- 20 Dec, 2023 1 commit
-
-
Titouan Soulard authored
Using RegExp to validate hostnames is a bad practice, and has a lot of reasons to be wrong. On top of that, the JSON Schema specification allows, since draft 7, to validate hostnames against an IDN hostname, by using the `idn-hostname` format. With these changes, IDNs are now supported (.рф and .中國 for instance), and long TLDs should not be a problem anymore.
-
- 17 Apr, 2023 1 commit
-
-
Łukasz Nowak authored
Expose and document HTTP3 related cluster switches. Switch to Recurls with HTTP3 enabled curl for testing.
-
- 09 Jan, 2023 3 commits
-
-
Łukasz Nowak authored
Cipher translation is implemented on the node, so that old style and new style nodes can co-exist in the same cluster, thus making partial upgrade possible.
-
Łukasz Nowak authored
mpm-graceful-shutdown-timeout is dropped, as it's a historical leftover and never really useful in the caddy-frontend CDN usage context - stopping the server is the most rare situation, and any grace period is solved eventually outside of the running process (like redirecting traffic elsewhere before stopping).
-
Łukasz Nowak authored
It's based on phased out caddy-frontend, especially as next step is to drop Caddy software from the software release.
-
- 19 Oct, 2022 1 commit
-
-
Łukasz Nowak authored
-
- 17 Oct, 2022 2 commits
-
-
Łukasz Nowak authored
This option was useful only during the time, when there were experiments running on caddy-frontend clusters during switch to HTTP/2. Currently HTTP/2 is a standard, and there is no reason to disable it globally.
-
Łukasz Nowak authored
instance-slave-caddy-simplified-input-schema.json has been removed, as it is not useful.
-
- 07 Mar, 2022 1 commit
-
-
Łukasz Nowak authored
Instead of trusting CSR id published by the node which tries to join the cluster, add a tool which is able to compare exposed CSR with one in caucase and then decide to accept node in the cluster. This tool does what usual user would do, and its logic implemented as a script leads to much simpler profiles. For sake of clean profiles csr_id has been removed, except when it's used for self joining of the user to the cluster.
-
- 25 Feb, 2021 2 commits
-
-
Łukasz Nowak authored
It's available only on the slave, so it is not part of master partition configuration. Due to the cleanup change the parameter parsing logic has to be improved.
-
Łukasz Nowak authored
Improvements:
 * link from README to schemas
 * drop incorrect entries in README
 * improve entries description in README
 * make parameter description more understandable in SCHEMA
-
- 27 Jan, 2021 1 commit
-
-
Łukasz Nowak authored
-
- 26 Jan, 2021 2 commits
-
-
Łukasz Nowak authored
The public-ipv4 comes from the historical usage of the system, but since new implementation came into place it was never needed, so now it's time to say goodbye. Test has been updated to do in-house mimic of the used IP to access.
-
Łukasz Nowak authored
It's from old approach, which is not going to be implemented.
-
- 17 Jul, 2020 2 commits
-
-
Łukasz Nowak authored
By default do not offer authentication certificate, the switch authenticate-to-backend can be used on cluster or slave level to control this feature.
-
Łukasz Nowak authored
This is needed in order to provide future support for client certificates to the backend. Also it means that haproxy is used in all cases, with or without cache, and as a result the "cached" version of caddy is dropped. Let haproxy setup maxconn by itself, as it's wise enough. Also trust that it'll detect and use proper limits, instead of enforcing them in the shell with ulimit trick (ulimit -n $(ulimit -Hn)). As empty server alias can impact the configuration, add proper test for checking it.
-
- 22 Jun, 2020 2 commits
-
-
Łukasz Nowak authored
QUIC is not used at all, and became superseded by HTTP/3
-
Łukasz Nowak authored
Customized configuration support is not used since introduction of Caddy software, so there is no need to support it anymore.
-
- 30 Aug, 2019 1 commit
-
-
Łukasz Nowak authored
It defaults to 600s, which is good reasonable chosen before.
-
- 18 Jul, 2019 1 commit
-
-
Łukasz Nowak authored
/reviewed-on !597
-
- 19 Jun, 2019 1 commit
-
-
Łukasz Nowak authored
As apache-ca-certificate field is not implemented for caddy, inform how to obtain required functionality.
-
- 14 Jun, 2019 1 commit
-
-
Łukasz Nowak authored
In "caddy-frontend: Implement KeDiFa SSL information" the certificates were dropped from the schema, but still internally supported. This led to missing UI fields for still supported parameters. Reintroduced them with OBSOLETE mark. /reviewed-on nexedi/slapos!574
-
- 28 May, 2019 1 commit
-
-
Łukasz Nowak authored
Some arguments need Caddy process restart, so implement it with hash-files and also inform the master partition requester about parameters which will result with process restart.
-
- 23 Apr, 2019 1 commit
-
-
Łukasz Nowak authored
There is no need anymore to have two processes for normal and nginx slaves, as nginx ones are served by caddy anyway. Also inform the requester that type:eventsource is not implemented.
-
- 13 Mar, 2019 3 commits
-
-
Łukasz Nowak authored
It is better to have automation similar to previous implementation by default.
-
Łukasz Nowak authored
AIKC - Automatic Internal Kedifa's Caucase CSR signing, which can be triggered by option automatic-internal-kedifa-caucase-csr. It signs all CSR which match csr_id and certificate from the nodes which need them.
-
Łukasz Nowak authored
Use KeDiFa to store keys, and transmit the url to the requester for master and slave partitions. Download keys on the slave partitions level. Use caucase to fetch main caucase CA. kedifa-caucase-url is published in order to have access to it. Note: caucase is prepended with kedifa, as this is that one. Use kedifa-csr tool to generate CSR and use caucase-updater macro. Switch to KeDiFa with SSL Auth and updated goodies. KeDiFa endpoint URLs are randomised. Only one (first) user certificate is going to be automatically accepted. This one shall be operated by the cluster owner, the requester of frontend master partition. Then he will be able to sign certificates for other users and also for services - so each node in the cluster. Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line is used for one command generation of extensions in the certificate. Note: We could upgrade to openssl 1.1.1 in order to have it really simplified (see https://security.stackexchange.com/a/183973 ) Improve CSR readability by creating cluster-identification, which is master partition title, and use it as Organization of the CSR. Reserve slots for data exchange in KeDiFa.
-
- 08 Feb, 2019 1 commit
-
-
Łukasz Nowak authored
try_duration and try_interval are Caddy proxy's switches which allow to deal with non working backend (https://caddyserver.com/docs/proxy).

The non working backend is the one, to which connection is lost or was not possible to make, without sending any data.

The default try_duration=5s and try_interval=250ms are chosen, so that in normal network conditions (with all possible problems in the network, like lost packets) the browser will have to wait up to 5 seconds to be informed that backend is inaccessible or for the request to start being processed, but only a bit more than 250ms if Caddy would have to reestablish connection to faulty backend.

In order to check it out it is advisable to setup a system, with real backend, like apache one, and configure iptables to randomly reject packets to it:

    iptables -A INPUT -m statistic --mode random -p tcp --dport <backend_port> \
      --probability 0.05 -j REJECT --reject-with tcp-reset

Using ab or any other tool will result in a lot of 502 EOF in the Caddy error log and also reported by ab. With this configuration there are no more errors visible to the client, which come from the problems on the network between Caddy and the backend.
-
- 17 Jan, 2019 1 commit
-
-
Łukasz Nowak authored
One of the solutions for random 502 errors from caddy is to fully disable HTTP2 protocol ( https://github.com/mholt/caddy/issues/1080 ). We run Caddy with HTTP2 enabled by default, as we can enable/disable it per each slave, but in some environments it might be just better to fully avoid HTTP2 codepaths in Caddy. /reviewed-on !495
-
- 20 Nov, 2018 1 commit
-
-
Łukasz Nowak authored
-
- 03 Sep, 2018 1 commit
-
-
Jérome Perrin authored
-
- 06 Aug, 2018 1 commit
-
-
Łukasz Nowak authored
/reviewed-on nexedi/slapos!368
-
- 28 Jun, 2018 1 commit
-
-
Łukasz Nowak authored
-