Commit 074b2d31 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Protect against duplicate site key

Slaves' hostnames (custom_domain or server-alias) can clash, which results
in stopping the whole frontend.

To avoid this, ensure hostname uniqueness across the whole frontend.
parent 7993ff81
...@@ -26,7 +26,7 @@ md5sum = 750e2b1c922bf14511a3bc8a42468b1b ...@@ -26,7 +26,7 @@ md5sum = 750e2b1c922bf14511a3bc8a42468b1b
[template-apache-replicate] [template-apache-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
md5sum = 3a3dd6c5efeeff7fbc817e48e84e3e84 md5sum = e5e537052c533c6d6f1c2197428f77fd
[template-slave-list] [template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in filename = templates/apache-custom-slave-list.cfg.in
......
...@@ -67,9 +67,29 @@ context = ...@@ -67,9 +67,29 @@ context =
{% set authorized_slave_string = slapparameter_dict.pop('-frontend-authorized-slave-string', '') %} {% set authorized_slave_string = slapparameter_dict.pop('-frontend-authorized-slave-string', '') %}
{% set authorized_slave_list = [] %} {% set authorized_slave_list = [] %}
{% set rejected_slave_list = [] %} {% set rejected_slave_list = [] %}
{% set used_host_list = [] %}
{% for slave in slave_instance_list %} {% for slave in slave_instance_list %}
{% set slave_dict = {'state': True} %} {% set slave_dict = {'state': True} %}
{# BBB: apache_custom_https AND apache_custom_http #} {# BBB: apache_custom_https AND apache_custom_http #}
{% set custom_domain = slave.get('custom_domain') %}
{% if custom_domain and custom_domain in used_host_list %}
{% do slave_dict.__setitem__('state', False) %}
{% else %}
{% do used_host_list.append(custom_domain) %}
{% endif %}
{% if slave.get('server-alias') %}
{% for slave_alias in slave['server-alias'].split() %}
{% if not validators.domain(slave_alias) %}
{% do slave_dict.__setitem__('state', False) %}
{% else %}
{% if slave_alias in used_host_list %}
{% do slave_dict.__setitem__('state', False) %}
{% else %}
{% do used_host_list.append(slave_alias) %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] %} {% for key in ['caddy_custom_http', 'caddy_custom_https', 'apache_custom_http', 'apache_custom_https'] %}
{% if slave.get(key) %} {% if slave.get(key) %}
{% if not slave.get('slave_reference') in authorized_slave_string %} {% if not slave.get('slave_reference') in authorized_slave_string %}
...@@ -103,13 +123,6 @@ context = ...@@ -103,13 +123,6 @@ context =
{% do slave_dict.__setitem__('state', False) %} {% do slave_dict.__setitem__('state', False) %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if slave.get('server-alias') %}
{% for slave_alias in slave['server-alias'].split() %}
{% if not validators.domain(slave_alias) %}
{% do slave_dict.__setitem__('state', False) %}
{% endif %}
{% endfor %}
{% endif %}
{% if slave_dict['state'] %} {% if slave_dict['state'] %}
{% do authorized_slave_list.append(slave) %} {% do authorized_slave_list.append(slave) %}
{% else %} {% else %}
......
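Review bot: Hostnames are recorded in `used_host_list` before the slave's final state is known, so a slave that ends up rejected still reserves its names and pushes every later slave using them into the rejected list; this applies to the invalid-alias branch in the same loop, to the custom-configuration authorization check further down, and to a slave whose alias repeats its own custom_domain. On a shared frontend this lets a request that is never served block another slave's hostname; collecting the names per slave and reserving them only next to `authorized_slave_list.append(slave)` avoids it, as sketched below. The `else` branch of the custom_domain check also appends `None` when no custom_domain is set. Membership is compared case-sensitively although hostnames are case-insensitive, so if Caddy normalises site keys (not visible in this hunk) two spellings of one host would still clash; comparing lower-cased values would cover that.

```jinja
{% set slave_host_list = [] %}
{% set custom_domain = slave.get('custom_domain') %}
{% if custom_domain %}
{%   do slave_host_list.append(custom_domain) %}
{% endif %}
{% if slave.get('server-alias') %}
{%   for slave_alias in slave['server-alias'].split() %}
{%     if not validators.domain(slave_alias) or slave_alias in slave_host_list %}
{%       do slave_dict.__setitem__('state', False) %}
{%     else %}
{%       do slave_host_list.append(slave_alias) %}
{%     endif %}
{%   endfor %}
{% endif %}
{% for slave_host in slave_host_list %}
{%   if slave_host in used_host_list %}
{%     do slave_dict.__setitem__('state', False) %}
{%   endif %}
{% endfor %}
{# … unchanged: custom configuration authorization and remaining checks … #}
{% if slave_dict['state'] %}
{%   do used_host_list.extend(slave_host_list) %}
{%   do authorized_slave_list.append(slave) %}
```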
...@@ -3412,3 +3412,74 @@ https://www.google.com {}""", ...@@ -3412,3 +3412,74 @@ https://www.google.com {}""",
parameter_dict, parameter_dict,
{} {}
) )
class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod
def getInstanceParameterDict(cls):
return {
'domain': 'example.com',
'nginx-domain': 'nginx.example.com',
'public-ipv4': LOCAL_IPV4,
'apache-certificate': open('wildcard.example.com.crt').read(),
'apache-key': open('wildcard.example.com.key').read(),
'-frontend-authorized-slave-string': '_caddy_custom_http_s-reject',
'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT,
'nginx_port': NGINX_HTTPS_PORT,
'plain_nginx_port': NGINX_HTTP_PORT,
'monitor-httpd-port': MONITOR_HTTPD_PORT,
'-frontend-config-1-monitor-httpd-port': MONITOR_F1_HTTPD_PORT,
'mpm-graceful-shutdown-timeout': 2,
}
@classmethod
def getSlaveParameterDictDict(cls):
return {
'site_1': {
'custom_domain': 'duplicate.example.com',
},
'site_2': {
'custom_domain': 'duplicate.example.com',
},
'site_3': {
'server-alias': 'duplicate.example.com',
},
'site_4': {
'custom_domain': 'duplicate.example.com',
'server-alias': 'duplicate.example.com',
},
}
def test_master_partition_state(self):
parameter_dict = self.computer_partition.getConnectionParameterDict()
self.assertKeyWithPop('monitor-setup-url', parameter_dict)
expected_parameter_dict = {
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '1',
'rejected-slave-amount': '3',
'slave-amount': '4',
'rejected-slave-list': '["_site_3", "_site_1", "_site_4"]'}
self.assertEqual(
expected_parameter_dict,
parameter_dict
)
def test_site_2(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'site_2']
self.assertLogAccessUrlWithPop(parameter_dict, 'site_2')
self.assertEqual(
parameter_dict,
{
'domain': 'duplicate.example.com',
'replication_number': '1',
'url': 'http://duplicate.example.com',
'site_url': 'http://duplicate.example.com',
'secure_access': 'https://duplicate.example.com',
'public-ipv4': LOCAL_IPV4,
}
)
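Review bot: `test_master_partition_state` and `test_site_2` pin both the winner (`site_2`) and the exact order of `rejected-slave-list`, yet nothing visible in this change fixes the order in which the frontend walks `slave_instance_list`; if that order follows dict or request ordering, the expectations can flip without any regression. A class docstring stating the intended policy (the first slave processed keeps the hostname, later ones are rejected) would make the expectation reviewable. The list could be compared order-independently, e.g. `sorted(json.loads(parameter_dict.pop('rejected-slave-list')))`, assuming `json` is available in this test module. The rejected slaves (`site_1`, `site_3`, `site_4`) have no assertion on their own connection parameters, so what a rejected requester is shown is untested.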
TestDuplicateSiteKeyProtection-0/var/log/monitor-httpd-error.log
TestDuplicateSiteKeyProtection-1/var/log/frontend-access.log
TestDuplicateSiteKeyProtection-1/var/log/frontend-error.log
TestDuplicateSiteKeyProtection-1/var/log/httpd/_site_2_access_log
TestDuplicateSiteKeyProtection-1/var/log/httpd/_site_2_error_log
TestDuplicateSiteKeyProtection-1/var/log/monitor-httpd-error.log
TestDuplicateSiteKeyProtection-1/var/log/nginx-access.log
TestDuplicateSiteKeyProtection-1/var/log/nginx-error.log
TestDuplicateSiteKeyProtection-1/var/log/trafficserver/manager.log
TestDuplicateSiteKeyProtection-1/var/log/trafficserver/traffic.out
\ No newline at end of file
TestDuplicateSiteKeyProtection-0/var/run/monitor-httpd.pid
TestDuplicateSiteKeyProtection-0/var/run/monitor/monitor-bootstrap.pid
TestDuplicateSiteKeyProtection-1/var/run/caddy_configuration.signature
TestDuplicateSiteKeyProtection-1/var/run/httpd.pid
TestDuplicateSiteKeyProtection-1/var/run/monitor-httpd.pid
TestDuplicateSiteKeyProtection-1/var/run/monitor/monitor-bootstrap.pid
TestDuplicateSiteKeyProtection-1/var/run/ncaddy_configuration.signature
TestDuplicateSiteKeyProtection-1/var/run/nginx.pid
\ No newline at end of file
TestDuplicateSiteKeyProtection-1/etc/monitor-promise/check-_site_2-error-log-last-day
TestDuplicateSiteKeyProtection-1/etc/monitor-promise/check-_site_2-error-log-last-hour
\ No newline at end of file
TestDuplicateSiteKeyProtection-0/etc/plugin/__init__.py
TestDuplicateSiteKeyProtection-0/etc/plugin/buildout-TestDuplicateSiteKeyProtection-0-status.py
TestDuplicateSiteKeyProtection-0/etc/plugin/check-free-disk-space.py
TestDuplicateSiteKeyProtection-0/etc/plugin/monitor-bootstrap-status.py
TestDuplicateSiteKeyProtection-1/etc/plugin/__init__.py
TestDuplicateSiteKeyProtection-1/etc/plugin/buildout-TestDuplicateSiteKeyProtection-1-status.py
TestDuplicateSiteKeyProtection-1/etc/plugin/check-free-disk-space.py
TestDuplicateSiteKeyProtection-1/etc/plugin/monitor-bootstrap-status.py
\ No newline at end of file
TestDuplicateSiteKeyProtection-0/etc/promise/monitor-http-frontend
TestDuplicateSiteKeyProtection-0/etc/promise/monitor-httpd-listening-on-tcp
TestDuplicateSiteKeyProtection-0/etc/promise/promise-monitor-httpd-is-process-older-than-dependency-set
TestDuplicateSiteKeyProtection-1/etc/promise/caddy-frontend-is-running-actual-software-release
TestDuplicateSiteKeyProtection-1/etc/promise/caddy_cached
TestDuplicateSiteKeyProtection-1/etc/promise/caddy_frontend_ipv4_http
TestDuplicateSiteKeyProtection-1/etc/promise/caddy_frontend_ipv4_https
TestDuplicateSiteKeyProtection-1/etc/promise/caddy_frontend_ipv6_http
TestDuplicateSiteKeyProtection-1/etc/promise/caddy_frontend_ipv6_https
TestDuplicateSiteKeyProtection-1/etc/promise/caddy_ssl_cached
TestDuplicateSiteKeyProtection-1/etc/promise/frontend-caddy-configuration-promise
TestDuplicateSiteKeyProtection-1/etc/promise/monitor-http-frontend
TestDuplicateSiteKeyProtection-1/etc/promise/monitor-httpd-listening-on-tcp
TestDuplicateSiteKeyProtection-1/etc/promise/nginx-configuration-promise
TestDuplicateSiteKeyProtection-1/etc/promise/nginx_frontend_ipv4_http
TestDuplicateSiteKeyProtection-1/etc/promise/nginx_frontend_ipv4_https
TestDuplicateSiteKeyProtection-1/etc/promise/nginx_frontend_ipv6_http
TestDuplicateSiteKeyProtection-1/etc/promise/nginx_frontend_ipv6_https
TestDuplicateSiteKeyProtection-1/etc/promise/promise-monitor-httpd-is-process-older-than-dependency-set
TestDuplicateSiteKeyProtection-1/etc/promise/promise-nginx-is-process-older-than-dependency-set
TestDuplicateSiteKeyProtection-1/etc/promise/re6st-connectivity
TestDuplicateSiteKeyProtection-1/etc/promise/trafficserver-cache-availability
TestDuplicateSiteKeyProtection-1/etc/promise/trafficserver-port-listening
\ No newline at end of file
TestDuplicateSiteKeyProtection-0:bootstrap-monitor EXITED
TestDuplicateSiteKeyProtection-0:certificate_authority-on-watch RUNNING
TestDuplicateSiteKeyProtection-0:crond RUNNING
TestDuplicateSiteKeyProtection-0:monitor-httpd-graceful EXITED
TestDuplicateSiteKeyProtection-0:monitor-httpd-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:6tunnel-11080-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:6tunnel-11443-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:6tunnel-12080-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:6tunnel-12443-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:6tunnel-26011-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:6tunnel-26012-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:bootstrap-monitor EXITED
TestDuplicateSiteKeyProtection-1:certificate_authority-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:crond-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:frontend-caddy-safe-graceful EXITED
TestDuplicateSiteKeyProtection-1:frontend-nginx-safe-graceful EXITED
TestDuplicateSiteKeyProtection-1:frontend_caddy-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:frontend_nginx-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:monitor-httpd-graceful EXITED
TestDuplicateSiteKeyProtection-1:monitor-httpd-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:trafficserver-on-watch RUNNING
TestDuplicateSiteKeyProtection-1:trafficserver-reload EXITED
watchdog:watchdog RUNNING
\ No newline at end of file