caddy-frontend: Simplify templates and fill TODO

Where applicable simplify Jinja2 templates by removing Caddy-TODO
and fill or update TODO.rst.

software/caddy-frontend/TODO.rst

@@ -2,10 +2,16 @@ Generally things to be done with ``caddy-frontend``:
 
  * ``apache-ca-certificate`` shall be merged with ``apache-certificate``
  * (new) ``type:websocket`` slave
- * ``type:eventsource`` https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_58483
+ * ``type:eventsource``:
+
+   * **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
  * ``ssl_ca_crt``
- * ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy)
- * ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)
+ * ``prefer-gzip-encoding-to-backend`` (requires writing middleware plugin for Caddy)::
+
+    RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
+ * ``disabled-cookie-list`` (requires writing middleware plugin for Caddy)::
+
+    RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
  * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug https://github.com/mholt/caddy/issues/1550, proposed solution `just adding your CA to the system's trust store`
  * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
  * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
@@ -14,6 +20,46 @@ Generally things to be done with ``caddy-frontend``:
  * change ``switch-softwaretype`` to way how ``software/erp5`` does, which will help with dropping jinja2 template for ``caddy-wrapper``, which is workaround for current situation https://lab.nexedi.com/nexedi/slapos/merge_requests/312#note_62678
  * use `slapos!326 <https://lab.nexedi.com/nexedi/slapos/merge_requests/326>`_ instead of self-developed graceful restart scripts
  * move out `test/utils.py` and use it from shared python distribution
+ * provide various tricks for older browsers::
+
+    # The following directives modify normal HTTP response behavior to
+    # handle known problems with browser implementations.
+
+    BrowserMatch "Mozilla/2" nokeepalive
+    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
+                            downgrade-1.0 force-response-1.0
+    BrowserMatch "RealPlayer 4\.0" force-response-1.0
+    BrowserMatch "Java/1\.0" force-response-1.0
+    BrowserMatch "JDK/1\.0" force-response-1.0
+    # The following directive disables redirects on non-GET requests for
+    # a directory that does not include the trailing slash.  This fixes a
+    # problem with Microsoft WebFolders which does not appropriately handle
+    # redirects for folders with DAV methods.
+    # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+    BrowserMatch "MS FrontPage" redirect-carefully
+    BrowserMatch "^WebDrive" redirect-carefully
+    BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+    BrowserMatch "^gnome-vfs" redirect-carefully
+    BrowserMatch "^XML Spy" redirect-carefully
+    BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+ * Implement gzip/defalte on resources::
+
+    # Deflate
+    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
+    BrowserMatch ^Mozilla/4 gzip-only-text/html
+    BrowserMatch ^Mozilla/4\.0[678] no-gzip
+    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+ * check, and if needed apply, Apache-like SSL configuration switches::
+
+    # SSL Configuration
+    SSLProtocol all -SSLv2 -SSLv3
+    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+    SSLHonorCipherOrder on
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
+          SSLOptions +StdEnvVars
+    </FilesMatch>
+
 
 Things which can't be implemented:
 

software/caddy-frontend/buildout.hash.cfg

@@ -38,7 +38,7 @@ md5sum = 8d318af17da5631d4242c0d6d1531066
 
 [template-caddy-frontend-configuration]
 filename = templates/Caddyfile.in
-md5sum = 5c048a80c2e9374adea0cd647d14b192
+md5sum = 924d3bb528f590916552534934c604a2
 
 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
@@ -50,11 +50,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
 
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = c291422b417a906ee944de17321c0d12
+md5sum = b524304177e7854232aa43bed98ddbfd
 
 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
-md5sum = 194b1c41ae2edd1528e85bd01eb1f95b
+md5sum = 5aab4c15189a39837f56d4f442b233c6
 
 [template-log-access]
 filename = templates/template-log-access.conf.in

software/caddy-frontend/templates/Caddyfile.in

 # Automatically generated
 
-# The following directives modify normal HTTP response behavior to
-# handle known problems with browser implementations.
-# TODO-Caddy BrowserMatch "Mozilla/2" nokeepalive
-# TODO-Caddy BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
-# TODO-Caddy                         downgrade-1.0 force-response-1.0
-# TODO-Caddy BrowserMatch "RealPlayer 4\.0" force-response-1.0
-# TODO-Caddy BrowserMatch "Java/1\.0" force-response-1.0
-# TODO-Caddy BrowserMatch "JDK/1\.0" force-response-1.0
-# The following directive disables redirects on non-GET requests for
-# a directory that does not include the trailing slash.  This fixes a
-# problem with Microsoft WebFolders which does not appropriately handle
-# redirects for folders with DAV methods.
-# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
-# TODO-Caddy BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
-# TODO-Caddy BrowserMatch "MS FrontPage" redirect-carefully
-# TODO-Caddy BrowserMatch "^WebDrive" redirect-carefully
-# TODO-Caddy BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
-# TODO-Caddy BrowserMatch "^gnome-vfs" redirect-carefully
-# TODO-Caddy BrowserMatch "^XML Spy" redirect-carefully
-# TODO-Caddy BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
-
-
-# Deflate
-# TODO-Caddy AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript
-# TODO-Caddy BrowserMatch ^Mozilla/4 gzip-only-text/html
-# TODO-Caddy BrowserMatch ^Mozilla/4\.0[678] no-gzip
-# TODO-Caddy BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-
-# SSL Configuration
-# TODO-Caddy {% if slapparameter_dict.get('apache-ca-certificate') %}
-# TODO-Caddy SSLCACertificateFile {{ login_ca_crt }}
-# TODO-Caddy {% endif %}
-# TODO-Caddy SSLProtocol all -SSLv2 -SSLv3
-# TODO-Caddy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-# TODO-Caddy SSLHonorCipherOrder on
-# TODO-Caddy <FilesMatch "\.(cgi|shtml|phtml|php)$">
-# TODO-Caddy       SSLOptions +StdEnvVars
-# TODO-Caddy </FilesMatch>
-# Accept proxy to sites using self-signed SSL certificates
-# TODO-Caddy SSLProxyCheckPeerCN off
-# TODO-Caddy SSLProxyCheckPeerExpire off
-
 import {{frontend_configuration.get('log-access-configuration')}}
 import {{ slave_configuration_directory }}/*.conf
 import {{ slave_with_cache_configuration_directory }}/*.conf

software/caddy-frontend/templates/cached-virtualhost.conf.in

@@ -24,8 +24,6 @@
     timeout 600s
 {% if ssl_proxy_verify %}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter %}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%   endif %}
 {% else %}
     insecure_skip_verify
@@ -45,8 +43,6 @@
     timeout 600s
 {% if ssl_proxy_verify %}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter %}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%   endif %}
 {% else %}
     insecure_skip_verify

software/caddy-frontend/templates/default-virtualhost.conf.in

@@ -34,16 +34,10 @@
   log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
   errors {{ slave_parameter.get('error_log') }}
 
-# TODO-Caddy   SSLProtocol all -SSLv2 -SSLv3
-# TODO-Caddy   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-# TODO-Caddy   SSLHonorCipherOrder on
-
 {% for disabled_cookie in disabled_cookie_list %}
-# TODO-Caddy {{'  RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
 {% endfor %}
 
 {% if prefer_gzip %}
-# TODO-Caddy   RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
 {% endif %}
 
 {% if slave_type ==  'zope' and backend_url %}
@@ -63,8 +57,6 @@
     timeout 600s
 {% if ssl_proxy_verify %}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter %}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%   endif %}
 {% else %}
     insecure_skip_verify
@@ -109,8 +101,6 @@
     timeout 600s
 {% if ssl_proxy_verify %}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter %}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%   endif %}
 {% else %}
     insecure_skip_verify
@@ -130,11 +120,9 @@
   errors {{ slave_parameter.get('error_log') }}
 
 {% for disabled_cookie in disabled_cookie_list %}
-# TODO-Caddy {{'  RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
 {% endfor %}
 
 {% if prefer_gzip %}
-# TODO-Caddy   RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
 {% endif %}
 
 {% if https_only %}
@@ -160,8 +148,6 @@
     timeout 600s
 {% if ssl_proxy_verify %}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter %}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%   endif %}
 {% else %}
     insecure_skip_verify
@@ -201,8 +187,6 @@
     timeout 600s
 {% if ssl_proxy_verify %}
 {%   if 'ssl_proxy_ca_crt' in slave_parameter %}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%   endif %}
 {% else %}
     insecure_skip_verify