TODO.rst

General things to be done with caddy-frontend:

  • return a warning for keys not implemented (from the apache-frontend perspective) in master and slave requests
  • tests: add an assertion on the results of the promises in etc/promise for each partition
  • tests: switch to cryptography for certificate management
  • README: cleanup the documentation, explain various specifics
  • check the whole frontend slave snippet with caddy -validate during the buildout run, and reject it if it does not pass validation
  • apache-ca-certificate shall be merged with apache-certificate
    • apache-ca-certificate shall be appended to apache-certificate if not already there
  • BUG?? check that changing apache-certificate on the master partition results in reloading the slave partition
  • provide apache-frontend to caddy-frontend migration information
  • (new) type:websocket slave
  • type:eventsource:
    • Jérome Perrin: For event source, if I understand https://github.com/mholt/caddy/issues/1355 correctly, we could use caddy as a proxy in front of nginx-push-stream. If we have a "central shared" caddy instance, can it handle keeping connections open for many clients?
  • ssl_proxy_ca_crt for ssl_proxy_verify; this is related to bug #1550, whose proposed solution is just adding your CA to the system's trust store
  • check-error-on-caddy-log like check-error-on-apache-log
  • cover the test suite like the resilient tests for KVM and prove it works the same way as Caddy
  • have caddy-frontend specific parameters, with backward compatibility to the apache-frontend ones:
    • apache-ca-certificate
    • apache-certificate and apache-key
  • use slapos!326, and especially its note about complex restart scenarios, instead of self-developed graceful restart scripts

  • move out test/utils.py and use it from a shared python distribution

  • provide various tricks for older browsers:

    # The following directives modify normal HTTP response behavior to
    # handle known problems with browser implementations.
    
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                            downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
    # The following directive disables redirects on non-GET requests for
    # a directory that does not include the trailing slash.  This fixes a
    # problem with Microsoft WebFolders which does not appropriately handle
    # redirects for folders with DAV methods.
    # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "MS FrontPage" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
    BrowserMatch "^gnome-vfs" redirect-carefully
    BrowserMatch "^XML Spy" redirect-carefully
    BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
  • check, and if needed apply, Apache-like SSL configuration switches:

    # SSL Configuration
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
          SSLOptions +StdEnvVars
    </FilesMatch>
  • reduce the time of configuration validation (in instance-apache-frontend.cfg.in sections [configtest], [caddy-configuration], [nginx-configuration]), as it does not scale on a frontend with 2000+ slaves (it takes a few minutes instead of a few, < 5, seconds); issue posted upstream

  • drop 6tunnel and use bind in the Caddy configuration, as soon as multiple binds are possible; tracked in the upstream issues "bind: support multiple values" and "ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both"

  • use caddy-frontend in standalone style playbooks

  • in templates/apache-custom-slave-list.cfg.in avoid the repetitive part_list.append and use a macro like in the ERP5 SR (cf. Vincent's comment)

  • Jérome Perrin: consider privacy implications/GDPR compliance of https://caddyserver.com/docs/telemetry and decide if we should leave it enabled.
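For the "apache-ca-certificate shall be appended to apache-certificate if not already there" item above, here is an added example (not code from the caddy-frontend software release) of how such a merge can be done safely: it splits both inputs into PEM certificate blocks, compares them on their base64 body so re-wrapped copies are not treated as different, and appends only the CA certificates that are missing. The merge is idempotent, so running it again on a partition that already carries the chain changes nothing. The PEM bodies in the sample inputs are constructed placeholders, not real certificates.

```python
import re

# One PEM certificate block including its BEGIN/END markers; DOTALL lets the
# body span lines, and the non-greedy match stops at the first END marker.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certificates(pem_text):
    """Return the certificate blocks found in pem_text, in file order.

    Anything outside the markers (comments, a private key, bag attributes)
    is ignored, so a file mixing a key and a certificate is handled too.
    """
    return [m.group(0) for m in _PEM_CERT_RE.finditer(pem_text)]


def pem_body(block):
    """Canonical form used for comparison: the base64 body with line breaks
    and surrounding whitespace removed, so re-wrapped copies compare equal."""
    lines = block.strip().splitlines()
    return "".join(line.strip() for line in lines[1:-1])


def merge_ca_into_certificate(certificate_pem, ca_certificate_pem):
    """Append each CA certificate to certificate_pem unless it is already there.

    Idempotent: feeding the result back with the same CA returns it unchanged.
    """
    present = {pem_body(b) for b in split_pem_certificates(certificate_pem)}
    merged = certificate_pem
    if merged and not merged.endswith("\n"):
        merged += "\n"
    for ca_block in split_pem_certificates(ca_certificate_pem):
        body = pem_body(ca_block)
        if body in present:
            continue  # already part of the chain, do not duplicate it
        merged += ca_block + "\n"
        present.add(body)
    return merged


# Constructed sample inputs: the base64 bodies are placeholders, not real
# certificates, so only the PEM framing matters here.
SERVER_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtU0VSVkVSLUNFUlQ=\n"
    "-----END CERTIFICATE-----\n"
)
CA_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtQ0EtQ0VSVA==\n"
    "-----END CERTIFICATE-----\n"
)


def demo():
    """Merge once, then merge again to show nothing is duplicated."""
    first = merge_ca_into_certificate(SERVER_CERT, CA_CERT)
    second = merge_ca_into_certificate(first, CA_CERT)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("certificates after merge:", len(split_pem_certificates(first)))
    print("idempotent:", first == second)
```

The comparison is purely textual: it guarantees the CA block is present exactly once but does not verify that the CA actually signed the server certificate. A chain check (for instance with openssl verify, or with the cryptography package once the test suite switches to it) is still needed before the merged file is handed to the slave partition.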
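For the "check-error-on-caddy-log like check-error-on-apache-log" item above, here is an added example (not the promise shipped with the software release) of the core of such a check: it parses error entries out of a log, keeps only those logged inside a time window before a given reference time, and returns a promise-style verdict. The line shape it parses, the sample log and the reference time are all constructed for this example; the real Caddy error log format must be confirmed before reusing the pattern. Passing now explicitly keeps the check deterministic and testable; a real promise would pass the current time.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed line shape (constructed for this example, not taken from Caddy's
# documentation): "<dd/Mon/yyyy:HH:MM:SS +zzzz> [ERROR <status> <path>] <message>"
_ERROR_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"\[ERROR (?P<status>\d{3}) (?P<path>\S+)\] (?P<msg>.*)$"
)
_TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_error_line(line):
    """Return a dict for an error line, or None for anything else."""
    m = _ERROR_LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), _TS_FORMAT),
        "status": int(m.group("status")),
        "path": m.group("path"),
        "message": m.group("msg"),
    }


def recent_errors(lines, now, window=timedelta(minutes=5)):
    """Errors whose timestamp lies within `window` before `now` (inclusive)."""
    errors = []
    for line in lines:
        entry = parse_error_line(line)
        if entry is not None and now - window <= entry["time"] <= now:
            errors.append(entry)
    return errors


def check_error_on_log(lines, now, window=timedelta(minutes=5)):
    """Promise-style verdict: (ok, message).

    ok is False when any error was logged inside the window, so a recently
    failing backend makes the promise fail while old entries are ignored."""
    errors = recent_errors(lines, now, window)
    if errors:
        last = errors[-1]
        return False, "%d error(s) in the last %s; last: %d %s %s" % (
            len(errors), window, last["status"], last["path"], last["message"])
    return True, "no errors in the last %s" % window


# Constructed sample log, not captured from a real frontend.
SAMPLE_LOG = [
    "03/Jul/2018:11:00:00 +0000 [ERROR 502 /erp5/] dial tcp 10.0.0.5:8080: connection refused",
    "03/Jul/2018:12:37:10 +0000 [ERROR 502 /erp5/] dial tcp 10.0.0.5:8080: connection refused",
    "03/Jul/2018:12:38:45 +0000 [ERROR 404 /favicon.ico] no such file or directory",
    "this line is not an error entry and is ignored",
]
SAMPLE_NOW = datetime(2018, 7, 3, 12, 40, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok, message = check_error_on_log(SAMPLE_LOG, SAMPLE_NOW)
    print("OK" if ok else "FAIL", message)
```

Lines that do not match the pattern are skipped rather than treated as errors, so a log rotation banner or a differently formatted line cannot make the promise fail; the trade-off is that a silent change in the log format would hide real errors, which is why the pattern should be pinned to the Caddy version actually deployed.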

Things which can't be implemented: