Commit 958a5fe1 authored by Rafael Monnerat's avatar Rafael Monnerat Committed by Julien Muchembled

apache-frontend: Allow to use diferent backends for http and https

  Use 2 different ports on apache for cached slaves, to distinguish http and https accesses.
  Introduce the parameter https-url (with fallback to url) to include specific https urls,
    if they are different from url.
  Include /HTTPS/ mapping to traffic server to distinguish the backends based on the input.
parent 717d8475
......@@ -69,7 +69,7 @@ mode = 0644
[template-apache-frontend]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-apache-frontend.cfg
md5sum = 92b69679b3004e160180504012a36f46
md5sum = 3e52cdd1fba381cdb98b438589d1c4ab
output = ${buildout:directory}/template-apache-frontend.cfg
mode = 0644
......@@ -82,7 +82,7 @@ mode = 0644
[template-slave-list]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/apache-custom-slave-list.cfg.in
md5sum = 8b278b34a4fb063ba94e10186f725fcb
md5sum = ee18e498f2868735e0c0ddf209454c37
mode = 640
[template-slave-configuration]
......@@ -106,7 +106,7 @@ mode = 640
[template-apache-cached-configuration]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/apache_cached.conf.in
md5sum = a1c744e48b465a63c2d6f0f384466013
md5sum = 2c6c09390a9d778aecba75f569fb486c
mode = 640
[template-rewrite-cached]
......@@ -137,13 +137,13 @@ mode = 640
[template-default-slave-virtualhost]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in
md5sum = c22de91b25d0597fecc7082a153b87bc
md5sum = c50959e7c38b307f1a1c274505a7e1c1
mode = 640
[template-cached-slave-virtualhost]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/cached-virtualhost.conf.in
md5sum = 14c81d5a06bf2c4fd41f51b219197982
md5sum = 432e55df3b42243a98b564cca57e2396
mode = 640
[template-log-access]
......
......@@ -23,6 +23,7 @@ parts =
promise-apache-frontend-v6-https
promise-apache-frontend-v6-http
promise-apache-cached
promise-apache-ssl-cached
trafficserver-launcher
trafficserver-reload
......@@ -144,6 +145,7 @@ extra-context =
key apache_configuration_directory apache-directory:slave-configuration
key apache_cached_configuration_directory apache-directory:slave-with-cache-configuration
key cached_port apache-configuration:cache-through-port
key ssl_cached_port apache-configuration:ssl-cache-through-port
key http_port instance-parameter:configuration.plain_http_port
key https_port instance-parameter:configuration.port
key public_ipv4 instance-parameter:configuration.public-ipv4
......@@ -225,6 +227,7 @@ extra-context =
key instance_home buildout:directory
key ipv4_addr instance-parameter:ipv4-random
key cached_port apache-configuration:cache-through-port
key ssl_cached_port apache-configuration:ssl-cache-through-port
key server_admin instance-parameter:configuration.server-admin
key protected_path apache-configuration:protected-path
key access_control_string apache-configuration:access-control-string
......@@ -284,6 +287,7 @@ cache-pid-file = $${directory:run}/httpd-cached.pid
# Comunication with ats
cache-port = $${trafficserver-variable:input-port}
cache-through-port = 26011
ssl-cache-through-port = 26012
# Create wrapper for "apachectl conftest" in bin
[configtest]
......@@ -405,7 +409,9 @@ reload-path = $${directory:etc-run}/trafficserver-reload
local-ip = $${instance-parameter:ipv4-random}
input-port = 23432
hostname = $${instance-parameter:configuration.frontend-name}
remap = map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
remap = map /HTTPS/ http://$${instance-parameter:ipv4-random}:$${apache-configuration:ssl-cache-through-port}
map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
  • /cc @luke

    I found this pair of rules while looking at caddy frontend configuration files.

    Include /HTTPS/ mapping to traffic server to differ the backends based on the input.

    What happens if an http-served URL starts with /HTTPS/ for whatever weird reason (which is completely out of frontend control, and completely in the backend's control) ? Shouldn't http-served URL be constrained to some new /HTTP/ prefix to avoid surprises ?

  • What happens if an http-served URL starts with /HTTPS/ for whatever weird reason (which is completely out of frontend control, and completely in the backend's control) ? Shouldn't http-served URL be constrained to some new /HTTP/ prefix to avoid surprises ?

    If the http endpoint url is like: /HTTP/TEST the result is:

    Age: 0
    Cache-Control: no-cache
    Content-Length: 107
    Content-Type: text/html
    Date: Tue, 11 May 2021 08:56:27 GMT
    Server: Caddy
    Server: ATS/8.1.1
    
    <html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>

    Which is generated by trafficserver itself and never reaches the backend:

    1620723378.545 0 10.0.117.32 TCP_MISS/503 302 GET http://10.0.117.32:21443/TEST http://<domain>:8080/TEST - DIRECT/10.0.117.32 text/html

    Ooopsie, I'll add a bug for it.

plugin-config = ${trafficserver:location}/libexec/trafficserver/rfc5861.so
cache-path = $${trafficserver-directory:cache-path}
disk-cache-size = $${instance-parameter:configuration.disk-cache-size}
......@@ -535,6 +541,12 @@ path = $${directory:promise}/apache_cached
hostname = $${instance-parameter:ipv4-random}
port = $${apache-configuration:cache-through-port}
[promise-apache-ssl-cached]
recipe = slapos.cookbook:check_port_listening
path = $${directory:promise}/apache_ssl_cached
hostname = $${instance-parameter:ipv4-random}
port = $${apache-configuration:ssl-cache-through-port}
[slap_connection]
# Kept for backward compatiblity
computer_id = $${slap-connection:computer-id}
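Review bot: The new `ssl-cache-through-port = 26012` key in [apache-configuration] carries no explanation, while the neighbouring keys do (`# Comunication with ats`), and the /HTTPS/ prefix convention it relies on is only discoverable by reading the trafficserver remap rule and the cached-virtualhost template side by side. A comment above it such as `# Cached vhost for https slaves: ATS strips the /HTTPS/ prefix (see the remap rule below) and the vhost proxies on to https-url` would let a reader find the whole path. It is also worth stating that, despite the name, this port receives plain HTTP from ATS (the remap target is `http://`); only the hop from the cached vhost to the backend is TLS, via SSLProxyEngine in cached-virtualhost.conf.in.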
......
......@@ -10,6 +10,12 @@
"type": "string",
"pattern": "^(http|https|ftp)://"
},
"https-url": {
"title": "HTTPS Backend URL",
"description": "Url of the backend if it is diferent from url parameter",
"type": "string",
"pattern": "^(http|https|ftp)://"
},
"custom_domain": {
"title": "Custom Domain",
"description": "Custom Domain to use for the website",
......@@ -23,7 +29,6 @@
"type": "string",
"default": ""
},
"type": {
"title": "Backend Type",
"description": "Type of slave. If redirect, the slave will redirect to the given url. If zope, the rewrite rules will be compatible with Virtual Host Monster",
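Review bot: The new https-url description, `Url of the backend if it is diferent from url parameter`, has a typo and omits the fallback the commit message promises, which is the one thing a slave operator needs to know before deciding whether to set it. Suggest `"description": "URL of the backend used for HTTPS requests; falls back to url when not set"`. Before documenting the fallback, confirm it applies to every slave: in this commit it is only visible in the enable_cache branches of apache-custom-slave-list.cfg.in, while default-virtualhost.conf.in reads `slave_parameter.get('https-url', '')`.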
......
......@@ -3,6 +3,7 @@
{% set cached_server_dict = {} -%}
{% set part_list = [] -%}
{% set cache_access = "http://%s:%s" % (local_ipv4, cache_port) -%}
{% set ssl_cache_access = "http://%s:%s/HTTPS" % (local_ipv4, cache_port) -%}
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{% set generic_instance_parameter_dict = {'cache_access': cache_access,} -%}
{% set slave_log_dict = {} -%}
......@@ -178,6 +179,7 @@ extra-context =
{% if 'enable_cache' in slave_instance and 'url' in slave_instance and 'domain' in slave_instance -%}
{% do slave_instance.__setitem__('custom_domain', slave_instance.get('domain')) -%}
{% do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%}
{% do slave_instance.__setitem__('https_backend_url', slave_instance.get('https-url', slave_instance.get('url'))) -%}
{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
{% endif -%}
......@@ -208,7 +210,9 @@ apache_custom_https = {{ dumps(apache_custom_https) }}
{% set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_instance.get('type', '') != 'redirect') -%}
{% if enable_cache -%}
{% do slave_instance.__setitem__('backend_url', slave_instance.get('url')) -%}
{% do slave_instance.__setitem__('https_backend_url', slave_instance.get('https-url', slave_instance.get('url'))) -%}
{% do slave_instance.__setitem__('url', cache_access) -%}
{% do slave_instance.__setitem__('https-url', ssl_cache_access) -%}
{% do cached_server_dict.__setitem__(slave_reference, slave_configuration_section_name) -%}
{% endif -%}
{% do part_list.append(slave_section_title) -%}
......@@ -251,6 +255,7 @@ extensions = jinja2.ext.do
extra-context =
section slave_parameter {{ slave_configuration_section_name }}
raw cached_port {{ cached_port }}
raw ssl_cached_port {{ ssl_cached_port }}
{{ '\n' }}
{% endfor %}
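Review bot: The new `ssl_cache_access` definition hard-codes the `/HTTPS` path prefix that the trafficserver remap rule and the ssl cached vhost depend on, with nothing in this file saying why the https endpoint points at `cache_port` rather than a separate port. A comment above it, `{# https traffic for cached slaves goes through ATS under /HTTPS/, which remaps it to ssl_cached_port; the prefix must match the trafficserver remap rule #}`, would tie the three files together. The same `https_backend_url` fallback expression is now repeated at the two `enable_cache` sites; if both branches are kept, a shared `{% set https_backend_url = slave_instance.get('https-url', slave_instance.get('url')) %}` before them would keep the fallback in one place.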
......
......@@ -8,6 +8,8 @@ DocumentRoot {{ document_root }}
ServerRoot {{ instance_home }}
{{ "Listen %s:%s" % (ipv4_addr, cached_port) }}
{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port) }}
ServerAdmin {{ server_admin }}
DefaultType text/plain
......
......@@ -27,3 +27,31 @@
RewriteRule ^/(.*)$ {{ slave_parameter.get('backend_url', '') }}/$1 [L,P]
</VirtualHost>
<VirtualHost *:{{ ssl_cached_port }}>
ServerName {{ slave_parameter.get('custom_domain') }}
{%- if 'server-alias' in slave_parameter -%}
{% set server_alias_list = slave_parameter.get('server-alias', '').split() %}
{%- for server_alias in server_alias_list %}
ServerAlias {{ server_alias }}
{% endfor %}
{%- endif %}
SSLProxyEngine on
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{% if ssl_proxy_verify -%}
{% if 'ssl_proxy_ca_crt' in slave_parameter -%}
SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{% endif %}
SSLProxyVerify require
#SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
{% endif %}
# Rewrite part
ProxyPreserveHost On
ProxyTimeout 600
RewriteEngine On
RewriteRule ^/(.*)$ {{ slave_parameter.get('https_backend_url', '') }}/$1 [L,P]
</VirtualHost>
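Review bot: The added `<VirtualHost *:{{ ssl_cached_port }}>` block is a near-verbatim copy of the existing `cached_port` vhost (which starts before this hunk), differing only in the listen port and the `https_backend_url` key of the final RewriteRule; future fixes to one copy will be missed in the other. A loop over the two (port, backend key) pairs keeps a single body, at the cost of also wrapping the original vhost outside this hunk. Independently of that, the guard `{% if 'ssl_proxy_ca_crt' in slave_parameter %}` emits `SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}`; presumably the slave-list template derives the path key from the cert key, otherwise Apache gets a directive with an empty argument — worth confirming, since the copy carries the mismatch forward.
```jinja
{% for listen_port, backend_key in ((cached_port, 'backend_url'), (ssl_cached_port, 'https_backend_url')) -%}
<VirtualHost *:{{ listen_port }}>
  ServerName {{ slave_parameter.get('custom_domain') }}
  {# … unchanged: ServerAlias loop, SSLProxyEngine / ssl-proxy-verify block, ProxyPreserveHost, ProxyTimeout, RewriteEngine … #}
  RewriteRule ^/(.*)$ {{ slave_parameter.get(backend_key, '') }}/$1 [L,P]
</VirtualHost>
{% endfor %}
```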
......@@ -78,14 +78,14 @@
# First, we check if we have a zope backend server
# If so, let's use Virtual Host Monster rewrite
# We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/https//%{SERVER_NAME}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', '') }}/VirtualHostBase/https//%{SERVER_NAME}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% elif slave_parameter.get('type', '') == 'redirect' -%}
RewriteRule (.*) {{slave_parameter.get('url', '')}}$1 [R,L]
RewriteRule (.*) {{ slave_parameter.get('https-url', '')}}$1 [R,L]
{% else -%}
{% if 'default-path' in slave_parameter %}
RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
{% endif -%}
RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', '') }}/$1 [L,P]
{% endif -%}
</VirtualHost>
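Review bot: The three rewritten RewriteRule targets now read `slave_parameter.get('https-url', '')`, so an https request to a slave that set only `url` gets an empty proxy or redirect target (`/VirtualHostBase/https//…` or `/$1` with nothing in front of it) unless https-url is filled in for every slave somewhere outside these hunks; the fallback the commit message describes is only visible in apache-custom-slave-list.cfg.in for the enable_cache branches. Making the fallback explicit here, `{{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}` in all three rules, keeps this vhost correct whatever the slave-list template does, and preserves the pre-commit behaviour for existing slaves. The enclosing VirtualHost block starts before this hunk.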
......