apache-frontend: Allow to use diferent backends for http and https

  Use 2 different ports on apache for cached slaves, to differ http and https accesses.
  Introduce the parameter https-url (with fallback to url) to include specific https urls,
    if they are different from url.
  Include /HTTPS/ mapping to traffic server to differ the backends based on the input.

software/apache-frontend/common.cfg

@@ -69,7 +69,7 @@ mode = 0644
 [template-apache-frontend]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-apache-frontend.cfg
-md5sum = 92b69679b3004e160180504012a36f46
+md5sum = 3e52cdd1fba381cdb98b438589d1c4ab 
 output = ${buildout:directory}/template-apache-frontend.cfg
 mode = 0644
 
@@ -82,7 +82,7 @@ mode = 0644
 [template-slave-list]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/apache-custom-slave-list.cfg.in
-md5sum = 8b278b34a4fb063ba94e10186f725fcb
+md5sum = ee18e498f2868735e0c0ddf209454c37
 mode = 640
 
 [template-slave-configuration]
@@ -106,7 +106,7 @@ mode = 640
 [template-apache-cached-configuration]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/apache_cached.conf.in
-md5sum = a1c744e48b465a63c2d6f0f384466013
+md5sum = 2c6c09390a9d778aecba75f569fb486c 
 mode = 640
 
 [template-rewrite-cached]
@@ -137,13 +137,13 @@ mode = 640
 [template-default-slave-virtualhost]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in
-md5sum = c22de91b25d0597fecc7082a153b87bc
+md5sum = c50959e7c38b307f1a1c274505a7e1c1 
 mode = 640
 
 [template-cached-slave-virtualhost]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/cached-virtualhost.conf.in
-md5sum = 14c81d5a06bf2c4fd41f51b219197982
+md5sum = 432e55df3b42243a98b564cca57e2396 
 mode = 640
 
 [template-log-access]

software/apache-frontend/instance-apache-frontend.cfg

@@ -23,6 +23,7 @@ parts =
   promise-apache-frontend-v6-https
   promise-apache-frontend-v6-http
   promise-apache-cached
+  promise-apache-ssl-cached
 
   trafficserver-launcher
   trafficserver-reload
@@ -144,6 +145,7 @@ extra-context =
     key apache_configuration_directory apache-directory:slave-configuration
     key apache_cached_configuration_directory apache-directory:slave-with-cache-configuration
     key cached_port apache-configuration:cache-through-port
+    key ssl_cached_port apache-configuration:ssl-cache-through-port
     key http_port instance-parameter:configuration.plain_http_port
     key https_port instance-parameter:configuration.port
     key public_ipv4 instance-parameter:configuration.public-ipv4
@@ -225,6 +227,7 @@ extra-context =
     key instance_home buildout:directory
     key ipv4_addr instance-parameter:ipv4-random
     key cached_port apache-configuration:cache-through-port
+    key ssl_cached_port apache-configuration:ssl-cache-through-port
     key server_admin instance-parameter:configuration.server-admin
     key protected_path apache-configuration:protected-path
     key access_control_string apache-configuration:access-control-string
@@ -284,6 +287,7 @@ cache-pid-file = $${directory:run}/httpd-cached.pid
 # Comunication with ats
 cache-port = $${trafficserver-variable:input-port}
 cache-through-port = 26011
+ssl-cache-through-port = 26012
 
 # Create wrapper for "apachectl conftest" in bin
 [configtest]
@@ -405,7 +409,9 @@ reload-path = $${directory:etc-run}/trafficserver-reload
 local-ip = $${instance-parameter:ipv4-random}
 input-port = 23432
 hostname = $${instance-parameter:configuration.frontend-name}
-remap = map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
+remap = map /HTTPS/ http://$${instance-parameter:ipv4-random}:$${apache-configuration:ssl-cache-through-port}
+  map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
+
 plugin-config = ${trafficserver:location}/libexec/trafficserver/rfc5861.so
 cache-path = $${trafficserver-directory:cache-path}
 disk-cache-size = $${instance-parameter:configuration.disk-cache-size}
@@ -535,6 +541,12 @@ path = $${directory:promise}/apache_cached
 hostname = $${instance-parameter:ipv4-random}
 port = $${apache-configuration:cache-through-port}
 
+[promise-apache-ssl-cached]
+recipe = slapos.cookbook:check_port_listening
+path = $${directory:promise}/apache_ssl_cached
+hostname = $${instance-parameter:ipv4-random}
+port = $${apache-configuration:ssl-cache-through-port}
+
 [slap_connection]
 # Kept for backward compatiblity
 computer_id = $${slap-connection:computer-id}

software/apache-frontend/instance-slave-apache-input-schema.json

@@ -10,6 +10,12 @@
       "type": "string",
       "pattern": "^(http|https|ftp)://"
     },
+    "https-url": {
+      "title": "HTTPS Backend URL",
+      "description": "Url of the backend if it is diferent from url parameter",
+      "type": "string",
+      "pattern": "^(http|https|ftp)://"
+    },
     "custom_domain": {
       "title": "Custom Domain",
       "description": "Custom Domain to use for the website",
@@ -23,7 +29,6 @@
       "type": "string",
       "default": ""
     },
-
     "type": {
       "title": "Backend Type",
       "description": "Type of slave. If redirect, the slave will redirect to the given url. If zope, the rewrite rules will be compatible with Virtual Host Monster",

software/apache-frontend/templates/apache-custom-slave-list.cfg.in

@@ -3,6 +3,7 @@
 {% set cached_server_dict = {} -%}
 {% set part_list = [] -%}
 {% set cache_access = "http://%s:%s" % (local_ipv4, cache_port) -%}
+{% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) -%}
 {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
 {% set generic_instance_parameter_dict = {'cache_access': cache_access,} -%}
 {% set slave_log_dict = {} -%}
@@ -178,6 +179,7 @@ extra-context =
 {%     if 'enable_cache' in slave_instance and 'url' in slave_instance and 'domain' in slave_instance -%}
 {%       do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) -%}
 {%       do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%}
+{%       do slave_instance.__setitem__('https_backend_url', slave_instance.get('https-url', slave_instance.get('url'))) -%}
 {%       do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
 {%     endif -%}
 
@@ -208,7 +210,9 @@ apache_custom_https = {{ dumps(apache_custom_https) }}
 {%     set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_instance.get('type', '') != 'redirect') -%}
 {%     if enable_cache -%}
 {%       do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%}
+{%       do slave_instance.__setitem__('https_backend_url', slave_instance.get('https-url', slave_instance.get('url'))) -%}
 {%       do slave_instance.__setitem__('url', cache_access) -%}
+{%       do slave_instance.__setitem__('https-url', ssl_cache_access) -%}
 {%       do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
 {%     endif -%}
 {%     do part_list.append(slave_section_title) -%}
@@ -251,6 +255,7 @@ extensions = jinja2.ext.do
 extra-context =
     section slave_parameter {{ slave_configuration_section_name }}
     raw cached_port {{ cached_port }}
+    raw ssl_cached_port {{ ssl_cached_port }}
 {{ '\n' }}
 {% endfor %}
 

software/apache-frontend/templates/apache_cached.conf.in

@@ -8,6 +8,8 @@ DocumentRoot {{ document_root }}
 ServerRoot {{ instance_home }}
 
 {{ "Listen %s:%s" % (ipv4_addr, cached_port)  }}
+{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port)  }}
+
 
 ServerAdmin {{ server_admin }}
 DefaultType text/plain

software/apache-frontend/templates/cached-virtualhost.conf.in

@@ -27,3 +27,31 @@
   RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
 
 </VirtualHost>
+
+<VirtualHost *:{{ ssl_cached_port }}>
+  ServerName {{ slave_parameter.get('custom_domain') }}
+{%- if 'server-alias' in slave_parameter -%}
+  {% set server_alias_list =  slave_parameter.get('server-alias', '').split() %}
+  {%- for server_alias in server_alias_list %}
+  ServerAlias {{ server_alias }}
+  {% endfor %}
+{%- endif %}
+  SSLProxyEngine on
+
+{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
+{% if ssl_proxy_verify -%}
+{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
+  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+{%   endif %}
+  SSLProxyVerify require
+  #SSLProxyCheckPeerCN on
+  SSLProxyCheckPeerExpire on
+{% endif %}
+  # Rewrite part
+  ProxyPreserveHost On
+  ProxyTimeout 600
+  RewriteEngine On
+
+  RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
+</VirtualHost>
+

software/apache-frontend/templates/default-virtualhost.conf.in

@@ -78,14 +78,14 @@
   # First, we check if we have a zope backend server
   # If so, let's use Virtual Host Monster rewrite
   # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
-  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/https//%{SERVER_NAME}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
+  RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', '') }}/VirtualHostBase/https//%{SERVER_NAME}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
 {% elif slave_parameter.get('type', '') ==  'redirect' -%}
-  RewriteRule     (.*)  {{slave_parameter.get('url', '')}}$1 [R,L]
+  RewriteRule     (.*)  {{ slave_parameter.get('https-url', '')}}$1 [R,L]
 {% else -%}
   {% if 'default-path' in slave_parameter %}
   RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
   {% endif -%}
-  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
+  RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', '') }}/$1 [L,P]
 {% endif -%}
 </VirtualHost>
 

[Vincent Pelletier]

/cc @luke

I found this pair of rules while looking at caddy frontend configuration files.

Include /HTTPS/ mapping to traffic server to differ the backends based on the input.

What happens if an http-served URL starts with /HTTPS/ for whatever weird reason (which is completely out of frontend control, and completely in the backend's control) ? Shouldn't http-served URL be constrained to some new /HTTP/ prefix to avoid surprises ?

[Łukasz Nowak]

What happens if an http-served URL starts with /HTTPS/ for whatever weird reason (which is completely out of frontend control, and completely in the backend's control) ? Shouldn't http-served URL be constrained to some new /HTTP/ prefix to avoid surprises ?

If the http endpoint url is like: /HTTP/TEST the result is:

Age: 0
Cache-Control: no-cache
Content-Length: 107
Content-Type: text/html
Date: Tue, 11 May 2021 08:56:27 GMT
Server: Caddy
Server: ATS/8.1.1

<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

Which is generated by trafficserver itself and never reaches the backend:

1620723378.545 0 10.0.117.32 TCP_MISS/503 302 GET http://10.0.117.32:21443/TEST http://<domain>:8080/TEST - DIRECT/10.0.117.32 text/html

Ooopsie, I'll add a bug for it.