Commit ce9e0df5 authored by Łukasz Nowak, committed by Łukasz Nowak

Caddy frontend quic

/reviewed-on !368
parent 06d4db50
...@@ -449,6 +449,16 @@ the proxy:: ...@@ -449,6 +449,16 @@ the proxy::
} }
) )
QUIC Protocol
=============
Experimental QUIC available in Caddy is not configurable, thus it is required to open port ``udp:11443`` on the machine, like::
iptables -I INPUT -p udp --dport 11443 --destination ${ip} -j ACCEPT
where ``${ip}`` is the IP of the partition with running caddy process.
Notes Notes
===== =====
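Review bot: the new section presents ``udp:11443`` as a fixed value, but 11443 is the HTTPS port of this deployment (the test in this change expects ``Alt-Svc: quic=":11443"`` and the supervisor state lists ``6tunnel-11443``), so the sentence should say that Caddy's QUIC listens over UDP on the same port as the configured HTTPS ``port`` and that the firewall rule has to follow that value rather than a literal 11443. It is also worth stating which address the rule targets: ``6tunnel`` (still used for binds per the TODO list) only relays TCP, so the UDP listener is reachable only on the address Caddy itself binds, which is what ``${ip}`` has to be. Suggested wording: "Caddy's experimental QUIC support listens on UDP on the HTTPS port (11443 in this configuration); it is not configurable separately, so open that port, e.g.: ``iptables -I INPUT -p udp --dport 11443 --destination ${ip} -j ACCEPT``".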
......
...@@ -63,7 +63,6 @@ Generally things to be done with ``caddy-frontend``: ...@@ -63,7 +63,6 @@ Generally things to be done with ``caddy-frontend``:
* reduce the time of configuration validation (in ``instance-apache-frontend.cfg.in`` sections ``[configtest]``, ``[caddy-configuration]``, ``[nginx-configuration]``), as it is not scalable on frontend with 2000+ slaves (takes few minutes instead of few, < 5, seconds), issue posted `upstream <https://github.com/mholt/caddy/issues/2220>`_ * reduce the time of configuration validation (in ``instance-apache-frontend.cfg.in`` sections ``[configtest]``, ``[caddy-configuration]``, ``[nginx-configuration]``), as it is not scalable on frontend with 2000+ slaves (takes few minutes instead of few, < 5, seconds), issue posted `upstream <https://github.com/mholt/caddy/issues/2220>`_
* drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_ * drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_
* use caddy-frontend in `standalone style playbooks <https://lab.nexedi.com/nexedi/slapos.package/tree/master/playbook/roles/standalone-shared>`_ * use caddy-frontend in `standalone style playbooks <https://lab.nexedi.com/nexedi/slapos.package/tree/master/playbook/roles/standalone-shared>`_
* ensure `QUIC <https://en.wikipedia.org/wiki/QUIC>`_ is used by caddy
Things which can't be implemented: Things which can't be implemented:
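Review bot: dropping the "ensure QUIC is used by caddy" item is premature for a feature that ships disabled by default (``configuration.enable-quic = false`` in this change) and is documented as experimental; consider replacing it with a narrower item such as "make the QUIC UDP port follow the HTTPS port in documentation and cover the UDP listener with a promise", since nothing in this change verifies that the UDP listener is actually bound or reachable.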
......
...@@ -14,7 +14,7 @@ ...@@ -14,7 +14,7 @@
# not need these here). # not need these here).
[template] [template]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = d649e128d36cf76f870c189c53985569 md5sum = 2c2d051825c76384732faad9c407c538
[template-common] [template-common]
filename = instance-common.cfg.in filename = instance-common.cfg.in
...@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b ...@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
[template-apache-frontend] [template-apache-frontend]
filename = instance-apache-frontend.cfg.in filename = instance-apache-frontend.cfg.in
md5sum = 64fb8005a62f0a3a9987de2e336b68e1 md5sum = 5cfc4dd69c2800906d6648c626023cf0
[template-apache-replicate] [template-apache-replicate]
filename = instance-apache-replicate.cfg.in filename = instance-apache-replicate.cfg.in
......
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
[buildout] [buildout]
extends = extends =
{{ parameter_dict['common_profile'] }} {{ parameter_dict['common_profile'] }}
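Review bot: ``TRUE_VALUES = ['y', 'yes', '1', 'true']`` accepts more spellings than the JSON schema added in this change, whose ``enum`` for ``enable-quic`` is only ``"true"`` and ``"false"``; either restrict the template check to ``'true'`` or widen the enum, otherwise a value such as ``yes`` enables QUIC in the instance while failing schema validation, and the two sources of truth drift apart.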
...@@ -224,6 +225,9 @@ command-line = {{ parameter_dict['caddy'] }} ...@@ -224,6 +225,9 @@ command-line = {{ parameter_dict['caddy'] }}
-conf ${dynamic-caddy-frontend-template:rendered} -conf ${dynamic-caddy-frontend-template:rendered}
-log ${caddy-configuration:error-log} -log ${caddy-configuration:error-log}
-http2=true -http2=true
{% if instance_parameter['configuration.enable-quic'].lower() in TRUE_VALUES %}
-quic
{% endif %}
-grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s -grace {{ instance_parameter['configuration.mpm-graceful-shutdown-timeout'] }}s
-disable-http-challenge -disable-http-challenge
-disable-tls-sni-challenge -disable-tls-sni-challenge
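Review bot: the ``{% if ... %}`` and ``{% endif %}`` lines carry no whitespace control, unlike the ``{%- set ... -%}`` at the top of the file, so when QUIC is disabled the rendered multi-line ``command-line`` value keeps an empty line where ``-quic`` would have been; use ``{%- if ... %}`` / ``{%- endif %}`` (and check the rendered file) to keep the option clean. ``instance_parameter['configuration.enable-quic'].lower()`` also assumes the parameter is always present and always a string; it is, thanks to the ``configuration.enable-quic = false`` default in instance.cfg.in, but a ``|string`` filter before ``.lower()`` would make the template robust against a boolean passed through the JSON API.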
......
...@@ -66,6 +66,16 @@ ...@@ -66,6 +66,16 @@
"description": "Url to verify if the internet and/or re6stnet is working.", "description": "Url to verify if the internet and/or re6stnet is working.",
"title": "Test Verification URL", "title": "Test Verification URL",
"type": "string" "type": "string"
},
"enable-quic": {
"default": "false",
"description": "Enables QUIC - Quick UDP Internet Connections. Note that this is experimental feature, thus can result in undefined behaviour.",
"enum": [
"true",
"false"
],
"title": "Enable QUIC",
"type": "string"
} }
}, },
"title": "Input Parameters", "title": "Input Parameters",
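Review bot: the ``description`` for ``enable-quic`` should tell the operator what the option implies operationally, namely that Caddy will additionally listen on UDP on the HTTPS port and that this port must be opened in the firewall (as the README hunk in this change says); the operator reading the schema will otherwise enable the flag and get a QUIC listener that is silently unreachable. Minor: "this is experimental feature" reads better as "this is an experimental feature".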
......
...@@ -88,6 +88,7 @@ configuration.trafficserver-autoconf-port = 8083 ...@@ -88,6 +88,7 @@ configuration.trafficserver-autoconf-port = 8083
configuration.trafficserver-mgmt-port = 8084 configuration.trafficserver-mgmt-port = 8084
configuration.re6st-verification-url = http://[2001:67c:1254:4::1]/index.html configuration.re6st-verification-url = http://[2001:67c:1254:4::1]/index.html
configuration.enable-http2-by-default = true configuration.enable-http2-by-default = true
configuration.enable-quic = false
configuration.mpm-graceful-shutdown-timeout = 5 configuration.mpm-graceful-shutdown-timeout = 5
configuration.monitor-httpd-port = 8072 configuration.monitor-httpd-port = 8072
configuration.frontend-name = configuration.frontend-name =
\ No newline at end of file
...@@ -2830,3 +2830,110 @@ class TestDefaultMonitorHttpdPort(SlaveHttpFrontendTestCase, TestDataMixin): ...@@ -2830,3 +2830,110 @@ class TestDefaultMonitorHttpdPort(SlaveHttpFrontendTestCase, TestDataMixin):
'Listen [%s]:8196' % (utils.GLOBAL_IPV6,) in master_monitor_conf) 'Listen [%s]:8196' % (utils.GLOBAL_IPV6,) in master_monitor_conf)
self.assertTrue( self.assertTrue(
'Listen [%s]:8072' % (utils.GLOBAL_IPV6,) in slave_monitor_conf) 'Listen [%s]:8072' % (utils.GLOBAL_IPV6,) in slave_monitor_conf)
class TestQuicEnabled(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod
def getInstanceParameterDict(cls):
return {
'domain': 'example.com',
'nginx-domain': 'nginx.example.com',
'public-ipv4': utils.LOCAL_IPV4,
'enable-quic': 'true',
'apache-certificate': open('wildcard.example.com.crt').read(),
'apache-key': open('wildcard.example.com.key').read(),
'-frontend-authorized-slave-string':
'_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT,
'nginx_port': NGINX_HTTPS_PORT,
'plain_nginx_port': NGINX_HTTP_PORT,
'monitor-httpd-port': MONITOR_HTTPD_PORT,
'-frontend-config-1-monitor-httpd-port': MONITOR_F1_HTTPD_PORT,
'mpm-graceful-shutdown-timeout': 2,
}
@classmethod
def getSlaveParameterDictDict(cls):
return {
'url': {
'url': cls.backend_url,
},
}
def getMasterPartitionPath(self):
# partition w/o etc/trafficserver, but with buildout.cfg
return [
q for q in glob.glob(os.path.join(self.instance_path, '*',))
if not os.path.exists(os.path.join(q, 'etc', 'trafficserver')) and
os.path.exists(os.path.join(q, 'buildout.cfg'))][0]
def getSlavePartitionPath(self):
# partition w/ etc/trafficserver
return [
q for q in glob.glob(os.path.join(self.instance_path, '*',))
if os.path.exists(os.path.join(q, 'etc', 'trafficserver'))][0]
def test_url(self):
parameter_dict = self.slave_connection_parameter_dict_dict[
'url'].copy()
self.assertLogAccessUrlWithPop(parameter_dict, 'url')
self.assertEqual(
parameter_dict,
{
'domain': 'url.example.com',
'replication_number': '1',
'url': 'http://url.example.com',
'site_url': 'http://url.example.com',
'secure_access': 'https://url.example.com',
'public-ipv4': utils.LOCAL_IPV4,
}
)
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
utils.der2pem(result.peercert),
open('wildcard.example.com.crt').read())
self.assertEqualResultJson(result, 'Path', '/test-path')
try:
j = result.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertKeyWithPop('Date', result.headers)
self.assertKeyWithPop('Content-Length', result.headers)
self.assertEqual(
result.headers,
{'Content-Encoding': 'gzip',
'Alt-Svc': 'quic=":11443"; ma=2592000; v="39"', # QUIC advertises
'Set-Cookie': 'secured=value;secure, nonsecured=value',
'Vary': 'Accept-Encoding',
'Server': 'Caddy, BaseHTTP/0.3 Python/2.7.14',
'Content-Type': 'application/json'}
)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqualResultJson(result_http, 'Path', '/test-path')
try:
j = result_http.json()
except Exception:
raise ValueError('JSON decode problem in:\n%s' % (result.text,))
self.assertFalse('remote_user' in j['Incoming Headers'].keys())
self.assertEqual(
result_http.headers['Content-Encoding'],
'gzip'
)
self.assertEqual(
result_http.headers['Set-Cookie'],
'secured=value;secure, nonsecured=value'
)
TestQuicEnabled-0/var/log/monitor-httpd-error.log
TestQuicEnabled-1/var/log/frontend-access.log
TestQuicEnabled-1/var/log/frontend-error.log
TestQuicEnabled-1/var/log/httpd/_url_access_log
TestQuicEnabled-1/var/log/httpd/_url_error_log
TestQuicEnabled-1/var/log/monitor-httpd-error.log
TestQuicEnabled-1/var/log/nginx-access.log
TestQuicEnabled-1/var/log/nginx-error.log
TestQuicEnabled-1/var/log/trafficserver/manager.log
TestQuicEnabled-1/var/log/trafficserver/traffic.out
\ No newline at end of file
TestQuicEnabled-0/var/run/monitor-httpd.pid
TestQuicEnabled-0/var/run/monitor/monitor-bootstrap.pid
TestQuicEnabled-1/var/run/caddy_configuration.signature
TestQuicEnabled-1/var/run/httpd.pid
TestQuicEnabled-1/var/run/monitor-httpd.pid
TestQuicEnabled-1/var/run/monitor/monitor-bootstrap.pid
TestQuicEnabled-1/var/run/ncaddy_configuration.signature
TestQuicEnabled-1/var/run/nginx.pid
\ No newline at end of file
TestQuicEnabled-1/etc/monitor-promise/check-_url-error-log-last-day
TestQuicEnabled-1/etc/monitor-promise/check-_url-error-log-last-hour
\ No newline at end of file
TestQuicEnabled-0/etc/promise/check-free-disk-space
TestQuicEnabled-0/etc/promise/monitor-http-frontend
TestQuicEnabled-0/etc/promise/monitor-httpd-listening-on-tcp
TestQuicEnabled-0/etc/promise/promise-monitor-httpd-is-process-older-than-dependency-set
TestQuicEnabled-1/etc/promise/caddy-frontend-is-running-actual-software-release
TestQuicEnabled-1/etc/promise/caddy_cached
TestQuicEnabled-1/etc/promise/caddy_frontend_ipv4_http
TestQuicEnabled-1/etc/promise/caddy_frontend_ipv4_https
TestQuicEnabled-1/etc/promise/caddy_frontend_ipv6_http
TestQuicEnabled-1/etc/promise/caddy_frontend_ipv6_https
TestQuicEnabled-1/etc/promise/caddy_ssl_cached
TestQuicEnabled-1/etc/promise/check-free-disk-space
TestQuicEnabled-1/etc/promise/frontend-caddy-configuration-promise
TestQuicEnabled-1/etc/promise/monitor-http-frontend
TestQuicEnabled-1/etc/promise/monitor-httpd-listening-on-tcp
TestQuicEnabled-1/etc/promise/nginx-configuration-promise
TestQuicEnabled-1/etc/promise/nginx_frontend_ipv4_http
TestQuicEnabled-1/etc/promise/nginx_frontend_ipv4_https
TestQuicEnabled-1/etc/promise/nginx_frontend_ipv6_http
TestQuicEnabled-1/etc/promise/nginx_frontend_ipv6_https
TestQuicEnabled-1/etc/promise/promise-monitor-httpd-is-process-older-than-dependency-set
TestQuicEnabled-1/etc/promise/promise-nginx-is-process-older-than-dependency-set
TestQuicEnabled-1/etc/promise/re6st-connectivity
TestQuicEnabled-1/etc/promise/trafficserver-cache-availability
TestQuicEnabled-1/etc/promise/trafficserver-port-listening
\ No newline at end of file
TestQuicEnabled-0:bootstrap-monitor EXITED
TestQuicEnabled-0:certificate_authority-on-watch RUNNING
TestQuicEnabled-0:crond RUNNING
TestQuicEnabled-0:monitor-httpd-graceful EXITED
TestQuicEnabled-0:monitor-httpd-on-watch RUNNING
TestQuicEnabled-1:6tunnel-11080-on-watch RUNNING
TestQuicEnabled-1:6tunnel-11443-on-watch RUNNING
TestQuicEnabled-1:6tunnel-12080-on-watch RUNNING
TestQuicEnabled-1:6tunnel-12443-on-watch RUNNING
TestQuicEnabled-1:6tunnel-26011-on-watch RUNNING
TestQuicEnabled-1:6tunnel-26012-on-watch RUNNING
TestQuicEnabled-1:bootstrap-monitor EXITED
TestQuicEnabled-1:certificate_authority-on-watch RUNNING
TestQuicEnabled-1:crond-on-watch RUNNING
TestQuicEnabled-1:frontend-caddy-safe-graceful EXITED
TestQuicEnabled-1:frontend-nginx-safe-graceful EXITED
TestQuicEnabled-1:frontend_caddy-on-watch RUNNING
TestQuicEnabled-1:frontend_nginx-on-watch RUNNING
TestQuicEnabled-1:monitor-httpd-graceful EXITED
TestQuicEnabled-1:monitor-httpd-on-watch RUNNING
TestQuicEnabled-1:trafficserver-on-watch RUNNING
TestQuicEnabled-1:trafficserver-reload EXITED
watchdog:watchdog RUNNING
\ No newline at end of file