caddy-frontend: Implement backend with own CA verification

software/caddy-frontend/TODO.rst

@@ -13,7 +13,6 @@ Generally things to be done with ``caddy-frontend``:
  * ``type:eventsource``:
 
    * **Jérome Perrin**: *For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream . If we have a "central shared" caddy instance, can it handle keeping connections opens for many clients ?*
- * ``ssl_proxy_ca_crt`` for ``ssl_proxy_verify``, this is related to bug `#1550 <https://github.com/mholt/caddy/issues/1550>`_, proposed solution `just adding your CA to the system's trust store`
  * ``check-error-on-caddy-log`` like ``check-error-on-apache-log``
  * cover test suite like resilient tests for KVM and prove it works the same way as Caddy
  * have ``caddy-frontend`` specific parameters, with backward compatibility to ``apache-frontend`` ones:

software/caddy-frontend/buildout.hash.cfg

@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
 
 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = 395ea5b3389e26a57dad0f91cd458630
+md5sum = f9d0e64b4aae205c7bb941f5c1c27876
 
 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -62,11 +62,11 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
 
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = 73bc8abae6aadc3ce55662c3d821b363
+md5sum = b7879a40ed7f8a49b764c82e7283811f
 
 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in
-md5sum = 7cbcadc295860821ac9d3aaa3cca72c5
+md5sum = c64f8ac7ec439460877ce5a5c5ccf1f7
 
 [template-log-access]
 filename = templates/template-log-access.conf.in

software/caddy-frontend/instance-apache-frontend.cfg.in

@@ -537,7 +537,7 @@ mode = 700
 template = {{ parameter_dict['template_graceful_script'] }}
 rendered = ${directory:etc-run}/frontend-caddy-safe-graceful
 mode = 0700
-path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt
+path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:slave-with-cache-configuration}/*.conf ${caddy-directory:vh-ssl}/*.key ${caddy-directory:vh-ssl}/*.crt ${caddy-directory:vh-ssl}/*.proxy_ca_crt
 sha256sum = {{ parameter_dict['sha256sum'] }}
 signature_file = ${directory:run}/caddy_graceful_signature
 extra-context =

software/caddy-frontend/instance-slave-caddy-input-schema.json

@@ -131,12 +131,12 @@
     },
     "ssl-proxy-verify": {
       "default": "false",
-      "description": "[NOT Implemented] If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
+      "description": "If set to true, Backend SSL Certificates will be checked and frontend will refuse to proxy if certificate is invalid",
       "enum": [
         "false",
         "true"
       ],
-      "title": "[NOT Implemented] Verify Backend Certificates",
+      "title": "Verify Backend Certificates",
       "type": "string"
     },
     "ssl_ca_crt": {
@@ -162,8 +162,8 @@
     },
     "ssl_proxy_ca_crt": {
       "default": "",
-      "description": "[NOT Implemented] Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
-      "title": "[NOT Implemented] SSL Backend Authority's Certificate",
+      "description": "Content of the SSL Certificate Authority file of the backend (to be used with ssl-proxy-verify)",
+      "title": "SSL Backend Authority's Certificate",
       "type": "string"
     },
     "type": {

software/caddy-frontend/templates/cached-virtualhost.conf.in

@@ -19,9 +19,6 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %}
 # Rewrite part
   proxy / {{ slave_parameter.get('backend_url', '') }} {
     # As backend is trusting REMOTE_USER header unset it always
@@ -30,7 +27,8 @@
     transparent
     timeout 600s
 {%- if ssl_proxy_verify %}
-{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+{%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
 {%-   endif %}
 {%- else %}
     insecure_skip_verify
@@ -43,16 +41,14 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %}
   proxy / {{ slave_parameter.get('https_backend_url', '') }} {
     # As backend is trusting REMOTE_USER header unset it always
     header_upstream -REMOTE_USER
     transparent
     timeout 600s
 {%- if ssl_proxy_verify %}
-{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+{%-   if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
 {%-   endif %}
 {%- else %}
     insecure_skip_verify

software/caddy-frontend/templates/default-virtualhost.conf.in

@@ -30,9 +30,6 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
   tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
 {%- if enable_h2 %}
     # Allow HTTP2
@@ -79,8 +76,9 @@
     transparent
     timeout 600s
 {%-   if ssl_proxy_verify %}
-{%-     if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-     endif %} {#-     if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-   else %} {#-   if ssl_proxy_verify #}
     insecure_skip_verify
 {%-   endif %} {#-   if ssl_proxy_verify #}
@@ -136,8 +134,9 @@
     transparent
     timeout 600s
 {%-     if ssl_proxy_verify %}
-{%-       if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-       endif %} {#-       if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-     else %} {#-     if ssl_proxy_verify #}
     insecure_skip_verify
 {%-     endif %} {#-     if ssl_proxy_verify #}
@@ -152,9 +151,6 @@
   bind {{ slave_parameter['local_ipv4'] }}
   # Compress the output
   gzip
-{%- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter %}
-    status 501 /
-{%- endif %} {#- if ssl_proxy_verify and 'ssl_proxy_ca_crt' in slave_parameter #}
 
   log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
   errors {{ slave_parameter.get('error_log') }}
@@ -201,8 +197,9 @@
     transparent
     timeout 600s
 {%-   if ssl_proxy_verify %}
-{%-     if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-     endif %} {#-     if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-   else %} {#-   if ssl_proxy_verify #}
     insecure_skip_verify
 {%-   endif %} {#-   if ssl_proxy_verify #}
@@ -252,8 +249,9 @@
     transparent
     timeout 600s
 {%-     if ssl_proxy_verify %}
-{%-       if 'ssl_proxy_ca_crt' in slave_parameter %}
-{%-       endif %} {#-       if 'ssl_proxy_ca_crt' in slave_parameter #}
+{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
+    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
+{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
 {%-     else %} {#-     if ssl_proxy_verify #}
     insecure_skip_verify
 {%-     endif %} {#-     if ssl_proxy_verify #}

software/caddy-frontend/test/test.py

@@ -40,6 +40,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler
 from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
 import time
 import tempfile
+import ipaddress
 
 from utils import SlapOSInstanceTestCase
 from utils import findFreeTCPPort
@@ -118,11 +119,24 @@ def createSelfSignedCertificate(name_list):
   return key, key_pem, certificate, certificate_pem
 
 
-def createCSR(common_name):
+def createCSR(common_name, ip=None):
   key, key_pem = createKey()
+  subject_alternative_name_list = []
+  if ip is not None:
+    subject_alternative_name_list.append(
+      x509.IPAddress(ipaddress.ip_address(unicode(ip)))
+    )
   csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
      x509.NameAttribute(NameOID.COMMON_NAME, unicode(common_name)),
-  ])).sign(key, hashes.SHA256(), default_backend())
+  ]))
+
+  if len(subject_alternative_name_list):
+    csr = csr.add_extension(
+      x509.SubjectAlternativeName(subject_alternative_name_list),
+      critical=False
+    )
+
+  csr = csr.sign(key, hashes.SHA256(), default_backend())
   csr_pem = csr.public_bytes(serialization.Encoding.PEM)
   return key, key_pem, csr, csr_pem
 
@@ -157,6 +171,7 @@ class CertificateAuthority(object):
   def signCSR(self, csr):
     builder = x509.CertificateBuilder(
       subject_name=csr.subject,
+      extensions=csr.extensions,
       issuer_name=self.certificate.subject,
       not_valid_before=datetime.datetime.utcnow() - datetime.timedelta(days=1),
       not_valid_after=datetime.datetime.utcnow() + datetime.timedelta(days=30),
@@ -465,9 +480,10 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
       (LOCAL_IPV4, findFreeTCPPort(LOCAL_IPV4)),
       TestHandler)
 
+    cls.another_server_ca = CertificateAuthority("Another Server Root CA")
     cls.test_server_ca = CertificateAuthority("Test Server Root CA")
     key, key_pem, csr, csr_pem = createCSR(
-      "testserver.example.com")
+      "testserver.example.com", LOCAL_IPV4)
     _, cls.test_server_certificate_pem = cls.test_server_ca.signCSR(csr)
 
     cls.test_server_certificate_file = tempfile.NamedTemporaryFile(
@@ -759,6 +775,11 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
         'ssl-proxy-verify': True,
         'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
       },
+      'ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
+        'url': cls.backend_https_url,
+        'ssl-proxy-verify': True,
+        'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
+      },
       'ssl-proxy-verify-unverified': {
         'url': cls.backend_https_url,
         'ssl-proxy-verify': True,
@@ -814,6 +835,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
         'ssl-proxy-verify': True,
         'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
       },
+      'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
+        'url': cls.backend_https_url,
+        'type': 'zope',
+        'ssl-proxy-verify': True,
+        'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
+      },
       'type-zope-ssl-proxy-verify-unverified': {
         'url': cls.backend_https_url,
         'type': 'zope',
@@ -880,6 +907,12 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
         'ssl_proxy_ca_crt': cls.test_server_ca.certificate_pem,
         'ssl-proxy-verify': True,
       },
+      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified': {
+        'url': cls.backend_https_url,
+        'enable_cache': True,
+        'ssl_proxy_ca_crt': cls.another_server_ca.certificate_pem,
+        'ssl-proxy-verify': True,
+      },
       'enable-http2-default': {
         'url': cls.backend_url,
       },
@@ -953,9 +986,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
     expected_parameter_dict = {
       'monitor-base-url': None,
       'domain': 'example.com',
-      'accepted-slave-amount': '40',
+      'accepted-slave-amount': '43',
       'rejected-slave-amount': '4',
-      'slave-amount': '44',
+      'slave-amount': '47',
       'rejected-slave-dict': {
         "_apache_custom_http_s-rejected": ["slave not authorized"],
         "_caddy_custom_http_s": ["slave not authorized"],
@@ -1769,6 +1802,45 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       result.headers['Location']
     )
 
+  def test_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
+    self.assertEqual(
+      {
+        'domain': 'sslproxyverifysslproxycacrtunverified.example.com',
+        'replication_number': '1',
+        'url': 'http://sslproxyverifysslproxycacrtunverified.example.com',
+        'site_url':
+        'http://sslproxyverifysslproxycacrtunverified.example.com',
+        'secure_access':
+        'https://sslproxyverifysslproxycacrtunverified.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      },
+      parameter_dict
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result.status_code
+    )
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result_http.status_code
+    )
+
   def test_ssl_proxy_verify_ssl_proxy_ca_crt(self):
     parameter_dict = self.parseSlaveParameterDict(
       'ssl-proxy-verify_ssl_proxy_ca_crt')
@@ -1793,17 +1865,42 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       self.certificate_pem,
       der2pem(result.peercert))
 
+    self.assertEqualResultJson(result, 'Path', '/test-path')
+
+    try:
+      j = result.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result.status_code
+      'gzip',
+      result.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result.headers['Set-Cookie']
     )
 
     result_http = self.fakeHTTPResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+    self.assertEqualResultJson(result_http, 'Path', '/test-path')
+
+    try:
+      j = result_http.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
 
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result_http.status_code
+      'gzip',
+      result_http.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result_http.headers['Set-Cookie']
     )
 
   def test_ssl_proxy_verify_unverified(self):
@@ -1835,6 +1932,47 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       result.status_code
     )
 
+  def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
+    self.assertEqual(
+      {
+        'domain':
+        'enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'replication_number': '1',
+        'url':
+        'http://enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'site_url':
+        'http://enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'secure_access':
+        'https://enablecachesslproxyverifysslproxycacrtunverified.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      },
+      parameter_dict
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result.status_code
+    )
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result_http.status_code
+    )
+
   def test_enable_cache_ssl_proxy_verify_ssl_proxy_ca_crt(self):
     parameter_dict = self.parseSlaveParameterDict(
       'enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt')
@@ -1861,17 +1999,72 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       self.certificate_pem,
       der2pem(result.peercert))
 
+    self.assertEqualResultJson(result, 'Path', '/test-path')
+
+    headers = result.headers.copy()
+
+    self.assertKeyWithPop('Via', headers)
+    self.assertKeyWithPop('Server', headers)
+    self.assertKeyWithPop('Date', headers)
+    self.assertKeyWithPop('Age', headers)
+
+    # drop keys appearing randomly in headers
+    headers.pop('Transfer-Encoding', None)
+    headers.pop('Content-Length', None)
+    headers.pop('Connection', None)
+    headers.pop('Keep-Alive', None)
+
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result.status_code
+      {'Content-type': 'application/json',
+       'Set-Cookie': 'secured=value;secure, nonsecured=value',
+       'Content-Encoding': 'gzip', 'Vary': 'Accept-Encoding'},
+      headers
     )
 
-    result_http = self.fakeHTTPResult(
-      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+    result_direct = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      port=26011)
+
+    self.assertEqualResultJson(result_direct, 'Path', '/test-path')
+
+    try:
+      j = result_direct.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result_direct.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
 
     self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result_http.status_code
+      'gzip',
+      result_direct.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result_direct.headers['Set-Cookie']
+    )
+
+    result_direct_https_backend = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path',
+      port=26012)
+
+    self.assertEqualResultJson(
+      result_direct_https_backend, 'Path', '/test-path')
+
+    try:
+      j = result_direct_https_backend.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (
+        result_direct_https_backend.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+
+    self.assertEqual(
+      'gzip',
+      result_direct_https_backend.headers['Content-Encoding']
+    )
+
+    self.assertEqual(
+      'secured=value;secure, nonsecured=value',
+      result_direct_https_backend.headers['Set-Cookie']
     )
 
   def test_enable_cache_ssl_proxy_verify_unverified(self):
@@ -1904,6 +2097,46 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       result.status_code
     )
 
+  def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt_unverified(self):
+    parameter_dict = self.parseSlaveParameterDict(
+      'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified')
+
+    self.assertLogAccessUrlWithPop(parameter_dict)
+    self.assertEqual(
+      {
+        'domain': 'typezopesslproxyverifysslproxycacrtunverified.example.com',
+        'replication_number': '1',
+        'url':
+        'http://typezopesslproxyverifysslproxycacrtunverified.example.com',
+        'site_url':
+        'http://typezopesslproxyverifysslproxycacrtunverified.example.com',
+        'secure_access':
+        'https://typezopesslproxyverifysslproxycacrtunverified.example.com',
+        'public-ipv4': LOCAL_IPV4,
+      },
+      parameter_dict
+    )
+
+    result = self.fakeHTTPSResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      self.certificate_pem,
+      der2pem(result.peercert))
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result.status_code
+    )
+
+    result_http = self.fakeHTTPResult(
+      parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
+
+    self.assertEqual(
+      httplib.BAD_GATEWAY,
+      result_http.status_code
+    )
+
   def test_type_zope_ssl_proxy_verify_ssl_proxy_ca_crt(self):
     parameter_dict = self.parseSlaveParameterDict(
       'type-zope-ssl-proxy-verify_ssl_proxy_ca_crt')
@@ -1929,17 +2162,29 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
       self.certificate_pem,
       der2pem(result.peercert))
 
-    self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result.status_code
+    try:
+      j = result.json()
+    except Exception:
+      raise ValueError('JSON decode problem in:\n%s' % (result.text,))
+    self.assertFalse('remote_user' in j['Incoming Headers'].keys())
+
+    self.assertEqualResultJson(
+      result,
+      'Path',
+      '/VirtualHostBase/https//'
+      'typezopesslproxyverifysslproxycacrt.example.com:443/'
+      '/VirtualHostRoot/test-path'
     )
 
-    result_http = self.fakeHTTPResult(
+    result = self.fakeHTTPResult(
       parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
 
-    self.assertEqual(
-      httplib.NOT_IMPLEMENTED,
-      result_http.status_code
+    self.assertEqualResultJson(
+      result,
+      'Path',
+      '/VirtualHostBase/http//'
+      'typezopesslproxyverifysslproxycacrt.example.com:80/'
+      '/VirtualHostRoot/test-path'
     )
 
   def test_type_zope_ssl_proxy_verify_unverified(self):

software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt

@@ -27,6 +27,8 @@ TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_access_log
 TestSlave-1/var/log/httpd/_enable_cache-disable-via-header_error_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_enable_cache_access_log
@@ -51,6 +53,8 @@ TestSlave-1/var/log/httpd/_server-alias_custom_domain-duplicated_error_log
 TestSlave-1/var/log/httpd/_server-alias_error_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_ssl_ca_crt_does_not_match_access_log
@@ -67,6 +71,8 @@ TestSlave-1/var/log/httpd/_type-zope-path_access_log
 TestSlave-1/var/log/httpd/_type-zope-path_error_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_access_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify-unverified_error_log
+TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_access_log
+TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified_error_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_access_log
 TestSlave-1/var/log/httpd/_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt_error_log
 TestSlave-1/var/log/httpd/_type-zope-virtualhostroot-http-port_access_log

software/caddy-frontend/test/test_data/test.TestSlave.test_monitor_promise_list-CADDY.txt

@@ -28,6 +28,8 @@ TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_enable_cache-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_https-only-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_monitor-ipv4-test-error-log-last-day
@@ -53,6 +55,8 @@ TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-las
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_does_not_match-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_ssl_ca_crt_garbage-error-log-last-day
@@ -73,6 +77,8 @@ TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-err
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-error-log-last-hour
+TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-day
+TestSlave-1/etc/monitor-promise/check-_type-zope-ssl-proxy-verify_ssl_proxy_ca_crt-unverified-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-day
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-http-port-error-log-last-hour
 TestSlave-1/etc/monitor-promise/check-_type-zope-virtualhostroot-https-port-error-log-last-day