• Jérome Perrin's avatar
    stack/erp5: remove httpd and use haproxy instead · 6a8f58c5
    Jérome Perrin authored
    Two main differences of haproxy are file format for certificates and logs.
    
    HAProxy also uses certificates in PEM format, but it expect its own server
    certificate and the key to be in the same file (although recent version seems
    to accept separate files, we don't use this now) and the CRL and CA certificates
    also all together in the same file.
    We change to use the same file for certificate and key and for CA and CRL, in
    the updater script we we build PEM files by containing all CA certificates and
    all CRL together.
    Also, since haproxy needs to be reloaded when certificate change, we run it in
    master-worker mode, with a pid file so that we can signal it to reload.
    
    For the logs, since haproxy does not log to file, we introduce a rsyslogd to
    log to a file. The log format is same as with httpd, except that timing are not
    in microseconds but in milliseconds - this did not seem to be configurable.
    This is a problem for apachedex reports on log, for that we plan to use an
    updated version of apachedex with support for `%{ms}T` for durations.
    
    HAProxy is configured with same timeouts, except:
     - "connect" timeout has been increased a bit (from 5 to 10s), because the
       comment "The connection should be immediate on LAN" was no longer true, now
       that haproxy is accessed from frontend.
     - the server entries for testrunner are a very long timeout (8h) because some
       ERP5 functional tests exceeed the 305s timeout.
    
    The SSL configuration is with current "modern" config from https://ssl-config.mozilla.org/
    
    Tests have been modified a bit, because haproxy uses HTTP/2.0 and not 1.1
    like httpd was doing several haproxy features (keep alive and gzip
    compression) are only available when backend uses HTTP/1.1, so we adjusted
    tests to use a 1.1 backend.
    
    There was also differences with logs, because of the time being in milliseconds.
    
    TestPublishedURLIsReachableMixin._checkERP5IsReachable was also updated, it
    was working by chance because when accessed behind httpd->haproxy->zope, zope
    was producing a redirect URL that was the URL of haproxy, which could be
    resolved by chance. This test was updated to access zope with a path that
    contains VirtualHostMonster magic, as the shared frontend ( with "zope" software
    type) is supposed to set.
    
    This should hopefuly solve the "502 Proxy Error" that we are observing with httpd.
    6a8f58c5
haproxy.cfg.in 8.46 KB