apache-frontend: Introduce new architecture for apache frontend

slapos/recipe/apache_frontend/__init__.py

@@ -58,7 +58,7 @@ class Recipe(BaseSlapRecipe):
     frontend_port_number = self.parameter_dict.get("port", 4443)
     frontend_plain_http_port_number = self.parameter_dict.get(
         "plain_http_port", 8080)
-    base_varnish_port = 26009
+    base_varnish_port = 26010
     slave_instance_list = self.parameter_dict.get("slave_instance_list", [])
 
     self.path_list = []
@@ -70,6 +70,7 @@ class Recipe(BaseSlapRecipe):
     self.path_list.append(self.killpidfromfile)
 
     rewrite_rule_list = []
+    rewrite_rule_cached_list = []
     rewrite_rule_https_only_list = []
     rewrite_rule_zope_list = []
     rewrite_rule_zope_path_list = []
@@ -133,7 +134,7 @@ class Recipe(BaseSlapRecipe):
 #             base_varnish_port, backend_url, reference, service_dict, domain)
         rewrite_rule = self.configureSquidSlave(
             base_varnish_port, backend_url, reference, service_dict, domain)
-        base_varnish_port += 2
+        rewrite_rule_cached_list.append("%s %s" % (domain, backend_url))
       else:
         rewrite_rule = "%s %s" % (domain, backend_url)
 #       # Temporary forbid activation of cache until it is properly tested
@@ -190,9 +191,11 @@ class Recipe(BaseSlapRecipe):
         ip_list=["[%s]" % self.getGlobalIPv6Address(),
                  self.getLocalIPv4Address()],
         port=frontend_port_number,
+        cached_port=base_varnish_port + 1,
         plain_http_port=frontend_plain_http_port_number,
         name=frontend_domain_name,
         rewrite_rule_list=rewrite_rule_list,
+        rewrite_rule_cached_list=rewrite_rule_cached_list,
         rewrite_rule_https_only_list=rewrite_rule_https_only_list,
         rewrite_rule_zope_list=rewrite_rule_zope_list,
         rewrite_rule_zope_path_list=rewrite_rule_zope_path_list,
@@ -257,7 +260,6 @@ class Recipe(BaseSlapRecipe):
       service_dict, domain):
     # Squid should use stunnel to connect to the backend
     base_squid_control_port = base_squid_port
-    base_squid_port += 1
     # Use regex
     host_regex = "((\[\w*|[0-9]+\.)(\:|)).*(\]|\.[0-9]+)"
     slave_host = re.search(host_regex, url).group(0)
@@ -282,218 +284,16 @@ class Recipe(BaseSlapRecipe):
 #      size="1G")
     service_dict[service_name] = dict(public_ip=squid_ip,
         public_port=stunnel_port,
-        private_ip=slave_host.replace("[", "").replace("]", ""),
+        private_ip=slave_host,
         private_port=slave_port)
     return "%s http://%s:%s" % \
         (domain, squid_ip, base_squid_port)
 
-#  def installSquidCache(self, name, ip, port, backend_host,
-#                                backend_port, domain, size="1G"):
-#    """
-#      Install a squid daemon for a certain address
-#    """
-##     directory = self.createDataDirectory(name)
-##     squid_config = dict(
-##       directory=directory,
-##       pid = "%s/squid.pid" % directory,
-##       port="%s:%s" % (ip, port),
-##       squidd_binary=self.options["squidd_binary"],
-##       control_port="%s:%s" % (ip, control_port),
-##       storage="file,%s/storage.bin,%s" % (directory, size))
-#
-## 
-##     squid_argument_list = [squid_config['squidd_binary'].strip(),
-##         "-F", "-n", directory, "-P", squid_config["pid"], "-p",
-##         "cc_command=exec %s " % self.options["gcc_binary"] +\
-##             "-fpic -shared -o %o %s",
-##         "-f", config_file,
-##         "-a", squid_config["port"], "-T", squid_config["control_port"],
-##         "-s", squid_config["storage"]]
-##     environment = dict(PATH="%s:%s" % (self.options["binutils_directory"],
-##                                        os.environ.get('PATH')))
-##     wrapper = zc.buildout.easy_install.scripts([(name,
-##       'slapos.recipe.librecipe.execute', 'executee')], self.ws,
-##       sys.executable, self.service_directory, arguments=[squid_argument_list,
-##       environment])[0]
-##     self.path_list.append(wrapper)
-#
-#
-##     directory = self.createDataDirectory(name)
-#    config = dict(
-#      ip=ip,
-#      port=port,
-#      backend_ip=backend_host,
-#      backend_port=backend_port,
-#      domain=domain,
-#      # XXX Hardcoded
-#      access_log_path = os.path.join(self.log_directory, 'squid.access.log'),
-#      # XXX Hardcoded
-#      cache_log_path = os.path.join(self.log_directory, 'squid.cache.log'),
-##       cache_path=self.options['cache-path'],
-#      # XXX Hardcoded
-#      pid_filename_path=os.path.join(self.run_directory, 'squid.pid'),
-#      squid_binary=self.options["squid_binary"],
-#      )
-#    
-#    template_filename = self.getTemplateFilename('squid.conf.in')
-#    config_file = self.createConfigurationFile("%s.conf" % name,
-#      self.substituteTemplate(self.getTemplateFilename('squid.conf.in'),
-#                              config))
-#
-##     # Prepare directories
-##     prepare_path = self.createPythonScript(
-##       self.options['prepare-path'],
-##       'slapos.recipe.librecipe.execute.execute',
-##       arguments=[self.options['binary-path'].strip(),
-##                  '-z',
-##                  '-f', configuration_path,
-##                  ],)
-## 
-##     # Create running wrapper
-##     wrapper_path = self.createPythonScript(
-##       self.options['wrapper-path'],
-##       'slapos.recipe.librecipe.execute.execute',
-##       arguments=[self.options['binary-path'].strip(),
-##                  '-N',
-##                  '-f', configuration_path,
-##                  ],)
-## 
-##     return [configuration_path, wrapper_path, prepare_path]
-#
-#    squid_argument_list = [config['squid_binary'].strip(),
-#        "-N", "-f", config_file]
-##         "cc_command=exec %s " % self.options["gcc_binary"] +\
-##             "-fpic -shared -o %o %s",
-##         "-f", config_file,
-##         "-a", config["port"], "-T", config["control_port"],
-##         "-s", config["storage"]]
-#    environment = dict(PATH="%s:%s" % (self.options["binutils_directory"],
-#                                       os.environ.get('PATH')))
-#    wrapper = zc.buildout.easy_install.scripts([(name,
-#      'slapos.recipe.librecipe.execute', 'executee')], self.ws,
-#      sys.executable, self.service_directory, arguments=[squid_argument_list,
-#      environment])[0]
-#    self.path_list.append(wrapper)
-#
-#    return config
-
-#  def requestCertificate(self, name):
-#    hash = hashlib.sha512(name).hexdigest()
-#    key = os.path.join(self.ca_private, hash + self.ca_key_ext)
-#    certificate = os.path.join(self.ca_certs, hash + self.ca_crt_ext)
-#    parser = ConfigParser.RawConfigParser()
-#    parser.add_section('certificate')
-#    parser.set('certificate', 'name', name)
-#    parser.set('certificate', 'key_file', key)
-#    parser.set('certificate', 'certificate_file', certificate)
-#    parser.write(open(os.path.join(self.ca_request_dir, hash), 'w'))
-#    return key, certificate
-
-#  def installCrond(self):
-#   timestamps = self.createDataDirectory('cronstamps')
-#   cron_output = os.path.join(self.log_directory, 'cron-output')
-#   self._createDirectory(cron_output)
-#   catcher = zc.buildout.easy_install.scripts([('catchcron',
-#     __name__ + '.catdatefile', 'catdatefile')], self.ws, sys.executable,
-#     self.bin_directory, arguments=[cron_output])[0]
-#   self.path_list.append(catcher)
-#   cron_d = os.path.join(self.etc_directory, 'cron.d')
-#   crontabs = os.path.join(self.etc_directory, 'crontabs')
-#   self._createDirectory(cron_d)
-#   self._createDirectory(crontabs)
-#   wrapper = zc.buildout.easy_install.scripts([('crond',
-#     'slapos.recipe.librecipe.execute', 'execute')], self.ws, sys.executable,
-#     self.service_directory, arguments=[
-#       self.options['dcrond_binary'].strip(), '-s', cron_d, '-c', crontabs,
-#       '-t', timestamps, '-f', '-l', '5', '-M', catcher]
-#     )[0]
-#   self.path_list.append(wrapper)
-#   return cron_d
-
-#  def installValidCertificateAuthority(self, domain_name, certificate, key):
-#    ca_dir = os.path.join(self.data_root_directory, 'ca')
-#    ca_private = os.path.join(ca_dir, 'private')
-#    ca_certs = os.path.join(ca_dir, 'certs')
-#    ca_crl = os.path.join(ca_dir, 'crl')
-#    self._createDirectory(ca_dir)
-#    for path in (ca_private, ca_certs, ca_crl):
-#      self._createDirectory(path)
-#    key_path = os.path.join(ca_private, domain_name + ".key")
-#    certificate_path = os.path.join(ca_certs, domain_name + ".crt")
-#    self._writeFile(key_path, key)
-#    self._writeFile(certificate_path, certificate)
-#    return dict(certificate_authority_path=ca_dir,
-#        ca_crl=ca_crl,
-#        certificate=certificate_path,
-#        key=key_path)
-#
-#  def installCertificateAuthority(self, ca_country_code='XX',
-#      ca_email='xx@example.com', ca_state='State', ca_city='City',
-#      ca_company='Company'):
-#    backup_path = self.createBackupDirectory('ca')
-#    self.ca_dir = os.path.join(self.data_root_directory, 'ca')
-#    self._createDirectory(self.ca_dir)
-#    self.ca_request_dir = os.path.join(self.ca_dir, 'requests')
-#    self._createDirectory(self.ca_request_dir)
-#    config = dict(ca_dir=self.ca_dir, request_dir=self.ca_request_dir)
-#    self.ca_private = os.path.join(self.ca_dir, 'private')
-#    self.ca_certs = os.path.join(self.ca_dir, 'certs')
-#    self.ca_crl = os.path.join(self.ca_dir, 'crl')
-#    self.ca_newcerts = os.path.join(self.ca_dir, 'newcerts')
-#    self.ca_key_ext = '.key'
-#    self.ca_crt_ext = '.crt'
-#    for d in [self.ca_private, self.ca_crl, self.ca_newcerts, self.ca_certs]:
-#      self._createDirectory(d)
-#    for f in ['crlnumber', 'serial']:
-#      if not os.path.exists(os.path.join(self.ca_dir, f)):
-#        open(os.path.join(self.ca_dir, f), 'w').write('01')
-#    if not os.path.exists(os.path.join(self.ca_dir, 'index.txt')):
-#      open(os.path.join(self.ca_dir, 'index.txt'), 'w').write('')
-#    openssl_configuration = os.path.join(self.ca_dir, 'openssl.cnf')
-#    config.update(
-#        working_directory=self.ca_dir,
-#        country_code=ca_country_code,
-#        state=ca_state,
-#        city=ca_city,
-#        company=ca_company,
-#        email_address=ca_email,
-#    )
-#    self._writeFile(openssl_configuration, pkg_resources.resource_string(
-#      __name__, 'template/openssl.cnf.ca.in') % config)
-#
-#    # XXX-Cedric: Don't use this, but use slapos.recipe.certificate_authority
-#    #             from the instance profile.
-#    self.path_list.extend(zc.buildout.easy_install.scripts([
-#      ('certificate_authority', __name__ + '.certificate_authority',
-#         'runCertificateAuthority')],
-#        self.ws, sys.executable, self.service_directory, arguments=[dict(
-#          openssl_configuration=openssl_configuration,
-#          openssl_binary=self.options['openssl_binary'],
-#          certificate=os.path.join(self.ca_dir, 'cacert.pem'),
-#          key=os.path.join(self.ca_private, 'cakey.pem'),
-#          crl=os.path.join(self.ca_crl),
-#          request_dir=self.ca_request_dir
-#          )]))
-
-    # configure backup
-    #backup_cron = os.path.join(self.cron_d, 'ca_rdiff_backup')
-    #open(backup_cron, 'w').write(
-    #    '''0 0 * * * %(rdiff_backup)s %(source)s %(destination)s'''%dict(
-    #      rdiff_backup=self.options['rdiff_backup_binary'],
-    #      source=self.ca_dir,
-    #      destination=backup_path))
-    #self.path_list.append(backup_cron)
-
-#    return dict(
-#      ca_certificate=os.path.join(config['ca_dir'], 'cacert.pem'),
-#      ca_crl=os.path.join(config['ca_dir'], 'crl'),
-#      certificate_authority_path=config['ca_dir']
-#    )
-
   def _getApacheConfigurationDict(self, name, ip_list, port):
     apache_conf = dict()
     apache_conf['server_name'] = name
     apache_conf['pid_file'] = self.options['pid-file']
+    apache_conf['pid_cache_file'] = self.options['cache-pid-file']
     apache_conf['lock_file'] = os.path.join(self.run_directory,
         name + '.lock')
     apache_conf['document_root'] = os.path.join(self.data_root_directory,
@@ -505,57 +305,23 @@ class Recipe(BaseSlapRecipe):
     apache_conf['server_admin'] = 'admin@'
     apache_conf['error_log'] = self.options['error-log']
     apache_conf['access_log'] = self.options['access-log']
+    apache_conf['error_cache_log']  = self.options['cache-error-log']
+    apache_conf['access_cache_log'] = self.options['cache-access-log']
     return apache_conf
 
-  def installStunnel(self, service_dict, certificate,
-      key, ca_crl, ca_path):
-    """Installs stunnel
-      service_dict =
-        { name: (public_ip, private_ip, public_port, private_port),}
-    """
-    template_filename = self.getTemplateFilename('stunnel.conf.in')
-    template_entry_filename = self.getTemplateFilename('stunnel.conf.entry.in')
-
-    log = os.path.join(self.log_directory, 'stunnel.log')
-    pid_file = os.path.join(self.run_directory, 'stunnel.pid')
-    stunnel_conf = dict(
-        pid_file=pid_file,
-        log=log,
-        cert = certificate,
-        key = key,
-        ca_crl = ca_crl,
-        ca_path = ca_path,
-        entry_str=''
-    )
-    entry_list = []
-    for name, parameter_dict in service_dict.iteritems():
-      parameter_dict["name"] = name
-      entry_str = self.substituteTemplate(template_entry_filename,
-          parameter_dict)
-      entry_list.append(entry_str)
-
-    stunnel_conf["entry_str"] = "\n".join(entry_list)
-    stunnel_conf_path = self.createConfigurationFile("stunnel.conf",
-        self.substituteTemplate(template_filename,
-          stunnel_conf))
-    wrapper = zc.buildout.easy_install.scripts([('stunnel',
-      'slapos.recipe.librecipe.execute', 'execute_wait')], self.ws,
-      sys.executable, self.service_directory, arguments=[
-        [self.options['stunnel_binary'].strip(), stunnel_conf_path],
-        [certificate, key]]
-      )[0]
-    self.path_list.append(wrapper)
-    return stunnel_conf
-
   def installFrontendApache(self, ip_list, key, certificate, name,
                             port=4443, plain_http_port=8080,
+                            cached_port=26081,
                             rewrite_rule_list=None,
+                            rewrite_rule_cached_list=None,
                             rewrite_rule_zope_list=None,
                             rewrite_rule_https_only_list=None,
                             rewrite_rule_zope_path_list=None,
                             access_control_string=None):
     if rewrite_rule_list is None:
       rewrite_rule_list = []
+    if rewrite_rule_cached_list is None:
+      rewrite_rule_cached_list = []
     if rewrite_rule_https_only_list is None:
       rewrite_rule_zope_path_list = []
     if rewrite_rule_zope_list is None:
@@ -597,21 +363,15 @@ class Recipe(BaseSlapRecipe):
     if not os.path.exists(custom_apache_virtual_configuration_file_location):
       open(custom_apache_virtual_configuration_file_location, 'w')
 
-    # Create backup of custom apache configuration
-    #backup_path = self.createBackupDirectory('custom_apache_conf_backup')
-    #backup_cron = os.path.join(self.cron_d, 'custom_apache_conf_backup')
-    #open(backup_cron, 'w').write(
-    #    '''0 0 * * * %(rdiff_backup)s %(source)s %(destination)s'''%dict(
-    #      rdiff_backup=self.options['rdiff_backup_binary'],
-    #      source=custom_apache_configuration_directory,
-    #      destination=backup_path))
-    #self.path_list.append(backup_cron)
-
     # Create configuration file and rewritemaps
     apachemap_path = self.createConfigurationFile(
         "apache_rewritemap_generic.txt",
         "\n".join(rewrite_rule_list)
     )
+    apachecachedmap_path = self.createConfigurationFile(
+        "apache_rewritemap_cached.txt",
+        "\n".join(rewrite_rule_cached_list)
+    )
     apachemap_httpsonly_path = self.createConfigurationFile(
         "apache_rewritemap_httpsonly.txt",
         "\n".join(rewrite_rule_https_only_list)
@@ -635,8 +395,14 @@ class Recipe(BaseSlapRecipe):
     )
 
     apache_conf["listen"] = "\n".join([
-        "Listen %s:%s" % (ip, port)
-        for port in (plain_http_port, port)
+        "Listen %s:%s" % (ip, tmp_port)
+        for tmp_port in (plain_http_port, port)
+        for ip in ip_list
+    ])
+
+    apache_conf["listen_cache"] = "\n".join([
+        "Listen %s:%s" % (ip, tmp_port)
+        for tmp_port in (cached_port,)
         for ip in ip_list
     ])
 
@@ -651,12 +417,14 @@ class Recipe(BaseSlapRecipe):
     apache_conf.update(**dict(
       path_enable=path,
       apachemap_path=apachemap_path,
+      apachecachedmap_path=apachecachedmap_path,
       apachemap_httpsonly_path=apachemap_httpsonly_path,
       apachemapzope_path=apachemap_zope_path,
       apachemapzopepath_path=apachemap_zopepath_path,
       apache_domain=name,
       https_port=port,
       plain_http_port=plain_http_port,
+      cached_port=cached_port,
       custom_apache_conf=custom_apache_configuration_file_location,
       custom_apache_virtualhost_conf=custom_apache_virtual_configuration_file_location,
     ))
@@ -677,4 +445,20 @@ class Recipe(BaseSlapRecipe):
               config=apache_config_file)
           ]))
 
+    apache_cached_conf_string = self.substituteTemplate(
+          self.getTemplateFilename('apache_cached.conf.in'), apache_conf)
+
+    apache_cached_config_file = self.createConfigurationFile('apache_frontend_cached.conf',
+        apache_cached_conf_string)
+
+    self.path_list.extend(zc.buildout.easy_install.scripts([(
+      'frontend_cached_apache', 'slapos.recipe.erp5.apache', 'runApache')], self.ws,
+          sys.executable, self.service_directory, arguments=[
+            dict(
+              required_path_list=[key, certificate],
+              binary=self.options['httpd_binary'],
+              config=apache_cached_config_file)
+          ]))
+
+
     return dict(site_url="https://%s:%s/" % (name, port))

slapos/recipe/apache_frontend/template/apache.conf.in

@@ -87,8 +87,6 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javasc
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-# Make sure proxies don't deliver the wrong content
-Header append Vary User-Agent
 
 # SSL Configuration
 %(ssl_snippet)s
@@ -146,9 +144,6 @@ Header append Vary User-Agent
   ProxyTimeout 600
   RewriteEngine On
 
-  # Remove "Secure" from cookies, as backend may be https
-  Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
-
   # Include configuration file not operated by slapos. This file won't be erased
   # or changed when slapgrid is ran. It can be freely customized by node admin.
   # Include %(custom_apache_virtualhost_conf)s

slapos/recipe/apache_frontend/template/apache_cached.conf.in

+# Apache configuration file for Zope
+# Automatically generated
+
+# Basic server configuration
+PidFile "%(pid_cache_file)s"
+ServerName %(server_name)s
+DocumentRoot %(document_root)s
+ServerRoot %(instance_home)s
+
+%(listen_cache)s
+
+ServerAdmin %(server_admin)s
+DefaultType text/plain
+TypesConfig %(httpd_home)s/conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+# As backend is trusting REMOTE_USER header unset it always
+RequestHeader unset REMOTE_USER
+
+ServerTokens Prod
+
+# Log configuration
+ErrorLog "%(error_cache_log)s"
+LogLevel warn
+# LogFormat "%%h %%{REMOTE_USER}i %%{Host}i %%l %%u %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\"" combined
+# LogFormat "%%h %%{REMOTE_USER}i %%{Host}i %%l %%u %%t \"%%r\" %%>s %%b" common
+# CustomLog "%(access_log)s" common
+LogFormat "%%h %%l %%{REMOTE_USER}i %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\" %%D" combined
+CustomLog "%(access_cache_log)s" combined
+
+%(path_enable)s
+
+# List of modules
+#LoadModule unixd_module modules/mod_unixd.so
+#LoadModule access_compat_module modules/mod_access_compat.so
+#LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module  %(httpd_home)s/modules/mod_authz_host.so
+LoadModule log_config_module  %(httpd_home)s/modules/mod_log_config.so
+LoadModule deflate_module     %(httpd_home)s/modules/mod_deflate.so
+LoadModule setenvif_module    %(httpd_home)s/modules/mod_setenvif.so
+LoadModule version_module     %(httpd_home)s/modules/mod_version.so
+LoadModule proxy_module       %(httpd_home)s/modules/mod_proxy.so
+LoadModule proxy_http_module  %(httpd_home)s/modules/mod_proxy_http.so
+LoadModule ssl_module         %(httpd_home)s/modules/mod_ssl.so
+LoadModule mime_module        %(httpd_home)s/modules/mod_mime.so
+LoadModule dav_module         %(httpd_home)s/modules/mod_dav.so
+LoadModule dav_fs_module      %(httpd_home)s/modules/mod_dav_fs.so
+LoadModule negotiation_module %(httpd_home)s/modules/mod_negotiation.so
+LoadModule rewrite_module     %(httpd_home)s/modules/mod_rewrite.so
+LoadModule headers_module     %(httpd_home)s/modules/mod_headers.so
+LoadModule cache_module       %(httpd_home)s/modules/mod_cache.so
+LoadModule mem_cache_module   %(httpd_home)s/modules/mod_mem_cache.so
+LoadModule antiloris_module   %(httpd_home)s/modules/mod_antiloris.so
+
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
+                        downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash.  This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "MS FrontPage" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+BrowserMatch "^gnome-vfs" redirect-carefully
+BrowserMatch "^XML Spy" redirect-carefully
+BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+
+# Cache directives
+CacheEnable mem /
+CacheDefaultExpire 3600
+MCacheSize 8192
+MCacheMaxObjectCount 1000
+MCacheMaxObjectSize 8192
+MCacheRemovalAlgorithm LRU
+
+# Deflate
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
+BrowserMatch ^Mozilla/4 gzip-only-text/html
+BrowserMatch ^Mozilla/4\.0[678] no-gzip
+BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+# SSL Configuration
+%(ssl_snippet)s
+
+# Only accept generic (i.e not Zope) backends on http
+<VirtualHost *:%(cached_port)s>
+  SSLProxyEngine on
+  # Rewrite part
+  ProxyVia On
+  ProxyPreserveHost On
+  ProxyTimeout 600
+  RewriteEngine On
+
+
+  # Include configuration file not operated by slapos. This file won't be erased
+  # or changed when slapgrid is ran. It can be freely customized by node admin.
+  # Include %(custom_apache_virtualhost_conf)s
+
+  RewriteMap apachemapcached txt:%(apachecachedmap_path)s
+  RewriteCond ${apachemapcached:%%{SERVER_NAME}} >""
+  RewriteRule ^/(.*)$ ${apachemapcached:%%{SERVER_NAME}}/$1 [L,P]
+
+  # If nothing exist : put a nice error
+  ErrorDocument 404 /notfound.html
+</VirtualHost>

software/apache-frontend/instance.cfg

@@ -37,7 +37,7 @@ cronstamps = $${:etc}/cronstamps
 ca-dir = $${:srv}/ssl
 
 squid-cache = $${:srv}/squid_cache
-stunnel-conf = $${:etc}/stunnel
+
 
 [instance-parameter]
 # Fetches parameters defined in SlapOS Master for this instance.
@@ -79,6 +79,9 @@ ca_crl = $${certificate-authority:ca-crl}
 access-log = $${directory:log}/frontend-apache-access.log
 error-log = $${directory:log}/frontend-apache-error.log
 pid-file = $${directory:run}/httpd.pid
+cache-access-log = $${directory:log}/frontend-apache-access-cached.log
+cache-error-log = $${directory:log}/frontend-apache-error-cached.log
+cache-pid-file = $${directory:run}/httpd-cached.pid
 
 
 # Create wrapper for "apachectl conftest" in bin
@@ -106,40 +109,15 @@ certs = $${directory:ca-dir}/certs/
 newcerts = $${directory:ca-dir}/newcerts/
 crl = $${directory:ca-dir}/crl/
 
-[ca-frontend]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-key-file = $${cadirectory:certs}/apache_frontend.key
-cert-file = $${cadirectory:certs}/apache_frontend.crt
-executable = $${directory:service}/apache_frontend
-wrapper = $${directory:service}/apache_frontend
-# Put domain name
-name = $${instance-parameter:configuration.domain}
-
-[ca-stunnel]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-key-file = $${directory:stunnel-conf}/stunnel.key
-cert-file = $${directory:stunnel-conf}/stunnel.crt
-executable = $${stunnel:wrapper}
-wrapper = $${basedirectory:services}/stunnel
-
-[stunnel]
-recipe = slapos.cookbook:stunnel
-stunnel-binary = ${stunnel:location}/bin/stunnel
-wrapper = $${directory:bin}/stunnel
-log-file = $${directory:log}/stunnel.log
-config-file = $${directory:etc}/stunnel.conf
-key-file = $${ca-stunnel:key-file}
-cert-file = $${ca-stunnel:cert-file}
-pid-file = $${directory:run}/stunnel.pid
-local-port = $${squid-hardcoded:backend-port}
-local-host = $${squid-hardcoded:backend-ip}
-remote-host = $${squid-hardcoded:remote-host}
-remote-port = $${squid-hardcoded:remote-port}
-client = false
-post-rotate-script = $${directory:bin}/stunnel_post_rotate
-
+#[ca-frontend]
+#<= certificate-authority
+#recipe = slapos.cookbook:certificate_authority.request
+#key-file = $${cadirectory:certs}/apache_frontend.key
+#cert-file = $${cadirectory:certs}/apache_frontend.crt
+#executable = $${directory:service}/apache_frontend
+#wrapper = $${directory:service}/apache_frontend
+## Put domain name
+#name = $${instance-parameter:configuration.domain}
 
 [cron]
 recipe = slapos.cookbook:cron
@@ -182,7 +160,7 @@ recipe = slapos.cookbook:logrotate.d
 name = apache
 log = $${apache:error-log} $${apache:access-log}
 frequency = daily
-rotate-num = 30
+rotatep-num = 30
 post = ${buildout:bin-directory}/killpidfromfile $${apache:pid-file} SIGUSR1
 sharedscripts = true
 notifempty = true
@@ -199,7 +177,7 @@ ip = $${squid-hardcoded:ip}
 port = $${squid-hardcoded:port}
 backend-ip = $${squid-hardcoded:backend-ip}
 backend-port = $${squid-hardcoded:backend-port}
-domain = $${squid-hardcoded:domain}
+public-ipv4 = $${instance-parameter:configuration.public-ipv4}
 access-log-path = $${directory:log}/squid-access.log
 cache-log-path = $${directory:log}/squid-cache.log
 pid-filename-path = $${directory:run}/squid.pid