caddy-frontend: Working implementation

Features: * shared place for Caddy configuration * gather a lot of parameters for caddy executable, as dislike Apache Caddy is configured from command line * dummy vhost for example.org * challanges (ACME SSL) are disabled * bind to interfaces are done per site * cache access is dummy, but working * /server-status redone in Caddy style * antiloris dropped, as this is apache specific * apache_custom_http and apache_custom_https * dropped not needed leftover access-control-string and protected-path * nginx replacement added * bin/caddy-wrapper is provided in order to allow parameterization of caddy over the network * access to log files over http is provided * username on log access is consistent, it is not uppercased like it was originally on apache-frontend * list of TODOs in TODO.rst

caddy-frontend: Working implementation
Features: * shared place for Caddy configuration * gather a lot of parameters for caddy executable, as dislike Apache Caddy is configured from command line * dummy vhost for example.org * challanges (ACME SSL) are disabled * bind to interfaces are done per site * cache access is dummy, but working * /server-status redone in Caddy style * antiloris dropped, as this is apache specific * apache_custom_http and apache_custom_https * dropped not needed leftover access-control-string and protected-path * nginx replacement added * bin/caddy-wrapper is provided in order to allow parameterization of caddy over the network * access to log files over http is provided * username on log access is consistent, it is not uppercased like it was originally on apache-frontend * list of TODOs in TODO.rst
4ba968e4 · Łukasz Nowak · 97ef6396 · 4ba968e4 · 4ba968e4 · 4ba968e4
Commit 4ba968e4 authored May 10, 2018 by Łukasz Nowak
18 changed files
--- a/software/caddy-frontend/TODO.rst
+++ b/software/caddy-frontend/TODO.rst
+Generally things to be done with ``caddy-frontend``:
+
+ * ``apache-ca-certificate`` shall be merged with ``apache-certificate``
+ * (new) ``type:websocket`` slave
+ * ``type:eventsource`` https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_58483
+ * ``ssl_ca_crt``
+ * ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy)
+ * ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)
+ * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store`
+ * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
+ * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
+ * simplify Jijna2 syntax and drop whitespace control, as it is not needed
+ * make beautiful (eg. with whitespaces and nice comments) generated files (mostly Jinja2)
+ * have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones (like ``apache_custom_http`` --> ``caddy_custom_http``)
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -4,7 +4,6 @@
 # - "^[" section beginings, copied verbatim
 # - lines containing an "=" sign which must fit in the following categorie.
 #   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
-#     But avoid directories, they are not portable.
 #     Copied verbatim.
 #   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
 #     by the re-generation script.
@@ -19,7 +18,7 @@ md5sum = f686f765e55d1dce2e55a400f0714b3e

 [template-apache-frontend]
 filename = instance-apache-frontend.cfg
-md5sum = b6a2c860ea1cd4bc9d185c7108c52d0a
+md5sum = 7414a34216db1cce54b38b59fc762141

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -27,43 +26,39 @@ md5sum = 9e76028df7e93d3e32982884d5dc0913

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 24e514ad6f15859229db46f24a8cd280
+md5sum = 74bfedd670b05eb653804075fa7e0d86

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
-md5sum = d103143e5d50682bd5ad43117d82e2fa
+md5sum = 74275ad73b03114c69f80c8f8ae73374

 [template-replicate-publish-slave-information]
 filename = templates/replicate-publish-slave-information.cfg.in
 md5sum = 665e83d660c9b779249b2179d7ce4b4e

-[template-apache-frontend-configuration]
-filename = templates/apache.conf.in
-md5sum = a56045e7b53ff00ab34d2a8f911fc1a1
+[template-caddy-frontend-configuration]
+filename = templates/Caddyfile.in
+md5sum = a8765b3c3af9f4f4f6437028aa42c58f

 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = 24e514ad6f15859229db46f24a8cd280
+md5sum = 74bfedd670b05eb653804075fa7e0d86

 [template-not-found-html]
 filename = templates/notfound.html
 md5sum = f20d6c3d2d94fb685f8d26dfca1e822b

-[template-default-virtualhost]
-filename = templates/000.conf.in
-md5sum = d98a01182f38868612948c87d5231428
-
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = 7f38084af107034bedefba971abe165c
+md5sum = cab1b54a568fb24ed0f409b0f3e5fad2

 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
-md5sum = 1a1a53d9ac4a1591c017d86850a94796
+md5sum = 42a574141f2d8e27669e3848d2e600a1

 [template-log-access]
 filename = templates/template-log-access.conf.in
-md5sum = f85005b430978f3bd24ee7ce11b0e304
+md5sum = 82bd8044f51d5b28f8e43b14704c282e

 [template-empty]
 filename = templates/empty.in
@@ -73,6 +68,10 @@ md5sum = c2314c3a9c3412a38d14b312d3df83c1
 filename = templates/wrapper.in
 md5sum = 8cde04bfd0c0e9bd56744b988275cfd8

+[template-caddy-wrapper]
+filename = templates/caddy-wrapper.in
+md5sum = c5816275757124613920078b6bec1caf
+
 [template-trafficserver-records-config]
 filename = templates/trafficserver/records.config.jinja2
 md5sum = 84baef0a49c9a65e8f2d2ffdb8c1d39c
@@ -83,20 +82,20 @@ md5sum = 117238225b3fc3c5b5be381815f44c67

 [template-nginx-configuration]
 filename = templates/nginx.cfg.in
-md5sum = 18633ce55e53340efa1ba7693aac4152
+md5sum = cdc550b5067f76f1cab24f94178710a4

 [template-nginx-eventsource-slave-virtualhost]
 filename = templates/nginx-eventsource-slave.conf.in
-md5sum = a5186f666acb2f040ede04c91e60408f
+md5sum = 7fb09bb130dc463a6736c1f319e798d6

 [template-nginx-notebook-slave-virtualhost]
 filename = templates/nginx-notebook-slave.conf.in
-md5sum = 82d74a7f2aceb2b4a7acc6259291b7f2
+md5sum = afa11dda952b2317227e5c72508aeda2

 [template-apache-lazy-script-call]
 filename = templates/apache-lazy-script-call.sh.in
 md5sum = ebe5d3d19923eb812a40019cb11276d8

-[template-apache-graceful-script]
-filename = templates/apache-graceful-script.sh.in
-md5sum = 41299cc64200e7b8217fb9dec20bb8b9
+[template-caddy-graceful-script]
+filename = templates/caddy-graceful-script.sh.in
+md5sum = 455f8765a3afd39fb78562fb9e326c42
--- a/software/caddy-frontend/common.cfg
+++ b/software/caddy-frontend/common.cfg
@@ -10,7 +10,6 @@ extends =
  ../../component/rdiff-backup/buildout.cfg
  ../../component/trafficserver/buildout.cfg

-  ../../component/nginx/buildout.cfg
  ../../stack/nodejs.cfg
 # Monitoring stack (keep on bottom)
  ../../stack/monitor/buildout.cfg
@@ -20,12 +19,10 @@ parts +=
  template-apache-frontend
  template-apache-replicate
  apache
-  apache-antiloris

  dcron
  logrotate
  rdiff-backup
-  nginx-push-stream-output
  npm-modules
  proxy-by-url
  http-proxy
@@ -70,9 +67,9 @@ filename = custom-virtualhost.conf.in
 <=download-template
 filename = replicate-publish-slave-information.cfg.in

-[template-apache-frontend-configuration]
+[template-caddy-frontend-configuration]
 <=download-template
-filename = apache.conf.in
+filename = Caddyfile.in

 [template-custom-slave-list]
 <=download-template
@@ -82,10 +79,6 @@ filename = apache-default-slave-list.cfg.in
 <=download-template
 filename = notfound.html

-[template-default-virtualhost]
-<=download-template
-filename = 000.conf.in
-
 [template-default-slave-virtualhost]
 <=download-template
 filename = default-virtualhost.conf.in
@@ -102,6 +95,12 @@ filename = template-log-access.conf.in
 <=download-template
 filename = empty.in

+[template-caddy-wrapper]
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/templates/caddy-wrapper.in
+output = ${buildout:directory}/template-caddy-wrapper.cfg
+mode = 0644
+
 [template-wrapper]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/templates/wrapper.in
@@ -137,9 +136,9 @@ mode = 0644
 <=download-template
 filename = apache-lazy-script-call.sh.in

-[template-apache-graceful-script]
+[template-caddy-graceful-script]
 <=download-template
-filename = apache-graceful-script.sh.in
+filename = caddy-graceful-script.sh.in

 [template-nginx-eventsource-slave-virtualhost]
 <=download-template

--- a/software/caddy-frontend/instance-apache-frontend.cfg
+++ b/software/caddy-frontend/instance-apache-frontend.cfg
--- a/software/caddy-frontend/templates/000.conf.in
+++ b/software/caddy-frontend/templates/000.conf.in
-<VirtualHost *:{{ https_port }}>
-  ServerName www.example.org
-  SSLEngine on
-  SSLProxyEngine on
-  SSLProtocol all -SSLv2 -SSLv3
-  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-  SSLHonorCipherOrder on
-
-  # Rewrite part
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-
-  ErrorDocument 404 /notfound.html
-
-</VirtualHost>
-
-<VirtualHost *:{{ http_port }}>
-
-  ServerName www.example.org
-  ErrorDocument 404 /notfound.html
-</VirtualHost>
\ No newline at end of file
--- a/software/caddy-frontend/templates/Caddyfile.in
+++ b/software/caddy-frontend/templates/Caddyfile.in
+# Automatically generated
+
+# As backend is trusting REMOTE_USER header unset it always
+# TODO-Caddy RequestHeader unset REMOTE_USER
+
+# TODO-Caddy <Directory {{ document_root }}>
+# TODO-Caddy   Require all granted
+# TODO-Caddy   Options -Indexes
+# TODO-Caddy   ErrorDocument 404 /notfound.html
+# TODO-Caddy   RewriteEngine on
+# TODO-Caddy   RewriteRule ^/?$ notfound.html [R=404,L]
+# TODO-Caddy </Directory>
+
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+# TODO-Caddy BrowserMatch "Mozilla/2" nokeepalive
+# TODO-Caddy BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
+# TODO-Caddy                         downgrade-1.0 force-response-1.0
+# TODO-Caddy BrowserMatch "RealPlayer 4\.0" force-response-1.0
+# TODO-Caddy BrowserMatch "Java/1\.0" force-response-1.0
+# TODO-Caddy BrowserMatch "JDK/1\.0" force-response-1.0
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash.  This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+# TODO-Caddy BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+# TODO-Caddy BrowserMatch "MS FrontPage" redirect-carefully
+# TODO-Caddy BrowserMatch "^WebDrive" redirect-carefully
+# TODO-Caddy BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+# TODO-Caddy BrowserMatch "^gnome-vfs" redirect-carefully
+# TODO-Caddy BrowserMatch "^XML Spy" redirect-carefully
+# TODO-Caddy BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+
+
+# Deflate
+# TODO-Caddy AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
+# TODO-Caddy BrowserMatch ^Mozilla/4 gzip-only-text/html
+# TODO-Caddy BrowserMatch ^Mozilla/4\.0[678] no-gzip
+# TODO-Caddy BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+# SSL Configuration
+# TODO-Caddy {% if slapparameter_dict.get('apache-ca-certificate') %}
+# TODO-Caddy SSLCACertificateFile {{ login_ca_crt }}
+# TODO-Caddy {% endif %}
+# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
+# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+# TODO-Caddy SSLHonorCipherOrder on
+# TODO-Caddy <FilesMatch "\.(cgi|shtml|phtml|php)$">
+# TODO-Caddy       SSLOptions +StdEnvVars
+# TODO-Caddy </FilesMatch>
+# Accept proxy to sites using self-signed SSL certificates
+# TODO-Caddy SSLProxyCheckPeerCN off
+# TODO-Caddy SSLProxyCheckPeerExpire off
+
+import {{frontend_configuration.get('log-access-configuration')}}
+import {{ slave_configuration_directory }}/*.conf
+import {{ slave_with_cache_configuration_directory }}/*.conf
+
+https://[{{ global_ipv6 }}]:{{ https_port }}/, https://{{ local_ipv4 }}:{{ https_port }}/ {
+  tls {{ login_certificate }} {{ login_key }}
+  bind {{ local_ipv4 }}
+  status 404 /
+# TODO-Caddy   LogLevel notice
+# TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+  log / {{ access_log }} {combined}
+  errors {{ error_log }}
+}
+
+https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
+  tls {{ login_certificate }} {{ login_key }}
+  bind {{ local_ipv4 }}
+  basicauth "{{ username }}" {{ password }} {
+    "Server Status"
+    /
+  }
+  expvar
+  pprof
+# TODO-Caddy   LogLevel notice
+# TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+  log / {{ access_log }} {combined}
+  errors {{ error_log }}
+}
+
+http://[{{ global_ipv6 }}]:{{ http_port }}/, http://{{ local_ipv4 }}:{{ http_port }}/ {
+  bind {{ local_ipv4 }}
+  status 404 /
+# TODO-Caddy   LogLevel notice
+# TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+  log / {{ access_log }} {combined}
+  errors {{ error_log }}
+}
+
+# TODO-Caddy ErrorDocument 404 /notfound.html
+# TODO-Caddy RewriteRule (.*) /notfound.html [R=404,L]
--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -9,7 +9,7 @@
 {% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) -%}
 {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
 {% set NGINX_TYPE_LIST = ['eventsource', 'notebook'] -%}
-{% set generic_instance_parameter_dict = {'cache_access': cache_access,} -%}
+{% set generic_instance_parameter_dict = { 'cache_access': cache_access, 'local_ipv4': local_ipv4, 'http_port': http_port, 'https_port': https_port} %}
 {% set slave_log_dict = {} -%}
 {% if extra_slave_instance_list -%}
 {%   set slave_instance_information_list = [] -%}
@@ -47,7 +47,6 @@ crl = {{ custom_ssl_directory }}/crl/

 {# Loop throught slave list to set up slaves #}
 {% for slave_instance in slave_instance_list -%}
-{#   # Do all set and do upper, so it makes easy to read the file later #} 
 {%   set slave_reference = slave_instance.get('slave_reference') -%}
 {%   set slave_type = slave_instance.get('type', '') -%}
 {%   set slave_section_title = 'dynamic-template-slave-instance-%s' % slave_reference -%}
@@ -57,10 +56,9 @@ crl = {{ custom_ssl_directory }}/crl/
 {%   set slave_logrotate_section = slave_reference + "-logs" -%}
 {%   set slave_password_section = slave_reference + "-password" -%}
 {%   set slave_ln_section = slave_reference + "-ln" -%}
-{%   set slave_htaccess_section = slave_reference + '-htaccess' %}

 {#   extend parts #}
-{%   do part_list.extend([slave_htaccess_section, slave_ln_section]) -%}
+{%   do part_list.extend([slave_ln_section]) -%}
 {%   do part_list.extend([slave_logrotate_section, slave_section_title]) -%}

 {%   set slave_log_folder = logrotate_dict.get('backup') + '/' + slave_reference + "-logs" -%}
@@ -74,7 +72,7 @@ crl = {{ custom_ssl_directory }}/crl/
 {#   Add slave log directory to the slave log access dict #}
 {%   do slave_log_dict.__setitem__(slave_reference, slave_log_folder) %}

-{%   set slave_log_access_url = 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('apache-ipv6') + ']:' + frontend_configuration.get('apache-https-port') + '/' + slave_reference.lower() + '/' %}
+{%   set slave_log_access_url = 'https://' + slave_reference + ':${'+ slave_password_section +':passwd}@[' + frontend_configuration.get('caddy-ipv6') + ']:' + frontend_configuration.get('caddy-https-port') + '/' + slave_reference.lower() + '/' %}
 {%   do slave_publish_dict.__setitem__('log-access', slave_log_access_url) %}
 {%   do slave_publish_dict.__setitem__('slave-reference', slave_reference) %}
 {%   do slave_publish_dict.__setitem__('public-ipv4', public_ipv4) %}
@@ -101,16 +99,19 @@ crl = {{ custom_ssl_directory }}/crl/
 {%     do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
 {%   endif -%}

-{%   if not slave_instance.has_key('apache_custom_http') %}
+{%   if not slave_instance.has_key('apache_custom_http') and not slave_instance.has_key('apache_custom_https') %}
 {%     do slave_publish_dict.__setitem__('domain', slave_instance.get('custom_domain')) -%}
 {%     do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) -%}
 {%     do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) -%}
 {%     do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) -%}
 {%   endif -%}

-[slave-log-directories]
+[slave-log-directory-dict]
 {{slave_reference}} = {{ slave_log_folder }}

+[slave-password]
+{{ slave_reference }} = {{ '${' + slave_password_section + ':passwd}' }}
+
 {# Set slave logrotate entry #}
 [{{slave_logrotate_section}}]
 <= logrotate
@@ -131,13 +132,6 @@ recipe = slapos.cookbook:generate.password
 storage-path = {{apache_configuration_directory}}/.{{slave_reference}}.passwd
 bytes = 8

-{# Set up htaccess file for slave #}
-[{{slave_htaccess_section}}]
-recipe = plone.recipe.command
-stop-on-error = true
-htaccess-path = {{apache_configuration_directory}}/.{{slave_reference}}.htaccess
-command = {{frontend_configuration.get('apache-directory')}}/bin/htpasswd -cb ${:htaccess-path} {{ slave_reference }} {{ '${' + slave_password_section + ':passwd}' }}
-
 {# ################################################## #}
 {# Set Slave Certificates if needed                   #}

@@ -162,6 +156,13 @@ value = {{ dumps(slave_instance.get(cert_name)) }}
 {%     endif -%}
 {%   endfor -%}

+{#-   Set Up Certs #}
+{%-   do slave_instance.__setitem__('login_certificate', login_certificate) %}
+{%-   do slave_instance.__setitem__('login_key', login_key) %}
+{%-   do slave_instance.__setitem__('login_ca_crt', login_ca_crt) %}
+{%-   do slave_instance.__setitem__('enable_http2_by_default', enable_http2_by_default) %}
+{%-   do slave_parameter_dict.__setitem__('ssl_crt', login_certificate) %}
+{%-   do slave_parameter_dict.__setitem__('ssl_key', login_key) %}
 {%   if 'ssl_key' in slave_instance and 'ssl_crt' in slave_instance -%}
 {%     set cert_title = '%s-crt' % (slave_reference) -%}
 {%     set key_title = '%s-key' % (slave_reference) -%}
@@ -320,6 +321,7 @@ extra-context =
 {% endfor %}

 [slave-log-directories]
+<= slave-log-directory-dict
 recipe = slapos.cookbook:mkdirectory

 {# Define log access #}
@@ -328,9 +330,19 @@ recipe = slapos.cookbook:mkdirectory
 template = {{frontend_configuration.get('template-log-access')}}
 rendered = {{frontend_configuration.get('log-access-configuration')}}
 extra-context =
-    section slave_log_directory slave-log-directories
+    section slave_log_directory slave-log-directory-dict
+    section slave_password slave-password
    raw apache_log_directory {{apache_log_directory}}
    raw apache_configuration_directory {{apache_configuration_directory}}
+    raw local_ipv4 {{ local_ipv4 }}
+    raw local_ipv6 {{ local_ipv6 }}
+    raw https_port {{ https_port }}
+    raw http_port {{ http_port }}
+    raw global_ipv6 {{ global_ipv6 }}
+    raw login_certificate {{ login_certificate }}
+    raw login_key {{ login_key }}
+    raw access_log {{ access_log }}
+    raw error_log {{ error_log }}

 {# Publish information for the instance #}
 [publish-apache-information]

--- a/software/caddy-frontend/templates/apache-graceful-script.sh.in
+++ b/software/caddy-frontend/templates/apache-graceful-script.sh.in
-#!/bin/sh
-
-RUN_DIR={{ directory_run }}
-ETC_DIR={{ directory_etc }}
-
-APACHE_SIGNATURE_FILE=$RUN_DIR/apache_configuration.signature
-NAPACHE_SIGNATURE_FILE=$RUN_DIR/napache_configuration.signature
-
-touch $APACHE_SIGNATURE_FILE
-sha256sum $ETC_DIR/apache*.conf $ETC_DIR/apache-*.d/*.conf $ETC_DIR/apache-*.d/ssl/*.*key $ETC_DIR/apache-*.d/ssl/*.*crt* | sort -k 66 > $NAPACHE_SIGNATURE_FILE 
-
-# If no diff, no restart for now
-if diff "$APACHE_SIGNATURE_FILE" "$NAPACHE_SIGNATURE_FILE"; then
-  echo "Nothing Changed, so nothing to reload"
-  exit 0
-fi
-echo "Reloading apache.."
-
-{{ apache_graceful_reload_command }}
-
-mv "$NAPACHE_SIGNATURE_FILE" "$APACHE_SIGNATURE_FILE" 
--- a/software/caddy-frontend/templates/apache.conf.in
+++ b/software/caddy-frontend/templates/apache.conf.in
-# Apache configuration file for Zope
-# Automatically generated
-
-# Basic server configuration
-PidFile "{{ pid_file }}"
-ServerName {{ domain }}
-DocumentRoot {{ document_root }}
-ServerRoot {{ instance_home }}
-
-{{ "Listen %s:%s" % (ipv4_addr, cached_port)  }}
-{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port)  }}
-{% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%}
-{%   for port in (http_port, https_port) -%}
-{{ "Listen %s:%s" % (ip, port)  }}
-{%   endfor -%}
-{% endfor -%}
-
-ServerAdmin {{ server_admin }}
-TypesConfig {{ httpd_home }}/conf/mime.types
-AddType application/x-compress .Z
-AddType application/x-gzip .gz .tgz
-
-# As backend is trusting REMOTE_USER header unset it always
-RequestHeader unset REMOTE_USER
-
-ServerTokens Prod
-
-# Disable TRACE Method
-TraceEnable off
-
-# Log configuration
-ErrorLog "{{ error_log }}"
-LogLevel notice
-# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common
-# CustomLog "{{ access_log }}" common
-LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
-CustomLog "{{ access_log }}" combined
-
-<Directory {{ protected_path }}>
-  Order Deny,Allow
-  Allow from {{ access_control_string }}
-</Directory>
-
-<Directory {{ document_root }}>
-  Require all granted
-  Options -Indexes
-  ErrorDocument 404 /notfound.html
-  RewriteEngine on
-  RewriteRule ^/?$ notfound.html [R=404,L]
-</Directory>
-
-# List of modules
-LoadModule unixd_module        {{ httpd_home }}/modules/mod_unixd.so
-LoadModule access_compat_module {{ httpd_home }}/modules/mod_access_compat.so
-LoadModule authz_core_module  {{ httpd_home }}/modules/mod_authz_core.so
-LoadModule authz_host_module  {{ httpd_home }}/modules/mod_authz_host.so
-LoadModule authn_core_module  {{ httpd_home }}/modules/mod_authn_core.so
-LoadModule log_config_module  {{ httpd_home }}/modules/mod_log_config.so
-LoadModule deflate_module     {{ httpd_home }}/modules/mod_deflate.so
-LoadModule setenvif_module    {{ httpd_home }}/modules/mod_setenvif.so
-LoadModule version_module     {{ httpd_home }}/modules/mod_version.so
-LoadModule proxy_module       {{ httpd_home }}/modules/mod_proxy.so
-LoadModule proxy_http_module  {{ httpd_home }}/modules/mod_proxy_http.so
-LoadModule ssl_module         {{ httpd_home }}/modules/mod_ssl.so
-LoadModule mime_module        {{ httpd_home }}/modules/mod_mime.so
-LoadModule dav_module         {{ httpd_home }}/modules/mod_dav.so
-LoadModule dav_fs_module      {{ httpd_home }}/modules/mod_dav_fs.so
-LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so
-LoadModule rewrite_module     {{ httpd_home }}/modules/mod_rewrite.so
-LoadModule headers_module     {{ httpd_home }}/modules/mod_headers.so
-LoadModule cache_module       {{ httpd_home }}/modules/mod_cache.so
-LoadModule cache_socache_module   {{ httpd_home }}/modules/mod_cache_socache.so
-LoadModule socache_shmcb_module   {{ httpd_home }}/modules/mod_socache_shmcb.so
-LoadModule antiloris_module   {{ httpd_home }}/modules/mod_antiloris.so
-LoadModule alias_module       {{ httpd_home }}/modules/mod_alias.so
-LoadModule autoindex_module   {{ httpd_home }}/modules/mod_autoindex.so
-LoadModule auth_basic_module  {{ httpd_home }}/modules/mod_auth_basic.so
-LoadModule authz_user_module  {{ httpd_home }}/modules/mod_authz_user.so
-LoadModule authn_file_module  {{ httpd_home }}/modules/mod_authn_file.so
-LoadModule filter_module       {{ httpd_home }}/modules/mod_filter.so
-LoadModule http2_module       {{ httpd_home }}/modules/mod_http2.so
-LoadModule info_module        {{ httpd_home }}/modules/mod_info.so
-LoadModule status_module      {{ httpd_home }}/modules/mod_status.so
-LoadModule reqtimeout_module  {{ httpd_home }}/modules/mod_reqtimeout.so
-
-# The following directives modify normal HTTP response behavior to
-# handle known problems with browser implementations.
-BrowserMatch "Mozilla/2" nokeepalive
-BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
-                        downgrade-1.0 force-response-1.0
-BrowserMatch "RealPlayer 4\.0" force-response-1.0
-BrowserMatch "Java/1\.0" force-response-1.0
-BrowserMatch "JDK/1\.0" force-response-1.0
-# The following directive disables redirects on non-GET requests for
-# a directory that does not include the trailing slash.  This fixes a
-# problem with Microsoft WebFolders which does not appropriately handle
-# redirects for folders with DAV methods.
-# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
-BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
-BrowserMatch "MS FrontPage" redirect-carefully
-BrowserMatch "^WebDrive" redirect-carefully
-BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
-BrowserMatch "^gnome-vfs" redirect-carefully
-BrowserMatch "^XML Spy" redirect-carefully
-BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
-
-
-{% if slapparameter_dict.get('enable-http2-by-default', 'true') == 'true' %}
-Protocols h2 http/1.1
-{% endif %}
-
-# Increase IPReadLimit to 10
-<IfModule antiloris_module>
-   # IPReadLimit - Maximum simultaneous connections in READ state per IP address 
-   IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }}
-</IfModule>
-
-ExtendedStatus On
-<Location /server-status>
-    SetHandler server-status
-    Order Deny,Allow
-    Deny from all
-    Allow from All
-
-    AuthType basic
-    AuthName "Apache Server Status"
-    AuthBasicProvider file
-    AuthUserFile {{ instance_home }}/etc/monitor-htpasswd
-    Require valid-user
-</Location>
-
-ServerLimit {{ slapparameter_dict.get('mpm-server-limit', '16') }}
-MaxClients {{ slapparameter_dict.get('mpm-max-clients', '400') }}
-StartServers {{ slapparameter_dict.get('mpm-start-servers', '3') }}
-ThreadsPerChild {{ slapparameter_dict.get('mpm-thread-per-child', '25') }}
-#MaxRequestsPerChild 0 // Default value is 0
-GracefulShutdownTimeout {{ slapparameter_dict.get('mpm-graceful-shutdown-timeout', '5') }}
-
-# Deflate
-AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
-BrowserMatch ^Mozilla/4 gzip-only-text/html
-BrowserMatch ^Mozilla/4\.0[678] no-gzip
-BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-
-# SSL Configuration
-SSLCertificateFile {{ login_certificate }}
-SSLCertificateKeyFile {{ login_key }}
-{% if slapparameter_dict.get('apache-ca-certificate') %}
-SSLCACertificateFile {{ login_ca_crt }}
-{% endif %}
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
-SSLSessionCacheTimeout  300
-SSLRandomSeed startup /dev/urandom 256
-SSLRandomSeed connect builtin
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-SSLHonorCipherOrder on
-<FilesMatch "\.(cgi|shtml|phtml|php)$">
-      SSLOptions +StdEnvVars
-</FilesMatch>
-# Accept proxy to sites using self-signed SSL certificates
-SSLProxyCheckPeerCN off
-SSLProxyCheckPeerExpire off
-
-include {{frontend_configuration.get('log-access-configuration')}}
-includeoptional {{ slave_configuration_directory }}/*.conf
-includeoptional {{ slave_with_cache_configuration_directory }}/*.conf
-
-ErrorDocument 404 /notfound.html
-RewriteRule (.*) /notfound.html [R=404,L]
--- a/software/caddy-frontend/templates/cached-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/cached-virtualhost.conf.in
@@ -2,50 +2,50 @@
 {% set server_alias_list =  slave_parameter.get('server-alias', '').split() %}
 {% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}

-# Only accept generic (i.e not Zope) backends on http
-<VirtualHost *:{{ cached_port }}>
-  ServerName {{ slave_parameter.get('custom_domain') }}
-  {%- for server_alias in server_alias_list %}
-  ServerAlias {{ server_alias }}
-  {% endfor %}
-  SSLProxyEngine on
+# TODO-Caddy # Only accept generic (i.e not Zope) backends on http
+# TODO-Caddy <VirtualHost *:{{ cached_port }}>
+# TODO-Caddy   ServerName {{ slave_parameter.get('custom_domain') }}
+# TODO-Caddy   {%- for server_alias in server_alias_list %}
+# TODO-Caddy   ServerAlias {{ server_alias }}
+# TODO-Caddy   {% endfor %}
+# TODO-Caddy   SSLProxyEngine on

-{% if ssl_proxy_verify -%}
-{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
-  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-{%   endif %}
-  SSLProxyVerify require
-  #SSLProxyCheckPeerCN on
-  SSLProxyCheckPeerExpire on
-{% endif %}
-  # Rewrite part
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-
-  RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
-</VirtualHost>
-
-<VirtualHost *:{{ ssl_cached_port }}>
-  ServerName {{ slave_parameter.get('custom_domain') }}
-  {%- for server_alias in server_alias_list %}
-  ServerAlias {{ server_alias }}
-  {% endfor %}
-  SSLProxyEngine on
-
-{% if ssl_proxy_verify -%}
-{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
-  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-{%   endif %}
-  SSLProxyVerify require
-  #SSLProxyCheckPeerCN on
-  SSLProxyCheckPeerExpire on
-{% endif %}
-  # Rewrite part
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
-
-  RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
-</VirtualHost>
+# TODO-Caddy {% if ssl_proxy_verify -%}
+# TODO-Caddy {%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+# TODO-Caddy {%   endif %}
+# TODO-Caddy   SSLProxyVerify require
+# TODO-Caddy   #SSLProxyCheckPeerCN on
+# TODO-Caddy   SSLProxyCheckPeerExpire on
+# TODO-Caddy {% endif %}
+# TODO-Caddy   # Rewrite part
+# TODO-Caddy   ProxyPreserveHost On
+# TODO-Caddy   ProxyTimeout 600
+# TODO-Caddy   RewriteEngine On
+# TODO-Caddy 
+# TODO-Caddy   RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
+# TODO-Caddy </VirtualHost>

+# TODO-Caddy <VirtualHost *:{{ ssl_cached_port }}>
+# TODO-Caddy   ServerName {{ slave_parameter.get('custom_domain') }}
+# TODO-Caddy   {%- for server_alias in server_alias_list %}
+# TODO-Caddy   ServerAlias {{ server_alias }}
+# TODO-Caddy   {% endfor %}
+# TODO-Caddy   SSLProxyEngine on
+# TODO-Caddy 
+# TODO-Caddy {% if ssl_proxy_verify -%}
+# TODO-Caddy {%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+# TODO-Caddy {%   endif %}
+# TODO-Caddy   SSLProxyVerify require
+# TODO-Caddy   #SSLProxyCheckPeerCN on
+# TODO-Caddy   SSLProxyCheckPeerExpire on
+# TODO-Caddy {% endif %}
+# TODO-Caddy   # Rewrite part
+# TODO-Caddy   ProxyPreserveHost On
+# TODO-Caddy   ProxyTimeout 600
+# TODO-Caddy   RewriteEngine On
+# TODO-Caddy 
+# TODO-Caddy   RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
+# TODO-Caddy </VirtualHost>
+# TODO-Caddy 
--- a/software/caddy-frontend/templates/caddy-graceful-script.sh.in
+++ b/software/caddy-frontend/templates/caddy-graceful-script.sh.in
+#!/bin/sh
+
+RUN_DIR={{ directory_run }}
+ETC_DIR={{ directory_etc }}
+BIN_DIR={{ directory_bin }}
+
+CADDY_SIGNATURE_FILE=$RUN_DIR/caddy_configuration.signature
+NCADDY_SIGNATURE_FILE=$RUN_DIR/ncaddy_configuration.signature
+
+touch $CADDY_SIGNATURE_FILE
+sha256sum $ETC_DIR/Caddyfile $ETC_DIR/log-access.conf $ETC_DIR/caddy-*.d/*.conf $ETC_DIR/caddy-*.d/ssl/*.*key $ETC_DIR/caddy-*.d/ssl/*.*crt* | sort -k 66 > $NCADDY_SIGNATURE_FILE
+
+# If no diff, no restart for now
+if diff "$CADDY_SIGNATURE_FILE" "$NCADDY_SIGNATURE_FILE"; then
+  echo "Nothing Changed, so nothing to reload"
+  exit 0
+fi
+echo "Reloading caddy.."
+
+{{ caddy_graceful_reload_command }}
+
+mv "$NCADDY_SIGNATURE_FILE" "$CADDY_SIGNATURE_FILE"
--- a/software/caddy-frontend/templates/caddy-wrapper.in
+++ b/software/caddy-frontend/templates/caddy-wrapper.in
+#!${dash-output:dash}
+
+exec {{ caddy }} \
+  -conf {{ conf }} \
+  -log {{ log }} \
+  -http2=true \
+  -grace {{ grace }}s \
+  -disable-http-challenge \
+  -disable-tls-sni-challenge \
+  "$@"
--- a/software/caddy-frontend/templates/custom-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/custom-virtualhost.conf.in
-<VirtualHost *:{{ https_port }}>
 {{ slave_parameter.get('apache_custom_https', '') }}
-</VirtualHost>
-
-<VirtualHost *:{{ http_port }}>
-{{ slave_parameter.get('apache_custom_https', '') }}
-</VirtualHost>
+{{ slave_parameter.get('apache_custom_http', '') }}
\ No newline at end of file
--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
--- a/software/caddy-frontend/templates/nginx-eventsource-slave.conf.in
+++ b/software/caddy-frontend/templates/nginx-eventsource-slave.conf.in
@@ -11,105 +11,105 @@
                                 ('ssl_certificate_key', 'path_to_ssl_key')] -%}


-upstream {{ slave_parameter.get('slave_reference') }} {
-  server {{ upstream }};
-}
-
-upstream https_{{ slave_parameter.get('slave_reference') }} {
-  server {{ https_upstream }};
-}
-
-
-server {
-  listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
-  listen {{ local_ipv4 }}:{{ nginx_http_port }};
-
-  server_name {{ slave_parameter.get('custom_domain') }};
-
-  error_log {{ slave_parameter.get('error_log') }} error; 
-  access_log {{ slave_parameter.get('access_log') }} custom;
-  
-  location /pub {
-    push_stream_publisher;
-    push_stream_channels_path $arg_id;
-    # store messages in memory
-    push_stream_store_messages  off;
-
-    # Message size limit
-    # client_max_body_size MUST be equal to client_body_buffer_size or
-    # you will be sorry.
-    client_max_body_size 16k;
-    client_body_buffer_size 16k;
-
-   }
-
-   location ~ /sub/(.*) {
-     # activate subscriber mode for this location
-     add_header "Access-Control-Allow-Origin" "*";
-     add_header 'Access-Control-Allow-Credentials' 'false';
-     add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
-     add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
-
-     push_stream_subscriber eventsource;
-     # positional channel path
-     push_stream_channels_path $1;
-
-     # content-type
-     default_type "text/event-stream; charset=utf-8";
-  }
-
-}
-
-server {
-  listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
-  listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
-
-  server_name {{ slave_parameter.get('custom_domain') }};
-
-  error_log {{ slave_parameter.get('error_log') }} error;
-  access_log {{ slave_parameter.get('access_log') }} custom;
-
-  ssl on;
-  
-  ssl_session_timeout 5m;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:10m;
+# TODO-Caddy upstream {{ slave_parameter.get('slave_reference') }} {
+# TODO-Caddy  server {{ upstream }};
+# TODO-Caddy 
+
+# TODO-Caddy pstream https_{{ slave_parameter.get('slave_reference') }} {
+# TODO-Caddy  server {{ https_upstream }};
+# TODO-Caddy 
+
+
+# TODO-Caddy server {
+# TODO-Caddy  listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
+# TODO-Caddy  listen {{ local_ipv4 }}:{{ nginx_http_port }};
+# TODO-Caddy 
+# TODO-Caddy  server_name {{ slave_parameter.get('custom_domain') }};
+# TODO-Caddy 
+# TODO-Caddy  error_log {{ slave_parameter.get('error_log') }} error; 
+# TODO-Caddy  access_log {{ slave_parameter.get('access_log') }} custom;
+# TODO-Caddy  
+# TODO-Caddy  location /pub {
+# TODO-Caddy    push_stream_publisher;
+# TODO-Caddy    push_stream_channels_path $arg_id;
+# TODO-Caddy    # store messages in memory
+# TODO-Caddy    push_stream_store_messages  off;
+# TODO-Caddy 
+# TODO-Caddy    # Message size limit
+# TODO-Caddy    # client_max_body_size MUST be equal to client_body_buffer_size or
+# TODO-Caddy    # you will be sorry.
+# TODO-Caddy    client_max_body_size 16k;
+# TODO-Caddy    client_body_buffer_size 16k;
+# TODO-Caddy 
+# TODO-Caddy   }
+# TODO-Caddy 
+# TODO-Caddy   location ~ /sub/(.*) {
+# TODO-Caddy     # activate subscriber mode for this location
+# TODO-Caddy     add_header "Access-Control-Allow-Origin" "*";
+# TODO-Caddy     add_header 'Access-Control-Allow-Credentials' 'false';
+# TODO-Caddy     add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
+# TODO-Caddy     add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
+# TODO-Caddy 
+# TODO-Caddy     push_stream_subscriber eventsource;
+# TODO-Caddy     # positional channel path
+# TODO-Caddy     push_stream_channels_path $1;
+# TODO-Caddy 
+# TODO-Caddy     # content-type
+# TODO-Caddy     default_type "text/event-stream; charset=utf-8";
+# TODO-Caddy  }
+# TODO-Caddy 
+# TODO-Caddy 
+
+# TODO-Caddy server {
+# TODO-Caddy  listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
+# TODO-Caddy  listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
+# TODO-Caddy 
+# TODO-Caddy  server_name {{ slave_parameter.get('custom_domain') }};
+# TODO-Caddy 
+# TODO-Caddy  error_log {{ slave_parameter.get('error_log') }} error;
+# TODO-Caddy  access_log {{ slave_parameter.get('access_log') }} custom;
+# TODO-Caddy 
+# TODO-Caddy  ssl on;
+# TODO-Caddy  
+# TODO-Caddy  ssl_session_timeout 5m;
+# TODO-Caddy  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+# TODO-Caddy  ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
+# TODO-Caddy  ssl_prefer_server_ciphers on;
+# TODO-Caddy  ssl_session_cache shared:SSL:10m;

 {% for key, value in ssl_configuration_list -%}
 {%   if value in slave_parameter -%}
-{{ '  %s' % key }} {{ slave_parameter.get(value) }};
+# TODO-Caddy {{ '  %s' % key }} {{ slave_parameter.get(value) }};
 {% endif -%}
 {% endfor %}

-  location /pub {
-    push_stream_publisher;
-    push_stream_channels_path $arg_id;
-    # store messages in memory
-    push_stream_store_messages  off;
-
-    # Message size limit
-    # client_max_body_size MUST be equal to client_body_buffer_size or
-    # you will be sorry.
-    client_max_body_size 16k;
-    client_body_buffer_size 16k;
-
-   }
-
-   location ~ /sub/(.*) {
-     # activate subscriber mode for this location
-     add_header "Access-Control-Allow-Origin" "*";
-     add_header 'Access-Control-Allow-Credentials' 'false';
-     add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
-     add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
-
-     push_stream_subscriber eventsource;
-     # positional channel path
-     push_stream_channels_path $1;
-
-     # content-type
-     default_type "text/event-stream; charset=utf-8";
-  }
-}
+# TODO-Caddy  location /pub {
+# TODO-Caddy    push_stream_publisher;
+# TODO-Caddy    push_stream_channels_path $arg_id;
+# TODO-Caddy    # store messages in memory
+# TODO-Caddy    push_stream_store_messages  off;
+# TODO-Caddy 
+# TODO-Caddy    # Message size limit
+# TODO-Caddy    # client_max_body_size MUST be equal to client_body_buffer_size or
+# TODO-Caddy    # you will be sorry.
+# TODO-Caddy    client_max_body_size 16k;
+# TODO-Caddy    client_body_buffer_size 16k;
+# TODO-Caddy 
+# TODO-Caddy   }
+# TODO-Caddy 
+# TODO-Caddy   location ~ /sub/(.*) {
+# TODO-Caddy     # activate subscriber mode for this location
+# TODO-Caddy     add_header "Access-Control-Allow-Origin" "*";
+# TODO-Caddy     add_header 'Access-Control-Allow-Credentials' 'false';
+# TODO-Caddy     add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
+# TODO-Caddy     add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
+# TODO-Caddy 
+# TODO-Caddy     push_stream_subscriber eventsource;
+# TODO-Caddy     # positional channel path
+# TODO-Caddy     push_stream_channels_path $1;
+# TODO-Caddy 
+# TODO-Caddy     # content-type
+# TODO-Caddy     default_type "text/event-stream; charset=utf-8";
+# TODO-Caddy  }
+# TODO-Caddy}
 {% endif -%}
--- a/software/caddy-frontend/templates/nginx-notebook-slave.conf.in
+++ b/software/caddy-frontend/templates/nginx-notebook-slave.conf.in
@@ -11,96 +11,96 @@
                                 ('ssl_certificate_key', 'path_to_ssl_key')] -%}


-upstream {{ slave_parameter.get('slave_reference') }} {
-  server {{ upstream }};
-}
-
-upstream https_{{ slave_parameter.get('slave_reference') }} {
-  server {{ https_upstream }};
-}
-
-
-server {
-  listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
-  listen {{ local_ipv4 }}:{{ nginx_http_port }};
-
-  server_name {{ slave_parameter.get('custom_domain') }};
-
-  error_log {{ slave_parameter.get('error_log') }} error; 
-  access_log {{ slave_parameter.get('access_log') }} custom;
-
-  location / {
-        proxy_pass            {{ proxy_pass }};
-        proxy_set_header      Host $host;
-  }
-
-  location ~ /api/kernels/ {
-        proxy_pass            {{ proxy_pass }};
-        proxy_set_header      Host $host;
-        # websocket support
-        proxy_http_version    1.1;
-        proxy_set_header      Upgrade "websocket";
-        proxy_set_header      Connection "Upgrade";
-        proxy_read_timeout    86400;
-   }
-
-  location ~ /terminals/ {
-        proxy_pass            {{ proxy_pass }};
-        proxy_set_header      Host $host;
-        # websocket support
-        proxy_http_version    1.1;
-        proxy_set_header      Upgrade "websocket";
-        proxy_set_header      Connection "Upgrade";
-        proxy_read_timeout    86400;
-  }
-}
-
-server {
-  listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
-  listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
-
-  server_name {{ slave_parameter.get('custom_domain') }};
-
-  error_log {{ slave_parameter.get('error_log') }} error;
-  access_log {{ slave_parameter.get('access_log') }} custom;
-
-  ssl on;
-  
-  ssl_session_timeout 5m;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:10m;
+# TODO-Caddy upstream {{ slave_parameter.get('slave_reference') }} {
+# TODO-Caddy   server {{ upstream }};
+# TODO-Caddy }
+
+# TODO-Caddy upstream https_{{ slave_parameter.get('slave_reference') }} {
+# TODO-Caddy   server {{ https_upstream }};
+# TODO-Caddy }
+
+
+# TODO-Caddy server {
+# TODO-Caddy   listen [{{ global_ipv6 }}]:{{ nginx_http_port }};
+# TODO-Caddy   listen {{ local_ipv4 }}:{{ nginx_http_port }};
+# TODO-Caddy 
+# TODO-Caddy   server_name {{ slave_parameter.get('custom_domain') }};
+# TODO-Caddy 
+# TODO-Caddy   error_log {{ slave_parameter.get('error_log') }} error; 
+# TODO-Caddy   access_log {{ slave_parameter.get('access_log') }} custom;
+# TODO-Caddy 
+# TODO-Caddy   location / {
+# TODO-Caddy         proxy_pass            {{ proxy_pass }};
+# TODO-Caddy         proxy_set_header      Host $host;
+# TODO-Caddy   }
+# TODO-Caddy 
+# TODO-Caddy   location ~ /api/kernels/ {
+# TODO-Caddy         proxy_pass            {{ proxy_pass }};
+# TODO-Caddy         proxy_set_header      Host $host;
+# TODO-Caddy         # websocket support
+# TODO-Caddy         proxy_http_version    1.1;
+# TODO-Caddy         proxy_set_header      Upgrade "websocket";
+# TODO-Caddy         proxy_set_header      Connection "Upgrade";
+# TODO-Caddy         proxy_read_timeout    86400;
+# TODO-Caddy    }
+# TODO-Caddy 
+# TODO-Caddy   location ~ /terminals/ {
+# TODO-Caddy         proxy_pass            {{ proxy_pass }};
+# TODO-Caddy         proxy_set_header      Host $host;
+# TODO-Caddy         # websocket support
+# TODO-Caddy         proxy_http_version    1.1;
+# TODO-Caddy         proxy_set_header      Upgrade "websocket";
+# TODO-Caddy         proxy_set_header      Connection "Upgrade";
+# TODO-Caddy         proxy_read_timeout    86400;
+# TODO-Caddy   }
+# TODO-Caddy }
+
+# TODO-Caddy server {
+# TODO-Caddy   listen [{{ global_ipv6 }}]:{{ nginx_https_port }} ssl;
+# TODO-Caddy   listen {{ local_ipv4 }}:{{ nginx_https_port }} ssl;
+# TODO-Caddy 
+# TODO-Caddy   server_name {{ slave_parameter.get('custom_domain') }};
+# TODO-Caddy 
+# TODO-Caddy   error_log {{ slave_parameter.get('error_log') }} error;
+# TODO-Caddy   access_log {{ slave_parameter.get('access_log') }} custom;
+# TODO-Caddy 
+# TODO-Caddy   ssl on;
+# TODO-Caddy   
+# TODO-Caddy   ssl_session_timeout 5m;
+# TODO-Caddy   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+# TODO-Caddy   ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
+# TODO-Caddy   ssl_prefer_server_ciphers on;
+# TODO-Caddy   ssl_session_cache shared:SSL:10m;

 {% for key, value in ssl_configuration_list -%}
 {%   if value in slave_parameter -%}
-{{ '  %s' % key }} {{ slave_parameter.get(value) }};
+# TODO-Caddy {{ '  %s' % key }} {{ slave_parameter.get(value) }};
 {% endif -%}
 {% endfor %}

-  location / {
-        proxy_pass            {{ https_proxy_pass }};
-        proxy_set_header      Host $host;
-  }
-
-  location ~ /api/kernels/ {
-        proxy_pass            {{ https_proxy_pass }};
-        proxy_set_header      Host $host;
-        # websocket support
-        proxy_http_version    1.1;
-        proxy_set_header      Upgrade "websocket";
-        proxy_set_header      Connection "Upgrade";
-        proxy_read_timeout    86400;
-   }
-
-  location ~ /terminals/ {
-        proxy_pass            {{ https_proxy_pass }};
-        proxy_set_header      Host $host;
-        # websocket support
-        proxy_http_version    1.1;
-        proxy_set_header      Upgrade "websocket";
-        proxy_set_header      Connection "Upgrade";
-        proxy_read_timeout    86400;
-  }
-}
+# TODO-Caddy   location / {
+# TODO-Caddy         proxy_pass            {{ https_proxy_pass }};
+# TODO-Caddy         proxy_set_header      Host $host;
+# TODO-Caddy   }
+# TODO-Caddy 
+# TODO-Caddy   location ~ /api/kernels/ {
+# TODO-Caddy         proxy_pass            {{ https_proxy_pass }};
+# TODO-Caddy         proxy_set_header      Host $host;
+# TODO-Caddy         # websocket support
+# TODO-Caddy         proxy_http_version    1.1;
+# TODO-Caddy         proxy_set_header      Upgrade "websocket";
+# TODO-Caddy         proxy_set_header      Connection "Upgrade";
+# TODO-Caddy         proxy_read_timeout    86400;
+# TODO-Caddy    }
+# TODO-Caddy 
+# TODO-Caddy   location ~ /terminals/ {
+# TODO-Caddy         proxy_pass            {{ https_proxy_pass }};
+# TODO-Caddy         proxy_set_header      Host $host;
+# TODO-Caddy         # websocket support
+# TODO-Caddy         proxy_http_version    1.1;
+# TODO-Caddy         proxy_set_header      Upgrade "websocket";
+# TODO-Caddy         proxy_set_header      Connection "Upgrade";
+# TODO-Caddy         proxy_read_timeout    86400;
+# TODO-Caddy   }
+# TODO-Caddy }
 {% endif -%}
--- a/software/caddy-frontend/templates/nginx.cfg.in
+++ b/software/caddy-frontend/templates/nginx.cfg.in
-daemon off; # run in the foreground so supervisord can look after it
-
-worker_processes $${nginx-configuration:worker_processes};
-pid $${nginx-configuration:pid-file};
+# Dummy site for starting Caddy correctly
+https://www.example.org:$${nginx-configuration:port} {
+  tls $${nginx-configuration:ssl_certificate} $${nginx-configuration:ssl_key}
+  bind $${nginx-configuration:local_ip}
+# TODO-Caddy  bind {{ ipv6_addr }}
+# Serve an error 204 (No Content) for favicon.ico
+status 204 /favicon.ico
+status 404 /
+}

-events {
-  worker_connections $${nginx-configuration:worker_connections};
-  # multi_accept on;
+http://www.example.org:$${nginx-configuration:plain_port} {
+  bind $${nginx-configuration:local_ip}
+# TODO-Caddy  bind {{ ipv6_addr }}
+# Serve an error 204 (No Content) for favicon.ico
+status 204 /favicon.ico
+status 404 /
 }
+# TODO-Caddy worker_processes $${nginx-configuration:worker_processes};

-error_log $${nginx-configuration:error_log};
+# TODO-Caddy events {
+# TODO-Caddy   worker_connections $${nginx-configuration:worker_connections};
+# TODO-Caddy   # multi_accept on;
+# TODO-Caddy }

-http {
+# TODO-Caddy http {

  ##
  # Basic Settings
  ##

-  sendfile on;
-  tcp_nopush on;
-  tcp_nodelay on;
-  keepalive_timeout 65;
-  types_hash_max_size 2048;
-  server_tokens off;
+# TODO-Caddy   sendfile on;
+# TODO-Caddy   tcp_nopush on;
+# TODO-Caddy   tcp_nodelay on;
+# TODO-Caddy   keepalive_timeout 65;
+# TODO-Caddy   types_hash_max_size 2048;
+# TODO-Caddy   server_tokens off;

-  error_log $${nginx-configuration:error_log};
-  log_format custom '$remote_addr - $remote_user $time_local $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
-  access_log $${nginx-configuration:access_log} custom;
+# TODO-Caddy   log_format custom '$remote_addr - $remote_user $time_local $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
+# TODO-Caddy   access_log $${nginx-configuration:access_log} custom;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

-  default_type application/octet-stream;
+# TODO-Caddy   default_type application/octet-stream;

-  ssl_certificate $${ca-frontend:cert-file};
-  ssl_certificate_key $${ca-frontend:key-file};
+# TODO-Caddy   ssl_certificate $${ca-frontend:cert-file};
+# TODO-Caddy   ssl_certificate_key $${ca-frontend:key-file};

  ##
  # Gzip Settings
  ##
-  gzip on;
-  gzip_disable "msie6";
-
-  gzip_vary on;
-  gzip_proxied any;
-  gzip_comp_level 6;
-  gzip_buffers 16 8k;
-  gzip_http_version 1.1;
-  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+# TODO-Caddy   gzip on;
+# TODO-Caddy   gzip_disable "msie6";
+
+# TODO-Caddy   gzip_vary on;
+# TODO-Caddy   gzip_proxied any;
+# TODO-Caddy   gzip_comp_level 6;
+# TODO-Caddy   gzip_buffers 16 8k;
+# TODO-Caddy   gzip_http_version 1.1;
+# TODO-Caddy   gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  
  ##
  # Push stream Settings
  ##
-  push_stream_shared_memory_size                32m;
-
-  fastcgi_temp_path  $${directory:varnginx} 1 2;
-  uwsgi_temp_path  $${directory:varnginx} 1 2;
-  scgi_temp_path  $${directory:varnginx} 1 2;
-
-  client_body_temp_path $${directory:varnginx} 1 2;
-  proxy_temp_path $${directory:varnginx} 1 2;
-
-  include $${nginx-configuration:slave-configuration-directory}/*.conf;
-
-  server {
-    listen [$${nginx-configuration:ip}]:$${nginx-configuration:plain_port};
-    listen $${nginx-configuration:local_ip}:$${nginx-configuration:plain_port};
+# TODO-Caddy   push_stream_shared_memory_size                32m;

+# TODO-Caddy   fastcgi_temp_path  $${directory:varnginx} 1 2;
+# TODO-Caddy   uwsgi_temp_path  $${directory:varnginx} 1 2;
+# TODO-Caddy   scgi_temp_path  $${directory:varnginx} 1 2;

-    ## Serve an error 204 (No Content) for favicon.ico
-    location = /favicon.ico {
-      return 204;
-    }
+# TODO-Caddy   client_body_temp_path $${directory:varnginx} 1 2;
+# TODO-Caddy   proxy_temp_path $${directory:varnginx} 1 2;
+# TODO-Caddy }

-    location / {
-      root $${apache-directory:document-root};
-      index notfound.html;
-    }
-  }
-
-  server {
-    listen [$${nginx-configuration:ip}]:$${nginx-configuration:port} ssl;
-    listen $${nginx-configuration:local_ip}:$${nginx-configuration:port} ssl;
-
-    ssl on;
-  
-    ssl_session_timeout 5m;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5';
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-
-    ## Serve an error 204 (No Content) for favicon.ico
-    location = /favicon.ico {
-      return 204;
-    }
-
-    location / {
-      root $${apache-directory:document-root};
-      index notfound.html;
-    }
-  }
-}
+import $${nginx-configuration:slave-configuration-directory}/*.conf
--- a/software/caddy-frontend/templates/template-log-access.conf.in
+++ b/software/caddy-frontend/templates/template-log-access.conf.in
 {% for slave, directory in slave_log_directory.iteritems() %}
-Alias /{{slave}}/ {{directory}}/
-<Directory {{directory}}>
-  Order Deny,Allow
-  Deny from env=AUTHREQUIRED
-  <Files ".??*">
-    Order Allow,Deny
-    Deny from all
-  </Files>
-  AuthType Basic
-  AuthName "Log Access {{slave}}"
-  AuthUserFile "{{ apache_configuration_directory + '/.' + slave.upper() + '.htaccess'}}"
-  Require user {{slave.upper()}}
-  Options Indexes FollowSymLinks
-  Satisfy all
-</Directory>
-
+https://[{{ global_ipv6 }}]:{{ https_port }}/{{ slave }}, https://{{ local_ipv4 }}:{{ https_port }}/{{ slave }} {
+  bind {{ local_ipv4 }}
+  #bind {{ global_ipv6 }}
+  root {{directory}}/
+  browse
+  tls {{ login_certificate }} {{ login_key }}
+  basicauth "{{ slave }}" {{ slave_password[slave] }} {
+    "Log Access {{ slave }}"
+    /
+  }
+# TODO-Caddy   LogLevel notice
+# TODO-Caddy   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+  log / {{ access_log }} {combined}
+  errors {{ error_log }}
+}
 {% endfor %}