Generally things to be done with caddy-frontend:

- return warning on not implemented keys (from apache-frontend perspective) in master and slave request
- tests: add assertion with results of promises in etc/promise for each partition
- tests: switch to cryptography for certificate management
- README: cleanup the documentation, explain various specifics
- check the whole frontend slave snippet with caddy -validate during buildout run, and reject it if it does not pass validation
- apache-ca-certificate shall be merged with apache-certificate
- apache-ca-certificate shall be appended to apache-certificate if not already there
- BUG?? check that changing apache-certificate on master partition results in reloading slave partition
- provide apache-frontend to caddy-frontend migration information
- (new) type:websocket slave
- type:eventsource:
  - Jérome Perrin: For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream. If we have a "central shared" caddy instance, can it handle keeping connections open for many clients?
- ssl_proxy_ca_crt for ssl_proxy_verify, this is related to bug #1550, proposed solution just adding your CA to the system's trust store
- check-error-on-caddy-log like check-error-on-apache-log
- cover test suite like resilient tests for KVM and prove it works the same way as Caddy
- have caddy-frontend specific parameters, with backward compatibility to apache-frontend ones:
  - apache-ca-certificate
  - apache-certificate and apache-key
- use slapos!326, and especially the note about complex restart scenarios, instead of self-developed graceful restart scripts
- move out test/utils.py and use it from shared python distribution
- provide various tricks for older browsers:

      # The following directives modify normal HTTP response behavior to
      # handle known problems with browser implementations.
      BrowserMatch "Mozilla/2" nokeepalive
      BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
      BrowserMatch "RealPlayer 4\.0" force-response-1.0
      BrowserMatch "Java/1\.0" force-response-1.0
      BrowserMatch "JDK/1\.0" force-response-1.0

      # The following directive disables redirects on non-GET requests for
      # a directory that does not include the trailing slash. This fixes a
      # problem with Microsoft WebFolders which does not appropriately handle
      # redirects for folders with DAV methods.
      # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
      BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
      BrowserMatch "MS FrontPage" redirect-carefully
      BrowserMatch "^WebDrive" redirect-carefully
      BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
      BrowserMatch "^gnome-vfs" redirect-carefully
      BrowserMatch "^XML Spy" redirect-carefully
      BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

- check, and if needed apply, Apache-like SSL configuration switches:

      # SSL Configuration
      SSLProtocol all -SSLv2 -SSLv3
      SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
      SSLHonorCipherOrder on
      <FilesMatch "\.(cgi|shtml|phtml|php)$">
          SSLOptions +StdEnvVars
      </FilesMatch>

- reduce the time of configuration validation (in instance-apache-frontend.cfg.in sections [configtest], [caddy-configuration], [nginx-configuration]), as it is not scalable on a frontend with 2000+ slaves (takes a few minutes instead of a few, < 5, seconds), issue posted upstream
- drop 6tunnel and use bind in Caddy configuration, as soon as multiple binds are possible, tracked in the upstream issues "bind: support multiple values" and "ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both"
- use caddy-frontend in standalone style playbooks
- in templates/apache-custom-slave-list.cfg.in avoid repetitive part_list.append and use a macro like in ERP5 SR (cf Vincent's comment)
- Jérome Perrin: consider privacy implications/GDPR compliance of https://caddyserver.com/docs/telemetry and decide if we should leave it enabled.
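The merge rule from the list above (apache-ca-certificate is appended to apache-certificate only if it is not already there) as an added example; this is not code from the caddy-frontend software release, and the PEM bodies used as sample input are constructed placeholders, not real certificates:

```python
import re

# One PEM certificate block; DOTALL so the base64 body may span many lines.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def split_pem_certificates(pem_text):
    """Return the certificate bodies of a PEM bundle, in order.

    Each body is canonicalised (all whitespace removed) so that the same
    certificate compares equal even when the base64 was wrapped at a
    different width.  Only CERTIFICATE blocks are considered: the private
    key lives in the separate apache-key parameter, never in this bundle.
    """
    return ["".join(m.group(1).split()) for m in _PEM_CERT_RE.finditer(pem_text)]


def certificate_body_to_pem(body, width=64):
    """Re-wrap a canonical base64 body into a standard PEM block."""
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def merge_ca_certificate(certificate_pem, ca_certificate_pem):
    """Append each CA certificate to the bundle unless already present.

    Returns (merged_pem, appended_count).  The operation is idempotent, so
    re-running it on an already merged bundle appends nothing; this is what
    lets a buildout re-run leave the slave configuration unchanged.
    """
    bodies = split_pem_certificates(certificate_pem)
    if not bodies:
        raise ValueError("apache-certificate contains no PEM certificate")
    appended = 0
    for body in split_pem_certificates(ca_certificate_pem):
        if body not in bodies:
            bodies.append(body)
            appended += 1
    return "".join(certificate_body_to_pem(b) for b in bodies), appended


# Constructed placeholder bodies (not parseable DER, just distinct strings).
SAMPLE_CERT = certificate_body_to_pem("A" * 100)
SAMPLE_CA = certificate_body_to_pem("B" * 100)

if __name__ == "__main__":
    merged, count = merge_ca_certificate(SAMPLE_CERT, SAMPLE_CA)
    print("appended %d CA certificate(s)" % count)
```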
Things which can't be implemented:

- use certificates valid forever in tests using cryptography, with available example
  - REASON: it is impossible to generate a certificate without Not Valid After, even with cryptography