nexedi/slapos merge request !771
Merged. Created May 29, 2020 by Łukasz Nowak (@luke, Maintainer). 30 of 30 tasks completed.

Feature/caddy frontend auth to backend


Prerequisites:

  • check that url and https-url with a path (like https://example.com/some/path) are supported correctly (it seems to be missing from the tests) ▶ covered by test_https_url
  • depends on https://lab.nexedi.com/nexedi/slapos/merge_requests/783

Tasks:

  • check behaviour of backend while SSL client cert is offered https://lab.nexedi.com/nexedi/slapos/merge_requests/771#note_112004
  • review maxconn and input from https://lab.nexedi.com/nexedi/slapos/merge_requests/771#note_111938
  • improve naming of timeout-backend-connect and timeout-backend-connect-retries https://lab.nexedi.com/nexedi/slapos/merge_requests/771#note_111939
  • consider moving the whole parsing and preparation logic to templates/apache-custom-slave-list.cfg.in, so that configuration generation for Caddy, Apache Traffic Server, Haproxy and others will be simplified ▶ current improvements are good enough
    • or maybe even to instance-apache-replicate.cfg.in, where the rejection of bad parameters happens
  • put haproxy before the backend, stabilise test, do cleanups if needed
    • ssl_proxy_verify
    • backend_url in templates/default-virtualhost.conf.in can be ignored, as it is always present (in the sense that haproxy provides it); it shall be done correctly in templates/backend-haproxy.cfg.in
    • generally support correctly url and https-url
    • graceful script in etc/run (be smart about signals supported by haproxy)
    • configuration validation
    • logs --> ❗ blocker: haproxy does not write logs to files (only to stdout/stderr), but its logs are critical; consider using rsyslogd in the partition
      • logrotate
    • setup good limits (maxconn, timeout *), drop/hide not needed configuration
      • redo proxy_try_duration and proxy_try_interval --> possibly not needed anymore
      • support request_timeout, which in reality is the proxy connection timeout; proxy_try_duration/interval then help
    • stabilise tests, good result is here
  • enable sending certificates to the backend
    • configure it on haproxy level
    • check that it works against real backend
    • setup additional tasks (like signing certificates by CSR_ID)
    • add tests
  • logrotate for backend haproxy log
  • prove that listed below are correctly configurable on master and per slave:
    • timeout-backend-connect
    • timeout-backend-connect-retries
    • request-timeout
  • validate again that it works correctly against a real backend (e.g. recent ERP5); if needed, extend the test suite (note: for ERP5 the minimal request parameters are {"balancer": {"ssl": {"frontend-caucase-url-list": ["<value-of-backend-client-caucase-url>"]}}})
  • ❗ tentative: create stack/rsyslogd instead of generating the file directly in software/caddy-frontend

Notes:

  • X-Forwarded-For shall be reduced to one element only, as backend-haproxy is possibly more configurable
  • the authentication is simple: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-crt
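The tasks above (client certificate to the backend via the haproxy `crt` server option, the timeout-backend-connect / timeout-backend-connect-retries / request-timeout knobs, maxconn, and logging through a partition-local rsyslogd) come together in a backend haproxy configuration. The fragment below is an added illustration, not the project's templates/backend-haproxy.cfg.in; the syslog address, ports, timeout values and the /PLACEHOLDER paths are assumptions, and the weak and hardened server lines are shown side by side so the difference is visible.

```haproxy
global
    # haproxy only writes to stdout/stderr, so logs go to a syslog daemon
    # (the partition's rsyslogd, assumed to listen on 127.0.0.1:514) which
    # writes the file that logrotate then manages.
    log 127.0.0.1:514 local0 info
    # global connection ceiling; value is an assumption for the example
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    # timeout-backend-connect: how long to wait for a TCP/TLS connection
    timeout connect 5s
    # timeout-backend-connect-retries: connection attempts before giving up
    retries 3
    # request-timeout: inactivity limits on the client and server sides
    timeout client 600s
    timeout server 600s

frontend from_caddy
    # only the local Caddy frontend talks to this haproxy (assumed bind)
    bind 127.0.0.1:8080
    default_backend app

backend app
    # Weak form (commented out): TLS to the backend without verifying its
    # certificate and without presenting a client certificate, so any host
    # answering on that address is accepted and the backend cannot tell
    # this frontend apart from anyone else.
    # server app1 backend.example.invalid:443 ssl verify none

    # Hardened form: present the frontend's client certificate (the one
    # obtained through the CSR_ID signing step) and verify the backend's
    # certificate against the backend CA. Paths are placeholders.
    server app1 backend.example.invalid:443 ssl \
        crt /PLACEHOLDER/frontend-client-cert-and-key.pem \
        ca-file /PLACEHOLDER/backend-ca.pem \
        verify required
    # Appending "check" to the server line would add the active health
    # check listed under future improvements (fast 5xx on a dead backend).
```

The `crt` file is a single PEM containing both the client certificate and its private key, which is why the file on the partition must be protected like any private key; `verify required` together with `ca-file` is what makes the backend's identity checked rather than merely encrypted to.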

Future improvements:

  • haproxy with active health checks to the backend, thus serving fast 5xx replies for a malfunctioning/dead backend, resulting in fast cached responses
Edited Jul 15, 2020 by Łukasz Nowak
Source branch: feature/caddy-frontend-auth-to-backend