caddy-frontend: Setup backend client auth

By default do not offer authentication certificate, the switch
authenticate-to-backend can be used on cluster or slave level to control
this feature.

software/caddy-frontend/buildout.hash.cfg

@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = db3f99b99f7db132928871acefc5b56a
+md5sum = 99f2f6d8818da4a98ca48412453c4f90
 
 [template-common]
 filename = instance-common.cfg.in
@@ -22,15 +22,15 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
 
 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = ae7c867ebbfe3e2881f4b1cdbf414152
+md5sum = 23237969bbd9e974ac674b2052e8d67c
 
 [template-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = 6d7113ebf0c46b0e4c72c128ebb647db
+md5sum = 5dabdbf51d20bf9e9e277e5b84d58b7e
 
 [template-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
-md5sum = 5deaf0c4cbe84216d2b061f21494539c
+md5sum = be95a8ff3b0c2db22d80aa07c47504e3
 
 [template-replicate-publish-slave-information]
 _update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
@@ -54,7 +54,7 @@ md5sum = 266f175dbdfc588af7a86b0b1884fe73
 
 [template-backend-haproxy-configuration]
 _update_hash_filename_ = templates/backend-haproxy.cfg.in
-md5sum = ad130d64ac6e4fc0dc5a028494573d62
+md5sum = 8daeaaa02190d90e0df91e364b1d2fc0
 
 [template-log-access]
 _update_hash_filename_ = templates/template-log-access.conf.in

software/caddy-frontend/instance-apache-frontend.cfg.in

@@ -14,6 +14,8 @@ parts =
   switch-caddy-softwaretype
   caucase-updater
   caucase-updater-promise
+  backend-client-caucase-updater
+  backend-client-caucase-updater-promise
   frontend-caddy-graceful
   port-redirection
   promise-frontend-caddy-configuration
@@ -67,6 +69,7 @@ service = ${:etc}/service
 etc-run = ${:etc}/run
 
 ca-dir = ${:srv}/ssl
+backend-client-dir = ${:srv}/backend-client
 # BBB: SlapOS Master non-zero knowledge BEGIN
 bbb-ssl-dir = ${:srv}/bbb-ssl
 # BBB: SlapOS Master non-zero knowledge END
@@ -210,6 +213,47 @@ kedifa-updater-mapping-file = ${directory:etc}/kedifa_updater_mapping.txt
 kedifa-updater-state-file = ${directory:srv}/kedifa_updater_state.json
 slave_kedifa_information = {{ dumps(slapparameter_dict['slave-kedifa-information']) }}
 
+[backend-client-login-config]
+d = ${directory:backend-client-dir}
+template-csr = ${:d}/csr.pem
+key = ${:d}/certificate.pem
+certificate = ${:key}
+ca-certificate = ${:d}/ca.pem
+cas-ca-certificate = ${:d}/cas-ca.pem
+crl = ${:d}/crl.pem
+
+[backend-client-login-csr]
+recipe = plone.recipe.command
+organization = {{ slapparameter_dict['cluster-identification'] }}
+organizational_unit = {{ instance_parameter['configuration.frontend-name'] }}
+command =
+{% if slapparameter_dict['backend-client-caucase-url'] %}
+  if [ ! -f ${:template-csr} ] && [ ! -f ${:key} ]  ; then
+    {{ parameter_dict['openssl'] }} req -new -sha256 \
+      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -subj "/O=${:organization}/OU=${:organizational_unit}" \
+      -out ${:template-csr}
+  fi
+{% endif %}
+  test -f ${:key} && test -f ${:template-csr}
+update-command = ${:command}
+template-csr = ${backend-client-login-config:template-csr}
+key = ${backend-client-login-config:key}
+stop-on-error = True
+
+{{ caucase.updater(
+     prefix='backend-client-caucase-updater',
+     buildout_bin_directory=parameter_dict['bin_directory'],
+     updater_path='${directory:service}/backend-client-login-certificate-caucase-updater',
+     url=slapparameter_dict['backend-client-caucase-url'],
+     data_dir='${directory:srv}/backend-client-caucase-updater',
+     crt_path='${backend-client-login-config:certificate}',
+     ca_path='${backend-client-login-config:ca-certificate}',
+     crl_path='${backend-client-login-config:crl}',
+     key_path='${backend-client-login-csr:key}',
+     template_csr='${backend-client-login-csr:template-csr}'
+)}}
+
 [dynamic-custom-personal-template-slave-list]
 < = jinja2-template-base
 template = {{ parameter_dict['template_slave_list'] }}
@@ -225,8 +269,10 @@ caddy_executable = {{ parameter_dict['caddy'] }}
 sixtunnel_executable = {{ parameter_dict['sixtunnel'] }}/bin/6tunnel
 organization = {{ slapparameter_dict['cluster-identification'] }}
 organizational-unit = {{ instance_parameter['configuration.frontend-name'] }}
+backend-client-caucase-url = {{ slapparameter_dict['backend-client-caucase-url'] }}
 extra-context =
     key caddy_configuration_directory caddy-directory:slave-configuration
+    key backend_client_caucase_url :backend-client-caucase-url
     import urlparse_module urlparse
     key caddy_executable :caddy_executable
     key http_port configuration:plain_http_port
@@ -656,6 +702,13 @@ log-socket = ${backend-haproxy-rsyslogd:log-socket}
 graceful-command = ${backend-haproxy-validate:rendered} && kill -USR2 $(cat ${:pid-file})
 http-port = ${configuration:backend-haproxy-http-port}
 https-port = ${configuration:backend-haproxy-https-port}
+# Caucase related configuration
+caucase-url = {{ slapparameter_dict['backend-client-caucase-url'] }}
+ca-certificate = ${backend-client-login-config:ca-certificate}
+certificate = ${backend-client-login-config:certificate}
+cas-ca-certificate = ${backend-client-login-config:cas-ca-certificate}
+csr = ${backend-client-caucase-updater-csr:csr}
+crl = ${backend-client-login-config:crl}
 
 [backend-haproxy]
 recipe = slapos.cookbook:wrapper
@@ -676,7 +729,7 @@ template = {{ parameter_dict['template_configuration_state_script'] }}
 rendered = ${directory:bin}/${:_buildout_section_name_}
 mode = 0700
 
-path_list = ${backend-haproxy-configuration:file}
+path_list = ${backend-haproxy-configuration:file} ${backend-client-login-config:certificate}
 sha256sum = {{ parameter_dict['sha256sum'] }}
 
 extra-context =

software/caddy-frontend/instance-apache-replicate.cfg.in

 {% if slap_software_type in software_type %}
+{% set aibcc_enabled = True %}
 {% import "caucase" as caucase with context %}
 {#- SERVER_POLLUTED_KEY_LIST is a list of keys which comes from various SlapOS Master implementations, which mix request and publish keys on each slave information -#}
 {%- set SERVER_POLLUTED_KEY_LIST = ['connection-parameter-hash', 'timestamp', 'slave_title', 'slap_software_type'] -%}
 {%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
 {%- set GOOD_CIPHER_LIST = ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-AES256-CBC-SHA', 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-ECDSA-AES256-CBC-SHA', 'ECDHE-ECDSA-AES128-CBC-SHA', 'RSA-AES256-CBC-SHA', 'RSA-AES128-CBC-SHA', 'ECDHE-RSA-3DES-EDE-CBC-SHA', 'RSA-3DES-EDE-CBC-SHA'] %}
 {% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
+{% set aibcc_enabled = slapparameter_dict.get('automatic-internal-backend-client-caucase-csr', 'true').lower() in TRUE_VALUES %}
 {# Ports 8401, 8402 and 8410+1..N are reserved for monitor ports on various partitions #}
 {% set master_partition_monitor_monitor_httpd_port = 8401 %}
 {% set kedifa_partition_monitor_httpd_port = 8402 %}
 {% set frontend_monitor_httpd_base_port = 8410 %}
+{% set caucase_host = '[' ~ instance_parameter['ipv6-random'] ~ ']' %}
+{% set caucase_netloc = caucase_host ~ ':' ~ instance_parameter['configuration.caucase_backend_client_port'] %}
+{% set caucase_url = 'http://' ~ caucase_netloc %}
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}
@@ -64,6 +69,7 @@ context =
 {%     endif %}
 {%   endfor %}
 {%   do config_dict.__setitem__('monitor-httpd-port', frontend_monitor_httpd_base_port + i) %}
+{%   do config_dict.__setitem__('backend-client-caucase-url', caucase_url) %}
 {%   do frontend_list.append(frontend_name) %}
 {%   do frontend_section_list.append(request_section_title) %}
 {%   do part_list.append(request_section_title) %}
@@ -213,7 +219,7 @@ software-url = {{ slapparameter_dict.pop(frontend_software_url_key) }}
 software-url = ${slap-connection:software-release-url}
 {% endif %}
 software-type = {{frontend_type}}
-return = private-ipv4 public-ipv4 slave-instance-information-list monitor-base-url csr_id-url csr_id-certificate
+return = private-ipv4 public-ipv4 slave-instance-information-list monitor-base-url backend-client-csr_id-url csr_id-url csr_id-certificate
 
 {% for section, frontend_request in request_dict.iteritems() %}
 {%   set state = frontend_request.get('state', '') %}
@@ -225,6 +231,7 @@ state = {{ state }}
 {%   endif %}
 config-slave-kedifa-information = ${request-kedifa:connection-slave-kedifa-information}
 config-kedifa-caucase-url = ${request-kedifa:connection-caucase-url}
+config-backend-client-caucase-url = {{ caucase_url }}
 config-master-key-download-url = ${request-kedifa:connection-master-key-download-url}
 config-cluster-identification = {{ cluster_identification }}
 {#   Do not send additional parameters for destroyed nodes #}
@@ -259,6 +266,7 @@ domain = {{ slapparameter_dict.get('domain') }}
 slave-amount = {{ slave_instance_list | length }}
 accepted-slave-amount = {{ authorized_slave_list | length }}
 rejected-slave-amount = {{ rejected_slave_dict | length }}
+backend-client-caucase-url = {{ caucase_url }}
 {# sort_keys are important in order to avoid shuffling parameters on each run #}
 rejected-slave-dict = {{ dumps(json_module.dumps(rejected_slave_title_dict, sort_keys=True)) }}
 rejected-slave-promise-url = ${rejected-slave-promise:config-url}
@@ -273,13 +281,24 @@ warning-list = {{ dumps(json_module.dumps(warning_list, sort_keys=True)) }}
 {# sort_keys are important in order to avoid shuffling parameters on each run #}
 warning-slave-dict = {{ dumps(json_module.dumps(warning_slave_dict, sort_keys=True)) }}
 {% endif %}
+{% if not aikc_enabled or not aibcc_enabled %}
+{% for frontend in frontend_list %}
+  {% set section_part = '${request-' + frontend %}
+{{ frontend }}-csr_id-certificate = {{ section_part }}:connection-csr_id-certificate}
+{% endfor %}
+{% endif %}
 {% if not aikc_enabled %}
 kedifa-csr_id-url = ${request-kedifa:connection-csr_id-url}
 kedifa-csr_id-certificate = ${request-kedifa:connection-csr_id-certificate}
 {% for frontend in frontend_list %}
   {% set section_part = '${request-' + frontend %}
 {{ frontend }}-csr_id-url = {{ section_part }}:connection-csr_id-url}
-{{ frontend }}-csr_id-certificate = {{ section_part }}:connection-csr_id-certificate}
+{% endfor %}
+{% endif %}
+{% if not aibcc_enabled %}
+{% for frontend in frontend_list %}
+  {% set section_part = '${request-' + frontend %}
+{{ frontend }}-backend-client-csr_id-url = {{ section_part }}:connection-backend-client-csr_id-url}
 {% endfor %}
 {% endif %}
 
@@ -371,12 +390,17 @@ kedifa = ${request-kedifa:connection-monitor-base-url}
 {{ frontend }} = {{ '${' + frontend + ':connection-monitor-base-url}' }}
 {% endfor %}
 
-{% if aikc_enabled %}
 [directory]
 recipe = slapos.cookbook:mkdirectory
-
 bin = ${buildout:directory}/bin/
 srv = ${buildout:directory}/srv/
+backup = ${:srv}/backup
+# CAUCASE directories
+caucased = ${:srv}/caucased
+backup-caucased = ${:backup}/caucased
+
+{% if aikc_enabled %}
+[directory]
 aikc = ${:srv}/aikc
 
 [aikc-config]
@@ -505,7 +529,140 @@ command =
   ${aikc-{{ csr }}-wrapper:rendered}
 update-command = ${:command}
 {% endfor %}
-{% endif %}
+{% endif %} {# if aikc_enabled #}
+
+{% if aibcc_enabled %}
+[directory]
+aibcc = ${:srv}/aibcc
+
+[aibcc-config]
+caucase-url = {{ caucase_url }}
+
+csr = ${directory:aibcc}/csr.pem
+key = ${directory:aibcc}/key.pem
+ca-certificate = ${directory:aibcc}/cas-ca-certificate.pem
+crl = ${directory:aibcc}/crl.pem
+user-ca-certificate = ${directory:aibcc}/user-ca-certificate.pem
+user-crl = ${directory:aibcc}/user-crl.pem
+user-created = ${directory:aibcc}/user-created
+csr_id = ${directory:aibcc}/csr_id
+
+[aibcc-user-csr]
+recipe = plone.recipe.command
+organization = {{ cluster_identification }}
+organizational_unit = Automatic Sign Backend Client Caucase CSR
+command =
+  if [ ! -f ${:csr} ] && [ ! -f ${:key} ]  ; then
+    {{ parameter_dict['openssl'] }} req -new -sha256 \
+      -newkey rsa:2048 -nodes -keyout ${:key} \
+      -subj "/O=${:organization}/OU=${:organizational_unit}" \
+      -out ${:csr}
+  fi
+update-command = ${:command}
+csr = ${aibcc-config:csr}
+key = ${aibcc-config:key}
+stop-on-error = True
+
+
+[aibcc-caucase-wrapper]
+{# jinja2 instead of wrapper is used with context to remove py'u' #}
+recipe = slapos.recipe.template:jinja2
+context =
+  key caucase_url aibcc-config:caucase-url
+template = inline:#!{{ parameter_dict['dash'] }}/bin/dash
+  exec {{ parameter_dict['bin_directory'] }}/caucase \
+{# raw block to use context #}
+{% raw %}
+  --ca-url {{ caucase_url }} \
+{% endraw %}
+  --ca-crt ${aibcc-config:ca-certificate} \
+  --user-ca-crt ${aibcc-config:user-ca-certificate} \
+  --user-crl ${aibcc-config:user-crl} \
+  --crl ${aibcc-config:crl} \
+  "$@"
+
+rendered = ${directory:bin}/aibcc-caucase-wrapper
+mode = 0700
+
+{% do part_list.append('aibcc-create-user') %}
+[aibcc-create-user]
+recipe = plone.recipe.command
+# the caucase for this part is provided in this profile, so we can't fail
+# as otherwise caucase will never be started...
+stop-on-error = False
+update-command = ${:command}
+command =
+  if ! [ -f ${aibcc-config:user-created} ] ; then
+    ${aibcc-caucase-wrapper:rendered} --mode user --send-csr ${aibcc-user-csr:csr} > ${aibcc-config:csr_id} || exit 1
+    cut -d ' ' -f 1 ${aibcc-config:csr_id} || exit 1
+    csr_id=`cut -d ' ' -f 1 ${aibcc-config:csr_id}`
+    sleep 1
+    ${aibcc-caucase-wrapper:rendered} --mode user --get-crt $csr_id ${aibcc-config:key} || exit 1
+    touch ${aibcc-config:user-created}
+  fi
+
+{% do part_list.append('aibcc-user-caucase-updater') %}
+{% do part_list.append('aibcc-user-caucase-updater-promise') %}
+{{ caucase.updater(
+     prefix='aibcc-user-caucase-updater',
+     buildout_bin_directory=parameter_dict['bin_directory'],
+     updater_path='${directory:service}/aibcc-user-caucase-updater',
+     url='${aibcc-config:caucase-url}',
+     data_dir='${directory:srv}/caucase-updater',
+     crt_path='${aibcc-config:key}',
+     ca_path='${aibcc-config:user-ca-certificate}',
+     crl_path='${aibcc-config:user-crl}',
+     key_path='${aibcc-config:key}',
+     mode='user',
+)}}
+
+[aibcc-check-certificate]
+recipe = slapos.recipe.template:jinja2
+rendered = ${directory:bin}/aibcc-check-certificate
+template = inline:
+  import sys
+  import ssl
+  import urlparse
+  certificate = sys.argv[2]
+  parsed = urlparse.urlparse(sys.argv[1])
+  got_certificate = ssl.get_server_certificate((parsed.hostname, parsed.port))
+  sys.exit(0) if certificate.strip() == got_certificate.strip() else sys.exit(1)
+
+{% for csr in frontend_list %}
+[aibcc-{{ csr }}-wrapper]
+{# jinja2 instead of wrapper is used with context to remove py'u' #}
+recipe = slapos.recipe.template:jinja2
+context =
+  key csr_id_url request-{{ csr }}:connection-backend-client-csr_id-url
+  key csr_id_certificate request-{{ csr }}:connection-csr_id-certificate
+template = inline:#!{{ parameter_dict['dash'] }}/bin/dash
+  test -f ${directory:aibcc}/{{ csr }}-done && exit 0
+  ${buildout:executable} ${aibcc-check-certificate:rendered} \
+{# raw block to use context #}
+{% raw %}
+  {{ csr_id_url }} \
+  """{{ csr_id_certificate }}"""
+{% endraw %}
+  if [ $? = 0 ]; then
+    csr_id=`{{ parameter_dict['curl'] }}/bin/curl -s -k -g \
+{% raw %}
+  {{ csr_id_url }} \
+{% endraw %}
+  ` || exit 1
+    ${aibcc-caucase-wrapper:rendered} --user-key ${aibcc-config:key} --sign-csr $csr_id && touch ${directory:aibcc}/{{ csr }}-done
+  fi
+rendered = ${directory:bin}/aibcc-{{ csr }}-wrapper
+mode = 0700
+
+{% do part_list.append('aibcc-%s' % (csr,)) %}
+[aibcc-{{ csr }}]
+recipe = plone.recipe.command
+stop-on-error = True
+command =
+  ${aibcc-{{ csr }}-wrapper:rendered}
+update-command = ${:command}
+{% endfor %}
+{% endif %} {# if aibcc_enabled #}
 
 [rejected-slave-json]
 recipe = slapos.recipe.template:jinja2
@@ -599,6 +756,20 @@ config-filename = ${rejected-slave-json:rendered}
 config-state = empty
 config-url = ${rejected-slave-publish:url}
 
+[caucased-backend-client]
+hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
+{{  caucase.caucased(
+      prefix='caucased-backend-client',
+      buildout_bin_directory=parameter_dict['bin_directory'],
+      caucased_path='${directory:service}/caucased-backend-client',
+      backup_dir='${directory:backup-caucased}',
+      data_dir='${directory:caucased}',
+      netloc=caucase_netloc,
+      service_auto_approve_count=0,
+      user_auto_approve_count=1,
+      key_len=2048,
+)}}
+
 [buildout]
 extends =
   {{ common_profile }}
@@ -610,6 +781,8 @@ parts =
   request-kedifa
   rejected-slave-promise
   promise-rejected-slave-publish-ip-port
+  caucased-backend-client
+  caucased-backend-client-promise
 {% for part in part_list %}
 {{ '  %s' % part }}
 {% endfor %}

software/caddy-frontend/instance-caddy-input-schema.json

@@ -88,6 +88,16 @@
       "title": "Automatic Internal KeDiFa's Caucase CSR",
       "type": "string"
     },
+    "automatic-internal-backend-client-caucase-csr": {
+      "default": "true",
+      "description": "Automatically signs CSRs sent to Backend Client's caucase, based on csr_id and matching certificate.",
+      "enum": [
+        "true",
+        "false"
+      ],
+      "title": "Automatic Internal Backend Client's Caucase CSR",
+      "type": "string"
+    },
     "ciphers": {
       "description": "List of ciphers. Empty defaults to Caddy list of ciphers. See https://caddyserver.com/docs/tls for more information.",
       "title": "Ordered space separated list of ciphers",
@@ -98,6 +108,16 @@
       "description": "Timeout for HTTP requests.",
       "title": "HTTP Request timeout in seconds",
       "type": "integer"
+    },
+    "authenticate-to-backend": {
+      "default": "false",
+      "description": "If set to true the frontend certificate will be used as authentication certificate to the backend. Note: backend might have to know the frontend CA, available with 'backend-client-caucase-url'.",
+      "enum": [
+        "false",
+        "true"
+      ],
+      "title": "Authenticate to backend",
+      "type": "string"
     }
   },
   "title": "Input Parameters",

software/caddy-frontend/instance-output-schema.json

@@ -73,6 +73,10 @@
     "warning-list": {
       "description": "List of warning found during the request.",
       "type": "array"
+    },
+    "backend-client-caucase-url": {
+      "description": "URL to caucase used by authentication to the backend.",
+      "type": "string"
     }
   },
   "type": "object"

software/caddy-frontend/instance-slave-caddy-input-schema.json

@@ -214,6 +214,15 @@
       "description": "List of ciphers. Empty defaults to cluster list of ciphers, which by default are Caddy list of ciphers. See https://caddyserver.com/docs/tls for more information.",
       "title": "Ordered space separated list of ciphers",
       "type": "string"
+    },
+    "authenticate-to-backend": {
+      "description": "If set to true the frontend certificate will be used as authentication certificate to the backend. Note: backend might have to know the frontend CA, available with 'backend-client-caucase-url'.",
+      "enum": [
+        "false",
+        "true"
+      ],
+      "title": "Authenticate to backend",
+      "type": "string"
     }
   },
   "title": "Input Parameters",

software/caddy-frontend/instance-slave-output-schema.json

@@ -49,6 +49,10 @@
     "kedifa-caucase-url": {
       "description": "URL to caucase used by KeDiFa",
       "type": "string"
+    },
+    "backend-client-caucase-url": {
+      "description": "URL to caucase used by authentication to the backend.",
+      "type": "string"
     }
   },
   "type": "object"

software/caddy-frontend/instance.cfg.in

@@ -103,6 +103,7 @@ configuration.nginx_port = 9443
 configuration.kedifa_port = 7879
 # Warning: Caucase takes also cacuase_port+1
 configuration.caucase_port = 8890
+configuration.caucase_backend_client_port = 8990
 configuration.apache-key =
 configuration.apache-certificate =
 configuration.open-port = 80 443
@@ -121,3 +122,4 @@ configuration.backend-connect-timeout = 5
 configuration.backend-connect-retries = 3
 configuration.backend-haproxy-http-port = 21080
 configuration.backend-haproxy-https-port = 21443
+configuration.authenticate-to-backend = False

software/caddy-frontend/templates/apache-custom-slave-list.cfg.in

@@ -110,11 +110,12 @@ create = true
 {%-   do slave_instance.__setitem__('enable_http2_by_default', enable_http2_by_default) %}
 {%-   do slave_instance.__setitem__('global_disable_http2', global_disable_http2) %}
 {#-   Pass backend timeout values #}
-{%-   for key in ['backend-connect-timeout', 'backend-connect-retries', 'request-timeout'] %}
+{%-   for key in ['backend-connect-timeout', 'backend-connect-retries', 'request-timeout', 'authenticate-to-backend'] %}
 {%-     if slave_instance.get(key, '') == '' %}
 {%-       do slave_instance.__setitem__(key, configuration[key]) %}
 {%-     endif %}
 {%-   endfor %}
+{%-   do slave_instance.__setitem__('authenticate-to-backend', ('' ~ slave_instance.get('authenticate-to-backend', '')).lower() in TRUE_VALUES) %}
 {#-   Set Up log files #}
 {%-   do slave_parameter_dict.__setitem__('access_log', '/'.join([caddy_log_directory, '%s_access_log' % slave_reference])) %}
 {%-   do slave_parameter_dict.__setitem__('error_log', '/'.join([caddy_log_directory, '%s_error_log' % slave_reference])) %}
@@ -126,6 +127,7 @@ create = true
 {%-   do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
 {%-   do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
 {%-   do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %}
+{%-   do slave_publish_dict.__setitem__('backend-client-caucase-url', backend_client_caucase_url) %}
 {#-   Set slave domain if none was defined #}
 {%-   if slave_instance.get('custom_domain', None) == None %}
 {%-     set domain_prefix = slave_instance.get('slave_reference').replace("-", "").replace("_", "").lower() %}
@@ -342,6 +344,7 @@ slave-instance-information-list = {{ json_module.dumps(slave_instance_informatio
 {%- endif %}
 monitor-base-url = {{ monitor_base_url }}
 csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/csr_id.txt
+backend-client-csr_id-url = https://[${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port}/backend-haproxy-csr_id.txt
 csr_id-certificate = ${get-csr_id-certificate:certificate}
 
 [kedifa-updater]
@@ -400,6 +403,25 @@ https-port = {{ ('' ~ backend_haproxy_configuration['https-port']) }}
 request-timeout = {{ dumps('' ~ configuration['request-timeout']) }}
 backend-connect-timeout = {{ dumps('' ~ configuration['backend-connect-timeout']) }}
 backend-connect-retries =  {{ dumps('' ~ configuration['backend-connect-retries']) }}
+certificate = {{ dumps('' ~ backend_haproxy_configuration['certificate']) }}
+
+[store-backend-haproxy-csr_id]
+recipe = plone.recipe.command
+
+csr_id_path = {{ directory['csr_id'] }}/backend-haproxy-csr_id.txt
+csr_work_path = {{ directory['tmp'] }}/${:_buildout_section_name_}
+
+stop-on-error = False
+update-command = ${:command}
+command =
+  {{ bin_directory }}/caucase \
+    --ca-url {{ backend_haproxy_configuration['caucase-url'] }} \
+    --ca-crt {{ backend_haproxy_configuration['cas-ca-certificate'] }} \
+    --crl {{ backend_haproxy_configuration['crl'] }} \
+    --mode service \
+    --send-csr {{ backend_haproxy_configuration['csr'] }} > ${:csr_work_path} && \
+  cut -d ' ' -f 1 ${:csr_work_path} > ${:csr_id_path}
+
 ##<Backend haproxy>
 
 [buildout]
@@ -483,7 +505,9 @@ config-hostname = ${expose-csr_id-configuration:ip}
 config-port = ${expose-csr_id-configuration:port}
 
 [expose-csr_id]
-depends = ${store-csr_id:command}
+depends =
+  ${store-csr_id:command}
+  ${store-backend-haproxy-csr_id:command}
 recipe = slapos.cookbook:wrapper
 command-line = {{ caddy_executable }}
   -conf ${expose-csr_id-template:rendered}

software/caddy-frontend/templates/backend-haproxy.cfg.in

@@ -48,7 +48,11 @@ frontend https-backend
 {%-   for (scheme, prefix) in [('http', 'http_backend'), ('https', 'https_backend')] %}
 {%-     set info_dict = slave_instance[prefix] %}
 {%-     if info_dict['scheme'] == 'https' %}
-{%-       set ssl = ['ssl verify'] %}
+{%-       set ssl = [] %}
+{%-       if slave_instance['authenticate-to-backend'] %}
+{%-         set ssl = ['crt %s' % (configuration['certificate'],)] %}
+{%-       endif %}
+{%-       do ssl.append('ssl verify') %}
 {%-       set path_to_ssl_proxy_ca_crt = slave_instance.get('path_to_ssl_proxy_ca_crt') %}
 {%-       if slave_instance['ssl_proxy_verify'] %}
 {%-         if path_to_ssl_proxy_ca_crt %}

software/caddy-frontend/test/test.py

@@ -483,12 +483,17 @@ def fakeHTTPResult(domain, real_ip, path, port=HTTP_PORT,
 
 
 class TestHandler(BaseHTTPRequestHandler):
+  identification = None
+
   def do_GET(self):
     timeout = int(self.headers.dict.get('timeout', '0'))
     compress = int(self.headers.dict.get('compress', '0'))
     time.sleep(timeout)
     self.send_response(200)
 
+    if self.identification is not None:
+      self.send_header('X-Backend-Identification', self.identification)
+
     drop_header_list = []
     for header in self.headers.dict.get('x-drop-header', '').split():
       drop_header_list.append(header)
@@ -544,15 +549,7 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
     return "RootSoftwareInstance"
 
   @classmethod
-  def startServerProcess(cls):
-    server = HTTPServer(
-      (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address)),
-      TestHandler)
-
-    server_https = HTTPServer(
-      (cls._ipv4_address, findFreeTCPPort(cls._ipv4_address)),
-      TestHandler)
-
+  def prepareCertificate(cls):
     cls.another_server_ca = CertificateAuthority("Another Server Root CA")
     cls.test_server_ca = CertificateAuthority("Test Server Root CA")
     key, key_pem, csr, csr_pem = createCSR(
@@ -567,6 +564,17 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
         cls.test_server_certificate_pem + key_pem
       )
     cls.test_server_certificate_file.close()
+
+  @classmethod
+  def startServerProcess(cls):
+    server = HTTPServer(
+      (cls._ipv4_address, cls._server_http_port),
+      TestHandler)
+
+    server_https = HTTPServer(
+      (cls._ipv4_address, cls._server_https_port),
+      TestHandler)
+
     server_https.socket = ssl.wrap_socket(
       server_https.socket,
       certfile=cls.test_server_certificate_file.name,
@@ -585,9 +593,12 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
     cls.logger.debug('Started process %s' % (cls.server_https_process,))
 
   @classmethod
-  def stopServerProcess(cls):
+  def cleanUpCertificate(cls):
     if getattr(cls, 'test_server_certificate_file', None) is not None:
       os.unlink(cls.test_server_certificate_file.name)
+
+  @classmethod
+  def stopServerProcess(cls):
     for server in ['server_process', 'server_https_process']:
       process = getattr(cls, server, None)
       if process is not None:
@@ -838,6 +849,7 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
 
   @classmethod
   def _cleanup(cls, snapshot_name):
+    cls.cleanUpCertificate()
     cls.stopServerProcess()
     super(HttpFrontendTestCase, cls)._cleanup(snapshot_name)
 
@@ -845,6 +857,11 @@ class HttpFrontendTestCase(SlapOSInstanceTestCase):
   def setUpClass(cls):
     try:
       cls.createWildcardExampleComCertificate()
+      cls.prepareCertificate()
+      # find ports once to be able startServerProcess many times
+      cls._server_http_port = findFreeTCPPort(cls._ipv4_address)
+      cls._server_https_port = findFreeTCPPort(cls._ipv4_address)
+      cls._server_https_auth_port = findFreeTCPPort(cls._ipv4_address)
       cls.startServerProcess()
     except BaseException:
       cls.logger.exception("Error during setUpClass")
@@ -1009,6 +1026,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -1036,6 +1054,7 @@ class TestMasterRequestDomain(HttpFrontendTestCase, TestDataMixin):
     self.assertEqual(
       {
         'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'domain': 'example.com',
         'accepted-slave-amount': '0',
         'rejected-slave-amount': '0',
@@ -1064,6 +1083,7 @@ class TestMasterRequest(HttpFrontendTestCase, TestDataMixin):
     self.assertEqual(
       {
         'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'domain': 'None',
         'accepted-slave-amount': '0',
         'rejected-slave-amount': '0',
@@ -1088,14 +1108,14 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
     }
 
   @classmethod
-  def startServerProcess(cls):
+  def prepareCertificate(cls):
     cls.ca = CertificateAuthority('TestSlave')
     _, cls.customdomain_ca_key_pem, csr, _ = createCSR(
       'customdomainsslcrtsslkeysslcacrt.example.com')
     _, cls.customdomain_ca_certificate_pem = cls.ca.signCSR(csr)
     _, cls.customdomain_key_pem, _, cls.customdomain_certificate_pem = \
         createSelfSignedCertificate(['customdomainsslcrtsslkey.example.com'])
-    super(TestSlave, cls).startServerProcess()
+    super(TestSlave, cls).prepareCertificate()
 
   @classmethod
   def getSlaveParameterDictDict(cls):
@@ -1104,6 +1124,25 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
       },
       'Url': {
         'url': cls.backend_url,
+        # authenticating to http backend shall be no-op
+        'authenticate-to-backend': True,
+      },
+      'auth-to-backend': {
+        # in here use reserved port for the backend, which is going to be
+        # started later
+        'url': 'https://%s:%s/' % (
+          cls._ipv4_address, cls._server_https_auth_port),
+        'authenticate-to-backend': True,
+      },
+      'auth-to-backend-not-configured': {
+        # in here use reserved port for the backend, which is going to be
+        # started later
+        'url': 'https://%s:%s/' % (
+          cls._ipv4_address, cls._server_https_auth_port),
+      },
+      'auth-to-backend-backend-ignore': {
+        'url': cls.backend_https_url,
+        'authenticate-to-backend': True,
       },
       'url_https-url': {
         'url': cls.backend_url + 'http',
@@ -1513,10 +1552,11 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
-      'accepted-slave-amount': '52',
+      'accepted-slave-amount': '55',
       'rejected-slave-amount': '0',
-      'slave-amount': '52',
+      'slave-amount': '55',
       'rejected-slave-dict': {
       }
     }
@@ -1708,6 +1748,214 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
   timeout connect 5s
   retries 3""" in content)
 
+  def test_auth_to_backend(self):
+    parameter_dict = self.assertSlaveBase('auth-to-backend')
+    # 1. fetch certificate from backend-client-caucase-url
+    master_parameter_dict = self.parseConnectionParameterDict()
+    caucase_url = master_parameter_dict['backend-client-caucase-url']
+    ca_certificate = requests.get(caucase_url + '/cas/crt/ca.crt.pem')
+    assert ca_certificate.status_code == httplib.OK
+    ca_certificate_file = os.path.join(
+      self.working_directory, 'ca-backend-client.crt.pem')
+    with open(ca_certificate_file, 'w') as fh:
+      fh.write(ca_certificate.text)
+
+    # 2. start backend with this certificate
+    class OwnTestHandler(TestHandler):
+      identification = 'Auth Backend'
+
+    server_https_auth = HTTPServer(
+      (self._ipv4_address, self._server_https_auth_port),
+      OwnTestHandler)
+
+    server_https_auth.socket = ssl.wrap_socket(
+      server_https_auth.socket,
+      certfile=self.test_server_certificate_file.name,
+      cert_reqs=ssl.CERT_REQUIRED,
+      ca_certs=ca_certificate_file,
+      server_side=True)
+
+    backend_https_auth_url = 'https://%s:%s/' \
+        % server_https_auth.server_address
+
+    server_https_auth_process = multiprocessing.Process(
+      target=server_https_auth.serve_forever, name='HTTPSServerAuth')
+    server_https_auth_process.start()
+    self.logger.debug('Started process %s' % (server_https_auth_process,))
+    try:
+      # 3. assert that you can't fetch nothing without key
+      try:
+        requests.get(backend_https_auth_url, verify=False)
+      except Exception:
+        pass
+      else:
+        self.fail(
+          'Access to %r shall be not possible without certificate' % (
+            backend_https_auth_url,))
+      # 4. check that you can access this backend via frontend
+      #    (so it means that auth to backend worked)
+      result = fakeHTTPSResult(
+        parameter_dict['domain'], parameter_dict['public-ipv4'],
+        'test-path/deep/.././deeper',
+        headers={
+          'Timeout': '10',  # more than default backend-connect-timeout == 5
+          'Accept-Encoding': 'gzip',
+        }
+      )
+
+      self.assertEqual(
+        self.certificate_pem,
+        der2pem(result.peercert))
+
+      self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+
+      try:
+        j = result.json()
+      except Exception:
+        raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+
+      self.assertEqual(j['Incoming Headers']['timeout'], '10')
+      self.assertFalse('Content-Encoding' in result.headers)
+      self.assertBackendHeaders(
+         j['Incoming Headers'], parameter_dict['domain'])
+
+      self.assertEqual(
+        'secured=value;secure, nonsecured=value',
+        result.headers['Set-Cookie']
+      )
+      # proof that proper backend was accessed
+      self.assertEqual(
+        'Auth Backend',
+        result.headers['X-Backend-Identification']
+      )
+    finally:
+      self.logger.debug('Stopping process %s' % (server_https_auth_process,))
+      server_https_auth_process.join(10)
+      server_https_auth_process.terminate()
+      time.sleep(0.1)
+      if server_https_auth_process.is_alive():
+        self.logger.warning(
+          'Process %s still alive' % (server_https_auth_process, ))
+
+  def test_auth_to_backend_not_configured(self):
+    parameter_dict = self.assertSlaveBase('auth-to-backend-not-configured')
+    # 1. fetch certificate from backend-client-caucase-url
+    master_parameter_dict = self.parseConnectionParameterDict()
+    caucase_url = master_parameter_dict['backend-client-caucase-url']
+    ca_certificate = requests.get(caucase_url + '/cas/crt/ca.crt.pem')
+    assert ca_certificate.status_code == httplib.OK
+    ca_certificate_file = os.path.join(
+      self.working_directory, 'ca-backend-client.crt.pem')
+    with open(ca_certificate_file, 'w') as fh:
+      fh.write(ca_certificate.text)
+
+    # 2. start backend with this certificate
+    class OwnTestHandler(TestHandler):
+      identification = 'Auth Backend'
+
+    server_https_auth = HTTPServer(
+      (self._ipv4_address, self._server_https_auth_port),
+      OwnTestHandler)
+
+    server_https_auth.socket = ssl.wrap_socket(
+      server_https_auth.socket,
+      certfile=self.test_server_certificate_file.name,
+      cert_reqs=ssl.CERT_REQUIRED,
+      ca_certs=ca_certificate_file,
+      server_side=True)
+
+    backend_https_auth_url = 'https://%s:%s/' \
+        % server_https_auth.server_address
+
+    server_https_auth_process = multiprocessing.Process(
+      target=server_https_auth.serve_forever, name='HTTPSServerAuth')
+    server_https_auth_process.start()
+    self.logger.debug('Started process %s' % (server_https_auth_process,))
+    try:
+      # 3. assert that you can't fetch nothing without key
+      try:
+        requests.get(backend_https_auth_url, verify=False)
+      except Exception:
+        pass
+      else:
+        self.fail(
+          'Access to %r shall be not possible without certificate' % (
+            backend_https_auth_url,))
+      # 4. check that you can access this backend via frontend
+      #    (so it means that auth to backend worked)
+      result = fakeHTTPSResult(
+        parameter_dict['domain'], parameter_dict['public-ipv4'],
+        'test-path/deep/.././deeper',
+        headers={
+          'Timeout': '10',  # more than default backend-connect-timeout == 5
+          'Accept-Encoding': 'gzip',
+        }
+      )
+
+      self.assertEqual(
+        self.certificate_pem,
+        der2pem(result.peercert))
+
+      self.assertEqual(
+        result.status_code,
+        httplib.BAD_GATEWAY
+      )
+    finally:
+      self.logger.debug('Stopping process %s' % (server_https_auth_process,))
+      server_https_auth_process.join(10)
+      server_https_auth_process.terminate()
+      time.sleep(0.1)
+      if server_https_auth_process.is_alive():
+        self.logger.warning(
+          'Process %s still alive' % (server_https_auth_process, ))
+
+  def test_auth_to_backend_backend_ignore(self):
+    parameter_dict = self.assertSlaveBase('auth-to-backend-backend-ignore')
+
+    result = fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper',
+      headers={
+        'Timeout': '10',  # more than default backend-connect-timeout == 5
+        'Accept-Encoding': 'gzip',
+      }
+    )
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqualResultJson(result, 'Path', '/test-path/deeper')
+
+    try:
+      j = result.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+
+    self.assertEqual(j['Incoming Headers']['timeout'], '10')
+    self.assertFalse('Content-Encoding' in result.headers)
+    self.assertBackendHeaders(j['Incoming Headers'], parameter_dict['domain'])
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result.headers['Set-Cookie']
+    )
+
+    result_http = fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'],
+      'test-path/deep/.././deeper')
+
+    self.assertEqual(
+      httplib.FOUND,
+      result_http.status_code
+    )
+
+    self.assertEqual(
+      'https://authtobackendbackendignore.example.com:%s/test-path/deeper' % (
+        HTTP_PORT,),
+      result_http.headers['Location']
+    )
+
   def test_compressed_result(self):
     parameter_dict = self.assertSlaveBase('Url')
     result_compressed = fakeHTTPSResult(
@@ -1913,6 +2161,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://serveraliaswildcard.example.com',
         'secure_access': 'https://serveraliaswildcard.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -1947,6 +2196,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://serveraliasduplicated.example.com',
         'secure_access': 'https://serveraliasduplicated.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -1982,6 +2232,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://alias4.example.com',
         'secure_access': 'https://alias4.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2014,6 +2265,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://customdomainsslcrtsslkeysslcacrt.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2065,6 +2317,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://sslcacrtonly.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2097,6 +2350,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://sslcacrtgarbage.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2151,6 +2405,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://sslcacrtdoesnotmatch.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2220,6 +2475,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2247,6 +2503,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2282,6 +2539,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://*.customdomain.example.com',
         'secure_access': 'https://*.customdomain.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2311,6 +2569,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2583,6 +2842,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2839,6 +3099,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://typeeventsource.nginx.example.com',
         'secure_access': 'https://typeeventsource.nginx.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -2907,6 +3168,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://sslproxyverifysslproxycacrtunverified.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -3018,6 +3280,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://enablecachesslproxyverifysslproxycacrtunverified.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -3117,6 +3380,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://typezopesslproxyverifysslproxycacrtunverified.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -3325,6 +3589,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -3524,10 +3789,7 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         r'^http\/1.1 caddy-frontend-1\[.*\] \(ApacheTrafficServer\/7.1.6\)$'
       )
     finally:
-      self.callSupervisorMethod('startProcess', caddy_process_name)
-      # give few moments for caddy to start
-      # XXX: convert to a loop which awaits caddy to be ready
-      time.sleep(2)
+      self.startServerProcess()
     # END: check stale-if-error support
 
   def test_enable_cache_ats_timeout(self):
@@ -4056,6 +4318,7 @@ class TestReplicateSlave(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://replicate.example.com',
         'secure_access': 'https://replicate.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4170,6 +4433,7 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
         'secure_access':
         'https://enablehttp2default.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4190,6 +4454,7 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
         'secure_access':
         'https://enablehttp2false.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4210,6 +4475,7 @@ class TestEnableHttp2ByDefaultFalseSlave(SlaveHttpFrontendTestCase,
         'secure_access':
         'https://enablehttp2true.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4261,6 +4527,7 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
         'secure_access':
         'https://enablehttp2default.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4281,6 +4548,7 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
         'secure_access':
         'https://enablehttp2false.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4295,6 +4563,7 @@ class TestEnableHttp2ByDefaultDefaultSlave(SlaveHttpFrontendTestCase,
     self.assertEqual(
       {
         'domain': 'enablehttp2true.example.com',
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'replication_number': '1',
         'url': 'http://enablehttp2true.example.com',
         'site_url': 'http://enablehttp2true.example.com',
@@ -4346,6 +4615,7 @@ class TestRe6stVerificationUrlDefaultSlave(SlaveHttpFrontendTestCase,
         'site_url': 'http://default.None',
         'secure_access': 'https://default.None',
         'public-ipv4': 'None',
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4457,6 +4727,7 @@ class TestMalformedBackenUrlSlave(SlaveHttpFrontendTestCase,
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
       'accepted-slave-amount': '1',
       'rejected-slave-amount': '2',
@@ -4555,6 +4826,7 @@ class TestDefaultMonitorHttpdPort(SlaveHttpFrontendTestCase, TestDataMixin):
       {
         'domain': 'test.None', 'replication_number': '1',
         'url': 'http://test.None', 'site_url': 'http://test.None',
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'secure_access': 'https://test.None', 'public-ipv4': 'None'},
       parameter_dict
     )
@@ -4632,6 +4904,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
       'accepted-slave-amount': '6',
       'rejected-slave-amount': '3',
@@ -4668,6 +4941,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://serveraliassame.example.com',
         'secure_access': 'https://serveraliassame.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4729,6 +5003,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://virtualhostroothttpportunsafe.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4757,6 +5032,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'secure_access':
         'https://virtualhostroothttpsportunsafe.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4787,6 +5063,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://defaultpathunsafe.example.com',
         'secure_access': 'https://defaultpathunsafe.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4821,6 +5098,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://monitoripv4testunsafe.example.com',
         'secure_access': 'https://monitoripv4testunsafe.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4865,6 +5143,7 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://monitoripv6testunsafe.example.com',
         'secure_access': 'https://monitoripv6testunsafe.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -4936,6 +5215,7 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
       'accepted-slave-amount': '1',
       'rejected-slave-amount': '3',
@@ -4964,6 +5244,7 @@ class TestDuplicateSiteKeyProtection(SlaveHttpFrontendTestCase, TestDataMixin):
         'site_url': 'http://duplicate.example.com',
         'secure_access': 'https://duplicate.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5017,6 +5298,7 @@ class TestSlaveGlobalDisableHttp2(TestSlave):
         'secure_access':
         'https://enablehttp2default.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5076,6 +5358,7 @@ class TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2(
         'secure_access':
         'https://enablehttp2true.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5107,6 +5390,7 @@ class TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2(
         'secure_access':
         'https://enablehttp2true.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5127,6 +5411,7 @@ class TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2(
         'secure_access':
         'https://enablehttp2default.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5187,7 +5472,8 @@ class TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster(
         'url': 'http://%s.example.com' % (hostname, ),
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
-        'public-ipv4': self._ipv4_address
+        'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5243,7 +5529,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
     # Do not upload certificates for the master partition
 
   @classmethod
-  def startServerProcess(cls):
+  def prepareCertificate(cls):
     _, cls.ssl_from_slave_key_pem, _, cls.ssl_from_slave_certificate_pem = \
       createSelfSignedCertificate(
         [
@@ -5287,7 +5573,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         createSelfSignedCertificate(['customdomainsslcrtsslkey.example.com'])
 
     super(
-      TestSlaveSlapOSMasterCertificateCompatibility, cls).startServerProcess()
+      TestSlaveSlapOSMasterCertificateCompatibility, cls).prepareCertificate()
 
   @classmethod
   def getInstanceParameterDict(cls):
@@ -5388,6 +5674,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
       'accepted-slave-amount': '12',
       'rejected-slave-amount': '0',
@@ -5465,7 +5752,8 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'url': 'http://%s.example.com' % (hostname, ),
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
-        'public-ipv4': self._ipv4_address
+        'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5492,7 +5780,8 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'url': 'http://%s.example.com' % (hostname, ),
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
-        'public-ipv4': self._ipv4_address
+        'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5548,6 +5837,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -5580,6 +5870,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -5638,7 +5929,8 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'url': 'http://%s.example.com' % (hostname, ),
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
-        'public-ipv4': self._ipv4_address
+        'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5666,7 +5958,8 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'url': 'http://%s.example.com' % (hostname, ),
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
-        'public-ipv4': self._ipv4_address
+        'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -5724,6 +6017,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -5756,6 +6050,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -5833,6 +6128,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': ['ssl_key is obsolete, please use key-upload-url',
                          'ssl_crt is obsolete, please use key-upload-url']
       },
@@ -5862,6 +6158,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'secure_access':
         'https://customdomainsslcrtsslkeysslcacrt.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -5952,6 +6249,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'secure_access':
         'https://sslcacrtgarbage.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -5983,6 +6281,7 @@ class TestSlaveSlapOSMasterCertificateCompatibility(
         'secure_access':
         'https://sslcacrtdoesnotmatch.example.com',
         'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
         'warning-list': [
           'ssl_key is obsolete, please use key-upload-url',
           'ssl_crt is obsolete, please use key-upload-url',
@@ -6078,6 +6377,7 @@ class TestSlaveSlapOSMasterCertificateCompatibilityUpdate(
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
       'accepted-slave-amount': '1',
       'rejected-slave-amount': '0',
@@ -6106,7 +6406,8 @@ class TestSlaveSlapOSMasterCertificateCompatibilityUpdate(
         'url': 'http://%s.example.com' % (hostname, ),
         'site_url': 'http://%s.example.com' % (hostname, ),
         'secure_access': 'https://%s.example.com' % (hostname, ),
-        'public-ipv4': self._ipv4_address
+        'public-ipv4': self._ipv4_address,
+        'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       },
       parameter_dict
     )
@@ -6182,6 +6483,7 @@ class TestSlaveCiphers(SlaveHttpFrontendTestCase, TestDataMixin):
 
     expected_parameter_dict = {
       'monitor-base-url': 'https://[%s]:8401' % self._ipv6_address,
+      'backend-client-caucase-url': 'http://[%s]:8990' % self._ipv6_address,
       'domain': 'example.com',
       'accepted-slave-amount': '2',
       'rejected-slave-amount': '0',

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt

@@ -11,6 +11,12 @@ T-2/var/log/frontend-error.log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_Url_access_log
 T-2/var/log/httpd/_Url_error_log
+T-2/var/log/httpd/_auth-to-backend-backend-ignore_access_log
+T-2/var/log/httpd/_auth-to-backend-backend-ignore_error_log
+T-2/var/log/httpd/_auth-to-backend-not-configured_access_log
+T-2/var/log/httpd/_auth-to-backend-not-configured_error_log
+T-2/var/log/httpd/_auth-to-backend_access_log
+T-2/var/log/httpd/_auth-to-backend_error_log
 T-2/var/log/httpd/_ciphers_access_log
 T-2/var/log/httpd/_ciphers_error_log
 T-2/var/log/httpd/_custom_domain_access_log

software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestSlave.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt

@@ -11,6 +11,12 @@ T-2/var/log/frontend-error.log
 T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_Url_access_log
 T-2/var/log/httpd/_Url_error_log
+T-2/var/log/httpd/_auth-to-backend-backend-ignore_access_log
+T-2/var/log/httpd/_auth-to-backend-backend-ignore_error_log
+T-2/var/log/httpd/_auth-to-backend-not-configured_access_log
+T-2/var/log/httpd/_auth-to-backend-not-configured_error_log
+T-2/var/log/httpd/_auth-to-backend_access_log
+T-2/var/log/httpd/_auth-to-backend_error_log
 T-2/var/log/httpd/_ciphers_access_log
 T-2/var/log/httpd/_ciphers_error_log
 T-2/var/log/httpd/_custom_domain_access_log

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt

 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py
@@ -17,6 +19,7 @@ T-1/etc/plugin/monitor-bootstrap-status.py
 T-1/etc/plugin/monitor-http-frontend.py
 T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
 T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
 T-2/etc/plugin/backend-haproxy-configuration.py
 T-2/etc/plugin/backend_haproxy_http.py
 T-2/etc/plugin/backend_haproxy_https.py

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
 T-0:aikc-user-caucase-updater-on-watch RUNNING
 T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
 T-0:certificate_authority-{hash-generic}-on-watch RUNNING
 T-0:crond-{hash-generic}-on-watch RUNNING
 T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
@@ -17,6 +19,7 @@ T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
 T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
 T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED