-access-parameters]
 caddy_log_directory = {{ dumps(caddy_log_directory) }}
 caddy_configuration_directory = {{ dumps(caddy_configuration_directory) }}
@@ -427,15 +365,15 @@ extra-context =
    section parameter_dict caddy-log-access-parameters
-{# Publish information for the instance #}
+{#- Publish information for the instance #}
 [publish-caddy-information]
 recipe = slapos.cookbook:publish.serialised
 public-ipv4 = {{ public_ipv4 }}
 private-ipv4 = {{ local_ipv4 }}
-{% if extra_slave_instance_list %}
+{%- if extra_slave_instance_list %}
-{# sort_keys are important in order to avoid shuffling parameters on each run #}
+{#-   sort_keys are important in order to avoid shuffling parameters on each run #}
 slave-instance-information-list = {{ json_module.dumps(slave_instance_information_list, sort_keys=True) }}
-{% endif %}
+{%- endif %}
 monitor-base-url = {{ monitor_base_url }}
 csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/csr_id.txt
 csr_id-certificate = ${get-csr_id-certificate:certificate}
@@ -463,9 +401,9 @@ update-command = ${:command}
 recipe = slapos.recipe.template:jinja2
 file = {{ kedifa_updater_mapping_file }}
 template = inline:
-{% for mapping in kedifa_updater_mapping %}
+{%- for mapping in kedifa_updater_mapping %}
  {{ mapping[0] }} {{ mapping[1] }} {{ mapping[2] }}
-{% endfor %}
+{%- endfor %}
 rendered = ${:file}
@@ -485,12 +423,12 @@ extends =
 parts +=
    kedifa-updater
    kedifa-updater-run
-{% for part in part_list %}
+{%- for part in part_list %}
 {{ '    %s' % part }}
-{% endfor %}
+{%- endfor %}
-{% if 'caddy-log-access' not in part_list %}
+{%- if 'caddy-log-access' not in part_list %}
    caddy-log-access-empty
-{% endif %}
+{%- endif %}
    publish-caddy-information
    tunnel-6to4-base-http_port
    tunnel-6to4-base-https_port
@@ -576,4 +514,4 @@ recipe = collective.recipe.shelloutput
 commands =
  certificate = cat ${certificate-csr_id:certificate}
-{% endif %}
+{%- endif %} {# if software_type == slap_software_type #}
--- a/software/caddy-frontend/templates/cached-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/cached-virtualhost.conf.in
@@ -22,7 +22,10 @@
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
-    transparent
+    header_upstream Host {host}
+{#    header_upstream -X-Forwarded-For - caddy behaviour while removing and setting header is unstable, so for now original header has to be kept, even if in that case it comes from after ATS caddy itself #}
+    header_upstream X-Forwarded-For {>X-Forwarded-For-Real}
+    header_upstream -X-Forwarded-For-Real
    timeout {{ slave_parameter['request_timeout'] }}s
 {%- if ssl_proxy_verify %}
 {%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
@@ -47,7 +50,10 @@
  proxy / {{ slave_parameter.get('https_backend_url', '') }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
-    transparent
+    header_upstream Host {host}
+{#    header_upstream -X-Forwarded-For - caddy behaviour while removing and setting header is unstable, so for now original header has to be kept, even if in that case it comes from after ATS caddy itself #}
+    header_upstream X-Forwarded-For {>X-Forwarded-For-Real}
+    header_upstream -X-Forwarded-For-Real
    timeout {{ slave_parameter['request_timeout'] }}s
 {%- if ssl_proxy_verify %}
 {%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}

--- a/software/caddy-frontend/templates/custom-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/custom-virtualhost.conf.in
-{{ slave_parameter.get('caddy_custom_https', '') }}
-{{ slave_parameter.get('caddy_custom_http', '') }}
--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
 {%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
+{%- set enable_cache = slave_parameter.get('enable_cache', '').lower() in TRUE_VALUES %}
 {%- set disable_no_cache_header = slave_parameter.get('disable-no-cache-request', '').lower() in TRUE_VALUES %}
 {%- set disable_via_header = slave_parameter.get('disable-via-header', '').lower() in TRUE_VALUES %}
 {%- set prefer_gzip = slave_parameter.get('prefer-gzip-encoding-to-backend', '').lower() in TRUE_VALUES %}
@@ -39,6 +40,25 @@
 {%-   set enable_h2 = False %}
 {%- endif %}
+{%- macro proxy_header() %}
+    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
+    timeout {{ slave_parameter['request_timeout'] }}s
+{%-   if ssl_proxy_verify %}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
+{%-   else %} {#-   if ssl_proxy_verify #}
+    insecure_skip_verify
+{%-   endif %} {#-   if ssl_proxy_verify #}
+    # force reset of X-Forwarded-For
+    header_upstream X-Forwarded-For {remote}
+{%-     if enable_cache %}
+    # provide a header for other components
+    header_upstream X-Forwarded-For-Real {remote}
+{%-     endif %}
+{%- endmacro %} {# proxy_header #}
 {%- for tls in [True, False] %}
 {%- if tls %}
 {%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')).rstrip('/') %}
@@ -102,8 +122,7 @@
 {%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
 {%-     if proxy_name == 'prefer-gzip' %}
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
@@ -122,14 +141,6 @@
    header_upstream -Pragma
 {%-   endif %} {#-   if disable_no_cache_header #}
    transparent
-    timeout {{ slave_parameter['request_timeout'] }}s
-{%-   if ssl_proxy_verify %}
-{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
-    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
-{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
-{%-   else %} {#-   if ssl_proxy_verify #}
-    insecure_skip_verify
-{%-   endif %} {#-   if ssl_proxy_verify #}
  } {# proxy #}
 {%-   endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
  {%- if default_path %}
@@ -174,54 +185,43 @@
  } {# redir #}
 {%- elif slave_type == 'notebook' %}
  proxy / {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
    transparent
-    insecure_skip_verify
  }
  rewrite {
    regexp "/(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/?"
    to /proxy/{1}
  }
  proxy /proxy/ {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
+    transparent
-    header_upstream X-Real-IP {remote}
-    header_upstream Host {host}
    websocket
    without /proxy/
-    insecure_skip_verify
  }
 {%- elif slave_type == 'websocket' %}
 {%-   if websocket_path_list %}
  proxy / {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
 {%-     if websocket_transparent %}
    transparent
 {%-     endif %}
-    insecure_skip_verify
  }
 {%-     for websocket_path in websocket_path_list %}
  proxy /{{ websocket_path }} {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
    websocket
 {%-       if websocket_transparent %}
    transparent
 {%-       endif %}
-    insecure_skip_verify
  }
 {%-     endfor %}
 {%-   else %}
  proxy / {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
    websocket
 {%-   if websocket_transparent %}
    transparent
 {%-   endif %}
-    insecure_skip_verify
  }
 {%-   endif %}
 {%- else %} {#- if slave_type ==  'zope' and backend_url #}
@@ -237,8 +237,7 @@
 {%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
-    try_duration {{ slave_parameter['proxy_try_duration'] }}s
+{{ proxy_header() }}
-    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
 {%-     if proxy_name == 'prefer-gzip' %}
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
@@ -257,14 +256,6 @@
    header_upstream -Pragma
 {%-     endif %} {#-     if disable_no_cache_header #}
    transparent
-    timeout {{ slave_parameter['request_timeout'] }}s
-{%-     if ssl_proxy_verify %}
-{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
-    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
-{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
-{%-     else %} {#-     if ssl_proxy_verify #}
-    insecure_skip_verify
-{%-     endif %} {#-     if ssl_proxy_verify #}
  }  {# proxy #}
 {%-    endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
 {%-   endif %} {#-   if backend_url #}

--- a/software/caddy-frontend/templates/trafficserver/records.config.jinja2
+++ b/software/caddy-frontend/templates/trafficserver/records.config.jinja2
@@ -27,6 +27,14 @@ CONFIG proxy.config.http.cache.open_write_fail_action INT 2
 CONFIG proxy.config.body_factory.template_sets_dir STRING  {{ ats_configuration['templates-dir'] }}
 # Support stale-if-error by returning cached content on backend 5xx or unavailability
 CONFIG proxy.config.http.negative_revalidating_enabled INT 1
+##############################################################################
+# Proxy users variables. Docs:
+#    https://docs.trafficserver.apache.org/records.config#proxy-user-variables
+##############################################################################
+# Do not modify headers, as it needlessly pollutes information
+CONFIG proxy.config.http.insert_client_ip INT 0
+CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 0
 ##############################################################################
 # Thread configurations. Docs:
@@ -98,13 +106,6 @@ CONFIG proxy.config.http.down_server.abort_threshold INT 10
 CONFIG proxy.config.http.negative_caching_enabled INT 0
 CONFIG proxy.config.http.negative_caching_lifetime INT 1800
-##############################################################################
-# Proxy users variables. Docs:
-#    https://docs.trafficserver.apache.org/records.config#proxy-user-variables
-##############################################################################
-CONFIG proxy.config.http.insert_client_ip INT 1
-CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
 ##############################################################################
 # Security. Docs:
 #    https://docs.trafficserver.apache.org/records.config#security

--- a/software/caddy-frontend/test/setup.py
+++ b/software/caddy-frontend/test/setup.py
@@ -46,7 +46,6 @@ setup(name=name,
        # ipaddress is patching IPAddress so IPv6 in SSL certificates
        # match works
        'ipaddress >= 1.0.22',
-        'forcediphttpsadapter',
        'requests-toolbelt',
        'supervisor',
        # caucase needed to connect to the KeDiFa caucase

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -33,12 +33,10 @@ from requests_toolbelt.adapters import source
 import json
 import multiprocessing
 import subprocess
-from unittest import skip, expectedFailure
+from unittest import skip
 import ssl
-import signal
 from BaseHTTPServer import HTTPServer
 from BaseHTTPServer import BaseHTTPRequestHandler
-from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
 import time
 import tempfile
 import ipaddress
@@ -48,6 +46,8 @@ import base64
 import re
 from slapos.recipe.librecipe import generateHashFromFiles
 import xml.etree.ElementTree as ET
+import urlparse
+import socket
 try:
@@ -77,6 +77,24 @@ HTTPS_PORT = '11443'
 CAUCASE_PORT = '15090'
 KEDIFA_PORT = '15080'
+# IP to originate requests from
+# has to be not partition one
+SOURCE_IP = '127.0.0.1'
+# "--resolve" inspired from https://stackoverflow.com/a/44378047/9256748
+DNS_CACHE = {}
+def add_custom_dns(domain, port, ip):
+  port = int(port)
+  key = (domain, port)
+  value = (socket.AF_INET, 1, 6, '', (ip, port))
+  DNS_CACHE[key] = [value]
+def new_getaddrinfo(*args):
+  return DNS_CACHE[args[:2]]
 # for development: debugging logs and install Ctrl+C handler
 if os.environ.get('SLAPOS_TEST_DEBUG'):
@@ -225,17 +243,6 @@ def isHTTP2(domain, ip):
  return 'Using HTTP2, server supports multi-use' in err
-def getQUIC(url, ip, port):
-  quic_client_command = 'quic_client --disable-certificate-verification '\
-    '--port=%(port)s --host=%(host)s %(url)s' % dict(
-      port=port, host=ip, url=url)
-  try:
-    return True, subprocess.check_output(
-      quic_client_command.split(), stderr=subprocess.STDOUT)
-  except subprocess.CalledProcessError as e:
-    return False, e.output
 def getPluginParameterDict(software_path, filepath):
  """Load the slapos monitor plugin and returns the configuration used by this plugin.
@@ -328,7 +335,7 @@ class TestDataMixin(object):
      )
    except AssertionError:
      if os.environ.get('SAVE_TEST_DATA', '0') == '1':
-        open(test_data_file, 'w').write(runtime_data.strip())
+        open(test_data_file, 'w').write(runtime_data.strip() + '\n')
      raise
    finally:
      self.maxDiff = maxDiff
@@ -413,21 +420,26 @@ class TestDataMixin(object):
 def fakeHTTPSResult(domain, real_ip, path, port=HTTPS_PORT,
-                    headers=None, cookies=None, source_ip=None):
+                    headers=None, cookies=None, source_ip=SOURCE_IP):
  if headers is None:
    headers = {}
  # workaround request problem of setting Accept-Encoding
  # https://github.com/requests/requests/issues/2234
  headers.setdefault('Accept-Encoding', 'dummy')
+  # Headers to tricks the whole system, like rouge user would do
+  headers.setdefault('X-Forwarded-For', '192.168.0.1')
+  headers.setdefault('X-Forwarded-Proto', 'irc')
+  headers.setdefault('X-Forwarded-Port', '17')
  session = requests.Session()
-  session.mount(
-    'https://%s:%s' % (domain, port),
-    ForcedIPHTTPSAdapter(
-      dest_ip=real_ip))
  if source_ip is not None:
    new_source = source.SourceAddressAdapter(source_ip)
    session.mount('http://', new_source)
    session.mount('https://', new_source)
+  socket_getaddrinfo = socket.getaddrinfo
+  try:
+    add_custom_dns(domain, port, real_ip)
+    socket.getaddrinfo = new_getaddrinfo
    return session.get(
      'https://%s:%s/%s' % (domain, port, path),
      verify=False,
@@ -435,17 +447,28 @@ def fakeHTTPSResult(domain, real_ip, path, port=HTTPS_PORT,
      headers=headers,
      cookies=cookies
    )
+  finally:
+    socket.getaddrinfo = socket_getaddrinfo
 def fakeHTTPResult(domain, real_ip, path, port=HTTP_PORT,
-                   headers=None):
+                   headers=None, source_ip=SOURCE_IP):
  if headers is None:
    headers = {}
  # workaround request problem of setting Accept-Encoding
  # https://github.com/requests/requests/issues/2234
  headers.setdefault('Accept-Encoding', 'dummy')
-  headers['Host'] = domain
+  # Headers to tricks the whole system, like rouge user would do
-  return requests.get(
+  headers.setdefault('X-Forwarded-For', '192.168.0.1')
+  headers.setdefault('X-Forwarded-Proto', 'irc')
+  headers.setdefault('X-Forwarded-Port', '17')
+  headers['Host'] = '%s:%s' % (domain, port)
+  session = requests.Session()
+  if source_ip is not None:
+    new_source = source.SourceAddressAdapter(source_ip)
+    session.mount('http://', new_source)
+    session.mount('https://', new_source)
+  return session.get(
    'http://%s:%s/%s' % (real_ip, port, path),
    headers=headers,
    allow_redirects=False,
@@ -1044,73 +1067,11 @@ class TestMasterRequest(HttpFrontendTestCase, TestDataMixin):
 class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
-  caddy_custom_https = '''# caddy_custom_https_filled_in_accepted
-https://caddycustomhttpsaccepted.example.com:%%(https_port)s {
-  bind %%(local_ipv4)s
-  tls %%(certificate)s %%(certificate)s
-  log / %%(access_log)s {combined}
-  errors %%(error_log)s
-  proxy / %(url)s {
-    transparent
-    timeout 600s
-    insecure_skip_verify
-  }
-}
-'''
-  caddy_custom_http = '''# caddy_custom_http_filled_in_accepted
-http://caddycustomhttpsaccepted.example.com:%%(http_port)s {
-  bind %%(local_ipv4)s
-  log / %%(access_log)s {combined}
-  errors %%(error_log)s
-  proxy / %(url)s {
-    transparent
-    timeout 600s
-    insecure_skip_verify
-  }
-}
-'''
-  apache_custom_https = '''# apache_custom_https_filled_in_accepted
-https://apachecustomhttpsaccepted.example.com:%%(https_port)s {
-  bind %%(local_ipv4)s
-  tls %%(certificate)s %%(certificate)s
-  log / %%(access_log)s {combined}
-  errors %%(error_log)s
-  proxy / %(url)s {
-    transparent
-    timeout 600s
-    insecure_skip_verify
-  }
-}
-'''
-  apache_custom_http = '''# apache_custom_http_filled_in_accepted
-http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
-  bind %%(local_ipv4)s
-  log / %%(access_log)s {combined}
-  errors %%(error_log)s
-  proxy / %(url)s {
-    transparent
-    timeout 600s
-    insecure_skip_verify
-  }
-}
-'''
  @classmethod
  def getInstanceParameterDict(cls):
    return {
      'domain': 'example.com',
      'public-ipv4': cls._ipv4_address,
-      '-frontend-authorized-slave-string':
-      '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,
      'kedifa_port': KEDIFA_PORT,
@@ -1344,36 +1305,6 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'enable-http2-default': {
        'url': cls.backend_url,
      },
-      # 'apache_custom_http_s-rejected': {
-      #   'url': cls.backend_url,
-      #   'apache_custom_https': '# apache_custom_https_filled_in_rejected',
-      #   'apache_custom_http': '# apache_custom_http_filled_in_rejected',
-      # },
-      'apache_custom_http_s-accepted': {
-        'url': cls.backend_url,
-        'apache_custom_https': cls.apache_custom_https % dict(
-          url=cls.backend_url),
-        'apache_custom_http': cls.apache_custom_http % dict(
-          url=cls.backend_url),
-      },
-      # 'caddy_custom_http_s-rejected': {
-      #   'url': cls.backend_url,
-      #   'caddy_custom_https': '# caddy_custom_https_filled_in_rejected',
-      #   'caddy_custom_http': '# caddy_custom_http_filled_in_rejected',
-      # },
-      'caddy_custom_http_s-accepted': {
-        'url': cls.backend_url,
-        'caddy_custom_https': cls.caddy_custom_https % dict(
-          url=cls.backend_url),
-        'caddy_custom_http': cls.caddy_custom_http % dict(
-          url=cls.backend_url),
-      },
-      # # this has to be rejected
-      # 'caddy_custom_http_s': {
-      #   'url': cls.backend_url,
-      #   'caddy_custom_https': '# caddy_custom_https_filled_in_rejected_2',
-      #   'caddy_custom_http': '# caddy_custom_http_filled_in_rejected_2',
-      # },
      'prefer-gzip-encoding-to-backend': {
        'url': cls.backend_url,
        'prefer-gzip-encoding-to-backend': 'true',
@@ -1393,9 +1324,6 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      'monitor-ipv6-test': {
        'monitor-ipv6-test': 'monitor-ipv6-test',
      },
-      're6st-optimal-test': {
-        're6st-optimal-test': 'ipv6,ipv4',
-      },
      'ciphers': {
        'ciphers': 'RSA-3DES-EDE-CBC-SHA RSA-AES128-CBC-SHA',
      }
@@ -1572,9 +1500,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    expected_parameter_dict = {
      'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
      'domain': 'example.com',
-      'accepted-slave-amount': '54',
+      'accepted-slave-amount': '51',
      'rejected-slave-amount': '0',
-      'slave-amount': '54',
+      'slave-amount': '51',
      'rejected-slave-dict': {
      }
    }
@@ -1647,7 +1575,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://empty.example.com/test-path',
+      'https://empty.example.com:%s/test-path' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -1682,6 +1610,33 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      self.assertFalse('connection-parameter-hash' in line)
      self.assertFalse('timestamp' in line)
+  def assertBackendHeaders(
+    self, backend_header_dict, domain, source_ip=SOURCE_IP, port=HTTPS_PORT,
+    proto='https', ignore_header_list=None):
+    if ignore_header_list is None:
+      ignore_header_list = []
+    self.assertFalse('remote_user' in backend_header_dict.keys())
+    self.assertFalse('x-forwarded-for-real' in backend_header_dict.keys())
+    if 'Host' not in ignore_header_list:
+      self.assertEqual(
+        backend_header_dict['host'],
+        '%s:%s' % (domain, port))
+    # XXX It's really hard to play with Caddy headers, thus we have to keep
+    #     some of them. As other solutions will come in future, more control
+    #     over sent X-Forwarded-For will be possible
+    self.assertEqual(
+      backend_header_dict['x-forwarded-for'].split(',')[0],
+      source_ip
+    )
+    self.assertEqual(
+      backend_header_dict['x-forwarded-port'],
+      port
+    )
+    self.assertEqual(
+      backend_header_dict['x-forwarded-proto'],
+      proto
+    )
  def test_url(self):
    parameter_dict = self.assertSlaveBase('Url')
@@ -1704,11 +1659,10 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
    self.assertEqual(j['Incoming Headers']['timeout'], '10')
    self.assertFalse('Content-Encoding' in result.headers)
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'secured=value;secure, nonsecured=value',
@@ -1725,7 +1679,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://url.example.com/test-path/deeper',
+      'https://url.example.com:%s/test-path/deeper' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -2350,7 +2304,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqualResultJson(
      result,
@@ -2369,7 +2323,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://typezope.example.com/test-path/deep/.././deeper',
+      'https://typezope.example.com:%s/test-path/deep/.././deeper' % (
+        HTTP_PORT,),
      result.headers['Location']
    )
@@ -2389,7 +2344,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqualResultJson(
      result,
@@ -2424,7 +2379,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqualResultJson(
      result,
@@ -2467,7 +2422,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqualResultJson(
      result,
@@ -2487,7 +2442,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://%s/test-path/deep/.././deeper' % (parameter_dict['domain'],),
+      'https://%s:%s/test-path/deep/.././deeper' % (
+        parameter_dict['domain'], HTTP_PORT),
      result.headers['Location']
    )
@@ -2504,7 +2460,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqualResultJson(
      result,
@@ -2527,7 +2483,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://%s/test-path/deep/.././deeper' % (parameter_dict['domain'],),
+      'https://%s:%s/test-path/deep/.././deeper' % (
+        parameter_dict['domain'], HTTP_PORT),
      result.headers['Location']
    )
@@ -2626,6 +2583,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'Upgrade',
      j['Incoming Headers']['connection']
@@ -2655,6 +2613,10 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    parsed = urlparse.urlparse(self.backend_url)
+    self.assertBackendHeaders(
+      j['Incoming Headers'], parsed.hostname, port='17', proto='irc',
+      ignore_header_list=['Host'])
    self.assertEqual(
      'Upgrade',
      j['Incoming Headers']['connection']
@@ -2686,6 +2648,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertFalse('connection' in j['Incoming Headers'].keys())
    self.assertTrue('x-real-ip' in j['Incoming Headers'])
@@ -2704,6 +2667,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'Upgrade',
      j['Incoming Headers']['connection']
@@ -2725,6 +2689,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'Upgrade',
      j['Incoming Headers']['connection']
@@ -2755,6 +2720,10 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    parsed = urlparse.urlparse(self.backend_url)
+    self.assertBackendHeaders(
+      j['Incoming Headers'], parsed.hostname, port='17', proto='irc',
+      ignore_header_list=['Host'])
    self.assertFalse('connection' in j['Incoming Headers'].keys())
    self.assertFalse('x-real-ip' in j['Incoming Headers'])
@@ -2773,6 +2742,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertBackendHeaders(
+      j['Incoming Headers'], parsed.hostname, port='17', proto='irc',
+      ignore_header_list=['Host'])
    self.assertEqual(
      'Upgrade',
      j['Incoming Headers']['connection']
@@ -2794,6 +2766,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertBackendHeaders(
+      j['Incoming Headers'], parsed.hostname, port='17', proto='irc',
+      ignore_header_list=['Host'])
    self.assertEqual(
      'Upgrade',
      j['Incoming Headers']['connection']
@@ -2910,7 +2885,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://sslproxyverifysslproxycacrtunverified.example.com/test-path',
+      'https://sslproxyverifysslproxycacrtunverified.example.com:%s/'
+      'test-path' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -2930,7 +2906,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertFalse('Content-Encoding' in result.headers)
@@ -2948,7 +2924,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://sslproxyverifysslproxycacrt.example.com/test-path',
+      'https://sslproxyverifysslproxycacrt.example.com:%s/test-path' % (
+        HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -3021,8 +2998,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://enablecachesslproxyverifysslproxycacrtunverified.example.com/'
+      'https://enablecachesslproxyverifysslproxycacrtunverified.example.com'
-      'test-path/deeper',
+      ':%s/test-path/deeper' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -3159,8 +3136,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://typezopesslproxyverifysslproxycacrtunverified.example.com/'
+      'https://typezopesslproxyverifysslproxycacrtunverified.example.com:%s/'
-      'test-path',
+      'test-path' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -3179,7 +3156,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      j = result.json()
    except Exception:
      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
    self.assertEqualResultJson(
      result,
@@ -3198,7 +3175,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://typezopesslproxyverifysslproxycacrt.example.com/test-path',
+      'https://typezopesslproxyverifysslproxycacrt.example.com:'
+      '%s/test-path' % (HTTP_PORT,),
      result.headers['Location']
    )
@@ -3238,7 +3216,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://monitoripv6test.example.com/test-path',
+      'https://monitoripv6test.example.com:%s/test-path' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -3275,7 +3253,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://monitoripv4test.example.com/test-path',
+      'https://monitoripv4test.example.com:%s/test-path' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -3293,44 +3271,6 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      }
    )
-  def test_re6st_optimal_test(self):
-    parameter_dict = self.assertSlaveBase('re6st-optimal-test')
-    result = fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      self.certificate_pem,
-      der2pem(result.peercert))
-    self.assertEqual(httplib.NOT_FOUND, result.status_code)
-    result_http = fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      httplib.FOUND,
-      result_http.status_code
-    )
-    self.assertEqual(
-      'https://re6stoptimaltest.example.com/test-path',
-      result_http.headers['Location']
-    )
-    monitor_file = glob.glob(
-      os.path.join(
-        self.instance_path, '*', 'etc', 'plugin',
-        'check-_re6st-optimal-test-re6st-optimal-test.py'))[0]
-    # get promise module and check that parameters are ok
-    self.assertEqual(
-      getPluginParameterDict(self.software_path, monitor_file),
-      {
-        'frequency': '720',
-        'ipv4': 'ipv4',
-        'ipv6': 'ipv6'
-      }
-    )
  def test_ciphers(self):
    parameter_dict = self.assertSlaveBase('ciphers')
@@ -3352,7 +3292,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://ciphers.example.com/test-path',
+      'https://ciphers.example.com:%s/test-path' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -3414,6 +3354,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    backend_headers = result.json()['Incoming Headers']
+    self.assertBackendHeaders(backend_headers, parameter_dict['domain'])
    via = backend_headers.pop('via', None)
    self.assertNotEqual(via, None)
    self.assertRegexpMatches(
@@ -3455,6 +3396,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    backend_headers = result.json()['Incoming Headers']
+    self.assertBackendHeaders(backend_headers, parameter_dict['domain'])
    via = backend_headers.pop('via', None)
    self.assertNotEqual(via, None)
    self.assertRegexpMatches(
@@ -3473,18 +3415,23 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://enablecacheserveralias1.example.com/test-path/deeper',
+      'https://enablecacheserveralias1.example.com:%s/test-path/deeper' % (
+        HTTP_PORT,),
      result.headers['Location']
    )
  def test_enable_cache(self):
    parameter_dict = self.assertSlaveBase('enable_cache')
+    source_ip = '127.0.0.1'
    result = fakeHTTPSResult(
      parameter_dict['domain'], parameter_dict['public-ipv4'],
      'test-path/deep/.././deeper', headers={
        'X-Reply-Header-Cache-Control': 'max-age=1, stale-while-'
-        'revalidate=3600, stale-if-error=3600'})
+        'revalidate=3600, stale-if-error=3600',
+      },
+      source_ip=source_ip
+    )
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
@@ -3511,6 +3458,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    backend_headers = result.json()['Incoming Headers']
+    self.assertBackendHeaders(backend_headers, parameter_dict['domain'])
    via = backend_headers.pop('via', None)
    self.assertNotEqual(via, None)
    self.assertRegexpMatches(
@@ -3576,6 +3524,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
      )
      backend_headers = result.json()['Incoming Headers']
+      self.assertBackendHeaders(backend_headers, parameter_dict['domain'])
      via = backend_headers.pop('via', None)
      self.assertNotEqual(via, None)
      self.assertRegexpMatches(
@@ -3743,6 +3692,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    backend_headers = result.json()['Incoming Headers']
+    self.assertBackendHeaders(backend_headers, parameter_dict['domain'])
    via = backend_headers.pop('via', None)
    self.assertNotEqual(via, None)
    self.assertRegexpMatches(
@@ -3789,6 +3739,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    backend_headers = result.json()['Incoming Headers']
+    self.assertBackendHeaders(backend_headers, parameter_dict['domain'])
    via = backend_headers.pop('via', None)
    self.assertNotEqual(via, None)
    self.assertRegexpMatches(
@@ -3879,6 +3830,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'gzip', result.json()['Incoming Headers']['accept-encoding'])
@@ -3889,6 +3842,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'deflate', result.json()['Incoming Headers']['accept-encoding'])
@@ -3915,6 +3870,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'],
+      port=HTTP_PORT, proto='http')
    self.assertEqual(
      'gzip', result.json()['Incoming Headers']['accept-encoding'])
@@ -3925,6 +3883,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'],
+      port=HTTP_PORT, proto='http')
    self.assertEqual(
      'deflate', result.json()['Incoming Headers']['accept-encoding'])
@@ -3955,6 +3916,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'gzip', result.json()['Incoming Headers']['accept-encoding'])
@@ -3965,6 +3928,8 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'deflate', result.json()['Incoming Headers']['accept-encoding'])
@@ -3995,7 +3960,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://%s/test-path/deeper' % (parameter_dict['domain'],),
+      'https://%s:%s/test-path/deeper' % (parameter_dict['domain'], HTTP_PORT),
      result.headers['Location']
    )
@@ -4010,7 +3975,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://%s/test-path/deeper' % (parameter_dict['domain'],),
+      'https://%s:%s/test-path/deeper' % (parameter_dict['domain'], HTTP_PORT),
      result.headers['Location']
    )
@@ -4024,7 +3989,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://%s/test-path/deeper' % (parameter_dict['domain'],),
+      'https://%s:%s/test-path/deeper' % (parameter_dict['domain'], HTTP_PORT),
      result.headers['Location']
    )
@@ -4038,7 +4003,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://%s/test-path/deeper' % (parameter_dict['domain'],),
+      'https://%s:%s/test-path/deeper' % (parameter_dict['domain'], HTTP_PORT),
      result.headers['Location']
    )
@@ -4059,189 +4024,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    self.assertEqualResultJson(result, 'Path', '/test-path')
+    self.assertBackendHeaders(
+      result.json()['Incoming Headers'], parameter_dict['domain'])
    self.assertEqual(
      'Coffee=present', result.json()['Incoming Headers']['cookie'])
-  @skip('Not implemented in new test system')
-  def test_apache_custom_http_s_rejected(self):
-    parameter_dict = self.parseSlaveParameterDict(
-      'apache_custom_http_s-rejected')
-    self.assertEqual(
-      {
-        'request-error-list': ["slave not authorized"]
-      },
-      parameter_dict)
-    slave_configuration_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', '*slave-conf.d', '*.conf'))
-    # no configuration file contains provided custom http
-    configuration_file_with_custom_https_list = [
-      q for q in slave_configuration_file_list
-      if 'apache_custom_https_filled_in_rejected' in open(q).read()]
-    self.assertEqual([], configuration_file_with_custom_https_list)
-    configuration_file_with_custom_http_list = [
-      q for q in slave_configuration_file_list
-      if 'apache_custom_http_filled_in_rejected' in open(q).read()]
-    self.assertEqual([], configuration_file_with_custom_http_list)
-  def test_apache_custom_http_s_accepted(self):
-    parameter_dict = self.parseSlaveParameterDict(
-      'apache_custom_http_s-accepted')
-    self.assertLogAccessUrlWithPop(parameter_dict)
-    self.assertKedifaKeysWithPop(parameter_dict)
-    self.assertEqual(
-      {'replication_number': '1', 'public-ipv4': self._ipv4_address},
-      parameter_dict
-    )
-    result = fakeHTTPSResult(
-      'apachecustomhttpsaccepted.example.com',
-      parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      self.certificate_pem,
-      der2pem(result.peercert))
-    self.assertEqualResultJson(result, 'Path', '/test-path')
-    headers = result.headers.copy()
-    self.assertKeyWithPop('Server', headers)
-    self.assertKeyWithPop('Date', headers)
-    # drop vary-keys
-    headers.pop('Content-Length', None)
-    headers.pop('Transfer-Encoding', None)
-    headers.pop('Connection', None)
-    headers.pop('Keep-Alive', None)
-    self.assertEqual(
-      {
-        'Content-type': 'application/json',
-        'Set-Cookie': 'secured=value;secure, nonsecured=value'
-      },
-      headers
-    )
-    result_http = fakeHTTPResult(
-      'apachecustomhttpsaccepted.example.com',
-      parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqualResultJson(result_http, 'Path', '/test-path')
-    slave_configuration_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', '*slave-conf.d', '*.conf'))
-    # no configuration file contains provided custom http
-    configuration_file_with_custom_https_list = [
-      q for q in slave_configuration_file_list
-      if 'apache_custom_https_filled_in_accepted' in open(q).read()]
-    self.assertEqual(1, len(configuration_file_with_custom_https_list))
-    configuration_file_with_custom_http_list = [
-      q for q in slave_configuration_file_list
-      if 'apache_custom_http_filled_in_accepted' in open(q).read()]
-    self.assertEqual(1, len(configuration_file_with_custom_http_list))
-  @skip('Not implemented in new test system')
-  def test_caddy_custom_http_s_rejected(self):
-    parameter_dict = self.parseSlaveParameterDict(
-      'caddy_custom_http_s-rejected')
-    self.assertEqual(
-      {
-        'request-error-list': ["slave not authorized"]
-      },
-      parameter_dict)
-    slave_configuration_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', '*slave-conf.d', '*.conf'))
-    # no configuration file contains provided custom http
-    configuration_file_with_custom_https_list = [
-      q for q in slave_configuration_file_list
-      if 'caddy_custom_https_filled_in_rejected' in open(q).read()]
-    self.assertEqual([], configuration_file_with_custom_https_list)
-    configuration_file_with_custom_http_list = [
-      q for q in slave_configuration_file_list
-      if 'caddy_custom_http_filled_in_rejected' in open(q).read()]
-    self.assertEqual([], configuration_file_with_custom_http_list)
-  @skip('Not implemented in new test system')
-  def test_caddy_custom_http_s(self):
-    parameter_dict = self.parseSlaveParameterDict(
-      'caddy_custom_http_s')
-    self.assertEqual(
-      {
-        'request-error-list': ["slave not authorized"]
-      },
-      parameter_dict)
-    slave_configuration_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', '*slave-conf.d', '*.conf'))
-    # no configuration file contains provided custom http
-    configuration_file_with_custom_https_list = [
-      q for q in slave_configuration_file_list
-      if 'caddy_custom_https_filled_in_rejected_2' in open(q).read()]
-    self.assertEqual([], configuration_file_with_custom_https_list)
-    configuration_file_with_custom_http_list = [
-      q for q in slave_configuration_file_list
-      if 'caddy_custom_http_filled_in_rejected_2' in open(q).read()]
-    self.assertEqual([], configuration_file_with_custom_http_list)
-  def test_caddy_custom_http_s_accepted(self):
-    parameter_dict = self.parseSlaveParameterDict(
-      'caddy_custom_http_s-accepted')
-    self.assertLogAccessUrlWithPop(parameter_dict)
-    self.assertKedifaKeysWithPop(parameter_dict)
-    self.assertEqual(
-      {'replication_number': '1', 'public-ipv4': self._ipv4_address},
-      parameter_dict
-    )
-    result = fakeHTTPSResult(
-      'caddycustomhttpsaccepted.example.com',
-      parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      self.certificate_pem,
-      der2pem(result.peercert))
-    self.assertEqualResultJson(result, 'Path', '/test-path')
-    headers = result.headers.copy()
-    self.assertKeyWithPop('Server', headers)
-    self.assertKeyWithPop('Date', headers)
-    # drop vary-keys
-    headers.pop('Content-Length', None)
-    headers.pop('Transfer-Encoding', None)
-    headers.pop('Connection', None)
-    headers.pop('Keep-Alive', None)
-    self.assertEqual(
-      {
-        'Content-type': 'application/json',
-        'Set-Cookie': 'secured=value;secure, nonsecured=value'
-      },
-      headers
-    )
-    result_http = fakeHTTPResult(
-      'caddycustomhttpsaccepted.example.com',
-      parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqualResultJson(result_http, 'Path', '/test-path')
-    slave_configuration_file_list = glob.glob(os.path.join(
-      self.instance_path, '*', 'etc', '*slave-conf.d', '*.conf'))
-    # no configuration file contains provided custom http
-    configuration_file_with_custom_https_list = [
-      q for q in slave_configuration_file_list
-      if 'caddy_custom_https_filled_in_accepted' in open(q).read()]
-    self.assertEqual(1, len(configuration_file_with_custom_https_list))
-    configuration_file_with_custom_http_list = [
-      q for q in slave_configuration_file_list
-      if 'caddy_custom_http_filled_in_accepted' in open(q).read()]
-    self.assertEqual(1, len(configuration_file_with_custom_http_list))
  def test_https_url(self):
    parameter_dict = self.assertSlaveBase('url_https-url')
@@ -4265,7 +4052,7 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
    )
    self.assertEqual(
-      'https://urlhttpsurl.example.com/test-path/deeper',
+      'https://urlhttpsurl.example.com:%s/test-path/deeper' % (HTTP_PORT,),
      result_http.headers['Location']
    )
@@ -4822,104 +4609,6 @@ class TestDefaultMonitorHttpdPort(SlaveHttpFrontendTestCase, TestDataMixin):
      'Listen [%s]:8072' % (self._ipv6_address,) in slave_monitor_conf)
-class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
-  @classmethod
-  def getInstanceParameterDict(cls):
-    return {
-      'domain': 'example.com',
-      'public-ipv4': cls._ipv4_address,
-      'enable-quic': 'true',
-      'port': HTTPS_PORT,
-      'plain_http_port': HTTP_PORT,
-      'mpm-graceful-shutdown-timeout': 2,
-      'kedifa_port': KEDIFA_PORT,
-      'caucase_port': CAUCASE_PORT,
-    }
-  @classmethod
-  def getSlaveParameterDictDict(cls):
-    return {
-      'url': {
-        'url': cls.backend_url,
-        'enable_cache': True,
-      },
-    }
-  # It is known problem that QUIC does not work after sending reload signal,
-  # SIGUSR1, see https://github.com/mholt/caddy/issues/2394
-  @expectedFailure
-  def test_url(self):
-    parameter_dict = self.parseSlaveParameterDict('url')
-    self.assertLogAccessUrlWithPop(parameter_dict)
-    self.assertKedifaKeysWithPop(parameter_dict)
-    self.assertEqual(
-      {
-        'domain': 'url.example.com',
-        'replication_number': '1',
-        'url': 'http://url.example.com',
-        'site_url': 'http://url.example.com',
-        'secure_access': 'https://url.example.com',
-        'public-ipv4': self._ipv4_address,
-      },
-      parameter_dict
-    )
-    result = fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      self.certificate_pem,
-      der2pem(result.peercert))
-    self.assertEqualResultJson(result, 'Path', '/test-path')
-    try:
-      j = result.json()
-    except Exception:
-      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
-    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
-    self.assertKeyWithPop('Date', result.headers)
-    self.assertKeyWithPop('Content-Length', result.headers)
-    def assertQUIC():
-      quic_status, quic_result = getQUIC(
-        'https://%s/%s' % (parameter_dict['domain'], 'test-path'),
-        parameter_dict['public-ipv4'],
-        HTTPS_PORT
-      )
-      self.assertTrue(quic_status, quic_result)
-      try:
-        quic_jsoned = quic_result.split('body: ')[2].split('trailers')[0]
-      except Exception:
-        raise ValueError('JSON not found at all in QUIC result:\n%s' % (
-          quic_result,))
-      try:
-        j = json.loads(quic_jsoned)
-      except Exception:
-        raise ValueError('JSON decode problem in:\n%s' % (quic_jsoned,))
-      key = 'Path'
-      self.assertTrue(key in j, 'No key %r in %s' % (key, j))
-      self.assertEqual('/test-path', j[key])
-    assertQUIC()
-    # https://github.com/mholt/caddy/issues/2394
-    # after sending USR1 to Caddy QUIC does not work, check current behaviour
-    caddy_pid = [
-      q['pid'] for q
-      in self.callSupervisorMethod('getAllProcessInfo')
-      if 'frontend_caddy' in q['name']][0]
-    os.kill(caddy_pid, signal.SIGUSR1)
-    # give caddy a moment to refresh its config, as sending signal does not
-    # block until caddy is refreshed
-    time.sleep(2)
-    assertQUIC()
 @skip('New test system cannot be used with failing promises')
 class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
  @classmethod
@@ -4937,13 +4626,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
  @classmethod
  def getSlaveParameterDictDict(cls):
    return {
-      're6st-optimal-test-nocomma': {
-        're6st-optimal-test': 'nocomma',
-      },
-      're6st-optimal-test-unsafe': {
-        're6st-optimal-test':
-        'new\nline;rm -fr ~;,new line\n[s${esection:eoption}',
-      },
      'custom_domain-unsafe': {
        'custom_domain': '${section:option} afterspace\nafternewline',
      },
@@ -4989,9 +4671,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
    expected_parameter_dict = {
      'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
      'domain': 'example.com',
-      'accepted-slave-amount': '8',
+      'accepted-slave-amount': '6',
      'rejected-slave-amount': '3',
-      'slave-amount': '11',
+      'slave-amount': '9',
      'rejected-slave-dict': {
        '_bad-ciphers': [
          "Cipher 'bad' is not supported.",
@@ -5037,83 +4719,6 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
    self.assertEqualResultJson(result, 'Path', '/test-path')
-  def test_re6st_optimal_test_unsafe(self):
-    parameter_dict = self.parseSlaveParameterDict('re6st-optimal-test-unsafe')
-    self.assertLogAccessUrlWithPop(parameter_dict)
-    self.assertKedifaKeysWithPop(parameter_dict)
-    self.assertEqual(
-      {
-        'domain': 're6stoptimaltestunsafe.example.com',
-        'replication_number': '1',
-        'url': 'http://re6stoptimaltestunsafe.example.com',
-        'site_url': 'http://re6stoptimaltestunsafe.example.com',
-        'secure_access': 'https://re6stoptimaltestunsafe.example.com',
-        'public-ipv4': self._ipv4_address,
-      },
-      parameter_dict
-    )
-    result = fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      self.certificate_pem,
-      der2pem(result.peercert))
-    self.assertEqual(httplib.NOT_FOUND, result.status_code)
-    monitor_file = glob.glob(
-      os.path.join(
-        self.instance_path, '*', 'etc', 'plugin',
-        'check-_re6st-optimal-test-unsafe-re6st-optimal-test.py'))[0]
-    # Note: The result is a bit differnt from the request (newlines stripped),
-    #       but good enough to prove, that ${esection:eoption} has been
-    #       correctly passed to the script.
-    self.assertEqual(
-      getPluginParameterDict(self.software_path, monitor_file),
-      {
-        'frequency': '720',
-        'ipv4': 'new line\n[s${esection:eoption}',
-        'ipv6': 'new\nline;rm -fr ~;',
-      }
-    )
-  def test_re6st_optimal_test_nocomma(self):
-    parameter_dict = self.parseSlaveParameterDict('re6st-optimal-test-nocomma')
-    self.assertLogAccessUrlWithPop(parameter_dict)
-    self.assertKedifaKeysWithPop(parameter_dict)
-    self.assertEqual(
-      {
-        'domain': 're6stoptimaltestnocomma.example.com',
-        'replication_number': '1',
-        'url': 'http://re6stoptimaltestnocomma.example.com',
-        'site_url': 'http://re6stoptimaltestnocomma.example.com',
-        'secure_access': 'https://re6stoptimaltestnocomma.example.com',
-        'public-ipv4': self._ipv4_address,
-      },
-      parameter_dict
-    )
-    result = fakeHTTPSResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
-    self.assertEqual(
-      self.certificate_pem,
-      der2pem(result.peercert))
-    self.assertEqual(httplib.NOT_FOUND, result.status_code)
-    # assert that there is no nocomma file
-    monitor_file_list = glob.glob(
-      os.path.join(
-        self.instance_path, '*', 'etc', 'plugin',
-        'check-_re6st-optimal-test-nocomma-re6st-optimal-test.py'))
-    self.assertEqual(
-      [],
-      monitor_file_list
-    )
  def test_custom_domain_unsafe(self):
    parameter_dict = self.parseSlaveParameterDict('custom_domain-unsafe')
    self.assertEqual(
@@ -6585,8 +6190,6 @@ class TestSlaveCiphers(SlaveHttpFrontendTestCase, TestDataMixin):
    return {
      'domain': 'example.com',
      'public-ipv4': cls._ipv4_address,
-      '-frontend-authorized-slave-string':
-      '_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
      'port': HTTPS_PORT,
      'plain_http_port': HTTP_PORT,
      'kedifa_port': KEDIFA_PORT,

--- a/software/caddy-frontend/test/test_data/test.TestDefaultMonitorHttpdPort.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestDefaultMonitorHttpdPort.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestDefaultMonitorHttpdPort.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestDefaultMonitorHttpdPort.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestDuplicateSiteKeyProtection.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMalformedBackenUrlSlave.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestQuicEnabled.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt
@@ -26,10 +26,6 @@ T-2/var/log/httpd-cache-direct/_enable_cache_server_alias_error_log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_Url_access_log
 T-2/var/log/httpd/_Url_error_log
-T-2/var/log/httpd/_apache_custom_http_s-accepted_access_log
-T-2/var/log/httpd/_apache_custom_http_s-accepted_error_log
-T-2/var/log/httpd/_caddy_custom_http_s-accepted_access_log
-T-2/var/log/httpd/_caddy_custom_http_s-accepted_error_log
 T-2/var/log/httpd/_ciphers_access_log
 T-2/var/log/httpd/_ciphers_error_log
 T-2/var/log/httpd/_custom_domain_access_log
@@ -76,8 +72,6 @@ T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_access_log
 T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_error_log
 T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_access_log
 T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_error_log
-T-2/var/log/httpd/_re6st-optimal-test_access_log
-T-2/var/log/httpd/_re6st-optimal-test_error_log
 T-2/var/log/httpd/_server-alias-duplicated_access_log
 T-2/var/log/httpd/_server-alias-duplicated_error_log
 T-2/var/log/httpd/_server-alias-wildcard_access_log

--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_plugin-CADDY.txt
@@ -27,7 +27,6 @@ T-2/etc/plugin/caddy_ssl_cached.py
 T-2/etc/plugin/caucase-updater.py
 T-2/etc/plugin/check-_monitor-ipv4-test-ipv4-packet-list-test.py
 T-2/etc/plugin/check-_monitor-ipv6-test-ipv6-packet-list-test.py
-T-2/etc/plugin/check-_re6st-optimal-test-re6st-optimal-test.py
 T-2/etc/plugin/check-free-disk-space.py
 T-2/etc/plugin/expose-csr_id-ip-port-listening.py
 T-2/etc/plugin/frontend-caddy-configuration-promise.py

--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_master_partition_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_master_partition_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt
 T-2/etc/monitor-promise/check-_monitor-ipv4-test-ipv4-packet-list-test
 T-2/etc/monitor-promise/check-_monitor-ipv6-test-ipv6-packet-list-test
-T-2/etc/monitor-promise/check-_re6st-optimal-test-re6st-optimal-test
--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_file_list_log-CADDY.txt
@@ -12,10 +12,6 @@ T-2/var/log/httpd/_monitor-ipv4-test-unsafe_access_log
 T-2/var/log/httpd/_monitor-ipv4-test-unsafe_error_log
 T-2/var/log/httpd/_monitor-ipv6-test-unsafe_access_log
 T-2/var/log/httpd/_monitor-ipv6-test-unsafe_error_log
-T-2/var/log/httpd/_re6st-optimal-test-nocomma_access_log
-T-2/var/log/httpd/_re6st-optimal-test-nocomma_error_log
-T-2/var/log/httpd/_re6st-optimal-test-unsafe_access_log
-T-2/var/log/httpd/_re6st-optimal-test-unsafe_error_log
 T-2/var/log/httpd/_server-alias-same_access_log
 T-2/var/log/httpd/_server-alias-same_error_log
 T-2/var/log/httpd/_virtualhostroot-http-port-unsafe_access_log

--- a/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_monitor_promise_list-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveBadParameters.test_monitor_promise_list-CADDY.txt
 T-2/etc/monitor-promise/check-_monitor-ipv4-test-unsafe-ipv4-packet-list-test
 T-2/etc/monitor-promise/check-_monitor-ipv6-test-unsafe-ipv6-packet-list-test
-T-2/etc/monitor-promise/check-_re6st-optimal-test-unsafe-re6st-optimal-test
--- a/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
@@ -26,10 +26,6 @@ T-2/var/log/httpd-cache-direct/_enable_cache_server_alias_error_log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_Url_access_log
 T-2/var/log/httpd/_Url_error_log
-T-2/var/log/httpd/_apache_custom_http_s-accepted_access_log
-T-2/var/log/httpd/_apache_custom_http_s-accepted_error_log
-T-2/var/log/httpd/_caddy_custom_http_s-accepted_access_log
-T-2/var/log/httpd/_caddy_custom_http_s-accepted_error_log
 T-2/var/log/httpd/_ciphers_access_log
 T-2/var/log/httpd/_ciphers_error_log
 T-2/var/log/httpd/_custom_domain_access_log
@@ -76,8 +72,6 @@ T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_access_log
 T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_error_log
 T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_access_log
 T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_error_log
-T-2/var/log/httpd/_re6st-optimal-test_access_log
-T-2/var/log/httpd/_re6st-optimal-test_error_log
 T-2/var/log/httpd/_server-alias-duplicated_access_log
 T-2/var/log/httpd/_server-alias-duplicated_error_log
 T-2/var/log/httpd/_server-alias-wildcard_access_log

--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
@@ -27,7 +27,6 @@ T-2/etc/plugin/caddy_ssl_cached.py
 T-2/etc/plugin/caucase-updater.py
 T-2/etc/plugin/check-_monitor-ipv4-test-ipv4-packet-list-test.py
 T-2/etc/plugin/check-_monitor-ipv6-test-ipv6-packet-list-test.py
-T-2/etc/plugin/check-_re6st-optimal-test-re6st-optimal-test.py
 T-2/etc/plugin/check-free-disk-space.py
 T-2/etc/plugin/expose-csr_id-ip-port-listening.py
 T-2/etc/plugin/frontend-caddy-configuration-promise.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_master_partition_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_master_partition_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_monitor_promise_list-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_monitor_promise_list-CADDY.txt
 T-1/etc/monitor-promise/check-_monitor-ipv4-test-ipv4-packet-list-test
 T-1/etc/monitor-promise/check-_monitor-ipv6-test-ipv6-packet-list-test
-T-1/etc/monitor-promise/check-_re6st-optimal-test-re6st-optimal-test
--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_etc_cron_d-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_log-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_run-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_supervisor_state-CADDY.txt
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_dummy-cached_access_log
+T-2/var/log/httpd-cache-direct/_dummy-cached_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_dummy-cached_access_log
+T-2/var/log/httpd/_dummy-cached_error_log
+T-2/var/log/httpd/_enable-http2-default_access_log
+T-2/var/log/httpd/_enable-http2-default_error_log
+T-2/var/log/httpd/_enable-http2-false_access_log
+T-2/var/log/httpd/_enable-http2-false_error_log
+T-2/var/log/httpd/_enable-http2-true_access_log
+T-2/var/log/httpd/_enable-http2-true_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlave.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_dummy-cached_access_log
+T-2/var/log/httpd-cache-direct/_dummy-cached_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_dummy-cached_access_log
+T-2/var/log/httpd/_dummy-cached_error_log
+T-2/var/log/httpd/_enable-http2-default_access_log
+T-2/var/log/httpd/_enable-http2-default_error_log
+T-2/var/log/httpd/_enable-http2-false_access_log
+T-2/var/log/httpd/_enable-http2-false_error_log
+T-2/var/log/httpd/_enable-http2-true_access_log
+T-2/var/log/httpd/_enable-http2-true_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_dummy-cached_access_log
+T-2/var/log/httpd-cache-direct/_dummy-cached_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_dummy-cached_access_log
+T-2/var/log/httpd/_dummy-cached_error_log
+T-2/var/log/httpd/_enable-http2-default_access_log
+T-2/var/log/httpd/_enable-http2-default_error_log
+T-2/var/log/httpd/_enable-http2-false_access_log
+T-2/var/log/httpd/_enable-http2-false_error_log
+T-2/var/log/httpd/_enable-http2-true_access_log
+T-2/var/log/httpd/_enable-http2-true_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlave.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_dummy-cached_access_log
+T-2/var/log/httpd-cache-direct/_dummy-cached_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_dummy-cached_access_log
+T-2/var/log/httpd/_dummy-cached_error_log
+T-2/var/log/httpd/_enable-http2-default_access_log
+T-2/var/log/httpd/_enable-http2-default_error_log
+T-2/var/log/httpd/_enable-http2-false_access_log
+T-2/var/log/httpd/_enable-http2-false_error_log
+T-2/var/log/httpd/_enable-http2-true_access_log
+T-2/var/log/httpd/_enable-http2-true_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequest.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestMasterRequestDomain.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_url_access_log
+T-2/var/log/httpd-cache-direct/_url_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_url_access_log
+T-2/var/log/httpd/_url_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestQuicEnabled.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_default_access_log
+T-2/var/log/httpd-cache-direct/_default_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_default_access_log
+T-2/var/log/httpd/_default_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestRe6stVerificationUrlDefaultSlave.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-no-cache-request_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-no-cache-request_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-via-header_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-via-header_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache_custom_domain_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache_custom_domain_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache_server_alias_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache_server_alias_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_Url_access_log
+T-2/var/log/httpd/_Url_error_log
+T-2/var/log/httpd/_ciphers_access_log
+T-2/var/log/httpd/_ciphers_error_log
+T-2/var/log/httpd/_custom_domain_access_log
+T-2/var/log/httpd/_custom_domain_error_log
+T-2/var/log/httpd/_custom_domain_server_alias_access_log
+T-2/var/log/httpd/_custom_domain_server_alias_error_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_access_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_error_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_ssl_ca_crt_access_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_ssl_ca_crt_error_log
+T-2/var/log/httpd/_custom_domain_wildcard_access_log
+T-2/var/log/httpd/_custom_domain_wildcard_error_log
+T-2/var/log/httpd/_disabled-cookie-list_access_log
+T-2/var/log/httpd/_disabled-cookie-list_error_log
+T-2/var/log/httpd/_empty_access_log
+T-2/var/log/httpd/_empty_error_log
+T-2/var/log/httpd/_enable-http2-default_access_log
+T-2/var/log/httpd/_enable-http2-default_error_log
+T-2/var/log/httpd/_enable-http2-false_access_log
+T-2/var/log/httpd/_enable-http2-false_error_log
+T-2/var/log/httpd/_enable_cache-disable-no-cache-request_access_log
+T-2/var/log/httpd/_enable_cache-disable-no-cache-request_error_log
+T-2/var/log/httpd/_enable_cache-disable-via-header_access_log
+T-2/var/log/httpd/_enable_cache-disable-via-header_error_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd/_enable_cache_access_log
+T-2/var/log/httpd/_enable_cache_custom_domain_access_log
+T-2/var/log/httpd/_enable_cache_custom_domain_error_log
+T-2/var/log/httpd/_enable_cache_error_log
+T-2/var/log/httpd/_enable_cache_server_alias_access_log
+T-2/var/log/httpd/_enable_cache_server_alias_error_log
+T-2/var/log/httpd/_https-only_access_log
+T-2/var/log/httpd/_https-only_error_log
+T-2/var/log/httpd/_monitor-ipv4-test_access_log
+T-2/var/log/httpd/_monitor-ipv4-test_error_log
+T-2/var/log/httpd/_monitor-ipv6-test_access_log
+T-2/var/log/httpd/_monitor-ipv6-test_error_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_access_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_error_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_access_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_error_log
+T-2/var/log/httpd/_server-alias-duplicated_access_log
+T-2/var/log/httpd/_server-alias-duplicated_error_log
+T-2/var/log/httpd/_server-alias-wildcard_access_log
+T-2/var/log/httpd/_server-alias-wildcard_error_log
+T-2/var/log/httpd/_server-alias_access_log
+T-2/var/log/httpd/_server-alias_custom_domain-duplicated_access_log
+T-2/var/log/httpd/_server-alias_custom_domain-duplicated_error_log
+T-2/var/log/httpd/_server-alias_error_log
+T-2/var/log/httpd/_ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd/_ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
+T-2/var/log/httpd/_ssl_ca_crt_does_not_match_error_log
+T-2/var/log/httpd/_ssl_ca_crt_garbage_access_log
+T-2/var/log/httpd/_ssl_ca_crt_garbage_error_log
+T-2/var/log/httpd/_ssl_ca_crt_only_access_log
+T-2/var/log/httpd/_ssl_ca_crt_only_error_log
+T-2/var/log/httpd/_type-notebook_access_log
+T-2/var/log/httpd/_type-notebook_error_log
+T-2/var/log/httpd/_type-redirect_access_log
+T-2/var/log/httpd/_type-redirect_error_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_error_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list_error_log
+T-2/var/log/httpd/_type-websocket-websocket-transparent-false_access_log
+T-2/var/log/httpd/_type-websocket-websocket-transparent-false_error_log
+T-2/var/log/httpd/_type-websocket_access_log
+T-2/var/log/httpd/_type-websocket_error_log
+T-2/var/log/httpd/_type-zope-default-path_access_log
+T-2/var/log/httpd/_type-zope-default-path_error_log
+T-2/var/log/httpd/_type-zope-path_access_log
+T-2/var/log/httpd/_type-zope-path_error_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend-https-only_access_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend-https-only_error_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend_access_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend_error_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-http-port_error_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-https-port_access_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-https-port_error_log
+T-2/var/log/httpd/_type-zope_access_log
+T-2/var/log/httpd/_type-zope_error_log
+T-2/var/log/httpd/_url_https-url_access_log
+T-2/var/log/httpd/_url_https-url_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-_monitor-ipv4-test-ipv4-packet-list-test.py
+T-2/etc/plugin/check-_monitor-ipv6-test-ipv6-packet-list-test.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlave.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestSlave.test_master_partition_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlave.test_master_partition_state-CADDY.txt
+SetEnvIf Origin "^http(s)?://(.+\.)?(monitor\.app\.officejs\.com)$" ORIGIN_DOMAIN=$0
+Header always set Access-Control-Allow-Origin "%{ORIGIN_DOMAIN}e" env=ORIGIN_DOMAIN
+Header always set Access-Control-Allow-Credentials "true" env=ORIGIN_DOMAIN
+Header always set Access-Control-Allow-Methods "PROPFIND, PROPPATCH, COPY, MOVE, DELETE, MKCOL, LOCK, UNLOCK, PUT, GETLIB, VERSION-CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, REPORT, UPDATE, CANCELUPLOAD, HEAD, OPTIONS, GET, POST" env=ORIGIN_DOMAIN
+Header always set Access-Control-Allow-Headers "Overwrite, Destination, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Authorization" env=ORIGIN_DOMAIN
--- a/software/caddy-frontend/test/test_data/test.test.TestSlave.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlave.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_default_ciphers_access_log
+T-2/var/log/httpd-cache-direct/_default_ciphers_error_log
+T-2/var/log/httpd-cache-direct/_own_ciphers_access_log
+T-2/var/log/httpd-cache-direct/_own_ciphers_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_default_ciphers_access_log
+T-2/var/log/httpd/_default_ciphers_error_log
+T-2/var/log/httpd/_own_ciphers_access_log
+T-2/var/log/httpd/_own_ciphers_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveCiphers.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-no-cache-request_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-no-cache-request_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-via-header_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-disable-via-header_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache_custom_domain_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache_custom_domain_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache_error_log
+T-2/var/log/httpd-cache-direct/_enable_cache_server_alias_access_log
+T-2/var/log/httpd-cache-direct/_enable_cache_server_alias_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_Url_access_log
+T-2/var/log/httpd/_Url_error_log
+T-2/var/log/httpd/_ciphers_access_log
+T-2/var/log/httpd/_ciphers_error_log
+T-2/var/log/httpd/_custom_domain_access_log
+T-2/var/log/httpd/_custom_domain_error_log
+T-2/var/log/httpd/_custom_domain_server_alias_access_log
+T-2/var/log/httpd/_custom_domain_server_alias_error_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_access_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_error_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_ssl_ca_crt_access_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_ssl_ca_crt_error_log
+T-2/var/log/httpd/_custom_domain_wildcard_access_log
+T-2/var/log/httpd/_custom_domain_wildcard_error_log
+T-2/var/log/httpd/_disabled-cookie-list_access_log
+T-2/var/log/httpd/_disabled-cookie-list_error_log
+T-2/var/log/httpd/_empty_access_log
+T-2/var/log/httpd/_empty_error_log
+T-2/var/log/httpd/_enable-http2-default_access_log
+T-2/var/log/httpd/_enable-http2-default_error_log
+T-2/var/log/httpd/_enable-http2-false_access_log
+T-2/var/log/httpd/_enable-http2-false_error_log
+T-2/var/log/httpd/_enable_cache-disable-no-cache-request_access_log
+T-2/var/log/httpd/_enable_cache-disable-no-cache-request_error_log
+T-2/var/log/httpd/_enable_cache-disable-via-header_access_log
+T-2/var/log/httpd/_enable_cache-disable-via-header_error_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd/_enable_cache_access_log
+T-2/var/log/httpd/_enable_cache_custom_domain_access_log
+T-2/var/log/httpd/_enable_cache_custom_domain_error_log
+T-2/var/log/httpd/_enable_cache_error_log
+T-2/var/log/httpd/_enable_cache_server_alias_access_log
+T-2/var/log/httpd/_enable_cache_server_alias_error_log
+T-2/var/log/httpd/_https-only_access_log
+T-2/var/log/httpd/_https-only_error_log
+T-2/var/log/httpd/_monitor-ipv4-test_access_log
+T-2/var/log/httpd/_monitor-ipv4-test_error_log
+T-2/var/log/httpd/_monitor-ipv6-test_access_log
+T-2/var/log/httpd/_monitor-ipv6-test_error_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_access_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend-https-only_error_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_access_log
+T-2/var/log/httpd/_prefer-gzip-encoding-to-backend_error_log
+T-2/var/log/httpd/_server-alias-duplicated_access_log
+T-2/var/log/httpd/_server-alias-duplicated_error_log
+T-2/var/log/httpd/_server-alias-wildcard_access_log
+T-2/var/log/httpd/_server-alias-wildcard_error_log
+T-2/var/log/httpd/_server-alias_access_log
+T-2/var/log/httpd/_server-alias_custom_domain-duplicated_access_log
+T-2/var/log/httpd/_server-alias_custom_domain-duplicated_error_log
+T-2/var/log/httpd/_server-alias_error_log
+T-2/var/log/httpd/_ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd/_ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
+T-2/var/log/httpd/_ssl_ca_crt_does_not_match_error_log
+T-2/var/log/httpd/_ssl_ca_crt_garbage_access_log
+T-2/var/log/httpd/_ssl_ca_crt_garbage_error_log
+T-2/var/log/httpd/_ssl_ca_crt_only_access_log
+T-2/var/log/httpd/_ssl_ca_crt_only_error_log
+T-2/var/log/httpd/_type-notebook_access_log
+T-2/var/log/httpd/_type-notebook_error_log
+T-2/var/log/httpd/_type-redirect_access_log
+T-2/var/log/httpd/_type-redirect_error_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list-websocket-transparent-false_error_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list_access_log
+T-2/var/log/httpd/_type-websocket-websocket-path-list_error_log
+T-2/var/log/httpd/_type-websocket-websocket-transparent-false_access_log
+T-2/var/log/httpd/_type-websocket-websocket-transparent-false_error_log
+T-2/var/log/httpd/_type-websocket_access_log
+T-2/var/log/httpd/_type-websocket_error_log
+T-2/var/log/httpd/_type-zope-default-path_access_log
+T-2/var/log/httpd/_type-zope-default-path_error_log
+T-2/var/log/httpd/_type-zope-path_access_log
+T-2/var/log/httpd/_type-zope-path_error_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend-https-only_access_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend-https-only_error_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend_access_log
+T-2/var/log/httpd/_type-zope-prefer-gzip-encoding-to-backend_error_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
+T-2/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-http-port_error_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-https-port_access_log
+T-2/var/log/httpd/_type-zope-virtualhostroot-https-port_error_log
+T-2/var/log/httpd/_type-zope_access_log
+T-2/var/log/httpd/_type-zope_error_log
+T-2/var/log/httpd/_url_https-url_access_log
+T-2/var/log/httpd/_url_https-url_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-_monitor-ipv4-test-ipv4-packet-list-test.py
+T-2/etc/plugin/check-_monitor-ipv6-test-ipv6-packet-list-test.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_master_partition_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_master_partition_state-CADDY.txt
+SetEnvIf Origin "^http(s)?://(.+\.)?(monitor\.app\.officejs\.com)$" ORIGIN_DOMAIN=$0
+Header always set Access-Control-Allow-Origin "%{ORIGIN_DOMAIN}e" env=ORIGIN_DOMAIN
+Header always set Access-Control-Allow-Credentials "true" env=ORIGIN_DOMAIN
+Header always set Access-Control-Allow-Methods "PROPFIND, PROPPATCH, COPY, MOVE, DELETE, MKCOL, LOCK, UNLOCK, PUT, GETLIB, VERSION-CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, REPORT, UPDATE, CANCELUPLOAD, HEAD, OPTIONS, GET, POST" env=ORIGIN_DOMAIN
+Header always set Access-Control-Allow-Headers "Overwrite, Destination, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Authorization" env=ORIGIN_DOMAIN
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_ssl_from_master_access_log
+T-2/var/log/httpd-cache-direct/_ssl_from_master_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_access_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_error_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_ssl_ca_crt_access_log
+T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_ssl_ca_crt_error_log
+T-2/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
+T-2/var/log/httpd/_ssl_ca_crt_does_not_match_error_log
+T-2/var/log/httpd/_ssl_ca_crt_garbage_access_log
+T-2/var/log/httpd/_ssl_ca_crt_garbage_error_log
+T-2/var/log/httpd/_ssl_from_master_access_log
+T-2/var/log/httpd/_ssl_from_master_error_log
+T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_access_log
+T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_error_log
+T-2/var/log/httpd/_ssl_from_slave_access_log
+T-2/var/log/httpd/_ssl_from_slave_error_log
+T-2/var/log/httpd/_ssl_from_slave_kedifa_overrides_access_log
+T-2/var/log/httpd/_ssl_from_slave_kedifa_overrides_error_log
+T-2/var/log/httpd/_type-notebook-ssl_from_master_access_log
+T-2/var/log/httpd/_type-notebook-ssl_from_master_error_log
+T-2/var/log/httpd/_type-notebook-ssl_from_master_kedifa_overrides_access_log
+T-2/var/log/httpd/_type-notebook-ssl_from_master_kedifa_overrides_error_log
+T-2/var/log/httpd/_type-notebook-ssl_from_slave_access_log
+T-2/var/log/httpd/_type-notebook-ssl_from_slave_error_log
+T-2/var/log/httpd/_type-notebook-ssl_from_slave_kedifa_overrides_access_log
+T-2/var/log/httpd/_type-notebook-ssl_from_slave_kedifa_overrides_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibility.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_ssl_from_master_kedifa_overrides_master_certificate_access_log
+T-2/var/log/httpd-cache-direct/_ssl_from_master_kedifa_overrides_master_certificate_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_master_certificate_access_log
+T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_master_certificate_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_etc_cron_d-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_etc_cron_d-CADDY.txt
+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_log-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_log-CADDY.txt
+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd-cache-direct/_ssl_from_master_access_log
+T-2/var/log/httpd-cache-direct/_ssl_from_master_error_log
+T-2/var/log/httpd-csr_id/expose-csr_id.log
+T-2/var/log/httpd/_ssl_from_master_access_log
+T-2/var/log/httpd/_ssl_from_master_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/trafficserver/manager.log
+T-2/var/log/trafficserver/traffic.out
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt
+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_cached.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caddy_ssl_cached.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_run-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_run-CADDY.txt
+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
--- a/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_supervisor_state-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_supervisor_state-CADDY.txt
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED
--- a/software/cloudooo/buildout.hash.cfg
+++ b/software/cloudooo/buildout.hash.cfg
@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0
 [template-cloudooo-instance]
 filename = instance-cloudooo.cfg.in
-md5sum = e01ee969a45d44d386653a9eb699cc59
+md5sum = e49ee3e309a19f9a3a9590789690c611
--- a/software/cloudooo/instance-cloudooo-input-schema.json
+++ b/software/cloudooo/instance-cloudooo-input-schema.json
@@ -18,27 +18,6 @@
      "default": 1,
      "type": "integer"
    },
-    "ssl": {
-      "description": "Custom ssl certificate, key and optionaly client ca-cert and crl",
-      "properties": {
-        "cert": {
-          "description": "The content of the certificate file",
-          "type": "string"
-        },
-        "key": {
-          "description": "The content of the ssl key file",
-          "type": "string"
-        },
-        "ca-cert": {
-          "description": "The content of the ca-certificate file",
-          "type": "string"
-        },
-        "crl": {
-          "description": "The content of the revocation file",
-          "type": "string"
-        }
-      }
-    },
    "timeout": {
      "description": "Configure apache with this timeout",
      "type": "integer"

--- a/software/cloudooo/instance-cloudooo.cfg.in
+++ b/software/cloudooo/instance-cloudooo.cfg.in
@@ -24,11 +24,6 @@
 {% endif -%}
 {% do assert(timeout > 0) -%}
-{% set ssl_parameter_dict = instance_parameter_dict.get('ssl', {}) %}
-{% if instance_parameter_dict.get('ssl-dict-parameter-name') -%}
-{%   set ssl_parameter_dict = slapparameter_dict.get(instance_parameter_dict['ssl-dict-parameter-name'], ssl_parameter_dict) -%}
-{% endif -%}
 {% set mimetype_entry_addition = instance_parameter_dict.get('mimetype-entry-addition', '') -%}
 {% if instance_parameter_dict.get('mimetype-entry-addition-parameter-name') -%}
 {%   set mimetype_entry_addition = mimetype_entry_addition ~ "\n" ~ slapparameter_dict.get(instance_parameter_dict['mimetype-entry-addition-parameter-name'], '') -%}
@@ -110,9 +105,6 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
-# Client x509 auth
-ca-cert = ${apache-ssl-client:cert}
-crl = ${apache-ssl-client:crl}
 [apache-promise]
 # Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
@@ -131,28 +123,10 @@ ca-cert =  ${directory:apache-conf}/ca.crt
 crl = ${directory:apache-conf}/crl.pem
 [apache-ssl]
-{% if ssl_parameter_dict.get('key') -%}
-key = ${apache-ssl-key:rendered}
-cert = ${apache-ssl-cert:rendered}
-{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
-{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
-{% else %}
 recipe = plone.recipe.command
 command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
 key = ${apache-conf-ssl:key}
 cert = ${apache-conf-ssl:cert}
-{%- endif %}
-[apache-ssl-client]
-{% if ssl_parameter_dict.get('ca-cert') -%}
-cert = ${apache-ssl-ca:rendered}
-crl = ${apache-ssl-crl:rendered}
-{{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }}
-{{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }}
-{% else %}
-cert =
-crl =
-{%- endif %}
 [apache-logrotate]
 < = logrotate-entry-base
@@ -189,9 +163,8 @@ includes =
 recipe = slapos.cookbook:generic.cloudooo
 ip = {{ ipv4 }}
 environment =
-  LD_LIBRARY_PATH = {{ parameter_dict['cairo'] }}/lib:{{ parameter_dict['cups'] }}/lib:{{ parameter_dict['cups'] }}/lib64:{{ parameter_dict['dbus'] }}/lib:{{ parameter_dict['dbus-glib'] }}/lib:{{ parameter_dict['file'] }}/lib:{{ parameter_dict['fontconfig'] }}/lib:{{ parameter_dict['freetype'] }}/lib:{{ parameter_dict['glib'] }}/lib:{{ parameter_dict['glu'] }}/lib:{{ parameter_dict['libICE'] }}/lib:{{ parameter_dict['libSM'] }}/lib:{{ parameter_dict['libX11'] }}/lib:{{ parameter_dict['libXau'] }}/lib:{{ parameter_dict['libXdmcp'] }}/lib:{{ parameter_dict['libXext'] }}/lib:{{ parameter_dict['libXrender'] }}/lib:{{ parameter_dict['libexpat'] }}/lib:{{ parameter_dict['libffi'] }}/lib:{{ parameter_dict['libffi'] }}/lib64:{{ parameter_dict['libpng12'] }}/lib:{{ parameter_dict['libxcb'] }}/lib:{{ parameter_dict['mesa'] }}/lib:{{ parameter_dict['pixman'] }}/lib:{{ parameter_dict['xdamage'] }}/lib:{{ parameter_dict['xfixes'] }}/lib:{{ parameter_dict['zlib'] }}/lib
+  LD_LIBRARY_PATH = {{ parameter_dict['cairo'] }}/lib:{{ parameter_dict['cups'] }}/lib:{{ parameter_dict['cups'] }}/lib64:{{ parameter_dict['dbus'] }}/lib:{{ parameter_dict['dbus-glib'] }}/lib:{{ parameter_dict['file'] }}/lib:{{ parameter_dict['fontconfig'] }}/lib:{{ parameter_dict['freetype'] }}/lib:{{ parameter_dict['gcc'] }}/lib:{{ parameter_dict['gcc'] }}/lib64:{{ parameter_dict['glib'] }}/lib:{{ parameter_dict['glu'] }}/lib:{{ parameter_dict['libICE'] }}/lib:{{ parameter_dict['libSM'] }}/lib:{{ parameter_dict['libX11'] }}/lib:{{ parameter_dict['libXau'] }}/lib:{{ parameter_dict['libXdmcp'] }}/lib:{{ parameter_dict['libXext'] }}/lib:{{ parameter_dict['libXrender'] }}/lib:{{ parameter_dict['libexpat'] }}/lib:{{ parameter_dict['libffi'] }}/lib:{{ parameter_dict['libffi'] }}/lib64:{{ parameter_dict['libpng12'] }}/lib:{{ parameter_dict['libxcb'] }}/lib:{{ parameter_dict['mesa'] }}/lib:{{ parameter_dict['pixman'] }}/lib:{{ parameter_dict['xdamage'] }}/lib:{{ parameter_dict['xfixes'] }}/lib:{{ parameter_dict['zlib'] }}/lib
  FONTCONFIG_FILE = ${fontconfig-conf:rendered}
  PATH = ${binary-link:target-directory}
 mimetype_entry_addition =
 {% for entry in mimetype_entry_addition.splitlines() -%}

--- a/software/cloudooo/software-common.cfg
+++ b/software/cloudooo/software-common.cfg
@@ -4,6 +4,7 @@ extends =
  ../../stack/cloudooo.cfg
  ../../stack/logrotate/buildout.cfg
  ../../stack/monitor/buildout.cfg
+  ../../component/defaults.cfg
 parts =
  ${cloudooo-buildout:parts}
@@ -62,6 +63,7 @@ fontconfig-includes =
  ${fontconfig:location}/etc/fonts/conf.d
 freetype = ${freetype:location}
+gcc = ${gcc:prefix}
 glib = ${glib:location}
 glu = ${glu:location}
 haproxy = ${haproxy:location}

--- a/software/erp5/instance-erp5-input-schema.json
+++ b/software/erp5/instance-erp5-input-schema.json
@@ -84,7 +84,8 @@
        "software-url": {
          "description": "Front-end's software type. If this parameter is empty, no front-end instance is requested. Else, sla-dict must specify 'frontend' which is a special value matching all frontends (e.g. {\"instance_guid=bar\": [\"frontend\"]}).",
          "default": "",
-          "type": "string"
+          "type": "string",
+          "format": "uri"
        },
        "domain": {
          "description": "The domain name to request front-end to respond as.",
@@ -225,7 +226,8 @@
    "cloudooo-url": {
      "description": "Format conversion service URL",
      "pattern": "^https?://",
-      "type": "string"
+      "type": "string",
+      "format": "uri"
    },
    "cloudooo-retry-count": {
      "description": "Define retry count for cloudooo in network error case in test",
@@ -453,10 +455,21 @@
        "ssl": {
          "description": "HTTPS certificate generation parameters",
          "properties": {
+            "frontend-caucase-url-list": {
+              "title": "Frontend Caucase URL List",
+              "description": "List of URLs of caucase service of frontend groups to authenticate access from them.",
+              "type": "array",
+              "items": {
+                "type": "string",
+                "format": "uri"
+              },
+              "uniqueItems": true
+            },
            "caucase-url": {
              "title": "Caucase URL",
              "description": "URL of caucase service to use. If not set, global setting will be used.",
-              "type": "string"
+              "type": "string",
+              "format": "uri"
            },
            "csr": {
              "title": "csr",

--- a/software/erp5/test/test/test_balancer.py
+++ b/software/erp5/test/test/test_balancer.py
+from . import ERP5InstanceTestCase
+from . import setUpModule
+from slapos.testing.utils import findFreeTCPPort
+from BaseHTTPServer import HTTPServer
+from BaseHTTPServer import BaseHTTPRequestHandler
+import OpenSSL.SSL
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+import hashlib
+import json
+import multiprocessing
+import os
+import requests
+import shutil
+import subprocess
+import tempfile
+import time
+setUpModule  # pyflakes
+class TestHandler(BaseHTTPRequestHandler):
+  def do_GET(self):
+    self.send_response(200)
+    self.send_header("Content-Type", "application/json")
+    response = {
+      'Path': self.path,
+      'Incoming Headers': self.headers.dict
+    }
+    response = json.dumps(response, indent=2)
+    self.end_headers()
+    self.wfile.write(response)
+class TestFrontendXForwardedFor(ERP5InstanceTestCase):
+  __partition_reference__ = 'xff'
+  http_server_process = None
+  frontend_caucase_dir = None
+  frontend_caucased_process = None
+  backend_caucase_dir = None
+  backend_caucased_process = None
+  @classmethod
+  def getInstanceSoftwareType(cls):
+    return 'balancer'
+  @classmethod
+  def setUpClass(cls):
+    # start a dummy web server echoing headers.
+    http_server_port = findFreeTCPPort(cls._ipv4_address)
+    server = HTTPServer(
+      (cls._ipv4_address, http_server_port),
+      TestHandler)
+    cls.http_server_process = multiprocessing.Process(
+      target=server.serve_forever, name='HTTPServer')
+    cls.http_server_process.start()
+    cls.http_server_netloc = '%s:%s' % (cls._ipv4_address, http_server_port)
+    # start a caucased and generate a valid client certificate.
+    cls.computer_partition_root_path = os.path.abspath(os.curdir)
+    cls.frontend_caucase_dir = tempfile.mkdtemp()
+    frontend_caucased_dir = os.path.join(cls.frontend_caucase_dir, 'caucased')
+    os.mkdir(frontend_caucased_dir)
+    frontend_user_dir = os.path.join(cls.frontend_caucase_dir, 'user')
+    os.mkdir(frontend_user_dir)
+    frontend_service_dir = os.path.join(cls.frontend_caucase_dir, 'service')
+    os.mkdir(frontend_service_dir)
+    frontend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address))
+    cls.frontend_caucased_url = 'http://' + frontend_caucased_netloc
+    cls.user_certificate = frontend_user_key = os.path.join(frontend_user_dir, 'client.key.pem')
+    frontend_user_csr = os.path.join(frontend_user_dir, 'client.csr.pem')
+    key = rsa.generate_private_key(
+      public_exponent=65537,
+      key_size=2048,
+      backend=default_backend()
+    )
+    with open(frontend_user_key, 'wb') as f:
+      f.write(key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+      ))
+    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, u'user'),
+    ])).sign(key, hashes.SHA256(), default_backend())
+    with open(frontend_user_csr, 'wb') as f:
+      f.write(csr.public_bytes(serialization.Encoding.PEM))
+    cls.software_release_root_path = os.path.join(
+       cls.slap._software_root,
+       hashlib.md5(cls.getSoftwareURL()).hexdigest(),
+    )
+    caucased_path = os.path.join(cls.software_release_root_path, 'bin', 'caucased')
+    caucase_path = os.path.join(cls.software_release_root_path, 'bin', 'caucase')
+    cls.frontend_caucased_process = subprocess.Popen(
+      [
+        caucased_path,
+        '--db', os.path.join(frontend_caucased_dir, 'caucase.sqlite'),
+        '--server-key', os.path.join(frontend_caucased_dir, 'server.key.pem'),
+        '--netloc', frontend_caucased_netloc,
+        '--service-auto-approve-count', '1',
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    for _ in range(10):
+      try:
+        if requests.get(cls.frontend_caucased_url).status_code == 200:
+          break
+      except Exception:
+        pass
+      time.sleep(1)
+    else:
+      raise RuntimeError, 'caucased failed to start.'
+    cau_args = [
+      caucase_path,
+      '--ca-url', cls.frontend_caucased_url,
+      '--ca-crt', os.path.join(frontend_user_dir, 'service-ca-crt.pem'),
+      '--crl', os.path.join(frontend_user_dir, 'service.crl'),
+      '--user-ca-crt', os.path.join(frontend_user_dir, 'user-ca-crt.pem'),
+      '--user-crl', os.path.join(frontend_user_dir, 'user.crl'),
+    ]
+    cas_args = [
+      caucase_path,
+      '--ca-url', cls.frontend_caucased_url,
+      '--ca-crt', os.path.join(frontend_service_dir, 'service-ca-crt.pem'),
+      '--crl', os.path.join(frontend_service_dir, 'service.crl'),
+      '--user-ca-crt', os.path.join(frontend_service_dir, 'user-ca-crt.pem'),
+      '--user-crl', os.path.join(frontend_service_dir, 'user.crl'),
+    ]
+    caucase_process = subprocess.Popen(
+      cau_args + [
+        '--mode', 'user',
+        '--send-csr', frontend_user_csr,
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    result = caucase_process.communicate()
+    print result
+    csr_id = result[0].split()[0]
+    subprocess.check_call(
+      cau_args + [
+        '--mode', 'user',
+        '--get-crt', csr_id, frontend_user_key,
+      ],
+    )
+    cls.client_certificate = frontend_service_key = os.path.join(frontend_service_dir, 'crt.pem')
+    frontend_service_csr = os.path.join(frontend_service_dir, 'csr.pem')
+    key = rsa.generate_private_key(
+      public_exponent=65537,
+      key_size=2048,
+      backend=default_backend()
+    )
+    with open(frontend_service_key, 'wb') as f:
+      f.write(key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+      ))
+    csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
+      x509.NameAttribute(NameOID.COMMON_NAME, u'service'),
+    ])).sign(key, hashes.SHA256(), default_backend())
+    with open(frontend_service_csr, 'wb') as f:
+      f.write(csr.public_bytes(serialization.Encoding.PEM))
+    caucase_process = subprocess.Popen(
+      cas_args + [
+        '--send-csr', frontend_service_csr,
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    result = caucase_process.communicate()
+    csr_id = result[0].split()[0]
+    for _ in range(10):
+      if not subprocess.call(
+        cas_args + [
+          '--get-crt', csr_id, frontend_service_key,
+        ],
+      ) == 0:
+        break
+      else:
+        time.sleep(1)
+    else:
+      raise RuntimeError, 'getting service certificate failed.'
+    # start a caucased and server certificate.
+    cls.backend_caucase_dir = tempfile.mkdtemp()
+    backend_caucased_dir = os.path.join(cls.backend_caucase_dir, 'caucased')
+    os.mkdir(backend_caucased_dir)
+    backend_caucased_netloc = '%s:%s' % (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address))
+    cls.backend_caucased_url = 'http://' + backend_caucased_netloc
+    cls.backend_caucased_process = subprocess.Popen(
+      [
+        caucased_path,
+        '--db', os.path.join(backend_caucased_dir, 'caucase.sqlite'),
+        '--server-key', os.path.join(backend_caucased_dir, 'server.key.pem'),
+        '--netloc', backend_caucased_netloc,
+        '--service-auto-approve-count', '1',
+      ],
+      stdout=subprocess.PIPE,
+      stderr=subprocess.STDOUT,
+    )
+    for _ in range(10):
+      try:
+        if requests.get(cls.backend_caucased_url).status_code == 200:
+          break
+      except Exception:
+        pass
+      time.sleep(1)
+    else:
+      raise RuntimeError, 'caucased failed to start.'
+    super(TestFrontendXForwardedFor, cls).setUpClass()
+  @classmethod
+  def getInstanceParameterDict(cls):
+    return {
+      '_': json.dumps({
+        'tcpv4-port': 3306,
+        'computer-memory-percent-threshold': 100,
+        # XXX what is this ? should probably not be needed here
+        'name': cls.__name__,
+        'monitor-passwd': 'secret',
+        'apachedex-configuration': '',
+        'apachedex-promise-threshold': 100,
+        'haproxy-server-check-path': '/',
+        'zope-family-dict': {
+          'default': ['dummy_http_server'],
+          'default-auth': ['dummy_http_server'],
+        },
+        'dummy_http_server': [[cls.http_server_netloc, 1, False]],
+        'backend-path-dict': {
+          'default': '/',
+          'default-auth': '/',
+        },
+        'ssl-authentication-dict': {
+          'default': False,
+          'default-auth': True,
+        },
+        'ssl': {
+          'caucase-url': cls.backend_caucased_url,
+          'frontend-caucase-url-list': [cls.frontend_caucased_url],
+        },
+      })
+    }
+  @classmethod
+  def _cleanup(cls, snapshot_name):
+    if cls.http_server_process:
+      cls.http_server_process.terminate()
+    if cls.frontend_caucased_process:
+      cls.frontend_caucased_process.terminate()
+    if cls.frontend_caucase_dir:
+      shutil.rmtree(cls.frontend_caucase_dir)
+    if cls.backend_caucased_process:
+      cls.backend_caucased_process.terminate()
+    if cls.backend_caucase_dir:
+      shutil.rmtree(cls.backend_caucase_dir)
+    super(TestFrontendXForwardedFor, cls)._cleanup(snapshot_name)
+  def test_x_forwarded_for_added_when_verified_connection(self):
+    for backend in ('default', 'default-auth'):
+      balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])[backend]
+      result = requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        cert=self.client_certificate,
+        verify=False,
+      ).json()
+      self.assertEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
+  def test_x_forwarded_for_stripped_when_not_verified_connection(self):
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
+    result = requests.get(
+      balancer_url,
+      headers={'X-Forwarded-For': '1.2.3.4'},
+      verify=False,
+    ).json()
+    self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for').split(', ')[0], '1.2.3.4')
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
+    with self.assertRaises(OpenSSL.SSL.Error):
+      requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        verify=False,
+      )
--- a/software/gitlab/buildout.hash.cfg
+++ b/software/gitlab/buildout.hash.cfg
@@ -62,7 +62,7 @@ md5sum = 2af7dcf63f74e5edc53a3ff11fa4989b
 [instance-gitlab-test.cfg.in]
 _update_hash_filename_ = instance-gitlab-test.cfg.in
-md5sum = a4ad76856db98e508af7e773d9ff78f9
+md5sum = 60714fb4e6c869c41bd5e9fada1b6e40
 [macrolib.cfg.in]
 _update_hash_filename_ = macrolib.cfg.in

--- a/software/gitlab/instance-gitlab-test.cfg.in
+++ b/software/gitlab/instance-gitlab-test.cfg.in
 [buildout]
 extends = 
-  {{ instance_gitlab_cfg }}
  {{ instance_gitlab_export_cfg }}
 parts +=

--- a/software/jupyter/software.cfg
+++ b/software/jupyter/software.cfg
@@ -101,7 +101,7 @@ numpy = 1.13.1
 # Required by:
 # tornado==4.4.2
-certifi = 2017.1.23
+certifi = 2020.6.20
 # Required by:
 # notebook==4.3.2

--- a/software/kvm/test/test.py
+++ b/software/kvm/test/test.py
@@ -40,6 +40,7 @@ from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
 has_kvm = os.access('/dev/kvm', os.R_OK|os.W_OK)
 skipUnlessKvm = unittest.skipUnless(has_kvm, 'kvm not loaded or not allowed')
+skipIfPython3 = unittest.skipIf(six.PY3, 'rdiff-backup is not compatible with Python 3 yet')
 if has_kvm:
  setUpModule, InstanceTestCase = makeModuleSetUpAndTestCaseClass(
@@ -327,6 +328,7 @@ class TestAccessKvmClusterAdditional(MonitorAccessMixin, InstanceTestCase):
    )
    self.assertIn('<title>noVNC</title>', result.text)
+@skipIfPython3
 @skipUnlessKvm
 class TestAccessKvmClusterBootstrap(MonitorAccessMixin, InstanceTestCase):
  __partition_reference__ = 'akcb'
@@ -365,6 +367,7 @@ class TestAccessKvmClusterBootstrap(MonitorAccessMixin, InstanceTestCase):
    )
    self.assertIn('<title>noVNC</title>', result.text)
+@skipIfPython3
 @skipUnlessKvm
 class TestInstanceResilient(InstanceTestCase):
  __partition_reference__ = 'ir'
@@ -392,6 +395,7 @@ class TestInstanceResilient(InstanceTestCase):
        'takeover-kvm-1-url',
        'url']))
+@skipIfPython3
 @skipUnlessKvm
 class TestAccessResilientAdditional(InstanceTestCase):
  __partition_reference__ = 'ara'

--- a/software/neoppod/buildout.hash.cfg
+++ b/software/neoppod/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [instance-common]
 filename = instance-common.cfg.in
-md5sum = 80599fcc6e5d07270d7900aebfd62139
+md5sum = 6da513940e5bf7d06b3fb0aeb39c8ad5
 [root-common]
 filename = root-common.cfg.in
@@ -30,7 +30,7 @@ md5sum = 9f27195d770b2f57461c60a82c851ab9
 [instance-neo]
 filename = instance-neo.cfg.in
-md5sum = 7642c760a2c5af3e3e81c2c54486d1a8
+md5sum = 74e0361f3ec3424c905acc4cd55fd8bf
 [template-neo-my-cnf]
 filename = my.cnf.in
@@ -46,4 +46,4 @@ md5sum = 5afd326de385563b5aeac81039f23341
 [runTestSuite.in]
 _update_hash_filename_ = runTestSuite.in
-md5sum = 7a0d5d259eb7f90fc0421d1264fbe7b5
+md5sum = 4e7f5b5230800a65c71310a518225119
--- a/software/neoppod/instance-common.cfg.in
+++ b/software/neoppod/instance-common.cfg.in
@@ -47,3 +47,6 @@ extra-context =
    raw template_mysqld_wrapper {{ template_mysqld_wrapper }}
    raw template_neo_my_cnf {{ template_neo_my_cnf }}
 {%- endif %}
+{%- if pypy_location is defined %}
+    raw pypy_location {{ pypy_location }}
+{%- endif %}
--- a/software/neoppod/instance-neo.cfg.in
+++ b/software/neoppod/instance-neo.cfg.in
@@ -184,6 +184,9 @@ context =
    section my_cnf_parameters my-cnf-parameters
    raw     bin_directory     {{ bin_directory }}
    raw     prepend_path      {{ mariadb_location }}/bin
+{%- if pypy_location is defined %}
+    raw     pypy_location     {{ pypy_location }}/bin/pypy
+{%- endif %}
 {%- if private_tmpfs %}
    key     datadir           my-cnf-parameters:data-directory
    key     results_directory directory:results

--- a/software/neoppod/runTestSuite.in
+++ b/software/neoppod/runTestSuite.in
@@ -115,10 +115,19 @@ def main():
      shutil.rmtree(temp)
    os.mkdir(temp)
-    args = [RUN_NEO_TESTS_COMMAND, '-ufz']
+    args = [RUN_NEO_TESTS_COMMAND,
+{%- if pypy_location is defined -%}
+            '-fz'
+{%- else -%}
+            '-ufz'
+{%- endif -%}
+            ]
    command = ' '.join(args)
    env = {'PATH': PATH,
           'TEMP': temp,
+{%- if pypy_location is defined %}
+           'NEO_PYPY': {{ repr(pypy_location) }},
+{%- endif %}
           'NEO_TESTS_ADAPTER': adapter,
           'NEO_TEST_ZODB_FUNCTIONAL': '1',
           'NEO_DB_USER': 'root'}

--- a/software/neoppod/software-common.cfg
+++ b/software/neoppod/software-common.cfg
@@ -144,8 +144,6 @@ ZODB = 4.4.5
 coverage = 4.5.1
 mock = 3.0.5
 ecdsa = 0.13
-msgpack = 0.5.6
-msgpack-python = 0.5.6
 mysqlclient = 1.3.12
 persistent = 4.5.0
 pycrypto = 2.6.1

--- a/software/neoppod/software-pypy.cfg
+++ b/software/neoppod/software-pypy.cfg
+[buildout]
+extends =
+    ../../component/pypy/buildout.cfg
+    software.cfg
+[instance-common]
+context +=
+    key pypy_location pypy2:location
--- a/software/neoppod/software-zodb5.cfg
+++ b/software/neoppod/software-zodb5.cfg
@@ -10,6 +10,9 @@ ZODB = 5.6.0
 ZEO = 5.2.0
 transaction = 2.4.0
+# BBB: ZEO
+msgpack = 0.5.6
 # Required by:
 # ZEO==5.2.0
 # trollius==2.2.post1

--- a/software/plantuml/software.cfg
+++ b/software/plantuml/software.cfg
@@ -27,8 +27,9 @@ output = ${buildout:directory}/${:_buildout_section_name_}
 [plantuml.war]
 recipe = slapos.recipe.build:download
-url = https://downloads.sourceforge.net/project/plantuml/1.2018.13/plantuml.1.2018.13.war
+url = https://sourceforge.net/projects/plantuml/files/1.2020.15/plantuml.1.2020.15.war
-md5sum = cda05c8163237de039d777c197b3d282
+md5sum = ed203cb3b90df8f77492fa36ea6490a5
 [versions]
 slapos.recipe.template = 4.4
--- a/software/plantuml/test/data/test_class_diagram.png
+++ b/software/plantuml/test/data/test_class_diagram.png
--- a/software/plantuml/test/data/test_sequence_diagram.png
+++ b/software/plantuml/test/data/test_sequence_diagram.png
--- a/software/plantuml/test/data/test_timing_diagram.png
+++ b/software/plantuml/test/data/test_timing_diagram.png
--- a/software/plantuml/test/test.py
+++ b/software/plantuml/test/test.py
@@ -87,6 +87,27 @@ class TestSimpleDiagram(PlantUMLTestCase, ImageComparisonTestCase):
    reference = Image.open(os.path.join(os.path.dirname(__file__), "data", "test_class_diagram.png"))
    self.assertImagesSimilar(Image.open(BytesIO(png)), reference)
+  def test_timing_diagram(self):
+    png = self.plantuml.processes(textwrap.dedent("""\
+    @startuml
+    robust "Web Browser" as WB
+    concise "Web User" as WU
+    @0
+    WU is Idle
+    WB is Idle
+    @100
+    WU is Waiting
+    WB is Processing
+    @300
+    WB is Waiting
+    @enduml
+    """))
+    reference = Image.open(os.path.join(os.path.dirname(__file__), "data", "test_timing_diagram.png"))
+    self.assertImagesSimilar(Image.open(BytesIO(png)), reference)
  def test_fonts(self):
    """Test slapos provided fonts are used"""
    png = self.plantuml.processes(textwrap.dedent("""\

--- a/software/powerdns/buildout.hash.cfg
+++ b/software/powerdns/buildout.hash.cfg
@@ -14,24 +14,24 @@
 # not need these here).
 [template]
 filename = instance.cfg
-md5sum = da8be58db4255c07750f7a7583eab3ca
+md5sum = fddea033e1aa9d6147a1a47bd7cc4b62
 [template-powerdns]
 filename = instance-powerdns.cfg
-md5sum = 681cd9564e491d1f7b7ccb810f8ca7df
+md5sum = 2adb91323d60fc350f52910a3257d4a7
 [template-pdns-configuration]
 _update_hash_filename_ = template/pdns.conf.jinja2
-md5sum = 7934b7037344678eff3031e1e73e0bb2
+md5sum = e45d72de87b4adb89c195ba463be4077
 [template-dns-replicate]
 _update_hash_filename_ = instance-powerdns-replicate.cfg.jinja2
-md5sum = 46acd4ed071df8d7139dcd0434be42eb
+md5sum = a23e241a236f90ae1afbb5bd5ba0b32d
 [iso-list]
 _update_hash_filename_ = template/zz.countries.nexedi.dk.rbldnsd
 md5sum = c4dc8c141d81b92d92cdb82ca67a13ee
-[template-cdn-conf]
+[template-zones-file]
-_update_hash_filename_ = template/cdn.conf.in
+_update_hash_filename_ = template/zones-file.yml.jinja2
-md5sum = 29c29f93b3b0bd2f71f86f7b337e4543
+md5sum = c820a4f53c3e7706f51a5e0be3a8cf74
--- a/software/powerdns/instance-powerdns-replicate.cfg.jinja2
+++ b/software/powerdns/instance-powerdns-replicate.cfg.jinja2
@@ -60,7 +60,7 @@ context =
 <= replicate
 name = {{dns_name}}
 {%   set state_key = "-dns-%s-state" % i %}
-{%   if slapparameter_dict.has_key(state_key) %}
+{%   if state_key in slapparameter_dict %}
 state = {{ slapparameter_dict.pop(state_key) }}
 {%   endif%}
 config-zone = {{ zone }}
@@ -95,7 +95,7 @@ monitor-url-list +=
 <= slap-connection
 recipe = slapos.cookbook:requestoptional
 {% set dns_software_url_key = "-dns-software-release-url" %}
-{% if slapparameter_dict.has_key(dns_software_url_key) %}
+{% if dns_software_url_key in slapparameter_dict %}
 software-url = {{ slapparameter_dict.pop(dns_software_url_key) }}
 {% else %}
 software-url = ${slap-connection:software-release-url}
@@ -104,7 +104,7 @@ software-type = {{dns_type}}
 return = private-ipv4 public-ipv4 slave-instance-information-list monitor-base-url
 config-server-admin = {{ server_admin }}
 config-ns-record = {{ ns_record }}
-{% for parameter, value in slapparameter_dict.iteritems() -%}
+{% for parameter, value in slapparameter_dict.items() -%}
 config-{{parameter}} = {{ value }}
 {% endfor -%}
 config-{{ slave_list_name }} = {{ json_module.dumps(slave_instance_list) }}
@@ -151,7 +151,7 @@ key_file = ${slap-connection:key-file}
 cert_file = ${slap-connection:cert-file}
 [slap-parameter]
-slave_instance_list =
+{% for k, v in slapparameter_dict.items() -%}
-dns-quantity = 1
+{{ k }} = {{ v }}
-dns-type = single-default
+{% endfor -%}
 {%- endif %}
--- a/software/powerdns/instance-powerdns.cfg
+++ b/software/powerdns/instance-powerdns.cfg
 {% if slap_software_type in software_type -%}
-{% set part_list =  [] %}
 # Create all needed directories
 [directory]
@@ -63,13 +62,12 @@ socket-directory = $${pdns-directory:socket}
 webserver-port = 8088
 [geo]
-ip-map-zonefile = ${iso-list:target}
+zones-file = $${zones-file-template:rendered}
-geo-maps = $${pdns-directory:geo-maps}
+database = ${geolite2-country:location}/GeoLite2-Country.mmdb
 [pdns-directory]
 recipe = slapos.cookbook:mkdirectory
 configuration = $${directory:etc}/pdns
-geo-maps = $${:configuration}/geo-maps
 socket = $${directory:run}/pdns-socket
 [pdns-configuration-template]
@@ -80,6 +78,39 @@ extra-context =
  section pdns pdns
  section geo geo
+[asia]
+japan = jp
+hong-kong = hk
+china-telecom = cn-t
+china-unicom = cn-u
+china-mobile = cn-m
+west-asia = ae af am az bh cc cy ge il iq ir jo kg kw kz lb om pk qa ru sa sy tj tm tr uz ye
+east-asia = bn bt cx id in io kh kp kr la lk mm mn mo mv my np ph sg th to tw vn
+[china]
+recipe = slapos.recipe.build
+iso-list = ${iso-list:target}
+init =
+  import re
+  ip_split = []
+  match = re.compile(r"(.*) :.*:(cn-\w)\n").fullmatch
+  with open(options["iso-list"]) as f:
+    for line in f:
+      m = match(line)
+      if m is None:
+        continue
+      ip_split.append(m.groups())
+  options["ip-split"] = ip_split
+[zones-file-template]
+< = jinja2-template-base
+template = ${template-zones-file:target}
+extensions = jinja2.ext.do
+rendered = $${pdns-directory:configuration}/zones-file.yml
+extra-context =
+  section asia asia
+  key china china:ip-split
 # Executables
 [pdns-server]
 recipe = slapos.cookbook:wrapper
@@ -117,29 +148,6 @@ monitor-url = $${monitor-publish-parameters:monitor-url}
 monitor-user = $${monitor-publish-parameters:monitor-user}
 monitor-password = $${monitor-publish-parameters:monitor-password}
-#####################
-# Power DNS Slave configuration
-#
-{% set slave_instance_list = json_module.loads(slapparameter_dict.get('extra_slave_instance_list', '[]')) %}
-# Iter through slave list to prepare configuration
-{% for slave in slave_instance_list %}
-{%   if 'record' in slave and 'origin' in slave and 'default' in slave %}
-{%     set slave_reference = slave.get('slave_reference') %}
-{%     set slave_section_name = 'map-configuration-%s' % slave_reference  %}
-{%     do part_list.append(slave_section_name) %}
-[{{ slave_section_name }}]
-< = jinja2-template-base
-template = ${template-cdn-conf:target}
-rendered = $${geo:geo-maps}/{{ slave_reference }}
-configuration = {{ json_module.dumps(slave) }}
-extra-context =
-  key json_cdn :configuration
-{%   endif %}
-{% endfor %}
-####################
 [buildout]
 parts =
  pdns-configuration-template
@@ -149,9 +157,6 @@ parts =
  pdns-promise-listen-port
  monitor-base
  publish-connection-informations
-{% for part in part_list %}
-{{ '  %s' % part }}
-{% endfor %}
 extends = ${monitor-template:output}

--- a/software/powerdns/instance.cfg
+++ b/software/powerdns/instance.cfg
@@ -8,10 +8,12 @@ offline = true
 [switch-softwaretype]
-recipe = slapos.cookbook:softwaretype
+recipe = slapos.cookbook:switch-softwaretype
-default = $${dynamic-powerdns-replicate:rendered}
+default = dynamic-powerdns-replicate:rendered
-single-default = $${dynamic-template-powerdns:rendered}
+single-default = dynamic-template-powerdns:rendered
+# BBB
+RootSoftwareInstance = $${:default}
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
@@ -21,9 +23,9 @@ context =
    import json_module json
    key eggs_directory buildout:eggs-directory
    key develop_eggs_directory buildout:develop-eggs-directory
-    key slap_software_type slap-parameters:slap-software-type
+    key slap_software_type slap-configuration:slap-software-type
-    key slapparameter_dict slap-parameters:configuration
+    key slapparameter_dict slap-configuration:configuration
-    key slave_instance_list slap-parameters:slave-instance-list
+    key slave_instance_list slap-configuration:slave-instance-list
    $${:extra-context}
 [dynamic-template-powerdns]
@@ -38,14 +40,14 @@ extra-context =
 [dynamic-powerdns-replicate]
 < = jinja2-template-base
 template = ${template-dns-replicate:target}
-filename = instance-apache-replicate.cfg
+filename = instance-powerdns-replicate.cfg
 extensions = jinja2.ext.do
 extra-context =
 # Must match the key id in [switch-softwaretype] which uses this section.
    raw software_type RootSoftwareInstance-default
    raw template_monitor ${monitor2-template:rendered}
-[slap-parameters]
+[slap-configuration]
 recipe = slapos.cookbook:slapconfiguration
 computer = $${slap-connection:computer-id}
 partition = $${slap-connection:partition-id}

--- a/software/powerdns/slave-instance-powerdns-input-schema.json
+++ b/software/powerdns/slave-instance-powerdns-input-schema.json
@@ -10,12 +10,12 @@
    },
    "origin": {
      "title": "Origin",
-      "description": "Used to qualify RR in the configuration. i.e.: if your origin is a.example.com and the RR for Europe is 'eu' the european clients will use eu.a.exmple.com",
+      "description": "Used to qualify RR in the configuration. i.e.: if your origin is a.example.com and the RR for Europe is 'eu' the european clients will use eu.a.example.com",
      "type": "string"
    },
    "default": {
      "title": "Default RR",
-      "description": "Defautl record to use when the ip is not regognized",
+      "description": "Default record to use when the ip is not recognized",
      "type": "string"
    },
    "europe": {

--- a/software/powerdns/software.cfg
+++ b/software/powerdns/software.cfg
@@ -10,10 +10,8 @@ parts =
  slapos-cookbook
  eggs
-[gcc]
+[python]
-# For old version of PowerDNS and Ragel.
+part = python3
-part = gcc-5.5
-max_version = 6
 [eggs]
 recipe = zc.recipe.egg
@@ -47,7 +45,7 @@ recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/${:_update_hash_filename_}
 mode = 0644
-[template-cdn-conf]
+[template-zones-file]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/${:_update_hash_filename_}
 mode = 0644

--- a/software/powerdns/template/cdn.conf.in
+++ b/software/powerdns/template/cdn.conf.in
-{% set cdn = json_module.loads(json_cdn) %}
-$RECORD {{ cdn.get('record') }}
-$ORIGIN {{ cdn.get('origin') }}
-0 {{ cdn.get('default')}}
-# Andorra
-20 {{ cdn.get('europe', 'eu') }}
-# United Arab Emirates
-784 {{ cdn.get('west-asia', 'as') }}
-# Afghanistan
-4 {{ cdn.get('west-asia', 'as') }}
-# Antigua and Barbuda
-28 {{ cdn.get('south-america', 'sa') }}
-# Anguilla
-660 {{ cdn.get('south-america', 'sa') }}
-# Albania
-8 {{ cdn.get('europe', 'eu') }}
-# Armenia
-51 {{ cdn.get('west-asia', 'as') }}
-# Netherlands Antilles
-530 {{ cdn.get('south-america', 'sa') }}
-# Angola
-24 {{ cdn.get('africa', 'af') }}
-# Antarctica
-10 {{ cdn.get('europe', 'eu') }}
-# Argentina
-32 {{ cdn.get('south-america', 'sa') }}
-# American Samoa
-16 {{ cdn.get('oceania', 'oc') }}
-# Austria
-40 {{ cdn.get('europe', 'eu') }}
-# Australia
-36 {{ cdn.get('oceania', 'oc') }}
-# Aruba
-533 {{ cdn.get('south-america', 'sa') }}
-# Azerbaijan
-31 {{ cdn.get('west-asia', 'as') }}
-# Bosnia and Herzegovina
-70 {{ cdn.get('europe', 'eu') }}
-# Barbados
-52 {{ cdn.get('south-america', 'sa') }}
-# Bangladesh
-50 {{ cdn.get('east-asia', 'as') }}
-# Belgium
-56 {{ cdn.get('europe', 'eu') }}
-# Burkina Faso
-854 {{ cdn.get('africa', 'af') }}
-# Bulgaria
-100 {{ cdn.get('europe', 'eu') }}
-# Bahrain
-48 {{ cdn.get('west-asia', 'as') }}
-# Burundi
-108 {{ cdn.get('africa', 'af') }}
-# Benin
-204 {{ cdn.get('africa', 'af') }}
-# Bermuda
-60 {{ cdn.get('south-america', 'sa') }}
-# Brunei Darussalam
-96 {{ cdn.get('east-asia', 'as') }}
-# Bolivia
-68 {{ cdn.get('south-america', 'sa') }}
-# Brazil
-76 {{ cdn.get('south-america', 'sa') }}
-# Bahamas
-44 {{ cdn.get('south-america', 'sa') }}
-# Bhutan
-64 {{ cdn.get('east-asia', 'as') }}
-# Bouvet Island
-74 {{ cdn.get('africa', 'af') }}
-# Botswana
-72 {{ cdn.get('africa', 'af') }}
-# Belarus
-112 {{ cdn.get('europe', 'eu') }}
-# Belize
-84 {{ cdn.get('south-america', 'sa') }}
-# Canada
-124 {{ cdn.get('north-america', 'na') }}
-# Cocos (Keeling) Islands
-166 {{ cdn.get('west-asia', 'as') }}
-# Congo, The Democratic Republic of the
-178 {{ cdn.get('africa', 'af') }}
-# Central African Republic
-140 {{ cdn.get('africa', 'af') }}
-# Switzerland
-756 {{ cdn.get('europe', 'eu') }}
-# Cote D'Ivoire
-384 {{ cdn.get('africa', 'af') }}
-# Cook Islands
-184 {{ cdn.get('oceania', 'oc') }}
-# Chile
-152 {{ cdn.get('south-america', 'sa') }}
-# Cameroon
-120 {{ cdn.get('africa', 'af') }}
-# China telecom
-155 {{ cdn.get('china-telecom', 'cn-t') }}
-#china unicom
-156 {{ cdn.get('china-unicom', 'cn-u') }}
-#china mobile
-157 {{ cdn.get('china-mobile', 'cn-m') }}
-# Colombia
-170 {{ cdn.get('south-america', 'sa') }}
-# Costa Rica
-188 {{ cdn.get('south-america', 'sa') }}
-# Cuba
-192 {{ cdn.get('south-america', 'sa') }}
-# Cape Verde
-132 {{ cdn.get('africa', 'af') }}
-# Christmas Island
-162 {{ cdn.get('east-asia', 'as') }}
-# Cyprus
-196 {{ cdn.get('west-asia', 'as') }}
-# Czech Republic
-203 {{ cdn.get('europe', 'eu') }}
-# Germany
-276 {{ cdn.get('europe', 'eu') }}
-# Djibouti
-262 {{ cdn.get('africa', 'af') }}
-# Denmark
-208 {{ cdn.get('europe', 'eu') }}
-# Dominica
-212 {{ cdn.get('south-america', 'sa') }}
-# Dominican Republic
-214 {{ cdn.get('south-america', 'sa') }}
-# Algeria
-12 {{ cdn.get('africa', 'af') }}
-# Ecuador
-218 {{ cdn.get('south-america', 'sa') }}
-# Estonia
-233 {{ cdn.get('europe', 'eu') }}
-# Egypt
-818 {{ cdn.get('africa', 'af') }}
-# Western Sahara
-732 {{ cdn.get('africa', 'af') }}
-# Eritrea
-232 {{ cdn.get('africa', 'af') }}
-# Spain
-724 {{ cdn.get('europe', 'eu') }}
-# Ethiopia
-210 {{ cdn.get('africa', 'af') }}
-# Finland
-246 {{ cdn.get('europe', 'eu') }}
-# Fiji
-242 {{ cdn.get('oceania', 'oc') }}
-# Falkland Islands (Malvinas)
-238 {{ cdn.get('south-america', 'sa') }}
-# Micronesia, Federated States of
-583 {{ cdn.get('oceania', 'oc') }}
-# Faroe Islands
-234 {{ cdn.get('europe', 'eu') }}
-# France
-250 {{ cdn.get('europe', 'eu') }}
-# France, Metropolitan
-249 {{ cdn.get('europe', 'eu') }}
-# Gabon
-266 {{ cdn.get('africa', 'af') }}
-# United Kingdom
-826 {{ cdn.get('europe', 'eu') }}
-# Grenada
-308 {{ cdn.get('south-america', 'sa') }}
-# Georgia
-268 {{ cdn.get('west-asia', 'as') }}
-# French Guiana
-254 {{ cdn.get('south-america', 'sa') }}
-# Ghana
-288 {{ cdn.get('africa', 'af') }}
-# Gibraltar
-292 {{ cdn.get('europe', 'eu') }}
-# Greenland
-304 {{ cdn.get('south-america', 'sa') }}
-# Gambia
-270 {{ cdn.get('africa', 'af') }}
-# Guinea
-324 {{ cdn.get('africa', 'af') }}
-# Guadeloupe
-312 {{ cdn.get('south-america', 'sa') }}
-# Equatorial Guinea
-226 {{ cdn.get('africa', 'af') }}
-# Greece
-300 {{ cdn.get('europe', 'eu') }}
-# Guatemala
-320 {{ cdn.get('south-america', 'sa') }}
-# Guam
-316 {{ cdn.get('oceania', 'oc') }}
-# Guinea-Bissau
-624 {{ cdn.get('africa', 'af') }}
-# Guyana
-328 {{ cdn.get('south-america', 'sa') }}
-# Hong Kong
-344 {{ cdn.get('hong-kong', 'hk') }}
-# Heard Island and McDonald Islands
-334 {{ cdn.get('africa', 'af') }}
-# Honduras
-340 {{ cdn.get('south-america', 'sa') }}
-# Croatia
-191 {{ cdn.get('europe', 'eu') }}
-# Haiti
-332 {{ cdn.get('south-america', 'sa') }}
-# Hungary
-348 {{ cdn.get('europe', 'eu') }}
-# Indonesia
-360 {{ cdn.get('east-asia', 'as') }}
-# Ireland
-372 {{ cdn.get('europe', 'eu') }}
-# Israel
-376 {{ cdn.get('west-asia', 'as') }}
-# India
-356 {{ cdn.get('east-asia', 'as') }}
-# British Indian Ocean Territory
-86 {{ cdn.get('east-asia', 'as') }}
-# Iraq
-368 {{ cdn.get('west-asia', 'as') }}
-# Iran, Islamic Republic of
-364 {{ cdn.get('west-asia', 'as') }}
-# Iceland
-352 {{ cdn.get('europe', 'eu') }}
-# Italy
-380 {{ cdn.get('europe', 'eu') }}
-# Jamaica
-388 {{ cdn.get('south-america', 'sa') }}
-# Jordan
-400 {{ cdn.get('west-asia', 'as') }}
-# Japan
-392 {{ cdn.get('japan', 'jp') }}
-# Kenya
-404 {{ cdn.get('africa', 'af') }}
-# Kyrgyzstan
-417 {{ cdn.get('west-asia', 'as') }}
-# Cambodia
-116 {{ cdn.get('east-asia', 'as') }}
-# Kiribati
-296 {{ cdn.get('oceania', 'oc') }}
-# Comoros
-174 {{ cdn.get('africa', 'af') }}
-# Saint Kitts and Nevis
-659 {{ cdn.get('south-america', 'sa') }}
-# Korea, Democratic People's Republic of
-408 {{ cdn.get('east-asia', 'as') }}
-# Korea, Republic of
-410 {{ cdn.get('east-asia', 'as') }}
-# Kuwait
-414 {{ cdn.get('west-asia', 'as') }}
-# Cayman Islands
-136 {{ cdn.get('south-america', 'sa') }}
-# Kazakhstan
-398 {{ cdn.get('west-asia', 'as') }}
-# Lao People's Democratic Republic
-418 {{ cdn.get('east-asia', 'as') }}
-# Lebanon
-422 {{ cdn.get('west-asia', 'as') }}
-# Saint Lucia
-662 {{ cdn.get('south-america', 'sa') }}
-# Liechtenstein
-438 {{ cdn.get('europe', 'eu') }}
-# Sri Lanka
-144 {{ cdn.get('east-asia', 'as') }}
-# Liberia
-430 {{ cdn.get('africa', 'af') }}
-# Lesotho
-426 {{ cdn.get('africa', 'af') }}
-# Lithuania
-440 {{ cdn.get('europe', 'eu') }}
-# Luxembourg
-442 {{ cdn.get('europe', 'eu') }}
-# Latvia
-428 {{ cdn.get('europe', 'eu') }}
-# Libyan Arab Jamahiriya
-434 {{ cdn.get('africa', 'af') }}
-# Morocco
-504 {{ cdn.get('africa', 'af') }}
-# Monaco
-492 {{ cdn.get('europe', 'eu') }}
-# Moldova, Republic of
-498 {{ cdn.get('europe', 'eu') }}
-# Madagascar
-450 {{ cdn.get('africa', 'af') }}
-# Marshall Islands
-584 {{ cdn.get('oceania', 'oc') }}
-# Macedonia, the Former Yugoslav Republic of
-807 {{ cdn.get('europe', 'eu') }}
-# Mali
-466 {{ cdn.get('africa', 'af') }}
-# Myanmar
-104 {{ cdn.get('east-asia', 'as') }}
-# Mongolia
-496 {{ cdn.get('east-asia', 'as') }}
-# Macao
-446 {{ cdn.get('east-asia', 'as') }}
-# Northern Mariana Islands
-580 {{ cdn.get('oceania', 'oc') }}
-# Martinique
-474 {{ cdn.get('south-america', 'sa') }}
-# Mauritania
-478 {{ cdn.get('africa', 'af') }}
-# Montserrat
-500 {{ cdn.get('south-america', 'sa') }}
-# Malta
-470 {{ cdn.get('europe', 'eu') }}
-# Mauritius
-480 {{ cdn.get('africa', 'af') }}
-# Maldives
-462 {{ cdn.get('east-asia', 'as') }}
-# Malawi
-454 {{ cdn.get('africa', 'af') }}
-# Mexico
-484 {{ cdn.get('north-america', 'na') }}
-# Malaysia
-458 {{ cdn.get('east-asia', 'as') }}
-# Mozambique
-508 {{ cdn.get('africa', 'af') }}
-# Namibia
-516 {{ cdn.get('africa', 'af') }}
-# New Caledonia
-540 {{ cdn.get('oceania', 'oc') }}
-# Niger
-562 {{ cdn.get('africa', 'af') }}
-# Norfolk Island
-574 {{ cdn.get('oceania', 'oc') }}
-# Nigeria
-566 {{ cdn.get('africa', 'af') }}
-# Nicaragua
-558 {{ cdn.get('south-america', 'sa') }}
-# Netherlands
-528 {{ cdn.get('europe', 'eu') }}
-# Norway
-578 {{ cdn.get('europe', 'eu') }}
-# Nepal
-524 {{ cdn.get('east-asia', 'as') }}
-# Nauru
-520 {{ cdn.get('oceania', 'oc') }}
-# Niue
-570 {{ cdn.get('oceania', 'oc') }}
-# New Zealand
-554 {{ cdn.get('oceania', 'oc') }}
-# Oman
-512 {{ cdn.get('west-asia', 'as') }}
-# Panama
-591 {{ cdn.get('south-america', 'sa') }}
-# Peru
-604 {{ cdn.get('south-america', 'sa') }}
-# French Polynesia
-258 {{ cdn.get('oceania', 'oc') }}
-# Papua New Guinea
-598 {{ cdn.get('oceania', 'oc') }}
-# Philippines
-608 {{ cdn.get('east-asia', 'as') }}
-# Pakistan
-586 {{ cdn.get('west-asia', 'as') }}
-# Poland
-616 {{ cdn.get('europe', 'eu') }}
-# Saint Pierre and Miquelon
-666 {{ cdn.get('south-america', 'sa') }}
-# Pitcairn
-612 {{ cdn.get('oceania', 'oc') }}
-# Puerto Rico
-630 {{ cdn.get('south-america', 'sa') }}
-# Portugal
-620 {{ cdn.get('europe', 'eu') }}
-# Palau
-585 {{ cdn.get('oceania', 'oc') }}
-# Paraguay
-600 {{ cdn.get('south-america', 'sa') }}
-# Qatar
-634 {{ cdn.get('west-asia', 'as') }}
-# Reunion
-638 {{ cdn.get('africa', 'af') }}
-# Romania
-642 {{ cdn.get('europe', 'eu') }}
-# Russian Federation
-643 {{ cdn.get('west-asia', 'as') }}
-# Rwanda
-646 {{ cdn.get('africa', 'af') }}
-# Saudi Arabia
-682 {{ cdn.get('west-asia', 'as') }}
-# Solomon Islands
-90 {{ cdn.get('oceania', 'oc') }}
-# Seychelles
-690 {{ cdn.get('africa', 'af') }}
-# Sudan
-736 {{ cdn.get('africa', 'af') }}
-# Sweden
-752 {{ cdn.get('europe', 'eu') }}
-# Singapore
-702 {{ cdn.get('east-asia', 'as') }}
-# Saint Helena
-654 {{ cdn.get('africa', 'af') }}
-# Slovenia
-705 {{ cdn.get('europe', 'eu') }}
-# Svalbard and Jan Mayen
-744 {{ cdn.get('europe', 'eu') }}
-# Slovakia
-703 {{ cdn.get('europe', 'eu') }}
-# Sierra Leone
-694 {{ cdn.get('africa', 'af') }}
-# San Marino
-674 {{ cdn.get('europe', 'eu') }}
-# Senegal
-686 {{ cdn.get('africa', 'af') }}
-# Somalia
-706 {{ cdn.get('africa', 'af') }}
-# Suriname
-740 {{ cdn.get('south-america', 'sa') }}
-# Sao Tome and Principe
-678 {{ cdn.get('africa', 'af') }}
-# El Salvador
-222 {{ cdn.get('south-america', 'sa') }}
-# Syrian Arab Republic
-760 {{ cdn.get('west-asia', 'as') }}
-# Swaziland
-748 {{ cdn.get('africa', 'af') }}
-# Turks and Caicos Islands
-796 {{ cdn.get('south-america', 'sa') }}
-# Chad
-148 {{ cdn.get('africa', 'af') }}
-# French Southern Territories
-260 {{ cdn.get('africa', 'af') }}
-# Togo
-768 {{ cdn.get('africa', 'af') }}
-# Thailand
-764 {{ cdn.get('east-asia', 'as') }}
-# Tajikistan
-762 {{ cdn.get('west-asia', 'as') }}
-# Tokelau
-772 {{ cdn.get('oceania', 'oc') }}
-# Turkmenistan
-795 {{ cdn.get('west-asia', 'as') }}
-# Tonga
-788 {{ cdn.get('oceania', 'oc') }}
-# East Timor
-776 {{ cdn.get('east-asia', 'as') }}
-# Turkey
-792 {{ cdn.get('west-asia', 'as') }}
-# Trinidad and Tobago
-780 {{ cdn.get('south-america', 'sa') }}
-# Tuvalu
-798 {{ cdn.get('oceania', 'oc') }}
-# Taiwan
-158 {{ cdn.get('east-asia', 'as') }}
-# Tanzania, United Republic of
-834 {{ cdn.get('africa', 'af') }}
-# Ukraine
-804 {{ cdn.get('europe', 'eu') }}
-# Uganda
-800 {{ cdn.get('africa', 'af') }}
-# United States Minor Outlying Islands
-581 {{ cdn.get('oceania', 'oc') }}
-# United States
-840 {{ cdn.get('north-america', 'na') }}
-# Uruguay
-858 {{ cdn.get('south-america', 'sa') }}
-# Uzbekistan
-860 {{ cdn.get('west-asia', 'as') }}
-# Holy See (Vatican City State)
-336 {{ cdn.get('europe', 'eu') }}
-# Saint Vincent and the Grenadines
-670 {{ cdn.get('south-america', 'sa') }}
-# Venezuela
-862 {{ cdn.get('south-america', 'sa') }}
-# Virgin Islands, British
-92 {{ cdn.get('south-america', 'sa') }}
-# Virgin Islands, U.S.
-850 {{ cdn.get('south-america', 'sa') }}
-# Vietnam
-704 {{ cdn.get('east-asia', 'as') }}
-# Vanuatu
-548 {{ cdn.get('oceania', 'oc') }}
-# Wallis and Futuna
-876 {{ cdn.get('oceania', 'oc') }}
-# Samoa
-882 {{ cdn.get('oceania', 'oc') }}
-# Yemen
-887 {{ cdn.get('west-asia', 'as') }}
-# Mayotte
-175 {{ cdn.get('africa', 'af') }}
-# Yugoslavia
-891 {{ cdn.get('europe', 'eu') }}
-# South Africa
-710 {{ cdn.get('africa', 'af') }}
-# Zambia
-894 {{ cdn.get('africa', 'af') }}
-# Zaire
-180 {{ cdn.get('africa', 'af') }}
-# Zimbabwe
-716 {{ cdn.get('africa', 'af') }}
--- a/software/powerdns/template/pdns.conf.jinja2
+++ b/software/powerdns/template/pdns.conf.jinja2
@@ -31,7 +31,8 @@ cache-ttl=0
 # things are working. :)
 log-dns-details=yes
 log-dns-queries=yes
-log-failed-updates=yes
+# https://github.com/PowerDNS/pdns/commit/df9d980
+# log-failed-updates=yes
 loglevel=4
 # This disables wildcards which is more efficient.  geobackend doesn't use
@@ -40,52 +41,11 @@ loglevel=4
 # wildcards=no
 # The geobackend
-launch=geo
+launch=geoip
-# The zone that your geo-balanced RR is inside of.  The whole zone has to be
+edns-subnet-processing=yes
-# delegated to the PowerDNS backend, so you will generally want to make up some
-# subzone of your main zone.  We chose "geo.blitzed.org".
-#
-geo-zone={{ slapparameter_dict.get('zone', 'example.com') }}
-# The only parts of the SOA for "geo.blitzed.org" that apply here are the
-# master server name and the contact address.
-geo-soa-values={{ slapparameter_dict.get('soa', 'ns0.example.com,admin@example.com') }}
-# List of NS records of the PowerDNS servers that are authoritative for your
-# GLB zone.
-geo-ns-records={{ slapparameter_dict.get('ns-record', 'ns0.example.com,ns1.example.com') }}
-# The TTL of the CNAME records that geobackend will return.  Since the same
-# resolver will always get the same CNAME (apart from if the director-map
-# changes) it is safe to return a reasonable TTL, so if you leave this
-# commented then a sane default will be chosen.
-#geo-ttl=3600
-# The TTL of the NS records that will be returned.  Leave this commented if you
-# don't understand.
-#geo-ns-ttl=86400
-# This is the real guts of the data that drives this backend.  This is a DNS
-# zone file for RBLDNSD, a nameserver specialised for running large DNS zones
-# typical of DNSBLs and such.  We choose it for our data because it is easier
-# to parse than the BIND-format one.
-#
-# Anyway, it comes from http://countries.nerd.dk/more.html - there are details
-# there for how to rsync your own copy.  You'll want to do that regularly,
-# every couple of days maybe.  We believe the nerd.dk guys take the netblock
-# info from Regional Internet Registries (RIRs) like RIPE, ARIN, APNIC.  From
-# that they build a big zonefile of IP/prefixlen -> ISO-country-code mappings.
-geo-ip-map-zonefile={{  geo.get('ip-map-zonefile') }}
-# And finally this last directive tells the geobackend where to find the map
+geoip-database-files={{ geo['database'] }}
-# files that say a) which RR to answer for, and b) what actual resource record
+geoip-zones-file={{ geo['zones-file'] }}
-# to return for each ISO country code.  The setting here is a comma-separated
-# list of paths, each of which may either be a single map file or a directory
-# that will contain map files.  If you are only ever going to serve one RR then
-# a single file is probably better, but if you're going to serve many then a
-# directory would probably be better.  The rest of this documentation will
-# assume you chose a directory.
-geo-maps={{  geo.get('geo-maps') }}
 # -------------------------------------------------------------------------
\ No newline at end of file
--- a/software/powerdns/template/zones-file.yml.jinja2
+++ b/software/powerdns/template/zones-file.yml.jinja2
+# See https://doc.powerdns.com/authoritative/backends/geoip.html
+{%- set slave_instance_list = json_module.loads(slapparameter_dict.get('extra_slave_instance_list', '[]')) %}
+{%- set zone = slapparameter_dict.get('zone', 'example.com') %}
+{%- macro disambiguate_domain_name(a, b) %}
+{#- See http://www.dns-sd.org/trailingdotsindomainnames.html #}
+{%- if a.endswith('.') %}
+{{- a[:-1] }}
+{%- else %}
+{{- a }}.{{ b }}
+{%- endif %}
+{%- endmacro %}
+domains:
+- domain: {{ zone }}
+  # TODO: what value for ttl?
+  ttl: 300
+  # Note: For each domain, one record of the domain name MUST exist with a soa record.
+  records:
+    {{ zone }}:
+      - soa: {{ slapparameter_dict.get('soa', 'ns0.example.com,admin@example.com').replace(',', ' ') }}
+      {%- for ns in slapparameter_dict.get('ns-record', 'ns0.example.com,ns1.example.com').split(',') %}
+      - ns: {{ ns }}
+      {%- endfor %}
+    {#- Split the world the way we prefer. 'GeoLite2-Country.mmdb' divides the
+        world into 7 continents: Oceania, Asia, Europe, South America,
+        North America, Africa and Antarctica. However, we also want a more
+        fine-grained division for Asia, i.e. West/East, China, Hong-Kong and
+        Japan. #}
+    {%- set world_split = {
+          "continent": {
+            "eu": "europe",
+            "af": "africa",
+            "sa": "south-america",
+            "na": "north-america",
+            "oc": "oceania",
+          },
+          "country": {}} %}
+    {%- for region, codes in asia.items() %}
+    {%-   for country_code in codes.split() %}
+    {%-     do world_split["country"].__setitem__(country_code, region) %}
+    {%-   endfor %}
+    {%- endfor %}
+    {%- for slave in slave_instance_list %}
+    {#-   Set the RR to use for each region, as described in
+          'slave-instance-powerdns-input-schema.json' #}
+    {%-   set rr_dict = {} %}
+    {%-   for region, default_rr in {"europe": "eu",
+                                     "africa": "af",
+                                     "south-america": "sa",
+                                     "north-america": "na",
+                                     "china-telecom": "cn-t",
+                                     "china-unicom": "cn-u",
+                                     "china-mobile": "cn-m",
+                                     "japan": "jp",
+                                     "hong-kong": "hk",
+                                     "east-asia": "as",
+                                     "west-asia": "eu",
+                                     "oceania": "oc"}.items() %}
+    {%-     do rr_dict.__setitem__(region, slave.get(region, default_rr)) %}
+    {%-   endfor %}
+    {#-   'code2region' maps an ISO3166 country/continent code (i.e. the client
+          origin) to a geographical region. The latter is then used to find the
+          right RR (thanks to 'rr_dict') #}
+    {%-   for placeholder, code2region in world_split.items() %}
+    {%-     for code, region in code2region.items() %}
+    {%-       set origin = slave['origin'] %}
+    {{ code }}.{{ placeholder }}.{{ origin }}:
+      - cname: {{ disambiguate_domain_name(rr_dict[region], origin) }}
+    {%-     endfor %}
+    {%-   endfor %}
+    {%- endfor %}
+  services:
+    {%- for slave in slave_instance_list %}
+    {%-   set origin = slave['origin'] %}
+    {{ disambiguate_domain_name(slave['record'], zone) }}:
+      {#- Note: Placeholders (i.e. "country." and "continent.") are used to avoid
+          possible name collisions, e.g.:
+          - %cc for American Samoa is 'as'
+          - %cn for Asia is also 'as' #}
+      default: ['%cc.country.{{ origin }}', '%cn.continent.{{ origin }}', '{{ disambiguate_domain_name(slave['default'], origin) }}']
+      # Split China's ip addresses according to ISP
+      {%- for ip_range, country_code in china %}
+      {{ ip_range }}: {{ country_code }}.country.{{ origin }}
+      {%- endfor %}
+    {%- endfor %}
--- a/software/repman/buildout.hash.cfg
+++ b/software/repman/buildout.hash.cfg
@@ -18,15 +18,15 @@ md5sum = b41f521b5f7980c64260ed0e5c494450
 [instance-repman.cfg]
 _update_hash_filename_ = instance-repman.cfg.jinja2.in
-md5sum = 7dbaace0d7db0e26d582ad17f36ac9cd
+md5sum = 657ecdb1dfbbcf53e4e7932b3b5708c4
 [config-toml.in]
 _update_hash_filename_ = templates/config.toml.in
-md5sum = 5cfa75ca5a0048a050c0041dfe541f3d
+md5sum = 19fe38a342a5c9857e29f78eedb3c46e
 [config-cluster-toml.in]
 _update_hash_filename_ = templates/cluster-config.toml.in
-md5sum = d2e79a9435082d9420281b4f59a5d464
+md5sum = 079599a2841b5a0d5178bb12c4a30ae8
 [nginx.conf.in]
 _update_hash_filename_ = templates/nginx.conf.in

--- a/software/repman/instance-repman-input-schema.json
+++ b/software/repman/instance-repman-input-schema.json
@@ -37,7 +37,7 @@
    "computer-memory-percent-threshold": {
      "title": "Computer memory percent threshold.",
      "description": "Computer memory percent threshold.",
-			"type": "int",
+      "type": "integer",
      "default": 80
    },
    "monitor-interface-url": {
@@ -61,9 +61,15 @@
    },
    "mail-smtp-addr": {
      "title": "Mail SMTP address",
-			"description": "Mail SMTP address. Default: localhost:25",
+      "description": "Mail SMTP address. Default: localhost",
      "type": "string",
-			"default": "localhost:25"
+      "default": "localhost"
+    },
+    "mail-smtp-port": {
+      "title": "Mail SMTP port",
+      "description": "Mail SMTP port. Default: 25",
+      "type": "integer",
+      "default": "25"
    },
    "mail-smtp-password": {
      "title": "Mail SMTP password",
@@ -84,10 +90,31 @@
      "default": ""
    },
    "tags": {
-			"title": "Provisioning db tags",
+      "title": "Provisioning db tag list",
-			"description": "Provisioning db tags",
+      "description": "Provisioning db tags. Set one tag per line.",
-			"type": "string",
+      "type": "array",
-			"default": "gtidstrict,bind,pkg,innodb,noquerycache,slow,pfs,linux,readonly,diskmonitor,sqlerror,compressbinlog,bm4ci,mroonga,utctime,readcommitted,nohandshake"
+      "items": {
+        "type": "string"
+      },
+      "default": [
+        "gtidstrict",
+        "bind",
+        "pkg",
+        "innodb",
+        "noquerycache",
+        "slow",
+        "pfs",
+        "linux",
+        "readonly",
+        "diskmonitor",
+        "sqlerror",
+        "compressbinlog",
+        "bm4ci",
+        "mroonga",
+        "utctime",
+        "readcommitted",
+        "nohandshake"
+      ]
    },
    "http-session-lifetime": {
      "title": "Web Session life time in s",
@@ -169,10 +196,18 @@
              "default": "external"
            },
            "proxy-tags": {
-							"title": "Proxy tags",
+              "title": "Proxy tag list",
-							"description": "playbook configuration tags. Default: pkg,masterslave,linux,noreadwritesplit",
+              "description": "playbook configuration tags. Default: [\"pkg\", \"masterslave\", \"linux\", \"noreadwritesplit\"]",
-							"type": "string",
+              "type": "array",
-							"default": "pkg,masterslave,linux,noreadwritesplit"
+              "items": {
+                "type": "string"
+              },
+              "default": [
+                "pkg",
+                "masterslave",
+                "linux",
+                "noreadwritesplit"
+              ]
            },
            "logical-backup-cron": {
              "title": "Mysqldump backup cron definition.",
@@ -222,16 +257,36 @@
              "multipleOf": 256
            },
            "db-memory-shared-pct": {
-							"title": "Percent memory shared per buffer",
+              "title": "Percent memory list shared per buffer",
-							"description": "Percent memory shared per buffer (default \"threads:16,innodb:60,myisam:10,aria:10,rocksdb:1,tokudb:1,s3:1,archive:1,querycache:0\")",
+              "description": "Percent memory shared per buffer. Default: [\"threads:16\", \"innodb:60\", \"myisam:10\", \"aria:10\", \"rocksdb:1\", \"tokudb:1\", \"s3:1\", \"archive:1\", \"querycache:0\"]",
-							"type": "string",
+              "type": "array",
-							"default": "threads:16,innodb:60,myisam:10,aria:10,rocksdb:1,tokudb:1,s3:1,archive:1,querycache:0"
+              "items": {
+                "type": "string"
+              },
+              "default": [
+                "threads:16",
+                "innodb:60",
+                "myisam:10",
+                "aria:10",
+                "rocksdb:1",
+                "tokudb:1",
+                "s3:1",
+                "archive:1",
+                "querycache:0"
+              ]
            },
            "db-memory-threaded-pct": {
              "title": "Percent memory allocted per threads",
-							"description": "Percent memory allocted per threads. (default \"tmp:70,join:20,sort:10\")",
+              "description": "Percent memory allocted per threads. Default: [\"tmp:70\", \"join:20\", \"sort:10\"]",
-							"type": "string",
+              "type": "array",
-							"default": "tmp:70,join:20,sort:10"
+              "items": {
+                "type": "string"
+              },
+              "default": [
+                "tmp:70",
+                "join:20",
+                "sort:10"
+              ]
            },
            "innodb-file-per-table": {
              "title": "enable Innodb file per table",
@@ -256,7 +311,6 @@
                "manual",
                "automatic"
              ]
            },
            "failover-limit": {
              "title": "Failover amount limit",

--- a/software/repman/instance-repman.cfg.jinja2.in
+++ b/software/repman/instance-repman.cfg.jinja2.in
@@ -8,7 +8,7 @@
 {% set ip = (ipv6_set | list)[0] -%}
 {% set ipv4 = (ipv4_set | list)[0] -%}
 {% set cluster_list = [] -%}
-{% set tags = "gtidstrict,bind,pkg,innodb,noquerycache,slow,pfs,linux,readonly,diskmonitor,sqlerror,compressbinlog,bm4ci,mroonga,utctime,readcommitted,nohandshake" -%}
+{% set tag_list = ["gtidstrict", "bind", "pkg", "innodb", "noquerycache", "slow", "pfs", "linux", "readonly", "diskmonitor", "sqlerror", "compressbinlog", "bm4ci", "mroonga", "utctime", "readcommitted", "nohandshake"] -%}
 {% set frontend_parameter_dict = slapparameter_dict.get('slave-frontend', {}) -%}
 [directory]
@@ -60,7 +60,7 @@ mode = 755
 {% do mariadb_dict.__setitem__('computer-memory-percent-threshold', 80) -%}
 {% set default_parameter_dict = {"cluster1": {"name": "cluster1", "db-prefered-master": "",
-  "database-amount": 2, "proxysql-user": "external", "proxy-tags": "pkg,masterslave,linux,noreadwritesplit",
+  "database-amount": 2, "proxysql-user": "external",
  "logical-backup-cron": "0 21 * * *", "physical-backup-cron": "0 1 * * *"}} -%}
 {% for name, parameter_dict in slapparameter_dict.get('repman-cluster-dict', default_parameter_dict).items() -%}
@@ -150,7 +150,8 @@ proxysql-servers-ipv6 = [{{ ip }}]
 password = ${repman-parameter:password}
 proxysql-partition = ${buildout:directory}
 receiver-port-list = {{ receiver_port_list | join(',') }}
-proxy-tags = {{ parameter_dict.get("proxy-tags", "pkg,masterslave,linux,noreadwritesplit") }}
+enabled-tags = {{ slapparameter_dict.get("tag-list", tag_list) | join(',') }}
+proxy-tags = {{ parameter_dict.get("proxy-tags", ["pkg", "masterslave", "linux", "noreadwritesplit"]) | join(',') }}
 logical-backup-cron = {{ parameter_dict.get("logical-backup-cron", "0 22 * * *") }}
 physical-backup-cron = {{ parameter_dict.get("physical-backup-cron", "0 0 * * *") }}
 proxy-cpu-cores = {{ parameter_dict.get("proxy-cpu-cores", 2) }}
@@ -158,8 +159,8 @@ proxy-memory = {{ parameter_dict.get("proxy-memory", 1) }}
 db-cpu-cores = {{ parameter_dict.get("db-cpu-cores", 2) }}
 db-disk-iops = {{ parameter_dict.get("db-disk-iops", 300) }}
 db-memory = {{ parameter_dict.get("db-memory", 256) }}
-db-memory-shared-pct = {{ parameter_dict.get("db-memory-shared-pct", "threads:16,innodb:60,myisam:10,aria:10,rocksdb:1,tokudb:1,s3:1,archive:1,querycache:0") }}
+db-memory-shared-pct = {{ parameter_dict.get("db-memory-shared-pct", ["threads:16", "innodb:60", "myisam:10", "aria:10", "rocksdb:1", "tokudb:1", "s3:1", "archive:1", "querycache:0"]) | join(',') }}
-db-memory-threaded-pct = {{ parameter_dict.get("db-memory-threaded-pct", "tmp:70,join:20,sort:10") }}
+db-memory-threaded-pct = {{ parameter_dict.get("db-memory-threaded-pct", ["tmp:70", "join:20", "sort:10"]) | join(',') }}
 # failover
 failover-mode = {{ parameter_dict.get('failover-mode', 'manual') }}
 failover-limit = {{ parameter_dict.get('failover-limit', 5) }}
@@ -336,11 +337,11 @@ sysbench-bin  = {{ sysbench_location }}/bin/sysbench
 restic-bin    = {{ restic_bin_location }}
 mail-from = {{ slapparameter_dict.get("mail-from", "mrm@localhost") }}
-mail-smtp-addr = {{ slapparameter_dict.get("mail-smtp-addr", "localhost:25") }}
+mail-smtp-addr = {{ slapparameter_dict.get("mail-smtp-addr", "localhost") }}
+mail-smtp-port = {{ slapparameter_dict.get("mail-smtp-port", "25") }}
 mail-smtp-password = {{ slapparameter_dict.get("mail-smtp-password", "") }}
 mail-smtp-user = {{ slapparameter_dict.get("mail-smtp-user", "") }}
 mail-to = {{ slapparameter_dict.get("mail-to", "") }}
-enabled-tags = {{ slapparameter_dict.get("tags", tags) }}
 http-session-lifetime = {{ slapparameter_dict.get("http-session-lifetime", 86400) }}
 http-refresh-interval = {{ slapparameter_dict.get("http-refresh-interval", 4) }}

--- a/software/repman/templates/cluster-config.toml.in
+++ b/software/repman/templates/cluster-config.toml.in
@@ -22,6 +22,7 @@ proxysql-bootstrap = true
 proxysql-admin-port = {{ parameter_dict['proxy-admin-port'] }}
 proxysql-password = "{{ parameter_dict['password'] }}"
+prov-db-tags = "{{ parameter_dict['enabled-tags'] }}"
 prov-proxy-tags = "{{ parameter_dict['proxy-tags'] }}"
 monitoring-scheduler = true

--- a/software/repman/templates/config.toml.in
+++ b/software/repman/templates/config.toml.in
@@ -53,14 +53,13 @@ backup-mysqldump-path = "{{ parameter_dict['mysqldump-path'] }}"
 # Alert email sender (default "mrm@localhost")
 mail-from = "{{ parameter_dict['mail-from'] }}"
 # Alert email SMTP server address, in host:[port] format (default "localhost:25")
-mail-smtp-addr = "{{ parameter_dict['mail-smtp-addr'] }}"
+mail-smtp-addr = "{{ parameter_dict['mail-smtp-addr'] }}:{{ parameter_dict['mail-smtp-port'] }}"
 mail-smtp-password = "{{ parameter_dict['mail-smtp-password'] }}"
 mail-smtp-user = "{{ parameter_dict['mail-smtp-user'] }}"
 # Alert email recipients, separated by commas
 mail-to = "{{ parameter_dict['mail-to'] }}"
 prov-orchestrator = "slapos"
-prov-db-tags = "{{ parameter_dict['enabled-tags'] }}"
 sysbench-binary-path = "{{ parameter_dict['sysbench-bin'] }}"
 # Number of threads to run benchmark (default 4)

--- a/software/slapos-master/apache-backend.conf.in
+++ b/software/slapos-master/apache-backend.conf.in
@@ -23,14 +23,14 @@
 #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
 #       "ssl-session-cache": "<folder_path>",
 #
- #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  The path given to "SSLCACertificatePath" (can be empty)
 #       #  If this value is not empty, it enables client certificate check.
 #       #  (Enabling "SSLVerifyClient require")
- #       "ca-cert": "<file_path>",
+ #       "ca-cert-dir": "<directory_path>",
 #
- #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
 #       #  empty)
- #       "crl": "<file_path>",
+ #       "crl-dir": "<directory_path>",
 #
 #       #  The path given to "ErrorLog"
 #       "error-log": "<file_path>",
@@ -69,7 +69,7 @@
 #  From to `backend-list`:
 #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
 #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
- #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
 #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
 #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
 #  accepting requests from any client.
@@ -83,6 +83,8 @@
 #  For more details, refer to
 #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
 -#}
+{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
+{% set crl_dir = parameter_dict.get('crl-dir') -%}
 LoadModule unixd_module modules/mod_unixd.so
 LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule authz_core_module modules/mod_authz_core.so
@@ -103,7 +105,7 @@ LoadModule headers_module modules/mod_headers.so
 LoadModule deflate_module modules/mod_deflate.so
 LoadModule filter_module modules/mod_filter.so
-AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
+AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
 PidFile "{{ parameter_dict['pid-file'] }}"
 ServerAdmin admin@
@@ -133,17 +135,16 @@ SSLProxyEngine On
 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
-{% if parameter_dict['ca-cert'] -%}
+{% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
-{%   if not parameter_dict['shared-ca-cert'] %}
+SSLCACertificatePath {{ ca_cert_dir }}
-{%     if parameter_dict['crl'] -%}
+{%   if crl_dir -%}
 SSLCARevocationCheck chain
-SSLCARevocationFile {{ parameter_dict['crl'] }}
+SSLCARevocationPath {{ crl_dir }}
-{%-     endif %}
+{%   endif -%}
-{%-   endif %}
+{% endif -%}
-{%- endif %}
 ErrorLog "{{ parameter_dict['error-log'] }}"
 # Default apache log format with request time in microsecond at the end
@@ -163,12 +164,8 @@ Listen {{ ip }}:{{ port }}
 {%   endfor -%}
 <VirtualHost *:{{ port }}>
  SSLEngine on
-{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%}
+{% if enable_authentication and ca_cert_dir -%}
  SSLVerifyClient require
-  # Custom block we use for now different parameters.
-  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
-  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
@@ -186,11 +183,8 @@ Listen {{ ip }}:{{ port }}
 <VirtualHost {{ ip }}:{{ port }}>
  SSLEngine on
  Timeout 3600
-{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+{%   if enable_authentication and ca_cert_dir -%}
  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -18,8 +18,8 @@ md5sum = 2ef0ddc206c6b0982a37cfc21f23e423
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = ef86e09e44ac67a9b15939df0ab4a466
+md5sum = d10a5ddfffa67b8ca01b3e38315bae2f
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 48f086ce1acffca7bab942b43d856fb7
+md5sum = a169c1d6b0f2636f21f180e8a0b52137
--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -2,6 +2,7 @@
 {% set part_list = [] -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
+{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend_caucase_url_list', []) -%}
 {% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
@@ -28,8 +29,8 @@ mode = 644
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
     crt_path='${apache-conf-ssl:caucase-cert}',
-     ca_path='${apache-conf-ssl:ca-cert}',
+     ca_path='${directory:srv}/caucase-updater/ca.crt',
-     crl_path='${apache-conf-ssl:crl}',
+     crl_path='${directory:srv}/caucase-updater/crl.pem',
     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
@@ -37,6 +38,69 @@ mode = 644
     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
 )}}
 {% do section('caucase-updater') -%}
+{% do section('caucase-updater-promise') -%}
+{% set frontend_caucase_url_hash_list = [] -%}
+{% for frontend_caucase_url in frontend_caucase_url_list -%}
+{%   set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
+{%   do frontend_caucase_url_hash_list.append(hash) -%}
+{%   set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
+{{   caucase.updater(
+       prefix='caucase-updater-%s' % hash,
+       buildout_bin_directory=parameter_dict['bin-directory'],
+       updater_path='${directory:services-on-watch}/caucase-updater-%s' % hash,
+       url=frontend_caucase_url,
+       data_dir=data_dir,
+       ca_path='%s/ca.crt' % data_dir,
+       crl_path='%s/crl.pem' % data_dir,
+       on_renew='${caucase-updater-housekeeper:output}; ${apache-graceful:output}',
+       max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
+       openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+     )}}
+{%   do section('caucase-updater-%s' % hash) -%}
+{% endfor -%}
+{% if frontend_caucase_url_hash_list -%}
+[caucase-updater-housekeeper]
+recipe = collective.recipe.template
+output = ${directory:bin}/caucase-updater-housekeeper
+mode = 700
+input =
+  inline:
+  #!${buildout:executable}
+  import glob
+  import os
+  import subprocess
+  hash_list = {{ repr(frontend_caucase_url_hash_list) }}
+  crt_list = ['%s.crt' % e for e in hash_list]
+  crl_list = ['%s.crl' % e for e in hash_list]
+{% if shared_ca_path -%}
+  crt_list.append('{{ shared_ca_path }}/cacert.pem')
+  crl_list.append('{{ shared_ca_path }}/crl')
+{% endif -%}
+  for path in glob.glob('${apache-conf-ssl:ca-cert-dir}/*.crt'):
+    if os.path.basename(path) not in crt_list:
+      os.unlink(path)
+  for path in glob.glob('${apache-conf-ssl:crl-dir}/*.crl'):
+    if os.path.basename(path) not in crl_list:
+      os.unlink(path)
+  for hash in hash_list:
+    crt = '${directory:srv}/client-cert-ca/%s/ca.crt' % hash
+    crt_link = '${apache-conf-ssl:ca-cert-dir}/%s.crt' % hash
+    crl = '${directory:srv}/client-cert-ca/%s/crl.pem' % hash
+    crl_link = '${apache-conf-ssl:crl-dir}/%s.crl' % hash
+    if os.path.isfile(crt) and not os.path.islink(crt_link):
+      os.symlink(crt, crt_link)
+    if os.path.isfile(crl) and not os.path.islink(crl_link):
+      os.symlink(crl, crl_link)
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:ca-cert-dir}'])
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:crl-dir}'])
+[caucase-updater-housekeeper-run]
+recipe = plone.recipe.command
+command = ${caucase-updater-housekeeper:output}
+update-command = ${:command}
+{% endif -%}
 {% set haproxy_dict = {} -%}
 {% set apache_dict = {} -%}
@@ -123,8 +187,27 @@ key = ${directory:apache-conf}/apache.pem
 # XXX caucase certificate is not supported by caddy for now
 caucase-cert = ${directory:apache-conf}/apache-caucase.crt
 caucase-key = ${directory:apache-conf}/apache-caucase.pem
-ca-cert =  ${directory:apache-conf}/ca.crt
+{% if frontend_caucase_url_list -%}
-crl = ${directory:apache-conf}/crl.pem
+depends = ${caucase-updater-housekeeper-run:recipe}
+ca-cert-dir = ${directory:apache-ca-cert-dir}
+crl-dir = ${directory:apache-crl-dir}
+{%- endif %}
+[simplefile]
+< = jinja2-template-base
+template = inline:{{ '{{ content }}' }}
+{% macro simplefile(section_name, file_path, content, mode='') -%}
+{%   set content_section_name = section_name ~ '-content' -%}
+[{{  content_section_name }}]
+content = {{ dumps(content) }}
+[{{  section(section_name) }}]
+< = simplefile
+rendered = {{ file_path }}
+context = key content {{content_section_name}}:content
+mode = {{ mode }}
+{%- endmacro %}
 [apache-ssl]
 {% if ssl_parameter_dict.get('key') -%}
@@ -154,13 +237,10 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
+{% if frontend_caucase_url_list -%}
 # Client x509 auth
-ca-cert = ${apache-conf-ssl:ca-cert}
+ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
-crl = ${apache-conf-ssl:crl}
+crl-dir = ${apache-conf-ssl:crl-dir}
-{% if shared_ca_path -%}
-shared-ca-cert = {{ shared_ca_path }}/cacert.pem
-shared-crl = {{ shared_ca_path }}/crl 
 {%- endif %}
 [apache-conf]
@@ -186,8 +266,8 @@ input = inline:
  kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"
 [{{ section('apache-promise') }}]
-# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
 <= monitor-promise-base
+# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
 module = check_port_listening
 name = apache.py
 config-hostname = {{ ipv4 }}
@@ -228,6 +308,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
 [directory]
 recipe = slapos.cookbook:mkdirectory
 apache-conf = ${:etc}/apache
+{% if frontend_caucase_url_list -%}
+apache-ca-cert-dir = ${:apache-conf}/ssl.crt
+apache-crl-dir = ${:apache-conf}/ssl.crl
+{% endif -%}
 bin = ${buildout:directory}/bin
 etc = ${buildout:directory}/etc
 services = ${:etc}/run

--- a/software/slapos-sr-testing/buildout.hash.cfg
+++ b/software/slapos-sr-testing/buildout.hash.cfg
@@ -15,4 +15,4 @@
 [template]
 filename = instance.cfg
-md5sum = b21b2a9ac7f027a044a897c6eacbba56
+md5sum = 298bac4a631de3b30593b9a1dcf63e1c
--- a/software/slapos-sr-testing/instance.cfg
+++ b/software/slapos-sr-testing/instance.cfg
@@ -36,7 +36,7 @@ command-line =
  --source_code_path_list={{ ','.join(tests.splitlines()) }}
 environment =
-  PATH={{ buildout['bin-directory'] }}:{{ quic_client_location }}:{{ curl_location }}/bin/:/usr/bin/:/bin
+  PATH={{ buildout['bin-directory'] }}:{{ curl_location }}/bin/:/usr/bin/:/bin
  SLAPOS_TEST_IPV4=${slap-configuration:ipv4-random}
  SLAPOS_TEST_IPV6=${slap-configuration:ipv6-random}
  SLAPOS_TEST_WORKING_DIR=${directory:working-dir}
--- a/software/slapos-sr-testing/software-py3.cfg
+++ b/software/slapos-sr-testing/software-py3.cfg
@@ -13,3 +13,4 @@ eggs -=
 [template]
 extra =
  ${slapos.test.monitor-setup:setup}
+  ${slapos.test.powerdns-setup:setup}
--- a/software/slapos-sr-testing/software.cfg
+++ b/software/slapos-sr-testing/software.cfg
@@ -8,7 +8,6 @@ extends =
  ../../component/python-cryptography/buildout.cfg
  ../../component/python-mysqlclient/buildout.cfg
  ../../component/python-pynacl/buildout.cfg
-  ../../component/quic_client-bin/buildout.cfg
  ../../component/python-backports-lzma/buildout.cfg
  ../../stack/slapos.cfg
@@ -235,7 +234,6 @@ context =
  key git_location git:location
  key slapos_location slapos-repository:location
  key interpreter eggs:interpreter
-  key quic_client_location quic_client-bin:location
  key curl_location curl:location
  key tests :tests
 tests =
@@ -251,7 +249,6 @@ extra =
  ${slapos.test.htmlvalidatorserver-setup:setup}
  ${slapos.test.slapos-master-setup:setup}
  ${slapos.test.plantuml-setup:setup}
-  ${slapos.test.powerdns-setup:setup}
  ${slapos.test.proftpd-setup:setup}
  ${slapos.test.re6stnet-setup:setup}
  ${slapos.test.seleniumserver-setup:setup}

--- a/software/slaprunner/buildout.hash.cfg
+++ b/software/slaprunner/buildout.hash.cfg
@@ -18,7 +18,7 @@ md5sum = 8d6878ff1d2e75010c50a1a2b0c13b24
 [template-runner]
 filename = instance-runner.cfg
-md5sum = b03f39d483cb7f3554fb40092b5b89fa
+md5sum = 376ae851bb13bd88b02ecd72249a64bd
 [template-runner-import-script]
 filename = template/runner-import.sh.jinja2

--- a/software/slaprunner/instance-runner.cfg
+++ b/software/slaprunner/instance-runner.cfg
@@ -37,9 +37,12 @@ common-runner-parts =
  slaprunner-frontend-promise
  httpd-frontend-promise
 {% endif %}
-{% if slapparameter_dict.get('custom-frontend-backend-url') and slapparameter_dict.get('check-custom-frontend-promise', 'false') == 'true' %}
+{% if slapparameter_dict.get('custom-frontend-backend-url') %}
+  custom-frontend-url-ready-promise
+{% if slapparameter_dict.get('check-custom-frontend-promise', 'false') == 'true' %}
  custom-frontend-promise
 {% endif %}
+{% endif %}
 ## Monitoring part
  monitor-base
  monitor-check-webrunner-internal-instance

--- a/software/slaprunner/test/test.py
+++ b/software/slaprunner/test/test.py
@@ -46,6 +46,8 @@ from slapos.recipe.librecipe import generateHashFromFiles
 from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
 from slapos.util import bytes2str
+skipIfPython3 = unittest.skipIf(six.PY3, 'rdiff-backup is not compatible with Python 3 yet')
 setUpModule, SlapOSInstanceTestCase = makeModuleSetUpAndTestCaseClass(
    os.path.abspath(
        os.path.join(os.path.dirname(__file__), '..',
@@ -476,6 +478,7 @@ class TestCustomFrontend(SlaprunnerTestCase):
      parameter_dict['custom-frontend-url'],
      'https://www.erp5.com')
+@skipIfPython3
 class TestResilientInstance(SlaprunnerTestCase):
  instance_max_retry = 20
@@ -502,12 +505,14 @@ class TestResilientInstance(SlaprunnerTestCase):
        'url',
        'webdav-url']))
+@skipIfPython3
 class TestResilientCustomFrontend(TestCustomFrontend):
  instance_max_retry = 20
  @classmethod
  def getInstanceSoftwareType(cls):
    return 'resilient'
+@skipIfPython3
 class TestResilientWebInstance(TestWeb):
  instance_max_retry = 20
  @classmethod
@@ -518,6 +523,7 @@ class TestResilientWebInstance(TestWeb):
    pass # Disable until we can write on runner0 rather them
         # on root partition
+@skipIfPython3
 class TestResilientWebrunnerBasicUsage(TestWebRunnerBasicUsage):
  instance_max_retry = 20
  @classmethod
@@ -525,12 +531,14 @@ class TestResilientWebrunnerBasicUsage(TestWebRunnerBasicUsage):
    return 'resilient'
+@skipIfPython3
 class TestResilientWebrunnerAutorun(TestWebRunnerAutorun):
  instance_max_retry = 20
  @classmethod
  def getInstanceSoftwareType(cls):
    return 'resilient'
+@skipIfPython3
 class TestResilientDummyInstance(SlaprunnerTestCase):
  instance_max_retry = 20
  @classmethod

--- a/software/wendelin/software.cfg
+++ b/software/wendelin/software.cfg
@@ -76,7 +76,6 @@ repository = https://lab.nexedi.com/nexedi/wendelin.git
 branch = master
 [versions]
-msgpack = 0.6.1
 msgpack-numpy = 0.4.4.3
 wendelin.core = 0.13

--- a/stack/caucase/README.rst
+++ b/stack/caucase/README.rst
@@ -72,7 +72,7 @@ Client
  This script allows you to re-issue a CSR using a locally-generated private key.
-.. topic:: ``updater(prefix, buildout_bin_directory, updater_path, url, data_dir, crt_path, ca_path, crl_path, key_path=None, on_renew=None, max_sleep=None, mode='service', template_csr_pem=None, openssl=None)``
+.. topic:: ``updater(prefix, buildout_bin_directory, updater_path, url, data_dir, ca_path, crl_path, crt_path=None, key_path=None, on_renew=None, max_sleep=None, mode='service', template_csr_pem=None, openssl=None)``
  - ``<prefix>``: Creates ``<updater>`` executable file to start ``caucase-updater``, and ``<data_dir>`` directory for its data storage needs.

--- a/stack/caucase/buildout.cfg
+++ b/stack/caucase/buildout.cfg
@@ -35,6 +35,6 @@ mode = 0644
 depends = ${caucase-jinja2-library-eggs:eggs}
 [versions]
-caucase = 0.9.7
+caucase = 0.9.8
-pem = 17.1.0
+pem = 20.1.0
 PyJWT = 1.7.1
--- a/stack/caucase/buildout.hash.cfg
+++ b/stack/caucase/buildout.hash.cfg
@@ -15,4 +15,4 @@
 [caucase-jinja2-library]
 filename = caucase.jinja2.library
-md5sum = 9a7247cdb2ee1d66c074b0660c54713f
+md5sum = 2e7e61bb0cf41c28d6d811a0283cf03e
--- a/stack/caucase/caucase.jinja2.library
+++ b/stack/caucase/caucase.jinja2.library
@@ -43,9 +43,9 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
  updater_path,
  url,
  data_dir,
-  crt_path,
  ca_path,
  crl_path,
+  crt_path=None,
  key_path=None,
  on_renew=None,
  max_sleep=None,
@@ -59,6 +59,7 @@ config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc
 recipe = slapos.cookbook:mkdirectory
 data-dir = {{ data_dir }}
+{% if crt_path %}
 {%   if template_csr_pem or template_csr -%}
 [{{ prefix }}-provided-csr-content]
 {%     if template_csr_pem %}
@@ -90,6 +91,7 @@ recipe = plone.recipe.command
 command = '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
 {%-   endif %}
 csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
+{%- endif %}
 [{{ prefix }}]
 recipe = slapos.cookbook:wrapper
@@ -98,8 +100,8 @@ command-line = '{{ buildout_bin_directory }}/caucase-updater'
  --ca-url '{{ url }}'
  --cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
  --mode '{{ mode }}'
-  --csr '${ {{- prefix }}-csr:csr}'
+  {% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
-  --crt '{{ crt_path }}'
+  --crt '{{ crt_path }}' {%- endif %}
  --ca '{{ ca_path }}'
  --crl '{{ crl_path }}'
  {% if key_path %}--key '{{ key_path }}' {%- endif %}

--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -630,7 +630,6 @@ WSGIUtils = 0.7
 ZODB3 = 3.11.0
 # astroid 1.4.1 breaks testDynamicClassGeneration
 astroid = 1.3.8
-chardet = 2.3.0
 csp-eventlet = 0.7.0
 erp5diff = 0.8.1.7
 eventlet = 0.20.1

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -34,7 +34,7 @@ md5sum = e91c0fbd0df441884f7422fa7976053c
 [template-zope-conf]
 filename = zope.conf.in
-md5sum = 762897486b1e7e28b614224a9a577125
+md5sum = c43da8f7b4db22e40a4864e6cfcaef44
 [site-zcml]
 filename = site.zcml
@@ -70,7 +70,7 @@ md5sum = cc19560b9400cecbd23064d55c501eec
 [template]
 filename = instance.cfg.in
-md5sum = f0f3b18f9963b137e366752886591fc3
+md5sum = 328ea2bb5f2bff18f8be8c541c01f260
 [monitor-template-dummy]
 filename = dummy.cfg
@@ -90,8 +90,8 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 6851e0c28a025bd26a4d3450204ae335
+md5sum = 0097e49b5bd7ad4978c722c1cdd27d6c
 [template-haproxy-cfg]
 filename = haproxy.cfg.in
-md5sum = 13f1f731ec941f4ba941d6fa8834a5cc
+md5sum = fec6a312e4ef84b02837742992aaf495
--- a/stack/erp5/haproxy.cfg.in
+++ b/stack/erp5/haproxy.cfg.in
@@ -4,10 +4,7 @@ global
  stats socket {{ parameter_dict['socket-path'] }} level admin
 defaults
-  log global
  mode http
-  option httplog
-  option dontlognull
  retries 1
  option redispatch
  maxconn 2000
@@ -28,12 +25,12 @@ defaults
  timeout connect 5s
  # As requested in haproxy doc, make this "at least equal to timeout server".
  timeout client 305s
-  # Use "option forceclose" to not preserve client & server persistent connections
+  # Use "option httpclose" to not preserve client & server persistent connections
  # while handling every incoming request individually, dispatching them one after
  # another to servers, in HTTP close mode. This is really needed when haproxy
  # is configured with maxconn to 1, without this option browsers are unable
  # to render a page
-  option forceclose
+  option httpclose
 {% for name, (port, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
 listen {{ name }}

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -2,6 +2,7 @@
 {% set part_list = [] -%}
 {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
+{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
 {#
 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
 per partition. No more (undefined result), no less (IndexError).
@@ -27,8 +28,8 @@ mode = 644
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
     crt_path='${apache-conf-ssl:caucase-cert}',
-     ca_path='${apache-conf-ssl:ca-cert}',
+     ca_path='${directory:srv}/caucase-updater/ca.crt',
-     crl_path='${apache-conf-ssl:crl}',
+     crl_path='${directory:srv}/caucase-updater/crl.pem',
     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
@@ -38,6 +39,64 @@ mode = 644
 {% do section('caucase-updater') -%}
 {% do section('caucase-updater-promise') -%}
+{% set frontend_caucase_url_hash_list = [] -%}
+{% for frontend_caucase_url in frontend_caucase_url_list -%}
+{%   set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
+{%   do frontend_caucase_url_hash_list.append(hash) -%}
+{%   set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
+{{   caucase.updater(
+       prefix='caucase-updater-%s' % hash,
+       buildout_bin_directory=parameter_dict['bin-directory'],
+       updater_path='${directory:services-on-watch}/caucase-updater-%s' % hash,
+       url=frontend_caucase_url,
+       data_dir=data_dir,
+       ca_path='%s/ca.crt' % data_dir,
+       crl_path='%s/crl.pem' % data_dir,
+       on_renew='${caucase-updater-housekeeper:output}; ${apache-graceful:output}',
+       max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
+       openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+     )}}
+{%   do section('caucase-updater-%s' % hash) -%}
+{% endfor -%}
+{% if frontend_caucase_url_hash_list -%}
+[caucase-updater-housekeeper]
+recipe = collective.recipe.template
+output = ${directory:bin}/caucase-updater-housekeeper
+mode = 700
+input =
+  inline:
+  #!${buildout:executable}
+  import glob
+  import os
+  import subprocess
+  hash_list = {{ repr(frontend_caucase_url_hash_list) }}
+  crt_list = ['%s.crt' % e for e in hash_list]
+  crl_list = ['%s.crl' % e for e in hash_list]
+  for path in glob.glob('${apache-conf-ssl:ca-cert-dir}/*.crt'):
+    if os.path.basename(path) not in crt_list:
+      os.unlink(path)
+  for path in glob.glob('${apache-conf-ssl:crl-dir}/*.crl'):
+    if os.path.basename(path) not in crl_list:
+      os.unlink(path)
+  for hash in hash_list:
+    crt = '${directory:srv}/client-cert-ca/%s/ca.crt' % hash
+    crt_link = '${apache-conf-ssl:ca-cert-dir}/%s.crt' % hash
+    crl = '${directory:srv}/client-cert-ca/%s/crl.pem' % hash
+    crl_link = '${apache-conf-ssl:crl-dir}/%s.crl' % hash
+    if os.path.isfile(crt) and not os.path.islink(crt_link):
+      os.symlink(crt, crt_link)
+    if os.path.isfile(crl) and not os.path.islink(crl_link):
+      os.symlink(crl, crl_link)
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:ca-cert-dir}'])
+  subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:crl-dir}'])
+[caucase-updater-housekeeper-run]
+recipe = plone.recipe.command
+command = ${caucase-updater-housekeeper:output}
+update-command = ${:command}
+{% endif -%}
 {% set haproxy_dict = {} -%}
 {% set apache_dict = {} -%}
 {% set zope_virtualhost_monster_backend_dict = {} %}
@@ -123,8 +182,27 @@ key = ${directory:apache-conf}/apache.pem
 # XXX caucase certificate is not supported by caddy for now
 caucase-cert = ${directory:apache-conf}/apache-caucase.crt
 caucase-key = ${directory:apache-conf}/apache-caucase.pem
-ca-cert =  ${directory:apache-conf}/ca.crt
+{% if frontend_caucase_url_list -%}
-crl = ${directory:apache-conf}/crl.pem
+depends = ${caucase-updater-housekeeper-run:recipe}
+ca-cert-dir = ${directory:apache-ca-cert-dir}
+crl-dir = ${directory:apache-crl-dir}
+{%- endif %}
+[simplefile]
+< = jinja2-template-base
+template = inline:{{ '{{ content }}' }}
+{% macro simplefile(section_name, file_path, content, mode='') -%}
+{%   set content_section_name = section_name ~ '-content' -%}
+[{{  content_section_name }}]
+content = {{ dumps(content) }}
+[{{  section(section_name) }}]
+< = simplefile
+rendered = {{ file_path }}
+context = key content {{content_section_name}}:content
+mode = {{ mode }}
+{%- endmacro %}
 [apache-ssl]
 {% if ssl_parameter_dict.get('key') -%}
@@ -154,9 +232,11 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
+{% if frontend_caucase_url_list -%}
 # Client x509 auth
-ca-cert = ${apache-conf-ssl:ca-cert}
+ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
-crl = ${apache-conf-ssl:crl}
+crl-dir = ${apache-conf-ssl:crl-dir}
+{%- endif %}
 [apache-conf]
 < = jinja2-template-base
@@ -209,6 +289,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
 [directory]
 recipe = slapos.cookbook:mkdirectory
 apache-conf = ${:etc}/apache
+{% if frontend_caucase_url_list -%}
+apache-ca-cert-dir = ${:apache-conf}/ssl.crt
+apache-crl-dir = ${:apache-conf}/ssl.crl
+{% endif -%}
 bin = ${buildout:directory}/bin
 etc = ${buildout:directory}/etc
 services = ${:etc}/run

--- a/stack/erp5/instance.cfg.in
+++ b/stack/erp5/instance.cfg.in
@@ -72,6 +72,7 @@ filename = instance-balancer.cfg
 extra-context =
    section parameter_dict dynamic-template-balancer-parameters
    import itertools itertools
+    import hashlib hashlib
 import-list =
    file caucase context:caucase-jinja2-library

--- a/stack/erp5/zope.conf.in
+++ b/stack/erp5/zope.conf.in
@@ -25,6 +25,13 @@ rest-output-encoding utf-8
 # XXX: isn't this entry implicit ?
 products {{ parameter_dict['instance-products'] }}
+# Magic parameter to use the first entry of X-Forwarded-For as the source IP address.
+# (see monkey patches in ERP5Type/patches/HTTPRequest.py and ERP5Type/patches/http_server.py)
+# * Frontend HTTP server should drop incoming X-Forwarded-For.
+# * Communication between frontend and backend should use SSL Client Authentication.
+# * Backend proxy drops incoming X-Forwarded-For without valid SSL Client Authentification.
+trusted-proxy 0.0.0.0
 {% if not parameter_dict['wsgi'] -%}
 {%   if parameter_dict['webdav'] -%}
 <webdav-source-server>

--- a/stack/slapos.cfg
+++ b/stack/slapos.cfg
@@ -134,16 +134,16 @@ Jinja2 = 2.9.5
 MarkupSafe = 1.0
 PyYAML = 3.13
 Werkzeug = 0.12
-asn1crypto = 0.21.1
+asn1crypto = 1.3.0
-cffi = 1.9.1
+cffi = 1.14.0
 click = 6.7
 cliff = 2.4.0
 cmd2 = 0.7.0
 collective.recipe.shelloutput = 0.1
 collective.recipe.template = 2.0
-cryptography = 2.3.1
+cryptography = 2.9.2
 decorator = 4.3.0
-idna = 2.2
+idna = 2.9
 inotify-simple = 1.1.1
 itsdangerous = 0.24
 lock-file = 2.0
@@ -154,10 +154,10 @@ pbr = 2.0.0
 plone.recipe.command = 1.1
 prettytable = 0.7.2
 psutil = 5.6.3
-pyOpenSSL = 18.0.0
+pyOpenSSL = 19.1.0
 pyparsing = 2.2.0
 pytz = 2016.10
-requests = 2.13.0
+requests = 2.24.0
 six = 1.12.0
 slapos.cookbook = 1.0.152
 slapos.core = 1.5.12
@@ -174,7 +174,7 @@ unicodecsv = 0.14.1
 xml-marshaller = 1.0.2
 paramiko = 2.1.3
 CacheControl = 0.12.5
-msgpack = 0.6.1
+msgpack = 0.6.2
 # Required by:
 # slapos.core==1.5.0
@@ -214,7 +214,7 @@ dnspython = 1.15.0
 # Required by:
 # cryptography==1.8.1
-enum34 = 1.1.6
+enum34 = 1.1.10
 # Required by:
 # slapos.toolbox==0.94
@@ -242,7 +242,7 @@ setuptools-scm = 3.5.0
 # Required by:
 # cryptography==1.8.1
-ipaddress = 1.0.18
+ipaddress = 1.0.23
 # Required by:
 # slapos.cookbook==1.0.143
@@ -271,7 +271,7 @@ pyasn1 = 0.4.5
 # Required by:
 # cffi==1.9.1
-pycparser = 2.17
+pycparser = 2.20
 # Required by:
 # slapos.toolbox==0.94
@@ -301,6 +301,18 @@ uritemplate = 3.0.0
 # slapos.core==1.5.0
 zope.interface = 4.3.3
+# Required by:
+# requests==2.24.0
+certifi = 2020.6.20
+# Required by:
+# requests==2.24.0
+chardet = 3.0.4
+# Required by:
+# requests==2.24.0
+urllib3 = 1.25.9
 [networkcache]
 download-cache-url = http://shacache.nxdcdn.com
 download-dir-url = http://shadir.nxdcdn.com